Disclaimer:

• This is not officially endorsed by Proton VPN.
• Use at your own risk (like with any custom DNS)
• This will leak DNS requests on purpose outside of the Proton VPN Tunnel to NextDNS, with DoH enabled, for the purpose of a better customization of DNS blocking.

Credits to https://reddit.com/u/DN9TP3 who wrote this guide originally for Mullvad. Thank you for your excellent work.

I took the liberty to take the original guide and adapt the procedure for Proton VPN. This is mainly directed to users, who were making use of the “Personal VPN” and “Device VPN” Configuration slots on iOS / iPadOS, to have more blocking customization options with 3rd party apps (Lockdown, Ad Guard etc.) as Proton VPN does not have Netshield customizations or Custom DNS support (on iOS, iPadOS and macOS) so far. I believe there will be some more customizations possible in the future (Sam pointed at that in a comment once here), for now though there’s this guide here:

Requirements:

• Have a NextDNS account (https://nextdns.io)

• Have the WireGuard app installed:

  • iOS / iPadOS: https://apps.apple.com/app/wireguard/id1441195209

  • macOS: https://apps.apple.com/app/wireguard/id1451685025

NextDNS steps:

1. Visit: https://apple.nextdns.io (while logged in NextDNS)

   1. Enter your “Configuration ID.”
   2. Enter your “Device Name.”
   3. Enter your “Device Model.”
   4. Do not “Trust NextDNS Root CA.”
   5. Do not enable “Bootstrap IPs.”
   6. Do not enable “Sign Configuration Profile.”

2. “Download” your new Configuration Profile, which will be in your Downloads folder, as a file ending with .mobileconfig.

3. Inside that file, there will be one occurrence of the string apple.dns.nextdns.io. Replace that string with doh3.dns.nextdns.io.

   1. If one is comfortable with macOS’s Terminal app, one option for effecting the above string replacement would be to execute: sed -i.bak 's#apple.dns.nextdns.io#doh3.dns.nextdns.io#' ~/Downloads/NextDNS\ \([::alnum::]*\).mobileconfig

4. Install the edited Configuration Profile. Simply open the file with iOS / iPadOS through Files or on macOS and a Configuration Profile will have to be approved in the Settings.

Proton VPN (WireGuard) steps:

1. Visit: https://account.protonvpn.com/downloads

2. Select a Server, generate and download a WireGuard Configuration File.

   Note: Netshield can be off, as NextDNS is used instead of Proton DNS.

   Note: It is one configuration file per server. If you want multiple servers, you’ll need to download and prepare multiple files.

   Note: WireGuard configuration files have an expiration date, visible in the dashboard. After that, this step will have to be repeated.

3. Edit the WireGuard Configuration File.

   1. For “DNS” specify: 0.0.0.0/32
   2. For “Allowed IPs,” specify: 0.0.0.1/32, 0.0.0.2/31, 0.0.0.4/30, 0.0.0.8/29, 0.0.0.16/28, 0.0.0.32/27, 0.0.0.64/26, 0.0.0.128/25, 0.0.1.0/24, 0.0.2.0/23, 0.0.4.0/22, 0.0.8.0/21, 0.0.16.0/20, 0.0.32.0/19, 0.0.64.0/18, 0.0.128.0/17, 0.1.0.0/16, 0.2.0.0/15, 0.4.0.0/14, 0.8.0.0/13, 0.16.0.0/12, 0.32.0.0/11, 0.64.0.0/10, 0.128.0.0/9, 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/5, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1 Note: The above CIDR ranges were derived by visiting the WireGuard AllowedIPs Calculator and—on that page—setting Allowed IPs to 0.0.0.0/0 and setting Disallowed IPs to 0.0.0.0/32.

4. In the WireGuard app, create a new WireGuard tunnel from your WireGuard Configuration File.

   Note: Due to a bug in the macOS WireGuard app’s UI, you will not be able to “Add Empty Tunnel”, nor will you be able to “Edit” an existing tunnel; You must instead have edited your WireGuard Configuration File first, and then “Import Tunnel(s) from File.” This bug is not present in the WireGuard app on iOS/iPadOS.

5. Enable On-Demand–> Wi-Fi or cellular; Any SSID and activate your new WireGuard tunnel.

6. Restart your device.

7. Visit https://ip.me and confirm you’re connected to a Proton VPN server

8. Visit: https://test.nextdns.io

   1. status should be: ok
   2. protocol should be: DOH3 or DOH
      1. IMPORTANT NOTE: NextDNS features foundational support for DOH3. Currently, DOH is the default; DOH3 is not. When explicitly using the doh3.dns.nextdns.io endpoint, DOH3 will be leveraged when available; otherwise, DOH will be leveraged. This means that—at this time—when visiting test.nextdns.io, you should expect to see either DOH3 or DOH; instead of only DOH3. Similarly, when visiting the my.nextdns.io Logs tab and hovering over a row’s lock symbol, you should expect to see either DNS-over-HTTP/3 or DNS-over-HTTPS; instead of only DNS-over-HTTP/3. [1][2]

The above steps will make it such that your new WireGuard tunnel uses the NextDNS Configuration Profile you installed. It achieves this by explicitly setting the DNS servers to 0.0.0.0/32 (which is not the same as 127.0.0.1/32) for IPv4. Then, we allow the entire IPv4 address spaces to transit the tunnel, except for the aforementioned device-local IP.