VPN Provider Integration

Bifrost supports native integration with major VPN providers, enabling automatic server selection, credential management, and seamless VPN connections without manual configuration.

Supported Providers

Provider	Auth Method	WireGuard	OpenVPN	Auto-Select
NordVPN	None (public API)	Yes (NordLynx)	Yes	Yes
Mullvad	Account number	Yes	Yes	Yes
PIA	Username/Password	Yes	Yes	Yes
ProtonVPN	OpenVPN credentials	No	Yes	Yes

NordVPN

NordVPN integration uses the public NordVPN API. No credentials are required for server list access.

Configuration

backends:
  - name: nordvpn-us
    type: nordvpn
    enabled: true
    config:
      country: "US"           # ISO country code (required)
      city: "New York"        # Optional: specific city
      protocol: "wireguard"   # wireguard or openvpn
      auto_select: true       # Auto-select best server by load
      max_load: 50            # Skip servers above this load percentage

Available Options

Option	Type	Default	Description
`country`	string	required	ISO 3166-1 alpha-2 country code
`city`	string	""	City name (optional)
`protocol`	string	”wireguard”	Protocol: “wireguard” or “openvpn”
`auto_select`	bool	true	Auto-select server with lowest load
`max_load`	int	0	Skip servers above this load (0 = no limit)
`server_id`	string	""	Connect to specific server by ID

Server Selection

NordVPN selects servers based on:

Country and city filters
Protocol support (WireGuard/NordLynx or OpenVPN)
Server load (lowest load preferred)
Feature requirements (P2P, streaming, etc.)

Features

NordVPN servers support various features:

standard - Standard VPN servers
p2p - Optimized for P2P/torrenting
double_vpn - Double VPN for extra privacy
onion_over_vpn - Onion routing
dedicated_ip - Dedicated IP servers

config:
  country: "NL"
  features:
    - "p2p"

Mullvad

Mullvad uses a 16-digit account number for authentication. No email or password required.

Getting Your Account Number

Visit mullvad.net
Create an account or use existing
Your 16-digit account number is shown on the dashboard

Configuration

backends:
  - name: mullvad-de
    type: mullvad
    enabled: true
    config:
      account_id: "1234567890123456"  # 16-digit account number
      country: "DE"
      city: ""                        # Optional
      protocol: "wireguard"
      auto_select: true

Available Options

Option	Type	Default	Description
`account_id`	string	required	16-digit Mullvad account number
`country`	string	required	ISO country code
`city`	string	""	City name (optional)
`protocol`	string	”wireguard”	Protocol: “wireguard” or “openvpn”
`auto_select`	bool	true	Auto-select best server

WireGuard Key Management

When using WireGuard, Bifrost automatically:

Generates a WireGuard key pair
Registers the public key with Mullvad
Receives the assigned IP address
Configures the tunnel

Keys are cached and reused across restarts.

Security Notes

Keep your account number secure
The account number is the only authentication
Consider using environment variables:

config:
  account_id: "${MULLVAD_ACCOUNT}"

PIA (Private Internet Access)

PIA uses username/password authentication with token-based sessions.

Getting Your Credentials

Log in to privateinternetaccess.com
Find your PIA username (looks like p1234567)
Your password is set during signup

Configuration

backends:
  - name: pia-uk
    type: pia
    enabled: true
    config:
      username: "p1234567"
      password: "${PIA_PASSWORD}"  # Use env var for security
      country: "UK"
      protocol: "wireguard"
      port_forwarding: true

Available Options

Option	Type	Default	Description
`username`	string	required	PIA username
`password`	string	required	PIA password
`country`	string	required	ISO country code
`city`	string	""	City name (optional)
`protocol`	string	”wireguard”	Protocol: “wireguard” or “openvpn”
`port_forwarding`	bool	false	Enable PIA port forwarding

Port Forwarding

PIA supports port forwarding on select servers. When enabled:

Bifrost requests a forwarded port after connection
The assigned port is logged
Port forwarding auto-renews while connected

config:
  country: "NL"       # Port forwarding supported
  port_forwarding: true

Note: Port forwarding is not available in all regions.

Token Refresh

PIA uses token-based authentication:

Initial login with username/password
Receives access token
Token used for subsequent API calls
Auto-refresh when token expires

ProtonVPN

ProtonVPN integration uses manual OpenVPN credentials mode due to API limitations.

Getting Your OpenVPN Credentials

Log in to account.protonvpn.com
Navigate to Downloads → OpenVPN / IKEv2 username
Copy your OpenVPN username (looks like username+pmp)
Generate or view your OpenVPN password

Important: These are NOT your Proton account credentials!

Configuration

backends:
  - name: proton-ch
    type: protonvpn
    enabled: true
    config:
      username: "username+pmp"
      password: "${PROTON_PASSWORD}"
      country: "CH"
      tier: "plus"
      secure_core: false
      protocol: "openvpn"

Available Options

Option	Type	Default	Description
`username`	string	required	OpenVPN/IKEv2 username
`password`	string	required	OpenVPN password
`country`	string	required	ISO country code
`city`	string	""	City name (optional)
`tier`	string	”free”	Account tier: free, basic, plus, visionary
`secure_core`	bool	false	Use Secure Core servers
`protocol`	string	”openvpn”	Only “openvpn” supported

Account Tiers

ProtonVPN has different tiers with different server access:

Tier	Description
`free`	Free servers (limited locations)
`basic`	Basic paid tier
`plus`	Plus tier (full server access)
`visionary`	Visionary tier

Secure Core

Secure Core routes traffic through privacy-friendly countries before exiting:

config:
  country: "US"
  secure_core: true   # Routes via CH/IS/SE first

Secure Core servers provide extra privacy but may reduce speed.

Limitations

WireGuard not supported: ProtonVPN’s WireGuard (NetShield) requires their app
OpenVPN only: Uses standard OpenVPN protocol
Manual credentials: Requires obtaining credentials from account portal

Server Selection Architecture

graph TD
    A[User Config] --> B[Backend Factory]
    B --> C{Provider Type}
    C -->|nordvpn| D[NordVPN Provider]
    C -->|mullvad| E[Mullvad Provider]
    C -->|pia| F[PIA Provider]
    C -->|protonvpn| G[ProtonVPN Provider]

    D --> H[Provider API]
    E --> I[Provider API]
    F --> J[Provider API]
    G --> K[Server List Cache]

    H --> L[Server Selection]
    I --> L
    J --> L
    K --> L

    L --> M[WireGuard Backend]
    L --> N[OpenVPN Backend]

Caching

Server lists are cached to reduce API calls:

Default TTL: 6 hours
Cache location: In-memory
Refresh: Automatic on expiration or manual via API

Manual Cache Refresh

# Refresh all provider caches
curl -X POST http://localhost:7080/api/v1/providers/refresh

# Refresh specific provider
curl -X POST http://localhost:7080/api/v1/providers/nordvpn/refresh

Troubleshooting

Connection Failures

Check credentials: Verify username/password or account ID
Check server availability: Some servers may be overloaded
Try different server: Use server_id to test specific servers
Check protocol support: Ensure selected protocol is available

Authentication Errors

Provider	Error	Solution
NordVPN	N/A	No auth required
Mullvad	Invalid account	Verify 16-digit number
PIA	Auth failed	Check username (p-number) and password
ProtonVPN	Auth failed	Use OpenVPN credentials, not account login

Server List Empty

Check internet connectivity
Verify country code is valid
Check provider API status
Try clearing cache and refreshing

Performance Issues

Select closer servers: Use country/city filters
Avoid overloaded servers: Set max_load limit
Use WireGuard: Generally faster than OpenVPN
Check MTU settings: May need adjustment for your network

Security Best Practices

Use environment variables for passwords:
```
config:
  password: "${VPN_PASSWORD}"
```
Secure your config file:
Terminal window
```
chmod 600 config.yaml
```
Don’t commit credentials to version control
Rotate credentials periodically
Monitor connections for unexpected behavior