VPN (Virtual Private Network) - a generic name for technologies that enable one or more network connections (tunnels) over another network (e.g., the Internet).
There are many reasons for using virtual private networks. The most common of these are security and data privacy. The confidentiality of original user data is guaranteed with the use of data protection tools in virtual private networks.
It is known that IP (Internet Protocol) networks have a 'weak point' due to the structure of the protocol. There are no means of protection of the transferred data and no guarantee that the sender is the one whom he claims to be. The data in an IP network can be easily tampered with or intercepted.
We recommend using a VPN connection if you are connecting from the Internet to your home server, USB flash drive files connected to a router, DVR, or a computer desktop through RDP protocol. In this case, you don't have to worry about the security of the data being transmitted, because the VPN connection between the client and the server is usually encrypted.
The Keenetic devices support the following types of VPN connections:
- L2TP over IPSec (L2TP/IPSec)
- IPSec Xauth PSK (Virtual IP)
With the help of the Keenetic router, your home network can be connected via a VPN to a public VPN service, office network, or another Keenetic device, regardless of Internet connection type.
VPN clients/servers for secure access (PPTP, L2TP over IPSec, Wireguard, OpenVPN, SSTP) as well as tunnels for network interconnection (Site-to-Site IPSec, EoIP (Ethernet over IP), GRE, IPIP (IP over IP) are implemented in all the Keenetic devices.
Depending on the protocols used and the purpose, a VPN can provide connections in different scenarios: host-host, host-network, hosts-network, client-server, clients-server, router-router, routers-router (VPN concentrator), network-network (site-to-site).
If you don't know what type of VPN to choose, the tables and recommendations below will help you do that.
||Client||Server||Hardware acceleration*||Number of simultaneous connections|
|PPTP||+||+||-||Client: up to 128
Server: up to 100/150/200 depending on model **
|L2TP over IPSec||+||+||+||Client: up to 128
Server: no limitation
|WireGuard||+||+||-||up to 32|
|IPSec||+||+||+||no limitation ***|
|GRE/IPIP/EoIP||+||+||-||up to 128|
|IPSec Xauth PSK||-||+||+||no limitation|
* — in Starter, Launcher, Sprinter, Hopper, Glider, Explorer, Carrier models only the AES algorithm acceleration is used, and in Skipper, Titan, Hero models the entire IPSec protocol hardware acceleration is used.
** — up to 200 for Hero and Titan; up to 150 for Hopper DSL and Carrier DSL; up to 100 for Starter, Launcher, Sprinter, Hopper, Glider, Explorer and Carrier.
*** — before KeeneticOS 3.3, the limit was 10 connections for Hero, Titan, and 5 for all other models.
NOTE: Important! The number of client connections is limited by the dedicated service storage space (24 Kbytes) for VPN configurations. This is especially important for OpenVPN connections, as the total size of their configurations should not exceed 24 Kbytes.
||Difficulty level||Level of data protection||Speed**||Resource intensity||OS integration|
|PPTP||for ordinary users||low||average||low||Windows, macOS, Linux, Android, iOS (up to and including v9.)|
|SSTP||for ordinary users||high||average, low operating via the cloud||average||Windows|
|L2TP over IPSec||for ordinary users||high||high||high||Windows, macOS, Linux, Android, iOS|
|WireGuard||for advanced users||very high||high||low||not available*|
|IPSec||for professionals||very high||high||high||Windows, macOS, Linux, Android, iOS|
|OpenVPN||for advanced users||very high||low||very high||not available*|
|IPSec Xauth PSK||for ordinary users||high||high||high||Android, iOS|
* — you will need to install additional free software in Windows, macOS, Linux, Android, iOS operating systems to set up the connection.
** — values are relative, not the exact figures, because speeds for VPN connections depend on models and several factors - the type of encryption algorithms used, the number of simultaneous connections, the type of the Internet connection, the speed and the load of the Internet channel, the load on the server and other factors. Let's consider low speed up to 15 Mbit/s, average speed around 30 - 40 Mbit/s, and high speed - over 70 Mbit/s.
|PPTP||popularity, high customer compatibility||low level of data protection, in comparison with other VPN protocols|
|SSTP||the capability of VPN-server operation using the private IP-address for Internet access *, via HTTPS protocol (TCP/443)||
the built-in Windows-only client, low data transfer rate when working through the cloud
|L2TP over IPSec||security, stability, high customer compatibility||the standard ports are used, which allows the ISP or system administrator to block the traffic|
|WireGuard||modern data security protocols, low resource intensity, high data transfer rate||is not a part of the modern OS, development is experimental and instability may occur|
|IPSec||reliability, very high level of data protection||the configuration is difficult for ordinary users|
|OpenVPN||high level of data protection, the use of HTTPS protocol (TCP/443)||is not a part of the modern OS, very resource-intensive, low data rates|
|IPSec Xauth PSK||security, it is a part of a modern mobile OS||lack of customer support for PC operating systems|
* — this feature is implemented on our cloud server as a special software extension and is available only for the users of Keenetic devices.
In most cases, for clients-server remote connections, we recommend the following protocols:
- L2TP over IPSec (L2TP/IPSec), PPTP, IPSec Xauth PSK, SSTP
In many Keenetic models, data transfer over IPSec (including L2TP over IPSec) is hardware accelerated using the device processor. You don't have to worry about the privacy of IP telephony or CCTV streams in such a tunnel.
If your ISP gives you a public IP address, we recommend you to pay attention to the so-called IPSec virtual server (Xauth PSK) and L2TP over IPSec server. They are great because they provide secure access to your home network from your smartphone, tablet, or computer with minimal configuration: Android, iOS, and Windows have convenient built-in clients for these types of VPNs.
If your ISP only provides you with a private IP address to surf the Internet, and you can't get a public IP, you can still organize remote access to your home network using an SSTP VPN server. The main advantage of the SSTP tunnel is its ability to work through the cloud, i.e., it allows establishing a connection between the client and the server, even if there are private IP addresses on both sides. All other VPN servers require a public IP address. Please note that this feature is implemented on our cloud server and is available only for Keenetic users.
As for the PPTP tunnel protocol, it is the easiest and most convenient to configure, but potentially vulnerable in comparison to other types of VPN. However, it is better to use it than not to use a VPN at all.
And for advanced users we may add these VPNs to the list above:
- WireGuard, OpenVPN
OpenVPN is very popular but extremely resource-intensive and has no particular advantages against IPSec. The Keenetic devices have such features as TCP and UDP mode, TLS authentication, use of certificates and encryption keys to improve the security of the VPN connection for the OpenVPN connection.
Modern protocol WireGuard will make it easier and faster to work with VPN (several times compared to OpenVPN) without increasing the power of the hardware in the device.
To consolidate networks and organize a Site-to-Site VPN, use:
- IPSec, L2TP over IP (L2TP/IPSec), WireGuard
To solve specific problems of network interconnection:
- EoIP, GRE, IPIP
IPSec is one of the most secure VPN protocols due to its crypto secure encryption algorithms. It is the best option for establishing Site-to-Site VPN connections to interconnect networks. For professionals and advanced users, it is possible to create IPIP, GRE, EoIP tunnels both in a simple way and in combination with IPSec tunnels, which will allow you to use IPSec VPN security standards to protect these tunnels. Support for IPIP, GRE, EoIP tunnels makes it possible to establish a VPN connection with hardware gateways, Linux routers, UNIX/Linux computers, and servers, as well as other network and telecommunication equipment supporting these tunnels. The tunnel setting of this type is available only in the command-line interface (CLI) of the router.
For more information on configuring different types of VPNs in the Keenetic devices, read the instructions: