NOTE: Important! If you want to configure a Keenetic router as a VPN server, make sure that it has a public IP address, and when using the KeenDNS service, that it works in the 'Direct access' mode. If any of these conditions are not met, it will be impossible to connect to such a server from the Internet. The exception to this rule is described in the Note section below.
The L2TP/IPSec VPN server on Keenetic can be configured according to the 'L2TP/IPSec VPN server' article.
Below is an example of creating an L2TP/IPSec VPN connection on a Windows 10 computer.
Right-click on the 'Start' button, select 'Network Connections' and on the screen that appears, 'VPN'.
Select 'Add a VPN connection'.
In the connection settings, select 'Windows (built-in)' as the VPN service provider. Enter a name for the connection, for example, 'Home segment'. Enter the domain name or IP address of your Keenetic (in our example, 'myworknow.keenetic.link'). Select the VPN type 'L2TP/IPSec with pre-shared key'. Enter the IPSec pre-shared key that you created and recorded when configuring the Keenetic VPN server. Next, enter the username (one that is allowed to connect to the VPN) and its password. Click the 'Save' button.
To establish a connection, click the 'Connect' button.
The connection is established.
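The same client profile as the GUI steps above, created from PowerShell with the built-in VpnClient cmdlets. This is an added example, not part of the Keenetic article; it reuses the server name from the article and uses placeholders for the pre-shared key and the VPN user account.

```powershell
# Added example (not from the Keenetic article): the L2TP/IPSec client
# profile from the GUI steps, created with the built-in VpnClient cmdlets.
# The server name matches the article; the PSK and account are placeholders.
$Name   = 'Home segment'
$Server = 'myworknow.keenetic.link'   # Keenetic public address or KeenDNS name

# Pre-shared key from the Keenetic VPN server settings (placeholder; prompted
# so that the key does not end up in shell history or in a script file).
$Psk = Read-Host -Prompt 'IPsec pre-shared key'

# Create the profile: L2TP over IPsec with a PSK, MS-CHAPv2 user authentication,
# encryption mandatory. -Force overwrites an existing profile of the same name.
Add-VpnConnection -Name $Name -ServerAddress $Server -TunnelType L2tp `
    -L2tpPsk $Psk -AuthenticationMethod MSChapv2 -EncryptionLevel Required `
    -RememberCredential -Force

# Review what was stored before dialing.
Get-VpnConnection -Name $Name |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel

# Dial with the VPN user account created on the Keenetic (prompted, placeholder).
$Cred = Get-Credential -Message 'Keenetic VPN user'
rasdial $Name $Cred.UserName $Cred.GetNetworkCredential().Password

# Confirm the tunnel is up; rasdial sets a non-zero exit code on failure.
if ($LASTEXITCODE -eq 0) {
    Get-NetIPAddress -InterfaceAlias $Name -AddressFamily IPv4
} else {
    Write-Warning "Connection '$Name' failed (rasdial error $LASTEXITCODE)."
}
```

Run it in an elevated PowerShell session; `rasdial $Name /disconnect` closes the tunnel afterwards.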
It is possible to connect to a VPN server with a private IP address from the Internet if the parent router has a public IP address and a port forwarding rule configured for the private address of your Keenetic. L2TP/IPSec requires forwarding of UDP 500 and UDP 4500. Another option is to forward all ports and protocols, which on some routers is called DMZ.
A typical example of such a router is a CDCEthernet modem. It can receive a public address from a mobile operator and assign a private address to the Keenetic router. Port forwarding configuration depends on the modem. Some modems forward all ports without additional configuration, others need to be set up in their web interface. And there are those where port forwarding is not provided at all.
If the forwarding is configured correctly, you can try to establish a VPN connection to the external public IP address of the parent router, which will forward it to the Keenetic's private address.
However, in the case of L2TP/IPSec, there is an exception to this rule. Such a connection can be established without difficulty from a smartphone or tablet, but it will not be possible from a Windows client.
That is a known Windows limitation. In Keenetic's log file, in this case, the connection attempt ends with errors:
ipsec11[IKE] received retransmit of request with ID 0, retransmitting response
ipsec16[IKE] received retransmit of request with ID 0, retransmitting response
ipsec15[IKE] received retransmit of request with ID 0, retransmitting response
ipsec15[JOB] deleting half open IKE_SA with 188.8.131.52 after timeout
Yes, L2TP/IPSec from Windows can only be established if the Keenetic router itself has a public address; port forwarding does not help. However, there are other, less finicky VPN types: PPTP, SSTP or OpenVPN. You can use them to connect from Windows to a server behind NAT once the forwarding is in place. For PPTP, you need to forward TCP port 1723 and the GRE protocol; for SSTP, TCP port 443; and for OpenVPN, UDP port 1194 by default. In the last case, both the protocol and the port can be changed as you wish in the OpenVPN configuration.