By default, Keenetic routers are configured to allow access to router management (web interface) only from the local 'Home' segment.
For KeenDNS or VPN server to work, you need to allow remote access from the Internet on the router. This setting can be found on the 'Users and access' page.
This setting is also duplicated on the 'Domain name' page under the KeenDNS tab.
In order to block attempts to access the local addresses of the router from the Guest network, the Firewall must be configured. Create firewall rules for the Guest Network interface to deny TCP traffic on ports 80 (HTTP) and 443 (HTTPS) when accessing addresses where the Keenetic web interface is accessible, i.e. the address in the Home network segment (default 192.168.1.1) and the address in the Guest network segment (default 10.1.30.1).