More than 100 (for Starter, Launcher, Explorer and Carrier), 150 (for Launcher DSL and Carrier DSL) or 200 (for Hero and Titan) simultaneous client connections can be made to a VPN server on a Keenetic router.
There is no limit for L2TP/IPsec VPN tunnels. The hardware capabilities of the particular model determine the number of simultaneous tunnels.
NOTE: Important! The Keenetic router on which the PPTP VPN server will run must be connected to the Internet with a public IP address. When using a KeenDNS domain name, it must be configured in 'Direct access' mode, which also requires a public IP address. If these conditions are not met, connecting to such a server from the Internet will not be possible.
Let's take the example of connecting four remote LANs through a PPTP VPN server. Each network has access to the Internet. The settings will be identical for the L2TP/IPsec VPN server because the logic used in Keenetic is the same for these servers.
Let LAN 1 be connected to the Internet via a public IP address located behind a router with a PPTP server. Each LAN 2-4 will connect to the VPN server using a PPTP connection. The main task is to provide access between all the LAN 1-4 networks to be joined together.
In this example, the "master router" (with the PPTP VPN server) will be the VPN connection hub. All PPTP connections will be established with it, and routing between all connected subnets will be performed. In the settings of the master router, create as many user accounts with VPN server access rights as you plan to connect to it (in our example, three accounts – net_2, net_3 and net_4 – are created for three remote subnets).
Let the VPN server provide each client with the following IP addresses: 172.16.1.2, 172.16.1.3 and 172.16.1.4, respectively (please note that these IP addresses belong to the same subnet). To configure the VPN server, go to the 'Applications' page.
Static routes on the master router (with the VPN server) will include the following entries: For each network to be joined, except the 'Home network' of the server itself, you must specify the IP address allocated to the corresponding user by the VPN server as the gateway address. Configure static routes on the 'Routing' page.
NOTE: Important! All connected remote subnets (as well as the pool of IP addresses on the VPN server) must not have the same or overlapping address spaces.
When configuring the devices to operate according to this scheme, we recommend changing the addressing in the default network (192.168.1.0/24 network) by taking the number in the third octet of the IPv4 address as the network sequence number, i.e. LAN 2 — 192.168.2.0/24, LAN 3 — 192.168.3.0/24, etc. With a 24-bit mask, these networks do not overlap and contain a sufficient number of addresses for the local network hosts.
The following are the PPTP server connection and routing settings on the VPN client devices shown in the diagram above, from left to right.
Setting up a VPN client from LAN 2 (192.168.2.0/24):
In the 'Server address' field, enter the public static WAN IP address of the master router or its KeenDNS domain name (in this case, the 'Direct access' mode must be used in the KeenDNS server settings, which also requires a public IP address).
Two routes indicate the location of the LAN 3 network:
To communicate with the LAN 4 subnet, you will need to specify the following routes:
Setting up a VPN client from LAN 3 (192.168.3.0/24):
The following routes will provide communication with the LAN 2 network:
To communicate with the LAN 4 network, specify the following routes:
Setting up a VPN client from LAN 4 (192.168.4.0/24):
The following routes must be added to communicate with the LAN 2 network:
The following routes must be added to communicate with the LAN 3 network:
Note
1. It is recommended not to enable the 'Use for accessing the Internet' option when setting up connections to the VPN server in this scheme, as it eliminates the need to specify routing settings to the network behind the server manually. If you don't check this box, routes to the network behind the server will automatically be sent to the Keenetic client device.
2. With these settings in place, computers and other hosts on any of the networks connected to the VPN server will be accessible on each network by IP address. Because each of the networks to be connected uses a different subnet than the others, device discovery on the Windows network by computer name will not work.
3. Since a firewall is enabled on the PPTP client interface by default, blocking all incoming connections, you will need to open the ports/protocols you need in the client router settings. On the 'Firewall' page, you need to create the appropriate allow rules for incoming connections via any protocol (it will be enough to open access via the IP protocol).
For example, a rule for a LAN 3 router would look like this:
4. If you have established a VPN connection, but the ping only goes to the remote router and does not go to the computers on the remote network, then most likely, the Windows Firewall is blocking traffic on the computers. More information can be found in the article Configuring the Windows Firewall for connections from the network behind the Keenetic VPN server.
If you try to ping a computer by its IP address, ensure that the computer is not blocking incoming connections (by default, the Windows Firewall blocks ICMP requests). Try pinging again with the blocking disabled.