Connecting to a WireGuard VPN from Windows

Starting from KeeneticOS version 3.3, you can use WireGuard VPN to remotely connect to the local network of the Keenetic router.

First, configure the WireGuard server on the Keenetic device as described in the instruction 'Configuring a WireGuard VPN between two Keenetic routers', then move on to the VPN client configuration.

NOTE: Important! If you want to configure a Keenetic router as a VPN server, make sure that it has a public IP address and, when using the KeenDNS service, that it works in the 'Direct access' mode. If either of these conditions is not met, it will be impossible to connect to such a server from the Internet.

Below is an example of how to connect to a server from a Windows operating system, using Windows 10 1909 (19H2) as a reference.

To connect to the Keenetic WireGuard server on a Windows-based computer, you will need to download and install the WireGuard program from the official website.

1. Launch the program and click on the down arrow next to 'Add Tunnel' in the lower-left corner. Select 'Add empty tunnel... [Ctrl+N]'.

The 'Create new tunnel' window, in which the connection to the remote Keenetic WireGuard server is configured, will open.

NOTE: Important! Leave this window open, do not close it.

2. Download the wg-client.conf file to your computer; you can save it to your Desktop. Open it in a text editor, for example Notepad++.

You will see a ready-made configuration in which you need to enter the settings for the Windows WireGuard client ([Interface]) and the remote Keenetic WireGuard server ([Peer]).

NOTE: Important! Leave this window open, do not close it.

3. Go back to the 'Create new tunnel' window of step 1 and copy the Windows WireGuard client private key from the 'PrivateKey =' field to the clipboard of your computer.


NOTE: Important! Leave this window open, do not close it.

4. Paste the copied WireGuard client private key into the 'PrivateKey =' line of the ready-made configuration from step 2.

NOTE: Important! Leave this window open, do not close it.

5. If you haven't already configured the WireGuard server, do it according to the following instructions: Configuring WireGuard VPN between two Keenetic routers.

6. Connect to the router's web interface and go to the 'Internet' - 'Other connections' menu. Click on the previously created WireGuard connection ('WG-S') and then the 'Add Peer' button. In the peer settings form that opens, enter the tunnel name 'wg-windows-client'.

Copy the Windows WireGuard client's public key from the 'Public key' field of the 'Create new tunnel' window (step 1) to the clipboard and paste it into the 'Public key' field of the web interface.

You can now close the 'Create new tunnel' window by clicking 'Cancel'.

NOTE: Important! Leave the WireGuard connection window open, do not close it.

In the 'Allowed IPs' field, specify the address from which traffic will be allowed to the server, in IP/bitmask format: 172.16.82.6/32.

In the 'Persistent keepalive' field, specify how often the availability of the remote side of the connection is checked. Usually, a 10-15 second interval between checks is sufficient. By default, the 'Persistent keepalive' value in peer settings is 30 seconds.

Click 'Save'.

7. Return to configuring wg-client.conf:

[Interface]
PrivateKey = wAG52nyfQEEMOnt1W9Y4SdEOQB8XYaggenoUI6Thz3A=
Address = 172.16.82.6/24

[Peer]
PublicKey = 1YVx+x3C817V9YdhUtpUhzyDLVj5tnK2m//WjFGynm4=
AllowedIPs = 172.16.82.1/32, 192.168.22.0/24
Endpoint = enpwgwrkserver.dynns.com:16631
PersistentKeepalive = 5


Configuring the client [Interface]:

In the 'PrivateKey' field of the [Interface] section, you have already entered the Windows WireGuard client key in step 4.

In the 'Address' field, set the IP address of the WireGuard client in IP/bitmask format: 172.16.82.6/24 (internal tunnel address). A different subnet can be used; choose it from the private address range and avoid overlap with other subnets configured on these devices.

Configuring the server [Peer]:

In the 'PublicKey' field, insert the public key of the server, which can be copied to the clipboard from the WireGuard settings in the web interface of the router.

In the 'Allowed IPs' field enter the allowed IP addresses in IP/bitmask format — 172.16.82.1/32 (internal server address) and 192.168.22.0/24 (local segment address of the Keenetic router).

In the 'Endpoint' field, enter the public IP address or domain name of the WireGuard server and the listening port to which the WireGuard client will connect.

In the 'PersistentKeepalive' field, specify how often the availability of the remote side of the connection is checked. Usually, a 10-15 second interval between checks is sufficient.

Press the Ctrl+S key combination or select the 'File' - 'Save' menu.

8. In the open WireGuard connection settings window from step 6, click on 'Import tunnel(s) from file' and select 'wg-client.conf' on the Desktop, click on 'Open'.


9. After adding the 'wg-client' configuration to WireGuard, a new connection will appear in the 'Tunnels' list.

Click 'Activate'.

If the settings are correct, you will see a green indicator next to the 'Status' line.

To verify server availability, you can send ICMP packets to its IP address from the Windows command line.

Check the availability of the server web interface (in our example, it is a Keenetic with IP address 192.168.22.1).


The setup is complete.

If you want to allow the connected clients to access the Internet through this VPN connection, perform the additional configuration described in the article 'Internet access via WireGuard VPN'.

Please note that on the VPN client side you need to specify the DNS server in the 'DNS=' field of the '[Interface]' section of the wg-client.conf configuration file. In our example, the Google DNS server address 8.8.8.8 is used:

[Interface]
PrivateKey = wAG52nyfQEEMOnt1W9Y4SdEOQB8XYaggenoUI6Thz3A=
Address = 172.16.82.6/24
DNS = 8.8.8.8

[Peer]
PublicKey = 1YVx+x3C817V9YdhUtpUhzyDLVj5tnK2m//WjFGynm4=
AllowedIPs = 172.16.82.1/32, 192.168.22.0/24
Endpoint = enpwgwrkserver.dynns.com:16631
PersistentKeepalive = 5
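
Before wg-client.conf is imported in step 8, the values entered in steps 4 and 7 can be checked mechanically. The Python script below is an added example, not part of the original article or of Keenetic's or WireGuard's tooling; the function name check_wg_client_conf, the sample keys and the host vpn.example.net are assumptions constructed for illustration.

```python
import base64
import configparser
import ipaddress

def _is_wg_key(value):
    """WireGuard keys are 32 bytes, base64-encoded."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except ValueError:
        return False

def check_wg_client_conf(text):
    """Return a list of problems; an empty list means every check passed."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        cp.read_string(text)
    except configparser.Error as exc:
        return [f"not parseable: {exc}"]
    if not (cp.has_section("Interface") and cp.has_section("Peer")):
        return ["[Interface] and [Peer] sections are both required"]
    iface, peer, problems = cp["Interface"], cp["Peer"], []
    if not _is_wg_key(iface.get("PrivateKey", "")):
        problems.append("Interface.PrivateKey is not a 32-byte base64 key")
    if not _is_wg_key(peer.get("PublicKey", "")):
        problems.append("Peer.PublicKey is not a 32-byte base64 key")
    try:
        addr = ipaddress.ip_interface(iface.get("Address", ""))
        nets = [ipaddress.ip_network(n.strip(), strict=False)
                for n in peer.get("AllowedIPs", "").split(",")]
        if not addr.ip.is_private:
            problems.append("Interface.Address is outside the private ranges")
        if not any(n.version == addr.version and n.overlaps(addr.network) for n in nets):
            problems.append("Peer.AllowedIPs has no entry in the tunnel subnet")
    except ValueError as exc:
        problems.append(f"bad Address or AllowedIPs: {exc}")
    host, _, port = peer.get("Endpoint", "").rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        problems.append("Peer.Endpoint must be host:port")
    return problems

# Constructed sample values: the keys are byte counters, the host is a placeholder.
KEY_A, KEY_B = (base64.b64encode(bytes(range(s, s + 32))).decode() for s in (0, 32))
GOOD = (f"[Interface]\nPrivateKey = {KEY_A}\nAddress = 172.16.82.6/24\nDNS = 8.8.8.8\n\n"
        f"[Peer]\nPublicKey = {KEY_B}\nAllowedIPs = 172.16.82.1/32, 192.168.22.0/24\n"
        "Endpoint = vpn.example.net:16631\nPersistentKeepalive = 15\n")
# Step 4 skipped (empty PrivateKey) and the listening port left off the Endpoint.
BAD = GOOD.replace(KEY_A, "").replace(":16631", "")

if __name__ == "__main__":
    print(check_wg_client_conf(GOOD) or "OK", check_wg_client_conf(BAD))
```

wg-client.conf holds the client's private key in plain text, so delete the copy on the Desktop once the tunnel has been imported.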


The article 'Connecting a Windows 7 computer to a remote Keenetic network through the WireGuard tunnel' presents another option, in which all traffic is routed into the tunnel and the VPN client accesses the Internet through it.