Starting from KeeneticOS version 3.3, you can use WireGuard VPN to connect to the local network of the Keenetic router remotely.
First, you need to configure the WireGuard server on the Keenetic device. The following instruction shows the process: 'Configuring a WireGuard VPN between two Keenetic routers'. Then move on to the VPN client setup.
NOTE: Important! If you want to configure a Keenetic router as a VPN server, make sure that it has a public IP address and, when using the KeenDNS service, that it works in the 'Direct access' mode. If any of these conditions are not met, it will be impossible to connect to such a server from the Internet.
Below is an example of connecting to a server from an iPhone running the iOS operating system.
To connect to the Keenetic WireGuard server on your iOS mobile device, you can use the free application WireGuard.
1. Install the client, find the WireGuard shortcut on the desktop and launch it.
2. The main program window will open. In the upper right corner of the screen, click on the '+' icon to configure the WireGuard client on your phone. Then click on 'Create from scratch'.
In the 'Name' field, enter a name for the connection, for example, 'wg-ios-client' (you can specify any arbitrary name). Go on to the creation of Private and Public keys. Click on 'Generate keypair'. Save the Public key to the phone clipboard (you will need it in the following settings step) by clicking on 'Public key'.
3. Perform the remote peer connection setup. Set the IP address in the 'Addresses' field of the WireGuard client in IP/bitmask format — 172.16.82.7/32 (internal tunnel address). It is possible to use a different subnet by selecting it from the private address range and avoiding overlapping with other subnets configured on these devices.
4. In the 'Peer' section, specify the server public key, server address, port, and allowed addresses/subnets on the server side.
The public key should be obtained in the WireGuard server settings in the web interface of the Keenetic router. Copy the generated server public key by clicking on 'Save Public key to clipboard' and then paste it into your phone's peer settings.
In the 'Allowed IPs' field, enter the allowed IP addresses in IP/bitmask format — 172.16.82.1/32 (internal server address) and 192.168.22.0/24 (local segment address of the Keenetic router).
In the 'Endpoint' field, enter the public IP address or domain name of the WireGuard server and the listening port on which the WireGuard client will set the connection.
In the 'Persistent keepalive' field, specify the frequency of attempts to verify that the connection's remote side is available. Usually, a 10-15 second interval between checks is sufficient.
Save the settings by clicking on 'Save' in the upper right corner of the screen.
5. Setting up a remote connection on the WireGuard server side.
Connect to the web interface of the Keenetic router and go to 'Internet' — 'Other connections' menu. Click on the previously created WireGuard connection ('WG-S') and add 'Peer settings'. Clicking on 'Add Peer' will open the Peer Settings field, where you will enter the name of the tunnel 'wg-ios-client'.
In the 'Public Key' field, specify the key generated earlier in section 2 of this article.
In the 'Allowed IPs' fields, specify the address from which traffic will be allowed to the server in IP/bitmask format — 172.16.82.7/32.
In the 'Persistent keepalive' field, specify the frequency of attempts to check the remote connection side's availability. Usually, a 10-15 second interval between checks is sufficient. By default, the 'Persistent keepalive' value in peer settings is 30 seconds.
6. Go back to the WireGuard client settings on your phone and activate the server connection.
NOTE: Important! If you have Internet access via the WireGuard VPN router configured, you must specify a DNS server on the WireGuard client side in the 'DNS Servers' field.
In this example, we have the address of a Google DNS server 22.214.171.124:
7. Check server availability on the client side.
If configured correctly, the server's web interface will be available (in our example, it is Keenetic with IP address 192.168.22.1).
To check the server's availability, you can send ICMP packets to an IP address, for example, via iNetTools - Ping, DNS, or Port Scan.
The setup is complete.
If you want to allow the connected clients to access the Internet through this VPN connection, make an additional configuration from this article Internet access via WireGuard VPN.