Starting from KeeneticOS version 3.3, you can use WireGuard VPN to remotely connect to the local network of the Keenetic router.
First, you need to configure the WireGuard server on the Keenetic device, which is shown in the following instruction: Configuring a WireGuard VPN between two Keenetic routers, then move on to the VPN client configuration.
NOTE: Important! If you want to configure a Keenetic router as a VPN server, make sure that it has a public IP address, and when using the KeenDNS service, that it works in the 'Direct access' mode. If any of these conditions are not met, it will be impossible to connect to such server from the Internet.
Below is an example of how to connect to a server from a macOS operating system, using the version macOS Catalina as a reference.
To connect to the Keenetic WireGuard server on a macOS-based computer, you need to download and install the program WireGuard.
1. Launch the program and click on the down arrow in the lower-left corner. Select 'Add empty tunnel... [⌘+N]'.
2. A connection setup window will open where you need to enter the Wireguard client settings for macOS [Interface] and the remote Wireguard server Keenetic [Peer].
NOTE: Important! Leave this window open, do not close it.
In the 'Name' field enter the connection name 'wg-client' (you can specify another name).
Opposite to 'On-Demand' select the network interface for the Wireguard client to work through.
Configuring the client [Interface]:
The 'PrivateKey' field of the interface contains the macOS Wireguard client key generated by the program.
Set the IP address in the 'Address' field of the WireGuard client in IP/bitmask format — 172.16.82.10/24 (internal tunnel address). It is possible to use a different subnet, choosing it from the private address range and avoiding overlapping with other subnets configured on these devices.
NOTE: Important! If you have set up Internet access via WireGuard VPN, in the '[Interface]' section you need to specify the DNS server in the 'DNS=' field.
In our example, the Google DNS server address is set to 22.214.171.124:
[Interface] PrivateKey = Address = 172.16.82.10/24 DNS = 126.96.36.199 [Peer] PublicKey = AllowedIPs = 172.16.82.1/32, 192.168.22.0/24 Endpoint = enpwgwrkserver.dynns.com:16631 PersistentKeepalive = 5
Configuring the server [Peer]:
In the 'PublicKey' field insert the public key of the server, which can be copied to the clipboard from WireGuard settings in the web interface of the router:
In the 'Allowed IPs' field enter the allowed IP addresses, in IP/bitmask format — 172.16.82.1/32 (internal server address) and 192.168.22.0/24 (local segment address of the Keenetic router).
In the 'Endpoint' field, enter the public IP address or domain name of the WireGuard server and the listening port on which the WireGuard client will set the connection.
In the 'PersistentKeepalive' field, specify the frequency of the attempts to verify the availability of the connection's remote side. Usually, a 10-15 second interval between checks is sufficient.
3. Setting up a remote connection on the WireGuard server side.
Connect to the web interface of the Keenetic router and go to 'Internet' — 'Other connections' menu. Click on the previously created WireGuard connection ('WG-S') and add 'Peer settings'. Clicking on 'Add Peer' will open the Peer Settings form, where you will enter the name of the tunnel 'wg-mac-client'.
In the 'Public Key' field, insert the key that was generated earlier in step 2 of this article.
In the 'Allowed IPs' field specify the address from which traffic will be allowed to the server in IP/bitmask format — 172.16.82.10/32.
In the 'Persistent keepalive' field, specify the frequency of attempts to check the availability of the remote connection side. Usually, a 10-15 second interval between checks is sufficient. By default, the 'Persistent keepalive' value in peer settings is 30 seconds.
4. Return to the Wireguard program settings, the configured connection will appear in the list.
If the setting is correct, you will see a green indicator in front of the 'Status' line.
To verify server availability, you can send ICMP packets to an IP address in Terminal.
Check the availability of the server web interface (in our example, it is a Keenetic with IP address 192.168.22.1).
The setup is complete.