Starting from KeeneticOS version 3.3, you can use WireGuard VPN to connect to the local network of the Keenetic router remotely.
NOTE: Important! If you want to configure a Keenetic router as a VPN server, make sure that it has a public IP address and, when using the KeenDNS service, that it works in the 'Direct access' mode. If any of these conditions are not met, connecting to such a server from the Internet will be impossible.
First, you need to configure the WireGuard server on the Keenetic device. The following instruction shows the process: 'Configuring a WireGuard VPN between two Keenetic routers'. Then move on to the VPN client setup.
Below is an example of connecting to a server from a macOS operating system, using the version macOS Catalina as a reference.
To connect to the Keenetic WireGuard server on a macOS-based computer, you need to download and install WireGuard.
1. Launch the program and click on the down arrow in the lower-left corner. Select 'Add empty tunnel... [⌘+N]'.
2. A connection setup window will open where you need to enter the WireGuard client settings for macOS [Interface] and the remote WireGuard server Keenetic [Peer].
NOTE: Important! Leave this window open, do not close it.
In the 'Name' field, enter the connection name 'wg-client' (you can specify another name).
Opposite to 'On-Demand', select the network interface for the WireGuard client to work through.
Configuring the client [Interface]:
The 'PrivateKey' field of the interface contains the macOS WireGuard client key generated by the program.
Set the IP address in the 'Address' field of the WireGuard client in IP/bitmask format — 172.16.82.10/24 (internal tunnel address). It is possible to use a different subnet, choosing it from the private address range and avoiding overlapping with other subnets configured on these devices.
NOTE: Important! If you have set up Internet access via WireGuard VPN, in the '[Interface]' section, you need to specify the DNS server in the 'DNS=' field.
In our example, the Google DNS server address is set to 126.96.36.199:
[Interface] PrivateKey = Address = 172.16.82.10/24 DNS = 188.8.131.52 [Peer] PublicKey = AllowedIPs = 172.16.82.1/32, 192.168.22.0/24 Endpoint = enpwgwrkserver.dynns.com:16631 PersistentKeepalive = 5
Configuring the server [Peer]:
In the 'PublicKey' field, insert the public key of the server, which can be copied to the clipboard from WireGuard settings in the web interface of the router:
In the 'Allowed IPs' field, enter the allowed IP addresses in IP/bitmask format — 172.16.82.1/32 (internal server address) and 192.168.22.0/24 (local segment address of the Keenetic router).
In the 'Endpoint' field, enter the public IP address or domain name of the WireGuard server and the listening port on which the WireGuard client will set the connection.
In the 'PersistentKeepalive' field, specify the frequency of the attempts to verify the availability of the connection's remote side. Usually, a 10-15 second interval between checks is sufficient.
3. Setting up a remote connection on the WireGuard server side.
Connect to the web interface of the Keenetic router and go to the 'Internet' — 'Other connections' menu. Click on the previously created WireGuard connection ('WG-S') and add 'Peer settings'. Clicking on 'Add Peer' will open the Peer Settings form, where you will enter the name of the tunnel 'wg-mac-client'.
In the 'Public Key' field, insert the key generated earlier in step 2 of this article.
In the 'Allowed IPs' field, specify the address from which traffic will be allowed to the server in IP/bitmask format — 172.16.82.10/32.
In the 'Persistent keepalive' field, specify the frequency of attempts to check the remote connection side's availability. Usually, a 10-15 second interval between checks is sufficient. By default, the 'Persistent keepalive' value in peer settings is 30 seconds.
4. Return to the WireGuard program settings; the configured connection will appear in the list.
If the setting is correct, you will see a green indicator in front of the 'Status' line.
To verify server availability, you can send ICMP packets to an IP address in Terminal.
Check the availability of the server web interface (in our example, it is a Keenetic with IP address 192.168.22.1).
The setup is complete.