Setting up WireGuard VPN between two Keenetic routers

Starting with version KeeneticOS 3.3, WireGuard VPN support was added for Keenetic Internet centers.

Let's look at an example of setting up a secure VPN connection using the WireGuard protocol between two Keenetic Internet centers. We will show in detail the settings for the VPN server (wait for connection) and VPN client (initiates the connection).

Important! If you plan to use Keenetic as a VPN server, you need to start by checking that it has a public (“white”) IP address, and, if you use the KeenDNS service, that it works in “Direct Access” mode, which also requires a public IP address. If either of these conditions is not met, connecting to such a VPN server from the Internet will not be possible.

Let's look at the connection diagram:

wg.png

There is a Keenetic Internet center with a “white” IP address for accessing the Internet. This router will act as the VPN server, and another Keenetic Internet Center (the VPN client), which has an IP address from the private range on its WAN interface, will establish a VPN connection to the server's public address.

It is necessary to provide the hosts of each router with access to the remote local network via a VPN tunnel. This connection scheme is also called “Site-To-Site VPN” (for example, an interoffice connection for communication in order to expand the network infrastructure).

wg-01.png

Important! We recommend setting up the WireGuard VPN from a single device (for example, a computer or smartphone), because when creating the connection you will need to exchange public keys between both sides of the VPN tunnel, so you need simultaneous access to the server and client settings.

In our example, the server and client are Keenetic Internet centers, so open two web configurators in your web browser in different tabs.

On devices, do the following:

Go to the “Other connections” page and in the “WireGuard” section click the “Add connection” button. A settings window will open; specify the name of the tunnel in it. In our example, this is “WG-S” on the server and “WG-CL1” on the client. Click the “Generate key pair” button to create a Private and a Public key. Later we will only need the Public keys of both sides of the VPN tunnel: the public key of the VPN server must be entered in the VPN client settings and vice versa.

wg-s-00.png

Important! Do not close the browser tabs with WireGuard connection parameters for the server and client. During the setup process you will need to switch between them.

Now let's move directly to the settings of each router.

Setting up a WireGuard VPN server

In the WireGuard connection settings, in the “Address” field, enter the internal IP address of the tunnel in the IP/bitmask format (in our example it is 172.16.82.1/24). You can use any subnet from the private range that is not used on the server and client sides. In the “Listening port” field, specify the port number that will be used when setting up the VPN client (in our example, it is port 16632). It is this port that the client will contact when establishing a tunnel. The router will automatically open this port on all interfaces to allow incoming connections. There is no need to add additional firewall allowing rules.

wg-s-01.png

Click the “Add Peer” button to create connection settings with the client.

Temporarily switch your browser to the VPN client web configurator tab and in the WireGuard connection settings (“WG-CL1”) click the “Save public key to clipboard” button.

Go back to the VPN server settings tab. Specify the name of the peer (in our example it is “WG-CL1”) and in the “Public key” field paste the public key of the VPN client from the clipboard. In the “Allowed subnets” fields you need to specify the addresses from which traffic arriving from the remote side is accepted, and the addresses to which traffic is sent to the remote side. Typically, this is the internal address of the remote end of the tunnel and the remote network (the VPN client's local network).

Important! The address spaces of allowed subnets in peers within the same interface must not overlap.

In our example, the address of the remote end of the tunnel is 172.16.82.2/32. From the VPN client side, the traffic in the tunnel will go with the source address 172.16.82.2, and therefore we explicitly specify the host address here (with a /32 mask). And 192.168.100.0/24 is indicated as the remote network (access to this network must be provided via a tunnel).

wg-s-02.png

Click the “Save” button.

This completes the setup of the WireGuard connection on the VPN server side, but you also need to configure the firewall and routing on the router. For the created WireGuard interface, you need to allow incoming traffic and specify a static route to the remote network.

Open the Firewall page. For the WireGuard interface (in our example it is “WG-S”), add and enable an allow rule for the IP protocol. This is necessary because, by default, tunnel interfaces are assigned the “public” security level and incoming traffic on them is prohibited. In order for requests from the remote networks to pass through the tunnel, the corresponding settings must be made on both routers.

wg-s-04.png
wg-s-05.png

In order for traffic to be sent through the tunnel to a remote network, you need to add a static route. Go to the “Routing” page, click on the “Add route” button and specify the following static route parameters:

In the “Route Type” field, select the “Route to Network” value, in the “Destination Network Address” field, specify the remote subnet (in our example, this is 192.168.100.0) and in the “Interface” field, select the name of the previously created WireGuard interface (in our example this is “WG-S”), enable the “Add automatically” option.

wg-cl1-07.png

At this point, the VPN server setup is complete and you can proceed to the VPN client settings. But before that, open the “Other connections” page, click on the entry for the created WireGuard connection (in our example it’s “WG-S”) and then click the “Save public key to clipboard” button. We will now need this key when setting up on the VPN client side.

Important! Often, on a router that acts as a VPN server, the administrator additionally configures the firewall to block all incoming connections on the WAN interface and allow connections only from certain IP addresses. If you have such settings, add a rule to the firewall on the WAN interface that allows incoming connections to the WireGuard server. In the allowing rule, specify the WireGuard server listening port for the UDP protocol (in our example, this is port 16632). If this is not done, the VPN tunnel will not be established.

Setting up the WireGuard VPN Client

In the WireGuard connection settings, in the “Address” field, enter the internal IP address of the tunnel from the same subnet that is specified on the VPN server. Specify the IP address in the IP/bitmask format (in our example it is 172.16.82.2/24, since the address 172.16.82.1/24 is used at the remote end of the tunnel).

wg-cl1-01.png

Click the “Add Peer” button to create settings for connecting to the server.

Specify the name of the peer (in our example it is “WG-S”) and in the “Public key” field paste the public key of the VPN server from the clipboard. In the “Address and port of the peer” field, in the IP:port or name:port format, enter the public IP address or domain name of the router that acts as the VPN server and, after a colon, the peer port (the listening port that was specified when configuring the tunnel on the server). In our example this is ****.keenetic.link:16632

Important! When using the KeenDNS service, make sure it is running in “Direct Access” mode. When using the “Through the Cloud” mode, connecting to the VPN server from the Internet will not be possible.

In the “Allowed subnets” fields, you need to specify the addresses from which traffic arriving from the remote side is accepted, and the addresses to which traffic is sent to the remote side. This is the internal address of the remote end of the tunnel and the remote network (the local network of the VPN server). In our example, the address of the remote end of the tunnel is 172.16.82.1/32 (from the VPN server side, the traffic in the tunnel will arrive with the source address 172.16.82.1, and therefore we explicitly specify the host address here), and the remote network is 192.168.22.0/24 (access to this network must be provided via the tunnel). In the “Aliveness check” field, specify the interval between attempts to check the activity of the peer (this is an internal check of the availability of the remote side of the connection). In our example, the value is set to 15 seconds.

wg-cl1-02.png

Click the “Save” button.

Now let's configure the firewall and routing on the router. For the created WireGuard interface, you need to allow incoming traffic and specify a static route to the remote network.

Open the Firewall page. For the WireGuard interface (in our example it is “WG-CL1”) add and enable an allow rule for the IP protocol.

wg-s-04.png
wg-s-07.png

In order for traffic to be sent through the tunnel to a remote network, you need to add a static route. Go to the “Routing” page, click on the “Add route” button and specify the following static route parameters:

In the “Route Type” field, select the “Route to Network” value, in the “Destination Network Address” field, specify the remote subnet (in our example, this is 192.168.22.0) and in the “Interface” field, select the name of the previously created WireGuard interface (in our example this is “WG-CL1”), enable the “Add automatically” option.

wg-cl1-04.png

This completes the setup of the VPN server and VPN client.
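As an added consistency check (not part of the original article or of KeeneticOS), the following Python script models both WireGuard interfaces with the values used above and verifies the rules the article relies on: both tunnel addresses in one subnet, no overlapping “Allowed subnets” within one interface, each side listing the other's public key and tunnel host address, and the client's peer port equal to the server's listening port. The public keys and the endpoint host name are placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Peer:
    name: str
    public_key: str
    allowed: List[str]               # "Allowed subnets", e.g. "172.16.82.2/32"
    endpoint: Optional[str] = None   # "host:port", set on the client side only

@dataclass
class WgInterface:
    name: str
    address: str                     # tunnel address in IP/bitmask form
    public_key: str
    listen_port: Optional[int] = None
    peers: List[Peer] = field(default_factory=list)

def check_site_to_site(server: WgInterface, client: WgInterface) -> List[str]:
    """Return a list of problems found; an empty list means both sides agree."""
    problems = []
    s_if, c_if = ipaddress.ip_interface(server.address), ipaddress.ip_interface(client.address)
    if s_if.network != c_if.network:
        problems.append("tunnel addresses are not in one subnet")
    for local, remote, remote_if in ((server, client, c_if), (client, server, s_if)):
        nets = [ipaddress.ip_network(a) for p in local.peers for a in p.allowed]
        # Allowed subnets of peers on one interface must not overlap
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    problems.append(f"{local.name}: allowed subnets {a} and {b} overlap")
        # The other side's public key and its tunnel host address must be listed
        if remote.public_key not in {p.public_key for p in local.peers}:
            problems.append(f"{local.name}: public key of {remote.name} is missing")
        if not any(remote_if.ip in n for n in nets):
            problems.append(f"{local.name}: remote tunnel address {remote_if.ip} not allowed")
    # The client's peer port must be the server's listening port
    for p in client.peers:
        if p.endpoint and int(p.endpoint.rsplit(":", 1)[1]) != server.listen_port:
            problems.append(f"{client.name}: endpoint port does not match server listening port")
    return problems

def example_config():
    """Both sides as described in the article; keys and endpoint host are placeholders."""
    srv_peer = Peer("WG-CL1", "CLIENT_PUBLIC_KEY_PLACEHOLDER", ["172.16.82.2/32", "192.168.100.0/24"])
    server = WgInterface("WG-S", "172.16.82.1/24", "SERVER_PUBLIC_KEY_PLACEHOLDER", 16632, [srv_peer])
    cl_peer = Peer("WG-S", "SERVER_PUBLIC_KEY_PLACEHOLDER", ["172.16.82.1/32", "192.168.22.0/24"],
                   "vpn-server.example.net:16632")   # placeholder for ****.keenetic.link
    client = WgInterface("WG-CL1", "172.16.82.2/24", "CLIENT_PUBLIC_KEY_PLACEHOLDER", None, [cl_peer])
    return server, client
```

Running `check_site_to_site(*example_config())` on the article's values returns an empty list; adding a second peer whose allowed subnet overlaps 172.16.82.2/32 or changing the endpoint port reports the corresponding problem.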

Enable the created WireGuard connections on the routers. If everything is configured correctly, a green status indicator should be displayed in the “Peer” column.

VPN server:

wg-s-03.png

VPN client:

wg-cl1-03.png

The setup is complete.

To check the operation of the VPN tunnel from hosts or directly from the router (from the “Diagnostics” menu in the web configurator), ping the remote router or devices located behind the tunnel.

For example, from a host on the local network of the VPN client (from the network 192.168.100.x), we ping the tunnel IP address of the VPN server (in our case it is 172.16.82.1) and then the local IP address of the Keenetic Internet center on the remote network behind the tunnel (in our example it is 192.168.22.1).

ping-s-01.png

We check the availability of the server web interface (in our example it is Keenetic with IP address 192.168.22.1).

win-wg-13.png

But routing from the server to the client did not work right away, only after a couple of hours. So don't worry if something doesn't start working right away.
