WireGuard VPN
WireGuard — is a free, open-source software application, virtual private network protocol (VPN) to transfer encrypted data and create secure point-to-point connections.
Важливо
WireGuard VPN support is implemented for current generation Keenetic devices, starting from KeeneticOS version 3.3
The features and advantages of the WireGuard protocol are in the use of modern, highly specialized data processing algorithms. The codebase of the project is written from scratch and is characterized by its compact design.
WireGuard is part of the system kernel module. WireGuard connection is software accelerated and is multithreaded, i.e., it can work stably and use resources of one kernel.
Keenetic devices can operate either as a VPN server or as a VPN client. The terms 'client' and 'server' are conditional due to the specifics of the protocol. But usually, the server is a device that waits for a connection, and the client is a device that initiates a connection.
When connecting to the WireGuard VPN server on Keenetic as a VPN client, you can use a computer (based on Windows, Linux, macOS), a mobile device (based on Android and iOS), or the Keenetic devices.
Using the WireGuard VPN client on Keenetic, you can connect to a VPN provider that provides a WireGuard VPN connection service or another Keenetic that operates as a VPN server and get remote access to its local network.
Важливо
If you plan to configure your Keenetic device as a VPN server, you should first check that it has a public IP address and, if you use the KeenDNS service, that it works in the direct access mode. If you do not comply with any of these conditions, you will not be able to connect to such a server from the Internet.
To set up protected tunnels via the WireGuard protocol in Keenetic routers, you must install the 'WireGuard VPN' system component. You can do this in the web interface on the 'System settings' page in the 'Updates and component options' section by clicking on 'Component options'.
Then you will find the 'WireGuard' section on the 'Other connections' page.
To configure the WireGuard interface manually, click the 'Add Connection' button. We are not going to review the connection settings here, but you can find them in the detailed instruction:
Configuring WireGuard VPN between two Keenetic routers (this article describes the VPN server configuration example).
You may also import WireGuard interface settings from a pre-created configuration file. Click the 'Download from file' button and then choose the path to the pre-configured file on your computer.
The main principles of WireGuard VPN operation:
Each WireGuard tunnel is a system interface operating at the third (network) layer of the OSI model. Traffic can be routed into it, and IP access policies can be configured (network screen).
The WireGuard interface has several main configuration parameters: private and public key pair, address, and listening port.
When creating the WireGuard interface, you will need to create a pair of encryption keys — Private and Public, as well as assign the internal IP address of the device in the VPN tunnel and determine the listening port number on the VPN server side.
Private and Public keys are used to secure the connection. These keys are used to authenticate the members. Public and private keys are a pair of keys that are created (generated) simultaneously. Cryptographic algorithms involve the joint use of such a key pair. Both keys must '
match
' the encrypted part of the information. For example, if encryption is done with the private key, the decryption can be done only with the public key.You need to generate encryption keys on both sides of the VPN tunnel. You will only need to exchange public keys on both sides of the VPN tunnel during the connection setup.
As for the internal address of the tunnel interface, it must be any suitable address from the private range, but it must not match the other subnets on the Keenetic router itself. This IP address is specified in the IP/bitmask format (e.g.,
10.11.12.1/24
). Different addresses must be set on the VPN client and VPN server, but they should be from the same subnet. For example,172.16.82.1/24
on the server and172.16.82.2/24
on the client.You will need to specify the listening port number on the VPN server side, and it will be used for incoming connections to the WireGuard interface. You can set the random port number (for example,
16632
); the most important thing is that it should not be blocked by your ISP and should not match the already opened ports of other services on the router.Then, you need to add peer(s). A peer is a member or client of a specific connection. You can create multiple peers in one VPN connection, for example, to connect to a VPN server from various computers or mobile devices.
Each peer is uniquely characterized by the public key of the remote side. You will need to specify a public key to the device, the internal IP address of the tunnel, and the allowed subnets in the peer settings on the other side of the VPN tunnel.
The list of allowed subnets (Allowed IPs) is a special parameter in the peer settings. These are address areas from which this peer can receive traffic (source IP addresses) and to which traffic can be sent (destination IP addresses). Technically, these addresses are used to encrypt and decrypt traffic. This technology is called Crypto Routing and is a fundamental feature of WireGuard. You must add a
0.0.0.0/0
subnet to allow the transmission to any address.It is essential to specify the public IP address or the domain name of the WireGuard VPN server on the VPN client side and specify the listening port to which the VPN client will connect (for example,
myrouter01.keenetic.pro:16632
). On VPN clients, this field is usually called Remote Endpoint.It is also necessary to specify the interval of attempts to check the peer activity in its settings. It is an internal check of the accessibility of the remote side of the connection by sending keepalive packets in the tunnel. By default, the value of 'Persistent keepalive' in Keenetic peer settings is
30 seconds
, but usually,10 or 15
seconds between checks are enough.Важливо
It is recommended to leave the Persistent keepalive field empty (blank) on the server side if you are setting up a server for clients to connect to. This will prevent unnecessary standby in the wait of handshake attempt to finish when a client has disconnected.
On the client side, the Persistent keepalive field should be filled with chosen value for WireGuard VPN to work properly!
WireGuard has an encryption key routing concept that uses private key bindings to each network interface. The VPN connection is initialized by sharing public keys and is similar to the SSH model.
The encryption keys are assigned to a list of VPN IP addresses allowed in the tunnel. Access to the list of IP addresses is allowed on the network interface. When the server accepts and decrypts an authenticated packet, its source field is checked. If it matches the one specified in the ''Allowed IPs' field of the authenticated peer, the WireGuard interface will accept the packet. When you send an outgoing packet, the destination IP address is checked to determine its legitimacy, and the appropriate peer is selected on its basis. Then the package is signed with its key, encrypted with the peer key, and sent to the public address and peer port (to Remote Endpoint). All IP packets received on the WireGuard interface are encapsulated in the UDP and are safely delivered to other peers.
WireGuard protects user data with advanced cryptography types: Curve25519 for key exchange, ChaCha20 for encryption, Poly1305 for data authentication, SipHash for hash keys, and BLAKE2 for hashing.
The Crypto Routing process allows you to provide a user with up to
100%
trusted traffic and ensures high security and performance at the exit of the interface.
Examples of WireGuard connection settings
You can find detailed instructions on how to configure the Keenetic as a VPN server and VPN client to interconnect two local networks:
To set up a connection to VPN providers that can work with WireGuard, refer to the instructions:
You can use mobile devices based on Android and iOS to connect to the Keenetic router via WireGuard protocol:
Or you may use computers based on Windows, Linux, macOS:
Sometimes you want clients connected to the Keenetic router via WireGuard to access the Internet through this VPN tunnel. You will need to make additional configurations. Please refer to the article: