Skip to main content

User Manual

IPSec VPN server (Virtual IP)

In Keenetic routers, it is possible to connect to the IPsec Virtual IP server using Xauth PSK authentication to access home network resources. IPsec connection provides absolutely secure access to the home network from a smartphone or tablet: Android and iOS have convenient built-in clients for this type of VPN.


A Keenetic device that hosts the IPsec VPN server must be connected to the Internet with a global (public) IP address, and if using the KeenDNS domain name, it must be configured in the Direct Access mode. If any of these conditions are not met, it will not be possible to connect to such a server from the Internet.

Go to the 'Applications' page. Here you will see the 'IPsec VPN server' panel. Click the 'IPsec VPN server' link.


In the 'IPsec VPN server (Virtual IP)' window that appears, specify the security key in the 'Shared IPsec key' field. This security key will need to be used on the client when configuring the VPN connection.


The L2TP/IPsec VPN server also uses this key.


The 'NAT for clients' option is enabled in the server settings by default. This setting is used to allow VPN server clients to access the Internet.


In the current implementation, the system does not check for address conflicts between addresses on servers and addresses on local segments and external interfaces. As a result, the following situations can occur:

  • If the server address is the same as the address of the segment for which automatic NAT is enabled, disabling the 'NAT for clients' option in the VPN server configuration will not disable NAT for the addresses used by this server i.e. the disabling will not work.

  • If the server address is the same as the address on the WAN interface, conversely, NAT will not work even if the 'NAT for clients' option is enabled.

The IP address pool size limits the total number of possible simultaneous connections. Like the initial IP address, this setting should not be changed unnecessarily.


The IP subnet you specify must not match or intersect with the IP addresses of other interfaces of the Keenetic router, as this may result in an IP address conflict.

In the settings of the IPsec virtual VPN server, there is a 'DNS server' field. This is due to the specifics of virtual server operation. All other VPN servers use two IP addresses within connection establishment: client and server (router) address, and the router address is used by clients as a DNS server. On the IPsec virtual VPN server, the router address is not present, so a DNS server address must be specified. If it is not specified, the client cannot resolve any names.

The default DNS server address used is (this is the IP we acquired for the name Requests to this address are intercepted by the router and the result is the same as if the address of the router in the home network ( was specified in this field, except that the latter can be changed by the user, and then it must be changed in the VPN server settings, while is always intercepted. By obtaining, the client will pass all DNS queries to Keenetic, and it will already pass to its DNS servers obtained from the ISP or manually assigned.

Select the accounts you want to allow access to the VPN server in the 'Users' section. Here you can also add a new user by specifying a username and password.

After configuring the server, put the switch in the 'Enabled' state.


By clicking on the 'Connection statistics' link, you can see the connection status and additional information about active sessions.



When setting up the connection to the VPN server on Android devices, choose the type of VPN connection 'IPsec Xauth PSK' and on iOS devices — 'IPsec'.