VPN types in Keenetic routers
VPN (Virtual Private Network) — a generic name for technologies that provide one or more network connections (tunnels) over another network (e.g., the Internet).
There are many reasons for using virtual private networks. The most common of these are security and data privacy. The confidentiality of original user data is guaranteed using data protection tools in virtual private networks.
It is known that IP (Internet Protocol) networks have a 'weak point' due to the structure of the protocol. There are no means of protecting the transferred data and no guarantee that the sender is the one he claims to be. The data in an IP network can be easily tampered with or intercepted.
We recommend using a VPN connection to connect from the Internet to your home server, USB flash drive files connected to a router, DVR, or a computer desktop through the RDP protocol. In this case, you don't have to worry about the security of the transmitted data because the VPN connection between the client and the server is usually encrypted.
Keenetic devices support the following types of VPN connections:
PPTP/SSTP
L2TP over IPSec (L2TP/IPSec)
WireGuard
OpenVPN
IPSec
IKEv2
GRE/IPIP/EoIP
IPSec Xauth PSK (Virtual IP)
With the help of a Keenetic router, your home network can be connected via a VPN to a public VPN service, office network, or another Keenetic device, regardless of Internet connection type.
VPN clients/servers for secure access (PPTP, L2TP over IPSec, IKEv2, Wireguard, OpenVPN, SSTP) as well as tunnels for network interconnection (Site-to-Site IPSec, EoIP (Ethernet over IP), GRE, IPIP (IP over IP) are implemented in all Keenetic devices.
Depending on the protocols used and the purpose, a VPN can provide connections in different scenarios: host-host, host-network, hosts-network, client-server, clients-server, router-router, routers-router (VPN concentrator), network-network (site-to-site).
If you don't know what type of VPN to choose, the tables and recommendations below will help you.
VPN type | Client | Server | Hardware acceleration | Number of simultaneous connections |
---|---|---|---|---|
PPTP | + | + | - |
|
SSTP | + | + | - |
|
L2TP over IPSec | + | + | + |
|
WireGuard | + | + | - | up to 32 |
IPSec | + | + | + | no limitation |
IKEv2 | + | + | + | up to 32 |
GRE / IPIP / EoIP | + | + | - | up to 128 |
OpenVPN | + | + | - |
up to 128 |
IPSec Xauth PSK | - | + | + | up to 32 |
*
— in the Starter, Runner 4G, Launcher, Explorer, Carrier models, only the AES algorithm acceleration is used, and in Skipper, Titan, Hero, Giant, Peak the entire IPSec protocol hardware acceleration is used.
**
— up to 200
for Hero and Titan; up to 150
for Carrier DSL; up to 100
for Starter, Launcher, Explorer and Carrier.
***
— from KeeneticOS 3.7
the number of WireGuard connections is increased to 128
for Peak and to 48
for Hero, Titan, Skipper, Hero 4G, Giant and Speedster.
****
— before KeeneticOS 3.3
, the limit was 10
connections for Hero, Titan, and 5
for all other models.
Importante
The number of client connections is limited by the dedicated service storage space (24 Kbytes
) for VPN configurations. This is especially important for OpenVPN connections, as the total size of their configurations should not exceed 24 Kbytes
.
VPN type | Difficulty level | Level of data protection | Speed | Resource intensity | OS integration |
---|---|---|---|---|---|
PPTP | for ordinary users | low | average | low | Windows, macOS, Linux, Android, iOS (up to and including v9.) |
SSTP | for ordinary users | high | average, low operating via the cloud | average | Windows |
L2TP over IPSec | for ordinary users | high | high | high | Windows, macOS, Linux, Android, iOS |
WireGuard | for advanced users | very high | high | low | not available |
IPSec | for professionals | very high | high | high | Windows, macOS, Linux, Android, iOS |
IKEv2 | for ordinary users | high | high | high | Windows, macOS, Linux, iOS |
OpenVPN | for advanced users | very high | low | very high | not available |
IPSec Xauth PSK | for ordinary users | high | high | high | Android, iOS |
*
— you will need to install additional free software in Windows, macOS, Linux, Android, iOS operating systems to set up the connection.
**
— values are relative, not the exact figures, because speeds for VPN connections depend on models and several factors - the type of encryption algorithms used, the number of simultaneous connections, the type of the Internet connection, the speed and the load of the Internet channel, the load on the server and other factors. Let's consider low speed up to 15 Mbit/s
, average speed around 30 - 40 Mbit/s
, and high speed — over 70 Mbit/s
.
Importante
You can get maximum VPN connection speeds with the Keenetic Peak (KN-2710). This high-performance model, thanks to an energy-efficient 1.35GHz Cortex-A53 2-core ARM processor and increased RAM capacity, boost the peak speeds of the resource-intensive OpenVPN, SSTP and IPsec VPN protocols to 150-200Mbps
.
Here's an example of maximum speeds for different types of VPN obtained in our testing lab: Wireguard — 450 Mbit/s
; IPsec — 220 Mbit/s
; L2TP/IPsec — 160 Mbit/s
; SSTP (in direct access mode) — 110 Mbit/s
; OpenVPN — 200 Mbit/s
; PPTP (with MPPE) — over 500 Mbit/s
.
VPN type | Advantages | Disadvantages |
---|---|---|
PPTP | popularity, high customer compatibility | low level of data protection, in comparison with other VPN protocols |
SSTP | the capability of VPN-server operation using the private IP-address for Internet access | the built-in Windows-only client, low data transfer rate when working through the cloud |
L2TP over IPSec | security, stability, high customer compatibility | the standard ports are used, which allows the ISP or system administrator to block the traffic |
WireGuard | modern data security protocols, low resource intensity, high data transfer rate | is not a part of the modern OS, development is experimental, and instability may occur |
IPSec | reliability, very high level of data protection | the configuration is difficult for ordinary users |
IKEv2 | reliability, very high level of data protection, easy setup, supports Blackberry devices | not included in Android (you need to use additional free software), standard ports are used, which allows the ISP or system administrator to block traffic |
OpenVPN | high level of data protection, the use of HTTPS protocol (TCP/443) | is not a part of the modern OS, very resource-intensive, low data rates |
IPSec Xauth PSK | security, it is a part of a modern mobile OS | lack of customer support for PC operating systems |
*
— This feature is implemented on our cloud server as a special software extension and is available only for the users of Keenetic devices.
In most cases, for client-server remote connections, we recommend the following protocols:
L2TP over IPSec (L2TP/IPSec), PPTP, IPSec Xauth PSK, SSTP
In many Keenetic models, data transfer over IPSec (including L2TP over IPSec and IKEv2) is hardware accelerated using the device processor. You don't have to worry about the privacy of IP telephony or CCTV streams in such a tunnel.
If your ISP gives you a public IP address, we recommend you to pay attention to the IKEv2, the so-called IPSec virtual server (Xauth PSK), and L2TP over the IPSec server. They are great because they provide secure access to your home network from your smartphone, tablet, or computer with minimal configuration: Android, iOS, and Windows have convenient built-in clients for these types of VPNs. For IKEv2 on Android, use the free popular strongSwan VPN client.
If your ISP only provides you with a private IP address to surf the Internet, and you can't get a public IP, you can still organize remote access to your home network using an SSTP VPN server. The main advantage of the SSTP tunnel is its ability to work through the cloud, i.e., it allows establishing a connection between the client and the server, even if there are private IP addresses on both sides. All other VPN servers require a public IP address. Please note that this feature is implemented on our cloud server and is available only for Keenetic users.
As for the PPTP tunnel protocol, it is the easiest and most convenient to configure, but potentially vulnerable compared to other types of VPN. However, it is better to use it than not to use a VPN at all.
And for advanced users, we may add these VPNs to the list above:
WireGuard, OpenVPN
OpenVPN is very popular but extremely resource-intensive and has no particular advantages against IPSec. Keenetic devices have such features as TCP and UDP mode, TLS authentication, certificates and encryption keys to improving VPN connection's security for OpenVPN connections.
Modern protocol WireGuard will make it easier and faster to work with VPN (several times compared to OpenVPN) without increasing the power of the hardware in the device.
To consolidate networks and organize a Site-to-Site VPN, use:
IPSec, L2TP over IP (L2TP/IPSec), WireGuard
To solve specific problems of network interconnection:
EoIP, GRE, IPIP
IPSec is one of the most secure VPN protocols due to its crypto secure encryption algorithms. It is the best option for establishing Site-to-Site VPN connections to interconnect networks. It is possible for professionals and advanced users to create IPIP, GRE, EoIP tunnels both in pure form and in combination with IPSec tunnels, which will allow you to use IPSec VPN security standards to protect these tunnels. Support for IPIP, GRE, EoIP tunnels makes it possible to establish a VPN connection with hardware gateways, Linux routers, UNIX/Linux computers, and servers, as well as other network and telecommunication equipment supporting these tunnels. The tunnel setting of this type is available only in the router's command-line interface (CLI).
For more information on configuring different types of VPNs in the Keenetic devices, read the instructions: