Connecting to a WireGuard VPN from macOS
Starting from KeeneticOS version 3.3, you can use WireGuard VPN to connect to the local network of the Keenetic router remotely.
First, you need to configure the WireGuard server on the Keenetic device. The process is described in the instruction 'Configuring a WireGuard VPN between two Keenetic routers'. Then, move on to the VPN client setup.
Important
If you want to configure a Keenetic router as a VPN server, make sure that it has a public IP address, and when using the KeenDNS service, that it works in the 'Direct access' mode. If any of these conditions are not met, connecting to such a server from the Internet will be impossible.
Below is an example of connecting to a server from a macOS operating system, using macOS Catalina as a reference.
To connect to the Keenetic WireGuard server on a macOS-based computer, you need to download and install WireGuard.
Launch the program and click on the down arrow in the lower-left corner. Select 'Add empty tunnel... [⌘+N]'.
A connection setup window will open where you need to enter the WireGuard client settings for macOS [Interface] and the settings of the remote Keenetic WireGuard server [Peer].
Important
Leave this window open, do not close it.
Initial setup:
In the Name field, enter the connection name wg-client (you can specify another name).
Opposite to On-Demand, select the network interface for the WireGuard client to work through.
Configuring the client [Interface]:
The PrivateKey field of the interface contains the macOS WireGuard client key generated by the program.
Set the IP address in the 'Address' field of the WireGuard client in IP/bitmask format: 172.16.82.10/24 (internal tunnel address). It is possible to use a different subnet, choosing it from the private address range and avoiding overlapping with other subnets configured on these devices.
Important
If you have set up Internet access via WireGuard VPN, in the [Interface] section, you need to specify the DNS server in the DNS= field.
In our example, the Google DNS server address is set to 8.8.8.8:
[Interface]
PrivateKey =
Address = 172.16.82.10/24
DNS = 8.8.8.8

[Peer]
PublicKey =
AllowedIPs = 172.16.82.1/32, 192.168.22.0/24
Endpoint = enpwgwrkserver.dynns.com:16631
PersistentKeepalive = 5
Configuring the server [Peer]:
In the PublicKey field, insert the public key of the server, which can be copied to the clipboard from WireGuard settings in the web interface of the router.
In the Allowed IPs field, enter the allowed IP addresses in IP/bitmask format: 172.16.82.1/32 (internal server address) and 192.168.22.0/24 (local segment address of the Keenetic router).
In the Endpoint field, enter the public IP address or domain name of the WireGuard server and the listening port on which the WireGuard client will set the connection.
In the PersistentKeepalive field, specify the frequency of the attempts to verify the availability of the connection's remote side. Usually, a 10-15 second interval between checks is sufficient.
Click Save.
Setting up a remote connection on the WireGuard server side.
Connect to the web interface of the Keenetic router and go to the Internet → Other connections menu. Click on the previously created WireGuard connection (WG-S) and add Peer settings. Clicking on Add Peer will open the Peer Settings form, where you will enter the name of the tunnel wg-mac-client.
In the Public Key field, insert the key generated earlier in step 2 of this article.
In the Allowed v4 IPs field, specify the address from which traffic will be allowed to the server in IP/bitmask format: 172.16.82.10/32.
In the Persistent keepalive field, specify the frequency of attempts to check the remote connection side's availability. Usually, a 10-15 second interval between checks is sufficient. By default, the Persistent keepalive value in peer settings is 30 seconds.
Click Save.
Return to the WireGuard program settings; the configured connection will appear in the list.
Click Activate.
If the setting is correct, you will see a green indicator in front of the Status line.
To verify server availability, you can send ICMP packets to an IP address in Terminal.
Check the availability of the server web interface (in our example, it is a Keenetic with IP address 192.168.22.1).
The setup is complete.
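The following Python check is an added example, not part of the original instruction or of Keenetic's tooling. It validates a client configuration against the rules stated above: a private tunnel address, no overlap between the tunnel subnet and routed segments, a DNS entry when all traffic goes through the tunnel, and a router-side Allowed v4 IPs value that matches the client's address as /32. The function name, the `server_allowed_ip` parameter and the key placeholders are assumptions; the sample is constructed from the page's example values.

```python
import configparser
import ipaddress

# Constructed sample using the page's example values; key fields are placeholders.
SAMPLE = """\
[Interface]
PrivateKey = <client-private-key>
Address = 172.16.82.10/24
DNS = 8.8.8.8

[Peer]
PublicKey = <server-public-key>
AllowedIPs = 172.16.82.1/32, 192.168.22.0/24
Endpoint = enpwgwrkserver.dynns.com:16631
PersistentKeepalive = 5
"""

def check_client_config(text, server_allowed_ip="172.16.82.10/32"):
    """Return findings for a single-peer client config (hypothetical helper)."""
    # server_allowed_ip: value entered in the router's Allowed v4 IPs field.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep WireGuard's key casing
    cp.read_string(text)
    iface, peer = cp["Interface"], cp["Peer"]
    findings = []

    addr = ipaddress.ip_interface(iface["Address"])
    if not addr.ip.is_private:
        findings.append(f"tunnel address {addr.ip} is not from a private range")

    allowed = [ipaddress.ip_network(a.strip(), strict=False)
               for a in peer["AllowedIPs"].split(",")]
    for net in allowed:
        # Host routes (the server's tunnel address) and the default route are
        # expected; a routed LAN segment must not overlap the tunnel subnet.
        if 0 < net.prefixlen < net.max_prefixlen and net.overlaps(addr.network):
            findings.append(f"{net} overlaps tunnel subnet {addr.network}")
    if any(net.prefixlen == 0 for net in allowed) and not iface.get("DNS"):
        findings.append("default route through the tunnel but no DNS set")

    host, _, port = peer["Endpoint"].rpartition(":")
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        findings.append("Endpoint must be host:port")

    # The router should accept only this client's tunnel address from the peer.
    expected = ipaddress.ip_network(f"{addr.ip}/{addr.ip.max_prefixlen}")
    if ipaddress.ip_network(server_allowed_ip, strict=False) != expected:
        findings.append(f"server Allowed IPs should be {expected}")
    return findings
```

An empty list means the configuration is consistent with the steps above; each string in the result names one rule that was not met.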