Skip to main content

User Manual

Connecting to an L2TP/IPSec VPN server from Android

Important

If you want to configure a Keenetic router as a VPN server, make sure that it has a public IP address, and when using the KeenDNS service, that it works in the 'Direct access' mode. If any of these conditions are not met, connecting to such a server from the Internet will be impossible. The exception to this rule is described in the Note section below.

Configure the VPN server according to the instruction: L2TP/IPSec VPN server. For example:

ipsec-android-01-en.png

Then set up an L2TP/IPSec connection on your Android mobile device.

Important

The support for the IPSec Xauth PSK client was present in Android until version 11. Since version 12, only IKEv2 and IPSec tunnel support remains (some vendors and phone manufacturers have different list of supported tunnels).

On the 'VPN' screen, add a new entry.

ipsec-android-02-en.png

Specify the name, connection type 'L2TP/IPSec PSK', the server address is the public IP address of the router or its KeenDNS domain name, and enter the preshared IPSec key previously installed on the VPN server. Save the connection settings.

ipsec-android-03-en.png

Click on the created connection.

ipsec-android-04-en.png

Enter the username and password of the router user account that has permission for the VPN connection. Click the 'Connect' button.

ipsec-android-05-en.png

After that, the VPN connection to the L2TP/IPSec server on the Keenetic router will be attempted.

To view the connection state, click on the VPN connection entry.

ipsec-android-06-en.png
ipsec-android-07-en.png

You can disable the VPN connection on the same screen by clicking the 'Disconnect' button.

When a VPN connection is running, you can see statistics of current connections on the Keenetic router.

ipsec-android-08-en.png

Note

If your Keenetic is located behind another router, you may need to do some extra steps to access the VPN server.

It is only possible to connect from the Internet to a VPN server with a private IP address if you have configured port forwarding on the upstream router with a public IP to the private IP address of Keenetic. L2TP/IPSec requires UDP 500 and UDP 4500 forwarding. Another option is to forward all ports and protocols, which on some routers is called DMZ.

A typical example of such a router is a CDCEthernet 3G/4G USB modem. It can get a public address from the ISP and give a private address to the Keenetic router. Port forwarding setup depends on the USB modem. There are the ones that forward all ports without any adjustments, and some of them have this option in their own web interface. And there are the ones where it is not allowed at all.

Another example of such a router is an optical GPON ONT. In such devices, the forwarding is configured in their web interface.

If the port forwarding is set up correctly, you can establish a VPN connection with an external public IP address of such a router. It will forward it to Keenetic's private address.