Skip to main content

User Manual

VPN types in Keenetic routers

VPN (Virtual Private Network) — a generic name for technologies that provide one or more network connections (tunnels) over another network (e.g., the Internet).

There are many reasons for using virtual private networks. The most common of these are security and data privacy. The confidentiality of original user data is guaranteed using data protection tools in virtual private networks.

It is known that IP (Internet Protocol) networks have a 'weak point' due to the structure of the protocol. There are no means of protecting the transferred data and no guarantee that the sender is the one he claims to be. The data in an IP network can be easily tampered with or intercepted.

We recommend using a VPN connection to connect from the Internet to your home server, USB flash drive files connected to a router, DVR, or a computer desktop through the RDP protocol. In this case, you don't have to worry about the security of the transmitted data because the VPN connection between the client and the server is usually encrypted.

Keenetic devices support the following types of VPN connections:


  • L2TP over IPSec (L2TP/IPSec)

  • WireGuard

  • OpenVPN

  • IPSec

  • IKEv2

  • OpenConnect


  • IPSec Xauth PSK (Virtual IP)

With the help of a Keenetic router, your home network can be connected via a VPN to a public VPN service, office network, or another Keenetic device, regardless of Internet connection type.

VPN clients/servers for secure access (PPTP, L2TP over IPSec, IKEv2, Wireguard, OpenVPN, SSTP, OpenConnect) as well as tunnels for network interconnection (Site-to-Site IPSec, EoIP (Ethernet over IP), GRE, IPIP (IP over IP) are implemented in all Keenetic devices.

Depending on the protocols used and the purpose, a VPN can provide connections in different scenarios: host-host, host-network, hosts-network, client-server, clients-server, router-router, routers-router (VPN concentrator), network-network (site-to-site).

If you don't know what type of VPN to choose, the tables and recommendations below will help you.

VPN type



Hardware acceleration*

Number of simultaneous connections





  • Client: up to 128

  • Server: up to 100/150/200 depending on model **





  • Client: up to 128

  • Server: up to 100/150/200 depending on model **





  • Client: up to 128

  • Server: up to 100/150/200 depending on model **

L2TP over IPSec




  • Client: up to 128

  • Server: no limitation





up to 32***





no limitation ****





up to 32





up to 128





IPSec Xauth PSK




up to 32

* — in the Starter, Runner 4G, Launcher, Explorer, Carrier models, only the AES algorithm acceleration is used, and in Skipper, Titan, Hero, Giant, Peak, Hopper the entire IPSec protocol hardware acceleration is used.

**up to 200 for Hero, Peak and Titan; up to 150 for Carrier DSL; up to 100 for Starter, Launcher, Explorer and Carrier.

*** — from KeeneticOS 3.7 the number of WireGuard connections is increased to 128 for for ARM-based models (KN-2710, KN-1811, KN-1012, KN-3811, KN-3812), and to 48 for KN-1011, KN-1810, KN-1912, KN-2311, KN-2610 and KN-3013.

**** — before KeeneticOS 3.3, the limit was 10 connections for Hero (KN-1011), Titan (KN-1810), and 5 for all other models.


The number of client connections is limited by the dedicated service storage space (24 Kbytes) for VPN configurations. This is especially important for OpenVPN connections, as the total size of their configurations should not exceed 24 Kbytes.

For modern Keenetic models with KN-xxxxx index the size of storage, where startup-config configuration file and environment variables (including keys) are placed in compressed form, has been increased to 260 Kbytes to 2 Mbytes (depending on the model).

VPN type

Difficulty level

Level of data protection


Resource intensity

OS integration


for ordinary users




Windows, macOS, Linux, Android, iOS (up to and including v9.)


for ordinary users


average, low operating via the cloud




for ordinary users


average, low operating via the cloud


not available*

L2TP over IPSec

for ordinary users




Windows, macOS, Linux, Android, iOS


for advanced users

very high



not available*


for professionals

very high



Windows, macOS, Linux, Android, iOS


for ordinary users




Windows, macOS, Linux, iOS


for advanced users

very high


very high

not available*

IPSec Xauth PSK

for ordinary users




Android, iOS

* — you will need to install additional free software in Windows, macOS, Linux, Android, iOS operating systems to set up the connection.

** — values are relative, not the exact figures, because speeds for VPN connections depend on models and several factors - the type of encryption algorithms used, the number of simultaneous connections, the type of the Internet connection, the speed and the load of the Internet channel, the load on the server and other factors. Let's consider low speed up to 15 Mbit/s, average speed around 30 - 50 Mbit/s, and high speed — over 70 Mbit/s.

VPN type




popularity, high customer compatibility

low level of data protection, in comparison with other VPN protocols


the capability of VPN-server operation using the private IP-address for Internet access *, via HTTPS protocol (TCP/443)

the built-in Windows-only client, low data transfer rate when working through the cloud


the capability of VPN-server operation using the private IP-address for Internet access *, via HTTPS protocol (TCP/443)

is not a part of the modern OS

L2TP over IPSec

security, stability, high customer compatibility

not included in Android (you need to use additional free software), the standard ports are used, which allows the ISP or system administrator to block the traffic


modern data security protocols, low resource intensity, high data transfer rate

is not a part of the modern OS


reliability, very high level of data protection

the configuration is difficult for ordinary users


reliability, very high level of data protection, easy setup, supports Blackberry devices

standard ports are used, which allows the ISP or system administrator to block traffic


high level of data protection, the use of HTTPS protocol (TCP/443)

is not a part of the modern OS, very resource-intensive, low data rates

IPSec Xauth PSK

security, it is a part of a modern mobile OS

lack of customer support for PC operating systems

* — This feature is implemented on our cloud server as a special software extension and is available only for the users of Keenetic devices.

In most cases, for client-server remote connections, we recommend the following protocols:

  • L2TP over IPSec (L2TP/IPSec), PPTP, IPSec Xauth PSK, SSTP, OpenConnect

In many Keenetic models, data transfer over IPSec (including L2TP over IPSec and IKEv2) is hardware accelerated using the device processor. You don't have to worry about the privacy of IP telephony or CCTV streams in such a tunnel.

If your ISP gives you a public IP address, we recommend you to pay attention to the IKEv2, the so-called IPSec virtual server (Xauth PSK), and L2TP over the IPSec server. They are great because they provide secure access to your home network from your smartphone, tablet, or computer with minimal configuration: Android, iOS, and Windows have convenient built-in clients for these types of VPNs. For IKEv2 on Android, use the free popular strongSwan VPN client.

IKEv2 and L2TP/IPSec can be considered as the best universal option.

If your ISP only provides you with a private IP address to surf the Internet, and you can't get a public IP, you can still organize remote access to your home network using an VPN server SSTP or OpenConnect. The main advantage of the SSTP and OpenConnect tunnel is its ability to work through the cloud, i.e., it allows establishing a connection between the client and the server, even if there are private IP addresses on both sides. All other VPN servers require a public IP address. Please note that this feature is implemented on our cloud server and is available only for Keenetic users.

As for the PPTP tunnel protocol, it is the easiest and most convenient to configure, but potentially vulnerable compared to other types of VPN. However, it is better to use it than not to use a VPN at all.

And for advanced users, we may add these VPNs to the list above:

  • WireGuard, OpenVPN

OpenVPN is very popular but extremely resource-intensive and has no particular advantages against IPSec. Keenetic devices have such features as TCP and UDP mode, TLS authentication, certificates and encryption keys to improving VPN connection's security for OpenVPN connections.

Modern protocol WireGuard will make it easier and faster to work with VPN (several times compared to OpenVPN) without increasing the power of the hardware in the device.

For mobile devices, and organising a remote connection to the router, use:

  • IKEv2

IKEv2 EAP (Login/Password) client is embedded in Android, iOS, MacOS, Windows.

To consolidate networks and organize a Site-to-Site VPN, use:

  • IPSec, L2TP over IP (L2TP/IPSec), WireGuard

To solve specific problems of network interconnection:


IPSec is one of the most secure VPN protocols due to its crypto secure encryption algorithms. It is the best option for establishing Site-to-Site VPN connections to interconnect networks. It is possible for professionals and advanced users to create IPIP, GRE, EoIP tunnels both in pure form and in combination with IPSec tunnels, which will allow you to use IPSec VPN security standards to protect these tunnels. Support for IPIP, GRE, EoIP tunnels makes it possible to establish a VPN connection with hardware gateways, Linux routers, UNIX/Linux computers, and servers, as well as other network and telecommunication equipment supporting these tunnels. The tunnel setting of this type is available only in the router's command-line interface (CLI).

For more information on configuring different types of VPNs in the Keenetic devices, read the instructions: