Configuring VPN Distribution Over LAN on a Keenetic Router
My network configuration is as follows:
- External internet is connected to a Rostelecom router (Router 1)
- The LAN port of Router 1 is connected via patch cable to the WAN port of the Keenetic Launcher router
I have Wireguard VPN installed on the Keenetic with multiple locations. The issue is that the VPN connection works properly when distributed over Wi-Fi, but it doesn’t work when connecting via LAN.
Question: How can I configure the Keenetic to distribute VPN over LAN? And is it possible to set it up so that different VPN locations use different interfaces:
- For the Germany location - distribute over Wi-Fi
- For the Netherlands location - distribute over LAN
Thank you in advance for your answers.
Configuring VPN Distribution Over LAN on Keenetic Router
To configure VPN distribution over LAN on a Keenetic Router, you need to properly set up routing and connection policies. Your issue with VPN not working when connecting via LAN occurs due to routing settings and interface policies.
Table of Contents
- Basic VPN Settings for LAN
- LAN Routing Configuration
- Connection Policies for Different VPN Locations
- WireGuard Configuration
- Testing and Debugging
Basic VPN Settings for LAN
For proper VPN distribution over LAN, you need to ensure that correct routing rules are configured on Keenetic. To do this:
- Enable NAT for VPN clients in WireGuard settings
- Configure firewall rules to allow traffic through VPN
- Set up static routes for LAN devices
As stated in the official Keenetic documentation, to provide internet access through a VPN tunnel, you need:
```
interface Wireguard0 security-level private
ip nat Wireguard0
system configuration save
```
This will allow traffic from LAN devices to pass through the VPN tunnel.
LAN Routing Configuration
To configure routing through LAN, you need to create appropriate rules in the Keenetic interface:
- Go to “Firewall” → “Access Rules”
- Add a rule to allow traffic from LAN devices to the VPN interface
- Ensure the LAN interface is allowed in the routing policy
As mentioned in the guide to routing networks through VPN:
On the “Firewall” page, select the interface where incoming traffic will be monitored (this is the VPN connection), and click “Add rule” to create access rules for any protocols
For your configuration, you need to:
- Select the WireGuard interface in firewall rules
- Allow traffic through the LAN interface
- Configure NAT for VPN clients
Connection Policies for Different VPN Locations
To configure different VPN locations on different interfaces (Germany - WiFi, Netherlands - LAN), you need to use Connection Priorities (PBR).
As explained in the documentation on connection priorities, PBR (Policy-Based Routing) allows you to solve the following practical problems:
Allows certain devices in the network to go through a VPN connection, while others go through the main internet provider
For your configuration:
- Create a profile for Germany (WiFi):
  - Interface: Wi-Fi
  - VPN location: Germany
  - Priority: High
- Create a profile for Netherlands (LAN):
  - Interface: LAN (connected to Rostelecom)
  - VPN location: Netherlands
  - Priority: Low
Important! As stated in the guide to setting up routes:
If connection priorities are configured, interfaces for connections through ISP and VPN provider must be in the same profile
WireGuard Configuration
For proper WireGuard operation with LAN distribution, you need to configure tunnel parameters:
- In WireGuard settings for each location, specify:
  - Tunnel address (for example, 172.16.82.1/24 for server, 172.16.82.2/24 for client)
  - Listening port on the VPN server side
  - Encryption keys
As stated in the official Keenetic documentation:
For example, 172.16.82.1/24 on the server and 172.16.82.2/24 on the client. You need to specify the listening port number on the VPN server side, which will be used for incoming connections to the WireGuard interface
For your configuration, create two WireGuard connections:
- For Germany: WiFi interface
- For Netherlands: LAN interface
Testing and Debugging
After configuration, check VPN operation:
- Check VPN interface availability: `show interfaces wireguard0`
- Check routes: `show ip route`
- Check NAT rules: `show ip nat`
- For diagnostics, use the command: `debug routing`
If VPN still doesn’t work through LAN, check:
- Firewall rules on Keenetic
- DHCP settings on LAN port
- Routes on the main Rostelecom router
Sources
- Internet access through a WireGuard VPN tunnel – Keenetic
- Routing networks over VPN – Keenetic
- Connection priorities – Keenetic
- Setting up a route to a specific host through a WireGuard VPN provider – Keenetic
- WireGuard VPN – Keenetic
Conclusion
To solve your problem, you need to:
- Configure NAT for VPN clients in WireGuard settings for operation through LAN
- Create firewall rules to allow traffic through the VPN interface
- Use connection policies (PBR) to distribute different VPN locations across different interfaces
- Verify routing and DHCP settings on both routers
After proper configuration, you will be able to:
- Distribute VPN through LAN for the Netherlands location
- Use WiFi for the Germany location
- Ensure stable operation of both VPN connections simultaneously
For more detailed configuration, study the official Keenetic documentation on VPN operation and routing policies.
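The connection-policy plan discussed above can be sanity-checked on paper before touching the router. The following is an added example, not part of the original answer and not Keenetic code: it models each policy as an ordered list of connections and audits which connection each segment actually egresses through. The names `Wireguard0`, `Wireguard1`, `ISP`, the policy names and the segment labels are assumptions made for the sketch.

```python
# Added illustration: a small model of connection policies (PBR), not Keenetic code.
# Interface, policy and segment names below are assumptions for this sketch.
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    connections: list  # ordered by priority, highest first

def egress(policy, up):
    """Return the first connection in priority order that is currently up."""
    for conn in policy.connections:
        if conn in up:
            return conn
    return None

def audit(bindings, policies, default_policy, intended, isp="ISP"):
    """Compare each segment's effective egress with the intended tunnel."""
    findings = []
    all_up = {c for p in policies.values() for c in p.connections}
    for segment, tunnel in intended.items():
        policy = policies[bindings.get(segment, default_policy)]
        if segment not in bindings:
            findings.append(f"{segment}: no policy bound, uses {policy.name}")
        first = egress(policy, all_up)
        if first != tunnel:
            findings.append(f"{segment}: egress is {first}, expected {tunnel}")
        elif isp not in policy.connections:
            findings.append(f"{segment}: {isp} missing from {policy.name}")
        elif egress(policy, all_up - {tunnel}) == isp:
            # Worth knowing: with the tunnel down, traffic leaves via the ISP.
            findings.append(f"{segment}: falls back to {isp} if {tunnel} is down")
    return findings

# Constructed plan matching the question: Germany over Wi-Fi, Netherlands over LAN.
POLICIES = {
    "Default": Policy("Default", ["ISP"]),
    "Germany": Policy("Germany", ["Wireguard0", "ISP"]),
    "Netherlands": Policy("Netherlands", ["Wireguard1", "ISP"]),
}
INTENDED = {"Wi-Fi": "Wireguard0", "LAN": "Wireguard1"}
BROKEN = {"Wi-Fi": "Germany"}                    # LAN left on the default policy
FIXED = {"Wi-Fi": "Germany", "LAN": "Netherlands"}

if __name__ == "__main__":
    for label, bindings in (("broken", BROKEN), ("fixed", FIXED)):
        print(label)
        for line in audit(bindings, POLICIES, "Default", INTENDED):
            print("  ", line)
```

In the constructed "broken" plan the LAN segment has no policy of its own, so the model sends it out through the ISP, which matches the symptom described in the question.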