User Manual

OpenConnect VPN server

Starting with KeeneticOS 4.2.1, an OpenConnect VPN server and client have been added, allowing users to configure a remote SSL VPN connection to a Keenetic router.

What distinguishes this VPN type is that it uses the SSL/TLS security protocols, so the tunnel data travels as ordinary HTTPS traffic. The OpenConnect connection type is a compatible analogue of Cisco AnyConnect. OpenConnect VPN is a simple means of remote access to the router's local network, allowing users to work securely from anywhere on the Internet and to pass easily through NAT and ISP firewalls.

Important

The advantage of the OpenConnect VPN tunnel is its ability to work over the cloud. It allows a connection between the client and the server, even if private IP addresses are on both sides (SSTP VPN also has this feature). Other VPN servers require a public IP address. Data transfer in the tunnel uses HTTPS traffic (TCP/443). Since the OpenConnect VPN server works through Keenetic Cloud servers, its speed depends on the number of cloud users and their activity.

To connect to the OpenConnect server, you will need to install additional programmes and applications in Windows, iOS, and Android. A Keenetic router itself can act as an OpenConnect client. The article OpenConnect VPN client provides more information.

To configure the server, you need to install the OpenConnect VPN server. You can do this on the General System Settings page in the KeeneticOS Update and Component Options by clicking Component options.

(Screenshot: openconnect-s-00-en.png)

Once this is done, go to the Applications page. Here, you will see the OpenConnect VPN Server tile.

(Screenshot: openconnect-s-01-en.png)

For the server to work, the router must first be registered in the KeenDNS Cloud service with a name in the keenetic.link, keenetic.pro or keenetic.name domain, since these domains support an SSL security certificate. Otherwise, a client connecting to the server will not be able to establish a trusted HTTPS connection. For information on how to register a KeenDNS name, see the KeenDNS service article.

For connecting to the VPN server, a fourth-level domain name for the router is generated automatically; it is shown in the Server address field and looks like ****.*****.keenetic.* (in our example, 9413.*****.keenetic.pro). This is the address you will enter in the VPN client's settings to connect to the server.

Now, let's move directly to the VPN server configuration.

On the Applications page, click the OpenConnect VPN Server link.

(Screenshot: openconnect-s-02-en.png)

In the main settings, the default setting in the Network access field is Home segment. If necessary, you can specify a segment other than the Home network. In this case, the VPN tunnel will access the network of the specified segment.

The total number of possible simultaneous connections can be set by configuring the IP address pool size. Like the starting IP address, this setting should not be changed unnecessarily.

Important

If the Start IP address falls within the network range of the segment specified in the Network access field, the ARP Proxy feature is enabled, allowing access to such a VPN client from the specified local segment. For example, if the Network access field is set to Home network 192.168.1.0 with mask 255.255.255.0 and the DHCP server settings are Start IP address: 192.168.1.33, IP address pool: 120, you can set the VPN server Start IP address to 192.168.1.154, which falls in the range 192.168.1.1–192.168.1.254, and have access from the Home segment to VPN clients on par with access to local devices.
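A small planning check for the address-pool rule described above. This is an added example, not Keenetic firmware code: it tells you whether a proposed OpenConnect pool lies inside the selected segment (so ARP Proxy applies) and whether it collides with that segment's DHCP pool. The VPN pool size of 10 used in the sample call is a constructed value; the page does not state the default.

```python
import ipaddress


def plan_vpn_pool(segment_cidr, dhcp_start, dhcp_pool_size, vpn_start, vpn_pool_size):
    """Relate a proposed OpenConnect address pool to the 'Network access' segment.

    Returns the DHCP and VPN ranges as (first, last) strings, whether the VPN
    pool sits inside the segment's host range (ARP Proxy is enabled in that
    case), whether it overlaps the segment's DHCP pool, and the number of
    simultaneous connections the pool allows (one address per client).
    """
    segment = ipaddress.ip_network(segment_cidr, strict=False)

    # Pools are contiguous: first address plus (size - 1) gives the last one.
    dhcp_first = ipaddress.ip_address(dhcp_start)
    dhcp_last = dhcp_first + (dhcp_pool_size - 1)
    vpn_first = ipaddress.ip_address(vpn_start)
    vpn_last = vpn_first + (vpn_pool_size - 1)

    # Usable host range of the segment, e.g. 192.168.1.1-192.168.1.254 for a /24
    # (network and broadcast addresses excluded).
    usable_first = segment.network_address + 1
    usable_last = segment.broadcast_address - 1

    inside_segment = usable_first <= vpn_first and vpn_last <= usable_last
    # Two ranges overlap when each starts before the other ends.
    overlaps_dhcp = vpn_first <= dhcp_last and dhcp_first <= vpn_last

    return {
        "dhcp_range": (str(dhcp_first), str(dhcp_last)),
        "vpn_range": (str(vpn_first), str(vpn_last)),
        "arp_proxy": inside_segment,
        "overlaps_dhcp": overlaps_dhcp,
        "max_simultaneous_connections": vpn_pool_size,
    }


if __name__ == "__main__":
    # The page's example: Home network 192.168.1.0/24, DHCP 192.168.1.33 + 120
    # addresses, VPN Start IP 192.168.1.154 (pool size 10 is constructed here).
    print(plan_vpn_pool("192.168.1.0/24", "192.168.1.33", 120, "192.168.1.154", 10))
```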

The Multiple sign-in setting controls the ability to establish multiple simultaneous connections to the server using the same credentials. This is not a recommended scenario due to reduced security and inconvenient monitoring. However, for initial configuration or cases where you want to allow tunnelling from multiple devices of the same user, the option can be left enabled.

Important

If the Multiple sign-in option is disabled, it is possible to assign a static IP address for connecting clients. You can do this on the VPN server configuration page in the Users section.

By default, the NAT for clients option is disabled in the server configuration. This setting is used for VPN server clients to access the Internet. In the case of Cloud access (KeenDNS service setting), we recommend that you do not use the NAT for clients setting because the tunnel bandwidth of the cloud connection may be lower than the bandwidth of the server or client Internet connection.

Camouflage mode gives the OpenConnect VPN service additional protection against remote scanning of accessible services.

In the Users section, select the user accounts you want to allow access to the OpenConnect server and to the local network. Here, you can also add a new user by specifying a name and password.

After configuring the VPN server, set the switch to Enabled.

(Screenshot: openconnect-s-03-en.png)

The Connection statistics link lets you view the connection status and additional information about active sessions.

(Screenshot: openconnect-s-04-en.png)

If you want clients to reach not only the local network of the VPN server but also the reverse direction, i.e. from the VPN server's network into the remote network of the VPN client, so that both sides of the VPN tunnel can exchange data, please refer to the instructions Routing networks over VPN.

Notice

To connect to the server as a client, you can use:

Keenetic router — OpenConnect VPN client article;

Android mobile device — Connecting OpenConnect VPN from Android.