How to set up a VPN on a Keenetic router in 2026: step by step

If you want to figure out how to set up a VPN on Keenetic so that all traffic in the house goes through a tunnel — without separate applications on each phone, Smart TV, and PlayStation — you are on the right page. Keenetic allows this, but there are several methods, and they vary greatly in complexity and capabilities.

The main question right away: do you just need to bypass blocked sites or also hide the VPN traffic from the provider's DPI? This determines everything. We will discuss both scenarios.

What methods exist to set up a VPN on Keenetic

KeeneticOS — the firmware that Keenetic develops itself — already includes VPN clients out of the box. They are available through the web interface my.keenetic.net in the "Other connections" and "Internet filters" sections. This is the simplest way, and for most tasks, it is sufficient.

But there is also an advanced route: installing Entware (a package manager for routers) and additional packages like XKeen or Shadowsocks. This is for those whose provider cuts the WireGuard itself through DPI.

Built-in VPN clients of KeeneticOS

KeeneticOS supports WireGuard, OpenVPN, IKEv2/IPsec, SSTP, L2TP/IPsec, and PPTP. PPTP — forget it, it is insecure and does not actually encrypt data. The others work fine, but the choice depends on the task and the model of the router.

Components are installed in the "General settings" → "Change component set" section. If WireGuard is not there — the firmware version is old, you need to update to at least KeeneticOS 3.7.

Cloudflare DNS over HTTPS Proxy component and DPI bypass

This is not a VPN, but it sometimes helps with certain blocks. DoH encrypts DNS queries, so the provider cannot see which domains you are accessing. However, the destination IP address is still visible. For YouTube, which is throttled at the IP level, this is not a solution.

Installation via Entware and third-party packages

Entware is a package repository that can be installed on a USB drive connected to the router. Through it, you can install XKeen (a wrapper over XRay with VLESS/XTLS support), Shadowsocks-libev, AmneziaWG, and other tools. It’s powerful but requires a basic understanding of Linux commands and time for setup.

When the built-in client is enough and when Entware is needed

The built-in WireGuard will suffice if your provider simply blocks sites by IP or domain — this is the case for most in 2026. If the provider actively filters traffic through DPI and blocks the WireGuard protocol itself (this occurs with some regional ISPs) — AmneziaWG or XKeen/VLESS is needed. If you are unsure — start with the built-in WireGuard and see if it works.

Step 1. Installing the WireGuard component in KeeneticOS

WireGuard is the best choice for most home networks. Fast, CPU-efficient, and set up in 10 minutes. Here’s how to install a VPN on Keenetic specifically through WireGuard.

Step 1. Installing the WireGuard component in KeeneticOS

Go to my.keenetic.net → "General settings" → "Change component set". Find "WireGuard VPN client" in the "Network" section and check the box. The router will download the component and reboot. This takes about 2-3 minutes.

If the component is not in the list — first update the firmware via "General settings" → "KeeneticOS update". There’s no point in proceeding without the WireGuard component.

Step 2. Importing the configuration (conf file or manual key entry)

Go to "Other connections" → "VPN connections" → "Add" button. Select "WireGuard". There are two options here: import a ready .conf file (easier) or enter the parameters manually.

The ready .conf is provided by the VPN provider — NvoVPN, Mullvad, ProtonVPN, and others provide it in the personal account. The file looks like this:

Click "Import configuration", upload the file — all fields will be filled automatically. When entering manually, fill in each field separately: PrivateKey, PublicKey, Endpoint (server address and port separated by a colon), AllowedIPs.

Step 3. Configuring the routing table and connection priority

After creating the connection, find the switch "Use for internet access" — turn it on. Without this, the VPN will come up, but traffic will not go through it. The router will think it’s an additional tunnel, not the main path.

In the "Connection priority" section, make sure WireGuard is above the main WAN connection. Otherwise, upon reboot, the router may revert to direct access.

If selective routing is needed (some sites through VPN, others directly) — disable "Use for internet access" and set access policies for the required devices or domains through the "Internet access policies" section.

Step 4. Checking the connection and DNS leaks

Go to ipleak.net or dnsleaktest.com from any device on the network. The IP of the VPN server should appear, not your real one. The DNS servers should also be from the VPN provider, not from your ISP. If you see your real IP in DNS — the config has an incorrect or missing DNS.

Configuring OpenVPN and IKEv2 on Keenetic

OpenVPN and IKEv2 are alternatives to WireGuard, each with its pros and cons. It makes sense to choose between them only if WireGuard is unsuitable for some reason.

Importing .ovpn file through the OpenVPN section

The principle is the same: "Other connections" → "VPN connections" → "Add" → "OpenVPN". Upload the .ovpn file provided by the provider. The file contains certificates, keys, and settings — almost nothing needs to be entered manually.

The problem is different: OpenVPN is heavy on the router's CPU. On Keenetic Giga or Ultra, this is not noticeable. On Keenetic Lite or Start, the speed will drop to 20-40 Mbps even on a 100+ Mbps channel — the CPU simply cannot handle the encryption. This is not a bug, it’s a physical limitation.

Configuring IKEv2/IPsec for a stable connection

IKEv2 is added through the same interface. You need to specify the server address, identifier, login, and password or certificate — depending on what the provider gives. IKEv2 can reconnect when switching networks (from Wi-Fi to mobile internet and back) without breaking the session. This is convenient for mobile devices, but the setup is a bit more complicated than WireGuard.

When to choose OpenVPN and when IKEv2 or WireGuard

WireGuard is the first choice almost always. Faster, lighter, simpler. OpenVPN — if the VPN provider does not support WireGuard, or maximum compatibility with old equipment is needed. IKEv2 — if the main load comes from mobile devices and stability during network switching is important.

Typical errors in logs and how to read them

View logs in "Diagnostics" → "System log". Filter by keywords: "WireGuard", "OpenVPN", "IPsec". Common errors: "handshake timeout" in WireGuard — incorrect PublicKey or Endpoint is unavailable; "TLS Error" in OpenVPN — expired certificate or incorrect CA; "No proposal chosen" in IKEv2 — mismatch of encryption algorithms between client and server.

Bypassing DPI and blocks on YouTube, Instagram, Telegram on Keenetic

This is the most important section for those living in Russia. Standard WireGuard bypasses site blocks — YouTube, Instagram, Twitter/X, Telegram, TikTok open normally. But Roskomnadzor and providers in 2026 can block not only sites but also the VPN protocols themselves through DPI (Deep Packet Inspection). If the provider sees the WireGuard pattern in the traffic — it cuts it.

Why regular WireGuard does not always bypass the provider's DPI

WireGuard has a characteristic signature — a specific format of handshake packets over UDP. Modern DPI systems recognize it and block the connection even before the tunnel is established. If you see that WireGuard is constantly trying to connect but cannot, while pinging the server works — it’s likely DPI.

It’s easy to check: try connecting through the mobile internet of another operator. If it works there but not at home — your home provider is filtering the protocol.

Installing XKeen (XRay/VLESS) via Entware on a USB drive

XKeen is a package for Keenetic that installs XRay with VLESS+XTLS-Reality support. VLESS traffic is virtually indistinguishable from regular HTTPS — DPI does not see it. But for installation, a USB drive (at least 1 GB, formatted in ext4) and a router with a USB port are required.

Action steps: connect the flash drive → in KeeneticOS in the "Management" section → "USB drives" make sure it is recognized → install the "OPKG Package Manager" component → via SSH or web terminal run the installation of Entware with the commandopkg install entware. After that, throughopkg install xkeen the XKeen itself is installed.

If the flash drive is not recognized, it is likely formatted in NTFS or FAT32. KeeneticOS for Entware requires ext2/ext3/ext4. Format it using GParted or in Linux with the commandmkfs.ext4 /dev/sdX.

Shadowsocks and Amnezia WG (AmneziaWG) as protection against protocol blocking

AmneziaWG is a fork of WireGuard with added obfuscation. The traffic is disguised as random noise, and DPI does not recognize it as WireGuard. In 2026, it is supported by several VPN services, and this is the easiest way to bypass protocol blocking — the setup is almost the same as regular WireGuard, just the config is different.

Shadowsocks is a proven tool, especially popular for bypassing the Chinese firewall. It works reliably but requires installation via Entware. The speed is usually lower than WireGuard but higher than OpenVPN.

Selective routing: allowing only necessary sites through VPN

When VPN is enabled for all traffic, Russian banks and State Services sometimes refuse to work — they may block IP addresses from abroad. The solution is selective routing.

In KeeneticOS, this is called "Internet Access Policies." You can create a "Through VPN" policy and assign it to specific devices (Smart TV, phone) or set up domain-based routing through XKeen, where the lists of sites are specified in the XRay config. Russian resources (Sberbank, State Services, VKontakte) go directly, blocked ones (YouTube, Instagram, Telegram) go through the tunnel.

Checking VPN operation and troubleshooting

After figuring out how to install VPN on Keenetic and completing the setup, you need to ensure that everything is working correctly, not just "connected."

How to check that all traffic is going through VPN (IP and DNS leak test)

The most reliable way is to visit ipleak.net from a phone or computer on your network. The service will show the IP address, geolocation, and DNS servers. The correct picture: the IP belongs to the VPN server, and the DNS servers are also from the VPN provider, not from your ISP.

The second tool is dnsleaktest.com, Extended Test. It makes several DNS queries and shows which servers they passed through. If you see your provider's servers, you have a DNS leak. This can be fixed by manually specifying DNS in the WireGuard config or in the DHCP settings of the router.

Speed test before and after connecting VPN

Method: perform a test on fast.com or speedtest.net without VPN, record the result. Then connect VPN and repeat. The difference in speed depends on the router model and protocol. Do not rely on others' numbers — they are measured on different hardware and different channels. Only your own tests will give a real picture.

If the speed drops significantly, first check if OpenVPN is selected on the budget router. Try another VPN provider server, preferably geographically closer.

What to do if VPN connects but there is no internet

This is the most common problem. Checklist in order:

• Is the "Use for internet access" switch enabled in the VPN connection settings?
• Is AllowedIPs set to0.0.0.0/0, and not a specific subnet?
• Is DNS specified in the config — is the DNS field not empty?
• Is there a conflict with double NAT — is the router not behind the provider's router?
• Is the priority of the VPN connection higher than the main WAN in the priority section?

Double NAT is a separate story. If your router is connected to the provider's router (and not directly to the line), sometimes raising WireGuard is not possible due to UDP port blocking. The solution is to ask the provider to issue an external IP or to move the router port to DMZ on the provider's device.

Why is the speed dropping and how to increase it

On budget Keenetic (Lite, Start), the bottleneck is the MIPS processor without hardware encryption acceleration. OpenVPN loads it to 100% at speeds above 50 Mbps. WireGuard is more efficient — on the same hardware, it passes 2-3 times more traffic. AmneziaWG is slightly slower than regular WireGuard due to obfuscation, but the difference is small.

If the speed is still low, enable selective routing. Let only blocked services go through VPN, while the rest of the traffic goes directly. The load on the processor will decrease proportionally to the volume of traffic that actually goes through the tunnel.