Install AmneziaWG on Keenetic Router

12min
Installing amneziawg on Keenetic router can help bypass restrictions imposed by your Internet Service Provider (ISP) by concealing the operation of WireGuard. Unlike traditional VPN setups, amneziawg masks the WireGuard protocol, making it difficult for the ISP to detect that you're using a VPN. This stealth feature prevents the provider from identifying and blocking the VPN traffic, ensuring a seamless and unrestricted internet experience even in environments where VPN usage is typically monitored or restricted by government-controlled firewalls.
Creating a WireGuard connection with additional asc parameters in the updated interface of Keenetic OS 4.2 routers.
Step 1
Open the page of the management router on the browser: http://192.168.0.1﻿
Log in using your username and password
﻿
Step 2
Move to: Management → System settings
expand the "startup-config" item and save a backup copy of your router's current settings.
﻿
Step3
Check which version of KeeneticOS is installed on the router, and whether KeeneticOS is being updated to version 4.2., since WireGuard support with asc parameters in KeeneticOS has appeared since version 4.2 Alpha 2. If the KeeneticOS 4.2 release has not yet been released for your router, try switching the update channel to "Preview".
﻿
Step4
More important backup a system files before upgrading. Save firmware, startup-config, default-config, and running-config. It will help to restore if failure occurs during the upgrade.
﻿
Step5
On the "System Component Options" page that opens, in the "Network Functions" section, check if the "WireGuard VPN" component is installed. If the "WireGuard VPN" component is not installed, check the appropriate checkbox for installation, and click the "Update KeeneticOS" button that appears below. Wait for the router to update and reboot.
﻿
Step6
If you get insufficient memory to install all select components in a new window that appears during the system update, click to View changes and disable components, and uncheck the unnecessary components to free up memory.
!If the update is interrupted with the message "Not enough space", you need to disable unnecessary components in the list to reduce the size of the update.
﻿
Step7
After that, upgrade the router to version 4.2 or later by clicking the Update KeeneticOS button on the System Settings page. During the update process, the router will reboot.
﻿
Step8
After updating and restarting the router, you need to log in again on the router management page.
﻿
Step 9
Make sure that Keenetic OS has been updated to version 4.2, and that the necessary WireGuard VPN component is installed.
﻿
Step 10
Now, you need to go back to the router settings, go to the Internet section, and select Other connections.
﻿
Step 11
Select the Wireguard section, create a new connection in it, and import the saved AmneziaWG configuration file. To do this, click on the "Import from file" link.
﻿
Step 12
Choose the config file and press enter. You should get the following, where VPS_IP_ADDRESS is the IP address of VPS, and 42666 is the port.
The new connection should appear in the Wireguard section, with the same name as the imported file. But it's too early to use the connection that has appeared. You need to go to its settings for editing by clicking on its line anywhere except the switcher.
﻿
!The internal IP address of the new connection must be unique among existing Wireguard connections to avoid conflicts. If a conflict occurs, create a new configuration file with a different IP address for one of the conflicting connections.
Step 13
In the connection settings window that opens, mark the Use to access the Internet checkbox, then save the changes by clicking the Save button at the bottom of the settings page.
﻿
Step 14
Now you need to go to the web version of the Keenetic router command line to execute several commands. To do this, go to settings, click on the gear image in the upper-right corner of the web page, and click on the Command line link.
﻿
Step 15
Enter show interface command and click the Send Request button. Information about all available interfaces is displayed below.
﻿
Step 16
Now you need to find out the name of the desired interface by the name of the previously created connection. To do this, open the search on the page (this can be done by pressing two keys at the same time, Ctrl+F). Enter the name of the previously created connection for the search. In this example, it is my_amneziawg_client1 . A single, unique name must be found in the "description" field. And next to it, there will be another field, "interface-name", which displays the name of the desired interface. In this example, this is Wireguard 0.
﻿
Step 17
Now, you know the name of the interface and the values of the asc parameters from the file my_amneziawg_client1.conf that we saved earlier. You need to replace all the template values in parentheses with your values and delete the brackets themselves.
Text
interface {name} wireguard asc {jc} {jmin} {jmax} {s1} {s2} {h1} {h2} {h3} {h4}
interface {name} wireguard asc {jc} {jmin} {jmax} {s1} {s2} {h1} {h2} {h3} {h4}
﻿
Open the my_amneziawg_client1.conf on your computer.
From this file, you will need the values of the parameters Jc, Jmin, Jmax, S1, S2, H1, H2, H3, H4 - these are the asc parameters.
Text
[Interface]
PrivateKey = kHcPwRvI3FRc4qcE+Fgrln1K1qxQNM3jl4CpPzaYx4o=
#_PublicKey = 7vzU3tVk39Dj+XvjpX3e9yZzDZhfbTZUde2Elju3nRM=
Address = 10.10.8.2/32
DNS = 8.8.8.8
Jc = 120
Jmin = 60
Jmax = 1266
S1 = 11
S2 = 54
H1 = 563549684
H2 = 1544213701
H3 = 529241130
H4 = 981267317

[Peer]
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32
Endpoint = VPS_REMOTE_IP:54666
PersistentKeepalive = 60
PublicKey = 7gExcFjYZ6rR5nU7F3xzrDQchtGu4OCxEwGjSlRGwnE=
[Interface]
PrivateKey = kHcPwRvI3FRc4qcE+Fgrln1K1qxQNM3jl4CpPzaYx4o=
#_PublicKey = 7vzU3tVk39Dj+XvjpX3e9yZzDZhfbTZUde2Elju3nRM=
Address = 10.10.8.2/32
DNS = 8.8.8.8
Jc = 120
Jmin = 60
Jmax = 1266
S1 = 11
S2 = 54
H1 = 563549684
H2 = 1544213701
H3 = 529241130
H4 = 981267317

[Peer]
AllowedIPs = 0.0.0.0/5, 8.0.0.0/7, 11.0.0.0/8, 12.0.0.0/6, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/3, 160.0.0.0/5, 168.0.0.0/6, 172.0.0.0/12, 172.32.0.0/11, 172.64.0.0/10, 172.128.0.0/9, 173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/4, 192.0.0.0/9, 192.128.0.0/11, 192.160.0.0/13, 192.169.0.0/16, 192.170.0.0/15, 192.172.0.0/14, 192.176.0.0/12, 192.192.0.0/10, 193.0.0.0/8, 194.0.0.0/7, 196.0.0.0/6, 200.0.0.0/5, 208.0.0.0/4, 8.8.8.8/32
Endpoint = VPS_REMOTE_IP:54666
PersistentKeepalive = 60
PublicKey = 7gExcFjYZ6rR5nU7F3xzrDQchtGu4OCxEwGjSlRGwnE=
﻿
In this example, the string will look like:
Text
interface Wireguard0 wireguard asc 120 60 1266 11 54 563549684 1544213701 529241130 981267317
interface Wireguard0 wireguard asc 120 60 1266 11 54 563549684 1544213701 529241130 981267317
﻿
The resulting line should be inserted into the web version of the router's command line, and click the "Send request" button. If you entered the correct command, the result of processing the request will be displayed below, as in the screenshot.
﻿
Step 18
The execute system configuration save into the web version of the router's command line, and click the "Send request" button.
﻿
Step 19
Go to the Internet section and select Connection Policies.
﻿
Step 20
In the Connection Policies section add a new policy. For example, write amneziawg policy name and click on to Save button.
﻿
Step 21
Click on amneziawg policy and move my_amneziawg_client1 that it will be on the top and set checkbox. Click save to save this setting.
﻿
In the Access Policy settings in the Default Policy, the created VPN connection (my_amneziawg_client1) should go below your main Internet connection in order to avoid problems with reconnecting the router when the main Internet connection is interrupted.
Step 22
Now you need to go to the Internet section, then Other connections, and check the functionality of the created WireGuard connection by switching its state to "Enabled". After a few seconds, the activity mark of the feast should change color from gray to green. Also, information about incoming/outgoing traffic and the time since the last "handshake" should be displayed.
﻿
Step 23
Move again to Internet → Connection Policies → Policy Bindings.
In the Default policy section choose the device (for example it is SamsungSmartTv) for which you want to route traffic through amneziawg. In the switcher menu choose our amneziawg policy and click to Confirm.
﻿
The device will be moved to amneziawg policy.
﻿
Step 24
To verify that the VPN connection is working correctly for the selected device, you can check its IP address. Use a website like "whoer.net" on the device to confirm that its IP address has changed to that of your VPN server. This step ensures that the traffic from your Samsung Smart TV (or other chosen device) is now being routed through the AmneziaWG VPN connection. Enjoy 🏄‍♂️!
Updated 20 Sep 2024
Did this page help you?
Install AmneziaWG on Ubuntu 22.04
Install WireGuard Client on Ubuntu 22.04 and Connecting to the server using AmneziaWG