Как настроить AdGuard VPN для Linux на роутере Keenetic

Системные требования

Для работы AdGuard VPN для Linux, также известного как AdGuard VPN CLI, требуется не менее 22 МБ свободного места на встроенной памяти роутера или на внешнем USB после установки других необходимых пакетов.

1. Убедитесь, что на вашем роутере включён SSH

SSH-клиент используется для отправки команд на роутер с компьютера.

Чтобы запустить SSH-сервер, в Keenetic должен быть установлен системный компонент SSH-сервер. Это можно сделать на странице Общие настройки системы в разделе Параметры компонентов, нажав кнопку Параметры компонентов. Найдите SSH-сервер и установите его. Это обновит операционную систему вашего Keenetic.

После установки компонента SSH-сервер включится автоматически.

На сайте Keenetic описано, как настроить SSH сервер для оптимальных настроек безопасности.

2. Определите IP-адрес вашего роутера

IP-адрес по умолчанию для большинства роутеров — 192.168.1.1 или 192.168.0.1. Если вы изменили IP-адрес или не уверены, его можно найти, проверив конфигурацию IP-адреса на подключенном устройстве.

На Windows

Откройте командную строку:
```
ipconfig
```
Найдите Шлюз по умолчанию в активном сетевом подключении. Это IP-адрес вашего роутера.

На macOS и Linux

В Linux откройте Терминал и выполните эту команду:
```
ip route | grep default
```
Или эту на Mac:
```
route -n get default
```
Найдите запись default. Рядом с ней находится IP-адрес вашего роутера.

3. Use an SSH client to connect to the router

You’ll need an SSH client. Most Linux and macOS systems come with an SSH client pre-installed. For Windows, you can use PowerShell, the built-in SSH client in Windows 10/11, or a third-party application like PuTTY.

Built-in SSH client (Linux, macOS, and Windows 10/11)

Open Terminal or PowerShell.
Run the SSH command:
```
ssh admin@192.168.1.1
```
Replace 192.168.1.1 with your router’s IP address.

If this is your first time connecting to the router via SSH, you’ll see a message like this:

The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is SHA256:...
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Type yes and press Enter.

Enter the router’s password when prompted. The default username is root and the default password is keenetic.

PuTTY (Windows 8 and earlier)

Download and install PuTTY from the official website.
Open PuTTY.
In the Host Name (or IP address) field, enter your router’s IP address (e.g., 192.168.1.1)
Ensure the Connection type is set to SSH.
Click Open.
When the Terminal window opens, log in. The default username is root and the default password is keenetic.

Once logged in, you can use various commands to interact with your router’s Linux-based operating system.

4. Install OPKG Entware

In Keenetic models equipped with a USB port (except Keenetic 4G), you can use the OPKG package manager. It allows you to install third-party software packages to expand routers capabilities.

Starting with version 3.7, for some Keenetic models, it is possible to write OPKG Entware to the UBIFS partition of the router's NAND flash memory, i.e. to the built-in memory of the router. Follow the steps below to install the Entware repository package system on a USB drive or in the router’s internal memory.

How to install OPKG Entware on a USB drive

It is possible to install OPKG packages on the Keenetic models with USB ports that support USB flash drives. These are: KN-1410, KN-1710/1711, KN-1010/1011, KN-2510, KN-2410, KN-1810, KN-1910, KN-2310, KN-2010, KN-2110, KN-2610, KN-2710.

For detailed instructions, visit the official Keenetic Wiki.

How to install OPKG Entware in the router’s internal memory

This method will work with the following models: KN-1010/1011, KN-1810/1811, KN-1910, KN-2010, KN-2110, KN-2310, KN-2410, KN-2510, KN-2610, KN-2710, KN-3810, KN-3610 with the KeeneticOS version 3.7 and later.

For detailed instructions, visit the official Keenetic Wiki.

If your router doesn’t support installing packages on its internal memory, follow the instructions for installing packages on a USB drive.

5. Install AdGuard VPN CLI

In your SSH client, execute the following code to install the packages required for AdGuard VPN CLI:

opkg install curl sudo ca-certificates

Go to the /opt folder by typing /cd opt and run the AdGuard VPN CLI installation script:

curl -fsSL https://raw.githubusercontent.com/AdguardTeam/AdGuardVPNCLI/master/scripts/release/install.sh | sh -s -- -v

When asked “Would you like to link the binary to /usr/local/bin?“, reply n and run this line:

ln -s /opt/adguardvpn_cli/adguardvpn-cli /opt/bin

6. Set up AdGuard VPN CLI

Log in to your account
To use AdGuard VPN for Linux, you need an AdGuard account. You can sign up or log in on our website or in Terminal.
Before logging in, go to Terminal and make sure you are in the right shell interface. If you can see the following text:
```
KeeneticOS version 4.01.C.7.0-1, copyright (c) 2010-2024 Keenetic Ltd.

THIS SOFTWARE IS A SUBJECT OF KEENETIC LIMITED END-USER LICENCE AGREEMENT. BY USING IT YOU AGREE ON TERMS AND CONDITIONS HEREOF. FOR MORE INFORMATION PLEASE CHECK https://keenetic.com/legal
```
Run this command to exit into the shell needed for the next steps:
```
exec sh
```
If you see the following text, you can continue the setup:
```
BusyBox v1.36.1 (2024-08-08 16:11:23 UTC) built-in shell (ash)

/ #
```
To sign up or log in, type:
```
adguardvpn-cli login
```
Connect to VPN
For Keenetic routers, be sure to import the SSL certificate and select a folder for the user directory by running this command before connecting:
```
export SSL_CERT_FILE=/opt/etc/ssl/certs/ca-certificates.crt
export HOME=/opt/home/admin
```
This must be done before each session.
Select a VPN server location that best suits your needs.
In general, the closer the server is to you, the faster the connection.
To view available locations, type:
```
adguardvpn-cli list-locations
```
To connect to a specific location, type:
```
adguardvpn-cli connect -l LOCATION_NAME
```
Replace LOCATION_NAME with the city, country, or ISO code of the location you want to connect to.
For quick connect, type:
```
adguardvpn-cli connect
```
AdGuard VPN will choose the location with the lowest ping and remember it for future quick connections.
Adjust your settings
Get a list of all available AdGuard VPN commands and customize the VPN client to your needs.
To view all commands, type:
```
adguardvpn-cli --help-all
```
Enter yes when asked “Would you like to set default routes in TUN mode?”

AdGuard VPN CLI will create a tun0 interface for VPN tunneling.

7. Set up firewall rules

This step is designed to configure firewall rules on a Keenetic router to route traffic through AdGuard VPN.

Install iptables by running this command via SSH:
```
opkg install iptables
```
This line installs the iptables package, which is a tool for managing network packet filtering rules on Linux systems.

Create a new shell script by running the following command:

cat << 'EOF' > /opt/etc/ndm/netfilter.d/001-adguardvpn.sh
#!/opt/bin/sh
for ipt in iptables ip6tables; do
    $ipt -D FORWARD -j ADGUARD_FORWARD || true
    $ipt -F ADGUARD_FORWARD || true
    $ipt -X ADGUARD_FORWARD || true
    $ipt -N ADGUARD_FORWARD
    $ipt -I FORWARD -j ADGUARD_FORWARD
    $ipt -A ADGUARD_FORWARD -i br0 -o tun0 -j ACCEPT
done
EOF

And make it executable:

chmod +x /opt/etc/ndm/netfilter.d/001-adguardvpn.sh

If you have more brX interfaces, make sure to include them in the script as well to route their traffic. Alternatively, make sure to specify a different routing rule for those interfaces.

This will create a new shell script named 001-adguardvpn.sh in the /opt/etc/ndm/netfilter.d/ directory, which is where network-related scripts are typically stored on a Keenetic router.

The script creates a custom firewall rule to ensure that traffic from your LAN (br0) is routed through the AdGuard VPN interface (tun0). It first cleans up any previous rules related to this configuration, then sets up new rules to direct the traffic appropriately.

8. Set up automatic launch for AdGuard VPN CLI

The following script is designed to automatically establish a VPN connection using AdGuard VPN on your Keenetic router when the WAN interface becomes available (e.g., after a reboot or reconnecting to the Internet).

Run the following command:

cat << E0F > /opt/etc/ndm/wan.d/001-adguardvpn.sh
#!/opt/bin/sh
export SSL_CERT_FILE=/opt/etc/ssl/certs/ca-certificates.crt
export HOME=/opt/home/admin
/opt/adguardvpn_cli/adguardvpn-cli connect &
exit 0
E0F

And make it executable:

chmod +x /opt/etc/ndm/wan.d/001-adguardvpn.sh

The script named 001-adguardvpn.sh will be saved to /opt/etc/ndm/wan.d/.

It will start AdGuard VPN when Internet is connected.

Reboot your router to finish setup.

Congrats! Now you have a router secured with AdGuard VPN.

1. Убедитесь, что на вашем роутере включён SSH​

2. Определите IP-адрес вашего роутера​

На Windows​

На macOS и Linux​

3. Use an SSH client to connect to the router​

Built-in SSH client (Linux, macOS, and Windows 10/11)​

PuTTY (Windows 8 and earlier)​

4. Install OPKG Entware​

How to install OPKG Entware on a USB drive​

How to install OPKG Entware in the router’s internal memory​

5. Install AdGuard VPN CLI​

6. Set up AdGuard VPN CLI​

7. Set up firewall rules​

8. Set up automatic launch for AdGuard VPN CLI​