LAN to LAN VPN with VPN Matcher
Connecting two locations with VPN routers normally requires that at least one side is directly reachable over the Internet, so that the other side can dial in to it.
In some network configurations, or with some ISPs such as 4G Internet connections, a router may not receive a directly reachable public IPv4 address. Instead it receives a non-routable address from the private ranges 10.x.x.x, 172.16.x.x to 172.31.x.x or 192.168.x.x (or the carrier-grade NAT range 100.64.x.x to 100.127.x.x), and relies on NAT (Network Address Translation) to reach the Internet. An inbound connection cannot be made to such an address, so when both sides are behind NAT, neither router can accept the other's VPN connection and the tunnel cannot be established directly.
DrayTek's VPN Matcher service resolves this. When DrayTek VPN routers are registered under the same DrayTek VPN Matcher account, they can locate each other and establish a direct, end-to-end encrypted VPN tunnel between the two routers.
The DrayTek VPN Matcher feature is available on many new DrayTek routers running 3.9.2 or later firmware.
Once configured, each router behind NAT registers with the DrayTek VPN Matcher server. The server tells each router the external IP address and port at which the other is reachable, so the routers can negotiate through NAT and establish the LAN-to-LAN VPN tunnel. The VPN Matcher service only gives the routers directions to locate each other; the VPN tunnel itself runs directly between the two routers, and no VPN traffic, encrypted or otherwise, passes through the VPN Matcher server at any point.
This article demonstrates the configuration of a DrayTek VPN Matcher account and how to use it with two DrayTek VPN routers, "RouterA" and "RouterB". The end result is a secure, direct VPN tunnel between two VPN peers that are both on Internet connections behind NAT.
Establishing a VPN tunnel through NAT with VPN Matcher:
Step 1. Both routers register with the VPN Matcher server. Because the registration is an outbound connection, each router's NAT creates a mapping for it, and the server records the external IP address and port it sees.
Step 2. The VPN Matcher server passes the external IP address and port number of each router to the other VPN gateway.
Step 3. Each router sends outbound traffic to the other router's external address and port. Sending this traffic creates a mapping in the sending router's own NAT that the peer's inbound packets can then pass through, which is what opens the port for the peer to connect.
Step 4. The two routers can now negotiate directly, and the LAN-to-LAN VPN tunnel is established between them.
Setting up a VPN Matcher Account
1. Go to https://vpn-matcher.draytek.com and create an account.
2. Log into the VPN Matcher server, and add your Vigor routers, including LAN MAC addresses, router models, VPN role and LAN network for VPN tunnel.
3. Go to My Profile, and copy the Authkey listed under Router VPN devices. The router uses this key to authenticate to the VPN Matcher server, so keep it confidential.
Configure RouterA - VPN Server
1. Go to [VPN and Remote Access] > [VPN Matcher Setup], and enter VPN Matcher Server address, port 31503, Account, and Authkey.
2. Click Get List and choose the device to establish VPN. Click Create Profile to set a new profile.
3. Set up VPN profile for the VPN server router:
a. Select Profile Index in [VPN and Remote Access] > [LAN to LAN]
b. Give a Profile Name
c. Set Direction as Dial-in
d. The VPN type is IPsec by default; it can be changed manually once the VPN profile has been created
e. Enter the IPsec Pre-shared Key. Use a long, randomly generated key; it must be entered identically on both routers
f. Enter Peer ID for IPsec identity
g. Network settings are auto-filled according to the settings on the VPN Matcher server.
Configure RouterB - VPN Client
1. Configure the VPN client router in the same way as the VPN server, but set Direction to Dial-out. The Pre-shared Key and Peer ID must match the values entered on RouterA.
2. Once the profile is saved, check the VPN status in [VPN and Remote Access] > [Connection Management].
Note: There is a network requirement on both Internet connections: the NAT type must be a Cone NAT, such as Full Cone NAT (one-to-one), Address-Restricted Cone NAT or Port-Restricted Cone NAT. A Cone NAT keeps the same external port for an internal host regardless of the destination, so the port the VPN Matcher server observed is the same port the peer router must reach.
Symmetric NAT, which allocates a different external port for each destination, is not supported, because the port learned by the server is not the port the peer's traffic will arrive at. The Vigor router provides a NAT type detection function on the VPN Matcher Setup page to check this before configuring the tunnel.
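To make the four-step rendezvous above and the Cone versus Symmetric NAT requirement concrete, here is a small Python model added for this article. It is not DrayTek code and does not describe how VPN Matcher is implemented internally; it models the generic UDP hole-punching procedure the steps describe. The NAT and router behaviour, the STUN-style `detect_nat_type()` check, and all addresses (TEST-NET ranges for the WAN side) are constructed for the example; only the server port 31503 is taken from the article.

```python
"""Model of rendezvous-assisted hole punching through NAT (constructed example).

Two routers behind NAT register with a rendezvous server, learn each other's
external (ip, port) from it, then send toward each other.  A Cone NAT reuses
one external port per internal socket, so the mapping the server saw is the
one the peer can hit.  A Symmetric NAT picks a new port per destination, so
the server-observed port is useless to the peer and the punch fails.
"""
from __future__ import annotations

import itertools
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Constructed rendezvous address; 31503 is the VPN Matcher port from the article.
SERVER: Endpoint = ("203.0.113.10", 31503)


@dataclass
class Nat:
    """Minimal NAT. policy is one of: full, addr_restricted, port_restricted, symmetric."""
    external_ip: str
    policy: str
    _ports: itertools.count = field(default_factory=lambda: itertools.count(40000))
    mappings: Dict[object, int] = field(default_factory=dict)        # key -> external port
    sent_to: Dict[int, Set[Endpoint]] = field(default_factory=dict)  # ext port -> destinations used
    ext_to_int: Dict[int, Endpoint] = field(default_factory=dict)    # ext port -> internal endpoint

    def outbound(self, internal: Endpoint, dest: Endpoint) -> Endpoint:
        """Translate an outbound packet; return the external source endpoint used."""
        # Cone NATs key the mapping on the internal socket only; Symmetric NAT also on the destination.
        key = (internal, dest) if self.policy == "symmetric" else internal
        if key not in self.mappings:
            port = next(self._ports)
            self.mappings[key] = port
            self.ext_to_int[port] = internal
            self.sent_to[port] = set()
        port = self.mappings[key]
        self.sent_to[port].add(dest)
        return (self.external_ip, port)

    def inbound(self, src: Endpoint, ext_port: int) -> Optional[Endpoint]:
        """Return the internal endpoint if a packet from src to ext_port is admitted, else None."""
        if ext_port not in self.ext_to_int:
            return None
        seen = self.sent_to[ext_port]
        if self.policy == "full":
            ok = True                                   # any source may use an open mapping
        elif self.policy == "addr_restricted":
            ok = any(d[0] == src[0] for d in seen)      # source IP must have been contacted
        else:
            ok = src in seen                            # exact (ip, port) must have been contacted
        return self.ext_to_int[ext_port] if ok else None


@dataclass
class Router:
    name: str
    nat: Nat
    internal: Endpoint                      # LAN address and IKE port (constructed)
    external: Optional[Endpoint] = None     # external endpoint as recorded by the server


def register(router: Router) -> None:
    """Step 1: outbound registration; the server records the source endpoint it sees."""
    router.external = router.nat.outbound(router.internal, SERVER)


def punch(a: Router, b: Router) -> bool:
    """Steps 2-4: exchange external endpoints via the server, punch, and check a two-way path."""
    register(a)
    register(b)
    # Step 3: each side sends toward the peer's server-observed endpoint.  Under Symmetric
    # NAT this flow gets a fresh external port that differs from the registered one.
    a_src = a.nat.outbound(a.internal, b.external)
    b_src = b.nat.outbound(b.internal, a.external)
    # Step 4: if either punch is admitted, the reply travels over the now-open mappings.
    if a.nat.inbound(b_src, a.external[1]) is not None:
        reply = a.nat.outbound(a.internal, b_src)
        return b.nat.inbound(reply, b_src[1]) is not None
    if b.nat.inbound(a_src, b.external[1]) is not None:
        reply = b.nat.outbound(b.internal, a_src)
        return a.nat.inbound(reply, a_src[1]) is not None
    return False


def detect_nat_type(nat: Nat, internal: Endpoint) -> str:
    """STUN-style classification: compare mappings toward two servers, then probe back."""
    s1, s2 = ("203.0.113.10", 3478), ("203.0.113.20", 3478)   # constructed probe servers
    m1 = nat.outbound(internal, s1)
    m2 = nat.outbound(internal, s2)
    if m1 != m2:
        return "symmetric"                                   # a new port per destination
    if nat.inbound(("198.51.100.5", 5555), m1[1]) is not None:
        return "full"                                        # unrelated host gets through
    if nat.inbound((s1[0], 9999), m1[1]) is not None:
        return "addr_restricted"                             # same IP, different port gets through
    return "port_restricted"


def demo() -> Dict[Tuple[str, str], bool]:
    """Try the tunnel with several NAT combinations on RouterA and RouterB."""
    results = {}
    for a_pol, b_pol in [("port_restricted", "port_restricted"), ("full", "port_restricted"),
                         ("symmetric", "port_restricted"), ("symmetric", "symmetric")]:
        a = Router("RouterA", Nat("198.51.100.1", a_pol), ("192.168.1.1", 500))
        b = Router("RouterB", Nat("198.51.100.2", b_pol), ("192.168.2.1", 500))
        results[(a_pol, b_pol)] = punch(a, b)
    return results


if __name__ == "__main__":
    for combo, ok in demo().items():
        print(f"RouterA {combo[0]:16s} RouterB {combo[1]:16s} tunnel: {'up' if ok else 'FAILS'}")
```

Running `demo()` shows every Cone/Cone pairing coming up and a Symmetric NAT on either side failing against a Port-Restricted peer, which is the case the note above warns about: the peer aims at the port the server recorded, but the symmetric side's punch leaves through a different port, so the Port-Restricted filter on the other end never sees a matching source. `detect_nat_type()` is the same two-server comparison a STUN-style check performs, and is what the router's detection function on the VPN Matcher Setup page lets you verify before you build the profiles.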
- First Published: 18/03/2020
- Last Updated: 22/04/2021