Sign Up

Users Mailing list

Sign up for news and firmware updates

Connecting two locations with VPN routers usually requires that both sides are directly accessible over the Internet.

In some network configurations, or with some ISPs such as with 4G Internet connections, it may not be possible to have a directly accessible IPv4 Internet address. Instead, routers may receive non-routable IP addresses starting with 10.x.x.x, 172.x.x.x or 192.168.x.x, which rely on NAT (Network Address Translation) to access the Internet. Services such as VPNs cannot be established when both sides are connected through NAT.

DrayTek's VPN Matcher service works to resolve this. When DrayTek VPN routers are registered with the same DrayTek VPN Matcher account, they can locate each other. Allowing them to establish a secure, end-to-end encrypted VPN tunnel between the two routers.

The DrayTek VPN Matcher feature is available on many new DrayTek routers running 3.9.2 or later firmware.

Once configured, each router behind NAT will register to the DrayTek VPN Matcher server. Enabling them to determine the correct IP addresses and ports to negotiate through NAT and establish the LAN-to-LAN VPN tunnel. The VPN Matcher service only gives routers directions to locate each other, it does not handle encrypted VPN data at any point.

This article demonstrates the configuration of a DrayTek VPN Matcher account and how to use it with two DrayTek VPN routers, "RouterA" and "RouterB". The end result is a secure and direct VPN tunnel between VPN peers, both located behind NAT'ted Internet connections.

Establishing a VPN tunnel through NAT with VPN Matcher:

Step 1. Both routers register to the VPN Matcher server.

Step 2. The VPN Matcher server helps to exchange external IP addresses and the ports' number to both VPN gateways that want to communicate.

Step 3. RouterA performs an outbound connection to RouterB to open the port for RouterA to connect back. At the same time, RouterA receives the connection info. of RouterB from the server.

Step 4. RouterA can now establish a VPN tunnel to RouterB.

Setting up a VPN Matcher Account

1. Go to https://vpn-matcher.draytek.com and create an account.

kb l2l vpnmatcher image01

2. Log into the VPN Matcher server, and add your Vigor routers, including LAN MAC addresses, router models, VPN role and LAN network for VPN tunnel.

kb l2l vpnmatcher image02

3. Go to My Profile, and copy Router VPN devices Authkey.

kb l2l vpnmatcher image03

Configure RouterA - VPN Server

1. Go to [VPN and Remote Access] > [VPN Matcher Setup], and enter VPN Matcher Server address, port 31503, Account, and Authkey.

kb l2l vpnmatcher image04 01

2. Click Get List and choose the device to establish VPN. Click Create Profile to set a new profile.

kb l2l vpnmatcher image04 02

3. Set up VPN profile for the VPN server router:

a. Select Profile Index in [VPN and Remote Access] > [LAN to LAN]
b. Give a Profile Name
c. Set Direction as Dial-in
d. VPN type is IPsec by default, it can be manually changed once VPN profile is configured
e. Enter IPsec Pre-shared Key
f. Enter Peer ID for IPsec identity
g. Network settings are auto-filled according to the settings on the VPN Matcher server.

kb l2l vpnmatcher image04 03

Configure RouterB - VPN Client

1. Configure VPN client router similarly to VPN server but set Direction as Dial-out.

kb l2l vpnmatcher image05 01

2. After the setting is finished, we can check VPN status in [VPN and Remote Access] > [Connection Management].

kb l2l vpnmatcher image05 02

Note: There is a network requirement, that the NAT type should be Cone NAT, such as Full cone NAT (one-to-one), Address-Restricted cone NAT or Port-Restricted cone NAT.
Symmetric NAT is not supported, Vigor Router also provides detection function in VPN Matcher Setup.

kb l2l vpnmatcher image05 03