V. VPN (Virtual Private Networking)

How to setup an OpenVPN Teleworker VPN using VPN Matcher

Products:
Vigor 2620Ln
Vigor 2762
Vigor 2765
Vigor 2862
Show all

Keywords:
OpenVPN
STUN
Teleworker
VPN
Show all

In order to connect to a VPN Server, the router normally needs to have a public IP address routable from the Internet, for a Remote Dial-In User / Teleworker VPN Client to be able connect to it. A challenge in some environments is where the router has been provided with a private IPv4 address. This might be because the ISP uses Carrier Grade NAT (CGNAT) or because the router is not directly connected to the Internet and is operating behind another device.

DrayTek's VPN Matcher service provides a simple solution to this problem. Available on many new DrayTek UK routers running 3.9.2 firmware or later.  VPN Matcher helps by registering each of the VPN devices that are behind the NAT to the VPN Matcher server and acting as a concierge to exchange the connection information to enable the two devices to communicate with each other. The VPN Matcher services cannot observe traffic, data, payload or access either router. It simply acts as a directory and exchange service to facilitate the configuration so that the correct information such as IP addresses and port numbers can be exchanged.

This article describes steps needed to configure VPN Matcher account, DrayTek compatible router (firmware 3.9.2 or later is needed) and the client’s Smart VPN Client application (version 5.3.0 or later). The result would be a working VPN tunnel between VPN peers that are behind NAT.

1. Visit the DrayTek VPN Matcher site to create an account and log in to your account to proceed.

Add the router and PC in to the VPN Matcher's VPN Device Management menu, with the LAN MAC address of both the router and the PC.

You can find the MAC address of the router from the [Dashboard] in the router's web interface. On a Windows PC, you can find the MAC address by opening the Command prompt and entering "ipconfig /all". If your laptop will be connecting over wireless, make sure to use the wireless adapter's MAC address.

kb openvpn host to lan vpn matcher Capture1

2. Copy the Router List Key

Capture2

3. VPN Matcher uses OpenVPN as VPN protocol for Host-to-LAN connection. Therefore certificates for router and PC are required, please refer to 'OpenVPN Setup on Vigor Router with XCA' article (part 1 to 5) to set up the OpenVPN server.

Capture3a

Capture3b

4. Go to [VPN and Remote Access] > [VPN Matcher Setup], enable it and enter VPN Matcher Server and Router List Key, then click OK.

Capture4

5. Run Smart VPN Client, and Add a profile

  • Enable VPN matcher and enter Router List Key.
  • Click Get List to select the VPN server.
  • Enter OpenVPN username and password, and choose the certificates

Capture5a

Capture5b

Capture5c

6. Click Connect on Smart VPN client, then we can see the VPN status on both router and PC

Capture6a

Capture6b

NAT Types

VPN Matcher can work with Cone NAT, such as Full cone NAT(one-to-one), Address-Restricted cone NAT or Port-Restricted Cone NAT. Symmetric NAT is not supported.

The type of NAT your router & client are using can be determined from the Vigor Router's web interface and in the Smart VPN Client by performing Stun Detection, which will indicate which type of NAT is being used:

Capture6c

Capture6d


How do you rate this article?

1 1 1 1 1 1 1 1 1 1