V. VPN (Virtual Private Networking)

Teleworker VPN - PPTP with mOTP - DrayTek Smart VPN Client

Vigor 2620Ln
Vigor 2762
Vigor 2765
Vigor 2832
Show all

Smart VPN Client
Two Factor Authentication

Secure Two-Layer Authentications for Teleworkers and mobile VPN users

Teleworkers or remote users will typically have a password to log into your office VPN. Although this is quick and easy, if the user saves the password on their PC, writes it down somewhere or are seen typing it, your VPN and therefore your network is immediately compromised.

A single password provides just a single layer of security; only one fixed piece of information to crack, intercept or otherwise get hold of, and that piece requires only the user's memory. Once intercepted, an authorised person can log into your VPN whenever they wish. By introducing a second security factor, of a different type, you introduce a two-layer authentication. By different 'type' we mean that it cannot just be an extra password; it has to be something that uses a method other than the user's memory.

Mobile One Time Passwords use a secret generated by an mOTP device, stored on both the router and the mOTP key generating software, which remains unknown to the end user and the PIN code which is known by the end user.
When establishing a VPN connection, mOTP generates a One Time Password from the PIN code, the secret and the current time, which means that the resulting password is only valid for a few seconds. mOTP keys can be generated by a number of devices such as smart phones or mOTP applications.

The DrayTek Smart VPN Client software can be used as an mOTP key generating device, this means that only the computer that was set up using the Smart VPN Client and generated the mOTP secret would be able to connect and the end user would only need to know the PIN code used by the VPN.

This can be used with the PPTP, L2TP with IPsec and SSL VPN protocols, this example will cover PPTP specifically.

To set this up, firstly create a new profile in the DrayTek Smart VPN Client software by clicking the Insert button:

In the new profile, set the Profile Name if necessary. In this example, the type of VPN is PPTP, the address or host name of the VPN server needs to be specified in the VPN Server IP/Host Name field and the Username that will be used in the VPN profile should be set in the User Name field.

Tick the Enable mobile One Time Password (mOTP) tickbox.

The Use default gateway on remote network setting is used to set whether all traffic including internet traffic will go through the VPN, if it is ticked, all traffic will go through the VPN, if it is unticked, the VPN will only be used for accessing the remote network.

Click on the mOTP Settings button to continue setting up an mOTP profile.

An mOTP Settings window will pop up, select the SmartVPN Built-in OTP Generator option, then click the Generate button to continue:

Another window will pop-up with the generated secret - click the Copy button to copy the secret into the clipboard on the computer, then click OK to close that window.

With the Generated Secret now in the computer's clipboard, access the router's web interface and create a new VPN profile by going to [VPN and Remote Access] > [Remote Dial-In User], click on the first un-used Index number link to edit the profile settings:

Set up the profile to accept PPTP connections, enable the profile, enter a suitable Username to match the one configured in the Smart VPN Client profile.

Tick Enable Mobile One-Time Passwords(mOTP) for the profile, enter a PIN Code which is a numeric code between 4-7 digits long which will be used by the end user to generate the one time password when it's in use.

Right click the Secret field and paste the contents of the clipboard, which should be the mOTP secret.

Once configured, it should look like this:

Click OK to save the changes to that profile and go back to the DrayTek Smart VPN Client software.

Click OK on the profile settings, which will pop-up a PPTP Setup window:

Set the Authentication Method to MS-CHAP v2 and the MPPE Encryption to Maximum Strength Encryption. Set the IP address if it needs to be set, otherwise leave it set to automatically receive its IP address, then click OK to save those settings.

It is now possible to connect the VPN, select the profile from the list on the main window and click the Connect button:

That will pop-up a window to enter the User Name and PIN Code settings, the username should already be configured, enter the PIN code, which will need to be entered each time to connect the VPN:

Click OK and the VPN will start to connect.

Once the VPN is connected, the main window will show the status of this at the bottom of the window. It will also show the status in the computer's System Tray, which can be used to disconnect the VPN if necessary.

How do you rate this article?

1 1 1 1 1 1 1 1 1 1