Match Server Name Verification
Step 1. Install a valid certificate for HTTPS and SSL VPN on the router
When the SmartVPN client has its Certificate Validation Level set to "Match Server Name", it requires the device it connects to to present a certificate with matching details. This means that the CN / Common Name of the certificate must match the IP address or Host Name of the VPN server that SmartVPN is connecting to, and that the certificate has not expired (that is, the current time is between its Valid From and Valid To dates).
To create a custom self-signed certificate on the router with valid Common Name details, follow this guide.
To create and install certificates signed by a Trusted Certificate Authority on the router, follow this guide.
To create and install certificates signed by a Trusted Certificate Authority on the Vigor 3900 and Vigor 2960, follow this guide.
This example uses the hostname ssl.draytek.vpn as the public hostname of the router and the router's certificate Common Name.
If the router has a fixed IP address with no hostname associated, that IP address can be used as the router certificate Common Name.
If the router has a Host Name associated with its public IP address, the host name can be used as the Common Name.
It's possible to create a certificate that will work with dynamic IP addresses by using the router's Dynamic DNS facility and a dynamic DNS hostname as the certificate's Common Name.
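
The two conditions described above, written out as an added Python example (not DrayTek's code, and only an approximation of what the Smart VPN client checks internally). The function names, the sample certificate and the address 203.0.113.10 are constructed for illustration; the input is a dict shaped like the one Python's ssl.SSLSocket.getpeercert() returns.

```python
import ipaddress
import ssl
import time

# Constructed sample, shaped like the dict ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "ssl.draytek.vpn"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2026 GMT",
}
# Fixed clock values so the example gives the same result whenever it is run.
DURING = ssl.cert_time_to_seconds("Jun  1 00:00:00 2025 GMT")
AFTER = ssl.cert_time_to_seconds("Jun  1 00:00:00 2026 GMT")

def common_name(cert):
    """Return the subject Common Name, or None if the certificate has none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def name_matches(cn, server):
    """Exact match only: IP addresses by value, host names case-insensitively."""
    if cn is None:
        return False
    try:
        return ipaddress.ip_address(cn) == ipaddress.ip_address(server)
    except ValueError:  # at least one side is a host name, not an IP address
        return cn.rstrip(".").lower() == server.rstrip(".").lower()

def check_match_server_name(cert, server, now=None):
    """Return a list of problems; an empty list means both conditions hold."""
    now = time.time() if now is None else now
    problems = []
    cn = common_name(cert)
    if not name_matches(cn, server):
        problems.append(f"Common Name {cn!r} does not match server {server!r}")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate is not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate has expired")
    return problems

if __name__ == "__main__":
    for server in ("ssl.draytek.vpn", "203.0.113.10"):
        print(server, check_match_server_name(SAMPLE_CERT, server, DURING) or "OK")
```

A certificate issued for the hostname fails the name check when the client's Server field holds the router's IP address instead, and the reverse is also true.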
Step 2. Create an SSL VPN Dial-In User Account
To set up the SSL VPN profile on the router, go to [SSL VPN] > [User Account] and click on the first unused Index number link to edit the profile settings:

- Enable the profile
- Enter a suitable Username for the account
- Set a secure Password (up to 19 characters, alphanumeric and special characters allowed)
- Set the profile to accept SSL Tunnel connections:

Click OK on that page to save the settings for that profile.
The Status text displays in red if the user is not connected and will display in green when the user has connected.

With the account created and a valid certificate installed on the router, the client can be configured to connect.
Step 3. DrayTek Smart VPN App Configuration
Open the DrayTek Smart VPN application and press + to create a new VPN profile:


- Profile: The name of the VPN profile
- Server: The IP address or Host Name of the SSL VPN server. The VPN server in this example is the hostname "ssl.draytek.vpn"
- Port: The port of the SSL VPN server; this will be 443 by default and should only be changed if the SSL VPN port has been changed on the router
- Username: The VPN username such as the one created earlier in this guide
The Create button will be greyed out. Click the Authentication Settings button to continue:

Enter the password for the dial-in user and click OK to save the password for the VPN connection.
Once the password has been set for the VPN, the Create button will no longer be greyed out. Click Create to save the VPN profile.
The operating system will then display this warning:

Press Allow to continue.
Once the VPN has saved the profile, go to the Advanced settings for the profile to configure how the VPN tunnel operates:

In this section, the security protocols used and options for how traffic routes through the VPN can be changed:
The option to "Send all traffic through this tunnel" is not enabled by default. When disabled, only traffic to the VPN router's local subnet will go through the VPN tunnel. If it's enabled, all traffic including Internet access will pass through the VPN tunnel.
The VPN tunnel can now be established. The VPN profile will show with a red icon to indicate that it is disconnected. Press the "Connect" button to establish the VPN tunnel. The operating system will prompt to confirm whether the SmartVPN application is allowed to use the credentials it has saved. Click Always Allow and SmartVPN will then continue connecting:

Once connected, the SmartVPN client will show details for the VPN. Click the Disconnect button to terminate the VPN connection.

The status of the VPN tunnel can be viewed from the router's web interface under [VPN and Remote Access] > [Connection Management]:
