V. VPN (Virtual Private Networking)

Teleworker VPN - SSL with mOTP 2FA - Smart VPN Client & Smartphone

Vigor 2620Ln
Vigor 2762
Vigor 2765
Vigor 2832
Show all

Smart VPN Client
Show all

DrayTek's Smart VPN Client software for Windows is ideal for connecting remotely to a DrayTek Vigor router's VPN server as a Remote Dial In User. Available for download here. It is free and can connect all protocols that the DrayTek routers currently support such as IPsec, L2TP over IPsecOpenVPN and SSL VPN protocols.

In this example, the Smart VPN Client will be used to make an SSL VPN connection to a DrayTek router. Two-factor authentication will be provided by mOTP (mobile One Time Password), which will use a smartphone or tablet in posession of the remote user, as the VPN token through the use of an mOTP app.

mOTP can be used with any Android phone or tablet, as well as Apple iPhone, iPad and iPod Touch, with a suitable mOTP app such as these: DroidOTP for Android or imOTP for Apple devices

The mOTP app manages the time based authentication and password response with its securely held mOTP secret. The end user does not need to know the mOTP secret value, just the Username and 4-digit PIN code. To connect the VPN tunnel, the user enters their VPN username and one-time VPN password, which is generated by entering their PIN into the mOTP app.

This guide demonstrates:

  • Generating the mOTP secret in an mOTP app
  • Creating an SSL VPN profile on the router with mOTP authentication
  • Setting up an SSL VPN profile in the SmartVPN client
  • Connecting and using a VPN with mOTP two-factor authentication
  • motp android

    Generating the mOTP secret in an mOTP app

    In this example, the VPN token device will be set up first, because most mOTP apps can generate a unique and secure mOTP 'secret'.

    Open the mOTP app on the phone/tablet and create a new profile.

    Give the profile a suitable name to identify it. Set the PIN Type to 4-digit PIN for compatibility with DrayTek routers.

    Press Initialise Secret to create the mOTP secret value, which will be stored within the mOTP app.

    imOTP app on an iPhone

    Select a method to generate the Secret, in this example the iPhone's sensor values are generating a secret when the phone is shaken.

    Press Done to save the secret value, which in iOS can then be sent via text/email/other messaging applications. In Android, the secret can be copied to paste into messages or other messaging applications.

    Note this value down for entry into the router's VPN profile later.

    Alternatively, if the VPN profile is set up before the phone, the mOTP secret entered for that user's VPN profile can be entered into the phone using the 'Direct' option.

    imOTP app on an iPhone - Generating Secret value

    Press Save to save the mOTP profile for use later.

    With the secret value now set, the VPN profile can be set up on the router.

    imOTP app on an iPhone - Save profile

    Creating an SSL VPN Profile on the Router with mOTP Authentication

    To set up the profile on the router, go to [VPN and Remote Access] > [Remote Dial-In User], click on the first un-used Index number link to edit the profile settings:

    Enable the profile, enter a suitable Username for the account and set up the profile to accept SSL Tunnel connections:

    Tick Enable Mobile One-Time Passwords(mOTP) to enable the PIN and Secret settings. Paste the secret in and set the PIN value (4 numerical digits). The end user will need to know the PIN value and their Username to connect the VPN.

    The order in which this setup is demonstrated is just one way to set up mOTP for SSL VPN. If setting up from the router's web interface first and the end user is remote, the Secret can be configured on the router and sent to the user through secure means, then entered into the Secret value for the SmartVPN profile's mOTP configuration.

    smartvpn5 sslmotp6

    Click OK on that page to save the settings for that profile.

    With the VPN connection set up, the remote user can connect their SSL VPN tunnel once the SmartVPN client is configured.

    Setting up an SSL VPN profile in the SmartVPN client

    Open the DrayTek Smart VPN Client, go to the Profiles section and click Add to create a new VPN profile:

    That will open a new window to configure the VPN settings. See the table below for a description of what each setting does and the recommended settings for connecting an SSL VPN tunnel with mOTP:

    Profile Name Specify a profile name to identify the VPN
    Server Type Select SSL VPN Tunnel
    Server IP or Hostname & Port Specify the IP or Hostname of the router
    Authentication Type Select Username and Password 
    User Name
    Enter the username of the user
    Leave this empty, the password will be randomly generated by the user's mOTP app when connecting the VPN
    Remember My Credentials Enabling this option will keep the Username specified
    Always Prompt for Credentials Enable this option, the user will be entering a new secure password each time they connect
    IP Property Leave this on its default settings of Auto
    Advanced Options Select the options shown here. See this article for more information on what each setting does.
    Use default gateway
    on remote network
    Enable this to send all traffic through the VPN tunnel. Disable it to send only remote network access through the VPN tunnel.

    Click OK on the SmartVPN profile to save that profile.

    Connecting and Using a VPN with mOTP Two-Factor Authentication

    On the remote computer, open the SmartVPN client and select the profile from the list on the main window. Click the Connect button:

    smartvpn5 sslmotp7

    That will pop-up a window to enter the User Name and Password settings, the username will be stored after entering for the first time.

    To generate the one-time password for the VPN tunnel, open the mOTP app on the VPN token device (mobile phone/tablet).

    This password will also be stored but will be invalid after the VPN tunnel has connected, so will be re-entered every time the VPN is connected.

    smartvpn5 sslmotp8

    In the mOTP app on the token device, enter the 4-digit PIN code to generate the one-time password.

    Entering an incorrect PIN code will generate an incorrect one-time password.

    Once all 4 digits have been entered, the OTP app will display the six hex digit (0-9 & a-f, all lower case) one-time password.

    The circle acts like a timer - once the timer completes, the one-time password will no longer be valid and a new password will need to be generated with the correct PIN code.

    Enter that one-time password into the SmartVPN client's Password and click OK.

    Entering One-Time password into the SmartVPN client

    The SmartVPN client will start to connect, displaying connection status here:

    Once the VPN successfully connects, the SmartVPN client will minimise into the Windows System Tray and display a connection status notification in Windows:

    Double-click the green system tray icon to display the SmartVPN client. Alternatively, right click the SmartVPN client system tray icon for quick access to connect/disconnect & statistics options:

    Expanding the SmartVPN will show the connection status, clicking the Disconnect button will drop the VPN tunnel:

    smartvpn5 sslmotp9

    If the VPN fails to connect, check this article for troubleshooting steps.

    Check VPN Status on a Vigor Router

    The status of the VPN tunnel can be viewed from the router's web interface under [VPN and Remote Access] > [Connection Management]:

    How do you rate this article?

    1 1 1 1 1 1 1 1 1 1