V. VPN (Virtual Private Networking)
Teleworker VPN - SSL with mOTP 2FA - Smart VPN Client & Smartphone
DrayTek's Smart VPN Client software for Windows is ideal for connecting remotely to a DrayTek Vigor router's VPN server as a Remote Dial In User. It is available for download here, free of charge, and supports all of the VPN protocols that DrayTek routers currently offer, such as IPsec, L2TP over IPsec, OpenVPN and SSL VPN.
In this example, the Smart VPN Client will be used to make an SSL VPN connection to a DrayTek router. Two-factor authentication will be provided by mOTP (mobile One Time Password), which uses a smartphone or tablet in the possession of the remote user as the VPN token, through an mOTP app.
mOTP can be used with any Android phone or tablet, as well as Apple iPhone, iPad and iPod Touch, with a suitable mOTP app such as these: DroidOTP for Android or imOTP for Apple devices
The mOTP app handles the time-based authentication and produces the password response from its securely held mOTP secret. The end user does not need to know the mOTP secret value, only the Username and the 4-digit PIN code. To connect the VPN tunnel, the user enters their VPN username and a one-time VPN password, which the mOTP app generates when the PIN is entered into it.
This guide demonstrates:
- Generating the mOTP secret in an mOTP app
- Creating an SSL VPN profile on the router with mOTP authentication
- Setting up an SSL VPN profile in the SmartVPN client
- Connecting and using the VPN with mOTP two-factor authentication
Generating the mOTP secret in an mOTP app
In this example, the VPN token device will be set up first, because most mOTP apps can generate a unique and secure mOTP 'secret'.
Open the mOTP app on the phone/tablet and create a new profile.
Give the profile a suitable name to identify it. Set the PIN Type to 4-digit PIN for compatibility with DrayTek routers.
Press Initialise Secret to create the mOTP secret value, which will be stored within the mOTP app.
Select a method to generate the Secret; in this example the iPhone's motion sensor values are used to generate a secret when the phone is shaken.
Press Done to save the secret value. In iOS the secret can then be sent via text/email/other messaging applications; in Android it can be copied and pasted into messages or other messaging applications.
Note this value down for entry into the router's VPN profile later. The secret is the long-term key for this token: anyone who obtains it together with the PIN can generate valid one-time passwords, so treat it like a password and do not send it over unprotected channels such as plain SMS or email.
Alternatively, if the VPN profile is set up before the phone, the mOTP secret entered for that user's VPN profile can be entered into the phone using the 'Direct' option.
Press Save to save the mOTP profile for use later.
With the secret value now set, the VPN profile can be set up on the router.
Creating an SSL VPN Profile on the Router with mOTP Authentication
To set up the profile on the router, go to [VPN and Remote Access] > [Remote Dial-In User], click on the first un-used Index number link to edit the profile settings:
Enable the profile, enter a suitable Username for the account and set up the profile to accept SSL Tunnel connections:
Tick Enable Mobile One-Time Passwords (mOTP) to enable the PIN and Secret settings. Paste the secret in and set the PIN value (4 numerical digits). The end user will need to know the PIN value and their Username to connect the VPN.
The order in which this setup is demonstrated is just one way to set up mOTP for SSL VPN. If setting up from the router's web interface first and the end user is remote, the Secret can be configured on the router and sent to the user through secure means, then entered into the Secret value for the SmartVPN profile's mOTP configuration.
Click OK on that page to save the settings for that profile.
With the VPN connection set up, the remote user can connect their SSL VPN tunnel once the SmartVPN client is configured.
Setting up an SSL VPN profile in the SmartVPN client
Open the DrayTek Smart VPN Client, go to the Profiles section and click Add to create a new VPN profile:
That will open a new window to configure the VPN settings. See the table below for a description of what each setting does and the recommended settings for connecting an SSL VPN tunnel with mOTP:
Setting | Description |
Profile Name | Specify a profile name to identify the VPN |
Server Type | Select SSL VPN Tunnel |
Server IP or Hostname & Port | Specify the IP or Hostname of the router and its SSL VPN port |
Authentication Type | Select Username and Password |
User Name | Enter the username of the user |
Password | Leave this empty; the one-time password will be generated by the user's mOTP app when connecting the VPN |
Remember My Credentials | Enabling this option keeps the Username specified |
Always Prompt for Credentials | Enable this option; the user will be entering a new one-time password each time they connect |
IP Property | Leave this on its default setting of Auto |
Advanced Options | Select the options shown here. See this article for more information on what each setting does. |
Use default gateway on remote network | Enable this to send all traffic through the VPN tunnel. Disable it to send only traffic for the remote network through the VPN tunnel. |
Click OK on the SmartVPN profile to save that profile.
Connecting and Using a VPN with mOTP Two-Factor Authentication
On the remote computer, open the SmartVPN client and select the profile from the list on the main window. Click the Connect button:
That will pop up a window to enter the User Name and Password. The username is stored after it is entered for the first time. The password is also stored, but a one-time password is invalid once the VPN tunnel has connected, so a new one must be entered every time the VPN is connected.
To generate the one-time password for the VPN tunnel, open the mOTP app on the VPN token device (mobile phone/tablet).
In the mOTP app on the token device, enter the 4-digit PIN code to generate the one-time password.
Entering an incorrect PIN code will generate an incorrect one-time password. The app does not store the PIN and cannot check it, so no error is shown on the phone; the router simply rejects the password.
Once all 4 digits have been entered, the OTP app will display the six hex digit (0-9 & a-f, all lower case) one-time password.
The circle acts like a timer: once the timer completes, the one-time password will no longer be valid and a new password will need to be generated with the correct PIN code. Because the password is derived from the current time, the token device's clock must be accurate; if the phone's time drifts too far from the router's, correctly generated passwords will be rejected.
Enter that one-time password into the SmartVPN client's Password and click OK.
The SmartVPN client will start to connect, displaying connection status here:
Once the VPN successfully connects, the SmartVPN client will minimise into the Windows System Tray and display a connection status notification in Windows:
Double-click the green system tray icon to display the SmartVPN client. Alternatively, right-click the SmartVPN client system tray icon for quick access to the connect/disconnect and statistics options:
Expanding the SmartVPN client will show the connection status; clicking the Disconnect button will drop the VPN tunnel:
If the VPN fails to connect, check this article for troubleshooting steps.
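To make the mOTP behaviour described above concrete (the PIN entered into the app, the six lower-case hex digits it shows, the timer after which the value expires, and the router rejecting a password that has already been used to connect), the following Python is an added illustration and is not DrayTek's, DroidOTP's or imOTP's code. It implements the Mobile-OTP scheme those apps follow: the password is the first six hex characters of MD5 over the 10-second time counter, the secret and the PIN. The secret, PIN and timestamps are constructed for the example, and the acceptance window of plus or minus 3 minutes (18 time steps each way) is an assumption; the article does not state the tolerance the router applies.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional

HEX_DIGITS = "0123456789abcdef"
STEP_SECONDS = 10  # mOTP derives a fresh value every 10 seconds


def motp_counter(now: float) -> int:
    """10-second time step used by mOTP (unix time divided by 10)."""
    return int(now) // STEP_SECONDS


def motp_token(secret: str, pin: str, now: Optional[float] = None) -> str:
    """Compute the one-time password the mOTP app shows for a given moment.

    The value is the first six hex characters of MD5(counter || secret || pin),
    lower case, matching the six-digit password described in the article.
    """
    if now is None:
        now = time.time()
    material = f"{motp_counter(now)}{secret}{pin}".encode("ascii")
    return hashlib.md5(material).hexdigest()[:6]


class MotpVerifier:
    """Server-side check of the kind the router performs for a dial-in user.

    A token is accepted if it matches the expected value for any time step
    within +/- window_steps of the verifier's own clock (tolerates clock drift
    between phone and router) and has not already been used (prevents replay
    of a captured password).
    """

    def __init__(self, secret: str, pin: str, window_steps: int = 18) -> None:
        self.secret = secret
        self.pin = pin
        self.window_steps = window_steps      # 18 steps = 3 minutes each way (assumed)
        self._used: Dict[str, int] = {}      # token -> counter at which it was accepted

    def _expected(self, counter: int) -> str:
        material = f"{counter}{self.secret}{self.pin}".encode("ascii")
        return hashlib.md5(material).hexdigest()[:6]

    def verify(self, token: str, now: Optional[float] = None) -> bool:
        if now is None:
            now = time.time()
        token = token.strip().lower()
        if len(token) != 6 or any(c not in HEX_DIGITS for c in token):
            return False                      # not a well-formed mOTP value
        base = motp_counter(now)
        # Forget consumed tokens that are now outside the window anyway.
        self._used = {t: c for t, c in self._used.items()
                      if c >= base - self.window_steps}
        if token in self._used:
            return False                      # replay of an already-used password
        for counter in range(base - self.window_steps, base + self.window_steps + 1):
            if hmac.compare_digest(self._expected(counter), token):
                self._used[token] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed example values; a real secret comes from the app's
    # "Initialise Secret" step and is pasted into the router profile.
    secret, pin = "5f7e2b9c1d4a8e63", "1234"
    now = time.time()
    token = motp_token(secret, pin, now)        # what the phone displays
    router = MotpVerifier(secret, pin)
    print("phone shows:", token)
    print("first use accepted:", router.verify(token, now))
    print("replay accepted:", router.verify(token, now))
```

A wrong PIN produces a token that never matches any counter in the window, which is why the phone cannot warn the user and the router is the only place the error shows. The drift window is the reason an accurate clock on the token device matters: a phone 10 minutes off will generate values the router never expects.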
- First Published: 17/08/2020
- Last Updated: 22/04/2021