V. VPN (Virtual Private Networking)

Teleworker VPN - SSL - Vigor 3900 - DrayTek Smart VPN Client

Products: Vigor 2960, Vigor 3900
Keywords: 2960, SSL, Smart VPN Client

DrayTek routers that support Dial-In VPN connections accept any compatible VPN client, giving a remote dial-in user secured access to the network connected to the router and to its internet connection.

The DrayTek Smart VPN Client software is free to use and supports all the VPN protocols that DrayTek routers currently support, such as PPTP, IPsec, L2TP over IPsec and SSL VPN (depending on router model).

In this example, the Smart VPN Client will be used to make an SSL VPN connection to a DrayTek router. This provides a quicker way to connect an SSL VPN compared to the browser method.

Please note that this example will be using DrayTek Smart VPN Client 4.3.2 because it adds TLS support to improve the security of the encryption.


Router Configuration

The SSL VPN server must be enabled from [VPN and Remote Access] > [Remote Access Control] and the router needs to have HTTPS Management enabled on it.

HTTPS management can be enabled from [System Maintenance] > [Access Control]: go to the Access Control tab, expand the Internet Access Control options and set HTTPS Allow to Enable. The HTTPS port configured under Management Port Setup is used for both HTTPS management and the SSL Tunnel facility. Click Apply to apply and save the configuration changes.


To set up the VPN profile on the router, go to [User Management] > [User Profile], click Add in the User Profile tab to create a new user profile:

  • Enable the profile
  • Enter a suitable Username (please note that this cannot be changed after creating the user account)
  • Set the Password
  • Click on the PPTP/L2TP/SSL Server bar to expand the VPN options for the profile
  • Enable SSL Tunnel

Click Apply to save the changes to that profile. The router is now ready to accept client SSL VPN connections with those credentials.


Client Configuration

Open the DrayTek Smart VPN Client utility in Windows:

In the DrayTek Smart VPN Client software, click the Insert button to make a new profile, which will open a new window:

In the new profile, set the Profile Name if necessary. In this example, the type of VPN is SSL Tunnel. Specify the address or host name of the VPN server in the VPN Server IP/Host Name field, set the Username that will be used in the VPN profile in the User Name field, and enter the password for the VPN in the Password field.

The Use default gateway on remote network setting controls whether all traffic, including internet traffic, goes through the VPN. If it is ticked, all traffic will go through the VPN. If it is unticked, the VPN will only be used for accessing the remote network.

Click OK to save that and a window for SSL VPN setup will appear:

This window has security settings for the VPN:

Authentication Method - This can be left on Auto; otherwise, it's recommended to use CHAP or MS-CHAP v2 authentication to ensure that authentication details are encrypted. PAP authentication is not encrypted.

Enable server certificate authentication - This can be used to ensure the identity of the remote SSL VPN server/router by exporting the router's certificate and installing it onto the computer.

Enable SSL 3.0 - This option forces the VPN to use SSL 3.0 security, otherwise the default is to use TLS security which is more secure. The SSL VPN server/router must support TLS in its firmware to use TLS. If the router does not support TLS, SSL 3.0 must be enabled for the SSL VPN to work.

Product Name    TLS Firmware
Vigor 2960      1.0.9
Vigor 3900      1.0.9

The VPN client will get an IP address from the remote network automatically, but this can be specified in the VPN client using the Manually get IP address & DNS server setting.

Click OK to save the settings for the VPN connection.


It is now possible to connect the VPN. Select the profile from the list on the main window and click the Connect button:

That will open a window for the User Name and Password. These were configured in the profile, so they should already be filled in:

Click OK and the VPN will start to connect.

Once the VPN is connected, the main window will show the status of this at the bottom of the window. It will also show the status in the computer's System Tray, which can be used to disconnect the VPN if necessary.


Using a different SSL port for SSL VPN

The DrayTek Smart VPN Client will attempt to connect to TCP 443 by default. If that port is in use, or if it needs to be changed on the router for another reason, the port must be changed on both the client and the router.

To change the router's SSL VPN port, go to [System Maintenance] > [Access Control], expand the Management Port Setup option and set the HTTPS Port, then click Apply to save and apply that change.


To change the port that the DrayTek Smart VPN Client connects to when connecting an SSL VPN, edit the profile and change the IP/Host Name used so that it has the IP address/Host Name with :444 (for example) at the end of the address:
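To check from the client side that the router answers on the chosen port with TLS and presents the expected certificate, the following added example (not part of the original article or of DrayTek's software) takes the same host or host:port form as the profile and a SHA-256 fingerprint noted from the router's exported certificate. The function names are hypothetical, and it assumes Python 3 with only the standard library and that the exported certificate is the one the router presents.

```python
import hashlib
import socket
import ssl
import sys

DEFAULT_PORT = 443  # port the client tries when the profile names none


def parse_endpoint(value):
    """Split 'host' or 'host:port' as typed into the profile (no IPv6 literals)."""
    value = value.strip()
    host, sep, port = value.rpartition(":")
    if not sep:
        return value, DEFAULT_PORT
    if not host or not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad endpoint: {value!r}")
    return host, int(port)


def fingerprint_matches(der_cert, expected_sha256):
    """Compare a DER certificate with a SHA-256 fingerprint noted from the
    router's exported certificate (hex, with or without ':' separators)."""
    wanted = "".join(c for c in expected_sha256.lower() if c in "0123456789abcdef")
    return hashlib.sha256(der_cert).hexdigest() == wanted


def probe(endpoint, timeout=5.0):
    """Handshake once; return (negotiated protocol name, DER certificate)."""
    host, port = parse_endpoint(endpoint)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Chain validation is switched off only to fetch the certificate;
    # identity is decided by the fingerprint comparison instead.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    # Usage: python check_sslvpn.py vpn.example.com:444 <sha256-fingerprint>
    try:
        version, cert = probe(sys.argv[1])
    except ssl.SSLError as exc:
        # The server offered no protocol version this Python/OpenSSL accepts.
        sys.exit(f"TLS handshake failed: {exc}")
    ok = fingerprint_matches(cert, sys.argv[2])
    print(version, "- certificate", "matches" if ok else "DOES NOT match")
    sys.exit(0 if ok else 1)
```

A failed handshake or a fingerprint mismatch is a reason to stop and check the router's firmware and certificate before entering VPN credentials.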

