V. VPN (Virtual Private Networking)

Teleworker VPN - SSL - Java SSL Tunnel

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2765
Show all

Keywords:
SSL
Smart VPN Client
Tunnel
VPN

Important Notice - Java Plugin Support & DrayTek's Java SSL Tunnel

To be able to use the browser-based Java SSL Tunnel feature, the web browser must support Java as an NPAPU plugin.

Microsoft Edge does not support NPAPI plugins.
Chrome after version 42 no longer supports or allows the use of NPAPI plugins.
Firefox after version 52 no longer supports or allows the use of NPAPI plugins.

To use DrayTek SSL Tunnel, use the SmartVPN client instead.

The DrayTek routers that support Dial-In VPN connections can use any compatible VPN client to connect a remote dial-in user VPN to achieve secured access to the network connected to the router and its internet connection.

The DrayTek Smart VPN Client software is free for use and can use all protocols that the DrayTek routers currently support such as PPTP, IPsec, L2TP over IPsec and SSL VPN protocols (depending on router model).

This example will demonstrate how to make an SSL VPN connection to a DrayTek router using the Java SSL Tunnel facility. This requires a VPN user account configured with permission to establish SSL Tunnel connections and this user must be added to an SSL VPN User Group to allow access to the router's web SSL interface.

The example will demonstrate how to connect an SSL VPN when the router does not have a trusted certificate, which the web browser will give a warning for. Setting up a trusted certificate as shown in this guide will simplify connections to the Java SSL Tunnel.

This connection method requires that the computer connecting is a Windows PC and that the web browser supports Java, please note that Google Chrome and Microsoft Edge browsers do not support Java at this time.

Please note that this requires firmware that supports TLS encryption to work with current versions of Java:

Product Name TLS Firmware
Vigor 2860 series 3.7.8 and later
Vigor 2925 series  3.7.8.1 and later
Vigor 2830 series 3.6.8 and later
Vigor 2830n v2 3.7.4.2 and later
Vigor 3200 series  3.6.8 and later
Vigor 2850 series  3.6.8 and later
Vigor 2960 1.0.9 and later
Vigor 3900 1.0.9 and later

To set up the VPN profile on the router, go to [SSL VPN] > [User Account], click on the first un-used Index number link to edit the profile settings:

Enable the profile, enter a suitable Username to for the account, set the Password for the account and set up the profile to accept SSL Tunnel connections:

Click OK on that page to save the settings for that profile.


Go to [SSL VPN] > [User Group] and select an un-used Index entry to create a new user group:

In the User Group settings:

  • Tick Enable
  • Set the Group Name
  • Tick Local User DataBase if using a user account configured on the router, otherwise tick the relevant option such as RADIUS or LDAP (which are configured from the Applications menu)
  • Add the user account from the Available User Accounts list to the Selected User Accounts list by selecting the account and clicking >>

Click OK to save that user group.

It is now possible to connect to the router's SSL VPN server from a web browser:

{tab Mozilla Firefox}

The Java SSL Tunnel needs Administrator access to install the VPN tunnel software. To do this, go to the Windows Start Menu and right click the icon for the Mozilla Firefox browser and select Run as administrator which will then prompt to run the browser in this mode:

Alternatively, if the application is pinned to the taskbar, press [Ctrl] + [Shift] on the keyboard and click on the icon for the browser, which will prompt to run the browser in administrator mode:


In the web browser, enter the router's HTTPS address in the address bar, for instance this router is accessible on 198.51.100.30 over the internet, enter https://198.51.100.30. If the router's SSL VPN server is on an alternative port, for instance 444, enter "https://198.51.100.30:444".

This should bring up a warning that the connection is untrusted, if the router does not have a trusted certificate installed on it. This is because the router's default certificate does not link to the IP address or hostname of the router.

Allow the connection by clicking I Understand the Risks and Add Exception:

Add an exception for the router's IP address / hostname:

This will allow the browser to proceed to the router's SSL VPN Login page, enter the SSL VPN user's username and password details then click Login:

This will present the router's SSL VPN interface, click on SSL Tunnel and click Connect.

There is a tickbox on this page "Change the default route to be the remote gateway", when this is enabled, all traffic will go through the VPN tunnel once established. If this is not ticked, the VPN connection will only be used to access the remote subnet, internet access will bypass the VPN tunnel.

After clicking Connect, the button will change to say "SSL Tunnel loading". If the browser does not prompt to start Java, check the left of the address bar and if it displays this icon, click the icon and select Allow Now to start Java once or Allow and Remember to start Java and remember this choice so that Java will start without prompting for this IP address / Hostname's request:

This should then start Java, it will warn that the certificate is untrusted if the router does not have a trusted certificate installed, click Continue to download the applet:

The applet will then load and Java will prompt to confirm whether to run the applet or not, click Run

With older firmware versions, it may display a warning, in which case, tick the option to "accept the risk" and click Run

Click Allow for this prompt so that the router can configure the VPN tunnel:

The client will then set up the VPN connection, this can take a minute in some instances so that it can install the tunnel driver, which will prompt that the publisher cannot be verified, click Install this driver software anyway:

With the driver installed, the DrayTel SSL Tunnel Client software will start and display the status of the connection:

To close the VPN, click the Disconnect button. Ticking Remove Virtual Driver on disconnecting will remove the VPN tunnel driver from the computer on closing the VPN tunnel.

{tab Microsoft Internet Explorer}

The Java SSL Tunnel needs Administrator access to install the VPN tunnel software. To do this, go to the Windows Start Menu and right click the icon for the Microsoft Internet Explorer browser and select Run as administrator which will then prompt to run the browser in this mode:

Alternatively, if the application is pinned to the taskbar, press [Ctrl] + [Shift] on the keyboard and click on the icon for the browser, which will prompt to run the browser in administrator mode:


In the web browser, enter the router's HTTPS address in the address bar, for instance this router is accessible on 198.51.100.30 over the internet, enter https://198.51.100.30. If the router's SSL VPN server is on an alternative port, for instance 444, enter "https://198.51.100.30:444".

This should bring up a warning that the connection is untrusted, if the router does not have a trusted certificate installed on it. This is because the router's default certificate does not link to the IP address or hostname of the router. Click Continue to this website to continue:

This will allow the browser to proceed to the router's SSL VPN Login page, enter the SSL VPN user's username and password details then click Login:

This will present the router's SSL VPN interface, click on SSL Tunnel and click Connect.

There is a tickbox on this page "Change the default route to be the remote gateway", when this is enabled, all traffic will go through the VPN tunnel once established. If this is not ticked, the VPN connection will only be used to access the remote subnet, internet access will bypass the VPN tunnel.

After clicking Connect, the button will change to "SSL Tunnel loading":

This should then start Java, it will warn that the certificate is untrusted if the router does not have a trusted certificate installed, click Continue to download the applet:

The applet will then load and Java will prompt to confirm whether to run the applet or not, click Run

With older firmware versions, it may display a warning, in which case, tick the option to "accept the risk" and click Run

Click Allow for this prompt so that the router can configure the VPN tunnel:

The client will then set up the VPN connection, this can take a minute in some instances so that it can install the tunnel driver, which will prompt that the publisher cannot be verified, click Install this driver software anyway:

With the driver installed, the DrayTel SSL Tunnel Client software will start and display the status of the connection:

To close the VPN, click the Disconnect button. Ticking Remove Virtual Driver on disconnecting will remove the VPN tunnel driver from the computer on closing the VPN tunnel.


The status of the VPN tunnel can be viewed from the router's web interface under [VPN and Remote Access] > [Connection Management]:


How do you rate this article?

1 1 1 1 1 1 1 1 1 1