V. VPN (Virtual Private Networking)

VPN TOTP Time-based One-Time Password

Vigor 2865
Vigor 2866
Vigor 2927
Vigor 2962
Show all

Time-based One-Time Password
dial-in user
Show all

Additional security options such as 2FA described on our blog are becoming more popular, and for some businesses such as banks are now mandatory. DrayTek routers have supported mOTP (mobile One Time Password) authentication for some time now. You can find the mOTP setup guide here.

Newer DrayTek routers such as Vigor 3910 support even more sophisticated authentication method called TOTP (Time-based One-Time Password) for remote VPN connections (teleworkers). It's an easy-to-use method that is potentially more secure than SMS or token based 2FA because the user must authenticate with the phone to access the TOTP code.

This article depicts steps on how to use VPN TOTP authentication.

Below is the list of routers supporting the new feature:

Router Model First Firmware supporting TOTP VPN Authentication
Vigor 2865 4.4.1 – Expected Q2 2022
Vigor 2866 4.4.1 – Expected Q2 2022
Vigor 2927 4.4.1 – Expected Q2 2022
Vigor 2962 4.3.1 – Available now
Vigor 3910 4.3.1 – Preview release available now
Here is the list of TOTP Time-based One-Time Password supported teleworker VPN protocols:
IPsec Xauth DrayTek SSL VPN IKEv2 EAP
L2TP over IPsec OpenVPN PPTP (for legacy applications)

DrayTek Vigor Router Setup

1. Go to [VPN and Remote Access] > [Remote Dial-in User] and create a new profile

  • Check Enable this account
  • Enter the Username of your choice
  • Enable the protocol for Allowed Dial-In Type
kb vpn totp01

2. Make sure that the Time-based One-time Password (TOTP) option is enabled. Then copy Secret or scan the QR Code

Note that the Secret or QR Code should be given to the VPN user so that they can use it with their Authenticator APP. The VPN user will then generate a code to establish their VPN tunnel to the router.

kb vpn totp02

3. Open an Authenticator APP such as Google Authenticator or TOTP Authenticator

  • Enter the Secret or scan the QR Code
kb vpn totp03

The password will be automatically generated in the Authenticator App.

kb vpn totp04

4. Enter the password generated in step 3, press Verify and OK to save.

kb vpn totp05

DrayTek Smart VPN Client Setup

1. Open the SmartVPN Client

  • Click Add to create a profile
  • Enter the Profile Name
  • Select the VPN protocol Type
  • Enter the Host IP or Domain
  • Enter the Username
  • Click OK to save the profile
kb vpn totp06

2. Select the profile created in step 1 and click Connect

  • Enter the password generated by the Authenticator App. (Refer to Step 3 in the DrayTek Vigor Router Setup section)
  • Press OK
kb vpn totp07

The green switch indicates that your VPN tunnel has been established:

kb vpn totp08