Additional security options such as 2FA, described on our blog, are becoming more popular and, for some businesses such as banks, are now mandatory. DrayTek routers have supported mOTP (mobile One Time Password) authentication for some time now. You can find the mOTP setup guide here.
Newer DrayTek routers such as the Vigor 3910 support an even more sophisticated authentication method called TOTP (Time-based One-Time Password) for remote VPN connections (teleworkers). It's an easy-to-use method that is potentially more secure than SMS or token-based 2FA because the user must authenticate with the phone to access the TOTP code.
This article describes the steps for using VPN TOTP authentication.
Below is the list of routers supporting the new feature:
Router Model | First Firmware supporting TOTP VPN Authentication |
Vigor 2865 | 4.4.1 – Expected Q2 2022 |
Vigor 2866 | 4.4.1 – Expected Q2 2022 |
Vigor 2927 | 4.4.1 – Expected Q2 2022 |
Vigor 2962 | 4.3.1 – Available now |
Vigor 3910 | 4.3.1 – Preview release available now |

IPsec Xauth | DrayTek SSL VPN | IKEv2 EAP |
L2TP over IPsec | OpenVPN | PPTP (for legacy applications) |
1. Go to [VPN and Remote Access] > [Remote Dial-in User] and create a new profile.
2. Make sure that the Time-based One-time Password (TOTP) option is enabled. Then copy the Secret or scan the QR code.
Note that the Secret or QR code should be given to the VPN user so that they can use it with their authenticator app. The VPN user will then generate a code to establish their VPN tunnel to the router.
3. Open an authenticator app such as Google Authenticator or TOTP Authenticator.
The password will be generated automatically in the authenticator app.
4. Enter the password generated in step 3, press Verify, then OK to save.
1. Open the SmartVPN Client.
2. Select the profile created in step 1 and click Connect.
The green switch indicates that your VPN tunnel has been established.