DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Https access to router admin page.
- MarkG1234
- Topic Author
- Offline
- New Member
- Posts: 3
- Thank you received: 0
17 Nov 2024 07:53 #104167
by MarkG1234
Https access to router admin page. was created by MarkG1234
Really not sure how to set this up, all the guides are overwhelming and delve into VPN and all sorts of other seemingly unrelated content.
I have got as far as generating a self-signed certificate and when I visit the HTTPS admin page of the router, my browser tells me it's untrusted and I should continue.
What next?
Is there a way to use Let's Encrypt or something similar? It's not this difficult on my Synology NAS, which takes care of this, along with cert renewals.
- John
- Offline
- Junior Member
- Posts: 12
- Thank you received: 1
17 Nov 2024 20:25 - 17 Nov 2024 20:38 #104168
by John
Replied by John on topic Https access to router admin page.
I gave up, you need a trusted certificate externally signed. There are guides out there on how to get one but too many steps for me so sticking to http.
https://www.draytek.co.uk/support/guides/kb-local-certificate-management
Last edit: 17 Nov 2024 20:38 by John.
- HodgesanDY
- Offline
- Member
- Posts: 209
- Thank you received: 17
24 Nov 2024 18:55 - 24 Nov 2024 18:59 #104205
by HodgesanDY
Replied by HodgesanDY on topic Https access to router admin page.
Hi MarkG1234,
It really is a good idea to use the VPN service to connect to your Vigor router first, then administer it.
Connecting over http is so unbelievably easy to intercept and examine (by a third party) that I have even stopped using it for all internal devices as well, well at least ones that offer https over http, in fact, I will disable the http access if at all possible on as many devices as I can, and for devices that only offer http, I will never use the same password that I use on my https connections.
Just to stress, if you launch a copy of Wireshark and start capturing packets on your network, then log in to your Vigor router using http, you can stop the capture, find the http POST packet and copy out the password string, then open a base64 conversion tool on the internet and paste that copied string into it, it will return your password!
I have done this several times to demonstrate to others how dangerous it is to use http - even internally, anyone can sniff packets flying around your network and then dissect them. With http, there is virtually zero encryption, you might as well just put the password in as the username; which, by the way, is even easier to extract than the password.
There are plenty of examples of how to set up the VPN service on a Vigor router, on this forum and even on the DrayTek website, not to mention the many videos on YouTube showing how to configure it.
The easiest method is SSL but IPsec is better if you can spend the time to get it set up and working properly.
I totally agree with John though, setting up the external certs can be a pain in the arse, and I used the http connection myself for so many years until I discovered how easy it was to extract the password; honestly, try it yourself on an internal basis and you’ll be gobsmacked!
Last edit: 24 Nov 2024 18:59 by HodgesanDY.
The following user(s) said Thank You: zac123
- John
- Offline
- Junior Member
- Posts: 29
- Thank you received: 2
24 Nov 2024 20:33 - 24 Nov 2024 20:37 #104207
by John
Replied by John on topic Https access to router admin page.
Another John here!
It's true, http is a doddle to intercept, but I use it on local LANs where I have control of who connects.
I found that self-signed certs work fine for admin page access.
Concur that the VPN matcher service makes VPN setup really easy.
Last edit: 24 Nov 2024 20:37 by John. Reason: Spelling corrected
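A self-signed certificate on the admin page can be verified by pinning its SHA-256 fingerprint rather than accepting the browser warning each time. The sketch below is an added example, not part of any post in this thread or DrayTek's own code; the host and pin passed to `check_router` are assumptions you supply, with the pin recorded once over a trusted path (for example when the certificate is generated).

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Strip separators and case so pins copied from different tools compare equal."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def matches_pin(der: bytes, pinned: str) -> bool:
    """True only if the presented certificate is byte-for-byte the pinned one."""
    return hmac.compare_digest(normalise(fingerprint(der)).encode(),
                               normalise(pinned).encode())


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the admin page presents, without CA validation.

    CA validation is switched off on purpose: a self-signed certificate has no
    chain to check, so trust has to come from the pin comparison instead.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_router(host: str, pinned: str, port: int = 443) -> None:
    """Raise if the router presents any certificate other than the pinned one."""
    der = fetch_der(host, port)
    if not matches_pin(der, pinned):
        raise ssl.SSLError(f"{host}: certificate {fingerprint(der)} does not match pin")


# Constructed stand-in bytes (not a real certificate) to show the comparison offline.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
SAMPLE_PIN = fingerprint(SAMPLE_DER)
```

A mismatch means the certificate was regenerated on the router or something else is answering on that address; either way, do not enter the admin password until the pin is re-established.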
- ctluk
- Offline
- Junior Member
- Posts: 56
- Thank you received: 5
25 Nov 2024 09:16 - 25 Nov 2024 09:17 #104210
by ctluk
Replied by ctluk on topic Https access to router admin page.
If you are using a modern Vigor that supports LetsEncrypt then use that for your certificate authority, you'll need to set up DrayDDNS and then enable LetsEncrypt. Doesn't take long to set up and it takes all the hassle out of using external certificates. Also remember to change the SSL VPN port to something other than 443 so it doesn't conflict.
Last edit: 25 Nov 2024 09:17 by ctluk.
- MarkG1234
- Topic Author
- Offline
- New Member
- Posts: 3
- Thank you received: 0
25 Nov 2024 09:20 #104211
by MarkG1234
Replied by MarkG1234 on topic Https access to router admin page.
Isn't this only useful if you want to access your router from the internet? (Which sounds like a really bad idea)
Moderators: Chris, Sami
Copyright © 2024 DrayTek