DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Some questions on the 2955 VPN router

31 Mar 2010 16:25 #1 by peter-h
Some questions on the 2955 VPN router was created by peter-h
The router is described here
http://www.draytek.co.uk/products/vigor2955.html

and the SSL mode here
http://www.draytek.co.uk/support/kb_vigor_ssl.html

Currently I am running with the 2900 router's PPTP VPN for "teleworker" connections; PPTP is supported natively by windoze but is not propagated by most 3G networks or many wifi networks.

So I am looking at SSL which, running over port 443, is sure to work everywhere...

Reading the above Draytek stuff, they seem to just use a standard www browser as the client, but this obviously works only with host apps which interact with an HTTPS browser (I cannot think of any such app myself; we are not talking of the slick "Citrix" functionality here whereby a remote web browser becomes the client for a remote desktop server).

They also offer the option of a download of a client tunneling program (a java active-x thingy) which then gives a normal VPN functionality. This is the bit I would need for e.g. pc/anywhere which is the main app I run over the VPN.

Curiously the HTTPS browser needs to remain loaded throughout the VPN session even if one is using the tunnel mode. That's OK.

The attraction of this product, over a separate "SSL VPN box", is that I could replace the 2900 router with the 2955 and it "should just work" :)

Also curiously one needs to enable the remote management mode in the router, on HTTPS only, for the SSL VPN to work. I can understand this, but surely this means port 443 is going to be hacked mercilessly. On the 2900 we had many password (dictionary) attacks on port 443; the 2900 router had/has a bug in that disabling remote management totally still did not disable remote management on p443 so a port sniffer quickly detected a response on that port and then went to work on it... We solved this by port forwarding p443 to an internal IP on which nothing is responding and that made p443 appear dead to the sniffers.

Maybe a response to a port sniffer on port 443 is just an unavoidable side effect of any SSL VPN?

Which begs the question of which ports does a PPTP VPN appear on? I got somebody to do a port scan on my IP and apart from the obvious ports he found nothing open.

I would expect a VPN router to not respond to port sniffers unless it first receives a data packet which contains a part of the user's password or something like that. Otherwise, this opens up the router to an easy DOS attack, especially on an ADSL connection with a fast downlink speed e.g. 8Mbits/sec :)

The other thing I can't get my head around is how would one run an HTTPS server behind this router. Currently we run an HTTP server behind ours, which is trivial. Presumably the 2955 must be configurable for an automatic "pass-through" so any traffic not destined for the remote admin function, and not destined for one of the VPN users, gets passed through to the internal network?

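As an added example (not from the original post, nor DrayTek's own code), here is the kind of check a defender can run over a router's remote-management log to spot the password dictionary attacks on port 443 that peter-h describes, and to flag a source that eventually logs in after repeatedly failing. The log line format, addresses and user names below are constructed for this example; a real Vigor syslog line has a different layout and would need its own regular expression.

```python
"""Added example (not DrayTek code): detect dictionary attacks on a router's
remote-management HTTPS port from constructed authentication log lines."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample log: timestamp, source IP, destination port, user, result.
# The format is invented for this example; real Vigor syslog output differs.
SAMPLE_LOG = """\
2010-03-31 16:20:01 src=203.0.113.7 dport=443 login=admin result=FAIL
2010-03-31 16:20:02 src=203.0.113.7 dport=443 login=admin result=FAIL
2010-03-31 16:20:03 src=203.0.113.7 dport=443 login=admin result=FAIL
2010-03-31 16:20:04 src=203.0.113.7 dport=443 login=root result=FAIL
2010-03-31 16:20:05 src=203.0.113.7 dport=443 login=admin result=FAIL
2010-03-31 16:20:06 src=203.0.113.7 dport=443 login=admin result=FAIL
2010-03-31 16:25:40 src=198.51.100.9 dport=443 login=peter result=FAIL
2010-03-31 16:25:45 src=198.51.100.9 dport=443 login=peter result=OK
2010-03-31 16:40:00 src=192.0.2.50 dport=1723 login=peter result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) src=(?P<src>\S+) "
    r"dport=(?P<dport>\d+) login=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": d["src"],
        "dport": int(d["dport"]),
        "user": d["user"],
        "ok": d["result"] == "OK",
    }


def find_bruteforce(log_text, port=443, threshold=5, window=timedelta(minutes=1)):
    """Return {src_ip: time_of_first_alert} for every source with at least
    `threshold` failed logins against `port` inside a sliding window of `window`."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dport"] != port or ev["ok"]:
            continue
        q = failures[ev["src"]]
        q.append(ev["ts"])
        # Drop failures that fell out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerts:
            alerts[ev["src"]] = ev["ts"]
    return alerts


def success_after_failures(log_text, port=443):
    """Return {src_ip: user} for sources that logged in OK on `port` after at
    least one failure from the same address: a guessed password looks like this."""
    failed = set()
    suspicious = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["dport"] != port:
            continue
        if not ev["ok"]:
            failed.add(ev["src"])
        elif ev["src"] in failed and ev["src"] not in suspicious:
            suspicious[ev["src"]] = ev["user"]
    return suspicious


if __name__ == "__main__":
    for src, ts in find_bruteforce(SAMPLE_LOG).items():
        print(f"dictionary attack from {src}, threshold reached at {ts}")
    for src, user in success_after_failures(SAMPLE_LOG).items():
        print(f"{src} logged in as {user} after earlier failures; verify it was legitimate")
```

The threshold and window are deliberately modest: on an ADSL line a single scanning host can try several passwords a second, so five failures in a minute from one address is already well outside what a teleworker mistyping a password produces. The PPTP line on port 1723 is ignored by both checks because they are scoped to the HTTPS management port.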
10 Jun 2010 11:18 #2 by roboughton
Replied by roboughton on topic Some questions on the 2955 VPN router
I too have many questions about this piece of kit; doesn't look like many know much about it though.

I will just have to suck it and see

24 Jun 2010 22:52 #3 by admin
Replied by admin on topic Re: Some questions on the 2955 VPN router

peter-h wrote:
I would expect a VPN router to not respond to port sniffers unless it first receives a data packet which contains a part of the user's password or something like that.

I don't think that would work. It's a bit like saying someone's doorbell shouldn't ring unless someone says "Hey, it's Peter" whilst they hold the button down :-) The RFCs most likely require responses to requests (I am guessing). A strong password should defeat any sniffing point.

Forum Administrator