Teleworker VPN - Troubleshooting Mobile One-Time-Password (mOTP) 2FA VPN Connections
Mobile One-Time-Password authentication provides two-factor authentication for VPN connections. Instead of a simple username and password that could be guessed or 'brute-forced', the VPN tunnel is secured with a long, complex secret stored on the authentication device (laptop, mobile phone, tablet) and a PIN that the user knows, along with their username.
These are combined with a time element for additional security: when the PIN is entered into the mOTP token device, it produces a password that the user then enters. This password is valid for around 30 seconds.
mOTP can be used with any VPN client, but it will require using a phone/tablet as the mOTP token with a suitable mOTP app for Android or iPhone.
The DrayTek SmartVPN client can automate the mOTP process and act as the mOTP token, so the user only needs to enter their PIN code to connect the VPN tunnel. Only the laptop set up with mOTP is then able to connect to that VPN tunnel.
mOTP authentication can be used with these VPN types:
- DrayTek SSL VPN
- IPsec - IKEv2 EAP
- L2TP over IPsec
- PPTP
This guide specifically covers troubleshooting mobile One Time Password protected VPN connections; for general VPN troubleshooting steps, see this article.
Troubleshooting Steps with mOTP
There are a few common reasons why a VPN connection using mOTP authentication might fail to establish:
1. Check Time Settings
One element of the mobile One Time Password generation process is the time, which must match on both the router and the VPN client. The temporal element of the password generation improves security; however, if the time is out of sync between the two systems, the generated mOTP password will fail to authenticate the VPN and it will not be able to connect.
- Check that the time settings on the computer or phone/tablet match your router's time. Check that NTP (Network Time Protocol) is enabled.
- On the router, also check that it's using a working NTP time server to get the correct time.
Because the password is time-based, it can expire while the PIN entry screen is shown. If the connection fails, start the VPN connection on the client, enter the PIN and connect within 30-60 seconds.
2. Non-matching Secret
If the Secret value does not match between the VPN client and the router, the VPN connection will fail to authenticate every time.
Try generating a new secret on the mOTP token, or set the Secret value on the router and paste that into the mOTP app.
3. Incorrect PIN or Username
If the PIN or Username entered when connecting the VPN client does not match the router's configuration, the connection will fail to authenticate every time. The Username is case sensitive, so make sure it's being entered correctly on the remote side. Try changing the username, or try a simpler username if it contains any special characters.
Entering an incorrect PIN in an mOTP app will not give an error message; it will generate an incorrect password that the router will reject.
4. Incorrect Password
If using a phone/tablet as the mOTP token, the user must enter the password once it has been generated. It could be entered incorrectly, so make sure it's entered in lower case, as the generated password is 6 hexadecimal digits.
There is also a countdown timer shown in most mOTP apps; once the timer has expired, the shown password has expired and cannot be used. Enter the PIN again to generate a new password and use that to connect.
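The four checks above can be reproduced in code. The following is an added example, not from this article or from DrayTek, that generates a Mobile-OTP code and classifies a rejected code into the failure modes described. It assumes the router follows the published Mobile-OTP construction (first six hex characters of MD5 over the epoch time with its last digit dropped, then the secret, then the PIN) and accepts a window of plus or minus 30 seconds; the secret, PIN and timestamp are constructed values.

```python
import hashlib

HEX_DIGITS = set("0123456789abcdef")


def motp(secret: str, pin: str, epoch: int) -> str:
    """Mobile-OTP code: MD5 over (epoch seconds with the last digit dropped,
    then the secret, then the PIN), truncated to the first 6 hex characters.
    A new code is produced every 10 seconds."""
    counter = str(epoch // 10)
    return hashlib.md5((counter + secret + pin).encode()).hexdigest()[:6]


def verify(secret: str, pin: str, entered: str, server_epoch: int,
           window: int = 30) -> bool:
    """Router-side check: accept the code if it matches any 10-second step
    within +/- window seconds of the router's clock (assumed window)."""
    return any(
        motp(secret, pin, server_epoch + offset) == entered
        for offset in range(-window, window + 1, 10)
    )


def diagnose(secret: str, pin: str, entered: str, server_epoch: int,
             window: int = 30, search: int = 3600) -> str:
    """Map a rejected code to the failure modes in the troubleshooting steps."""
    code = entered.strip()
    if code != code.lower():
        return "password entered in upper case"
    if len(code) != 6 or set(code) - HEX_DIGITS:
        return "password is not 6 hexadecimal digits"
    if verify(secret, pin, code, server_epoch, window):
        return "ok"
    # Outside the accepted window but valid at some other time: the clocks
    # differ, or the code was entered after it expired.
    for offset in range(-search, search + 1, 10):
        if motp(secret, pin, server_epoch + offset) == code:
            return "clock skew of about %d s, or expired code" % offset
    # Never valid at any time: the PIN or the secret does not match.
    return "no match at any time: wrong PIN or non-matching secret"


if __name__ == "__main__":
    # Constructed values, not a real router secret or PIN.
    SECRET, PIN, NOW = "0123456789abcdef", "1234", 1600000000
    print(motp(SECRET, PIN, NOW))
    print(diagnose(SECRET, PIN, motp(SECRET, PIN, NOW + 120), NOW))
```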
- First Published: 03/08/2020
- Last Updated: 22/04/2021