V. VPN (Virtual Private Networking)
Expired
Teleworker VPN - SSL with mOTP 2FA - DrayTek Smart VPN Client
DrayTek's Smart VPN Client software for Windows is ideal for connecting remotely to a DrayTek Vigor router's VPN server as a Remote Dial In User. Available for download here. It is free and can connect using all protocols that the DrayTek routers currently support, such as IPsec, L2TP over IPsec, OpenVPN and SSL VPN.
In this example, the Smart VPN Client will be used to make an SSL VPN connection to a DrayTek router with two-factor authentication provided by mOTP (mobile One Time Password), which is built into the DrayTek SmartVPN client. This uses the laptop as the VPN token so that the user logged in to the laptop can connect their VPN tunnel with a simple PIN code.
The SmartVPN client on the laptop manages the time-based authentication and password response with its securely held mOTP secret. The end user does not need to know the mOTP secret value, just the Username and PIN code. To connect the VPN tunnel, the user simply enters their VPN username and PIN code and the SmartVPN client handles the key generation.
This guide demonstrates setting up the VPN client first, generating the mOTP secret in the VPN client, then afterwards creating the VPN profile on the router with that secret value.
Setting up the SmartVPN Client for SSL VPN with mOTP
Open the DrayTek Smart VPN Client, go to the Profiles section and click Add to create a new VPN profile:
That will open a new window to configure the VPN settings. See the table below for a description of what each setting does and the recommended settings for connecting an SSL VPN tunnel with mOTP:
Profile Name | Specify a profile name to identify the VPN |
Server Type | Select SSL VPN Tunnel |
Server IP or Hostname & Port | Specify the IP or Hostname of the router |
Authentication Type | Select mOTP to use 2-factor authentication |
User Name (not displayed) | Unavailable with mOTP authentication selected; this is entered later |
Password (not displayed) | Unavailable with mOTP authentication; the password is stored as a combination of the secret + PIN, which are both set in later steps |
IP Property | Leave this on its default settings of Auto |
Advanced Options | Select the options shown here. See this article for more information on what each setting does. |
Use default gateway on remote network | Enable this to send all traffic through the VPN tunnel. Disable it to send only remote network access through the VPN tunnel. |
Click mOTP Settings to continue:
Select the SmartVPN Built-in OTP Generator and click Generate:
This will pop up a window with the generated secret (32 hexadecimal characters), which forms part of the mOTP password. This will be stored securely on the laptop by the SmartVPN Client software.
Click Copy to copy the secret into the clipboard. This can then be pasted into a text editor or other application. In this example, this is pasted into Windows Notepad. This secret value will be needed to set up the VPN profile later and cannot be retrieved from the SmartVPN client after it has been stored. Keep this open for later:
Make sure that the generated secret value is noted somewhere and go back to the SmartVPN client. Click OK on the Generate Secret window:
Click Store to save the value in the SmartVPN client. This can be changed later if needed, but the Secret value (16 to 32 Hex digits) must match on the router's VPN profile and the SmartVPN client.
With the Secret set and the VPN profile configured, click OK on the SmartVPN profile to save that profile.
Setting up SSL VPN User Account with mOTP on a DrayTek Vigor router
To set up the profile on the router, go to [VPN and Remote Access] > [Remote Dial-In User] and click on the first unused Index number link to edit the profile settings:
Enable the profile, enter a suitable Username for the account and set up the profile to accept SSL Tunnel connections:
Tick Enable Mobile One-Time Passwords(mOTP) to enable the PIN and Secret settings. Paste the secret in and set the PIN value (4 to 7 numerical digits). The end user will need to know the PIN value and their Username to connect the VPN.
The order in which this setup is demonstrated is just one way to set up mOTP for SSL VPN. If setting up from the router's web interface first and the end user is remote, the Secret can be configured on the router and sent to the user through secure means, then entered into the Secret value for the SmartVPN profile's mOTP configuration.
Click OK on that page to save the settings for that profile.
With the VPN connection set up, the remote user can now connect their SSL VPN tunnel with the SmartVPN client.
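As an added illustration (not DrayTek's code), the sketch below computes and verifies a code following the public Mobile-OTP scheme: the first six hex digits of MD5 over the 10-second time counter, the secret and the PIN. That the SmartVPN client and the router follow this scheme exactly, and the drift window of 18 periods, are assumptions; the secret and PIN in the comments are constructed sample values.

```python
import hashlib
import hmac
import re
import time

SECRET_RE = re.compile(r"[0-9a-fA-F]{16,32}")  # page: Secret is 16 to 32 hex digits
PIN_RE = re.compile(r"[0-9]{4,7}")             # page: PIN is 4 to 7 numerical digits
CODE_RE = re.compile(r"[0-9a-fA-F]{6}")
STEP = 10  # Mobile-OTP counts time in 10-second periods


def motp(secret, pin, now=None):
    """Return the one-time password for the 10-second period containing `now`."""
    if not SECRET_RE.fullmatch(secret):
        raise ValueError("secret must be 16 to 32 hex digits")
    if not PIN_RE.fullmatch(pin):
        raise ValueError("PIN must be 4 to 7 digits")
    period = int(time.time() if now is None else now) // STEP
    # The secret is hashed as typed, so both ends must hold the identical string.
    digest = hashlib.md5(f"{period}{secret}{pin}".encode("ascii")).hexdigest()
    return digest[:6]


def verify(secret, pin, candidate, now=None, skew_periods=18):
    """Server-side check that tolerates clock drift of +/- skew_periods (assumed)."""
    if not CODE_RE.fullmatch(candidate):
        return False
    now = int(time.time() if now is None else now)
    ok = False
    for offset in range(-skew_periods, skew_periods + 1):
        expected = motp(secret, pin, now + offset * STEP)
        # Constant-time comparison; every period is checked to keep timing uniform.
        ok |= hmac.compare_digest(expected, candidate.lower())
    return ok


if __name__ == "__main__":
    sample_secret = "0123456789abcdef0123456789abcdef"  # constructed sample value
    sample_pin = "4821"                                 # constructed sample value
    code = motp(sample_secret, sample_pin)
    print(code, verify(sample_secret, sample_pin, code))
```

Because the code depends only on the clock, the Secret and the PIN, the copy of the Secret pasted into Notepad is as sensitive as the stored one and should be discarded once the router profile is saved.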
Connecting the VPN and Checking VPN Status in Windows
It is now possible to connect the VPN. Select the profile from the list on the main window and click the Connect button:
That will pop up a window to enter the User Name and PIN settings. The username will be stored after entering it for the first time:
Click OK and the VPN will start to connect, displaying connection status here:
Once the VPN successfully connects, the SmartVPN client will minimise into the Windows System Tray and display a connection status notification in Windows:
Double-click the green system tray icon to display the SmartVPN client. Alternatively, right click the SmartVPN client system tray icon for quick access to connect/disconnect & statistics options:
Expanding the SmartVPN will show the connection status. Clicking the Disconnect button will drop the VPN tunnel:
If the VPN fails to connect, check this article for troubleshooting steps.
- First Published: 03/08/2020
- Last Updated: 22/04/2021