Expired

V. VPN (Virtual Private Networking)

Expired

Teleworker VPN - SSL with mOTP 2FA - DrayTek Smart VPN Client

Products:
Vigor 2135ax
Vigor 2620Ln
Vigor 2762
Vigor 2763
Show all

Keywords:
SSL
Smart VPN Client
Tunnel
VPN

DrayTek's Smart VPN Client software for Windows is ideal for connecting remotely to a DrayTek Vigor router's VPN server as a Remote Dial In User. Available for download here. It is free and can connect all protocols that the DrayTek routers currently support such as IPsec, L2TP over IPsecOpenVPN and SSL VPN protocols.

In this example, the Smart VPN Client will be used to make an SSL VPN connection to a DrayTek router with two-factor authentication provided by mOTP (mobile One Time Password), which is built into the DrayTek SmartVPN client. This uses the laptop as the VPN token so that the user logged in to the laptop can connect their VPN tunnel with a simple PIN code.

The SmartVPN client on the laptop manages the time based authentication and password response with its securely held mOTP secret. The end user does not need to know the mOTP secret value, just the Username and PIN code. To connect the VPN tunnel, the user simply enters their VPN username and PIN code and the SmartVPN client handles the key generation.

This guide demonstrates setting up the VPN client first, generating the mOTP secret in the VPN client, then afterwards creating the VPN profile on the router with that secret value.

Setting up the SmartVPN Client for SSL VPN with mOTP

Open the DrayTek Smart VPN Client, go to the Profiles section and click Add to create a new VPN profile:

That will open a new window to configure the VPN settings. See the table below for a description of what each setting does and the recommended settings for connecting an SSL VPN tunnel with mOTP:

Profile Name Specify a profile name to identify the VPN
Server Type Select SSL VPN Tunnel
Server IP or Hostname & Port Specify the IP or Hostname of the router
Authentication Type Select mOTP to use 2-factor authentication
User Name (not displayed) Unavailable with mOTP authentication selected, this is entered later
Password (not displayed) Unavailable with mOTP authentication, the password is stored as a combination of the secret + PIN, which are both set in later steps
IP Property Leave this on its default settings of Auto
Advanced Options Select the options shown here. See this article for more information on what each setting does.
Use default gateway
on remote network
Enable this to send all traffic through the VPN tunnel. Disable it to send only remote network access through the VPN tunnel.

Click mOTP Settings to continue:

smartvpn5 sslmotp2

Select the SmartVPN Built-in OTP Generator and click Generate:

smartvpn5 sslmotp4

This will pop-up a window with the generated secret (32 hexadecimal characters) and forms part of the mOTP password. This will be stored securely on the laptop by the SmartVPN Client software.

Click Copy to copy the secret into the clipboard. This can be then be pasted into a text editor or other application. In this example, this is pasted into Windows Notepad. This secret value will be needed to set up the VPN profile later and cannot be retrieved from the SmartVPN client after it has been stored. Keep this open for later:

smartvpn5 sslmotp5

Make sure that the generated secret value is noted somewhere and go back to the SmartVPN client. Click OK on the Generate Secret window:

smartvpn5 sslmotp10

Click Store to save the value in the SmartVPN client. This can be changed later if needed, but the Secret value (16 to 32 Hex digits) must match on the router's VPN profile and the SmartVPN client.

smartvpn5 sslmotp3

With the Secret set and the VPN profile configured, click OK on the SmartVPN profile to save that profile.


Setting up SSL VPN User Account with mOTP on a DrayTek Vigor router

To set up the profile on the router, go to [VPN and Remote Access] > [Remote Dial-In User], click on the first un-used Index number link to edit the profile settings:

Enable the profile, enter a suitable Username for the account and set up the profile to accept SSL Tunnel connections:

Tick Enable Mobile One-Time Passwords(mOTP) to enable the PIN and Secret settings. Paste the secret in and set the PIN value (4 to 7 numerical digits). The end user will need to know the PIN value and their Username to connect the VPN.

The order in which this setup is demonstrated is just one way to set up mOTP for SSL VPN. If setting up from the router's web interface first and the end user is remote, the Secret can be configured on the router and sent to the user through secure means, then entered into the Secret value for the SmartVPN profile's mOTP configuration.

smartvpn5 sslmotp6

Click OK on that page to save the settings for that profile.

With the VPN connection set up, the remote user can now connect their SSL VPN tunnel with the SmartVPN client.

Connecting the VPN and Checking VPN Status in Windows

It is now possible to connect the VPN, select the profile from the list on the main window and click the Connect button:

smartvpn5 sslmotp7

That will pop-up a window to enter the User Name and PIN settings, the username will be stored after entering for the first time:

smartvpn5 sslmotp8

Click OK and the VPN will start to connect, displaying connection status here:

Once the VPN successfully connects, the SmartVPN client will minimise into the Windows System Tray and display a connection status notification in Windows:

Double-click the green system tray icon to display the SmartVPN client. Alternatively, right click the SmartVPN client system tray icon for quick access to connect/disconnect & statistics options:

Expanding the SmartVPN will show the connection status, clicking the Disconnect button will drop the VPN tunnel:

smartvpn5 sslmotp9

If the VPN fails to connect, check this article for troubleshooting steps.

Check VPN Status on a Vigor Router

The status of the VPN tunnel can be viewed from the router's web interface under [VPN and Remote Access] > [Connection Management]:


How do you rate this article?

1 1 1 1 1 1 1 1 1 1