DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

The 3.9.x firmware's OpenVPN server implementation is awful

26 Nov 2019 11:17 #1 by nomen nescio
Ok, so in the 3.9.0 firmware, DrayTek added an OpenVPN server for dial-in VPN access. Great!

In order to make use of it you need to create your own SSL CA, import it into the router as a Trusted CA, and generate a server certificate signed by your CA (plus certificates for any clients that need access). Sounds reasonable!

However, despite the fact that OpenVPN gets its own dedicated section in the management UI, the only way to actually assign your new SSL certificate to your OpenVPN server is by selecting it in the "SSL VPN >> General Setup" section. Umm, what?

This means that you are now using an SSL certificate signed by an untrusted fake CA for all of your other SSL-enabled router services, including your HTTPS server and your SSL VPN (which leads to security warnings on any clients you use to access those services, unless you manually import and trust the CA certificate on each client). You can no longer use a trusted Let's Encrypt certificate, which DrayTek also added support for in the 3.9.0 firmware...

In other words, they have literally implemented two new features in the same firmware update which are completely incompatible with each other, because there's no way to assign different SSL certificates to different services, even though the router can store multiple certificates. What the actual ****?

And that's not all!

I've also discovered that, despite the 3.9.0 release notes stating:

The router's OpenVPN server is automatically enabled on the router upon upgrade to 3.9.0 firmware, which listens on TCP & UDP ports 1194 by default and will take precedence over port forwarding to a LAN server using these ports.

if you have an internal IP address assigned as a DMZ host, the router will actually send traffic on port 1194 to the DMZ rather than to its own OpenVPN server. I had to remove my DMZ host to get the OpenVPN server to respond to dial-in attempts, and I only figured that out purely by chance, because I randomly looked at "Diagnostics >> NAT Sessions Table" and spotted that port 1194 was routing to the DMZ host.

Bravo DrayTek! Bravo!

Seriously, why even bother releasing new features when they're clearly not fit for purpose? This is basic QA stuff that should be picked up in testing before the firmware is ever approved for release, but here we are, four firmware versions later at 3.9.1.3, still with the same problems!

/rant

I'm now off to file a report to DrayTek tech support.

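Added example for the CA/server/client certificate procedure described in the post above (not the poster's or DrayTek's code): it builds a private CA, a server certificate and one client certificate with openssl, then verifies each leaf against the CA for both the server and client purpose, so the server certificate cannot double as a client certificate and vice versa. The hostnames and subject names are placeholders; the `show_presented` helper is there to confirm which certificate a live router service (e.g. the HTTPS port) is actually handing out once the private-CA certificate has been assigned.

```shell
#!/bin/sh
# Added example: private CA + OpenVPN server/client certificates with openssl.
# Not DrayTek's or the poster's code. All names below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the script does not depend on the system openssl.cnf.
REQ_CNF="$WORK/req.cnf"
printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = placeholder\n' > "$REQ_CNF"

# Self-signed CA: this is what gets imported into the router as a Trusted CA
# (and into every client that should stop warning about the router's cert).
make_ca() {
  openssl req -new -config "$REQ_CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Private VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/ca.ext"
  openssl x509 -req -sha256 -days 3650 -in "$WORK/ca.csr" -signkey "$WORK/ca.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# issue_cert NAME CN EKU [SAN]: CSR plus leaf certificate signed by the CA.
# EKU is serverAuth for the router's server cert and clientAuth for each
# dial-in client, so a leaked client cert cannot impersonate the server.
issue_cert() {
  name=$1; cn=$2; eku=$3; san=${4:-}
  openssl req -new -config "$REQ_CNF" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$cn" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  {
    echo "basicConstraints=CA:FALSE"
    echo "keyUsage=critical,digitalSignature,keyEncipherment"
    echo "extendedKeyUsage=$eku"
    if [ -n "$san" ]; then echo "subjectAltName=$san"; fi
  } > "$WORK/$name.ext"
  openssl x509 -req -sha256 -days 825 -in "$WORK/$name.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# verify_chain CERT PURPOSE: exit 0 if CERT chains to our CA and is valid for
# PURPOSE (sslserver or sslclient), non-zero otherwise.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" -purpose "$2" "$1" >/dev/null 2>&1
}

# show_presented HOST:PORT: subject and issuer of the certificate a live TLS
# service presents. Point it at the router's HTTPS port to see whether the
# private-CA certificate has replaced the publicly trusted one (needs network,
# so it is not called below).
show_presented() {
  openssl s_client -connect "$1" </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer
}

make_ca
issue_cert server  vpn.example.internal serverAuth DNS:vpn.example.internal
issue_cert client1 alice clientAuth

for leaf in server client1; do
  for purpose in sslserver sslclient; do
    if verify_chain "$WORK/$leaf.crt" "$purpose"; then r=OK; else r=REJECTED; fi
    echo "$leaf.crt as $purpose: $r"
  done
done
echo "Artifacts in $WORK: import ca.crt as the Trusted CA, server.crt/server.key on the router, client1.crt/client1.key on the client"
```

Expected result: server.crt verifies as sslserver and is rejected as sslclient, client1.crt the other way round. Each certificate's key usage and extended key usage are what make that split work; a CA whose leaf certificates carry no EKU at all would let any issued certificate play either role.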

27 Nov 2019 00:25 #2 by klemm
[quote]I'm now off to file a report to DrayTek tech support.[/quote]

Don't waste your bytes.


27 Nov 2019 08:37 #3 by 36bits
This is typical DrayTek: system design and code quality just appear to be amateurish. It's impossible to recommend their products in good faith to clients.
