V. VPN (Virtual Private Networking)
ExpiredTeleworker VPN - SSL - Apple iOS Smart VPN App
Apple iOS devices such as the Apple iPad and iPhone can connect to a DrayTek router that supports SSL VPN with the free DrayTek Smart VPN App for iOS which allows iOS devices to create fast and secure SSL VPN tunnels for teleworking and/or secure browsing.
It integrates with Apple's VPN facilities so that users can quickly establish a VPN tunnel from both the Smart VPN App and through the iOS Settings - VPN menu.
Requirements:
- Apple iPad, iPhone or iPod Touch with iOS 9.0 or later
- DrayTek Vigor router with SSL VPN Tunnel support (i.e. Vigor 2860)
- Static IP address or Host Name (including Dynamic DNS) for the router's WAN interface
- Recommended: Certificate (can be self-signed) with valid Common Name (IP or Host Name) and valid To/From times
DrayTek SSL VPN with Apple devices on iOS 13 and later
The iOS 13 update from Apple introduces new requirements for Trusted SSL Certificates, which are required for operation of an SSL VPN connection.
If the Trusted Certificate used by the router does not meet these requirements, the SmartVPN app will display a connection error:
"SmartVPN"
"Connection error, please verify
certificate on the Vigor router side or
contact your administrator."
There are two recommended solutions:
Use LetsEncrypt Certificate | Regenerate the Self-Signed Certificate |
The certificates provided by the LetsEncrypt Certificate Authority are compatible with iOS 13 and later. If your router supports LetsEncrypt and you have set up a DrayDDNS account, the router can manage the process of getting certificates signed by LetsEncrypt. Once this is in place and the LetsEncrypt/DrayDDNS certificate is selected for SSL VPN use, your Apple device will be able to authenticate with the router. One significant benefit of this method is that you can use the more complex "Verify Root CA" verification level without needing any additional setup. Refer to this guide for setting up LetsEncrypt on your router: |
DrayTek released firmware updates in November 2019 for compatibility with Apple's iOS 13 and later. Update the firmware of your router to the latest version and regenerate the certificate: If there is no firmware update available for your DrayTek router model yet, or the firmware can not be updated, use this method instead. |
Set the Certificate Verification Level
The DrayTek Smart VPN client has options to control the level of verification used for the certificates that secure the SSL VPN tunnel. Before setting up the SSL VPN connection, it's important to consider which type of certificate verification that the SSL VPN client will enforce; more verification will require additional certificate setup.
Each level of verification has different requirements and the default setting is to "Match server name", which is defined in the table below. If the certificate does not match the verification requirements, the Smart VPN application will not allow the VPN tunnel to establish and will display the error message shown to the right.
Certificate Verification Level | Description |
---|---|
Basic | Checks that the certificate is within the Valid To and Valid From times |
Match Server Name | Checks that the certificate's Common Name / CN matches the destination of the server connection. Checks that the certificate is within the Valid To and Valid From times |
Verify Root CA | Checks that the certificate is signed by a trusted root authority. Checks that the certificate's Common Name / CN matches the destination of the server connection. Checks that the certificate is within the Valid To and Valid From times |
This is configured from the Settings section of the app:
Overview
This setup guide gives instructions for two methods of configuring the VPN connection, depending on the Certificate Verify Level selected:
- Basic Verification - This is recommended for setting up the VPN connection quickly
- Match Server Name - This method requires configuring a valid certificate on the router before the VPN can be established, but does provide higher security because the authenticity of the VPN server can be confirmed
- First Published: 08/06/2016
- Last Updated: 22/04/2021