Expired

V. VPN (Virtual Private Networking)

Expired

VPN TOTP Time-based One-Time Password

Products:

Show all

Keywords:

Show all

Additional security options such as 2FA described on our blog are becoming more popular, and for some businesses such as banks are now mandatory. DrayTek routers have supported mOTP (mobile One Time Password) authentication for some time now. You can find the mOTP setup guide here.

Newer DrayTek routers such as Vigor 3910 support even more sophisticated authentication method called TOTP (Time-based One-Time Password) for remote VPN connections (teleworkers). It's an easy-to-use method that is potentially more secure than SMS or token based 2FA because the user must authenticate with the phone to access the TOTP code.

This article depicts steps on how to use VPN TOTP authentication.

Below is the list of routers supporting the new feature:

Router Model	First Firmware supporting TOTP VPN Authentication
Vigor 2865	4.4.2*
Vigor 2866	4.4.2*
Vigor 2927	4.4.2*
Vigor 2962	4.3.1
Vigor 3910	4.3.1

* - firmware release expected in Q4-2022

Here is the list of TOTP Time-based One-Time Password supported teleworker VPN protocols:

IPsec Xauth	DrayTek SSL VPN	IKEv2 EAP
L2TP over IPsec	OpenVPN	PPTP (for legacy applications)

DrayTek Vigor Router Setup

1. Go to [VPN and Remote Access] > [Remote Dial-in User] and create a new profile

Check Enable this account
Enter the Username of your choice
Enable the protocol for Allowed Dial-In Type

2. Make sure that the Time-based One-time Password (TOTP) option is enabled. Then copy Secret or scan the QR Code

Note that the Secret or QR Code should be given to the VPN user so that they can use it with their Authenticator APP. The VPN user will then generate a code to establish their VPN tunnel to the router.