{"id":1721,"date":"2015-11-14T20:53:48","date_gmt":"2015-11-14T20:53:48","guid":{"rendered":"http:\/\/emtunc.org\/blog\/?p=1721"},"modified":"2015-12-06T21:04:38","modified_gmt":"2015-12-06T21:04:38","slug":"setting-up-a-vpn-tunnel-on-draytek-nordvpn","status":"publish","type":"post","link":"https:\/\/emtunc.org\/blog\/11\/2015\/setting-up-a-vpn-tunnel-on-draytek-nordvpn\/","title":{"rendered":"Setting up a VPN Tunnel on Draytek – NordVPN"},"content":{"rendered":"

In this step-by-step article I will go through setting up a VPN tunnel on the Draytek 2860n router – I will set-up the tunnel using the NordVPN service<\/a>\u00a0–\u00a0I recommend you check them out – they’re awesome, take privacy seriously<\/a> and you get 20% off if you use the link above \ud83d\ude42 –\u00a0however the instructions should be similar on other Draytek models and VPN service providers.
\nUsing this article as a guide, you can set up your router to establish a VPN tunnel such that all traffic (or some as we’ll get on to later) on your network will pass through the VPN tunnel; thus doing away with the need to set up and configure separate clients for all your devices. You also get the advantage that guests on\u00a0your network will seamlessly\u00a0send\u00a0traffic through the tunnel without any additional configuration.<\/p>\n

<\/p>\n

Draytek Configuration – All Traffic Through VPN<\/h3>\n

First we need to disable all unused WAN interfaces. If you don’t do this then you won’t be able to check the “Change default route to this VPN tunnel ( Only single WAN supports this )<\/em>” option. Granted you can probably create a manual static route anyway but that’s not ideal.<\/p>\n

Click General Setup under the WAN menu then\u00a0disable all unused WAN links.<\/p>\n

\"2015-11-14<\/a><\/p>\n

Next click on LAN to LAN under the VPN and Remote Access menu. Assuming you have no profiles already set-up then just click the first one. You can see that I already have one (currently offline)<\/p>\n

\"2015-11-14<\/a><\/p>\n

Now it’s time to configure the main options. I will briefly go through the options below.<\/p>\n

For profile name<\/strong> you can call it whatever you like. I called mine nordvpn followed by the location of the destination server.
\nVPN dial-out<\/strong> via WAN1 – for you it may not be WAN1 so make sure you select the right one (check first screenshot of this article).
\nNetbios and multicast<\/strong> are unlikely to be used so block these so you don’t send unnecessary traffic over the tunnel.
\nCall direction<\/strong> is self explanatory.
\nAlways on<\/strong> makes the VPN tunnel ‘permanent’ otherwise it’ll timeout after a default inactivity period of 5 minutes. If you want to manually establish the VPN tunnel then you should uncheck this box.
\nUnder dial-out settings<\/strong>, the username and password<\/strong> will be your NordVPN credentials. This would be a good time to ensure you have generated a secure password for your NordVPN account!
\nThe type of server you are calling is L2TP with IPsec Policy<\/strong> = Must. This is the most secure and recommended method.
\nThe sever you are connecting to is one of your choice – choose one from the many here.<\/a>
\nThe pre-shared key<\/strong> is nordvpn
\nAgain, for maximum security, set the IPsec security method<\/strong> to High(ESP) AES with Authentication
\nFrom first subnet to remote network, you have to do<\/strong> NAT.
\nChange default route to this VPN tunnel ( Only single WAN support this )\u00a0<\/strong>you want to check this box to make all traffic go via the VPN.<\/p>\n

\"2015-11-14<\/a><\/p>\n

Click OK. This will establish the tunnel which can take a few seconds. Click Connection Management under the VPN and Remote Access menu to see the status of the tunnel. In my set-up you can see that the tunnel is up and traffic is passing through it.<\/p>\n

\"2015-11-14<\/a><\/p>\n

Draytek Configuration – Advanced Configuration<\/h3>\n

Note: You will need firmware version 3.8.1 which was released on the 8th October 2015. Previous versions of firmware please follow the instructions here<\/a>.<\/p>\n

Route policies allow you to configure\u00a0exactly<\/em> which IP’s, subnets and ports will go over the VPN tunnel. This is really useful because you can configure things like all<\/strong> web traffic (80 and 443) go over the VPN tunnel but everything else goes out through your ISP as normal.<\/p>\n

Before we start configuring the route policies you need to make sure you uncheck the “Change default route to this VPN tunnel ( Only single WAN supports this )”\u00a0<\/em>option in\u00a0your LAN to LAN profiles otherwise the default route will always point to the VPN tunnel.<\/p>\n

Click General Setup under the Load-Balance\/Route Policy menu.<\/p>\n

Click the first rule and configure a source IP range or subnet (enter the same IP twice if you just want one address) and any destination IPs or ports that you want to tunnel then select the Interface to be VPN.<\/p>\n

In the example below I configured my machine (192.168.1.2) to forward HTTP traffic\u00a0(80) over the VPN interface. You can see in the web browser windows that HTTPS traffic was\u00a0(https\/443) not affected by the change but the HTTP window on the right gets the tunnel IP. Cool right?<\/p>\n

\"2015-11-14<\/a><\/p>\n

Confirming your default routes and testing them<\/h3>\n

To make sure your default routes have been updated, click Routing Table under the Diagnostics menu. You should see the default route for all web bound traffic\u00a0(0.0.0.0\/0) being routed out the VPN tunnel (10.9.9.1 in this case).<\/p>\n

\"2015-11-14<\/a><\/p>\n

To confirm, we can run a trace route with the tunnel up and one with the tunnel down. This will tell us the next hop address which should either be the ISP router or VPN tunnel interface.<\/p>\n

Tunnel down (normal internet access without any VPN active):<\/strong><\/p>\n

\"2015-11-14<\/a><\/p>\n

Tunnel up (VPN tunnel established and default route automatically changed):<\/strong><\/p>\n

\"2015-11-14<\/a><\/p>\n

Things to keep in mind<\/h3>\n
    \n
  • You should create multiple LAN to LAN profiles (in fact it’s a good idea to do so in case a server goes down for maintenance) with different names. By doing this you can easily toggle between tunnels.<\/li>\n<\/ul>\n

    Hope you found the article useful! Feel free to leave your comments or questions below.<\/p>\n","protected":false},"excerpt":{"rendered":"

    In this step-by-step article I will go through setting up a VPN tunnel on the Draytek 2860n router – I will set-up the tunnel using the NordVPN service\u00a0–\u00a0I recommend you check them out – they’re awesome, take privacy seriously and you get 20% off if you use the link above \ud83d\ude42 –\u00a0however the instructions should […]<\/p>\n","protected":false},"author":32,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":""},"categories":[1],"tags":[167,212,126],"class_list":["post-1721","post","type-post","status-publish","format-standard","hentry","category-tech","tag-draytek","tag-nordvpn","tag-vpn"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p1trTO-rL","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/1721","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/users\/32"}],"replies":[{"embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/comments?post=1721"}],"version-history":[{"count":16,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/1721\/revisions"}],"predecessor-version":[{"id":1749,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/posts\/1721\/revisions\/1749"}],"wp:attachment":[{"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/media?parent=1721"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/categories?post=1721"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/emtunc.org\/blog\/wp-json\/wp\/v2\/tags?post=1721"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}