How to Set Up a VPN on a DrayTek Router: SSL VPN and Smart VPN Guide (2026)
If you’re running a small business in the UK and your office uses a DrayTek router, you may already have a capable business-grade VPN sitting unused in your network cabinet. Unlike consumer routers that rely on a paid third-party VPN subscription, DrayTek routers include built-in VPN server functionality at no extra cost. This means your remote workers can connect securely back to the office — accessing shared drives, internal applications, and network printers — without routing traffic through an external service.
This guide walks through the two most common setups: SSL VPN for remote workers using DrayTek’s free Smart VPN Client, and a brief overview of IPsec site-to-site VPN for businesses with multiple offices. We’ll also cover Dynamic DNS configuration, common troubleshooting steps, and security hardening tips.
The instructions below are based on DrayTek’s VigorOS firmware (version 4.x), which is used across the Vigor 2865, 2927, and 3910 series — the routers most commonly found in UK small business environments. Menu paths may differ slightly on older firmware versions.
VPN Types Supported by DrayTek Routers
Before diving into the step-by-step setup, it’s worth understanding what’s available so you can choose the right option for your situation.
SSL VPN (Recommended for Remote Workers)
SSL VPN is the easiest and most practical option for giving remote employees access to the office network. It runs over HTTPS (TCP), which means it passes through firewalls and hotel/coffee shop networks reliably. DrayTek’s free Smart VPN Client application — available for Windows and macOS — handles the connection with minimal configuration on the user’s end. This is the option covered in detail in Part 1 of this guide.
IPsec (Site-to-Site / LAN-to-LAN)
IPsec is the go-to protocol for connecting two office networks together permanently. If you have a head office and a branch office, both with DrayTek routers, you can create an always-on encrypted tunnel so that devices on both networks can communicate as though they’re on the same LAN. Covered briefly in Part 2.
L2TP/IPsec (Legacy Devices)
L2TP over IPsec is built into Windows, macOS, iOS, and Android without needing any additional software. It’s useful if you need to connect mobile devices or older systems that can’t run the Smart VPN Client. However, L2TP/IPsec is considered less modern than SSL VPN, and some networks block the UDP ports it relies on. It’s still a valid fallback but not the first recommendation for new deployments.
OpenVPN
DrayTek supports OpenVPN on many of its business router models. It’s a well-established open-source protocol that offers strong security and flexibility. The trade-off is that it requires installing the OpenVPN client software and manually importing a configuration file — slightly more involved than the Smart VPN Client experience. OpenVPN is worth considering if you need cross-platform compatibility or want to use certificate-based authentication from the outset.
Part 1: Setting Up SSL VPN for Remote Workers
This section covers setting up SSL VPN on a DrayTek router so that remote employees can connect using the Smart VPN Client application. Allow around 30 to 45 minutes for a clean setup.
Step 1: Enable SSL VPN on the Router
Log in to your DrayTek router’s web interface — typically at 192.168.1.1 — using your admin credentials. Then navigate to:
VPN and Remote Access → SSL VPN → General Setup
On the General Setup page, do the following:
- Tick the Enable SSL VPN checkbox.
- Set the Server Certificate. By default the router uses a self-signed certificate. This is acceptable for internal use but will produce a browser or client warning. If you have a domain pointing at your router and want to eliminate the warning, you can import a Let’s Encrypt certificate via System Maintenance → Let's Encrypt on supported firmware versions.
- Review the IP Pool settings. SSL VPN clients are assigned an IP address from this pool when they connect. The default is typically in the 192.168.100.x range — make sure this doesn’t overlap with your LAN subnet or any other VPN pools.
- Ensure the Authentication Method is set to Local User Account for now (we’ll create those accounts in the next step).
- Click OK to save.
Step 2: Set the SSL VPN Port
By default, SSL VPN uses port 443. This is also the standard HTTPS port. If you access your router’s management interface over HTTPS, or if you host any HTTPS services internally, port 443 will already be in use and the SSL VPN service will either fail to start or conflict.
The recommended approach for most small businesses is to change the SSL VPN port to 4433 or 1443. You can do this on the same General Setup page — look for the Port field under the SSL VPN settings.
If you change the port, make sure you communicate the new port number to your remote users — they’ll need to include it when connecting via the Smart VPN Client (for example, yourdomain.com:4433).
Important: If your DrayTek router sits behind another firewall or if your ISP uses CGNAT, you’ll need to ensure the chosen port is forwarded or accessible from the internet. On most DrayTek setups where the router has a public WAN IP directly, no additional port forwarding rules are needed — the SSL VPN service binds to the WAN interface automatically.
Step 3: Create VPN User Accounts
Each remote worker needs their own user account. Navigate to:
User Management → User Profile
Click Add to create a new profile. Fill in the following fields:
| Field | Recommended Setting |
|---|---|
| Username | Use the employee’s first name or initials (e.g. jsmith) |
| Password | Minimum 12 characters, mix of upper/lower/numbers/symbols |
| Allow SSL VPN | Enabled |
| Idle Timeout | 60 minutes (adjust to your preference) |
| Login Quota | 1 session (prevents sharing credentials) |
Repeat this for each remote worker. Creating individual accounts — rather than one shared account — makes it easier to revoke access if a member of staff leaves, and gives you a clearer audit trail in the VPN connection logs.
Step 4: Download and Install the Smart VPN Client
The Smart VPN Client is a free application published by DrayTek for Windows and macOS. It’s available from the DrayTek UK website at draytek.co.uk — search for “Smart VPN Client” in the downloads section, or find it linked from your specific router model’s product page.
As of 2026, the current version supports Windows 10, Windows 11, and recent versions of macOS. The installer is straightforward — download, run, and follow the on-screen prompts. No licence key is required.
Send the download link to your remote workers along with their username and password. The client is small and installs quickly.
Step 5: Connecting from a Remote PC
Once the Smart VPN Client is installed, the remote worker should:
- Open the Smart VPN Client application.
- Click Add (or the plus icon) to create a new VPN profile.
- Select SSL VPN as the connection type.
- In the Server field, enter the router’s WAN IP address or domain name. If you’ve changed the port from the default 443, append the port number: for example, 203.0.113.45:4433 or office.yourdomain.co.uk:4433.
- Enter the Username and Password created in Step 3.
- Click Connect.
On first connection, the client may display a certificate warning if the router is using a self-signed certificate. The user should click Accept or Trust to proceed. Once trusted, this prompt won’t reappear for subsequent connections from the same machine.
A successful connection will show a green status indicator in the Smart VPN Client, along with the assigned VPN IP address from the pool configured in Step 1.
Step 6: Verifying the Connection
After connecting, it’s worth running a quick verification to confirm traffic is routing correctly:
- Check the assigned IP: In the Smart VPN Client, the connection details should show an IP address from your configured pool (e.g. 192.168.100.10).
- Ping a LAN device: Open a Command Prompt (Windows) or Terminal (Mac) and ping a device on the office LAN — for example, the router itself at 192.168.1.1, or a known server or NAS at its internal IP. A successful reply confirms the tunnel is working and routing is correct.
- Access a shared resource: Try opening a UNC path to a shared folder (e.g. \\192.168.1.50\shared) or browsing to an internal web application. This confirms name resolution and file access are working end-to-end.
If the ping fails but the VPN shows as connected, the issue is usually a host firewall on the target device blocking ICMP — try accessing a TCP-based resource (like an internal web page) instead before concluding there’s a routing problem.
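The TCP check suggested above, as an added Python example (not part of the original guide or of DrayTek's tooling). The targets are assumptions taken from the guide's sample addresses: the router's web interface on 192.168.1.1:443 and the file share host on 192.168.1.50:445 (SMB).

```python
import socket

# Assumed targets, built from the sample addresses in this guide.
TARGETS = [("192.168.1.1", 443), ("192.168.1.50", 445)]


def classify(exc):
    """Map the outcome of one TCP connect attempt to a state."""
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        # The host answered with a reset: packets crossed the tunnel both ways.
        return "refused"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        # Silence: dropped by a host firewall, or never routed at all.
        return "timeout"
    return "unreachable"


def probe(host, port, timeout=3.0):
    """Attempt a TCP connection and return its state."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)


def diagnose(states):
    """Turn {target: state} into a verdict about the tunnel."""
    values = list(states.values())
    if "open" in values:
        return "tunnel and routing OK"
    if "refused" in values:
        return "routing OK, but the service is closed on the target"
    return "no TCP reply: check pool overlap, routed subnet and host firewall"


if __name__ == "__main__":
    results = {f"{h}:{p}": probe(h, p) for h, p in TARGETS}
    for target, state in results.items():
        print(f"{target:22} {state}")
    print(diagnose(results))
```

A "refused" result still proves the route works, which a silent ping failure cannot tell you.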
Part 2: Site-to-Site IPsec VPN (Connecting Two Offices)
If your business has two or more locations — each with a DrayTek router — you can link them with a permanent IPsec LAN-to-LAN tunnel. Once configured, devices at each site can communicate directly as though they’re on the same network.
Overview of the Concept
Each router needs to know about the other site’s WAN IP address (or domain name) and LAN subnet. The routers authenticate each other using a shared pre-shared key (PSK) and negotiate an encrypted tunnel. Traffic destined for the remote subnet is sent through the tunnel automatically; all other traffic continues to the internet as normal.
Key Settings for IPsec LAN-to-LAN
Navigate to VPN and Remote Access → LAN to LAN and click Add. The most important fields are:
- Profile Name: A descriptive label (e.g. Branch-Office-Manchester).
- Remote Host / IP: The WAN IP address or domain name of the remote DrayTek router.
- Pre-Shared Key: A long, random string shared between both routers. Use at least 32 characters — treat this like a password.
- Local Subnet: Your local LAN range, e.g. 192.168.1.0/24.
- Remote Subnet: The LAN range at the far end, e.g. 192.168.2.0/24. Crucially, the two subnets must not overlap.
- Phase 1 (IKE): AES-256, SHA-256, DH Group 14 are solid choices for 2026 deployments.
- Phase 2 (IPsec): AES-256, SHA-256, with PFS (Perfect Forward Secrecy) enabled if supported by both ends.
Configure the mirror image of these settings on the remote router, swapping local and remote subnets. Once both sides are saved, the tunnel should establish automatically. You can monitor the status under VPN and Remote Access → Connection Management.
Dynamic DNS: Connecting Without a Static IP
Most UK broadband connections — including standard business ADSL and FTTC — use a dynamic public IP address that can change when the router reboots or the ISP renews the lease. This is a problem for VPN because remote workers need a reliable address to connect to.
The solution is Dynamic DNS (DDNS), which maps a hostname to your changing IP address and updates automatically. DrayTek routers have built-in DDNS client support. Navigate to:
Applications → Dynamic DNS
DrayTek supports several DDNS providers including DrayDDNS (their own service), DynDNS, No-IP, and others. DrayDDNS is straightforward — you register on the DrayTek website and the router handles updates automatically with no third-party account needed.
Once configured, your remote workers connect using a hostname like youroffice.drayddns.com:4433 rather than a raw IP address. This hostname remains valid even if your WAN IP changes overnight.
If you already own a domain (e.g. yourbusiness.co.uk), you can also point a subdomain (e.g. vpn.yourbusiness.co.uk) to your router’s IP using a CNAME or A record, and use a DDNS service to keep that IP updated — though this requires a little more DNS management.
Troubleshooting Common SSL VPN Issues
Smart VPN Client Won’t Connect
- Check the port: Confirm the port in the client matches what’s configured on the router. A mismatch here is the most common cause of connection failures.
- Check the WAN IP or hostname: Try pinging the router’s WAN address from the remote machine to confirm basic internet connectivity to your office IP.
- Check SSL VPN is enabled: Log into the router and confirm SSL VPN is still enabled — firmware updates occasionally reset this setting.
- Check for conflicting services: If port 443 is in use by another service (HTTPS management, for example), SSL VPN on that port won’t start. Move SSL VPN to an alternate port as described in Step 2.
- ISP blocking: Some mobile data connections and hotel networks block non-standard ports. Try port 443 if possible, or use a mobile hotspot to test connectivity without the network restriction in play.
Connected But Can’t Reach LAN Devices
- IP pool overlap: If the VPN pool range overlaps with your LAN subnet, routing will break. Check both are on distinct subnets.
- Split tunnelling vs full tunnel: By default, SSL VPN on DrayTek uses split tunnelling — only traffic destined for the LAN subnet goes through the tunnel. If a device is not reachable, confirm its IP falls within the routed subnet.
- Host firewall on target device: Windows Firewall on a PC at the office may block inbound connections from the VPN pool range. Add a firewall rule to allow connections from the VPN pool, or test against the router itself first.
- NAT hairpinning: If a remote worker is connecting from within the same network (e.g. testing from a laptop on the office Wi-Fi using the external WAN IP), this is a NAT hairpin scenario. Many routers don’t support this by default — always test from a genuinely external connection.
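The overlap and routed-subnet checks from Step 1, the IPsec settings and the list above can be run before touching the router. This is an added Python example, not DrayTek tooling; the plan uses the guide's sample ranges, treats the 192.168.100.x pool as a /24 (an assumption), and goes one step beyond the text by also testing a hypothetical remote worker's home LAN, which clashes in the same way when it reuses the office range.

```python
import ipaddress
from itertools import combinations

# Constructed address plan built from the example ranges used in this guide.
PLAN = {
    "office LAN": "192.168.1.0/24",
    "SSL VPN pool": "192.168.100.0/24",  # assumed /24 for the 192.168.100.x pool
    "branch LAN": "192.168.2.0/24",
}


def find_overlaps(plan):
    """Return every pair of named ranges in the plan that overlap."""
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in plan.items()}
    return [(a, b) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]


def routed_via_tunnel(target_ip, routed_subnets):
    """True if split tunnelling would send traffic for target_ip into the VPN."""
    ip = ipaddress.ip_address(target_ip)
    return any(ip in ipaddress.ip_network(s, strict=False)
               for s in routed_subnets)


if __name__ == "__main__":
    print("plan as written:", find_overlaps(PLAN) or "no overlaps")

    # Hypothetical remote worker whose home router also uses 192.168.1.0/24.
    with_home = {**PLAN, "remote worker home LAN": "192.168.1.0/24"}
    for a, b in find_overlaps(with_home):
        print(f"OVERLAP: {a} <-> {b}")

    # Is the file server from Step 6 inside the subnet the tunnel routes?
    for ip in ("192.168.1.50", "192.168.3.20"):
        print(ip, "via tunnel:", routed_via_tunnel(ip, [PLAN["office LAN"]]))
```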
Certificate Warning on Every Connection
If users see a certificate warning each time they connect, the router is presenting a self-signed certificate that the client doesn’t trust. To resolve this permanently, either:
- Import a valid SSL certificate (e.g. from Let’s Encrypt) on the router, tied to a domain name you control — available via System Maintenance → Let's Encrypt on supported firmware; or
- Export the router’s self-signed certificate and install it as a trusted root on the remote workers’ machines — this is more involved but avoids needing a public domain name.
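Where a self-signed certificate stays in use (Step 5 and the second option above), the certificate a user is asked to trust can be compared with the one the administrator exported from the router. The following is an added Python example, not part of the original guide or of the Smart VPN Client; the hostname and port are the guide's sample values, and the expected fingerprint is a placeholder the administrator is assumed to distribute out of band.

```python
import hashlib
import hmac
import socket
import ssl

HOST, PORT = "office.yourdomain.co.uk", 4433          # sample values from this guide
EXPECTED_SHA256 = "<fingerprint-supplied-by-admin>"   # placeholder, not a real value


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate as colon-separated hex."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp):
    """Strip separators and case so differently formatted fingerprints compare."""
    return "".join(c for c in fp if c not in ": \t").upper()


def matches_pin(der_bytes, expected_fp):
    """Constant-time comparison of the served certificate with the expected one."""
    return hmac.compare_digest(normalise(fingerprint(der_bytes)),
                               normalise(expected_fp))


def fetch_der(host, port, timeout=5.0):
    """Fetch the certificate served on host:port without validating its chain.

    Validation is switched off only because a self-signed certificate would
    fail it; the fingerprint comparison is the actual trust decision.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    der = fetch_der(HOST, PORT)
    print("served :", fingerprint(der))
    print("match  :", matches_pin(der, EXPECTED_SHA256))
```

A mismatch means the certificate being presented is not the one on the router, so the connection should not be trusted until the difference is explained.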
Security Tips for DrayTek VPN
Use Strong, Unique Passwords for VPN Accounts
VPN user accounts should have passwords of at least 12 characters, containing uppercase letters, lowercase letters, numbers, and symbols. Avoid dictionary words or patterns. If your business uses a password manager, encourage remote workers to store their VPN credentials there.
Limit VPN Access to Specific Users
Don’t give all user accounts VPN access by default. In User Management → User Profile, the Allow SSL VPN permission should only be enabled for staff who genuinely need remote access. Review these permissions quarterly or whenever someone leaves the organisation.
Disable VPN Accounts Immediately When Staff Leave
When an employee leaves, disable or delete their VPN user profile promptly. DrayTek’s User Management page makes this straightforward — untick Enable on the profile to suspend access without deleting the account, which is useful if you want to keep a record.
Enable Failed Login Lockout
DrayTek routers support brute-force protection. Under System Maintenance → Management or within the User Management settings, enable login attempt limits — for example, lock an account for 30 minutes after 5 failed attempts. This significantly reduces the risk of credential-stuffing attacks against VPN accounts.
Consider Certificate-Based Authentication
For higher-security environments, DrayTek supports certificate-based authentication for VPN connections, where each remote device has a client certificate rather than (or in addition to) a username and password. This is more complex to set up and manage but eliminates the risk of stolen passwords being used to connect. It requires issuing and managing client certificates — typically worthwhile for businesses handling sensitive data, financial records, or personal information under UK GDPR obligations.
Keep Firmware Updated
DrayTek regularly releases firmware updates that patch security vulnerabilities, including those in the VPN stack. Check for updates under System Maintenance → Firmware Upgrade or enable auto-notification so you’re alerted when new firmware is available. Given that DrayTek routers are internet-facing devices, staying current with firmware is one of the most impactful security measures you can take.
Summary
DrayTek’s built-in VPN functionality is one of the strongest arguments for choosing a DrayTek router over a cheaper consumer device for small business use. SSL VPN with the Smart VPN Client gives remote workers a straightforward, reliable way to connect back to the office network — with no subscription cost and no dependency on a third-party VPN provider.
The key steps are: enable SSL VPN, set a non-conflicting port, create individual user accounts, and point the Smart VPN Client at your router’s WAN address or DDNS hostname. Most setups can be completed in under an hour, and once it’s running, day-to-day use requires almost no maintenance.
If you have questions about a specific DrayTek model or firmware version, DrayTek’s UK support team is based domestically and is generally responsive — their website at draytek.co.uk also carries detailed knowledge base articles covering more advanced scenarios including OpenVPN configuration and certificate management.


