
Teleworker VPN - SSL - Apple iOS Smart VPN App

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2763

Keywords:
Apple
Apple iOS
Certificate
Certificate Error

Apple iOS devices such as the iPad and iPhone can connect to a DrayTek router that supports SSL VPN using the free DrayTek Smart VPN App for iOS, which lets iOS devices establish SSL VPN tunnels for teleworking and/or secure browsing.

It integrates with Apple's VPN facilities so that users can quickly establish a VPN tunnel from both the Smart VPN App and through the iOS Settings - VPN menu.

Requirements:

  • Apple iPad, iPhone or iPod Touch with iOS 9.0 or later
  • DrayTek Vigor router with SSL VPN Tunnel support (e.g. Vigor 2860)
  • Static IP address or Host Name (including Dynamic DNS) for the router's WAN interface
  • Recommended: Certificate (can be self-signed) with valid Common Name (IP or Host Name) and valid To/From times

DrayTek SSL VPN with Apple devices on iOS 13 and later

The iOS 13 update from Apple introduces new requirements for trusted TLS/SSL server certificates, which the SSL VPN connection relies on. Apple's published requirements are: RSA keys of at least 2048 bits, a SHA-2 family signature (SHA-1 signed certificates are no longer trusted), the server's DNS name present in the Subject Alternative Name extension (a name in the Common Name alone is no longer sufficient), and, for certificates issued after 1 July 2019, a validity period of no more than 825 days together with an Extended Key Usage of serverAuth.

If the certificate used by the router does not meet these requirements, the Smart VPN app will display a connection error:

"SmartVPN"
"Connection error, please verify
certificate on the Vigor router side or
contact your administrator."

There are two recommended solutions:

  • Use a LetsEncrypt certificate
  • Regenerate the self-signed certificate

The certificates provided by the LetsEncrypt Certificate Authority are compatible with iOS 13 and later. If your router supports LetsEncrypt and you have set up a DrayDDNS account, the router can manage the process of getting certificates signed by LetsEncrypt. Once this is in place and the LetsEncrypt/DrayDDNS certificate is selected for SSL VPN use, your Apple device will be able to authenticate with the router.

One significant benefit of this method is that you can use the stricter "Verify Root CA" verification level without any additional setup, because the LetsEncrypt root is already trusted by iOS.

Refer to this guide for setting up LetsEncrypt on your router:
How to apply Let's Encrypt certificate on Draytek routers

DrayTek released firmware updates in November 2019 for compatibility with Apple's iOS 13 and later.
The Self-Signed Certificate on DrayTek routers has been updated to meet these new requirements.

Update the firmware of your router to the latest version and regenerate the certificate:
How to regenerate the router's Self-Signed Certificate

If there is no firmware update available for your DrayTek router model yet, or the firmware cannot be updated, use this method instead.
Set the "Valid To" date to 2 years from the date of creation when signing (Apple rejects certificates valid for more than 825 days, so a 2-year lifetime stays within the limit):
How to generate custom self-signed router certificates

Set the Certificate Verification Level

The DrayTek Smart VPN client has options to control the level of verification applied to the certificate that secures the SSL VPN tunnel. Before setting up the SSL VPN connection, decide which level of certificate verification the client will enforce; stricter verification requires additional certificate setup on the router.

Each level of verification has different requirements; the default setting is "Match Server Name", as defined below. If the certificate does not meet the requirements of the selected level, the Smart VPN app will not allow the VPN tunnel to establish and will display the error message shown above.

Certificate Verification Level / Description

Basic
  • Checks that the certificate is within the Valid From and Valid To times

Match Server Name (default)
  • Checks that the certificate's Common Name / CN matches the destination of the server connection
  • Checks that the certificate is within the Valid From and Valid To times

Verify Root CA
  • Checks that the certificate is signed by a trusted root authority
  • Checks that the certificate's Common Name / CN matches the destination of the server connection
  • Checks that the certificate is within the Valid From and Valid To times

This is configured from the Settings section of the app.
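The following is an added example, not code from DrayTek or the Smart VPN app. It models the three verification levels from the table above as checks over a certificate description, and separately applies the iOS 13 server-certificate rules (key size, SHA-2 signature, SAN present, lifetime of at most 825 days) that the error message in this article reflects. The certificate dictionaries, their field names (cn, san, issuer, not_before, not_after, key_bits, sig_alg) and the hostnames and addresses are constructed for illustration; a real deployment would fill them from the router's certificate, for example via openssl x509 -text.

```python
"""Smart VPN verification levels and iOS 13 certificate rules, modelled over
constructed certificate descriptions (standard library only)."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Apple's published requirements for TLS server certificates on iOS 13+.
MAX_VALIDITY = timedelta(days=825)
MIN_RSA_BITS = 2048
SHA2_SIG_ALGS = {
    "sha256WithRSAEncryption", "sha384WithRSAEncryption",
    "sha512WithRSAEncryption", "ecdsa-with-SHA256", "ecdsa-with-SHA384",
}


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed certificates (assumed values, not taken from a real router).
# The field layout is this example's own simplification of an X.509 cert.
OLD_SELF_SIGNED = {  # pre-2019 style: CN only, 10-year lifetime, SHA-1, 1024-bit
    "cn": "vpn.example.com", "san": [], "issuer": "vpn.example.com",
    "not_before": _utc(2018, 1, 1), "not_after": _utc(2028, 1, 1),
    "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption",
}
NEW_SELF_SIGNED = {  # regenerated: SAN present, 2-year lifetime, SHA-256, 2048-bit
    "cn": "vpn.example.com",
    "san": [("DNS", "vpn.example.com"), ("IP", "203.0.113.10")],
    "issuer": "vpn.example.com",
    "not_before": _utc(2020, 1, 1), "not_after": _utc(2022, 1, 1),
    "key_bits": 2048, "sig_alg": "sha256WithRSAEncryption",
}


def check_times(cert, now):
    """Basic: the current time must lie within [Valid From, Valid To]."""
    if now < cert["not_before"]:
        return ["certificate not yet valid"]
    if now > cert["not_after"]:
        return ["certificate expired"]
    return []


def _dns_match(pattern, host):
    """Exact match, or a single leading '*' covering exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def _ip_match(name, target):
    try:
        return ipaddress.ip_address(name) == target
    except ValueError:
        return False


def check_server_name(cert, host):
    """Match Server Name: the destination (host name or IP) must appear in the
    SAN; the CN is consulted only when the certificate has no SAN entries."""
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        target = None
    if target is not None:
        names = [v for t, v in cert["san"] if t == "IP"] or [cert["cn"]]
        ok = any(_ip_match(n, target) for n in names)
    else:
        names = [v for t, v in cert["san"] if t == "DNS"] or [cert["cn"]]
        ok = any(_dns_match(n, host) for n in names)
    return [] if ok else [f"server name {host!r} not in certificate"]


def check_root_ca(cert, trusted_issuers):
    """Verify Root CA: the issuer must be a root the client trusts. A self-signed
    router certificate only passes if it was itself imported as trusted."""
    if cert["issuer"] in trusted_issuers:
        return []
    return [f"issuer {cert['issuer']!r} not trusted"]


def verify(cert, host, level, now, trusted_issuers=frozenset()):
    """Decide as the Smart VPN app would at the given verification level.
    Returns (ok, list_of_problems)."""
    problems = check_times(cert, now)
    if level in ("Match Server Name", "Verify Root CA"):
        problems += check_server_name(cert, host)
    if level == "Verify Root CA":
        problems += check_root_ca(cert, trusted_issuers)
    return (not problems, problems)


def check_ios13(cert):
    """Apple's iOS 13 rules for an RSA server certificate; a certificate that
    fails any of them triggers the 'verify certificate on the Vigor router
    side' error described in this article."""
    problems = []
    if cert["not_after"] - cert["not_before"] > MAX_VALIDITY:
        problems.append("validity longer than 825 days")
    if cert["key_bits"] < MIN_RSA_BITS:
        problems.append("RSA key shorter than 2048 bits")
    if cert["sig_alg"] not in SHA2_SIG_ALGS:
        problems.append("signature not from the SHA-2 family")
    if not cert["san"]:
        problems.append("no Subject Alternative Name (CN alone is not accepted)")
    return problems


if __name__ == "__main__":
    now = _utc(2021, 6, 1)
    for name, cert in (("old", OLD_SELF_SIGNED), ("new", NEW_SELF_SIGNED)):
        print(name, "iOS 13 problems:", check_ios13(cert) or "none")
        for level in ("Basic", "Match Server Name", "Verify Root CA"):
            print("  ", level, verify(cert, "vpn.example.com", level, now))
```

Note that the old-style certificate still passes "Match Server Name" in the model, because CN-only matching is what the Smart VPN table describes; it is the iOS 13 rules (check_ios13) that reject it, which is why regenerating the certificate with a SAN and a 2-year lifetime fixes the error while the verification level alone does not.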

Overview

This setup guide gives instructions for two methods of configuring the VPN connection, depending on the Certificate Verification Level selected:

  • Basic Verification - Recommended for setting up the VPN connection quickly; note that it checks only the certificate's validity dates and does not confirm the identity of the router
  • Match Server Name - Requires configuring a valid certificate on the router before the VPN can be established, but provides higher security because the authenticity of the VPN server can be confirmed
