Apple computers running macOS or Mac OS X can connect to a DrayTek router that supports SSL VPN using the free DrayTek Smart VPN client for Mac OS X. The client allows Apple macOS devices to create fast and secure SSL VPN tunnels for teleworking and/or secure browsing.
Requirements:
- Apple computer running Mac OS X 10.11 or later with a 64-bit processor
- DrayTek Vigor router with SSL VPN Tunnel support (e.g. Vigor 2860)
- Static IP address or Host Name (including Dynamic DNS) for the router's WAN interface
- Recommended: Certificate (can be self-signed) with valid Common Name (IP or Host Name) and valid To/From times
Set the Certificate Verification Level
The DrayTek Smart VPN client has options to control the level of verification used for the certificates that secure the SSL VPN tunnel. Before setting up the SSL VPN connection, it's important to consider which level of certificate verification the SSL VPN client will enforce; more verification will require additional certificate setup.
Each level of verification has different requirements. The default setting is "Match Server Name", which checks that the certificate is valid and that it is for the domain / IP that the connection is being made to. If the certificate does not match the verification requirements, the Smart VPN application will not allow the VPN tunnel to establish.
| Certificate Verification Level | Description |
|---|---|
| Basic | Checks that the certificate is within the Valid To and Valid From times |
| Match Server Name | Checks that the certificate's Common Name / CN matches the destination of the server connection. Checks that the certificate is within the Valid To and Valid From times |
| Verify Root CA | Checks that the certificate is signed by a trusted root authority. Checks that the certificate's Common Name / CN matches the destination of the server connection. Checks that the certificate is within the Valid To and Valid From times |
This is changed from the Settings section of the app, which is accessed from the gear icon highlighted below:

{tab Overview}
This setup guide gives instructions for two methods of configuring the VPN connection, depending on the Certificate Verify Level selected:
- Basic Verification - This is recommended for setting up the VPN connection quickly
- Match Server Name - This method requires configuring a valid certificate on the router before the VPN can be established, but does provide higher security because the authenticity of the VPN server can be confirmed
{tab Basic Verification}
Step 1. Create an SSL VPN Dial-In User Account
To set up the SSL VPN profile on the router, go to [SSL VPN] > [User Account], click on the first un-used Index number link to edit the profile settings:

- Enable the profile
- Enter a suitable Username for the account
- Set a secure Password (up to 19 characters, alphanumeric and special characters allowed)
- Set the profile to accept SSL Tunnel connections:

Click OK on that page to save the settings for that profile.
The Status text displays in red if the user is not connected and will display in green when the user has connected.

With the account created and a valid certificate installed on the router, the client can be configured to connect.
Step 2. DrayTek Smart VPN App Configuration
Open the DrayTek Smart VPN application and press + to create a new VPN profile:


- Profile: The name of the VPN profile
- Server: The IP address or Host Name of the SSL VPN server, the VPN server in this example is the hostname "ssl.draytek.vpn"
- Port: The port of the SSL VPN server; this will be 443 by default and should only be changed if the SSL VPN port has been changed on the router
- Username: The VPN username such as the one created earlier in this guide
The Create button will be greyed out at this point. Click the Authentication Settings button to continue:

Enter the password for the dial-in user and click OK to save the password for the VPN connection.
Once the password has been set for the VPN, the Create button will no longer be greyed out. Click Create to save the VPN profile.
The operating system will then display this warning:

Press Allow to continue.
Once the VPN has saved the profile, go to the Advanced settings for the profile to configure how the VPN tunnel operates:

In this section, the security protocols used and options for how traffic routes through the VPN can be changed:
The option to "Send all traffic through this tunnel" is not enabled by default. When disabled, only traffic to the VPN router's local subnet will go through the VPN tunnel. If it's enabled, all traffic including Internet access will pass through the VPN tunnel.
The VPN tunnel can now be established. The VPN profile will show a red icon to indicate that it is disconnected. Press the "Connect" button to establish the VPN tunnel. The operating system will prompt to confirm whether the SmartVPN application is allowed to use the credentials it has saved; click Always Allow and SmartVPN will then continue connecting:

Once connected, the SmartVPN client will show details for the VPN. Click the Disconnect button to terminate the VPN connection.

The status of the VPN tunnel can be viewed from the router's web interface under [VPN and Remote Access] > [Connection Management]:

{tab Match Server Name Verification}
Step 1. Install a valid certificate for HTTPS and SSL VPN on the router
When the SmartVPN client has its Certificate Validation Level set to "Match Server Name", it requires a certificate with matching details on the device it's connecting to. This means that the CN / Common Name of the certificate must match the IP address or Host Name of the VPN server that SmartVPN is connecting to, and that the certificate has not expired (or is within its Valid To and Valid From time).
To create a custom self-signed certificate on the router with valid Common Name details, follow this guide.
To create and install certificates signed by a Trusted Certificate Authority on the router, follow this guide.
To create and install certificates signed by a Trusted Certificate Authority on the Vigor 3900 and Vigor 2960, follow this guide.
This example uses the hostname ssl.draytek.vpn as the public hostname of the router and the router's certificate Common Name.
If the router has a fixed IP address with no hostname associated, that IP address can be used as the router certificate Common Name.
If the router has a Host Name associated with its public IP address, the host name can be used as the Common Name.
It's possible to create a certificate that will work with dynamic IP addresses by using the router's Dynamic DNS facility and a dynamic DNS hostname as the certificate's Common Name.
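Before switching the client to "Match Server Name", the router's certificate can be checked from a terminal against the same two conditions. The script below is an added example, not DrayTek code: the function names are hypothetical, the certificate and the address 203.0.113.10 are constructed samples, and the exact, case-insensitive CN comparison is an assumption about how the name is matched.

```shell
#!/bin/sh
# Added example (not DrayTek code): pre-flight check of a router certificate
# in PEM form against the checks listed for the client's verification levels.

# Print the subject Common Name of the certificate in file $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
        sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p'
}

# Print the strictest level (of the two this guide configures) that the
# certificate in $1 should pass for server $2: "none", "Basic" or
# "Match Server Name". $3 (optional) is a safety margin in seconds: the
# certificate is treated as expired if it lapses within that time.
# Only the expiry (Valid To) side is tested here, not Valid From.
# Assumption: the name check is an exact, case-insensitive CN comparison
# with no wildcard handling.
passes_level() {
    openssl x509 -in "$1" -noout -checkend "${3:-0}" >/dev/null 2>&1 ||
        { echo "none"; return 0; }
    cn=$(cert_cn "$1" | tr 'A-Z' 'a-z')
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ -n "$cn" ] && [ "$cn" = "$want" ]; then
        echo "Match Server Name"
    else
        echo "Basic"
    fi
}

# Constructed sample: a throwaway 30-day self-signed certificate with
# CN=$2 written to file $1 (stands in for the router's certificate).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/router.pem" ssl.draytek.vpn
for server in ssl.draytek.vpn 203.0.113.10; do
    printf '%s -> %s\n' "$server" "$(passes_level "$tmp/router.pem" "$server")"
done
```

To check a live router instead of the sample, save its certificate first with `openssl s_client -connect ssl.draytek.vpn:443 </dev/null 2>/dev/null | openssl x509 -out router.pem` and pass the same name that will be entered in the profile's Server field. A result of "Basic" for that name means the profile would be refused at the "Match Server Name" level.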
Step 2. Create an SSL VPN Dial-In User Account
To set up the SSL VPN profile on the router, go to [SSL VPN] > [User Account], click on the first un-used Index number link to edit the profile settings:

- Enable the profile
- Enter a suitable Username for the account
- Set a secure Password (up to 19 characters, alphanumeric and special characters allowed)
- Set the profile to accept SSL Tunnel connections:

Click OK on that page to save the settings for that profile.
The Status text displays in red if the user is not connected and will display in green when the user has connected.

With the account created and a valid certificate installed on the router, the client can be configured to connect.
Step 3. DrayTek Smart VPN App Configuration
Open the DrayTek Smart VPN application and press + to create a new VPN profile:


- Profile: The name of the VPN profile
- Server: The IP address or Host Name of the SSL VPN server, the VPN server in this example is the hostname "ssl.draytek.vpn"
- Port: The port of the SSL VPN server; this will be 443 by default and should only be changed if the SSL VPN port has been changed on the router
- Username: The VPN username such as the one created earlier in this guide
The Create button will be greyed out at this point. Click the Authentication Settings button to continue:

Enter the password for the dial-in user and click OK to save the password for the VPN connection.
Once the password has been set for the VPN, the Create button will no longer be greyed out. Click Create to save the VPN profile.
The operating system will then display this warning:

Press Allow to continue.
Once the VPN has saved the profile, go to the Advanced settings for the profile to configure how the VPN tunnel operates:

In this section, the security protocols used and options for how traffic routes through the VPN can be changed:
The option to "Send all traffic through this tunnel" is not enabled by default. When disabled, only traffic to the VPN router's local subnet will go through the VPN tunnel. If it's enabled, all traffic including Internet access will pass through the VPN tunnel.
The VPN tunnel can now be established. The VPN profile will show a red icon to indicate that it is disconnected. Press the "Connect" button to establish the VPN tunnel. The operating system will prompt to confirm whether the SmartVPN application is allowed to use the credentials it has saved; click Always Allow and SmartVPN will then continue connecting:

Once connected, the SmartVPN client will show details for the VPN. Click the Disconnect button to terminate the VPN connection.

The status of the VPN tunnel can be viewed from the router's web interface under [VPN and Remote Access] > [Connection Management]:

{/tabs}