DrayTek Vigor 2830 VPN domain authentication

Posted on 2011-10-14
Last Modified: 2013-12-02
Router: DrayTek Vigor 2830
Server: Windows SBS 2011
Is it possible, and if so how, to configure the DrayTek Vigor 2830 VPN for domain authentication, or for the client to immediately prompt for my domain credentials?
I'm quite a novice when it comes to VPNs; however, I have configured the VPN on the DrayTek and it connects perfectly fine... but when I connect via VPN from home and navigate to a server IP from Windows Explorer it prompts for my username and password.
Is there any way to avoid this and add an account within the configuration of the router? Or alternatively, I would like to be prompted for my domain username and password when I connect.
Your advice would be much appreciated.
Thank you
Question by:the_omnific
    LVL 1

    Author Comment

    I can connect via PPTP. But when I navigate to a server IP from Windows Explorer it prompts for my username and password.
    I suspect that I should be using L2TP over IPsec? How do I configure it?
    LVL 18

    Assisted Solution

    by:Andrej Pirman
    For the proper setup you should disable the VPN PPTP service on the Vigor 2830, then set up VPN PPTP pass-thru in the Vigor, and let the Windows server accept the dial-in call and authenticate.
    If you go this way, I can provide you step-by-step instructions.
    LVL 1

    Author Comment

    That sounds great. Can you provide me with step by step instructions please?
    LVL 18

    Assisted Solution

    by:Andrej Pirman
    Here we go:

    NAT --> Port Redirection
    Click on one of free redirections, and create new redirection rule:

    ENABLE: Yes
    Mode: Single
    Service Name: VPN
    Protocol: TCP
    WAN IP: Any
    Public Port: -
    Private IP: (LAN IP of your Windows server)
    Private Port: 1723

    FIREWALL --> Filter Setup --> 2. Default Data filter

    Click on one of free filter numbers, and create new filter rule:

    Comments: VPN pass
    Index(1-15) in Schedule Setup: (leave default blank)
    Direction: WAN -> LAN
    Source IP: Any
    Destination IP: (LAN IP of your Windows server)
    Service Type --> EDIT
        Protocol: TCP
        Source Port: 1 - 65535
        Destination Port: 1723
        (leave the others at default)
    Fragments: Don't Care
    Filter: Pass Immediately

    VPN AND REMOTE ACCESS --> Remote Access Control
    Enable PPTP VPN Service=DISABLE (un-check)

    Then on your Windows server you must configure VPN server role.

    Server Management --> Roles --> Add Role
    You add "Network Policy and Access Services"

    Under this service you enable:
    - Routing and Remote Access Service
    - Remote Access Service
    - Routing

    When the services are installed, navigate to the "Routing And Remote Access Service" role, right-click on it, and select PROPERTIES:
    LAN IPv4 router --> LAN and demand-dial routing

    Authentication provider: Windows Auth
    Methods: MS-CHAPv2
    Accounting provider: Windows Accounting

    Enable IPv4 Forwarding = ENABLE
    DHCP = ENABLE
    Broadcast name resolution = ENABLE

    All boxes checked

    Also check your WINDOWS FIREWALL to see whether the wizard opened VPN port 1723 in the "INBOUND" direction on this server. If not, create a new rule and let port 1723 pass in.
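A scripted version of the Windows-side checks in the steps above, as an added example that is not part of this thread: it verifies that the RRAS service is present and running and creates the inbound PPTP firewall rules if the wizard did not. SBS 2011 is built on Server 2008 R2, so the script uses netsh rather than the newer NetSecurity cmdlets; the rule names are my own, and it assumes an elevated PowerShell prompt on the server.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell prompt on the SBS 2011 server.
# PPTP needs two things inbound: TCP 1723 for the control channel and GRE (IP protocol 47) for
# the tunnelled data. The Vigor's port redirection covers TCP 1723; its PPTP pass-thru covers GRE.

function Ensure-InboundRule {
    param(
        [string]$Name,        # rule name (the names used below are my own, not the wizard's)
        [string[]]$Criteria   # extra netsh match arguments, e.g. protocol=TCP localport=1723
    )
    # netsh exits non-zero when no rule of that name exists
    netsh advfirewall firewall show rule name="$Name" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        netsh advfirewall firewall add rule name="$Name" dir=in action=allow enable=yes @Criteria
        Write-Output "created rule: $Name"
    } else {
        Write-Output "rule already present: $Name"
    }
}

# 1. RRAS must be installed and running, or nothing answers the dial-in at all
$rras = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if (-not $rras) {
    Write-Warning "Routing and Remote Access is not installed; add the role first."
} elseif ($rras.Status -ne 'Running') {
    Write-Warning "RemoteAccess service is $($rras.Status); start it with: Start-Service RemoteAccess"
}

# 2. The inbound rules the RRAS wizard normally adds (both are needed for PPTP to work)
Ensure-InboundRule -Name 'PPTP control (TCP 1723)' -Criteria @('protocol=TCP', 'localport=1723')
Ensure-InboundRule -Name 'PPTP data (GRE 47)'      -Criteria @('protocol=47')

# 3. Confirm the RRAS PPTP listener is actually bound to port 1723
netstat -ano | Select-String ':1723\s'
```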
    LVL 1

    Author Comment

    Sorry, but this method is bypassing the VPN function on the DrayTek completely. I know how to do this. I would prefer to use the DrayTek - it would be a bit of a learning curve for me as well. I just need to create some authentication for the domain on the DrayTek device somehow. Is it possible?
    LVL 18

    Accepted Solution

    Aha... ok, no problemo.
    You are lucky to have LDAP authentication built into the firmware.

    So, first I suggest you check the router's firmware and, if it is lower than upgrade to the latest FW.

    Then you create a new user, but do not choose the default authentication; rather, authenticate against the LDAP server. You have it on page 161 and further in the user's manual.
    This user will then be able to dial in via VPN, being authenticated by the LDAP server... but since I did not test this feature, I am not 100% sure how it will behave against server resources. VPN dial-in is not the only mechanism involved - it is the caller's PC and his/her login on the client PC that are more related to server resources, rather than the VPN dial-in user.
    So if you are logged in to your client PC with domain credentials, any VPN connection to the domain LAN network should pass you through.
    The only prerequisite is to set the VPN connection to pass through NetBIOS traffic (you set it in the Vigor VPN user's properties).
    LVL 18

    Assisted Solution

    by:Andrej Pirman
    One other thing I forgot - SUBNETS.

    If your office LAN subnet and the VPN client's home LAN are both on the same subnet, then it means trouble.
    For example, both are in subnet.

    The VPN router tries to create a ROUTE from the remote VPN user's LAN subnet to the server's LAN subnet. If the subnets are different, the route can be created in the Vigor's routing table.
    But if the subnets are the same, the route cannot be created, because it already exists. Meaning, the server cannot distinguish between a LOCAL client and a VPN client, and does not know that the user, for example, is NOT on the local LAN but must be routed through the Vigor.

    So, the easiest way to prevent this from happening is to use some non-common IP subnet on the SERVER side, for example or, which is very unlikely any other dial-in user would have set up at home.
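The subnet clash described above, as an added example that is not part of the thread: a small PowerShell check that flags when a VPN client's home LAN overlaps the office LAN, so the conflict can be caught before a remote user dials in. The subnets in the usage lines are constructed placeholders, and the function names are my own.

```powershell
# Added example (not from the thread). Subnets used below are constructed placeholders.
function Get-NetworkNumber ([string]$Cidr) {
    # Return the network address of a.b.c.d/n as an unsigned 32-bit number, plus the prefix length
    $ipText, $len = $Cidr -split '/'
    $bytes = [System.Net.IPAddress]::Parse($ipText).GetAddressBytes()
    [Array]::Reverse($bytes)                      # BitConverter expects little-endian
    $ip   = [BitConverter]::ToUInt32($bytes, 0)
    # mask with the top $len bits set; Pow keeps this PowerShell 2.0 compatible (SBS 2011 era)
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$len))
    return @{ Net = ($ip -band $mask); Len = [int]$len }
}

function Test-SubnetOverlap ([string]$OfficeLan, [string]$HomeLan) {
    $a = Get-NetworkNumber $OfficeLan
    $b = Get-NetworkNumber $HomeLan
    # two subnets overlap when they agree on the shorter of the two prefixes
    $short = [math]::Min($a.Len, $b.Len)
    $mask  = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $short))
    return (($a.Net -band $mask) -eq ($b.Net -band $mask))
}

$office = '10.24.0.0/24'     # constructed: an uncommon server-side subnet, as the answer advises
Test-SubnetOverlap $office '192.168.1.0/24'   # False: distinct subnets, the Vigor can add the route
Test-SubnetOverlap $office '10.24.0.0/24'     # True: same subnet, the route already exists (clash)
Test-SubnetOverlap $office '10.0.0.0/8'       # True: the home LAN contains the office LAN (clash)
```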
    LVL 1

    Author Closing Comment

    Thanks for your advice
