Single-Arm VPN allows the router's VPN to work only on the WAN interface, instead of working on traffic sent between LAN and WAN. When doing single-arm VPN, traffic arrives on the WAN interface, gets encrypted, and sent out through the same WAN interface. It's the solution to add VPN compatibility to the network without replacing the Internet gateway. To use the Single-Arm VPN, it’ s required to open the corresponding ports for VPN protocols to Vigor Routers and create the static routing rule for the VPN traffic on the Internet gateway.

Since 3.8.4.2 version firmware, Vigor Router supports single-arm VPN for PPTP (TCP 1723), IPsec (UDP 500 and 4500) and SSL (TCP 443 or user-defined).
1. Go to VPN and Remote Access >> LAN to LAN and click an available index


2. To avoid LAN network conflict with WAN network, please change the LAN network of the Vigor Router.
3. Go to Routing > Route Policy and click an available index to add a new rule:
Go to VPN and Remote Access >> LAN to LAN and click an available index to add a new profile:
To make the single-arm VPN work, we must make the VPN traffic pass through the internet gateway and be sent to the VPN tunnel. Here we take a Vigor300B for example.
1. Go to NAT >> Port Redirection and click Add to create a new rule:
2. Go to Routing >> Static Route and click Add to create a new rule

The latest DrayOS 5 routers can also support Single-Arm VPN since 5.3.1 version and above for the following protocols:
- IPsec (UDP 500, 4500)
- OpenVPN (TCP/UDP 1194)
- WireGuard (UDP 51820)
To make the Single-Arm VPN work, we must make the VPN traffic pass through the Internet Gateway and forward to the VPN server. Here we take a Vigor2927 for example.
Here we take a Vigor2136 as the example for VPN server router.
Here we take a Vigor2962 as the example for VPN client router.
Published On:2017-01-11
ShareWas this helpful?