Some ISPs only assign the private IP addresses for the general user because the public IP address is not enough. Therefore, it brings the demand to have VPN tunnels under the circumstances. Besides this case, we also can imagine that most of 4G providers give the private IP too, and if we want the VPN tunnel somewhere only have 4G connection as a wired network is unable to be deployed. In Order to overcome the limitations, we make both VPN gateways behind the NAT register to the VPN Matcher server. The VPN Matcher server is capable of exchanging the connection information such as IP addresses and Port's numbers for VPN gateways. After the VPN gateways obtain the connection information from the server, VPN tunnel can be started to be established between them.
The image shown below is the topology for the case.
Here are the steps to establish the VPN tunnel between two Vigor routers whose WAN interfaces are behind the NAT.
Step 1, Both routers register to the VPN Matcher server.
Step 2, The VPN Matcher server helps to exchange external IP addresses and the ports' number to both VPN gateways that want to communicate.
Step 3, RouterA performs an outbound connection to RouterB to open the port for RouterA to connect back. At the same time, RouterA receives the connection info. of RouterB from the server and start to establish VPN to RouterB. After that, VPN can be established.
Please note that VPN Matcher ONLY get information of IP´s and Port´s, it will not record/get access to VPN Traffic.
Following is the setup steps of the VPN matcher application, the feature is available since firmware version v3.9.2.
1. Go to https://vpn-matcher.draytek.com, and create an account.
2. Log in VPN matcher server, and add your Vigor routers, including LAN MAC address, Router models, VPN role and LAN network for VPN tunnel.
3. Copy Router List Key.
1. Go to VPN and Remote Access>>VPN Matcher Setup, and enter VPN matcher server address, port 31503, Account, and Router List Key.
2. Click Get List, then we can find the devices added in the VPN matcher server, choose the device to establish VPN, click Create Profile.
3. Set up VPN profile for the VPN server router.
Configure VPN client router similarly to VPN server, but set Direction as Dial-out.
After the setting is finished, we can check VPN status in VPN and Remote Access>Connection Management.
Note: There is a network requirement, that the NAT type should be Cone NAT, such as Full cone NAT(one-to-one), Address-Restricted cone NAT or Port-Restricted cone NAT. Symmetric NAT is not supported, Vigor Router also provides detection function in VPN Matcher Setup.
Was this helpful?
Sorry about that. Contact Support if you need further assistance, or leave us some comments below to help us improve.