What is VPN Matcher and how to use it

Some ISPs only assign the private IP addresses for the general user because the public IP address is not enough. Therefore, it brings the demand to have VPN tunnels under the circumstances. Besides this case, we also can imagine that most of 4G providers give the private IP too, and if we want the VPN tunnel somewhere only have 4G connection as a wired network is unable to be deployed. In Order to overcome the limitations, we make both VPN gateways behind the NAT register to the VPN Matcher server. The VPN Matcher server is capable of exchanging the connection information such as IP addresses and Port's numbers for VPN gateways. After the VPN gateways obtain the connection information from the server, VPN tunnel can be started to be established between them.

The image shown below is the topology for the case.

Here are the steps to establish the VPN tunnel between two Vigor routers whose WAN interfaces are behind the NAT.

Step 1, Both routers register to the VPN Matcher server.

Step 2, The VPN Matcher server helps to exchange external IP addresses and the ports' number to both VPN gateways that want to communicate.

Step 3, RouterA performs an outbound connection to RouterB to open the port for RouterA to connect back. At the same time, RouterA receives the connection info. of RouterB from the server and start to establish VPN to RouterB. After that, VPN can be established.

Please note that VPN Matcher ONLY get information of IP´s and Port´s, it will not record/get access to VPN Traffic.

Following is the setup steps of the VPN matcher application, the feature is available since firmware version v3.9.2.

VPN Matcher:

1. Go to https://vpn-matcher.draytek.com, and create an account.

2. Log in VPN matcher server, and add your Vigor routers, including LAN MAC address, Router models, VPN role and LAN network for VPN tunnel.

3. Copy Router List Key.

Vigor Router as VPN server:

1. Go to VPN and Remote Access>>VPN Matcher Setup, and enter VPN matcher server address, port 31503, Account, and Router List Key.

2. Click Get List, then we can find the devices added in the VPN matcher server, choose the device to establish VPN, click Create Profile.

3. Set up VPN profile for the VPN server router.

Select Profile Index in VPN and Remote Access>LAN to LAN

Give a Profile Name

Set Direction as Dial-in

VPN type is IPsec by default, it can be manually changed after VPN profile is configured

Enter IPsec Pre-shared Key

Enter Peer ID for IPsec identity

Network settings are auto-filled according to the settings on the VPN matcher server.

Vigor Router as VPN client:

Configure VPN client router similarly to VPN server, but set Direction as Dial-out.

After the setting is finished, we can check VPN status in VPN and Remote Access>Connection Management.

Note: There is a network requirement, that the NAT type should be Cone NAT, such as Full cone NAT(one-to-one), Address-Restricted cone NAT or Port-Restricted cone NAT. Symmetric NAT is not supported, Vigor Router also provides detection function in VPN Matcher Setup.