Using a Draytek Router as dedicated VPN Gateway

07/11/2012 – 23:13

I am currently using a Fritzbox 7390 as a device for handling a 16MBit ADSL line, telephony (SIP based) and two DECT devices. I also used the 7390 as VPN endpoint for some time, dealing with Astaro UTMs as counterparts. VPN was halfways robust, some points however were unnerving:

  • There is no possibility to force a tunnel initiation on the 7390 (“always start up tunnel”), the tunnels only initiated on demand from devices inside the 7390’s local nets.
  • Configuration has to be done via config text files that have to be uploaded. Each upload results in a reboot.
  • There is no VPN logging for debugging
  • Activating/deactivating tunnels in the web interface results in reboots
  • Tunnels sometimes hung -> Reboot
  • No firewall rules configurable for IPSec tunnels
  • We use a lot of Draytek devices at work, which we have good results with, and acquiring a used Draytek 2900 on Ebay cost me 11€ including freight. I personally recommend either the Draytek 2900 (hardware based 3DES) or the 2920 (hardware based AES), the 2910 is a lemon, the 26xx series does not support hardware encryption/decryption.

    My goals were:

  • VPN on 7390 disabled, Draytek as main VPN gateway
  • No need to touch existing devices at home: 7390 still is main gateway
  • Existing port-forwarding rules on 7390 still needs to work
  • Draytek can be turned off or taken away, existing net still needs to work
  • Firewall rules need to be installed on Draytek to regulate access LAN<>VPN
  • Schematic for the setup

    The Draytek uses a IP from the local subnet on its LAN port (e.g., another on its WAN port (, using the Fritzbox as gateway ( A connection has to be established between a Fritzbox LAN port and the Draytek WAN port and between a Fritzbox LAN port and a Draytek LAN port. (Cabling-wise this can be achieved by using a cable FritzboxLAN<>DraytekLAN, and a short 30cm cable between DraytekLAN and DraytekWAN)

    WAN setup Draytek

    The Draytek has a valid gateway to the internet now, so we can go ahead and configure a VPN tunnel to a remote site (configuring Draytek tunnels is not part of this guide).

    We still have to get the clients to be able to use the tunnel however, and there are two options for that:

  • Set static route on (each) client: route add mask
  • Set static route in Fritzbox, to route packets for to
  • Preferred method: set route in main gateway (Fritzbox)
    (Net, network, static ipv4 routes)

    We still want to set firewall rules in the Draytek. You can get some examples here:

    Post a Comment