This tutorial was officially written by DrayTek. You can find the original tutorial here.
Important update: This tutorial will likely only work for DrayTek routers that have the following version of the firmware:
v2135 - 4.2.1.2
v2765 - 4.2.1.1
v2865 - 4.2.2
v2927 - 4.2.2
Older versions may fail to authenticate.
This tutorial will show you how to create an IKEv2 EAP VPN tunnel from Vigor Router to a NordVPN server.
- First, we'll need to get the hostname of the server that we'll be connecting to.
For this step, you'll need to use our server-finding tool*. Click here to access it: /servers/tools/
*The name is self-explanatory: the tool employs a special algorithm to find the best suiting server for you.
The hostname is the first piece of text you can see under the country's flag.
For the purpose of this tutorial, we will use the de241.nordvpn.com hostname:
Copy and save the hostname somewhere for now. We will need it later in the tutorial.
- Now, let's log into the router's management page.
Open a browser of your choice, click on the address bar, type in 192.168.1.1 and press enter
(If this does not open the log-in prompt, please check your router's manual for the proper IP address).
You should see a log-in prompt appear. The default Username and Password should both be 'admin' or 'admin'/blank.
- Now, navigate to Certificate Management >> Trusted CA Certificate. When there, click IMPORT.
- We will need to import the NordVPN root CA certificate, which you must first download by following this link: https://downloads.nordcdn.com/certificates/root.der.
- Afterwards, press on Choose File and select the root file which you downloaded in the previous step. Later, click Import.
- Wait for a few seconds until the router responds Import Success and the Certificate Status shows OK.
- Then, go to VPN and Remote Access >> IPsec Peer Identity.
Here, you need to set the profile name to NordVPN.- Also, check Enable this account
- And, select Accept Any Peer ID
- Following that, go to VPN and Remote Access >> LAN to LAN, click on an available index number, and edit the profile as follows.
In Common Settings:
- Give it a profile name
- Check Enable this profile
- Set Call Direction to "Dial-Out"
- At Dial-Out Through, select the WAN interface for VPN connection
- In Dial-Out Settings:
- Select IPsec Tunnel and IKEv2
- Select IPsec EAP for the VPN server type
- Enter the hostname of the VPN server you got in step 1 at Server IP address/Hostname
- Enter your NordVPN service Username
- Enter your NordVPN service Password
- You can find your NordVPN service credentials on the Nord Account dashboard. Copy the credentials using the buttons on the right.
- You can find your NordVPN service credentials on the Nord Account dashboard. Copy the credentials using the buttons on the right.
- Choose Digital Signature for IKE Authentication Method and select the IPsec Peer Identity Profile created in step 5 for Peer ID
- Select AES with Authentication for IPsec Security Method
- Click Advanced
- In the IKE advanced settings pop-up window, configure the following:
- IKE phase 1 proposal as AES256_SHA1_G14
- IKE phase 2 proposal as AES256_SHA1
- IKE phase 1 key lifetime as 28800
- IKE phase 2 key lifetime as 3600
- Click OK to close the window. At TCP/IP Network Settings:
- Enter Remote Network IP as 0.0.0.0
- Select Remote Network Mask to 0.0.0.0/00
- Change Routing to NAT for this VPN connection
- (optional) Enable Change Default Route to this VPN tunnel option if you want to route all traffic through NordVPN.
- After finishing the above settings, you can check the VPN status via VPN and Remote Access >> Connection Management page.
Optional.
You can create Policy Route via Routing >> Load-Balance/Route Policy to send specific traffic to the NordVPN tunnel. To verify the policy, you can use the command “tracert” to check if the defined traffic is going through the VPN tunnel correctly.
