Need a VPN for your router?Get ExpressVPN Now
Love ExpressVPN? Want a free month?Refer a friend now
This tutorial will show you how to set up ExpressVPN on your DrayTek DrayOS router using the L2TP protocol.
DrayTek DrayOS routers include: Vigor 2120, 2132, 2133, 2710, 2760, 2762, 2820, 2830, 2850, 2860, 2862, 2920, 2925, 2930, 2926, 2952, 3200, and 3220.
Find your ExpressVPN account credentials
To begin, sign in to your ExpressVPN account.
Once you have signed in to the website, click on Set Up on More Devices.
Click on Manual Config on the left side of the screen and then select PPTP & L2TP-IPSec on the right. This will show you your username, password, and a list of server addresses around the world.
Please keep this information on hand as you will need it to configure your DrayTek router.
Configure your DrayTek router with the VPN
Access your router’s control panel by entering the LAN IP address (default: 192.168.1.1) in your browser. Then log in with your username and password (default: admin / admin).
On the left-side menu, go to VPN and Remote Access > LAN to LAN.
Under 1. Common Settings:
- Profile Name: enter a name of your choosing
- Enable this profile: checked
- VPN Dial-Out Through: choose a Dial-Out WAN policy (e.g., WAN1 First)
- Call Direction: Dial-Out
- Always on: checked
Under 2. Dial-Out Settings:
- L2TP with IPsec Policy: Must
- Server IP/Host Name for VPN: enter a server address you found above
- Username: the ExpressVPN username you found above
- Password: the ExpressVPN password you found above
- Pre-Shared Key: 12345678
- High(ESP): AES with Authentication
Under 5. TCP/IP Network Settings:
- Remote Network Mask: 0.0.0.0 / 00
- From first subnet to remote network, you have to do: NAT
Configure split tunneling on your DrayTek router
You can use DrayOS’s Policy Route feature to select which traffic goes through the VPN tunnel and which does not.
To use the Policy Route feature, go to Routing > Load-Balance/Route Policy.
Under Index: 1:
- Enable: checked
- Comment: enter a name of your choosing
- Protocol: enter the protocol you want to send through the VPN connection
- Source: enter the IP address you want to send through the VPN connection
- Destination: enter the IP address you want to reach through the VPN connection
- Destination Port: enter the port you want to reach through the VPN connection
- Interface: VPN
- Failover to: WAN/LAN
- Gateway: Default Gateway
- Failback: checked
To verify the VPN connection is working, go to VPN and Remote Access > Connection Management to verify traffic is flowing through the VPN tunnel.
Connect to another VPN server
To use another VPN server, you will need to create a new VPN profile with a different server address.
Next, go to Routing > Load-Balance/Route Policy and change the VPN Interface to the new VPN profile. This is because only one VPN connection can be active at any time.
Alternatively, you can create a new Route Policy if you only want to send specific traffic to the new VPN profile.
Disconnect from the VPN
To disconnect the VPN connection, go to VPN and Remote Access > LAN to LAN.
Uncheck the box next to the connection name, then click OK at the bottom of the page.