External S500 Phones

Hello all,

I am trying to get the correct setup in place for supporting S500 phones that are remote and will be connecting via VPN to our systems. I have followed the steps to create the OpenVPN server on FreePBX, I have added the Extension as a VPN client to User Admin and mapped this in EPM with a default external template. I have opened up the port for OpenVPN on our firewall, and passed port 84, which is the http provision port. But it is still not working. I have defined my deployment on the phone in the schmooze portal. I looked at the firewall on the PBX and http provision is set to internal and other, which I assume is the default, and there is a warning about not opening this port up to the outside world. So now I am confused as to the correct secure setup to make this work.

Overall I am impressed with the documentation on the wiki, but there really needs to be a clear and concise step-by-step document on how to make this touted feature of your phones work. Can anyone offer assistance?

Thanks in advance,


*** EDIT ***

Since this post was written, phone firmware and EPM changes render it all obsolete. Just provision your phones like normal, ensure that you first provision a phone from a trusted host, and once the phone is working with the VPN, future provisioning requests will go over the tunnel.

*** EDIT ***

Hi Rob:

So with a small amount of effort, you can provision and register a Sangoma phone entirely through the FreePBX VPN. Before you start, make sure that FreePBX is fully up to date, you have the newest phone firmware and it wouldn’t hurt to be running the edge version of Firewall.

  • It sounds like you have a PBX on a LAN behind a router. In FreePBX Firewall, add the local LAN to trusted networks, so that you can do the initial steps without worrying about Firewalls or NAT.
  • Get normal EPM provisioning working properly first with a phone on the same internal network as your PBX. With Sangoma phones, changes made to EPM (or UCP) should be pushed instantly to the phone when you select ‘save and update phone’ in EPM. Wiki is here.
  • Enable the VPN in System Admin, wiki page is here. When up and running, confirm you have a new tun0 interface (Firewall, Zones, Interfaces), set to internal (so traffic is trusted) and confirm PBX VPN IP at from the CLI. You do not have to create clients in this step. Add the VPN subnet to Asterisk SIP settings as a local network.
  • In User Management select a user with the primary extension you want to add to the VPN. Edit the user, VPN tab, select ‘create new’ and apply. User Manager will generate a VPN client certificate for the selected user. Do this for each user. Apply config.
  • In EPM, Extension Management, select the extension you want to provision for the VPN, click the edit icon, select the just-created VPN client cert, save and rebuild.

The steps above are the basic steps to get a phone on the PBX VPN. At this point when you re-provision the phone on a trusted network, it downloads the new config (not on the vpn), sets up the phone VPN client and registers to the PBX over the VPN. The first time you do this (and every time the phone is factory defaulted), the phone must have free access to the http provisioning service. That’s why I suggest you start with the phone on the local LAN, but you could also add the WAN IP of the phone to the Firewall trusted networks tab. Once the VPN has been enabled on the phone, you will see the ‘VPN’ icon on the phone display, and you will see the phone’s VPN IP address in Sysadmin, VPN Server. You want to confirm that the phone is registered as an extension over the VPN (sip show peers) and confirm 2 way audio (*43).

There is a final step required before you move the phone to an un-trusted network. As long as the phone has access to the VPN service (set it to external in Firewall), when the phone boots it will connect to the PBX VPN. However, it won’t get new provisioning updates, because it will still be looking to the http provisioning service on the PBX LAN/WAN IP, which is set to internal in Firewall. The way around this is to change the EPM template for the phone and set the provisioning server to the PBX VPN IP. Now when the phone boots, it will get provisioning files over the VPN and register to Asterisk over the VPN. For simplicity it is easiest to have two templates: a basic one to initially set up the VPN from a trusted network, then change to the final template that uses the VPN IP with the provisioning server.

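A check for the "sip show peers" confirmation step in the reply above, added here as an example and not part of the original thread: it parses peer output and reports whether each VPN-provisioned extension actually registered from inside the VPN subnet. The subnet 10.8.0.0/24, the extension numbers and the sample output are constructed assumptions; substitute your own.

```python
import ipaddress

# Assumptions (not from the thread): the VPN subnet and which extensions
# were given a VPN client certificate in User Management / EPM.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
VPN_EXTENSIONS = {"101", "102", "103"}

# Constructed sample of `asterisk -rx "sip show peers"` output.
SAMPLE = """\
Name/username             Host                                    Dyn Forcerport Comedia    ACL Port     Status      Description
101/101                   10.8.0.2                                 D  Yes        Yes         A  5060     OK (23 ms)
102/102                   203.0.113.45                             D  Yes        Yes         A  5060     OK (48 ms)
103/103                   (Unspecified)                            D  Yes        Yes         A  0        UNKNOWN
200/200                   192.168.1.50                             D  Yes        Yes         A  5060     OK (4 ms)
4 sip peers [Monitored: 3 online, 1 offline Unmonitored: 0 online, 0 offline]
"""


def classify_peers(output, vpn_net=VPN_NET, vpn_exts=VPN_EXTENSIONS):
    """Map each VPN extension to 'vpn', 'outside-vpn' or 'unregistered'."""
    result = {}
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[0]:
            continue  # blank line or the trailing summary line
        ext = fields[0].split("/")[0]
        if ext not in vpn_exts:
            continue  # header row ("Name") or an extension not meant for the VPN
        try:
            addr = ipaddress.ip_address(fields[1])
        except ValueError:
            result[ext] = "unregistered"  # Host column is "(Unspecified)"
            continue
        # A VPN phone registering from any other address is bypassing the tunnel.
        result[ext] = "vpn" if addr in vpn_net else "outside-vpn"
    return result


if __name__ == "__main__":
    for ext, state in sorted(classify_peers(SAMPLE).items()):
        print(f"{ext}: {state}")
```

An `outside-vpn` result for a phone that shows the VPN icon usually means its SIP registration is still pointed at the PBX LAN/WAN address rather than the PBX VPN IP.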

All of the above can be avoided if it is possible to whitelist your remote clients. If they are on fixed IPs or if they are able to use a dynamic DNS service, you can add the IP/FQDNs to the trusted networks tab in Firewall and they will provision and register just fine.