FreePBX VPN setup with Sangoma S500

FreePBX 15.0.17.12 / Current Asterisk Version 16.15.1 / all modules up to date

As the subject title states, I’m having trouble configuring a Sangoma S500 phone over VPN. FreePBX is a Virtualbox VM running on 172.16.0.0/24 and is behind a pfSense firewall. Port 1194 has been opened to the PBX on the pfSense firewall. The public IP, say, 11.22.15.72, is configured as “Trusted (Excluded from Firewall)” in the FreePBX firewall. The public IP of the remote phone is, say, 11.22.23.21.

I have followed all the VPN setup wikis as carefully as I could.

FreePBX VPN server is configured as follows:

Settings: Enabled
Server Range: 10.8.0.0/255.255.255.0
Server Remote Address: 11.22.15.72
Redirect Gateway: Yes
VPN Renegotiate Timer: 3600
Routes:
10.8.0.0 255.255.255.0 Enabled
172.16.0.0 255.255.255.0 Enabled

VPN Client:
Enabled: Yes
Description: Sangoma S500 ext. 1011
Use DDNS: Yes
Use Server Remote Address: Yes
Client Remote Address(s): 11.22.23.21
Assigned Address: 10.8.0.3

Extension 1011 has been configured in Endpoint Manager (EPM) to use VPN Client “Sangoma S500 ext. 1011”. This extension uses sangoma_external_template configured as follows:

Default internal template: No
Default external template: Yes
SIP Destination Address: External www.fqdn.com (which resolves to 11.22.15.72)
Provisioning Protocol: HTTP
Provisioning Address: External www.fqdn.com (which resolves to 11.22.15.72)
Phone Apps Protocol: HTTP
Force Firmware Version: Recommended
Save, Rebuild Config(s) and Update Phones: Apply

The Sangoma GUI at the remote IP 11.22.23.21 was used to upload the VPN config files, which were generated from the 1011 User Control Panel (UCP). The Authentication Password on the Sangoma S500 GUI at the remote IP 11.22.23.21 is correct, but the S500 refuses to register. The S500 displays “VPN activated”.

If anyone has further suggestions, or can point me to logs I can use to resolve this issue it would be appreciated. Thanks.

IIRC, the built in VPN only works for the SIP services, you’ll have to open the provisioning port so it can download the config. I may be wrong tho.

You must provision the phone the first time from a trusted zone, but after that the S series will provision via the vpn.

@PitzKey and @lgaetz Thanks for your reply. Opening up the provisioning port on the firewall was the key.

For reference:

  1. The VPN setting on the remote S500 phone GUI under Network==>Advanced must also be set to “Active” for the phones to register.
  2. On the S500 phone GUI under Accounts, each of the Primary SIP Servers is set to www.fqdn.com:port, where port is the non-standard port configured in Settings==>Asterisk SIP Settings==>SIP Settings [chan_pjsip]==>Port to Listen On.
  3. This non-standard pjsip port has been opened up on the firewall for the public IP of the remote S500 phone, in this case 11.22.23.21.
  4. The UDP RTP Ports have been opened up for the public IP of the remote S500 phone.

The S500 has now registered, indeed, all four “Accounts” (i.e., extensions 1011, 1012, 1013 and 1014) now display as “Registered” in the S500 phone GUI, and I can call extension 1011 from another extension, say 2001, which is on the PBX.

FreePBX 15.0.17.21 all modules up to date

Back again, still trying to get the S500 to register remotely over VPN.

Ports 1443 and 1194 are open on the pfSense firewall.

The S500 will register ext. 1001 (pjSIP) remotely using HTTPS provisioning if the “VPN Client” field in Endpoint Manager==>Extension Mapping for ext. 1001 is set to “None”.

If the “VPN Client” field is set to “1001 - 1001”, when the phone is rebooted, the S500 displays “VPN activated” but ext. 1001 doesn’t register.

Both 11.22.15.72/32 (FreePBX server) and 11.22.23.21/32 (IP of remote phone) are in the Trusted (Excluded from Firewall) zone in the FreePBX firewall.

Here is what I see in /var/log/messages:

Feb 11 06:55:11 freepbx15vb openvpn: Thu Feb 11 06:55:11 2021 11.22.23.21:47242 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:51541 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:51541 TLS Error: TLS handshake failed
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:51541 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:45567 TLS: Initial packet from [AF_INET]64.46.23.21:45567, sid=477a946b d13a1978
Feb 11 06:55:15 freepbx15vb openvpn: Thu Feb 11 06:55:15 2021 11.22.23.21:33964 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 11 06:55:15 freepbx15vb openvpn: Thu Feb 11 06:55:15 2021 11.22.23.21:33964 TLS Error: TLS handshake failed

Here is the relevant portion of the DEBUG syslog.txt from the S500:

[02-11 09:13:44 50:ce:04] SYSLOG: load flash Flie 2 -1
[02-11 09:13:45 50:ce:04] vpn_log_file_length is 802178, st_size is 0
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Re-using SSL/TLS context
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 LZO compression initialized
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Socket Buffers: R=[126976->131072] S=[126976->131072]
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Local Options hash (VER=V4): ‘41690919’
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Expected Remote Options hash (VER=V4): ‘530fdded’
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 UDPv4 link local: [undef]
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 UDPv4 link remote: 11.22.15.72:1194
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS: Initial packet from 11.22.15.72:1194, sid=c399c668 956f9f0a
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=server1
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS Error: TLS object -> incoming plaintext read error
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS Error: TLS handshake failed
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TCP/UDP: Closing socket
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 SIGUSR1[soft,tls-error] received, process restarting
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 Restart pause, 2 second(s)

Certificate Management in the FreePBX GUI shows a valid Let’s Encrypt certificate at www.fqdn.com which resolves to 11.22.15.72.

There is an issue with a “local issuer certificate” but I’m not sure what this means and where to go from here.
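As an added triage helper (not from this thread, FreePBX or Sangoma), the script below sorts the two logs above by peer and failure cause, so the phone-side VERIFY ERROR is not lost behind the server's generic "handshake failed" lines. The sample lines are copied from this post; the cause names and hints are my own reading of the standard OpenVPN/OpenSSL messages.

```python
import re
from collections import defaultdict

# Sample lines taken from the two logs in this post (constructed input for a stand-alone run).
SERVER_LOG = """\
Feb 11 06:55:11 freepbx15vb openvpn: Thu Feb 11 06:55:11 2021 11.22.23.21:47242 SIGUSR1[soft,tls-error] received, client-instance restarting
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:51541 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Feb 11 06:55:13 freepbx15vb openvpn: Thu Feb 11 06:55:13 2021 11.22.23.21:51541 TLS Error: TLS handshake failed
"""
PHONE_LOG = """\
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 UDPv4 link remote: 11.22.15.72:1194
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 VERIFY ERROR: depth=0, error=unable to get local issuer certificate: /CN=server1
[02-11 09:13:45 50:ce:04] OpenVPN: Thu Feb 11 15:13:48 2021 TLS Error: TLS handshake failed
"""

# Most specific pattern first; the first match wins.
CAUSES = [
    (r"unable to get local issuer certificate", "ca_mismatch"),      # the CA file the phone holds did not issue the server cert
    (r"TLS key negotiation failed to occur within", "handshake_timeout"),  # server saw a peer start but never finish a handshake
    (r"TLS handshake failed", "handshake_failed"),                    # generic; look for a more specific line from the same peer
]
HINTS = {
    "ca_mismatch": "CA in the phone's VPN bundle did not sign the server certificate; regenerate and re-upload the client files after any server certificate change",
    "handshake_timeout": "peer started a handshake the server never completed; check UDP 1194 reachability and whether the client rejects the server cert",
    "handshake_failed": "generic TLS failure; find the more specific error from the same peer",
}
PEER = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+")  # "addr:port" as OpenVPN prints peers

def classify(line):
    """Return the cause name for a log line, or None if it is not a TLS failure."""
    for pattern, cause in CAUSES:
        if re.search(pattern, line):
            return cause
    return None

def triage(log_text):
    """Map each peer address (or 'local' for the phone's own log) to the set of causes seen."""
    peers = defaultdict(set)
    for line in log_text.splitlines():
        cause = classify(line)
        if cause is None:
            continue
        m = PEER.search(line)
        peers[m.group(1) if m else "local"].add(cause)
    return dict(peers)

def advice(causes):
    """Hint for the most specific cause present, in CAUSES order."""
    for _, cause in CAUSES:
        if cause in causes:
            return HINTS[cause]
    return "no TLS failure seen"

if __name__ == "__main__":
    for name, log in (("server", SERVER_LOG), ("phone", PHONE_LOG)):
        for peer, causes in triage(log).items():
            print(f"{name} {peer}: {sorted(causes)} -> {advice(causes)}")
```

Run against the full /var/log/messages and syslog.txt rather than the excerpts to see whether any peer other than the phone shows the same pattern.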

@rwize @Databarinc It appears likely that this issue is related to and is discussed in (and indeed may be resolved by) recent comments from another FreePBX issue which I opened some weeks back:

I believe it would be helpful to quote the comments by @rwize:

For those without EPM, one has to export your certs and then import them to the phones. If you are not using the End Point Manager module, then this means a manual process. I can verify it works, as we updated one of the ‘shared’ PBXs and encountered a phone disconnect issue even after updating the phones’ VPN certificates, until we updated the Sys Admin module. The Sys Admin module has to be V.15.0.21.17 or greater.

Here is the command to run from the console and root access:

“fwconsole ma downloadinstall sysadmin --edge”

For others who have not “rebuild” their certificates, I recommend not to until you are ready to update each phone however you do that in your environments.

Here is a link again to the bug case I opened and obtained the guidance from FreePBX support:

[FREEPBX-22242] OpenVPN breaks after Critical Update - Sangoma Issue Tracker

@rwize In your comments quoted directly above you say the Sys Admin module has to be “15.0.21.17”. At the moment, all the modules in my FreePBX are up to date and the Dashboard GUI says “FreePBX 15.0.17.21” which is the version I presume you meant.

As luck would have it, immediately after I posted the comment above, I updated FreePBX from the command line and a number of modules were updated. The Dashboard GUI now reads FreePBX 15.0.17.24.
