Multiple endpoints same extension using FreePBX VPN

I believe I know the answer but I want to make sure…

Is it possible to have multiple (2 or more) PJSIP phones on the same extension all using the FreePBX built-in OpenVPN server? Initial tests produce an IP conflict as the VPN server hands out the same IP to both test phones.

Is there any way to skin this cat?

If your server.conf file (likely /etc/openvpn/server.conf) has the duplicate-cn option present (and not commented out), you have restarted the server after setting this option, and you are not assigning a static tunnel IP address to the user, it should work. Or something else? Do other extensions get different tunnel addresses?

This is really weird as we’ve set up several VPN servers for some installations and never run into this problem. Unless you have something configured specifically inside your instance, the default is to assign a unique IP to each physical phone that connects to the VPN.

I think the point you’re missing is that both phones are on the SAME EXTENSION. Since the OpenVPN users/certs are assigned per extension, both phones receive the same IP from the OpenVPN server.

The only conf is /etc/openvpn/sysadmin_server1.conf.

In the conf file:

# Configuration automatically generated via Sysadmin RPM
# Generated at: Wed, 09 Aug 2023 12:51:10 +0000

log /var/log/openvpn.log
port 1194
proto udp
dev tun
topology subnet
ca sysadmin_ca.crt
dh sysadmin_dh.pem
crl-verify sysadmin_crl.pem
cert sysadmin_server1.crt
key sysadmin_server1.key
ifconfig-pool-persist ipp.txt
keepalive 10 120
verb 3
client-config-dir ccd
status sysadmin_server1-status.log 10
status-version 3
script-security 2
reneg-sec 3600

So even if I added the parameter you suggest, it will get overwritten by FreePBX, presumably.

So I edited the /etc/openvpn/sysadmin_server1.conf file and added the duplicate-cn parameter to the end of it… rebooted the PBX… the file is still intact and the phones now get different IPs from the OpenVPN server.

I’m just wondering what will trigger FreePBX to overwrite the file, though, and break the functionality.

Sorry, I’m not familiar with sysadmin and don’t know how any override options for the openvpn config work.

Possibly, the file /etc/systemd/system/[email protected]/sangoma_openvpn_override.conf
can be modified, or you can add your own .conf to /etc/systemd/system/[email protected] .

An alternative approach is to use different extension numbers for the two phones, e.g. 201 and 9201. Set up Follow Me on 201 to also ring 9201. Set CID Num Alias on 9201 to 201, so calls made from 9201 will look like they came from 201.

Yeah, thought of multiple extensions and FMFM but that’s really clunky… No reason we should have to do that.

Just confirmed that if you go into sysadmin > vpn server and submit (even without changes) it does in fact overwrite the conf file and remove the duplicate-cn setting. So while this does work, it’s not ideal…

I submitted a feature request for this, don’t see this as being a big deal for them but we’ll see.

I don’t have any good ideas but one of these might be usable:

  1. Get the OpenVPN config somehow modified. I assume that you can add a file to /etc/systemd/system/[email protected] to add duplicate-cn, but you probably also need to modify the files in ccd to not force a static IP, which I don’t know how to do, as I don’t use sysadmin. Look at the files in ccd, with luck they don’t force a static IP, in which case this should be fairly simple.

  2. Configure OpenVPN outside of sysadmin, or configure an additional server with the extra extensions.

  3. Give up on OpenVPN for remote phones. If they are capable of ‘modern’ TLS and SRTP, security should be just as good.

  4. Set the phones up as separate extensions, but override the extension number and secret, so it’s really the same extension.

  1. I can manually modify the conf, no problem. Just have to remember to fix it if I make changes in the GUI. Static IPs have to be specifically set in the GUI per user.
  2. Again, don’t want to do extra extensions…
  3. That’s my next project; as of yet I’ve never used TLS/SRTP, only VPN… so a learning curve there.
  4. Too much monkeying around under the hood…

On (1), are you saying that enabling duplicate-cn does work, i.e. that static tunnel IPs are not the default and two devices with the same extension number get different tunnel IPs and work correctly? If so, I would think that there is some place (such as the [email protected] folder) where you could shield your change from being overwritten.

Another possibility is making /etc/openvpn/sysadmin_server1.conf immutable, though I have no idea what consequences that would have.

Yes, as stated above, adding duplicate-cn does allow the OpenVPN server to give out multiple different IPs on the same extension (OpenVPN user).

Static IPs are NOT the default; you have to set them manually per extension user if you want them (usually I do, having run into duplicate IP issues in the past with the OpenVPN in FreePBX).

Not sure… I did just get the phones in my lab to connect using TLS/SRTP so I’ve got that going for me and I did create a ticket in the FreePBX issues asking for the capability to add “duplicate-cn” config to the file in system admin.
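Because submitting the Sysadmin VPN Server page rewrites the conf file, one way to check and re-apply the setting afterwards is sketched here as an added example (not from the thread and not FreePBX code). The function names and the temp-file demo are constructed; on a real system the functions would be pointed at /etc/openvpn/sysadmin_server1.conf and its ccd directory, followed by a restart of the OpenVPN service.

```shell
#!/bin/sh
# Added example: re-check an OpenVPN server config after a GUI submit.
# The demo below runs on constructed temp files, not on a live system.

# True if DIRECTIVE ($2) appears as an active (non-commented) line in CONF ($1).
has_directive() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Append duplicate-cn only if it is missing; prints "added" or "present".
ensure_duplicate_cn() {
    if has_directive "$1" duplicate-cn; then
        echo present
    else
        printf '\nduplicate-cn\n' >> "$1"
        echo added
    fi
}

# List ccd files that pin a static tunnel IP (ifconfig-push). Two devices
# sharing that certificate CN would still be pushed the same address.
static_ip_ccd() {
    grep -El '^[[:space:]]*ifconfig-push[[:space:]]' "$1"/* 2>/dev/null | sort
}

# --- demo on constructed sample data ---
demo=$(mktemp -d)
mkdir "$demo/ccd"
cat > "$demo/server.conf" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
ifconfig-pool-persist ipp.txt
client-config-dir ccd
# duplicate-cn
EOF
printf 'ifconfig-push 10.8.0.50 255.255.255.0\n' > "$demo/ccd/201"
printf '# no static address\n' > "$demo/ccd/202"

echo "first run:  $(ensure_duplicate_cn "$demo/server.conf")"
echo "second run: $(ensure_duplicate_cn "$demo/server.conf")"
echo "static-IP ccd entries: $(static_ip_ccd "$demo/ccd")"
```

With duplicate-cn active, several devices can hold sessions on one certificate at the same time, so the status log is the place to see how many connections each common name has.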
