OpenVPN HowTo

Is there a guide and/or wiki article on how to configure OpenVPN on the FreePBX Distro? If not, I’m more than happy to put one together (so long as folks are willing to review & offer feedback).

I found a slew of OpenVPN tutorials via Google, so I’m sure that’d be enough to get me started (I just wouldn’t want to miss something specific to the FreePBX Distro).

-Pablo

Yealink handsets have OpenVPN client in them so for remote extensions would be great to configure OpenVPN on FreePBX and then be able to ship a phone to remote user and have it “Just Work” out of the box. Correct me if I am wrong but I think there is some weird port or protocol forwarding that not all routers pass through to the PBX though.

I’m also working with Yealink handsets and would love to use the OpenVPN option.

I hate to be master of the obvious but have any of you installed OpenVPN on your systems and tried to make it work?

I looked a year or two ago when I was first looking into the Yealink handsets and there was very limited documentation at the time and nothing specific on how to do it on the same server as Asterisk / FreePBX.
The OP was offering to write a guide / tutorial on how to install and configure OpenVPN on the systems and both of our responses were to say we would be interested in seeing that done and commenting on the guide once it is done.
Mark.

OpenVPN has nothing to do with Asterisk or FreePBX. Assuming you have a build of OpenVPN for the OS and CPU that you have Asterisk on you can install OpenVPN.

You only need the VPN username and password and the IP of the OpenVPN server and you are off to the races on the Yealink.

Hey Scott, I am just always careful about injecting more into one box that is already running so nicely. The OP was looking for interest in making a guide. I was only notifying him of my interest. I haven’t had to look back into this for a while but now my curiosity is piqued again I may have a go when I next have some time. I just thought for some reason there was a “different” protocol that needed to be forwarded in router which I was not sure if my router did. Looks like I was trying to see how to install on router itself by mistake and needed dd-wrt.
Hope you had a great Christmas and New Year and I look forward to another year with FreePBX.

Freepbx 12 has an item on the status page now to tell you if your openvpn server is running. Does that mean that if I just install openvpn on my Freepbx server and start it, that this flag will get a green check? I’d like at least a bit more information about FreePBX’s view of OpenVPN on a FreePBX implementation, especially if they are going to put an item on the status page.

“Freepbx 12 has an item on the status page now to tell you if your openvpn server is running.”

That is referencing the OpenVPN server associated with the SysAdmin Pro VPN connection to FreePBX support.

Thank you, it wasn’t obvious what the “Open VPN” was referring to. I see it now in the module admin list.

Not sure if you’ve tried this. I tried it on the asterisk box to no avail, then I set up an independent ubuntu install and did this and it worked great after forwarding 1194 from the firewall. Eventually though I just used Untangle’s openvpn, modifying the files to match what was coming from ubuntu’s format, importing the certificates manually to the phone, and it works through untangle now. You’re right, it’s nice to be able to ship phones fully configured, have them plug and play and sleep better at night not worrying about security.

http://www.yealink.com/Upload/T2X/20131125/OpenVPN_Feature_on_Yealink_IP_Phones.pdf

OpenVPN is preinstalled on the Distro.

If you want to set it up manually, and if you want a client-server model (one server, with multiple clients connecting), follow these instructions (but start from “Setting up your own Certificate Authority (CA) and generating certificates and keys for an OpenVPN server and multiple clients”):

https://openvpn.net/index.php/open-source/documentation/howto.html

Or if you want a simple site-to-site setup, follow these instructions (but start from “Build A Pre-Shared Static Key”):

https://openvpn.net/index.php/open-source/documentation/miscellaneous/88-1xhowto.html

Again, if you are using the Distro, OpenVPN is already installed so you can skip the portions of these instructions discussing how to install…

I will hop-in because VPN is something I know very well.

Look, I hope no one here has FreePBX configured on a computer directly connected to the internet (with a public IP address). If that is the case, you already have a device, hopefully a Linux device, that does the NATing, firewalling and some routing for your LAN.

Well, it is in that device that you should set up OpenVPN. No need to port-forward anything but you do need to understand how routing works. My advice is: use TUN and search for “topology subnet” as the modern way (but not the default way) of setting OpenVPN up, especially if you plan to connect many clients over OpenVPN.

If you have many offices and need inter-office traffic to be always on, I recommend TINC VPN instead because of its mesh capabilities. I personally use TINC to connect all main offices and OpenVPN for end-users because OpenVPN is more widely available on end-user devices/sip phones.

If your current firewall is not up for the job, I recommend you search for OpenWRT if you have a WiFi router as firewall or if it is a PC search for Shorewall (on top of whatever supported OS you prefer).
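The router-hosted layout described in the post above, as an added example that is not part of the thread and not the Distro’s own configuration: a TUN server config using “topology subnet”, the handful of netfilter rules the router needs (no port forwarding, since the tunnel terminates on the router itself), and a small audit that flags a server.conf still running on the legacy net30 default. Every address, interface name and file path is an assumption for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed addressing and interfaces:
VPN_NET="10.8.0.0"          # VPN subnet handed to clients (10.8.0.x)
VPN_MASK="255.255.255.0"
LAN_NET="192.168.1.0"       # office LAN behind the router
LAN_MASK="255.255.255.0"
WAN_IF="eth0"               # internet-facing interface on the router
LAN_IF="eth1"               # LAN-facing interface on the router
PBX_IP="192.168.1.10"       # FreePBX box on the LAN

# OpenVPN 2.x server config. Certificates and keys come from the CA steps in
# the linked howto; the routing-relevant lines are the point here.
openvpn_server_conf() {
  cat <<EOF
port 1194
proto udp
dev tun
# one flat /24 for all clients instead of the legacy /30-per-client (net30)
topology subnet
server $VPN_NET $VPN_MASK
# clients learn the LAN route through the tunnel
push "route $LAN_NET $LAN_MASK"
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
# HMAC on the control channel: packets without the shared key are dropped early
tls-auth /etc/openvpn/ta.key 0
auth SHA256
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
verb 3
EOF
}

# Netfilter rules for the router. The router is the LAN's default gateway, so
# replies from $PBX_IP to 10.8.0.x route back on their own: no NAT, no DNAT.
# Phones on the VPN may only talk to the PBX, not to the rest of the LAN.
router_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i $WAN_IF -p udp --dport 1194 -j ACCEPT
iptables -A FORWARD -i tun0 -o $LAN_IF -s $VPN_NET/24 -d $PBX_IP -j ACCEPT
iptables -A FORWARD -i $LAN_IF -o tun0 -s $PBX_IP -d $VPN_NET/24 -j ACCEPT
iptables -A FORWARD -i tun0 -j DROP
iptables -A FORWARD -o tun0 -j DROP
EOF
}

# Audit an existing server.conf: without "topology subnet" OpenVPN falls back
# to net30, which burns a /30 per client and trips up some clients' routing.
check_topology() {
  if grep -q '^topology subnet' "$1"; then
    echo "ok: $1 uses topology subnet"
    return 0
  fi
  echo "warn: $1 has no 'topology subnet' line; legacy net30 addressing is in effect" >&2
  return 1
}

case "${1:-show}" in
  show)  openvpn_server_conf; echo; router_rules ;;
  audit) check_topology "${2:-/etc/openvpn/server.conf}" ;;
esac
```

Run it with no arguments to review the generated config and rules, redirect `openvpn_server_conf` into `/etc/openvpn/server.conf` once the paths are adjusted, and use `audit` against an existing config. Phones that need the whole LAN (for example a provisioning server elsewhere) need their own FORWARD line; the default here is deliberately narrow.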

I’m curious, what’s so much better about having a separate linux box be the firewall, instead of simply having the FreePBX box on the public IP and using its built-in firewall? I would figure you’d want to avoid NAT as much as possible, and with some simple preventative measures, you’d prevent any major catastrophes. Do you think I’m vulnerable if I do the following?

In sshd_config…

  • Change SSH port

In Asterisk settings…

  • Change SIP port
  • Change RTP range to start at some random point above 10000

In iptables…

  • Only allow SSH & HTTP port connections from your own IP Address and perhaps one other backup IP address
  • Deny ALL inbound traffic other than the new SIP port and RTP range
  • Ensure fail2ban is watching SSH and SIP logs and changed from default settings (increase the time in which failed logins are counted against a ban, and increase bantime to 100 years)

In your VOIP provider settings…

  • Disable international calls
  • Do not use SIP Registration, use IP based call authentication.
  • IF international calls are needed, use a strict whitelist of only the countries you need to call

If your routing/firewalling needs are that simple and you know your way to setup safe netfilter (iptables) rules then sure, go for it and plug your FreePBX box directly to the internet.

However, keep in mind that:

  1. Changing the default port for a service like SSH, SIP, etc gains you very little (security through obscurity);

  2. I would disable SSH root login and also disable SSH password logins (certificate-based auth only);

  3. Make sure you buy Sysadmin Pro and keep your FreePBX box updated (both system updates and module updates). And remember that FreePBX is not updated automatically;

  4. You will not be able to use FreePBX’s awesome firewall module because it is intended for boxes that are not doing routing. Once you enable forwarding and turn your box into a router your firewalling needs change a lot (masquerading, routing rules, port forwarding, etc) and you will be on your own;

So yes, you can have FreePBX directly connected to the internet, it is possible to keep it safe and it is possible to set it up as a functional router. However, there are better tools out there for routing+firewalling job and by using the right tools you avoid wasting time and reduce the chance of making mistakes.

I think it is so easy and cheap to run virtual machines today, and if you know how to setup routing rules there is no need to fear NAT issues. So I see no reason to have FreePBX distro running anything other than its own PBX-related services. Let all other tasks be handled by other VMs or the host.

Good luck!
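The directly-connected hardening checklist from the question and the additions in the reply above (key-only SSH, no root login), as an added example that is not from the thread and not FreePBX’s own firewall module: it renders an sshd fragment, a default-deny iptables ruleset with admin-only SSH/HTTP and open SIP/RTP, and a fail2ban jail, plus a self-check that SSH is never reachable from an unrestricted source. Admin addresses, ports and file paths are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values:
ADMIN_IPS="203.0.113.5 198.51.100.7"   # admin address and one backup address
SSH_PORT="22"            # moving it is optional; it is not a security control
SIP_PORT="5060"          # Asterisk SIP port (UDP)
RTP_FIRST="10000"        # RTP range, must match Asterisk's rtp.conf
RTP_LAST="20000"
BANTIME="3153600000"     # the "100 years" from the checklist, in seconds

# sshd settings: keys only, no root login. Append to /etc/ssh/sshd_config on
# releases without an sshd_config.d directory.
sshd_hardening() {
  cat <<EOF
Port $SSH_PORT
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
EOF
}

# Default-deny inbound; SSH and the web UI only from $ADMIN_IPS; SIP and RTP
# open because remote phones and the trunk provider must reach them. If every
# phone arrives over a VPN and the trunk uses IP auth, add -s <provider> to
# the SIP/RTP lines too.
pbx_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
  for ip in $ADMIN_IPS; do
    cat <<EOF
iptables -A INPUT -s $ip -p tcp --dport $SSH_PORT -j ACCEPT
iptables -A INPUT -s $ip -p tcp -m multiport --dports 80,443 -j ACCEPT
EOF
  done
  cat <<EOF
iptables -A INPUT -p udp --dport $SIP_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $RTP_FIRST:$RTP_LAST -j ACCEPT
EOF
}

# fail2ban jail.local: count failures over a whole day, ban effectively forever.
# On the Distro the System Admin module manages fail2ban, so set these there.
fail2ban_jail() {
  cat <<EOF
[DEFAULT]
findtime = 86400
bantime = $BANTIME
maxretry = 3

[sshd]
enabled = true
port = $SSH_PORT

[asterisk]
enabled = true
port = $SIP_PORT
EOF
}

# Self-check: true (exit 0) if any SSH rule lacks a source restriction.
ssh_exposed() {
  pbx_rules | grep -- "--dport $SSH_PORT" | grep -qv -- '-s '
}

case "${1:-show}" in
  show)  sshd_hardening; echo; pbx_rules; echo; fail2ban_jail ;;
  check) if ssh_exposed; then echo "SSH reachable without -s restriction" >&2; exit 1; fi
         echo "ok: SSH limited to admin addresses" ;;
esac
```

Run `sh harden.sh` to review the output and `sh harden.sh check` before applying anything; apply the iptables lines from a console or from one of the admin addresses, since a default-deny policy loaded over SSH from anywhere else ends the session, and persist them with `iptables-save` afterwards. The sshd fragment takes effect on the next `sshd` reload, so confirm key login works in a second session before closing the first.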
