OpenVPN not working on new Distro builds

Among other issues I’ve been having with new builds this week, I cannot get any phones to attach via VPN configured in EPM.

I have an older established system from earlier this summer using D65/D62 phones and this works fine. If I add a new PJSIP extension to this existing system and then take a phone in my office and configure it to connect, it will get the config and connect via the VPN no problem.

The new system I built this week however won’t allow VPN connections for some reason. All settings on the two systems appear identical as far as I can tell. At first I thought it was the P315 phones as I hadn’t used them before, but even my test P315 will connect to the older system but not to any new systems I build.

I don’t know where in the back end to look for logs to see what’s going on so if anyone has that info I’d really appreciate it.

I’ve now rebuilt 3 systems of FreePBX distro 15 from scratch and all 3 will not allow VPN connections from either a D62 or P315 phone that will connect to other older builds.

The phones connect fine without the VPN. If I go into EPM > extension mapping and edit the extension to specify the VPN client, then rebuild and update phone, the phone updates, reboots and then fails contacting proxy.

I’m open to suggestions…

Question: does it matter what order settings are created in when using the built-in VPN server? So for instance, do you have to activate the VPN server first, then create the extensions, then alter/apply the settings in user management (with regard to VPN)?

Or does it not matter as long as after any changes you rebuild the config files in EPM??

Something is definitely screwy here or I’m missing something stupid and simple.

If anyone can spin up a new FreePBX Distro 15 and see if they can get the built in VPN to work (or not work) to confirm I’m not crazy that would be awesome.

In Vultr I took a snapshot of a system that has working VPN phones and then loaded that snapshot on a new Vultr VM. Changed the appropriate network settings and I can get phones to connect via VPN. Build a new server and I can’t.

New install this morning again from scratch:
FreePBX 15 Distro
Did not do the full battery of module and system updates during install, no firewall turned on
Updated EPM module only because I needed P315 support
Installed a certificate on the system, made it the default
Set up one extension, added MAC address under Other tab to create EPM entry
change PJSIP Port to 5070 in Advanced > SIP Setting
reboot system to make sure Asterisk restarts with PJSIP port 5070
set up EPM Global settings
set up EPM sangoma phone profile for P315
Set up DPMA
set up VPN Server
set VPN permissions in user management

set up phone to connect without vpn, phone connects, gets config.
enable VPN on phone in EPM > Extension Mapping, assign VPN profile in EPM > Extension mapping
rebuild config and Update phone

Phone gets config, updates, reboots and fails trying at:

sip:[email protected]:5070,transport=udp

I’m at a loss here… Either something is very broken or I’m missing something really simple but I can’t see what. I suspect the latter but I’ll be damned if I can see it.

Try changing from UDP to TCP. I have also had issues with phones dropping inbound calls anywhere between 30 and 120 seconds but outbound calls are just fine. When I change from UDP to TCP all my issues seem to go away.

I have also had strange issues with the VPN connection just dropping and reattaching for no reason that I can find. I also found that if I just used the Firewall and Fail2ban in Asterisk and did not use the firewall on Vultr or DigitalOcean, it helped with these issues as well.

This isn’t a dropout issue, I can’t even connect. I’ve even tried with NO firewalls involved to eliminate that possibility. The most frustrating part is that I can’t find logging anywhere to tell me what if anything is happening with the phones that are trying to connect. I can’t believe that there isn’t a log somewhere.

Working with Sangoma Support now… They suggested I download the openvpn client file from UCP and try to connect from my pc. Did that, it works perfectly… no problem, right in.

Phones still won’t connect to any new system I build… pulling my hair out here.

Not sure what phones you are using but you can use the same files from the UCP for most phones and ATA. I just tested and I had to fiddle with it for the iPhone. On my Sangoma phones it works for me either through the Endpoint Management or via the web interface on the phone.

Using Sangoma P315 phones for the particular installation that I’m dealing with at the moment. Usually I use the D series phones. Sangoma support confirmed a bug in the way the TLS connection is handled (no other details unfortunately) between system admin and the phones. They’ve opened a ticket with development supposedly (no other details unfortunately). Waiting to hear back if they have any info on a workaround.

Just got a reply from support, the bug appears to be in EPM. They suggested downgrading to version of EPM.

Testing that now.

Downgraded EPM, rebuilt the configs…

didn’t work…

Factory reset phone, rebuild configs in EPM, tried again. Didn’t work.

@ashcortech please try with the EDGE version of EPM released today (endpoint v15.0.41.11)

Will do, but may not be until Sunday.

@spioli any instructions other than to upgrade to the edge version of EPM? Do I need to re-create extensions or re-do the vpn settings?

Or is it just upgrade, re-create the configuration and go?

Upgrade EPM to edge, rebuild the phone config in EPM and apply config then reprovision the phone. Worked for me on the first try.

As an aside, if you’re using zero-touch redirect AND the phone vpn client together, we are seeing a conflict with those two things enabled at once. Choose just one for now.


