Remote handset advice

When we started rolling out Asterisk/FreePBX (FreePBX distro - currently a mix of 5.211.65 and 6.12.65), we made the decision to not open the boxes up to the Internet. We have been using softphones over a Cisco client VPN connection for all one-off remote users and site-to-site Cisco VPN tunnels for remote offices. This has worked well but we are getting more and more requests for desktop handsets for some remote users and have not settled on a solution yet.

As you can see, on the networking side, we are a Cisco shop and, for good or bad, that is out of my hands. From what I’ve found, outside of Cisco handsets, OpenVPN is the most supported solution with VoIP handsets. Talking with several others about handsets with built-in VPN support, Snom has been recommended to us and I have several in-house now to test with.

Before I get started and re-create the wheel, I want to air-out my plan in the forum and let y’all poke any holes in it that you might see. Here’s a bird’s eye view of what I’m thinking -

Install OpenVPN on the FreePBX box.
Configure OpenVPN and Snom phones (following guides I have found in the forum)
Open ports in our ASAs for open VPN (UDP 1194 for what I see at a quick search)

Questions -
Am I missing anything obvious?
I see that OpenVPN can be used for Schmooze support, will installing and configuring for remote phones cause any issues with this?
Any gotcha’s that anyone has run across doing this?
Is there a better way than what I’m thinking (without opening the FreePBX box to the Internet)?



The Yealinks are the easiest to configure for OpenVPN. They have a client with full logging capability.

Drop a small Microtik router on the client side, this can support a several phones depending on the router model you purchase. Several smaller models to choose from and not expensive

The benefit besides being able to setup the VPN on the router, is you can also get DHCP that defines boot 66 (most inexpensive routers don’t do that), allowing the phone to provision to the phone system ( this to me helps manage all the phones a little easier instead of hand configuring).
Also, you can put any phone you like on the other side so that the vpn option doesn’t have to be built in to the phone.

One other note, with that router you put it in DHCP mode, and the router itself gets an IP off whatever network you plug it in to and then provides appropriate settings to the devices, so you can literally pick it up from one location, drop it in place and your running.

It just depends on what’s most important to you in the selection process.