I need some help getting zero touch configuration working for remote users. I am currently testing with Sangoma s305. I have been able to set up OpenVPN and have a template that will allow a phone to connect via VPN successfully. If a phone is first provisioned on the PBX LAN, it will work fine when moved to a remote location. However, provisioning fails when initiated fully remote. I end up with a “blank” template of some sort.
I currently have ports 1194, 83-84 forwarded to my FreePBX server.
The issue seems to be with the Sangoma Smart Firewall settings. If eth0 of the FreePBX server is set to internet then remote provisioning fails. If however I set it briefly to trusted then remote provisioning occurs. I have whitelisted my internal LAN subnet so that would explain why provisioning works internally but not externally. I feel like I just want to allow the provisioning ports through the SRF but don’t see how to do that. Any suggestions on how to properly configure this would be appreciated.
When remotely provisioning the first time, the best way to ensure the firewall does not get in the way is to whitelist the external IP in the Firewall and Intrusion Detection.
Thanks for the comment but no luck. I can use zero touch to provision a phone and connect the VPN while on the LAN, move out of the network and everything works fine. But nothing I have tried allows for a full remote provision. The phone gets the settings but the VPN never connects. I had tried previously the whitelisting you suggested without any success.
Pretty frustrated as this is a key feature I am going to need if I use this platform for my clients. I have spent many hours on it without success. I was hoping for more input here but nothing but crickets…
I set all this up initially by following the VPN wiki instructions. The wiki instructions do not mention this issue with the template configuration. I also found a (truly horrible) video on YouTube posted by Sangoma about configuring the OpenVPN client on their phones. In the video, the engineer incorrectly formats the provisioning address as Public_IP:84 which sent me in the wrong direction for way, way too long.
Also since finally solving the problem I did find a couple of posts from someone else that confirmed the fact that for whatever reason “External” does not work and you must choose “Custom” with the properly formatted address. Hope this helps someone.
As I mentioned above choosing “External” in the template does not work. For some reason “Custom” must be chosen. Others have experienced the same issue.
Thanks for the input!
Can you provide a sanitized screenshot of the Global Settings page?
I am interested in what you are putting in the external section.
It should only be an FQDN or IP address. You should not declare a specific protocol or port.