Sangoma S500 VPN Connection

Is their a wiki/guide on how to connect these phones through VPN?

Hello all:

I’ve read through the WIKI and checked settings 4 or 5 times. My head is ready to explode. I’m feeling beaten by this VPN thing in FreePBX 13 and don’t know what is wrong. Sangoma phone says VPN activated but I don’t believe it because the phone’s info page says ‘VPN IPv4 address: File not exist’

FreePBX is v13 with all updates as of last night
PBX is behind a dedicated firewall on a particular WAN subnet
My own network is on a different WAN subnet and has been allowed access as necessary.
Port UDP:1194 is forwarded (NAT and FW)
VPN server is enabled and configured
VPN client settings are configured
UCP works except for the red bar that says 'xhr poll error’
I can’t get registation through VPN and, honestly, it looks like VPN is not connected.

can someone help save my sanity?

Thanks much,

Under Sysadmin, VPN server, it will also tell you what clients are connected and their respective vpn ip addresses.

The UCP error hints that you don’t have the proper ports forwarded, (which may be the issue for your vpn as well). Under Settings, Advanced settings, find out what port the UCP Node Server is using, and ensure it is forwarded as well.

Thanks Lorne.

You’re right - VPN client doesn’t have an address under SysAdmin > VPN Server.
TCP:8001 is what nodejs server uses and it’s been forwarded.

Incidentally, I enabled HTTPS access, for remote management, on the server? Could that be conflicting with VPN?

Even though UCP gives the red bar error, I’m still able to d/l the client file I’ve renamed it to client0.tar to be able to import into the S500. The file contains 4 files prefixed with sysadmin* - ca.crt, client0.conf, client0.crt, and client0.key.

I can ping the PBX VPN server address from the CentOS console -
I’ve specified the remote server address as the WAN address of the firewall.

Any other thoughts?

You don’t need to download the vpn client zip file for a Sangoma phone, 100% of the phone config is done via Endpoint Manager. Once the VPN client has been created and linked to a user in User Manager, then the option to use the VPN for that user’s extension will show up in EPM.

How cal I tell the S500 to make a VPN connection if I don’t d/l the VPN config files?

The VPN wiki page noted above has the steps to set up a VPN:

At the bottom of that page is a link to the EPM wiki page which explains how to provision the phone:

Yup, I’ve seen those WIKI’s and followed them through - to the letter. Still no joy. Can you think of some things that I might be missing, especially if they’re not in the WIKIs?

Other things that might be relevant:

  • HTTPS setup is configured using a self-signed certificate
  • Support VPN is not running but there is a ‘config error’ message that says “It seems that you are missing the necessary files to start OpenVPN. Click “Run Setup” to install those files now” Clicking ‘Run Setup’ appears to do nothing.
  • From the PBX, I CAN ping, which is supposed to be the address of the OpenVPN server
  • FreePBX Firewall is disabled b/c I have a dedicated firewall router in front of the PBX
  • PBX version is 10.13.66-11


Well… finally got it working but not without some good help from Sangoma. Here are the highlights.

First - the above referenced WIKIs are correct, afaik. There are no instructions which I changed.

Second - For Zero-Touch configuration to work, the Sangoma phones MUST be added into the Schmooze portal beforehand and linked to a specific deployment ID. The phones are configured to check the portal for a specific deployment ID for the phone’s MAC after which things should just work with zero hassle. My phone shipped without being linked to a deployment ID and so didn’t know where to get it’s config from. This is not documented anywhere. Of course, anyone can go into the phone’s Management > Auto Provision menu and set the PBX’s WAN IP URL. That would technically not be Zero Touch but that’s how I did it and it’s working. I.E. https://xx.xx.xx.xx:83

Third - Change to HTTP provisioning and open port 83 on the firewall. I’m not using the Smart Firewall, but it should handle that automatically. At this point, the phone was able get configs from my PBX. But VPN would not activate.

Fourth - and maybe this was not the issue but VPN now works after doing this one weird trick :slight_smile:
Per supports suggestion, I switch from PJSIP to SIP and recreated the extension I was testing with. I was advised to delete the extension then re-add it as SIP.

All good now. Thanks to Robert K for his help


So there is probably a few things still in play here:

  1. Whether you have the zero-touch provisioning redirect done in the portal or not, would have no effect on whether the phone can successfully vpn. It is an option for users to facilitate provisioning, but is not required.The Zero Touch feature is documented, please take a moment to go through the phone wiki here: the first few links show how to set up zero-touch. If you find these docs incomplete or needlessly complex, that is feedback that would be useful.
  2. In your third step you note that you must provide access to the provisioning server, which of course is a requisite for using EPM. If you are using the FreePBX Firewall, you also must ensure that it is also configured properly for exterior access.
  3. Step 4 is a puzzle. I don’t have an S500, but the S300 and S700 will register to both chan_sip and PJSIP with or without the vpn. In fact, while testing I managed to get a VPN IP without working SIP credentials at all, I don’t believe the vpn relies on the SIP registration in any way. If this is repeatable with a fresh config from factory default please file a bug report with the steps to reproduce.

Hi Lorne:

Sorry it’s taken so long to respond. I had a fresh deployment but were not ready to roll-out our 3 remote extensions until now. You’re right of course - VPN works fine with SIP or PJSIP. I understand now a little more about the overall process having setup 8 remote phones thus far.

But, on this fresh deployment the VPN deamon wasn’t running and no ‘tun’ adapter was found. Support, once again, saved me - Thanks to Giti. The reason I’m posting this here is because it seems related to the original issue. Giti said that it was necessary to set our vpn information on your server (Sangoma?) so do a re-activation to get new info. Admittedly, I have no idea what this means. Could you elaborate, please?

Thanks again