Sangoma S500 VPN Connection

Is there a wiki/guide on how to connect these phones through VPN?

http://wiki.freepbx.org/display/PHON/Connecting+Phone+to+use+PBX+VPN

Hello all:

I’ve read through the WIKI and checked settings 4 or 5 times. My head is ready to explode. I’m feeling beaten by this VPN thing in FreePBX 13 and don’t know what is wrong. Sangoma phone says VPN activated but I don’t believe it because the phone’s info page says ‘VPN IPv4 address: File not exist’

FreePBX is v13 with all updates as of last night
PBX is behind a dedicated firewall on a particular WAN subnet
My own network is on a different WAN subnet and has been allowed access as necessary.
Port UDP:1194 is forwarded (NAT and FW)
VPN server is enabled and configured
VPN client settings are configured
UCP works except for the red bar that says 'xhr poll error'
I can’t get registration through VPN and, honestly, it looks like VPN is not connected.

Can someone help save my sanity?

Thanks much,

Under Sysadmin, VPN server, it will also tell you what clients are connected and their respective vpn ip addresses.

The UCP error hints that you don’t have the proper ports forwarded (which may be the issue for your vpn as well). Under Settings, Advanced settings, find out what port the UCP Node Server is using, and ensure it is forwarded as well.

Thanks Lorne.

You’re right - VPN client doesn’t have an address under SysAdmin > VPN Server.
TCP:8001 is what nodejs server uses and it’s been forwarded.

Incidentally, I enabled HTTPS access, for remote management, on the server. Could that be conflicting with VPN?

Even though UCP gives the red bar error, I’m still able to d/l the client file client0.zip. I’ve renamed it to client0.tar to be able to import into the S500. The file contains 4 files prefixed with sysadmin* - ca.crt, client0.conf, client0.crt, and client0.key.

I can ping the PBX VPN server address from the CentOS console - 10.8.0.1.
I’ve specified the remote server address as the WAN address of the firewall.

Any other thoughts?

You don’t need to download the vpn client zip file for a Sangoma phone, 100% of the phone config is done via Endpoint Manager. Once the VPN client has been created and linked to a user in User Manager, then the option to use the VPN for that user’s extension will show up in EPM.

How can I tell the S500 to make a VPN connection if I don’t d/l the VPN config files?

The VPN wiki page noted above has the steps to set up a VPN:
http://wiki.freepbx.org/display/PHON/Connecting+Phone+to+use+PBX+VPN

At the bottom of that page is a link to the EPM wiki page which explains how to provision the phone:
http://wiki.freepbx.org/display/FPG/EPM-Admin+User+Guide#EPM-AdminUserGuide-VPN

Yup, I’ve seen those WIKIs and followed them through - to the letter. Still no joy. Can you think of some things that I might be missing, especially if they’re not in the WIKIs?

Other things that might be relevant:

  • HTTPS setup is configured using a self-signed certificate
  • Support VPN is not running but there is a ‘config error’ message that says “It seems that you are missing the necessary files to start OpenVPN. Click “Run Setup” to install those files now” Clicking ‘Run Setup’ appears to do nothing.
  • From the PBX, I CAN ping 10.8.0.1, which is supposed to be the address of the OpenVPN server
  • FreePBX Firewall is disabled b/c I have a dedicated firewall router in front of the PBX
  • PBX version is 10.13.66-11

Thanks.

Well… finally got it working but not without some good help from Sangoma. Here are the highlights.

First - the above referenced WIKIs are correct, afaik. There are no instructions which I changed.

Second - For Zero-Touch configuration to work, the Sangoma phones MUST be added into the Schmooze portal beforehand and linked to a specific deployment ID. The phones are configured to check the portal for a specific deployment ID for the phone’s MAC after which things should just work with zero hassle. My phone shipped without being linked to a deployment ID and so didn’t know where to get its config from. This is not documented anywhere. Of course, anyone can go into the phone’s Management > Auto Provision menu and set the PBX’s WAN IP URL. That would technically not be Zero Touch but that’s how I did it and it’s working. I.E. https://xx.xx.xx.xx:83

Third - Change to HTTP provisioning and open port 83 on the firewall. I’m not using the Smart Firewall, but it should handle that automatically. At this point, the phone was able to get configs from my PBX. But VPN would not activate.

Fourth - and maybe this was not the issue but VPN now works after doing this one weird trick 🙂
Per support’s suggestion, I switched from PJSIP to SIP and recreated the extension I was testing with. I was advised to delete the extension then re-add it as SIP.

All good now. Thanks to Robert K for his help.

So there are probably a few things still in play here:

  1. Whether you have the zero-touch provisioning redirect done in the portal or not, would have no effect on whether the phone can successfully vpn. It is an option for users to facilitate provisioning, but is not required. The Zero Touch feature is documented, please take a moment to go through the phone wiki here: http://wiki.freepbx.org/display/PHON/ the first few links show how to set up zero-touch. If you find these docs incomplete or needlessly complex, that is feedback that would be useful.
  2. In your third step you note that you must provide access to the provisioning server, which of course is a requisite for using EPM. If you are using the FreePBX Firewall, you also must ensure that it is also configured properly for exterior access.
  3. Step 4 is a puzzle. I don’t have an S500, but the S300 and S700 will register to both chan_sip and PJSIP with or without the vpn. In fact, while testing I managed to get a VPN IP without working SIP credentials at all, I don’t believe the vpn relies on the SIP registration in any way. If this is repeatable with a fresh config from factory default please file a bug report with the steps to reproduce.

Hi Lorne:

Sorry it’s taken so long to respond. I had a fresh deployment but we were not ready to roll out our 3 remote extensions until now. You’re right of course - VPN works fine with SIP or PJSIP. I understand now a little more about the overall process having set up 8 remote phones thus far.

But, on this fresh deployment the VPN daemon wasn’t running and no ‘tun’ adapter was found. Support, once again, saved me - Thanks to Giti. The reason I’m posting this here is because it seems related to the original issue. Giti said that it was necessary to set our vpn information on your server (Sangoma?) so do a re-activation to get new info. Admittedly, I have no idea what this means. Could you elaborate, please?

Thanks again