Using VPN on Capable Phones

Hello,

We use FreePBX Distro in a hosted environment, using primarily one hosted virtual private server per customer. We use iptables to secure everything down to the trusted list of IP addresses for port 80, 443, 5060, 4445, 5038, etc.

We exclusively use Yealink phones because of their support for OpenVPN connections and their excellent price/features. We have several customers who use these phones from home, and rather than have to know their home IP address to add to the whitelist of iptables in the PBX, we simply allow them to VPN in on port 1194 for OpenVPN to connect and register.

After seeing several customers use the VPN connections without a problem, it made me wonder… what if we configured all phones to use OpenVPN to allow them all to register “locally” to the PBX through the VPN? Then we simply configure QoS on the firewall where the phones reside to give port 1194 (OpenVPN) highest priority. This then allows any IP address with the trusted VPN certificates to connect from any location, and solves the problem of taking their phone to another customer’s premises that blocks 5060 direct out. This way we can even use the phones at Starbucks should we desire, and their firewall wouldn’t block it. Additionally, this would then encrypt all voice traffic through the VPN connection to add a selling point of encrypted voice traffic between the phone system and each endpoint.

Technically, I know we can do this and it will not be a problem, but does anybody else who knows more about Asterisk than I know of a reason not to pursue this? Are there any red flags I should be aware of?

Since you already have customers where it’s working without issue, you’ve pretty much confirmed that it’s going to work the way you want. A few theoretical things to keep in mind would be:

  1. The more clients you have connecting to an OpenVPN server, the more load you put on the server. This is especially true if you’re doing encryption on the VPN. Each client requires its own decryption/encryption process, which takes server resources. As long as your virtual server has enough resources allocated to it to handle the number of clients, it shouldn’t be an issue, but in theory at least it’s something to be aware of that wouldn’t be there without the VPN.
  2. Some home routers (cheap ones especially) may not properly pass the VPN traffic through to the phone. Having said that, those same routers probably wouldn’t properly pass the SIP traffic through to the phone either, so I don’t think that’s really a point of contention.
  3. VPN encoding does add a slight amount of overhead traffic (and thus latency in processing), which could in theory have an impact on your voice quality. Realistically though, since you’ve confirmed a number of users running without issue, and you’ve set up QoS to prioritize the VPN traffic, you shouldn’t have a problem. Just be aware that if the user connects a PC to the LAN port of the phone and you haven’t locked down the LAN port, that PC will now have access to the VPN network.

All in all though I’m not aware of any major downsides to your proposed plan, especially given the benefits it’s going to provide from a management perspective.
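One way to put the original poster’s iptables whitelist and the LAN-port caveat from point 3 into practice, as an added example that is not from this thread or from FreePBX: the script prints the iptables commands for review rather than applying them, exposes only OpenVPN to the internet, keeps the management ports on the trusted list, and lets VPN clients reach nothing but SIP and RTP, so a PC plugged into a phone’s LAN port cannot get to the GUI or AMI. The trusted addresses, the `tun0` interface name and the `10000:20000` RTP range are assumptions.

```shell
#!/bin/sh
# Hypothetical helper: prints an iptables ruleset for a hosted FreePBX VPS
# whose remote Yealink phones register over OpenVPN. Review the output, then
# run it as root. All addresses below are constructed examples.

TRUSTED_NETS="203.0.113.10 198.51.100.0/24"  # constructed office addresses
TCP_PORTS="80 443 4445 5038"                  # GUI, HTTPS, UCP, AMI (per the OP)
VPN_IF="tun0"                                 # assumed OpenVPN tunnel interface
RTP_RANGE="10000:20000"                       # assumed FreePBX RTP port range

pbx_rules() {
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"   # the PBX must not route between VPN clients and anything else
    echo "iptables -A INPUT -i lo -j ACCEPT"
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"

    # OpenVPN is the only service reachable from arbitrary source addresses.
    echo "iptables -A INPUT -p udp --dport 1194 -j ACCEPT"

    # Management and direct SIP stay restricted to the trusted list.
    for net in $TRUSTED_NETS; do
        for port in $TCP_PORTS; do
            echo "iptables -A INPUT -s $net -p tcp --dport $port -j ACCEPT"
        done
        echo "iptables -A INPUT -s $net -p udp --dport 5060 -j ACCEPT"
        echo "iptables -A INPUT -s $net -p tcp --dport 5060 -j ACCEPT"
    done

    # VPN clients get only what a phone needs: SIP signalling and RTP media.
    echo "iptables -A INPUT -i $VPN_IF -p udp --dport 5060 -j ACCEPT"
    echo "iptables -A INPUT -i $VPN_IF -p tcp --dport 5060 -j ACCEPT"
    echo "iptables -A INPUT -i $VPN_IF -p udp --dport $RTP_RANGE -j ACCEPT"

    # Anything else arriving over the tunnel (e.g. a PC on a phone's LAN port
    # probing the GUI or AMI) is logged for the SOC and dropped.
    echo "iptables -A INPUT -i $VPN_IF -j LOG --log-prefix \"vpn-denied: \""
    echo "iptables -A INPUT -i $VPN_IF -j DROP"
}

pbx_rules
```

The `vpn-denied:` kernel log lines are a cheap detector for exactly the LAN-port scenario described above.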

Thank you, jolouis. I will definitely take into account these considerations. The primary concern is CPU cycles being used, since this is a hosted VPS to begin with… I certainly like the manageability and centralized port number (1194 for all phones to connect through)… and the phones are still provisionable through OpenVPN…

But rather than having 25 VPNs (one for each extension on a 25-extension PBX, for example), it would probably make more sense to use a VPN router that can pass this connection along; then, for the phones that support VPN directly on the device and are remote or behind a non-VPN-capable firewall or one we cannot manage, we could tell those physical phones to connect directly through the VPN, like we are already doing.

I’ll think some more on this… the nerd in me wants to test this theory out to observe the impact it makes, but I don’t necessarily have downtime to config 25 phones to have their own VPN connection straight to a hosted PBX, using encrypted SSL. So I’ll just ignore my urges for the time being.

Thanks again