VPN PoE endpoint "blackbox"

Some phones have built in VPN clients, cool, but often limited in their VPN support. Plus this may be mostly needed for a device in a random remote location, on a LAN without PoE.

So, I’m looking for a little magic box ™ which:

  • provides a single PoE output to power a phone (proper PoE, not passive nonsense)
  • makes an IPSec VPN connection to our corporate network

So, plug the box into the network and a wallwart power supply, plug the phone into the box, phone “just works”

So far, I’m not finding anything ‘just right’. Has anyone done anything suitable? How do you deal with remote extensions for a corporate PBX?

So you’re looking for a VPN “appliance” that can (as an option) provide POE?

Interesting. A little crazy, but interesting :wink:

Normally, one would drop a small POE switch onto the network at the remote location and connect it to a Firewall, so something like a Linksys POE Switch ($50) or POE Injector (also about $50) connected to a remote VPN Firewall (Linksys BEFSX41 might be a good choice there). You could probably do it for $200, assuming you can get the phone cheap.

Now - if you’re a brave sort, you can do the POE injector yourself using a small black box and a wall wart, which would reduce your cost considerably. Even braver, you can rewire the ports on the router to provide your POE directly (soldering and chopping required).

Pretty much yeah, but as compact as possible.
Ideally of course, one could just plug a pre-configured handset into any network socket and it would work like it was in the office, but that’s not happening because of firewalls and most sockets don’t supply power.

So, a small box that sits in between the phone and the network, and one power supply, is the goal.

A small router like the Mikrotik device would do it, but it provides only passive PoE and I can’t see the working with a class 3 device. Easy fix would be to combine the mini router with a mini poe switch and duct tape them together, but that needs two power sockets and loses out on the ‘elegant solution’ measurement!

Mikrotik actually say they may make a proper 802.3af device in the future, but don’t have one right now.

Linksys did (or maybe does) sell a POE injector that is small (about the size of a big pack of gum) that can sit anywhere in the line between the router and phone. I’ve got one for a Polycom phone that I was playing with last year. I’ve also used them for POE wireless access points and a couple other devices. If you’re budget is ridiculous, Cisco actually makes one too.

Most of the stuff I was looking at when I wrote the last response is small - paperback book size at biggest. I’m sure there’s a way to get pretty close with some pretty small equipment. Of course, a router that did both would be cool, but I just don’t know of a way to get there from here right now.

I found this and ordered one:-


no PoE but you only need two pairs for the ethernet :slight_smile: so


Be careful with the CCTV splitters - the ones I use only use the blue pair for data and transmit power over the other three pairs.

yeah, never been a fan of poe injectors for that reason.
My current thinking is to just buy the overpriced cisco power supply for the phone and strap a tiny router to it.

Stumbled across the Next WT1520 on eBay for almost no money, it supports DDWRT so I can reflash it and make it connect an IKEv2 vpn. A little hack-y but should work fine. I’ll keep my eyes open for an all-in-one though.

1st a disclosure - I work for Sangoma. That said I went thru my lab with my new phone ( S300 ) to make use of the new OpenVPN panel in System Admin Pro module. Basically, I enabled VPN Server added a “client” and then in User Management assigned that user that VPN client. Then as a last step go to extension mapping in End Point Manager and assign ( map ) the VPN Client to the device ( S300 ) save and reboot… and Bobs your uncle the phone comes up on your new private network ( directly connected vpn with no gear in-between.)

This can be done with other phones, I use this example because it is the simplest phone to PBX VPN setup ( and ease of maint and control ) I have ever seen.

Yes, it requires FreePBX 13, System Admin Pro (if using Sangoma phones) and the Commercial End Point Manager (other phones), but the cost would still be less than any black box approach, scales well and is supported.

BTW, I connect to the PBX thru the same VPN server so there is that added bonus.

Lastly, please don’t hammer me about my response being a commercial. I know it looks that way and I hope the takeaway is that this is just “another” suggestion of how this can be done.

No worries, I don’t regard is as a commercial, and besides, there’s an unavoidable Sangona link here anyway, so it’d be churlish to be offended.

The VPN client on the phone is indeed the simplest way to accomplish this, but generally I have found that the VPN offered by such devices are restrictive or lack features. For example, OpenVPN as offered by the Sangoma handsets. Not the best VPN in the world but arguably better than nothing.

Of course, in my case the phones we have do have VPN client inbuilt but I’ve no way to access them due to using Cisco handsets on Asterisk. Therefore using a small external device is the available option.

@matphillips Help me out here. If a VPN connection is made and works I don’t see what is wrong with OpenVPN? Everything I use can connect with it ( Mac, PC, Android, iOS and phones.)

Is the encryption not high enough? IMHO OpenVPN is one of the better choices so why is it a bad VPN in your opinion?

Before answering, I attempted to find citation for my statements, unsuccessfully.
I use IKEv2 tunnels at work and trust them. I don’t recall the reasons that led to IPSec being selected years ago over OpenVPN but I do remember there was some research involved. Sadly, as I can’t currently back that up, it’s irrelevant.

From what I currently find with a cursory search, OpenVPN is fine, I’d not intend to denigrate the Sangoma phones if that is the only protocol they support; though of course more is more :wink:

Sangoma, Yealink, Grandstream and Snom phones all have models with built-in VPN clients, it seems to be the client of choice for non-Cisco phones. FreePBX EPM (paid version) can provision Yealink phones in the same manor as described above.