Author Topic: Getting a VPN Working  (Read 203 times)


Getting a VPN Working
« on: August 12, 2017, 09:19:56 AM »
This is a summary of information posted elsewhere.  I've spent several months trying to get OpenVPN working on a GXP2140, and have learned a lot.  For those unfamiliar with Grandstream's OpenVPN support, it is a way to locate a phone remotely from the office phone system without (most of) the risks of placing the PBX and/or the phone on the open internet.  The remote phone can be located anywhere in the world that has internet service, and will function exactly as if it were located in the office that hosts the PBX.  What follows assumes that you have a GXP21xx phone and a UCM61xx PBX, but it should work with any PBX, Grandstream or not.  Once you have an OpenVPN server set up, you can connect more than one phone to it.

Here are some ways to get this to work:

1. Use a router with OpenVPN support: earlier firmware only supported Blowfish encryption, but the latest firmware lets you select from several encryption methods, and adds the ability to authenticate using a username/password combination.  This makes many routers with built-in VPN support usable.  I have gotten this to work with a TP-Link Archer C1200, a $60 consumer-grade router.  I used the router's certificate generation support to generate the required certificates (which are supplied in the downloadable configuration file and which need to be extracted with a text editor for uploading to the phone).  Using a router avoids dealing with configuration files, port forwarding, and routing issues, but you still need to set up a Dynamic DNS account.

2. Run an OpenVPN server on any office-based Windows machine:  this is theoretically the cheapest way to do this, but I was never able to get it to work.  Others have reported that the Windows version of the OpenVPN server has problems.  Also, I was probably not handling routing correctly.  Please post if you can get this to work.  It should be able to be set up to run in the background without affecting normal use of the PC.

3. Run a SoftEther VPN server on any office-based computer: similar to #2 above, I was never able to get this to work, though it may be possible.  SoftEther is an open-source VPN server that has a fairly easy-to-use GUI and OpenVPN emulation.  It does not support Blowfish encryption which is why I abandoned it, but with support for other encryption methods in the latest Grandstream firmware, it may be possible to use SoftEther's OpenVPN support.  Again, let me know if you get it to work.

4. Run OpenVPN on a Linux-based computer: as one might expect, this is the most involved method to set up, but it works reliably.  As with Windows, it can run in the background on a Linux machine used for other things, or can run on a dedicated machine.  I am using $50 Raspberry Pi (RPi) microcomputers for this with great success.  The Raspberry Pi has a reputation as a low-quality hobbyist machine, but my experience with it is that it is reliable, simple, and powerful enough to support a number of phones.  There are many steps necessary to get this to work, which I've listed (or at least hinted at) in this post:  The RPi runs Raspbian Lite (a variation of Debian Linux) and OpenVPN is installed with  A config file that works is in the post referenced above.

5. Buy a pre-configured Raspberry Pi-based OpenVPN server: in a probably foolish attempt to recoup some of the months of time I put into this, I've decided to try to sell plug-in servers that will support Grandstream phones with little or no configuration.  You can find them easily on eBay.  The server comes with a DVD and a printed manual that goes into extensive detail about how the server is set up and how to troubleshoot it if it doesn't work, something that's easy but very much non-obvious.  I'm selling these for $99 which includes $55 worth of hardware.  They will certainly save more than $99 worth of time.

Until recently, Grandstream phones didn't have VPN support, and until very recently, it wasn't at all easy to get working.  It still requires a fair amount of work and learning, or some good luck, but my experience is that once you get it working, it's rock solid and gives you call quality equal to that of a locally-based phone.

Please post here 1) if you have problems getting this to work -- several forum members have experience with this, or 2) if you get this working successfully, especially if you use a method different from those described above.

Many thanks to those forum members who have helped me in my long struggle to get this to work, and to Grandstream support, especially Francisco who got me over the last hurdle, as well as improving the OpenVPN support over the past few firmware releases.
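
Added example (not part of the original post): option 1 above extracts the certificates from the router's downloadable configuration file by hand, and this sketch does the same split with a script. It assumes the file uses OpenVPN's inline `<ca>`, `<cert>` and `<key>` blocks; the sample profile, the host name and the output file names are constructed for illustration.

```python
import os
import re

# Constructed sample profile; the PEM bodies are placeholders, not real keys.
SAMPLE_OVPN = """remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0E=
-----END CERTIFICATE-----
</ca>
<cert>
Certificate: (text dump that some generators prepend)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0xJRU5U
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
</key>
"""

# Output names are assumptions; use whatever the phone's upload fields expect.
NAMES = {"ca": "ca.crt", "cert": "client.crt", "key": "client.key"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def extract_inline(profile_text):
    """Return {tag: PEM text} per inline block, dropping text outside the PEM armor."""
    blocks = {}
    for tag in NAMES:
        m = re.search(rf"^<{tag}>\s*$(.*?)^</{tag}>\s*$", profile_text, re.S | re.M)
        pem = PEM_RE.search(m.group(1)) if m else None
        if pem is None:
            raise ValueError(f"no PEM data in an inline <{tag}> block")
        blocks[tag] = pem.group(0) + "\n"
    return blocks

def write_files(blocks, directory):
    """Write one file per block; the private key is created owner-only (0600)."""
    paths = {tag: os.path.join(directory, NAMES[tag]) for tag in blocks}
    for tag, path in paths.items():
        mode = 0o600 if tag == "key" else 0o644
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(blocks[tag])
    return paths

if __name__ == "__main__":
    print(sorted(extract_inline(SAMPLE_OVPN)))
```

The private key in the profile is what authenticates the phone to the VPN, so keep the extracted `client.key` and the original configuration file off shared drives and delete them once the upload is done.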