Getting a VPN Working

#1

This is a summary of information posted elsewhere. I’ve spent several months trying to get OpenVPN working on a GXP2140, and have learned a lot. For those unfamiliar with Grandstream’s OpenVPN support, it is a way to locate a phone remotely from the office phone system without (most of) the risks of placing the PBX and/or the phone on the open internet. The remote phone can be located anywhere in the world that has internet service, and will function exactly as if it were located in the office that hosts the PBX. What follows assumes that you have a GXP21xx phone and a UCM61xx PBX, but it should work with any PBX, Grandstream or not. Once you have an OpenVPN server set up, you can connect more than one phone to it.

Here are some ways to get this to work:

  1. Use a router with OpenVPN support: earlier firmware only supported Blowfish encryption, but the latest firmware lets you select from several encryption methods, and adds the ability to authenticate using a username/password combination. This makes many routers with built-in VPN support usable. I have gotten this to work with a TP-Link Archer C1200, a $60 consumer-grade router. I used the router’s certificate generation support to generate the required certificates (which are supplied in the downloadable configuration file and which need to be extracted with a text editor for uploading to the phone). Using a router avoids dealing with configuration files, port forwarding, and routing issues, but you still need to set up a Dynamic DNS account.

  2. Run an OpenVPN server on any office-based Windows machine: this is theoretically the cheapest way to do this, but I was never able to get it to work. Others have reported that the Windows version of the OpenVPN server has problems. Also, I was probably not handling routing correctly. Please post if you can get this to work. It should be able to be set up to run in the background without affecting normal use of the PC.

  3. Run a SoftEther VPN server on any office-based computer: similar to #2 above, I was never able to get this to work, though it may be possible. SoftEther is an open-source VPN server that has a fairly easy-to-use GUI and OpenVPN emulation. It does not support Blowfish encryption which is why I abandoned it, but with support for other encryption methods in the latest Grandstream firmware, it may be possible to use SoftEther’s OpenVPN support. Again, let me know if you get it to work.

  4. Run OpenVPN on a Linux-based computer: as one might expect, this is the most involved method to set up, but it works reliably. As with Windows, it can run in the background on a Linux machine used for other things, or can run on a dedicated machine. I am using $50 Raspberry Pi (RPi) microcomputers for this with great success. The Raspberry Pi has a reputation as a low-quality hobbyist machine, but my experience with it is that it is reliable, simple, and powerful enough to support a number of phones. There are many steps necessary to get this to work, which I’ve listed (or at least hinted at) in this post: https://forums.grandstream.com/forums/index.php?topic=35842.15. The RPi runs Raspbian Lite (a variation of Debian Linux) and OpenVPN is installed with http://www.pivpn.io/. A config file that works is in the post referenced above.

  5. Buy a pre-configured Raspberry Pi-based OpenVPN server: in a probably foolish attempt to recoup some of the months of time I put into this, I’ve decided to try to sell plug-in servers that will support Grandstream phones with little or no configuration. You can find them easily on eBay. The server comes with a DVD and a printed manual that goes into extensive detail about how the server is set up and how to troubleshoot it if it doesn’t work, something that’s easy but very much non-obvious. I’m selling these for $99 which includes $55 worth of hardware. They will certainly save more than $99 worth of time.

Until recently, Grandstream phones didn’t have VPN support, and until very recently, it wasn’t at all easy to get working. It still requires a fair amount of work and learning, or some good luck, but my experience is that once you get it working, it’s rock solid and gives you call quality equal to that of a locally-based phone.

Please post here 1) if you have problems getting this to work – several forum members have experience with this, or 2) if you get this working successfully, especially if you use a method different from those described above.

Many thanks to those forum members who have helped me in my long struggle to get this to work, and to Grandstream support, especially Francisco who got me over the last hurdle, as well as improving the OpenVPN support over the past few firmware releases.

-jimc
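The certificate extraction mentioned in method 1 above can be scripted instead of done by hand in a text editor. This is an added example, not part of the original post; it assumes the router's downloadable configuration file uses OpenVPN's standard inline `<ca>`, `<cert>` and `<key>` blocks, and the function name, output file names and sample profile are constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: the profile carries OpenVPN's standard inline blocks.
BLOCKS = {"ca": "ca.crt", "cert": "client.crt", "key": "client.key"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def extract_inline_credentials(ovpn_text, out_dir):
    """Write each inline block to its own file in out_dir; return {tag: path}."""
    written = {}
    for tag, filename in BLOCKS.items():
        m = re.search(rf"<{tag}>(.*?)</{tag}>", ovpn_text, re.S)
        if m is None:
            raise ValueError(f"no <{tag}> block in profile")
        pem = PEM_RE.search(m.group(1))
        if pem is None:  # catches a truncated copy before it reaches the phone
            raise ValueError(f"<{tag}> block has no complete PEM object")
        path = os.path.join(out_dir, filename)
        # Owner-only permissions: the client key is a secret.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem.group(0) + "\n")
        written[tag] = path
    return written

# Constructed sample profile; the base64 bodies are placeholders, not real keys.
SAMPLE = """remote vpn.example.net 1194
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0E=
-----END CERTIFICATE-----
</ca>
<cert>
Certificate: (human-readable dump some tools prepend)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0xJRU5U
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgS0VZ
-----END PRIVATE KEY-----
</key>
"""

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(sorted(extract_inline_credentials(SAMPLE, d)))
```

Only the PEM object is written out, so any human-readable text a tool places above the certificate is dropped, and an incomplete block raises an error rather than producing a file the phone will reject.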


#2

EXEYES,

You really seem to know what you are doing here, so I thought I would ask in here.

Disclaimer: I’ve spent the last hour searching and reading, this question might be the most laughably simple but I can’t believe that I have to ask.

How do I enable the OpenVPN settings page on my GXP2140/2160 phones?

The phones just don’t have the settings that everyone is talking about, that the Admin Guide specifies, they just don’t exist for me. See the image. I’ve opened every page, every menu. I’ve gone in with PuTTY and read the help. What am I missing?

GXP 2140 FW 1.0.9.32
I’ll be using a FreePBX installation, an EdgeRouter with OpenVPN configured.


#3

I must be challenged. I logged into the phone as “user” instead of “admin” out of curiosity, the settings weren’t there. I logged back in as “admin” and everything appeared!

Now, I will admit that 45 minutes ago, I changed the config file, P7050=1, because I was really curious. But that JUST showed up. Also note the weird XXXXX in the internet protocol section.

Maybe I had some caching issues with my browser. Thanks for now, no need to reply to this garbage post.


#4

Exeyesoftware,
I am using a Grandstream GDS3710 intercom and a Grandstream UCM6202 PBX as a gate access system for my rural property. The SIP registration is through a free Callcentric VoIP account using the Grandstream Wave softphone app. It is working pretty well as long as my iPhone 8plus is on my local wifi. As soon as I leave my local network and my iPhone goes onto ATT cellular my iPhone fails to register. Do you think that if I purchase one of your devices that I will be able to send and receive SIP calls on my iPhone using the Grandstream Wave app?
Thanks,
Robert Dean


#5

Hi Robert,

Thanks for your interest but I don’t think my OpenVPN server is the answer to your problem.

I’m not familiar with the GDS3710, but I think that if possible you should connect it directly to Callcentric and bypass the UCM6202 entirely. Then register your iPhone to Callcentric, which you can do from anywhere. If the GDS can function like a phone and be controlled by touch-tone it should work. You might need a paid account with Callcentric but they’re dirt cheap.

You also might post your (good) description of your setup to the general forums and see what suggestions others, who know more than I, can offer.

My OpenVPN server would work for you, but it only works with Grandstream phones with built-in OpenVPN support, which iPhones don’t have, and if they did the routing wouldn’t be right. So you’re on the right track conceptually, but the details keep it from working.

-jimc


#6

Thank you very much for the reply. I will try it out. Thank you
Robert Lee Dean