How To Guide: Remote GXP21XX using OpenVPN to Mikrotik Router


#1

Step 1 - Configure Mikrotik router
The best guide I’ve found is here
Note: You should correct all values: Location, usernames, etc. to values relevant to your install.

You need three sections of this guide:

  • Setup OpenVPN server and generate certificates
    NOTE: Use this INSTEAD OF the command in the link above:
    /interface ovpn-server server
    set auth=sha1 certificate="server@$CN" cipher=aes256 \
    default-profile=OVPN-Profile enabled=yes keepalive-timeout=60 \
    max-mtu=1450 require-client-certificate=yes
  • Add a new user
  • Decrypt private key to avoid password asking
    You need OpenSSL to decrypt the client key file. If needed, you can find binaries here.

Step 2 - Configure UCM
Add the subnet offered to OVPN clients (in scripts linked above, it’s 192.168.68.0/24, but correct to your environment) in the UCM:

  • WebUI->PBX Settings->SIP Settings->NAT->Local Network Address
  • WebUI->Value-added Features->Zero Config->Zero Config Settings->Subnet Whitelist

Step 3 - Configure phone
WebUI->Network->OpenVPN Settings:

  • OpenVPN Server Address: [External IP of the Mikrotik router]
  • OpenVPN Transport: TCP
  • OpenVPN Cipher Method: AES-256
  • OpenVPN Username: [username used in Step 1]
  • OpenVPN Password: [password used in Step 1]
  • OpenVPN Comp-lzo: NO
    Upload the three certificate files you created in Step 1. NOTE: Upload ONLY the decrypted Key.
  • OpenVPN CA Certificate
  • OpenVPN Client Certificate
  • OpenVPN Client Key (decrypted version)
  • Additional Options:
    route 192.168.x.0 255.255.255.0
    NOTE: This is the internal subnet and mask of the UCM. Change to your values.
  • Save And Apply

WebUI->Account1->Basic Settings
Configure this page as you would any normal extension in your environment.
Use the internal IP of the UCM for SIP Server

WebUI->Account1->Network Settings

  • NAT Traversal: VPN

REBOOT the phone. OpenVPN changes don’t take effect until reboot.

NOTES:

  • Mikrotik router uses TCP encapsulation for OVPN. You MUST use TCP on the phone.
  • If cipher allows multiple encryption types, the connection will establish, but won’t work.
    Pick one and make that the only option for both server and client.
  • The phone’s OpenVPN Additional options route is necessary to get the phone to push traffic through the tunnel. In my opinion, it shouldn’t be… but, whatever it takes!

If you have suggestions or need additional details let me know…
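As an added example (not from the original post), a small Python checker that encodes the NOTES above: it parses the RouterOS ovpn-server "set" line from Step 1 and compares it with the phone's Step 3 fields, flagging a non-TCP transport, a server that allows more than one cipher, a cipher mismatch, a missing route line, a missing client-certificate requirement and a non-1450 MTU. The sample values, the certificate name and the phone-label-to-RouterOS cipher mapping are constructed assumptions for this example.

```python
import re

# Constructed sample of the router side: the Step 1 command as RouterOS would
# export it (the certificate name is a placeholder, not a real value).
ROUTEROS_EXPORT = r"""
/interface ovpn-server server
set auth=sha1 certificate="server@example" cipher=aes256 \
default-profile=OVPN-Profile enabled=yes keepalive-timeout=60 \
max-mtu=1450 require-client-certificate=yes
"""

# Constructed sample of the phone side, mirroring the Step 3 WebUI fields.
PHONE_SETTINGS = {
    "OpenVPN Transport": "TCP",
    "OpenVPN Cipher Method": "AES-256",
    "Additional Options": "route 192.168.1.0 255.255.255.0",
}

# Phone cipher labels mapped onto RouterOS cipher tokens (assumed mapping).
PHONE_TO_ROUTEROS_CIPHER = {"AES-128": "aes128", "AES-256": "aes256"}

def parse_routeros_set(export_text):
    """Join backslash-continued lines, return key=value pairs of the 'set' line."""
    joined = re.sub(r"\\\n\s*", " ", export_text)
    for line in joined.splitlines():
        if line.strip().startswith("set "):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            return {k: v.strip('"') for k, v in pairs}
    return {}

def check_phone_against_router(export_text, phone):
    """Return the NOTES violations found; an empty list means the pair is consistent."""
    server = parse_routeros_set(export_text)
    problems = []
    if phone.get("OpenVPN Transport") != "TCP":
        problems.append("transport must be TCP: Mikrotik OVPN uses TCP encapsulation")
    ciphers = [c for c in server.get("cipher", "").split(",") if c]
    if len(ciphers) != 1:
        problems.append(f"server allows {len(ciphers)} ciphers; allow exactly one")
    wanted = PHONE_TO_ROUTEROS_CIPHER.get(phone.get("OpenVPN Cipher Method"))
    if wanted not in ciphers:
        problems.append(f"phone cipher {phone.get('OpenVPN Cipher Method')!r} is not the server cipher")
    ip = r"\d{1,3}(?:\.\d{1,3}){3}"
    if not re.search(rf"^\s*route\s+{ip}\s+{ip}\s*$", phone.get("Additional Options", ""), re.M):
        problems.append("Additional Options needs 'route <UCM subnet> <mask>' or traffic stays off-tunnel")
    if server.get("require-client-certificate") != "yes":
        problems.append("require-client-certificate=yes so username/password alone cannot connect")
    if server.get("max-mtu") != "1450":
        problems.append("max-mtu should be 1450 (see post #8)")
    return problems
```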


#2

Greetings, could you create a guide or video; many of us are trying to configure this with Mikrotik


#3

I can’t get the phone to connect to the Mikrotik VPN, can you post a video? Many of us are trying to configure with Mikrotik. Thank you


#4

Grandstream Assistance


#5

support does not solve this problem, all the videos related to the problem do not work when you apply them. Thanks


#6

I’m trying to muddle my way through this too since the GWN7000 is getting discontinued and I need a different solution for VPN. I’m pretty fluent in Mikrotik and I built a router using the info in this thread and I can establish a connection and get an IP, but I cannot pass traffic. From the phone I cannot ping the Mikrotik and from the Mikrotik I cannot ping the phone’s VPN IP.

I can connect a PC to the Mikrotik and get all the way into the UCM. I’m tinkering with the various ciphers but I haven’t found one that allows me to pass traffic.


#7

I’m glad you got it to establish the connection. That’s a lot of the steps already finished.

I’m guessing you missed something in the NOTES section (please check these):

  • You must only allow a single cipher on the Mikrotik and it must match the one you specify on the phone.
  • You must specify the “Additional Options” ROUTE parameter correctly.
  • You must reboot the phone after making changes to the OpenVPN settings.

If those don’t help, PM your router config and phone config and I’ll see if I can spot the issue.


#8

Thank you so much. It was very helpful and practical, we were struggling for some days, and finally, we realized the MTU was the answer.
Other people, don’t forget to set the MTU to 1450