I have spent about 40 man hours on this (Accounts will go ballistic if they find out). It doesn't work… here are my findings:
GXP21xx will connect but doesn't build the route table correctly, so generally will be bumped off the openVPN server, which then results in it connecting again; we then go around in these circles indefinitely.
GWN7000 DOES connect to the VPN server (which is real ironic); however, again it doesn't build the route tables correctly inside the router, so can't actually use the tunnel outside of the GWN7000. You can, however, use the diagnostic PING to get to ANY IP addresses at the other end of the tunnel, so it's not working for a totally different reason. HOWEVER, it DOES connect and remain connected (this confirmed it's a BUG in the phone, as the GWN7000 WILL connect and remain connected to the openVPN server).
Side note: we have tried uplifting all the config from the GWN7000 and manually inputting it into the phones; it doesn't work, so it's an existing bug.
DDWRT: I've put this in as this has the same issue as the phones, so it MIGHT be a config issue, but considering the GWN7000 does work, and ANY Windows PC with the openVPN client also works, I assume it's possible to be both a BUG in the phone and a config issue as well (it's NOT a TLS authentication issue; the phones do authenticate, they are then bumped as they don't finish something after connecting).
Another item to understand: openVPN is END POINT, not really a routing system (assigned to a firewall as a client). Clearly openVPN has a routing method (TUN over TAP setting), but when it comes to the PBX you need to know the IP subnet of the end phones, so having the phones assigned an IP address by the firewall next to the PBX clearly gives you way better control on getting RTP traffic to them (which itself is problematic at the best of times).
With the above, we have (just) stopped testing firewalls (Watchguard, Grandstream and DDWRT firmware) with openVPN being the client used inside them (the Watchguard openVPN server works well with Windows, it's scary good).
We have also written off the remote phones, due to the VPN issue as confirmed by me AND Grandstream in a ticket. I have, however, told Grandstream (with the config) that the GWN7000 works as an openVPN client, but as I said, that's only the tip of a HUGE iceberg to get it working.
I have no idea (STILL) why Grandstream has not put a VPN server inside the PBX, as this clearly would solve ALL issues; as long as the server is TLS / SSL based then you're likely to have that working in all public locations.
They can call it openVPN if they want, but it clearly ISN'T openVPN, as no one would be asking how to get it to work, as openVPN works perfectly on Windows with the config.ovpn file and openVPN client (it works so well, it's scary fast to set up!).
What are we doing now?
Well, we have abandoned the use of all Grandstream phones remotely until Grandstream fix the “VPN client” in the phones; clearly using something “called” “openVPN” isn't working, as they don't seem to work with ANY 100% openVPN compliant server (that doesn't have Grandstream on the lid). Knowing that, just put the VPN server in the PBX and be done with it, then everything works, everyone’s happy, YOU SELL MORE PRODUCTS.