openVPN GXP21xx to UCM


I also need to terminate some GXP1630 to a Watchguard. Is this possible? Please help.


Its possible and been done, contact Grandstream support who can give you the settings needed


Has anyone succeeded in getting the GXP21xx phones (Or WP820) connected to Untangle’s OpenVPN?

We use GXP21xx with Asterisk FreePBX boxes, sitting behind Untangle firewalls.

It’s mind-boggling that ‘OpenVPN’ doesn’t truly mean “OpenVPN”…


I went over an identical thing, we spent $100’s buying hardware to work out that “openVPN” isnt actually as good as the old IKE VPN (as IKE was a standard, openVPN is just a “nice idea”).

The only openVPN servers we had work was the real openVPN server and Watchguard (after i pushed both ends (Grandstream and Watchgiuard) to talk with each other to get it working.

Others have managed to get Grandstreams firewall to also work.

The problem you have is openVPN is not a standard or protocol, the vendor (in this case Grandstream) can add or take away anything it likes inside the openVPN ecosystem. Good example is LZO compression was removed as its not secure and most servers will reject the connection if the command is present (even if off), Grandstream still have it as a switch…


Yes, we work primarily under Untangle firewall processes…

Untangle deprecated lzo years ago (for good reason), and doesn’t play well with toys that demand it.

have spent dozens of hours attempting to get Grandstream devices to OVPN to Untangle without much success…


Did you set NAT on account to VPN ?


Mikrotik VPN IPSec - no issues with GS product… untangle boxes - freebees… you get what you pay for…


Mikrotik ipsec?! how?!


wrong forum for how…



Grandstream GXP21xx doesnt support IP Sec…


Grab 2 x Mikrotik routers and use VPN IPSEC - done !


Technically with VPN you would wanted routed and not NAT, routed so the IP address remains the same from the end device and so it can route back, NAT can be problematic over VPN generally (when dealing with SIP / RTP trype traffics).


“Grab 2 x Mikrotik”, sure how do i sell that to the client???

Me - “Yeah, the desk phone has VPN, thats why its $500”
Client - “sounds expensive for a deskphone with VPN built in”
Me - “i know, but i dont use it, i purchased 2 other bits of hardware i didnt tell you about to do the VPN”

How is this a solution (genuinely interested in how you sell that idea to the client), espcailly in a thread that askes HOW the VPN works in a desk phone


Im not sure where you get your pricing on… a GXP21xx here in Oz will cost $185 RRP and the Mikrotik would cost you $46.80 RRP and these are AUD - Ozzy dollars… how is that $500

The Mikrotik routers are the internet connection - performing the VPN IPSEC Tunnel to the other end being the HQ - $205 at HQ for a Mikrotik …

The Grandstream Handsets “Do Not” have a usable secure VPN connection capability.

  • You dont charge to install hardware products you supply?
  • If you had read the complete 50+ entries here you will see the handsets do have a VPN and at least ive managed to get them to work in 2 different technologies.


oh now you have changed it from 1 x handset to 50 … Okay

Enough profit in the mix - with provision of 50 x phones behind 1 x Mikrotik with a VPN IPSEC tunnel to HQ - 15 minutes of time to create…

So lets charge $165 for that labour componenet and call it an hour… so 50 x $185 + $165 + $46.80

So it becomes $189.236 per handset … whats the problem ?


Kev - SFX never stated 50 handsets, but rather 50 posts in the thread.

From my take, the issue is that the context of the thread is to provide remote phone capability to 1 off home installs in the wake of the demand caused by the coronavirus. As the phone does have OpenVPN, most would rather use an available resource that costs nothing, assuming that that the UCM side has a suitable OpenVPN server. Using this functionality would avert the issues associated to most residential router limitations and provide a secure path for calls without the need to install a MikroTik or any other device for that matter. Additionally the class of router you speak of (to include most business class routers), would be more than most home users would ever be able to configure on their own for whatever internal needs of their own (not business) they might have.

Unfortunately, there appears to be a level of complexity, given the number of threads seen, that makes if seem as if GS’s implementation of the VPN is somewhat difficult to accomplish. I have seen a number of requests asking about how to do and while some indicate that they have it working, I do not recall seeing any specifics of how it was accomplished and using what hardware to do so. Only that they did. I have had it working with a GWN7000, but as the router has so many shortcomings and is no longer under development, I pulled them. I have not tried it since, but I guess when time permits in the coming week, I will see what I can do.


Thanks Larry. But when I launched this thread I was thinking about business users who now need to provide remote phone access to users. That would include those at home and well as those who may work on the road; either normally or under these extraordinary times.

As I think I have said, I too have gotten some, but not all Grandsteam phones to use openVPN with a GWN7000 (and I fully agree with your sentiment about deploying them).

So in summary what I am looking for, if I could magically have it, is:

  1. Having all current, in production, Grandsteam phones with an openVPN client working with as many different firewalls or other devices that provide openVPN server functions. Ideally Grandstream would provide a complere end-to-end secure solution that would not require users to purchase anything to acheive a secure remote connection (as is done by at least 3CX).

  2. Provide a cellphone client that has a secure connection to the UCM as a built-in funciton which is done by at least 3CX and Yeastar. Further, this client should use push technology to minimize battery drain on the device.

  3. Provide the same as above for a SIP client on a WIndows and MAC computer. In other words a client that does not need to have the UCM provide a WebRTC connection (which I understand is very resource intensive to the UCM).

And to be clear, I am not advocating other products. I am just highlighting the Grandstream’s competition is already doing this.

As @whowe82 has said in the past, I am looking for a complete single vendor end-to-end solution. And I would like that solution to be Grandstream.


David, SFX appears to have launched the thread back in '18. That is the first post and my statement about 1 off home install demand rising in the wake of the virus is still valid and the reply was to Kev, as stated in my post, who was advocating the use of an IPsec tunnel using MikroTiks to address a situation raised by wedgeman and the attempt with untangle.

I saw your other thread and up-voted as did several others, but my response was to Kev who had misread what had been posted about the qty of handsets raised by SFX and an attempt to rationalize why one would attempt to use OpenVPN with existing on-hand hardware and the apparent difficulty it presents to many.

As I too would like to see a more refined, easier and integrated process to remote from GS, that is not yet available and the desire to use OpenVPN is likely not to go away in the meantime.


Sorry Larry. I got confused between the threads.Mea culpa. No disrespect intended.