This article provides information regarding A-Series Phones' VPN setup.
You may also wish to visit the A-Series IP Phones for Asterisk Overview for additional information and links to related articles.
Our Digium A-Phones support VPN services via OpenVPN. You can configure this feature either through the web interface or through a phone configuration file. We will review both options in this KB article.
Before beginning, please review the information below:
- In order to enable VPN service, you need to have an OpenVPN server and a client OpenVPN configuration file (client.ovpn), a root (CA) certificate (ca.crt), a client key (client.key), and a client certificate (client.crt).
- The files client.ovpn, ca.crt, client.key and client.crt will be uploaded to the phone.
- If you are setting up the phones via configuration files, please note that the files that should be uploaded to the phone must be available outside of the VPN.
- Digium A-Phone supports HTTP basic and digest authentication, as well as connecting without authentication.
- Configuration files that are downloaded by the phone will be stored in the phone and will be used for subsequent reboots.
- OpenVPN server configuration must not require manual password entry in order to connect. The phone does not provide the user a means of inputting user and/or password credentials as a part of VPN connection.
- Only certificates in CRT format are supported.
Web interface configuration
1. Log into the web interface by browsing to the IP address of the phone on your network. The default username is admin, and the default password is 789.
2. Click on Network and then click on the VPN tab.
3. Click on the "Enable VPN" option.
4. Upload the following files by clicking the "upload" button next to each item.
- OpenVPN Configuration file
- CA Root Certification
- Client Certification
- Client Key
5. Apply Changes and exit the GUI.
Using configuration files
Phone configuration file example:
A2x VPN Configuration Example
A30 VPN Configuration Example
The VPN mode element controls the type of VPN to be used. In this case, we are configuring for OpenVPN, so the value is 2.
The Enable VPN Tunnel element controls whether or not the phone is to start up the OpenVPN connection. It defaults to 0, so it must be set to 1.
The Auto etc Url element contains the URL path to a .tar.gz package of the OpenVPN configuration files, containing:
- ca.crt
- client.crt
- client.key
- client.ovpn
Creating OpenVPN configuration files
OpenVPN has a very extensive set of configuration options, so it is almost impossible for us to test every possible scenario; how you should set up this file depends on your OpenVPN server configuration. If you need assistance adding additional parameters, please contact your IT network team, as they should be able to provide more information about which parameters are needed in your VPN implementation. If you are implementing a new OpenVPN setup, you can use the example below; we have confirmed that the following configuration works with Digium A-Phones.
client.ovpn:
client
dev tun
proto udp
remote server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 3
Please note that you must pass in the ca, cert, and key parameters as ca.crt, client.crt, and client.key, and they should not have any directory declaration (for example, /something/ca.cert). Also, it is not possible to in-line the ca, cert, or key parameters.
Once you have the ca.crt, client.crt, client.key and client.ovpn files, please use the following line to create the correct tar file that should be uploaded to the phone.
tar czvf etc.tar.gz ca.crt client.crt client.key client.ovpn
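A pre-flight check for the bundle rules above (bare ca.crt, client.crt and client.key names, no inline blocks, no credential prompts, flat archive), as an added example that is not Digium's own tooling. The function names check_ovpn_bundle and build_ovpn_bundle are hypothetical, and treating auth-user-pass and askpass as prompt-causing directives is an assumption.

```sh
#!/bin/sh
# Added example (not vendor code). Function names are hypothetical.

# Report every way DIR's files break the rules in this article; non-zero if any.
check_ovpn_bundle() {
    dir=$1; rc=0
    for f in ca.crt client.crt client.key client.ovpn; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $f"; rc=1; }
    done
    conf=$dir/client.ovpn
    [ -f "$conf" ] || return 1
    # ca/cert/key must name the bare files: no directory, no other file name.
    for pair in "ca ca.crt" "cert client.crt" "key client.key"; do
        set -- $pair
        got=$(tr -d '\r' < "$conf" | awk -v d="$1" '$1 == d { print $2 }')
        [ "$got" = "$2" ] || { echo "$1: expected '$2', found '${got:-none}'"; rc=1; }
    done
    # Inline <ca>/<cert>/<key> blocks are not supported by the phone.
    if grep -Eq '^[[:space:]]*<(ca|cert|key)>' "$conf"; then
        echo "inline ca/cert/key block found"; rc=1
    fi
    # Assumption: auth-user-pass/askpass imply a credential prompt the phone
    # cannot answer, so both are flagged.
    if grep -Eq '^[[:space:]]*(auth-user-pass|askpass)([[:space:]]|$)' "$conf"; then
        echo "directive that prompts for credentials found"; rc=1
    fi
    return $rc
}

# Validate DIR, write the archive to OUT, then confirm its members are flat.
build_ovpn_bundle() {
    check_ovpn_bundle "$1" || return 1
    (cd "$1" && tar czf - ca.crt client.crt client.key client.ovpn) > "$2" || return 1
    ! tar tzf "$2" | grep -q '/'
}

# Usage: sh check_bundle.sh DIR [OUT]
if [ $# -ge 1 ]; then
    build_ovpn_bundle "$1" "${2:-etc.tar.gz}"
fi
```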
Testing the Configuration
When the Enable VPN Tunnel element is enabled on the phone, the phone will display a lock in the status bar.
In the event of an issue, or the VPN not enabling, the lock won't appear.
The VPN-connected IP address is visible only in the phone's web UI, in the Network>VPN screen under "Virtual Private Network (VPN) Status."