I’ve been spending a lot of time lately with my FusionPBX installation at work (single server with extensions in three separate physical locations).  I’ve been tweaking things here and there in an attempt to drive down the incidence of “bad calls”.  If you’ve done anything with SIP/VoIP you’ll know that there is always the potential for a bad call as there are so many variables involved; all you can do is try and do the best you can with the variables you do control, the rest is up to the SIP gods.

One of the constant bugaboos with SIP calls are the issues surrounding NAT’d connections.  Every SIP phone and every SIP client offers multiple tools and options to try and smooth the NAT dance; some work better than others but NAT is just a pain in the behind to be perfectly honest.  One way to get around the NAT problem is to implement an OpenVPN solution if your SIP phones and/or SIP clients support it.  OpenVPN is small and very lightweight AND it supports UDP tunnels which is right up the SIP alley.  Many SIP phones support OpenVPN — Grandstream and Yealink are two that come to immediate mind.  Of course, every phone vendor seems to implement OpenVPN support a little differently form other vendors so it can sometimes be a bit of a pain to find just the right configuration options to make things work.

I have a fleet of newer Grandstreams (GXP2135, GXP2140 and GXP2170) and the following documents what I had to do to make OpenVPN work between my Grandstreams and my FusionPBX server.  Hopefully, the instructions will be of some use if you are trying to do something similar.

These are the steps I followed to setup and enable OpenVPN on my Debian8 box running my FusionPBX production install.  The goal was to provide OpenVPN connectivity to my Grandstream phones.


Grandstream only supports the simplest of OpenVPN configurations.  You MUST use Blowfish crypto, your DH config cannot be anything other than 2048, TLS and/or passphrase authentication is NOT supported therefore it should not be incorporated into the OpenVPN configuration.  Also, you must be using Grandstream firmware at or newer with GXP21XX series phones.  This might also work with older phones such as the GXP1625 but I have no way of testing.


I followed the instructions on on this site as a guideline.  Perform Steps 1 through 3.  For the step where you modify the server.conf file you can follow their listed steps but make sure you make the changes appropriate to your configuration.  The default conf file does not have any LTS or passphrase options enabled.  These are the particular settings I changed:

# Which local IP address should OpenVPN

# listen on? (optional)

local 192.168.X.X    → change to match your server IP

# Which TCP/UDP port should OpenVPN listen on?

port 1194

# TCP or UDP server?

;proto tcp

proto udp

# “dev tun” will create a routed IP tunnel,

dev tun

# Any X509 key management system can be used.

# OpenVPN can also use a PKCS #12 formatted key file

# (see “pkcs12” directive in man page).

ca ca.crt

cert server.crt

key server.key  # This file should be kept secret

# Diffie hellman parameters.

# Generate your own with:

#   openssl dhparam -out dh1024.pem 1024

# Substitute 2048 for 1024 if you are using

# 2048 bit keys.

dh dh2048.pem

# Configure server mode and supply a VPN subnet


# Push routes to the client to allow it

push “route 192.168.X.X”  → change to match your internal network

push “redirect-gateway def1 bypass-dhcp”

push “dhcp-option DNS”

push “dhcp-option DNS”

# Select a cryptographic cipher.

# This config item must be copied to

# the client config file as well.

cipher BF-CBC        # Blowfish (default)

# Enable compression on the VPN link.

# If you enable it here, you must also

# enable it in the client config file.


Do NOT perform Step 4 (install UFW).  Instead, run the following commands:

iptables -t nat -A POSTROUTING -s -o eth0 -j MASQUERADE

(run it twice to be sure)



Continue with the rest Steps 5 through 7 in the guide, stop after completing Step 7.

Follow this link to add in OpenVPN to your fail2ban settings.

You will probably have to reboot your server at this point as OpenVPN doesn’t seem to properly create the needed TUN networking device until a reboot has been performed.  Once rebooted you should see a TUN device in your ifconfig -a output and there should be a address attached to the device.

Grandstream Client Config

The Grandstream phones require 3 files, the CA crt file as well as a crt and key file generated specifically for each phone.  Follow these instructions to generate PER phone:

  1. In the /etc/openvpn/easy-rsa directory issue the following command:
./build-key ABCDEF

I use the last 6 characters of my phone’s MAC address as the identifier so if my MAC is 00:0B:82:92:DC:7D the “ABCDEF” above would end up as 92DC7D.

Once again, you’ll be asked to change or confirm the Distinguished Name variables and two extra prompts which should be left blank. Press ENTER to accept the defaults.

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

As before, these two confirmations at the end of the build process require a (y) response:

Sign the certificate? [y/n]

1 out of 1 certificate requests certified, commit? [y/n]

You will then receive the following output, confirming successful key build.

Write out database with 1 new entries.

Data Base Updated

Check the /etc/openvpn/easy-rsa/keys directory, there should now be a ABCDEF.crt, ABCDEF.csr and ABCDEF.key file, if there are the process was a success.  You’ll also see a ca.crt file in the same directory.  You now have to transfer the three required files to the phone and set up OpenVPN connection on the phone.

Login in to the phone’s webpage.  Change to the Network –> OpenVPN page

Set OpenVPN Enable to Yes.  Set the OpenVPN Server Address to the WAN IP of your FusionPBX box.  If you accepted 1194 as the default OpenVPN port you should also open your firewall to point inbound UDP on 1194 to your FusionPBX server).

Now you have to upload the three files.  This phone is 92DC7D so it requires ca.crt for the OpenVPN CA, 92DC7D.crt for OpenVPN Certificate and 92DC7D.key for OpenVPN Client Key.

Best way to get the files is to use WinSCP to copy the files from server t your PC then push up through web page.  NOTE:  The Upload function won’t work if a file has already been uploaded.  If you get a message to that effect use the Delete key.

Once the files have all been uploaded click Save and Apply and reboot the phone.

All things being equal, the phone should fire up OpenVPN and connect to the FusionPBX server over OpenVPN.  The phone network status will display an IP address if the tunnel comes up correctly and you will be able to ping the OpenVPN IP of the phone from the server.  If you can ping the phone then the tunnel is completely in place and all traffic between the phone and the server will route over OpenVPN.  To confirm this you can close off the SIP ports (5060) and the range of UDP ports that you have opened on your firewall to support NAT’d phone connections.  The phone(s) running OpenVPN should continue to operate normally while non-OpenVPN phones should fail.  Just make sure that you DON’T close off the ports you are using to communicate with your SIP provider!

OpenVPN with FusionPBX and Grandstream Phones
Tagged on:         

Leave a Reply

Your email address will not be published. Required fields are marked *