Tuesday, January 26, 2021

Grandstream GPX2170 OpenVPN

Well, I had a bit of a struggle with this at first but got there in the end.

So, a few notes to remind myself later.

OpenVPN - I am using the openvpn routed contrib (https://www.contribs.org) on Koozali SME Server (https://www.koozali.org), which is essentially CentOS (for now).

You will also need some network config and firewalling, but that can be found elsewhere.

Koozali SME then generates a server config like the one below, shown here for reference (remove the << comments before using it). The config is installed in /etc/openvpn/routed.

 port 1194  
 proto udp  
 dev tunvpn0  
 user openvpn  
 group openvpn  
 chroot /etc/openvpn/routed  
 persist-key  
 persist-tun  
 # Certificates config  
 dh pub/dh.pem  
 ca pub/cacert.pem  
 cert pub/cert.pem  
 key priv/key.pem  
 tls-server  
 crl-verify pub/cacrl.pem  
 plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so login << required for SME for pam user authentication  
 server 192.168.29.0 255.255.255.0 << could be any network you choose  
 topology subnet  
 # up /etc/openvpn/routed/bin/up << required for SME to set local networking  
 script-security 2  
 # Options  
 keepalive 40 180  
 push "dhcp-option DOMAIN mydomain.com"  
 push "dhcp-option DNS LocalIP.Of.This.Server"  
 push "dhcp-option WINS LocalIP.Of.This.Server"  
 tun-mtu 1400  
 mssfix  
 cipher AES-256-CBC  
 passtos  
 comp-lzo adaptive << deprecated and to be removed soon  
 push "comp-lzo adaptive"  
 nice 5  
 management 127.0.0.1 11195 management-pass.txt  
 max-clients 6  
 client-config-dir ccd  
 status-version 2  
 status bridge-status.txt  
 suppress-timestamps  
 verb 3  


You may or may not need some of these options. Make sure the cipher agrees between server and client: the phone only offers a fixed choice (AES-256 or Blowfish), so the server's cipher line must be one the phone can select.

Make sure your server certs are in the right place.

You should be able to connect to this with any normal OpenVPN client. You need to get it working at this point, before moving on to the phone.

Next the Grandstream

Generate client certificates. They must be unique per device.

Set the Server Address, Port, UDP, Cipher, User and Pass, comp-lzo no, and any additional options (I didn't need them).

Add your certificates. They must be PEM encoded. The CA and Certificate must end with .crt and the Key must end with .key (no idea why!).

Set to enabled. Save and Apply. Then reboot. It should connect.

Clearly you still need the usual settings for the phone to register, etc.

 #OpenVPN on/off  
 P7050 1  
 #Server address  
 P7051 voip.server.com  
 #Port  
 P7052 1194  
 #Transport UDP=1 TCP=0  
 P2912 1  
 #Cipher AES-256=2 Blowfish=0  
 P8396 2  
 #User  
 P8394 username  
 #Pass  
 P8395 password  
 #Comp LZO  
 P8508 0  
 #Additional options, separated by ';' (e.g. below)  
 P8640 comp-lzo no;auth SHA256  
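Putting the phone steps together, here is an added example script (my own, not the blog author's or Koozali's code) that issues a per-device client certificate from an existing OpenVPN CA with openssl, checks the files for what the phone expects (PEM encoded, .crt/.key names, private key matching the cert, cert chaining to the CA), and derives the P-values above from the server config so that port, transport and cipher agree. The throwaway CA, the sample server.conf, the device name phone01, the one-year validity and the clientAuth-only extensions are all assumptions made for the example; on a real SME box you would point it at pub/cacert.pem and the CA's private key instead.

```shell
#!/bin/sh
# Added example, not the blog's or Koozali's own code.
# Issues a per-phone client cert from an existing OpenVPN CA, checks the
# files the Grandstream expects, and derives the phone's P-values from the
# server config. All paths, names and the sample server.conf are assumptions.
set -eu

# Issue a unique key pair and certificate for one phone.
# Args: CA cert, CA key, device name, output directory.
# One cert per handset means a lost phone can be revoked via crl-verify
# on the server without touching any other device.
issue_phone_cert() {
  ca_cert=$1; ca_key=$2; name=$3; out=$4
  mkdir -p "$out"
  # -nodes: the phone has no way to enter a key passphrase at boot.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$out/$name.key" -out "$out/$name.csr" 2>/dev/null
  # Restrict the cert to client use so it can never impersonate the server.
  printf 'keyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$out/$name.ext"
  openssl x509 -req -in "$out/$name.csr" -CA "$ca_cert" -CAkey "$ca_key" \
    -CAcreateserial -days 365 -extfile "$out/$name.ext" -out "$out/$name.crt" 2>/dev/null
  rm -f "$out/$name.csr" "$out/$name.ext"
}

# Check what the phone needs before uploading: .crt/.key names, PEM encoding,
# private key matching the cert, and the cert chaining to the CA.
check_phone_files() {
  ca_cert=$1; crt=$2; key=$3
  case "$crt" in *.crt) ;; *) echo "cert must end in .crt" >&2; return 1;; esac
  case "$key" in *.key) ;; *) echo "key must end in .key" >&2; return 1;; esac
  grep -q -- '-----BEGIN CERTIFICATE-----' "$crt" || { echo "cert is not PEM" >&2; return 1; }
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "key is not PEM" >&2; return 1; }
  openssl verify -CAfile "$ca_cert" "$crt" >/dev/null
  # The public key inside the cert must equal the one derived from the key.
  [ "$(openssl x509 -in "$crt" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ] \
    || { echo "key does not match cert" >&2; return 1; }
}

# Derive the P-values the phone must agree with the server on.
# Args: server.conf, server hostname, PAM user, PAM password.
# Cipher codes are the phone's: AES-256=2, Blowfish=0; transport UDP=1, TCP=0.
phone_pvalues() {
  conf=$1; server=$2; user=$3; pass=$4
  port=$(awk '$1=="port"{print $2}' "$conf")
  proto=$(awk '$1=="proto"{print $2}' "$conf")
  cipher=$(awk '$1=="cipher"{print $2}' "$conf")
  auth=$(awk '$1=="auth"{print $2}' "$conf")
  case "$proto" in udp) p2912=1;; tcp) p2912=0;; *) echo "unknown proto: $proto" >&2; return 1;; esac
  case "$cipher" in
    AES-256-*) p8396=2;;
    BF-CBC) p8396=0;;
    *) echo "phone cannot select cipher $cipher" >&2; return 1;;
  esac
  # Extra options go in P8640 separated by ';'. Keep LZO framing ('comp-lzo no')
  # only while the server still has comp-lzo, and pin auth if the server sets it.
  opts=''
  grep -q '^comp-lzo' "$conf" && opts='comp-lzo no'
  [ -n "$auth" ] && opts="${opts:+$opts;}auth $auth"
  printf 'P7050 1\nP7051 %s\nP7052 %s\nP2912 %s\nP8396 %s\nP8394 %s\nP8395 %s\nP8508 0\nP8640 %s\n' \
    "$server" "$port" "$p2912" "$p8396" "$user" "$pass" "$opts"
}

# --- Constructed demo setup: a throwaway CA and a server.conf standing in for
# --- the SME-generated one. Replace with pub/cacert.pem and the real CA key.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example VPN CA" \
  -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
cipher AES-256-CBC
auth SHA256
comp-lzo adaptive
EOF

issue_phone_cert "$WORK/cacert.pem" "$WORK/cakey.pem" phone01 "$WORK/phones"
check_phone_files "$WORK/cacert.pem" "$WORK/phones/phone01.crt" "$WORK/phones/phone01.key"
phone_pvalues "$WORK/server.conf" voip.server.com phone01 'phone01-pam-password'
```

The script refuses a cipher the phone cannot select, which is the "make sure the ciphers agree" check done up front rather than by watching the phone fail to connect; the key-matches-cert comparison catches the common mistake of uploading one phone's .crt with another phone's .key.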

Done.

Thanks to https://codeformatter.blogspot.com/ for tidying my code!
