THIS WIKI HAS BEEN UPDATED FOR VERSION 13 OF YOUR PBX GUI
This feature is for the PRO version of System Admin.
It sets up your PBX as a VPN server so that clients can connect directly to your PBX.
- On the top menu click Admin
- In the drop down click System Admin
- On the right side navigation box click Server VPN
Setting up a VPN Server
We first need to set up the VPN server before we can create clients and enable them to connect. Click on the Settings tab in Server VPN.
From here we can Enable the VPN Server. Enabling it starts the VPN service and sets it to start on every future reboot. Disabling the VPN Server stops the service and sets it not to start on future reboots.
The server range is the network that will be used for the VPN and the IP addresses that will be assigned to the clients when they connect. It defaults to 10.8.0.0, which for most users should be fine unless this subnet interferes with your LAN subnet.
The PBX will be assigned the .1 IP address in your range, so in our example below, the PBX would be assigned the VPN IP address of 10.8.0.1.
By default, Redirect Gateway is set to No, which is what most users will want. If you set this to Yes, then when a client connects to the VPN, ALL of the client's internet traffic will route through the PBX and go out from there. Leaving this set to No will have the VPN client route only the traffic that falls within the Server Range above to the PBX. So, for example, if we set this to No and connect a client to the VPN, we would access the PBX using 10.8.0.1 in our Server Range example above. All non-10.8.0.X traffic from the client would not come across the VPN but would instead use the client's normal network connection.
Note: If you want to route the local network to the OpenVPN clients, redirect must be enabled and the PBX restarted for the /proc/sys/net/ipv4/ip_forward and /etc/sysctl.d/98-forwarding.conf to be enabled.
Once we have set up our VPN server, we need to create one or more clients so that a client can connect to the VPN Server. Click on the Clients tab in Server VPN.
Click on the Add button.
Enable the Client and give it a friendly name for easy reference. If at any time you do not want the client to be able to connect to the VPN, you can either delete the client or disable the client from here.
Enabling the option of Use DDNS will put the PBX's DDNS name into the client config for connecting to the VPN. If DDNS is disabled, Remote Address will be used as a fallback. The DDNS FQDN is managed inside the DDNS section of System Admin. You can also define a Remote Address, which would be the external IP address or FQDN at which the OpenVPN server is reachable for connecting clients.
If you Enable DDNS and define a Remote Address, the client will always try the DDNS first. In the event that fails, it will fall back to the Remote Address option.
You can optionally pick any IP address you want to assign to this client from the server range that we set up in the Server Range section, or leave it set to None to have a random IP address from within the Server Range assigned to the client each time it connects to the VPN server.
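The addressing rules described above (a server range that must not clash with a LAN subnet, the PBX on .1, optional fixed client addresses inside the range) can be checked before the values are entered. This is an added example, not part of the original wiki or the PBX software; the /24 mask, the function name check_vpn_plan and the sample subnets and client names are assumptions constructed for illustration.

```python
import ipaddress

def check_vpn_plan(server_range, lan_subnets, client_ips):
    """Return a list of problems found in a planned Server VPN address layout."""
    vpn = ipaddress.ip_network(server_range)      # raises if host bits are set
    pbx_ip = vpn.network_address + 1              # the PBX takes .1 in the range
    problems = []

    # The server range must not collide with a subnet at the PBX or client site.
    for lan in lan_subnets:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if vpn.overlaps(lan_net):
            problems.append(f"server range {vpn} overlaps LAN {lan_net}")

    assigned = {}
    for name, ip in client_ips.items():
        if ip is None:                            # "None": address picked at connect time
            continue
        addr = ipaddress.ip_address(ip)
        if addr not in vpn:
            problems.append(f"{name}: {addr} is outside server range {vpn}")
        elif addr == pbx_ip:
            problems.append(f"{name}: {addr} is the PBX's own VPN address")
        elif addr in (vpn.network_address, vpn.broadcast_address):
            problems.append(f"{name}: {addr} is not a usable host address")
        elif addr in assigned:
            problems.append(f"{name}: {addr} is already given to {assigned[addr]}")
        else:
            assigned[addr] = name
    return problems

# Constructed sample plan (not taken from a real system).
SAMPLE_LANS = ["192.168.1.0/24", "10.8.0.0/16"]
SAMPLE_CLIENTS = {"laptop": "10.8.0.10", "deskphone": "10.8.0.1",
                  "softphone": "10.9.0.5", "tablet": None}

if __name__ == "__main__":
    for line in check_vpn_plan("10.8.0.0/24", SAMPLE_LANS, SAMPLE_CLIENTS):
        print(line)
```

An empty result means the plan has none of these conflicts; include the subnets of the sites clients will connect from in lan_subnets, since an overlap there breaks routing on the client side.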
Linking Clients to a user
Once a client has been created, you need to link the client to a user manager account, which will then allow a user to download their Server VPN Config file from UCP and also let you link this user in End Point Manager for Sangoma Phones to use the VPN. You will use the User Management Module to set up access privileges.
Editing User Privileges
Navigate to the User Management module in your PBX and click the edit button for the user you want to edit.
In the top row of tabs, click the VPN tab.
For VPN Clients, enter one or more clients you want to link to this user.
Next click the UCP tab in the top row of tabs. This is where you will set the UCP-related privileges for the user.
In the bottom row of tabs, click System Admin.
The Allow VPN setting will control whether this user can access VPN Clients through the User Control Panel (UCP).
- Yes: The user will have access. Overrides the group setting.
- No: The user will not have access. Overrides the group setting.
- Inherit: The user will inherit the access privileges of the group the user belongs to.
Click the Submit button.
Click the Apply Config button.
Editing Group Privileges
Keep in mind that all users are part of a group. Groups do not have VPN access by default. If you choose the Inherit setting for the specific user, be sure to enable VPN access at the group level if you would like this user to have VPN access.
From the User Management Module home screen, click the Groups tab.
Click the edit button to edit a group.
In the top row of tabs, click the UCP tab.
In the bottom row of tabs, click the System Admin tab.
For Allow VPN, select Yes in order to enable VPN access for the group. Any users belonging to this group, whose privileges are set to "Inherit," will now inherit the "Yes" setting from the group. (Dark blue background = selected.)
Click the Submit button.
Accessing the VPN Config in UCP
As long as you have given the user privileges to access VPN Clients, the user can now log into the User Control Panel (UCP) and download the VPN Config.
Port Required if a public NAT is used
UDP port 1194 will need to be forwarded to the PBX for the devices that will be connecting. This is the port that the OpenVPN daemon uses.
For information on how to set up your OpenVPN client on your computer, please click on your operating system below: