Grandstream GXP21xx GXP2160 GXP2170 VOIP phone OpenVPN connect



  • Did anyone manage to connect a Grandstream VOIP phone to the pfSense to then access a local SIP server like Asterisk?

    The settings and whole process are hardly documented.. the phones have an OpenVPN client though.

    There is this post https://beagledom.ca/2016/12/22/openvpn-with-fusionpbx-and-grandstream-phones/ giving some ideas, but hardly enough to really set everything up.

    My hope would be for phones in home office to connect to the work LAN (just like the laptops) and then use the local VOIP server for features like BLF and also a CRM integration.

    Any experience, helpful insight or the like on that?



  • Forget about VoIP phones for a while and make sure you can connect to your pfSense from PC with regular OpenVPN client software. Test if you can reach your Asterisk server from remote location over the VPN.
    Then test the VoIP part with the regular SIP client on that PC.
    Once you get this working - use the same configuration on your hardware phone.

    Regarding the Asterisk in such environment - recommendation is here.



  • Many thanks!

    I have already noticed that pfSense and FreePBX (Asterisk) don't go together too well. Somehow, certain states are not handled correctly, especially when starting the internet connection through PPPoE from within pfSense.

    Also, the NAT settings are a nightmare - I finally got best results by switching everything off (in Asterisk).

    As for the Grandstream: yes - I wanted to avoid that effort. But I somehow got it to work - also, with a configuration I thought I had tried before already.

    Looks like both DH 1024 and 2048 are supported (did not try any more) as well as Blowfish (BF-CBC) and AES-256 (AES-256-CBC). After first managing with certificates of only 1024 bits, it now also works with 2048 bits, so security should be ok. Only the SHA1 (did not try any others) seems a little bit weak.

    Also, OpenVPN is configured for "Remote Access (SSL/TLS)" and when enabling access to just the one IP of the Asterisk, everything is working fine, to reduce the security risk a little. No username/password is needed.

    Also.. in case someone else has similar problems: I had to enable symmetrical RTP in both the phone and Asterisk, otherwise I often had the problem of audio being one-way and that one person thus could not be heard.

    I am hoping that the real use will prove stable.. setup certainly was a challenge.

    Also, my next task is to enable the redundant internet connection.. so now I wonder if that is going to introduce any more issues..
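
Added example, not part of any post in this thread: a small audit of an OpenVPN server config for the settings discussed above (BF-CBC, SHA1, 1024-bit DH, and whether the pushed route is limited to the single PBX address). The sample configs, the addresses, and the convention that the DH file name ends in its bit length are assumptions; the thread only reports SHA1 as tested, so SHA256 in the second sample is illustrative.

```python
import ipaddress
import re
import shlex

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC"}  # 64-bit block ciphers
WEAK_DIGESTS = {"MD5", "SHA1"}
MIN_DH_BITS = 2048

# Constructed sample configs (addresses and file names are placeholders).
WEAK_CONF = """\
cipher BF-CBC
auth SHA1
dh /etc/dh-parameters.1024
push "route 192.168.10.0 255.255.255.0"
"""
HARDENED_CONF = """\
cipher AES-256-CBC
auth SHA256
dh /etc/dh-parameters.2048
push "route 192.168.10.20 255.255.255.255"
"""

def audit(conf_text):
    """Return (directive, finding) pairs for weak crypto or a broad pushed route."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # OpenVPN comment markers
            continue
        words = shlex.split(line)            # keeps the quoted push argument whole
        key, args = words[0], words[1:]
        if key == "cipher" and args and args[0].upper() in WEAK_CIPHERS:
            findings.append((key, f"{args[0]} is a 64-bit block cipher"))
        elif key == "auth" and args and args[0].upper() in WEAK_DIGESTS:
            findings.append((key, f"{args[0]} digest; prefer SHA256 or stronger"))
        elif key == "dh" and args:
            m = re.search(r"(\d+)(?:\.pem)?$", args[0])  # assumes size is in the name
            if m and int(m.group(1)) < MIN_DH_BITS:
                findings.append((key, f"{m.group(1)}-bit DH parameters"))
        elif key == "push" and args:
            sub = args[0].split()
            if len(sub) == 3 and sub[0] == "route":
                net = ipaddress.ip_network(f"{sub[1]}/{sub[2]}", strict=False)
                if net.num_addresses > 1:
                    findings.append((key, f"{net} covers {net.num_addresses} hosts"))
    return findings

if __name__ == "__main__":
    for directive, finding in audit(WEAK_CONF):
        print(f"{directive}: {finding}")
```

A pushed route only tells the client what to send through the tunnel; limiting phones to the one Asterisk address still depends on the firewall rules on the OpenVPN interface.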