A-Series OpenVPN
Defaults
By default, the phone does not attempt to connect using OpenVPN. These options must be enabled.
Recommended Firmware
At present, all released versions of firmware support OpenVPN connectivity.
Compatibility
OpenVPN connectivity is supported by models A20, A22, A25, and A30.
Important Notes
OpenVPN server configuration must not require manual password entry in order to connect. The phone does not provide the user a means of inputting user and/or password credentials as a part of VPN connection.
Certificates have been tested in CRT format only.
Requirements
In order to connect to an OpenVPN server, the phone utilizes an OpenVPN configuration file (client.ovpn), a Root (CA) certificate (ca.crt), a client KEY (client.key), and a client CRT (client.crt). These files must either be manually updated to the phone by an admin web UI user, or the phone must be configured, through its configuration file, to retrieve a .tar.gz file containing them. When directed by its configuration, the phone will attempt to retrieve the package with cURL from a defined HTTP or TFTP server.
These files can be retrieved from a location that requires no HTTP authentication, basic HTTP authentication, or digest HTTP authentication. Once the files are retrieved, the phone will store them locally and will use them on successive boots. If the phone receives a new configuration file, and the URL has changed, the phone will retrieve the new package and use its contents instead.
It is important to note that the phone must be able to retrieve the OpenVPN configuration files without actually being connected to the VPN. This presents a chicken-and-egg scenario that is most often solved by connecting the phone to an already-secure network, feeding it a configuration file that points to VPN configuration files that can be retrieved, and then, once successfully loaded, moving the phone to the insecure network.
Configuration
Configuration of OpenVPN can be performed via the phone's web UI. This section will cover configuration via the phone's configuration file.
A2x VPN Configuration Example
<<VOIP CONFIG FILE>>Version:2.0000000000

<VPN CONFIG MODULE>
VPN mode :2
Enable VPN Tunnel :1

<AUTOUPDATE CONFIG MODULE>
Auto etc Url :https://user:password@server.example.com/openvpn/etc.tar.gz
<<END OF FILE>>
The VPN mode element controls the type of VPN to be used. In this case, we are configuring for OpenVPN, so the value is 2.
The Enable VPN Tunnel element controls whether or not the phone is to start up the OpenVPN connection. It defaults to 0, so it must be set to 1.
The Auto etc Url element contains the URL path to a .tar.gz package of the OpenVPN configuration files, containing:
ca.crt
client.crt
client.key
client.ovpn
A30 VPN Configuration Example
<<VOIP CONFIG FILE>>Version:2.0000000000

<VPN CONFIG MODULE>
VPN mode :2
Enable VPN :1

<AUTOUPDATE CONFIG MODULE>
Auto etc Url :https://user:password@server.example.com/openvpn/etc.tar.gz
<<END OF FILE>>
The .tar.gz file should contain the configuration files and may be constructed as such:
tar czvf etc.tar.gz ca.crt client.crt client.key client.ovpn
When the VPN is Enabled
When the Enable VPN Tunnel element is enabled on the phone, the phone will display a lock in the status bar, which differs from the normal icon shown when the phone is not connected to a VPN.
The VPN-connected IP address is visible only in the phone's web UI, in the Network>VPN screen under "Virtual Private Network (VPN) Status."
The OpenVPN configuration file
OpenVPN has myriad configuration options, and not all can be or have been tested with Sangoma's A-Series phones. A tested, sample configuration file is provided here:
client
dev tun
proto udp
remote server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 3
Within this file you must pass in the ca, cert, and key parameters as ca.crt, client.crt, and client.key. Further, they must be passed in without directory declarations - OpenVPN will search for them in the local directory.
It is not possible to in-line the ca, cert, or key parameters.
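A pre-publication check for the etc.tar.gz package, added here as an example (it is not Sangoma's code): it applies the rules stated on this page, namely the four required files, ca/cert/key given as bare file names, no inline blocks, and nothing that needs a password typed in. The function names and the sample package are constructed; treating any auth-user-pass directive and any encrypted client.key as an error is an assumption drawn from the no-password-entry note.

```python
import io
import tarfile

REQUIRED = {"ca.crt", "client.crt", "client.key", "client.ovpn"}
FILE_DIRECTIVES = {"ca": "ca.crt", "cert": "client.crt", "key": "client.key"}

def check_package(fileobj):
    """Return problems found in an etc.tar.gz (read in memory); empty means OK."""
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        files = {m.name: tar.extractfile(m).read()
                 for m in tar.getmembers() if m.isfile()}
    problems = [f"missing {n}" for n in sorted(REQUIRED - set(files))]
    problems += [f"unexpected member {n}" for n in sorted(set(files) - REQUIRED)]
    seen = {}
    for raw in files.get("client.ovpn", b"").decode("utf-8", "replace").splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0].startswith(";"):
            continue  # blank line or comment
        if words[0] in ("<ca>", "<cert>", "<key>"):
            problems.append(f"inline {words[0]} block; use a file reference")
        elif words[0] in FILE_DIRECTIVES:
            seen[words[0]] = " ".join(words[1:])
        elif words[0] == "auth-user-pass":
            # Assumption: flagged in any form, as the package holds only four files.
            problems.append("auth-user-pass: phone cannot take credential input")
    for directive, expected in FILE_DIRECTIVES.items():
        if "client.ovpn" in files and seen.get(directive) != expected:
            problems.append(f"{directive} must be {expected!r}, got {seen.get(directive)!r}")
    if b"ENCRYPTED" in files.get("client.key", b""):
        problems.append("client.key is passphrase-protected")
    return problems

def build_package(files):
    """Build an in-memory .tar.gz from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

# Constructed sample: client.ovpn abridged from the page's file, placeholder PEM bodies.
GOOD_OVPN = (b"client\ndev tun\nproto udp\nremote server.example.com 1194\n"
             b"ca ca.crt\ncert client.crt\nkey client.key\nverb 3\n")
GOOD = {"ca.crt": b"CA", "client.crt": b"CRT", "client.key": b"KEY", "client.ovpn": GOOD_OVPN}
if __name__ == "__main__":
    print(check_package(build_package(GOOD)) or "package OK")
```

To check a real package, pass an opened file: `check_package(open("etc.tar.gz", "rb"))`.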