
UTM SSL VPN and GrandStream Phones

 GrandStream phones have an OpenVPN client built in, but they only allow the CA, cert and key files to be uploaded to the phone, plus the VPN server IP, port and protocol. There is no login/password field. Contacting Grandstream support, they just tell me not to use a login/password. Is this even possible with the UTM? Keep in mind I have about 150 VPN users, so making a major change to the SSL VPN isn't an option because those 150 would need to redownload configs.

 

Can you make a local user who is cert based only?

 

All our other users are AD/RADIUS backend synced.



  • If they don't have a builtin user and password, you're out of luck with the UTM's implementation of OpenVPN.  There's no way to create a blank user with a blank password.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • That is what I was afraid of. And they are telling me to just turn off the login/password option on the OpenVPN server and just use certs.

  • Funny you said that. 12 hours ago I posted to them.

     

    We cannot change our server side to remove logins/passwords. It is NOT a secure way to run a VPN. If you use only certs, someone can get those certs and gain full access without logins to stop them, as certs can be transferred via email and other methods with or without someone's knowledge.

    Your phone firmware should provide a place to put logins/passwords. It is 2 fields; it shouldn't be very difficult to add, rather than asking customers to redesign their network infrastructure.

    If I was able to change the server side, I would need to have 200 VPN users in my company redownload all the configs to change the client side, which I am not willing to do.

  • I made headway. It is now with the devs.

  • Hi JayMan,

    That's great news! Tbh, I would love to use the Grandstream phones that I've deployed to our company in an SSL VPN fashion, as that means I can hand a salesperson who switches locations regularly a phone which has ACLs so that they can do premium rate calls only from HO IPs; atm I have to allow them to do anything from anywhere.

    Would love to hear how it goes!

    Emile

  • JayMan said:

    I made headway. It is now with the devs.


    Hey this is great to hear. Have you had any update from Grandstream Devs?

    I also have remote workers and hate the fact that I have to buy a RED for people that have public dynamic IPs, and having to create rules for those that have statics.

  • Not a peep. I say put in a ticket like I did.

  • Well, now here is some breaking news. The newest beta firmware for the GrandStream 21xx models has a LOGIN AND PASSWORD option for OpenVPN. I was able to get it working on my UTM today with very little effort.

     

    Just download the Linux OpenVPN files from the UTM and upload the certs and the key, and away you go. You do need to make sure compression is enabled on the UTM under the OpenVPN/SSL options.
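The post above describes the client-side procedure: take the OpenVPN files exported by the UTM, upload the CA, client cert and client key to the phone separately, make sure the profile carries a login/password and that compression matches the server. The script below is an added example, not code from the thread, from Sophos, or from Grandstream. It assumes the exported profile is a single `.ovpn`/`.conf` text with inline `<ca>`, `<cert>` and `<key>` blocks (UTM exports may instead ship separate files; in that case only the directive check applies). The profile text is constructed for the example and contains placeholder PEM bodies, not real keys. It splits the inline blocks into the three files a phone upload form wants, and flags a profile that lacks `auth-user-pass` or a compression directive, which are the two things the thread says have to line up with the server.

```python
"""Split an OpenVPN client profile into phone-uploadable files and sanity-check it.

Added example (not from the forum thread). The sample profile below is
constructed; the PEM bodies are placeholders, not real certificates or keys.
"""
import re
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample: what a user/password + cert profile would look like.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
auth-user-pass
comp-lzo yes
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT-BODY
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY-BODY
-----END PRIVATE KEY-----
</key>
"""

# Constructed cert-only sample (what Grandstream support suggested in the thread).
SAMPLE_CERT_ONLY = SAMPLE_OVPN.replace("auth-user-pass\n", "").replace("comp-lzo yes\n", "")

# Inline tag -> file name the phone's VPN page expects (assumed naming).
INLINE_TAGS = {"ca": "ca.crt", "cert": "client.crt", "key": "client.key"}


def extract_inline_blocks(profile: str) -> Dict[str, str]:
    """Return the PEM text inside each <ca>/<cert>/<key> block that is present."""
    blocks: Dict[str, str] = {}
    for tag in INLINE_TAGS:
        m = re.search(rf"<{tag}>\n(.*?)</{tag}>", profile, re.S)
        if m:
            blocks[tag] = m.group(1)
    return blocks


def profile_directives(profile: str) -> Dict[str, str]:
    """Parse top-level directives, ignoring inline blocks and comments."""
    stripped = re.sub(r"<(ca|cert|key|tls-auth|tls-crypt)>.*?</\1>", "", profile, flags=re.S)
    directives: Dict[str, str] = {}
    for raw in stripped.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives


def compression_directive(directives: Dict[str, str]) -> Optional[str]:
    """Return the compression directive in use, if any (must match the server)."""
    for key in ("comp-lzo", "compress"):
        if key in directives:
            return key
    return None


def profile_warnings(profile: str) -> List[str]:
    """Things that would make this profile fail or be unacceptable per the thread."""
    d = profile_directives(profile)
    blocks = extract_inline_blocks(profile)
    warnings: List[str] = []
    if "auth-user-pass" not in d:
        warnings.append("no auth-user-pass: this is a cert-only profile; UTM side expects a login")
    if compression_directive(d) is None:
        warnings.append("no compression directive: enable compression on the UTM or add it here")
    for tag in INLINE_TAGS:
        if tag not in blocks:
            warnings.append(f"missing inline <{tag}> block; nothing to upload for {INLINE_TAGS[tag]}")
    if "remote" not in d or "proto" not in d:
        warnings.append("remote/proto missing; the phone needs server IP, port and protocol")
    return warnings


def write_phone_files(profile: str, outdir: str) -> List[Path]:
    """Write ca.crt / client.crt / client.key next to each other for upload."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    written: List[Path] = []
    for tag, pem in extract_inline_blocks(profile).items():
        path = out / INLINE_TAGS[tag]
        path.write_text(pem)
        if tag == "key":
            path.chmod(0o600)  # the private key is the part that must not leak
        written.append(path)
    return written


if __name__ == "__main__":
    for name, prof in (("user+cert", SAMPLE_OVPN), ("cert-only", SAMPLE_CERT_ONLY)):
        print(name, profile_warnings(prof) or "ok")
```

The cert-only warning is the point the original poster makes: a profile with only a certificate and key is a bearer credential that can be forwarded by mail, so the check refuses to call it "ok". The key file is written with mode 0600 because the phone upload still needs it on disk for a moment.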

  • Holy CRAP something actually worked.....

    Just attached my 2160 to an XG135... Now to do some serious testing...

     

    Good eye on the firmware, to be honest I gave up on this months ago.

    Are you running UTM or XG? I didn't see any compression settings in my XG, but in all the excitement I could have overlooked it.

     

  • UTM and it is under the VPN settings.

  • Hmm, ok. I'm running XG.

     

    Did some basic testing and was able to get the phone connected to the remote network but not to my PBX.

    So I still have some work to do: setting up a VoIP SSL VPN group and applying rules to route them to a specific VLAN.

  • You may have to set up a firewall rule or even ACLs outside of the UTM to say the VPN DHCP pool can reach your PBX.

     

    Also, on the phone I had to set NAT Traversal to VPN or I just got one-sided audio.
