This section will cover how to create a VPN server as well as a VPN client on a Far South unit. The section will also demonstrate how to configure a SIP handset to register an extension via the VPN server created.
1. Navigate to the unit's GUI and, under the configuration section, find the "Networking" tab. Find the listed VPN server "vpns1". Right-click to edit it and tick enable. Choose an appropriate IP address and netmask. Under the VPN tab you can configure the protocol and set the public IP and port.
Routes are added by selecting the Routes tab after configuring the interface. Routes on VPN interfaces are added as with any other network interface, as described in the Administrator Guide (https://fsn-doc1.dyn.commanet.co.za/index.php/docs/1-5-administrators-guide/commissioning-the-unit/network-configuration/ethernet-interface-configuration/managing-ip-routes/).
2. Accept, Review/Apply and your server should come up green and the status must read "OK".
In order for a device to authenticate as a client with the Com.X VPN server, the client needs to present its certificate issued by that server. The appropriate certificates are generated and packaged by the Com.X.
3. Right-click the Vpns1 interface in the interfaces list, and select VPN clients.
4. Select New, and name the new client sensibly.
5. Apply the configuration to generate certificates.
6. Select the client from the clients list and select Get Configuration. The certificates are available in a variety of packages, to suit the client device.
Note: Changes must be applied after the creation of a client before requesting configuration. No client configuration is created before the changes are applied, and so no configuration will be available for un-applied clients.
To revoke certification for a client device, right-click on the desired device in the VPN Served Clients list, and select Revoke. Clients authenticating with revoked certificates will be denied. Note that a certificate, once revoked, cannot be used again. A new client certificate will have to be issued.
For a unit to register as a VPN client, the certificate needs to be generated as shown in step 6 above. The PKCS12 file is the one needed.
To add a new VPN client interface, navigate to the network tab of the Comma GUI.
1. Select Options, "New VPN..."
2. Tick the enable box
3. Under the VPN tab, input the remote server address and upload the PKCS12 file by clicking the ellipsis "..."
4. Select the appropriate file, accept and Review/Apply
Note that the VPN client will generate an IP address in the range of the VPN server subnet. If the client does not come up green, you may have to restart the openvpn service under the status tab.
1. Right-click the Vpns1 interface in the interfaces list, and select VPN clients.
2. Select the client from the clients list and select Get Configuration.
3. For Yealink handsets, select Config(tar) and then either Yealink (for devices with older firmware) or Yealink 70 (for devices running firmware version .70 or more recent). Save this folder to your PC or terminal, to later be uploaded onto the relevant IP endpoint.
A generic SIP extension needs to be configured on the Com.X. The remote phone will register as this extension, through the VPN tunnel.
1. Navigate to the extensions tab of the Com.X GUI and select Add, Generic SIP.
2. Select a suitable name and extension number and make note of the generated password. (It would be best to record this password and extension number as you will later need to configure the handset with these details).
3. Review/Apply
Your handset will need to have the VPN settings and the extension account settings configured manually. For this example, a Yealink is configured as a remote extension on the VPN. You will be working on the GUI of the handset.
1. Navigate to the advanced Network settings page, enable VPN and upload the .tar certificates file that you downloaded from the Com.X GUI. Confirm the VPN settings.
2. Then navigate to the account settings and configure the handset with the corresponding extension number and password configured on the Com.X.
3. Set the Server IP address to that of the VPN server on the Com.X (the VPN server IP is the correct IP, not the public IP, which is used only for the VPN to be authenticated. Once the VPN is active, the device can contact the VPN server through the VPN tunnel).
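The address rules above (client address inside the VPN server subnet, handset Server IP set to the VPN server address rather than the public IP) can be checked before a handset is deployed. The following is an added example, not part of the Com.X documentation or software; the function name audit_handset and all addresses are constructed for illustration.

```python
import ipaddress


def audit_handset(server_if, public_ip, client_ip, sip_server):
    """Return a list of findings; an empty list means the settings agree.

    server_if  -- IP address/netmask chosen for the vpns1 interface
    public_ip  -- public IP set under the server's VPN tab
    client_ip  -- the VPN client's address on the tunnel
    sip_server -- Server IP entered in the handset's account settings
    """
    iface = ipaddress.ip_interface(server_if)
    net = iface.network
    public = ipaddress.ip_address(public_ip)
    client = ipaddress.ip_address(client_ip)
    sip = ipaddress.ip_address(sip_server)
    findings = []

    # The client address must be a usable host inside the VPN server subnet.
    if client not in net:
        findings.append(f"client {client} is outside VPN subnet {net}")
    elif client in (iface.ip, net.network_address, net.broadcast_address):
        findings.append(f"client {client} is not a usable host address in {net}")

    # The handset registers to the VPN server address; the public IP is
    # only the endpoint the VPN itself connects to.
    if sip == public:
        findings.append(
            f"SIP server {sip} is the public IP; use VPN server address {iface.ip}"
        )
    elif sip != iface.ip:
        findings.append(f"SIP server {sip} is not the VPN server address {iface.ip}")
    return findings


# Constructed sample values (assumptions, not taken from a real unit).
SERVER_IF = "10.8.0.1/255.255.255.0"
PUBLIC_IP = "203.0.113.10"

if __name__ == "__main__":
    for sip in ("10.8.0.1", "203.0.113.10"):
        result = audit_handset(SERVER_IF, PUBLIC_IP, "10.8.0.6", sip)
        print(sip, "->", result or "OK")
```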