Configuring VPN

This section will cover how to create a VPN server as well as a VPN client on a Far South unit. The section will also demonstrate how to configure a SIP handset to register an extension via the VPN server created.

Configuring a VPN server

1. Navigate to the units' GUI and under the configuration section find the "Networking" tab. Find the listed VPN server "vpns1". Right click to edit and tick enable. Choose am appropriate !P address and netmask. Under the VPN tab you can configure the protocol and set the public IP and port.

Routes are added by selecting the Routes tab once configuring the interface. Routes on VPN interfaces are added as with any other network interface, as described in the Administrator Guide (https://fsn-doc1.dyn.commanet.co.za/index.php/docs/1-5-administrators-guide/commissioning-the-unit/network-configuration/ethernet-interface-configuration/managing-ip-routes/)

2. Accept, Review/Apply and your server should come up green and status must read "OK"

In order for a device to authenticate as a client with the Com.X VPN server, the client needs to present its certificate issued by that server. The appropriate certificates are generated and packaged by the Com.X.

3. Right-click the Vpns1 interface in the interfaces list, and select VPN clients.

4. Select New, and name the new client sensibly.

5. Apply the configuration to generate certificates.

6. Select the client from the clients list and select Get Configuration. The certificates are available in a variety of packages, to suit the client device.

Note: Changes must be applied after the creation of a client before requesting configuration. No client configuration is created before the changes are applied, and so no configuration will available for un-applied clients.

Revoking Client certificates

To revoke certification for a client device, right-click on the desired device in the VPN Served Clients list, and select Revoke. Clients authenticating with revoked certificates will be denied. Note that a certificate, once revoked, cannot be used again. A new client certificate will have to be issued.

Configuring a VPN client

For a unit to register as a VPN client, the certificate needs to be generated as shown in step 6 above. The PKCS12 file is the one needed.

To add a new VPN client interface, navigate to the network tab of the Comma GUI.

1. Select Options, "New VPN..."

2. Tick the enable box

3. Under the VPN tab input the remote server address and upload the PKCS12 file by clicking the ellipses "..." \

4. Select the appropriate file, accept and Review/Apply

Note that the VPN client will generate an IP in the range of the VPN server subnet. If the client does not come up green you may have to restart the opnevpn service under the status tab.

Configuring a handset and a VPN extension

Generating Certificates for Client devices

1. Right-click the Vpns1 interface in the interfaces list, and select VPN clients.

2. Select the client from the clients list and select Get Configuration.

3. For Yealink handsets, select Config(tar) and then either Yealink (for devices with older firmware) or Yealink 70 (for devices running firmware version .70 or more recent). Save this folder to your PC or terminal, to later be uploaded onto the relevant IP endpoint.

Configuring a Sip Extension

A generic SIP extension needs to be configured on the Com.X. The remote phone will register as this extension, through the VPN tunnel.

1. Navigate to the extensions tab of the Com.X GUI and select Add, Generic SIP.

2. Select a suitable name and extension number and make note of the generated password. (It would be best to record this password and extension number as you will later need to configure the handset with these details).

3. Review/Apply