Configure Phone to use FreePBX System Admin OpenVPN Client

• First we need to setup the VPN Server in FreePBX Sysadmin Admin module.  This is a paid feature from Sangoma called System Admin Pro module.  
• Navigate to the System Admin module on your PBX and click on VPN Server in the right menu of the System Admin module
  
  
• On the settings tab make sure you have the VPN server enabled
  
  
• Server range can be left as default.  This is the IP range that the VPN server will use when giving clients a IP Address
  
  
• Server Remote Address is the IP address of the PBX/VPN Server.  This needs to be a IP that the remote phone can reach to connect to the OpenVPN server on the PBX so its usually your external IP address or FQDN.  Make sure you have the OpenVPN port 1194 opened on your firewall and pointing to the PBX IP address.
  
  
• Submit your changes and press the Red Apply config button
  
  

Configure OpenVPN Clients in User Management module

• Navigate to the User Management module on your PBX and edit either the User or the group to verify and enable OpenVPN for any users or groups that you want to have a VPN Client
  
  
• Under the VPN tab either set Enabled to be Yes or if editing a user you can set it to Inherit as long as the group they belong to has the VPN enabled
  
• Now that the user has been enabled for VPN and a client certificate has been generated we can now tell your Clearly Phone to use the VPN client and which devices for the user should use the VPN client.
  
  

Give a User permissions in User Management to use the VPN Client for Clearly Devices 

Create Template in Clearly Devices using VPN IP

• We now need to go create a template in Clearly Devices that has the template use the VPN IP address of the PBX.  The VPN IP address of your PBX is going to be the x.x.x.1 of the Server Range that you defined in System Admin VPN Setup.  By default the range is 10.8.0.0 unless you changed it so the IP Address to reach the PBX across the VPN would be 10.8.0.1
• Navigate the the Clearly Devices module and create a new Template Layout from the right menu
  
  
• Setup the Template like you have for your other Template. The only difference will be the changes below
• Set the Primary Host which is the Asterisk server to be the VPN IP address
  
  
• We recommend you not move phone provisioning to use the VPN but instead allow access to the phone provisioning port through your firewall to the PBX.  The reason is a lot of things in phone provisioning happen after the local network on the phone is brought up but before the VPN is full established so if you try and use the VPN for phone provisioning you may encounter problems so we recommend not trying to use the VPN for this. 
  
  
• Phone App URL put in the IP address of the VPN Server
  
  
• Submit your changes
  
  

Tell a Device to use VPN and VPN Template

• Lastly we just need to tell Clearly Devices module what specific devices we want to use the VPN.  Earlier we setup VPN cert for a user but since a user can have more than 1 device and some devices may need VPN whiles others for the same user do not we need to edit Device Mappings for a specific MAC address now and enable that device to use the VPN cert from the user.
• Navigate to Clearly Devices and on the right menu click on Device Mappings
  
  
• Click on the Edit icon for the device you want to enable VPN for.
  
  
• Check the box for VPN.
  
  
• Press the Submit button it will rebuild the config for the phone and if the phone is registered to the PBX it will push an updated config to the phone.  If the phone is not registered you will now need to have it pull down an updated config which will cause it to reboot to change the networking to OpenVPN.
  

Verify Phone is using VPN

• Once the phone is properly provisioned to use the VPN you will see a small VPN icon on the top menu of the phones idle screen as shown below.