Below you will find a guide that walks you through the steps to allow Clearly Devices module to setup a Clearly IP phone to use the System Admin OpenVPN certs that are generated for a client. Support for OpenVPN with Clearly Devices module required version 14.0.8.9 or greater.
Configure OpenVPN Server in FreePBX System Admin Module
First we need to setup the VPN Server in FreePBX Sysadmin Admin module. This is a paid feature from Sangoma called System Admin Pro module.
Navigate to the System Admin module on your PBX and click on VPN Server in the right menu of the System Admin module
On the settings tab make sure you have the VPN server enabled
Server range can be left as default. This is the IP range that the VPN server will use when giving clients a IP Address
Server Remote Address is the IP address of the PBX/VPN Server. This needs to be a IP that the remote phone can reach to connect to the OpenVPN server on the PBX so its usually your external IP address or FQDN. Make sure you have the OpenVPN port 1194 opened on your firewall and pointing to the PBX IP address.
Submit your changes and press the Red Apply config button
Configure OpenVPN Clients in User Management module
Navigate to the User Management module on your PBX and edit either the User or the group to verify and enable OpenVPN for any users or groups that you want to have a VPN Client
Under the VPN tab either set Enabled to be Yes or if editing a user you can set it to Inherit as long as the group they belong to has the VPN enabled
Now that the user has been enabled for VPN and a client certificate has been generated we can now tell your Clearly Phone to use the VPN client and which devices for the user should use the VPN client.
Give a User permissions in User Management to use the VPN Client for Clearly Devices
In User Management either under the User or the Group if the user will inherit the permission from the group we need to tell Clearly Devices module it can use the System Admin VPN cert that was generated for the user.
Click on the Clearly Devices tab from within the user or group and click on the VPN tab
VPN option should be set to Enable or Inherit. Only set to Inherit if you want the user to inherit the permission from the group they belong to and the group has been enabled for VPN
Use System Administration Generated Client to Yes to have it use the client generated by System admin earlier. We would only set this to No if we wanted to have the user pull its VPN certificate from a different VPN server that was not setup or managed by the System Admin module.
Submit your Changes
Create Template in Clearly Devices using VPN IP
We now need to go create a template in Clearly Devices that has the template use the VPN IP address of the PBX. The VPN IP address of your PBX is going to be the x.x.x.1 of the Server Range that you defined in System Admin VPN Setup. By default the range is 10.8.0.0 unless you changed it so the IP Address to reach the PBX across the VPN would be 10.8.0.1
Navigate the the Clearly Devices module and create a new Template Layout from the right menu
Setup the Template like you have for your other Template. The only difference will be the changes below
Set the Primary Host which is the Asterisk server to be the VPN IP address
We recommend you not move phone provisioning to use the VPN but instead allow access to the phone provisioning port through your firewall to the PBX. The reason is a lot of things in phone provisioning happen after the local network on the phone is brought up but before the VPN is full established so if you try and use the VPN for phone provisioning you may encounter problems so we recommend not trying to use the VPN for this.
Phone App URL put in the IP address of the VPN Server
Submit your changes
Tell a Device to use VPN and VPN Template
Lastly we just need to tell Clearly Devices module what specific devices we want to use the VPN. Earlier we setup VPN cert for a user but since a user can have more than 1 device and some devices may need VPN whiles others for the same user do not we need to edit Device Mappings for a specific MAC address now and enable that device to use the VPN cert from the user.
Navigate to Clearly Devices and on the right menu click on Device Mappings
Click on the Edit icon for the device you want to enable VPN for.
Check the box for VPN.
Press the Submit button it will rebuild the config for the phone and if the phone is registered to the PBX it will push an updated config to the phone. If the phone is not registered you will now need to have it pull down an updated config which will cause it to reboot to change the networking to OpenVPN.
Verify Phone is using VPN
Once the phone is properly provisioned to use the VPN you will see a small VPN icon on the top menu of the phones idle screen as shown below.