Provision phone TLS

[ElecBoy]

I am trying to provision a phone with TLS using FusionPBX "Devices" menu. I already have port 5061 and TLS running, if I put it manually I see in registrations TLS-UDP, but if I try to do it via the provision page it always connects normal via port 5060.



This is a picture I took using TLS with port 5061.

This is the phone Registering without TLS.

This is me changing the port manually in the phone.

What I am missing? Thanks!

 

[Caleb]

We use GXP 2130's and a 2160 (current firmware version is 1.0.9.26, but we did the setup originally on an older version... 1.0.7.something?). We needed to set the "SRTP mode" in Accounts > Account (#) > Audio Settings to "Enabled and forced." This causes the phone to send only the SAVP in its SDP to FreeSwitch (as opposed to sending just the AVP (default), or both). I don't know what the respective P-option is off the top of my head, but it's not hard to find that in the config template.

 

[EasyBB]

Wouldn't it be easier to just run OpenVPN between Fusion and the phone rather than setting up TLS for voice? I run OpenVPN with a Yealink phone; I believe Grandstream and Snom have built-in openvpn clients as well.

 

[Caleb]

Potentially. We also use some softphone apps on mobile devices (primarily the Grandstream Wave app) which don't support OpenVPN. Since we decided we would like all internal SIP connections secure, it was simplest for us to just use TLS and SRTP all around instead of configuring two categories.

We did try using the OpenVPN connect app on the mobile devices to connect to our VPN server that's connected to the same subnet as our FusionPBX server, but we were having all sorts of routing issues with that setup. The issues may have been resolved by connecting the OpenVPN app to an OpenVPN server instance on the FusionPBX server, but that would require users to install two apps on the device to make that work, so we didn't pursue that option.