Introduction
In this article, I will describe my experience of connecting Fanvil X2, X3S, X4, X5S and X6 phones (a new line of Fanvil IP phones) to a 3CX server through the L2TP VPN tunnel built into the phone firmware.
First of all, I will explain what this is for. Suppose you have a remote employee (or even several) working from home. You can connect the employee's “home office” via VPN, but this requires VPN support on the home router and various restrictions on access to corporate resources from the employee's home network. You can also connect the phone directly via an RPS server, as described in this guide. However, the disadvantage of this approach is that you have to open SIP port 5060 to the whole world. Although 3CX has a very solid security system of its own, this configuration should be used with caution. The second problem is that not all routers “allow” IP phones to work correctly through NAT. In addition, you will not be able to quickly connect to the web interface of the IP phone (after all, it is located in the user's home network).
A good way to connect remote users is the proprietary 3CX Tunnel technology in the 3CX SBC utility. But in this case, you will have to install a Raspberry Pi type device or install the utility on the user's PC. The disadvantage is that the connection works only while the computer is running.
Connecting the phone through the L2TP VPN tunnel eliminates almost all these disadvantages:
- The phone looks local to 3CX - no need to open the SIP port and you can easily connect to the device’s web interface
- No need to use 3CX SBC
- Very simple setup
Note! According to the Fanvil documentation, the L2TP tunnel does not encrypt traffic. An OpenVPN tunnel can provide encryption, but its configuration is rather laborious and is beyond the scope of this article. Traffic encryption is also implemented in the 3CX Tunnel technology.
Setting up a connection consists of three steps:
- Modifying the stock Fanvil template
- Auto-provisioning the phone with the modified template
- Setting up the L2TP tunnel on the Mikrotik router and creating users
- Connection check
Modifying the stock Fanvil template
The template must be modified to automate the configuration of the L2TP tunnel on the phones (so that you do not have to configure the tunnel address and credentials manually on each phone). The easiest way is to use the same credentials for the L2TP user as for the SIP account. These parameters will be inserted into the template automatically via 3CX auto-provisioning variables.
To understand what exactly needs to be changed, we will do two things.
Configure L2TP manually as you need (Network section - VPN).

Open the phone configuration (System - Configurations) and search it for the keyword vpn.

This is what needs to be changed in the stock 3CX template.

Copy the template, name it fanvil_l2tp and specify the following variables:
- VPN Mode - 1 (L2TP)
- L2TP_LNS_IP - external address / name of the 3CX server
- L2TP_User_Name - SIP username
- L2TP_Password - SIP user password
- Enable_VPN_Tunnel - 1 (On)

Click OK and the template will be ready.
Auto-provisioning the phone with the modified template
Now the template can be used to configure the phones. However, before this, be sure to manually flash them with the officially supported 3CX firmware, so that the 3CX auto-provisioning templates can be applied to them correctly.
After the manual firmware update, configure the phone on the local network with the stock 3CX template, as described here. You can then upgrade the firmware again if a newer version is available, but now this is done automatically from the Phones section of the 3CX management interface, using the Firmware button.

After the phone is successfully flashed, configured and connected, go to the Users - User - Autotune phone section, delete the attached phone (stock template) and replace it with the modified template.

After that, go to the Phones section, select the user, and click the Migrate button.

The phone will update the template and enable the L2TP tunnel.
Note! Official 3CX technical support does not cover modified templates.
Note! When an updated stock 3CX template is released, you should create a modified version of it again and reconfigure the phones.
Configuring the L2TP tunnel on the Mikrotik router
There are many similar guides for configuring the L2TP tunnel on Mikrotik. I will describe the fastest way, which, however, requires some modifications.
If you have a new router, configure it via the Quick Set menu and enable VPN access.

Note! On the router, go to the PPP - Profiles - default-encryption section and be sure to specify the DNS server that will be issued to the phones. Without this setting, Fanvil phones do not connect.

In the screenshot above, the local address of the L2TP server is 192.168.89.1, phone addresses are issued from the pool of vpn addresses, and the DNS server is the IP address of the Mikrotik local network interface (or bridge).
Now, in the PPP - Secrets section, add phone authorization credentials. As mentioned, they match the SIP credentials. If you want to automate this, export users from 3CX, edit the export file and create users with a script in Mikrotik. We will omit this process.
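One way to automate the step above, as an added example that is not part of the original article: a Python script that turns a CSV export into RouterOS `/ppp secret add` commands. The column names `Number`, `AuthID` and `AuthPassword`, the sample rows, the character whitelist and the minimum password length are assumptions; check them against your own export and policy.

```python
import csv
import io
import re

# Constructed sample export; the column names are assumed, not taken from 3CX.
SAMPLE_EXPORT = """\
Number,AuthID,AuthPassword
101,a1B2c3D4e5,Xk9mQ2pL7v
102,f6G7h8I9j0,short
103,bad id,Zt4nW8rY1c
101,a1B2c3D4e5,Xk9mQ2pL7v
"""

# Conservative whitelist: no quotes, spaces, "$" or ";" can reach the router script.
SAFE = re.compile(r"[A-Za-z0-9._-]+")
MIN_PASSWORD_LEN = 10  # assumed policy, adjust to your own


def build_secrets(export_text, profile="default-encryption"):
    """Return (commands, rejected) for the rows of a CSV export."""
    commands, rejected, seen = [], [], set()
    for row in csv.DictReader(io.StringIO(export_text)):
        ext = (row.get("Number") or "").strip()
        user = (row.get("AuthID") or "").strip()
        password = (row.get("AuthPassword") or "").strip()
        if not (ext.isdigit() and SAFE.fullmatch(user) and SAFE.fullmatch(password)):
            rejected.append((ext, "unsafe or missing characters"))
        elif len(password) < MIN_PASSWORD_LEN:
            rejected.append((ext, "password too short"))
        elif user in seen:
            rejected.append((ext, "duplicate user name"))
        else:
            seen.add(user)
            # service=l2tp limits the secret to L2TP logins only.
            commands.append(
                f'/ppp secret add name="{user}" password="{password}" '
                f'service=l2tp profile={profile} comment="ext {ext}"'
            )
    return commands, rejected


if __name__ == "__main__":
    cmds, bad = build_secrets(SAMPLE_EXPORT)
    print("\n".join(cmds))
    for ext, reason in bad:
        print(f"# skipped extension {ext}: {reason}")
```

The generated lines can be pasted into a RouterOS terminal; the output holds plaintext credentials, so store it with the same care as the export file.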

If you want to use IP phone connections (L2TP interfaces) in different router rules, I recommend creating L2TP Server Binding for each phone (PPP - Interface - L2TP Server Binding). This allows you to create static interfaces that will not disappear from the rules when the VPN client is disabled.

This completes the configuration of the Mikrotik L2TP server.
Connection check
Turn on the phone on the remote network. It should receive an IP address from your L2TP server.

It should then register successfully with 3CX.

The corresponding dynamic L2TP interface should appear on Mikrotik.

Dial *777 on the phone (the 3CX echo test). Talk into the phone; you should hear yourself. This means that the connection is working correctly.
Conclusion
While testing various Fanvil models, I noticed that the X2, X3S and X4 phones connect and work correctly. At the same time, the X5 and X6 models do not connect via VPN. Maybe it's the phone firmware. We are currently working on this issue with Fanvil tech support.