NO JOY OpenVPN with Yealink isn't working

ghurty

I downloaded and ran both parts and generated a key, loaded the config into the phone, but it isn't working.

I opened the proper port on the router (1194), but it still didn't work.

What debugging steps can I take? There is nothing wrong with the phone, because if I load a different VPN profile it works.

I entered ifconfig on the server and it is showing a network adapter with the IP address 10.8.0.1.

I even turned off iptables, but that also didn't help.
Thanks
Here is the log from the phone:

Feb 21 00:00:07 openvpn[335]: OpenVPN 2.1.3 mipsel-unknown-linux-uclibc [SSL] [LZO2] [EPOLL] built on Jun 27 2012
Feb 21 00:00:07 openvpn[335]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Feb 21 00:00:07 openvpn[335]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Feb 21 00:00:07 openvpn[335]: WARNING: file '/yealink/config/openvpn/keys/bo.key' is group or others accessible
Feb 21 00:00:07 openvpn[335]: Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Feb 21 00:00:07 openvpn[335]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Feb 21 00:00:07 openvpn[335]: Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Feb 21 00:00:07 openvpn[335]: Local Options hash (VER=V4): '3514370b'
Feb 21 00:00:07 openvpn[335]: Expected Remote Options hash (VER=V4): '239669a8'
Feb 21 00:00:07 openvpn[338]: UDPv4 link local: [undef]
Feb 21 00:00:07 openvpn[338]: UDPv4 link remote:xx.xx.xxx.xxx:1194
Feb 21 00:00:07 openvpn[338]: write UDPv4 []: Network is unreachable (code=128)
Feb 21 00:00:09 openvpn[338]: write UDPv4 []: Network is unreachable (code=128)
Oct 9 03:41:32 openvpn[338]: [UNDEF] Inactivity timeout (--ping-restart), restarting
Oct 9 03:41:32 openvpn[338]: TCP/UDP: Closing socket
Oct 9 03:41:32 openvpn[338]: SIGUSR1[soft,ping-restart] received, process restarting
Oct 9 03:41:32 openvpn[338]: Restart pause, 2 second(s)
 

rjaiswal

From the looks of the log, you haven't configured a route to the pbx subnet. The line with error code 128 basically says what's wrong.

Can you post your openvpn conf, the pbx subnet, and the subnet you're using for openvpn?
 

ghurty

Where do I get the openvpn conf file? Here is the conf file from the tar that was generated when I created the key:
client
Code:
dev tun
proto udp
remote xxx.xxx.xx.xx
 
1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/bo.crt
key /yealink/config/openvpn/keys/bo.key
verb 3
mute 10
nobind

Here is the server.conf file from etc\openvpn:
Code:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
verb 3
cipher AES-128-CBC
tls-auth ta.key 0
comp-lzo
#Uncomment the line below to allow different clients to be able to see each other.
;client-to-client

And here is a copy of ifconfig:
Code:
eth0      Link encap:Ethernet  HWaddr D0:27:88:65:8B:1C
          inet addr:192.168.1.143  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::d227:88ff:fe65:8b1c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:46204298 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35527550 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:73157593 (69.7 MiB)  TX bytes:3844841716 (3.5 GiB)
          Interrupt:29 Base address:0xc000
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:5002412 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5002412 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1072840297 (1023.1 MiB)  TX bytes:1072840297 (1023.1 MiB)
 
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

Thank you
 

rjaiswal

I'm assuming that the openvpn service is not running on the pbx, and is hosted on the gateway.

You need to add a push route statement to your openvpn server.conf

push "route 192.168.1.0 255.255.255.0"

This will allow the endpoint to connect to the pbx subnet.

If openvpn is hosted on a different machine, make sure that you've enabled IP and TUN/TAP forwarding.
 

rjaiswal

Although the 10.8.0.0 address for the server is valid, it's also used to identify subnets. I would change that to .1, just so there aren't any broadcast issues.
 
Joined
Mar 25, 2009
Messages
105
Reaction score
2
I assume you used the Yealink version of the client creation script?
create-EasyOpenVPN-yealink-client.sh
 
Joined
Mar 25, 2009
Messages
105
Reaction score
2
In /var/log/messages, what do you get when a tunnel is being established? I get the following:

Code:
Oct  9 12:05:58 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 TLS: new session incoming connection from 198.X.X.X:1262
Oct  9 12:06:03 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 VERIFY OK: depth=1, /C=US/ST=CA/L=City/O=Organization/CN=server/name=Technology/[email protected]
Oct  9 12:06:03 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 VERIFY OK: depth=0, /C=US/ST=CA/L=city/O=Organization/CN=ExampleUser/[email protected]
Oct  9 12:06:03 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct  9 12:06:03 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct  9 12:06:03 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct  9 12:06:03 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct  9 12:06:03 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Oct  9 12:06:03 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Oct  9 12:06:03 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Oct  9 12:06:05 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 PUSH: Received control message: 'PUSH_REQUEST'
Oct  9 12:06:05 example-pbx openvpn[3057]: ExampleUser/198.X.X.X:1262 SENT CONTROL [ExampleUser]: 'PUSH_REPLY,route 10.60.1.1,topology net30,ping 10,ping-restart 120,ifconfig 10.60.1.6 10.60.1.5' (status=1)
 

ghurty

A lot of errors re TLS Error: cannot locate HMAC

Code:
Oct  9 15:23:38 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:2006
Oct  9 15:23:39 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:2006
Oct  9 15:23:43 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:2006
Oct  9 15:23:52 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:2006
Oct  9 15:24:08 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:2006
Oct  9 15:24:40 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:2007
Oct  9 15:24:41 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:2007
Oct  9 15:24:45 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:2007
Oct  9 15:24:53 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:2007
Oct  9 15:25:42 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:1024
Oct  9 15:25:47 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:1027
Oct  9 15:25:50 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:1027
Oct  9 15:25:54 pbx openvpn[22194]: TLS Error: cannot locate HMAC in incoming packet from YY.YY.YY.YY:1027

Thanks
 
Joined
Mar 25, 2009
Messages
105
Reaction score
2
I think the "cannot locate HMAC" message is related to not having the same key on the server and client. That would be difficult to make happen using the scripts. There must be something else misconfigured.
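
An added example, not code from any poster or from the EasyOpenVPN scripts: a check of the options both OpenVPN peers must agree on, run over excerpts of the client config and server.conf posted earlier in this thread. A server with `tls-auth` drops packets that carry no HMAC signature, which is what "cannot locate HMAC" reports when the client config has no `tls-auth` line. The BF-CBC and SHA1 defaults are taken from the phone's OpenVPN 2.1.3 log output; the function names are hypothetical.

```python
# Added example. Defaults are what OpenVPN 2.1 uses when a directive is absent.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1", "proto": "udp"}

CLIENT_CONF = """\
client
dev tun
proto udp
remote xxx.xxx.xx.xx 1194
key /yealink/config/openvpn/keys/bo.key
"""
SERVER_CONF = """\
proto udp
dev tun
cipher AES-128-CBC
tls-auth ta.key 0
comp-lzo
;client-to-client
"""

def parse(conf):
    """Return {directive: [args]}, skipping blank lines and '#' / ';' comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            opts[name] = args
    return opts

def mismatches(client_conf, server_conf):
    c, s = parse(client_conf), parse(server_conf)
    found = []
    for opt in ("proto", "cipher", "auth"):        # values must be equal
        cv = c.get(opt, [DEFAULTS[opt]])[0]
        sv = s.get(opt, [DEFAULTS[opt]])[0]
        if cv != sv:
            found.append(f"{opt}: client={cv} server={sv}")
    for opt in ("comp-lzo", "tls-auth"):           # must be on both sides or neither
        if (opt in c) != (opt in s):
            side = "client" if opt in s else "server"
            found.append(f"{opt}: missing on {side}")
    # tls-auth key directions must be complementary (server 0, client 1).
    cd, sd = c.get("tls-auth", [])[1:], s.get("tls-auth", [])[1:]
    if cd and sd and cd == sd:
        found.append("tls-auth: key direction is the same on both sides")
    return found

if __name__ == "__main__":
    print("\n".join(mismatches(CLIENT_CONF, SERVER_CONF)))
```

Adding `tls-auth` on the client also requires copying the server's `ta.key` to the phone alongside the other keys.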
 

ghurty

Should I just generate a new key for the client?
 

tbrummell

In your client config, the 1194 does follow the IP address of the server and that is just a formatting problem, right? That's all I see that is out of line...
 

ghurty

I just ran the script to generate a new key for the phone and I get the same "TLS Error: cannot locate HMAC in incoming packet from" error.

Can I flush everything and start again?
 

ghurty

It looks like I'm getting somewhere. Now the VPN logo appears on the phone (not dark though), but I cannot register to an extension. I tried 101 for example and it fails. Nothing shows up in the asterisk log.
Thank you

Here is the phone log
Code:
Oct  9 20:17:16 openvpn[338]: [server] Inactivity timeout (--ping-restart), restarting
Oct  9 20:17:16 IPP[449]: IPP <4+warnin>836.062.473:unkown msg,00010102,00000000,00000000
Oct  9 20:17:16 openvpn[338]: TCP/UDP: Closing socket
Oct  9 20:17:16 openvpn[338]: SIGUSR1[soft,ping-restart] received, process restarting
Oct  9 20:17:16 openvpn[338]: Restart pause, 2 second(s)
Oct  9 20:17:18 openvpn[338]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Oct  9 20:17:18 openvpn[338]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Oct  9 20:17:18 openvpn[338]: Re-using SSL/TLS context
Oct  9 20:17:18 openvpn[338]: Control Channel MTU parms [ L:1541 D:138 EF:38 EB:0 ET:0 EL:0 ]
Oct  9 20:17:18 openvpn[338]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Oct  9 20:17:18 openvpn[338]: Data Channel MTU parms [ L:1541 D:1450 EF:41 EB:4 ET:0 EL:0 ]
Oct  9 20:17:18 openvpn[338]: Local Options hash (VER=V4): '3514370b'
Oct  9 20:17:18 openvpn[338]: Expected Remote Options hash (VER=V4): '239669a8'
Oct  9 20:17:18 openvpn[338]: UDPv4 link local: [undef]
Oct  9 20:17:18 openvpn[338]: UDPv4 link remote: xx.xxx.xxx.xxx7:1194
Oct  9 20:17:18 openvpn[338]: TLS: Initial packet from 67.82.56.107:1194, sid=bcc7bf98 95fb7b8d
Oct  9 20:17:18 openvpn[338]: VERIFY OK: depth=1, /C=XX/ST=XX/L=XXX/O=BnotYisrael/CN=XXX/[email protected]
Oct  9 20:17:18 openvpn[338]: VERIFY OK: depth=0, /C=XX/ST=XX/L=XXX/O=BnotYisrael/CN=XXX/[email protected]
Oct  9 20:17:19 mini_httpd[496]: pipe = 1, sum_cnnt_task = 2
Oct  9 20:17:19 mini_httpd[588]: mini_httpd.c(1924):path:/cgi-bin/ConfigManApp.com,query:Id=27
Oct  9 20:17:20 openvpn[338]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1541', remote='link-mtu 1558'
Oct  9 20:17:20 openvpn[338]: WARNING: 'cipher' is used inconsistently, local='cipher BF-CBC', remote='cipher AES-128-CBC'
Oct  9 20:17:20 openvpn[338]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
Oct  9 20:17:20 openvpn[338]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct  9 20:17:20 openvpn[338]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct  9 20:17:20 openvpn[338]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct  9 20:17:20 openvpn[338]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct  9 20:17:20 openvpn[338]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Oct  9 20:17:20 openvpn[338]: [server] Peer Connection Initiated with XXX.XXX.XXX.XXX:1194
Oct  9 20:17:22 openvpn[338]: SENT CONTROL [server]: 'PUSH_REQUEST' (status=1)
Oct  9 20:17:22 openvpn[338]: PUSH: Received control message: 'PUSH_REPLY,route 10.8.0.1,topology net30,ifconfig 10.8.0.6 10.8.0.5'
Oct  9 20:17:22 openvpn[338]: OPTIONS IMPORT: --ifconfig/up options modified
Oct  9 20:17:22 openvpn[338]: OPTIONS IMPORT: route options modified
Oct  9 20:17:22 openvpn[338]: Preserving previous TUN/TAP instance: tun0
Oct  9 20:17:22 openvpn[338]: Initialization Sequence Completed
Oct  9 20:17:22 IPP[449]: IPP <4+warnin>842.753.270:unkown msg,00010102,00000001,00000000
 
Joined
Mar 25, 2009
Messages
105
Reaction score
2
Are you trying to register to 10.8.0.1? Also, is the 10.8.0.0/24 subnet added to Local Networks in SIP Settings in FreePBX?
 

rjaiswal

Shouldn't it try to register to the 192.168.x.xxx IP address of the pbx? I don't think asterisk is listening to the tun adaptor...
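
An added example, not code from any poster: which destinations the phone sends through tun0 given the PUSH_REPLY in the phone log above, compared with a constructed PUSH_REPLY that includes the `push "route 192.168.1.0 255.255.255.0"` line suggested earlier in the thread. It assumes net30 topology as shown in the log; 192.168.1.143 is the eth0 address from the posted ifconfig, and the function names are hypothetical.

```python
import ipaddress

# First string is from the phone log in this thread; the second is constructed
# by appending the route that the suggested push statement would add.
PUSHED = "PUSH_REPLY,route 10.8.0.1,topology net30,ifconfig 10.8.0.6 10.8.0.5"
PUSHED_FIXED = PUSHED + ",route 192.168.1.0 255.255.255.0"

def tunnel_networks(push_reply):
    """Networks the client routes through the tunnel after this PUSH_REPLY."""
    nets = []
    for option in push_reply.split(",")[1:]:
        name, *args = option.split()
        if name == "route":
            # OpenVPN's route netmask defaults to a single host when omitted.
            mask = args[1] if len(args) > 1 else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{args[0]}/{mask}", strict=False))
        elif name == "ifconfig":
            # Assumption: net30 topology, so the second address is the
            # point-to-point peer rather than a netmask.
            nets.append(ipaddress.ip_network(f"{args[1]}/32"))
    return nets

def via_tunnel(push_reply, destination):
    """True if traffic to destination is covered by a tunnel route."""
    dest = ipaddress.ip_address(destination)
    return any(dest in net for net in tunnel_networks(push_reply))

if __name__ == "__main__":
    for target in ("10.8.0.1", "192.168.1.143"):
        print(target, via_tunnel(PUSHED, target), via_tunnel(PUSHED_FIXED, target))
```

With the PUSH_REPLY from the log, only the server's tunnel address 10.8.0.1 is covered, so a SIP registration aimed at the 192.168.1.x address would not travel inside the VPN until that route is pushed.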
 
