NO JOY Yealink T46G and OpenVPN - not quite there

AndyInNYC

Active Member
I have an OpenVPN config working on one of my RentPBX machines. I can log in using a Win7 laptop and pull up the PIAF web for the config (10.8.0.1).

I can't, however, log in with the Yealink T46G. The problem is likely either the client or server config files.

My client file (vpn.cnf) reads:

Code:
client
persist-tun
persist-key
# the directive is resolv-retry (the original post had "resolve-retry", which OpenVPN rejects as an unrecognized option)
resolv-retry infinite
remote RENTPBXIP
nobind
port 1194
proto udp
dev tun
comp-lzo
verb 3
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

When building my .tar file, the vpn.cnf was in /etc/openvpn/client and the keys are in /etc/openvpn/client/keys. The .tar file was created, while in the client directory, with the command:

tar -cvpf openvpn.tar *

So, I have a boo-boo somewhere, but I'm getting tunnel vision.


Andrew


My server.conf reads:

Code:
local RENTPBXIP
port 1194
proto udp
dev tun
mode server
server 10.8.0.0 255.255.255.0
push "route 10.2.1.0 255.255.255.0"
push "dhcp-option DNS 10.2.1.1"
keepalive 20 60
client-to-client
duplicate-cn
comp-lzo
verb 3
ca ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
log-append /etc/openvpn/openvpn.log
 

AndyInNYC

Active Member
OK, maybe I'm missing something. The Red V (per the instructions) indicates that OpenVPN is running.
However, I'm getting, per the phone's OK button, a 192.168.40.x as my IP address for the phone. Shouldn't I get 10.8.x from the OpenVPN setup?

My confusion really sucks.

Andrew
 
Joined
Oct 18, 2013
Messages
220
Reaction score
20
The phone should have 2 IP addresses - 1 for the network it is directly connected to (probably that 192 network you are seeing), and then 1 for the VPN tunnel interface. Normally I'd say ping the VPN gateway, but I don't think you can do that from a phone (unless it has some network test tools built in?).
 
Joined
Oct 18, 2013
Messages
220
Reaction score
20
Something else I noticed - your client config is using full paths to the cert files. That could very well break it. I'd probably remove the paths in that config and put the cert files in the same directory as the config file, or put them in a subdirectory and use relative paths.
 

AndyInNYC

Active Member
Mark,

Thanks for your response. The phone apparently requires the format I'm using - people have had difficulty not following the Yealink directions to the letter. For example, the client must be called vpn.cnf - nothing else will work. The tar file which is downloaded to the machine must have a /keys directory with the certs, etc.

When I look at the CLI, the phone shows as registered from my home LAN's public IP address - as though I configured it with NAT and allowed my IP in the whitelist. I would have expected it to show (under sip show peers) the 10.8.x.x IP address. I have a second phone registered from this location without VPN (a Mitel 5224) and they share the same registration appearance in the CLI.

Since I don't have problems with phones from here (I don't have FIOS or a 2wire), this config doesn't help me diagnose the problem or confirm that I'm actually registering under the VPN.

Can someone point out how their Yealink shows up in the CLI if they connect remotely over VPN?

Andrew
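Added example, not from the thread or from Yealink: a small POSIX shell script that packages the client directory the way Andrew describes (vpn.cnf plus a keys/ subdirectory, tarred from inside that directory) and then checks the archive against the requirements stated in this thread: the config must be named exactly vpn.cnf, and every ca/cert/key path it names must be /config/openvpn/keys/<file> with that file actually present in the tar. The function names, the placeholder key contents and the RENTPBXIP value are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: build the openvpn.tar a Yealink phone
# expects and check its layout before uploading. Assumed layout, per the thread:
# vpn.cnf at the archive root, certificates under keys/, config paths
# written as /config/openvpn/keys/<file>.
set -eu

# build_yealink_tar <client-dir> <output.tar>: the thread's tar invocation, run
# from inside the client directory so nothing lands under a leading directory.
build_yealink_tar() {
    out=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$1" && tar -cpf "$out" vpn.cnf keys )
}

# check_yealink_tar <tarfile>: 0 when vpn.cnf is at the root and every ca/cert/key
# path it names is under /config/openvpn/keys with a matching keys/<file> entry.
check_yealink_tar() {
    listing=$(tar -tf "$1")
    printf '%s\n' "$listing" | grep -qx 'vpn.cnf' ||
        { echo "vpn.cnf missing from archive root (the phone needs that exact name)"; return 1; }
    rc=0
    for path in $(tar -xOf "$1" vpn.cnf | awk '$1=="ca"||$1=="cert"||$1=="key"{print $2}'); do
        case "$path" in
            /config/openvpn/keys/*) ;;
            *) echo "$path: not under /config/openvpn/keys"; rc=1; continue ;;
        esac
        rel="keys/${path##*/}"
        printf '%s\n' "$listing" | grep -qx "$rel" ||
            { echo "$rel: named in vpn.cnf but absent from the tar"; rc=1; }
    done
    return $rc
}

# Constructed sample: a client directory holding the thread's vpn.cnf and dummy
# key files (placeholders, not real certificates).
make_sample_client_dir() {
    dir=$(mktemp -d)
    mkdir "$dir/keys"
    for f in ca.crt client.crt client.key; do echo "PLACEHOLDER $f" > "$dir/keys/$f"; done
    printf '%s\n' client 'dev tun' 'proto udp' 'remote RENTPBXIP 1194' nobind \
        'resolv-retry infinite' persist-key persist-tun comp-lzo 'verb 3' \
        'ca /config/openvpn/keys/ca.crt' 'cert /config/openvpn/keys/client.crt' \
        'key /config/openvpn/keys/client.key' > "$dir/vpn.cnf"
    echo "$dir"
}

d=$(make_sample_client_dir)
build_yealink_tar "$d" "$d/openvpn.tar"
check_yealink_tar "$d/openvpn.tar" && echo "openvpn.tar layout OK"
```

Run it as-is to see the constructed sample pass; point build_yealink_tar and check_yealink_tar at a real client directory to check your own archive before uploading it to the phone.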
 

islandtech

Wassamassaw
I don't have a T46G, but I've got T20P & T26P using openvpn. The file path is different for the 20 & 26 from the 32 & 38.
My client.cnf for a T20 is:
Code:
dev tun
;dev tap
 
proto udp
;proto tcp
 
remote 96.10.xxx.xxx 1194
 
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key
 
 
resolv-retry infinite
nobind
persist-key
persist-tun
;mute-replay-warnings
ns-cert-type server
;comp-lzo
verb 3
;mute 10

I'm running openvpn on my routers, pushing the router's address with a subnet 192.168.70.0.
Sip Info has the phone with an address of 192.168.70.x on the asterisk server.
 

AndyInNYC

Active Member
Islandtech,

Would you mind posting the server.conf which goes with the client settings?

Andrew
 

AndyInNYC

Active Member
So, I took the phone to a neighbor. The neighbor's IP is not whitelisted.
Registration failed on the phone although the Red V was lit on the T46G; i.e. it thinks OpenVPN is running, but no registration occurred.

So, do I have a problem with:
iptables - blocking the attempt?
openvpn - not allowing the connection?

I suppose I will have to take the laptop to Starbucks and see if I can VPN in under Win7 to confirm/deny the first.

So, anyone with a working VPN config (client/server) they want to share for the Yealink?

Anyone have any additional pointers on my possible iptables failure?

Andrew
 

BeerCan

Guru
Make sure your certs are sha1; nothing else will work. I have about 8 of these phones working fine. The sha1 thing bit me in the beginning. I have my vpn addresses set as local net in Freepbx --> Asterisk sip settings.
Client config (phone)
Code:
dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1190 udp
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client1.crt
key /config/openvpn/keys/client1.key
ns-cert-type server

Server config
Code:
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.xxx
tls-server
server 10.0.5.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1190
management /var/etc/openvpn/server1.sock unix
max-clients 15
push "route 192.168.150.0 255.255.255.0"
push "dhcp-option DNS 192.168.150.222"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024

 

islandtech

Wassamassaw
I used this link for the basics. My router has openvpn preinstalled. From my router forum I ended up with this section of code
Code:
islandtech@ubnt-sb# show interfaces openvpn vtun0
mode server
server {
    push-route 192.168.10.0/24
    subnet 192.168.70.0/24
}
tls {
    ca-cert-file /config/auth/ca.crt
    cert-file /config/auth/prs-sb.crt
    dh-file /config/auth/dh1024.pem
    key-file /config/auth/prs-sb.key
}
Following the yealink openvpn client documentation, I created and downloaded the files for the yealink phone.
When the phone boots, it gets an address from the local lan, then starts the vpn session back to the PBX.
 

AndyInNYC

Active Member
OK,

I have made some changes to my server.conf and vpn.cnf (client) config files. The client now reads:

Code:
client
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
ns-cert-type server
remote 209.159.159.231
nobind
port 1194
proto udp
dev tun
comp-lzo
verb 3
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

The server.conf file now reads:

Code:
local 209.159.159.231
port 1194
proto udp
dev tun
# added based on pbxinaflash.com input
daemon
persist-tun
persist-key
cipher BF-CBC
tls-server
#end added
 
mode server
server 10.8.0.0 255.255.255.0
push "route 10.2.1.0 255.255.255.0"
push "dhcp-option DNS 10.2.1.1"
keepalive 20 60
client-to-client
duplicate-cn
comp-lzo
verb 3
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
log-append /etc/openvpn/openvpn.log

My log file indicates a connection. The Red V icon is lit on the phone.

The registration in 'sip show peers' is still the public IP of my office (not the RentPBX site or the VPN setting). This is the same as it has been; I fear that if I hook the phone up at the neighbor again I'll have the same failure.

In FreePBX's "Asterisk SIP Settings", I have NAT set to Yes, Static IP, External IP set to the RentPBX IP, and 'Local Networks' includes 10.8.0.2/255.255.255.255, 209.159.159.224/255.255.255.224, and 209.159.159.0/255.255.255.0

ifconfig on the RentPBX site shows:

Code:
eth0      Link encap:Ethernet  HWaddr AA:00:70:A3:21:01
          inet addr:RENTPBX_IP  Bcast:209.159.159.255  Mask:255.255.255.224
          inet6 addr: fe80::a800:70ff:fea3:2101/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52568 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10630 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4235866 (4.0 MiB)  TX bytes:4335128 (4.1 MiB)
          Interrupt:17
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:11647 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11647 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1484730 (1.4 MiB)  TX bytes:1484730 (1.4 MiB)
 
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:17 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:1022 (1022.0 b)  TX bytes:0 (0.0 b)

So, my issue appears to be that the VPN functions on the phone and machine, but the registration reverts to my 'standard' way of connecting.

On the T46G I have the following settings:

Under Account -> Register, Outbound Proxy Server is disabled, Transport is UDP, NAT is set on Stun, stun server is set to stun.3cx.com.

Sip Server 1 is set to:

Server Host - RentPBX_IP Port 5060
Server Expires - 3600
Server Retry Counts 3


Any more follow up thoughts?


Andrew
 

BeerCan

Guru
On my phones NAT is set to disable and I don't use a stun server. I don't think you need it with a vpn.

Did you look at the phone logs to see if there are any clues there?
Settings --> configuration --> export log
 

islandtech

Wassamassaw
Since the phone's ip on the vpn is 192.168.70.2, I had to add 192.168.70.0/255.255.255.0 to local networks in asterisk sip settings. I've never used a stun server; all my systems are hardware at customer locations.
 

BeerCan

Guru
I saw in another thread that you had this Server Host - RentPBX_IP Port 5060 instead of an IP. I thought you had that there to sanitize it, but yeah it needs to be a real ip address :)
 

AndyInNYC

Active Member
BeerCan, it was there to sanitize. RentPBX is 209.159.x.x.

I changed the SIP server host in Asterisk's advanced SIP settings to 10.8.0.1 and BANG I was in.

Then I passed that along to the tech guys where I bought the phone (we have had a running dialog with them trying to offer help - much better solutions were offered here).

They suggested that my route push command is totally wrong (although I copied it from the Yealink directions). Although the example they gave me is wrong (they wanted me to push to the internal IP of my home office), they think if I push route 209.159.x.0 (I think, or maybe it is some other IP) I will be connected over the VPN and can use the public IP from the RentPBX machine in my Sip setup (or I don't know what they are saying).

The exact advice they gave was:

I'm sure you'd find that if you created a route to the 192.168.40.X (using a route push) you could use the actual private IP of the PBX instead of the 10.8.0.1 IP (which happens to be the VPN IP address of the PBX), but the net result is the same, you do have to make sure the phone connects to the private LAN, the public IP of the PBX has no bearing. That's exactly the concept we were trying to explain. You can remove the route push 10.2.1.X stuff, that's really not used (or needed) in your setup.

Now, I'm not even sure what the private IP of the RentPBX machine is. See above for the ifconfig results. So what would I change to follow their directions? My concern is that my 'solution' might not work if I have 2 or more remote phones trying to go extension to extension. I'm probably fine, but I'd hate to find out after I've sent phones everywhere.

I'm working (for now) and happy, but any thoughts about what they have said? 192.168.40.x is the wrong private IP (it's my OpenWRT router, not the RentPBX site). Other than that, I'm not sure what they are really saying to do or how to implement it, or even if they are right.

Thanks, all.

Andrew
 
