It took me a while to figure this out, so in case anyone else wants to try connecting a Yealink phone to an Incredible PBX using OpenVPN, here you go:
Setup
- Vultr $5 server
- CentOS 7
- FQDN (pbx.mydomain.com)
- Incredible PBX 16-15.1
- Yealink T41S (Firmware 66.84.0.15)
- Install OpenVPN following Nerdvittles instructions:
Code:
cd /root
curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
sed -i "s|\techo 'push \"redirect-gateway|#\techo 'push \"redirect-gateway|" openvpn-install.sh
sed -i "s|push \"redirect-gateway|#push \"redirect-gateway|" openvpn-install.sh
sed -i 's|tls-client|tls-client\npull-filter ignore "redirect-gateway"|' openvpn-install.sh
./openvpn-install.sh
- Run installer using recommended settings, except for Custom encrypt (no):
- Server IP Address: using FQDN strongly recommended to ease migration issues
- Enabled IPv6 (no): accept default
- Port (1194): accept default
- Protocol (UDP): accept default
- DNS (3): change to 9 (Google)
- Compression (no): accept default
- Custom encrypt (no): yes
- select 4) AES-128-CBC
- use recommendations for remaining settings
- Create the first client, e.g. yealink1
- Gather some necessary data
Code:
mkdir -p /tmp/yealink/keys
cd /etc/openvpn/easy-rsa
cp pki/ca.crt pki/private/yealink1.key pki/issued/yealink1.crt /tmp/yealink/keys/
cat /root/yealink1.ovpn
- From yealink1.ovpn copy the OpenVPN Static key including the BEGIN and END lines to a new file
Code:
cd /tmp/yealink
nano keys/ta.key
- From yealink1.ovpn copy everything at the top, above <ca>, to a new file
Code:
nano vpn.cnf
- Add the following lines to vpn.cnf (I added them between persist-tun and remote-cert-tls server):
Code:
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/yealink1.crt
key /config/openvpn/keys/yealink1.key
tls-crypt /config/openvpn/keys/ta.key 1
- You should now have the following files in place:
Code:
/tmp/yealink/keys/ca.crt
/tmp/yealink/keys/yealink1.crt
/tmp/yealink/keys/yealink1.key
/tmp/yealink/keys/ta.key
/tmp/yealink/vpn.cnf
- Create a tar file
Code:
tar cvf openvpn.tar ./vpn.cnf ./keys
- Download openvpn.tar and upload it into your phone.
- Make sure your phone registers to 10.8.0.1
- Continue with Nerdvittles tutorial "to block all server access except via SSH or the VPN":
Code:
cd /etc/sysconfig
wget http://incrediblepbx.com/iptables-openvpn.tar.gz
tar zxvf iptables-openvpn.tar.gz
rm -f iptables-openvpn.tar.gz
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
systemctl -f enable [email protected]
systemctl start [email protected]
systemctl status [email protected]
systemctl enable [email protected]
systemctl restart iptables
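The manual steps in the post (splitting yealink1.ovpn into keys/ and vpn.cnf, then building openvpn.tar) can be scripted as below. This is an added example, not part of the original post: the function names `ovpn_to_yealink` and `make_sample_ovpn` are hypothetical, the sample profile is constructed, and the file directives are appended to the end of vpn.cnf rather than placed after persist-tun.

```shell
#!/bin/sh
# Added example: split an inline .ovpn profile into the Yealink tar layout.
# Usage: ovpn_to_yealink <profile.ovpn> <client-name> <output-dir>
ovpn_to_yealink() (
    ovpn=$1; client=$2; out=$3
    umask 077                          # private key and ta.key must not be world-readable
    mkdir -p "$out/keys" || exit 1
    # Copy the body of one inline <tag>...</tag> block to a file; fail if it is absent.
    extract() {
        awk -v t="$1" '$0 == ("</" t ">") {on = 0}
                       on {print}
                       $0 == ("<" t ">") {on = 1}' "$ovpn" > "$2"
        [ -s "$2" ] || { echo "missing <$1> block in $ovpn" >&2; exit 1; }
    }
    extract ca        "$out/keys/ca.crt"
    extract cert      "$out/keys/$client.crt"
    extract key       "$out/keys/$client.key"
    extract tls-crypt "$out/keys/ta.key"
    # Everything above <ca> is the plain option list.
    awk '$0 == "<ca>" {exit} {print}' "$ovpn" > "$out/vpn.cnf"
    # Paths as given in the post; appended at the end of vpn.cnf (assumption).
    printf '%s\n' \
        "ca /config/openvpn/keys/ca.crt" \
        "cert /config/openvpn/keys/$client.crt" \
        "key /config/openvpn/keys/$client.key" \
        "tls-crypt /config/openvpn/keys/ta.key 1" >> "$out/vpn.cnf"
    cd "$out" && tar cf openvpn.tar ./vpn.cnf ./keys
)

# Constructed sample profile with placeholder bodies, not real key material.
make_sample_ovpn() {
    printf '%s\n' client 'proto udp' 'remote pbx.mydomain.com 1194' \
        persist-tun 'remote-cert-tls server' \
        '<ca>' CA-PLACEHOLDER '</ca>' \
        '<cert>' CERT-PLACEHOLDER '</cert>' \
        '<key>' KEY-PLACEHOLDER '</key>' \
        '<tls-crypt>' TA-PLACEHOLDER '</tls-crypt>' > "$1"
}
```

Remove the output directory once openvpn.tar is on the phone, since it holds the client's private key.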