TUTORIAL Setting up vtun1 on Edgerouter for Yealink phones

rjaiswal

Active Member
Joined
May 24, 2013
Messages
438
Reaction score
58
Hi,

Haven't posted in a while. Had a freak accident last year. 4 surgeries later, I'm now on the road to a somewhat full recovery.

Just got this working for myself. I have a new full time job, and wanted to keep a desk phone hooked up to my personal PBX, so if my old clients needed to get a hold of me, while I was at the office, I could still take the call. Didn't want to do the follow me, because I don't have good cell coverage at the office, and the wifi calling doesn't work. :)

So, I have an OpenVPN instance that I use for my iPhone and laptop to remote back into the house. I couldn't use this instance, because it's set up for user-pass login. Yealink phones only support certificate authentication. It took a lot of trial and error, and reading multiple posts on the Yealink forum and Ubiquiti forum, to get this to work.

Here is the portion of my router config that pertains to the new OpenVPN instance that's just for my remote phones.

Code:
server.conf
admin@router# show interfaces openvpn vtun1
 description "Remote Phones"
 encryption aes128
 hash sha1
 mode server
 openvpn-option "--proto udp"
 openvpn-option "--push route 192.168.16.0 255.255.255.0"
 openvpn-option --persist-key
 openvpn-option --persist-local-ip
 openvpn-option --persist-remote-ip
 openvpn-option "--port 1195"
 openvpn-option "--push redirect-gateway def1"
 openvpn-option "--link-mtu 1472" ;(check mtu settings on site)
 openvpn-option "--push dhcp-option DNS 8.8.8.8"
 openvpn-option "--verb 1"
 server {
  subnet 192.168.91.0/24
  topology subnet
 }
 tls {
  ca-cert-file /config/auth/remotephones/cacert.pem
  cert-file /config/auth/remotephones/remotephones.pem
  dh-file /config/auth/remotephones/dh1024.pem
  key-file /config/auth/remotephones/remotephones.key
 }
[edit]

This is the vpn.cnf for the Yealink phone. The cert paths are for a T21p E2. You'll have to look at the Yealink vpn guide for the proper path for the model of phone that you're setting up.

Code:
client.ovpn (vpn.cnf)
client
dev tun
proto udp
remote 72.80.184.41 1195
cipher AES-128-CBC
nobind
persist-key
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key
;comp-lzo
verb 1
;mute 20
tun-mtu 1472

The tun-mtu is set for my OpenVPN instance. I tested my connection using a ping command that I found using Google, to determine my MTU size.
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
679
Reaction score
137
Hi, take a look at the EdgeRouter X: runs the same software as the ERL, 5 gig ports, can be powered by passive PoE on port 0 with PoE passthru to port 5. Installing one in a couple of weeks.
Back to the original topic:
I've been using this basic default configuration on an EdgeRouter Lite since Aug. 2013.
Code:
adminiti@scpain# show interfaces openvpn vtun0
 mode server
 server {
     push-route 192.168.5.0/24
     subnet 192.168.70.0/24
 }
 tls {
     ca-cert-file /config/auth/ca.crt
     cert-file /config/auth/painserver.crt
     dh-file /config/auth/dh1024.pem
     key-file /config/auth/painserver.key
 }
[edit]

4 remote Yealink T20P phones

vpn.cnf file

Code:
client

dev tun
;dev tap

proto udp
;proto tcp

remote 66.153.129.185 1194

ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key


resolv-retry infinite
nobind
persist-key
persist-tun
;mute-replay-warnings
ns-cert-type server
;comp-lzo
verb 3
;mute 10

This router is also providing two point-to-point tunnels.
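
Added example, not part of either post above: a small Python check that parses an OpenVPN client config like the two vpn.cnf files in this thread and flags whether the client checks the server certificate's usage (`remote-cert-tls server`, or the older `ns-cert-type server`) and whether a cipher is pinned. Without such a check, any certificate issued by the same CA, including another phone's client certificate, is accepted as the server. The finding names and the abridged sample configs are this example's own.

```python
# Samples abridged from the two vpn.cnf files posted above (remote lines omitted).
POST1_CNF = """\
client
dev tun
cipher AES-128-CBC
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key
;comp-lzo
"""
POST2_CNF = """\
client
dev tun
;dev tap
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key
ns-cert-type server
"""

def parse_directives(text):
    """Return {directive: [args, ...]}, skipping blanks and ';' / '#' comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def audit_client(text):
    """Return finding codes (names are this example's own) for one client config."""
    d = parse_directives(text)
    findings = []
    if ["server"] not in d.get("remote-cert-tls", []):
        legacy = ["server"] in d.get("ns-cert-type", [])
        findings.append("legacy-server-cert-check" if legacy else "no-server-cert-check")
    cipher = (d.get("cipher") or [[""]])[-1]      # last cipher line, if any
    name = cipher[0].upper() if cipher else ""
    if not name:
        findings.append("cipher-not-pinned")      # falls back to the build default
    elif name.startswith(("BF-", "DES", "CAST5", "RC2")):
        findings.append("64-bit-block-cipher")
    findings += [f"missing-{o}" for o in ("ca", "cert", "key") if o not in d]
    return findings

if __name__ == "__main__":
    for label, cnf in (("post 1", POST1_CNF), ("post 2", POST2_CNF)):
        print(label, audit_client(cnf) or "ok")
```

`remote-cert-tls server` only succeeds when the server certificate carries the matching key usage and extended key usage, and whether a given phone firmware's OpenVPN build accepts the directive has to be checked against the Yealink VPN guide.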
 

rjaiswal

I was looking at the ER-X series of routers. They don't have the packet performance of the ERL. I think it could be a good device if you use all UBNT equipment. I just use the routers for installs. I use HP switches for wired devices and Aruba IAPs for wifi. Have lost too much money using unifi devices.
 

islandtech

Most of my installs are only 5 to 30 phones, all but 2 systems (3 phones each) are on separate physical networks.
My Unifi controller with 7 sites is hosted on cloud@cost.
Using many Unifi-AP and Unifi-AP AC-Lites and 1 Unifi US-16-150W PoE switch.
Been using ERLs since they've been on the market, a few EdgeRouter-POE and now an ER-X.
Only had 2 router failures, a lightning hit and the other (firmware corruption) was due to the customer turning the unit on and off several times.
So far, can’t beat the price/performance for my installs.
I really like how easy it is to configure remote access to the router, and the equipment behind it.
 

rjaiswal

I've been hit with the bad USB drives in 4 ERL routers. I've been able to fix them by replacing the drives with SanDisk Cruzers, and using the recovery utility Ubiquiti has.

And you're right about the price/performance. Nothing can come close. I wish they had a paid tier for phone support. Sometimes reading the forums for an answer takes a while, and you can get old info from the forums.

I stopped installing Unifi APs after I lost a lot of money replacing the original AC (square) access points. In New York, especially in the city, not having a wifi network that can scan for open channels and reconfigure the APs for an ever-shifting wireless environment is crazy. I know the Unifi stuff scans once when an AP comes online, but it should scan periodically so that the APs are on the best channel all the time...
 
