TUTORIAL Yealink IP Phone OpenVPN Guide (WIP)

BeerCan
This is a WIP, so bear with me.

Overview

1. Create a new certificate authority (CA) for the vpn connected (remote) phones
2. Create a new server certificate for our OpenVPN server instance
3. Create a new OpenVPN server instance for the remote phones
4. Create necessary firewall rules
5. Create a new certificate for each vpn connected (remote) phone
6. Create the Yealink OpenVPN configuration file
7. Register the phone to the PBX and upload the OpenVPN configuration file


1. Create a new certificate authority (CA) for the vpn connected (remote) phones
Use the following settings for the new CA:
Descriptive Name: Remote Phone CA (or any descriptive name you choose)
Method: Create an internal Certificate Authority (many ways to do this depending on OS; look for how-tos on the web)
Digest Algorithm: SHA1 (this is important for Yealink phones. If you don't set this, later versions of OpenVPN default to SHA256)
Distinguished name: Your contact info
Common Name: RemotePhoneCA (or whatever you want to put here)

2. Create a new server certificate for our OpenVPN server instance
Use the following settings for your new server certificate:
Method: Create an internal Certificate
Descriptive name: Remote Phone Server Cert (or any descriptive name you choose)
Certificate authority: Remote Phone CA (make sure you use the cert you created above)
Digest Algorithm: SHA1 (again make sure this is sha1)
Certificate Type: Server Certificate
Distinguished name: Your contact info
Common Name: RemotePhoneServerCert (or whatever you want to put here)

3. Create a new OpenVPN server instance for the remote phones
Use the following settings for the new OpenVPN server instance:
Server Mode: Remote Access (SSL/TLS). Note: client auth does not work with Yealink phones
Protocol: UDP
Device Mode: tun
Interface: (The interface you want OpenVPN to listen on, usually WAN)
Local port: 1194 (Default OpenVPN port is 1194, but you can use any port not already in use)
Description: Remote Phone VPN (Or whatever descriptive name you would like)
TLS Authentication: "Enable authentication of TLS packets." ( Choose if you want this feature on or off)
Peer Certificate Authority: Remote Phone CA (or whatever you named the cert in step 1)
Server Certificate: Remote Phone Server Cert (or whatever you named the server cert in step 2)
Encryption algorithm: BF-CBC (128-bit)
Tunnel Network: xxx.xxx.xxx.xxx/xx (can be any network expressed in CIDR that is in RFC 1918 ) example 10.1.5.0/24
Local Network: xxx.xxx.xxx.xxx/xx The network your PBX is on, usually your LAN (expressed as CIDR) example 192.168.1.0/24
Concurrent connections: However many concurrent VPN sessions you want to allow

4. Create necessary firewall rules
Creating firewall rules is different depending on what you use. Use this as a starting point only.
Use the following settings for the new firewall rule(s):
Interface: WAN
Protocol: UDP
Destination: WAN address (the address OpenVPN is listening on)
Destination port range: the port your OpenVPN instance listens on (defaults to 1194, but it must be the same as the local port you used in the OpenVPN server config above)
Description: OpenVPN Remote Phones
Interface: OpenVPN
Protocol: UDP
Source: Network xxx.xxx.xxx.xxx/xx (whatever tunnel network you used in OpenVPN)
Destination: Any
Destination port range: 5060
Description: Remote Phones – SIP
Interface: OpenVPN
Protocol: UDP
Source: Network xxx.xxx.xxx.xxx/xx (whatever tunnel network you used in OpenVPN)
Destination: Any
Destination port range: 7000-7499 (whatever RTP ports your PBX uses for internal calls)
Description: Remote Phones – RTP

5. Create a new certificate for each vpn connected (remote) phone
Use the following settings for each certificate:
Method: Create an internal Certificate
Descriptive name: Descriptive name for the phone
Certificate authority: Remote Phone CA (cert from step 1 above)
Digest Algorithm: SHA1
Certificate Type: User Certificate
Distinguished name: Fill in all the information asked for

6. Create the Yealink OpenVPN configuration file
I use a WinRAR-created archive named client.tar.
In it I have a folder named keys that contains ca.crt, client1.crt and client1.key (the certs you made earlier).
Along with the folder I have a file called vpn.cnf. It contains the OpenVPN client connection information for the phone. Mine looks like this:
Code:
dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
# this is the ip/port you are connecting to, most likely the WAN IP
remote xxx.xxx.xxx.xxx 1194 udp
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client1.crt
key /config/openvpn/keys/client1.key
ns-cert-type server

7. Register the phone to the PBX and upload the OpenVPN configuration file
1. Configure the phone to register to the PBX internally and verify it is working properly (if possible)
2. Log into the phone's web configuration interface and navigate to Network -> Advanced
3. Scroll down to the VPN section
4. Click Browse and find the OpenVPN configuration tar archive we made earlier
5. Click Import
6. Make sure VPN Active is set to Enabled, then scroll down to the bottom and click Confirm

That's it. It should be working now.



For completeness' sake, here is what my server config looks like. Remember to only use directives that are needed in your setup.
Code:
dev ovpns1
dev-type tun
tun-ipv6
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher BF-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
# my wan ip
local xxx.xxx.xxx.xxx
tls-server
# my openvpn trunk ip
server 10.0.5.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
tls-verify /var/etc/openvpn/server1.tls-verify.php
lport 1190
management /var/etc/openvpn/server1.sock unix
max-clients 15
# my internal network with the PIAF box
push "route 192.168.150.0 255.255.255.0"
# my internal dns server
push "dhcp-option DNS 192.168.150.222"
ca /var/etc/openvpn/server1.ca
cert /var/etc/openvpn/server1.cert
key /var/etc/openvpn/server1.key
dh /etc/dh-parameters.1024

I will try and clean this up and make it clearer as I get time. Please feel free to add.
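
The following script is an added example and is not part of BeerCan's post or any Yealink or pfSense tool. It automates step 6 above and cross-checks it against the step 3 server settings: it renders a vpn.cnf in the same form as the post (with '#' comment lines instead of inline parentheticals, which OpenVPN does not accept after a directive), parses both the client and a server config, flags the slips that cost the most time in practice (a malformed `remote` line such as `1194udp`, a client port that does not match the server's `lport`, cipher/auth mismatches, key paths outside /config/openvpn/keys/), and packs vpn.cnf plus the keys/ folder into an uncompressed client.tar. The server address 203.0.113.10, the sample server config and the certificate contents are constructed placeholders. Note that the post's own server sample listens on `lport 1190` while its vpn.cnf dials 1194; the check below reports exactly that kind of mismatch. BF-CBC and SHA1 are kept because the post needs them for the phones, but modern OpenVPN releases treat BF-CBC as a legacy cipher, so the cipher choice is worth revisiting once the phone firmware allows it.

```python
"""Build and sanity-check a Yealink OpenVPN client bundle (client.tar).

Added example, not from the forum post. Assumes the layout the post describes:
vpn.cnf at the top of the tar and a keys/ folder with ca.crt, <name>.crt and
<name>.key, which the phone unpacks under /config/openvpn/.
"""
import io
import tarfile

# Directives the post's vpn.cnf carries and that the check below insists on.
REQUIRED = {"dev", "client", "remote", "ca", "cert", "key", "cipher", "auth"}
PHONE_PREFIX = "/config/openvpn/keys/"

# Constructed server config mirroring the relevant lines of the post's sample.
SERVER_CONF = """\
dev-type tun
proto udp
cipher BF-CBC
tls-server
server 10.0.5.0 255.255.255.0
lport 1190
max-clients 15
push "route 192.168.150.0 255.255.255.0"
"""


def render_client_config(server_ip, port, client_name, cipher="BF-CBC", auth="SHA1"):
    """Render vpn.cnf in the post's form; comments go on their own '#' lines."""
    lines = [
        "dev tun", "persist-tun", "persist-key",
        f"cipher {cipher}", f"auth {auth}",
        "tls-client", "client", "resolv-retry infinite",
        "# server address and port the phone connects to (usually the WAN IP)",
        f"remote {server_ip} {port} udp",
        f"ca {PHONE_PREFIX}ca.crt",
        f"cert {PHONE_PREFIX}{client_name}.crt",
        f"key {PHONE_PREFIX}{client_name}.key",
        "ns-cert-type server",
    ]
    return "\n".join(lines) + "\n"


def parse_config(text):
    """Parse an OpenVPN config into {directive: [args]}, ignoring '#'/';' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def check_client_config(client_text, server_text):
    """Return a list of problems found comparing the phone config to the server's."""
    problems = []
    client, server = parse_config(client_text), parse_config(server_text)
    for d in sorted(REQUIRED - set(client)):
        problems.append(f"missing directive: {d}")
    remote = client.get("remote", [])
    # Valid form is 'remote <host> <port> [proto]'; '1194udp' fails the port check.
    if len(remote) < 2 or not remote[1].isdigit():
        problems.append("remote must be 'remote <host> <port> [udp|tcp]'")
    else:
        server_port = (server.get("lport") or server.get("port") or ["1194"])[0]
        if remote[1] != server_port:
            problems.append(f"remote port {remote[1]} != server port {server_port}")
        if len(remote) > 2 and remote[2] != (server.get("proto") or ["udp"])[0]:
            problems.append("client/server protocol mismatch")
    for d in ("cipher", "auth"):
        if d in client and d in server and client[d] != server[d]:
            problems.append(f"{d} mismatch: client {client[d][0]} vs server {server[d][0]}")
    for d in ("ca", "cert", "key"):
        if not client.get(d, [""])[0].startswith(PHONE_PREFIX):
            problems.append(f"{d} path must be under {PHONE_PREFIX} (phone unpacks keys/ there)")
    return problems


def build_bundle(client_text, client_name, ca_crt, client_crt, client_key):
    """Pack vpn.cnf and keys/* into an uncompressed tar and return its bytes."""
    buf = io.BytesIO()
    members = {
        "vpn.cnf": client_text,
        "keys/ca.crt": ca_crt,
        f"keys/{client_name}.crt": client_crt,
        f"keys/{client_name}.key": client_key,
    }
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in members.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mode = 0o600 if name.endswith(".key") else 0o644  # keep the key private
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_bundle(tar_bytes):
    """Return the sorted member names of a bundle, for a quick layout check."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        return sorted(m.name for m in tar.getmembers())


if __name__ == "__main__":
    cfg = render_client_config("203.0.113.10", 1190, "client1")  # 203.0.113.10 is a placeholder
    print(check_client_config(cfg, SERVER_CONF) or "client config agrees with server config")
    # Constructed placeholder PEM contents; real bundles carry the certs from step 5.
    tar_bytes = build_bundle(cfg, "client1", "CA PEM", "CLIENT CERT PEM", "CLIENT KEY PEM")
    print(list_bundle(tar_bytes))
```

Run it against the real server config by reading the file instead of SERVER_CONF; an empty problem list before importing the tar on the phone avoids the most common "VPN shows enabled but never connects" outcome.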

dad311
I have scripts that will create an OpenVPN server on your PBX and create client config files for the Yealink phone. PM me if you're interested.