TUTORIAL Yealink < OpenVPN > IncrediblePBX

jaycos

It took me a while to figure this out, so in case anyone else wants to try connecting a Yealink phone to an Incredible PBX using OpenVPN, here you go:

Setup
  • Vultr $5 server
  • CentOS 7
  • FQDN (pbx.mydomain.com)
  • Incredible PBX 16-15.1
  • Yealink T41S (Firmware 66.84.0.15)
Steps
  1. Install OpenVPN following Nerdvittles instructions:
    Code:
    cd /root
    curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
    chmod +x openvpn-install.sh
    sed -i "s|\techo 'push \"redirect-gateway|#\techo 'push \"redirect-gateway|" openvpn-install.sh
    sed -i "s|push \"redirect-gateway|#push \"redirect-gateway|" openvpn-install.sh
    sed -i 's|tls-client|tls-client\npull-filter ignore "redirect-gateway"|' openvpn-install.sh
    ./openvpn-install.sh
  2. Run installer using recommended settings, except for Custom encrypt (no):
    • Server IP Address: using FQDN strongly recommended to ease migration issues
    • Enabled IPv6 (no): accept default
    • Port (1194): accept default
    • Protocol (UDP): accept default
    • DNS (3): change to 9 (Google)
    • Compression (no): accept default
    • Custom encrypt (no): yes
      • select 4) AES-128-CBC
      • use recommendations for remaining settings
  3. Create the first client, e.g. yealink1
  4. Gather some necessary data
    Code:
    mkdir -p /tmp/yealink/keys
    cd /etc/openvpn/easy-rsa
    cp pki/ca.crt pki/private/yealink1.key pki/issued/yealink1.crt /tmp/yealink/keys/
    cat /root/yealink1.ovpn
  5. From yealink1.ovpn copy the OpenVPN Static key including the BEGIN and END lines to a new file
    Code:
    cd /tmp/yealink
    nano keys/ta.key
  6. From yealink1.ovpn copy everything at the top, above <ca>, to a new file
    Code:
    nano vpn.cnf
  7. Add the following lines to vpn.cnf (I added them between persist-tun and remote-cert-tls server):
    Code:
    ca /config/openvpn/keys/ca.crt
    cert /config/openvpn/keys/yealink1.crt
    key /config/openvpn/keys/yealink1.key
    tls-crypt /config/openvpn/keys/ta.key 1
  8. You should now have the following files in place:
    Code:
    /tmp/yealink/keys/ca.crt
    /tmp/yealink/keys/yealink1.crt
    /tmp/yealink/keys/yealink1.key
    /tmp/yealink/keys/ta.key
    /tmp/yealink/vpn.cnf
  9. Create a tar file
    Code:
    tar cvf openvpn.tar ./vpn.cnf ./keys
  10. Download openvpn.tar and upload it into your phone.
  11. Make sure your phone registers to 10.8.0.1
  12. Continue with Nerdvittles tutorial "to block all server access except via SSH or the VPN":
    Code:
    cd /etc/sysconfig
    wget http://incrediblepbx.com/iptables-openvpn.tar.gz
    tar zxvf iptables-openvpn.tar.gz
    rm -f iptables-openvpn.tar.gz
    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p
    systemctl -f enable [email protected]
    systemctl start [email protected]
    systemctl status [email protected]
    systemctl enable [email protected]
    systemctl restart iptables
 
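Steps 4 to 9 of the post above, as an added shell example that is not part of the original post: it assembles the same openvpn.tar from the client profile, but stages the files in a private mktemp directory under umask 077 so the client private key and the static key are readable only by the user running it. The names build_yealink_tar and make_sample, and the sample file contents, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): steps 4-9 as one function.
# Usage: build_yealink_tar CLIENT PROFILE.ovpn PKI_DIR OUT_DIR
build_yealink_tar() (            # subshell body: umask and exit stay local
    client=$1 ovpn=$2 pki=$3 out=$4
    umask 077                    # private key and static key: owner-only
    work=$(mktemp -d) || exit 1  # unpredictable private dir, not a fixed /tmp path
    fail() { rm -rf "$work"; exit 1; }
    mkdir -p "$work/keys" "$out" || fail
    # Step 4: CA cert, client cert and client key from easy-rsa's pki tree
    cp "$pki/ca.crt" "$pki/issued/$client.crt" "$pki/private/$client.key" \
        "$work/keys/" || fail
    # Step 5: the static key, BEGIN and END lines included
    sed -n '/-----BEGIN OpenVPN Static key V1-----/,/-----END OpenVPN Static key V1-----/p' \
        "$ovpn" > "$work/keys/ta.key"
    grep -q 'END OpenVPN Static key' "$work/keys/ta.key" || fail
    # Steps 6-7: everything above <ca>, file directives added after persist-tun
    awk -v c="$client" '
        /^<ca>/ { exit }
        { print }
        /^persist-tun/ {
            print "ca /config/openvpn/keys/ca.crt"
            print "cert /config/openvpn/keys/" c ".crt"
            print "key /config/openvpn/keys/" c ".key"
            print "tls-crypt /config/openvpn/keys/ta.key 1"
        }' "$ovpn" > "$work/vpn.cnf"
    grep -q '^tls-crypt ' "$work/vpn.cnf" || fail
    # Step 8: refuse to pack if any expected file is missing or empty
    for f in vpn.cnf keys/ca.crt "keys/$client.crt" "keys/$client.key" keys/ta.key; do
        [ -s "$work/$f" ] || fail
    done
    # Step 9: same archive layout as the post (./vpn.cnf and ./keys)
    tar cf "$out/openvpn.tar" -C "$work" ./vpn.cnf ./keys || fail
    rm -rf "$work"
)

# Constructed sample inputs (placeholder contents, not real keys) for a dry run
make_sample() {
    d=$1; mkdir -p "$d/pki/issued" "$d/pki/private"
    echo "constructed CA" > "$d/pki/ca.crt"
    echo "constructed cert" > "$d/pki/issued/yealink1.crt"
    echo "constructed key" > "$d/pki/private/yealink1.key"
    printf '%s\n' client 'proto udp' 'remote pbx.mydomain.com 1194' persist-key \
        persist-tun 'remote-cert-tls server' 'cipher AES-128-CBC' '<ca>' \
        'constructed CA' '</ca>' '<tls-crypt>' \
        '-----BEGIN OpenVPN Static key V1-----' 00112233 \
        '-----END OpenVPN Static key V1-----' '</tls-crypt>' > "$d/yealink1.ovpn"
}
```

On the server from the post this would be called as `build_yealink_tar yealink1 /root/yealink1.ovpn /etc/openvpn/easy-rsa/pki /root/yealink-out`; the output directory name is an assumption.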

kmcdaniel

Can you advise how you can verify the phone registers to 10.8.0.1? I also cannot get audio once I upload the openvpn.tar file. The phone calls out but there is no audio. I don't understand what I am missing.
 

jaycos

I think what I meant was, edit the settings of the phone so that it registers to that IP, i.e. use 10.8.0.1 as the server host in your SIP account settings.
 

kmcdaniel

Registration isn't working via the VPN steps above. Is OpenVPN or NeoRouter the recommendation for VPN on remote extensions?
 
