TUTORIAL Yealink < OpenVPN > IncrediblePBX

jaycos (Member, joined Sep 3, 2018)
It took me a while to figure this out, so in case anyone else wants to try connecting a Yealink phone to an Incredible PBX using OpenVPN, here you go:

Setup
  • Vultr $5 server
  • CentOS 7
  • FQDN (pbx.mydomain.com)
  • Incredible PBX 16-15.1
  • Yealink T41S (Firmware 66.84.0.15)
Steps
  1. Install OpenVPN following Nerdvittles instructions:
    Code:
    cd /root
    curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
    chmod +x openvpn-install.sh
    sed -i "s|\techo 'push \"redirect-gateway|#\techo 'push \"redirect-gateway|" openvpn-install.sh
    sed -i "s|push \"redirect-gateway|#push \"redirect-gateway|" openvpn-install.sh
    sed -i 's|tls-client|tls-client\npull-filter ignore "redirect-gateway"|' openvpn-install.sh
    ./openvpn-install.sh
  2. Run installer using recommended settings, except for Custom encrypt(no):
    • Server IP Address: using FQDN strongly recommended to ease migration issues
    • Enabled IPv6 (no): accept default
    • Port (1194): accept default
    • Protocol (UDP): accept default
    • DNS (3): change to 9 (Google)
    • Compression (no): accept default
    • Custom encrypt(no):yes
      • select 4) AES-128-CBC
      • use recommendations for remaining settings
  3. Create the first client, e.g. yealink1
  4. Gather some necessary data
    Code:
    mkdir -p /tmp/yealink/keys
    cd /etc/openvpn/easy-rsa
    cp pki/ca.crt pki/private/yealink1.key pki/issued/yealink1.crt /tmp/yealink/keys/
    cat /root/yealink1.ovpn
  5. From yealink1.ovpn copy the OpenVPN Static key including the BEGIN and END lines to a new file
    Code:
    cd /tmp/yealink
    nano keys/ta.key
  6. From yealink1.ovpn copy everything at the top, above <ca>, to a new file
    Code:
    nano vpn.cnf
  7. Add the following lines to vpn.cnf (I added them between persist-tun and remote-cert-tls server):
    Code:
    ca /config/openvpn/keys/ca.crt
    cert /config/openvpn/keys/yealink1.crt
    key /config/openvpn/keys/yealink1.key
    tls-crypt /config/openvpn/keys/ta.key 1
  8. You should now have the following files in place:
    Code:
    /tmp/yealink/keys/ca.crt
    /tmp/yealink/keys/yealink1.crt
    /tmp/yealink/keys/yealink1.key
    /tmp/yealink/keys/ta.key
    /tmp/yealink/vpn.cnf
  9. Create a tar file
    Code:
    tar cvf openvpn.tar ./vpn.cnf ./keys
  10. Download openvpn.tar and upload it into your phone.
  11. Make sure your phone registers to 10.8.0.1
  12. Continue with Nerdvittles tutorial "to block all server access except via SSH or the VPN":
    Code:
    cd /etc/sysconfig
    wget http://incrediblepbx.com/iptables-openvpn.tar.gz
    tar zxvf iptables-openvpn.tar.gz
    rm -f iptables-openvpn.tar.gz
    echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
    sysctl -p
    systemctl -f enable openvpn@server.service
    systemctl start openvpn@server.service
    systemctl status openvpn@server.service
    systemctl enable openvpn@server.service
    systemctl restart iptables
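Steps 4 to 9 above are a manual cut-and-paste job, and the pieces end up world-readable under /tmp. The script below does the same assembly from the inline .ovpn profile and refuses to produce a tar if any piece is missing. It is an added example for this thread, not code from the post, from Nerdvittles or from Angristan's installer. The sample profile is constructed to look like what the installer writes to /root/yealink1.ovpn (placeholder PEM bodies, not real keys); the /config/openvpn/keys path is the one the post uses. One detail differs from step 7: the directive is written as `tls-crypt /config/openvpn/keys/ta.key` without a trailing `1`, because the key-direction argument belongs to tls-auth and tls-crypt does not use it.

```shell
#!/bin/sh
# Build the Yealink OpenVPN bundle (vpn.cnf + keys/) from an inline .ovpn profile.
# Added example for this thread, not the forum post's or Nerdvittles' own code.

# Constructed sample shaped like the /root/<client>.ovpn that Angristan's
# installer writes: directives first, then inline <ca>/<cert>/<key>/<tls-crypt>
# blocks. The PEM bodies are placeholders, not real key material.
SAMPLE_OVPN='client
proto udp
remote pbx.mydomain.com 1194
dev tun
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-128-CBC
tls-client
pull-filter ignore "redirect-gateway"
verb 3
<ca>
-----BEGIN CERTIFICATE-----
CAPLACEHOLDER
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CERTPLACEHOLDER
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
KEYPLACEHOLDER
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
TAPLACEHOLDER
-----END OpenVPN Static key V1-----
</tls-crypt>
'

# extract_block TAG FILE: print the body of <TAG> ... </TAG> from FILE
extract_block() {
  awk -v tag="$1" '
    $0 == ("<" tag ">")  { inside = 1; next }
    $0 == ("</" tag ">") { inside = 0; next }
    inside { print }
  ' "$2"
}

# build_yealink_bundle OVPN OUTDIR CLIENT: write OUTDIR/openvpn.tar containing
# ./vpn.cnf and ./keys/{ca.crt,CLIENT.crt,CLIENT.key,ta.key}; returns non-zero
# if any piece is missing, so a broken bundle never reaches the phone
build_yealink_bundle() {
  ovpn=$1; client=$3
  out=$(cd "$2" && pwd) || return 1
  work="$out/work"
  mkdir -p "$work/keys" || return 1
  extract_block ca        "$ovpn" > "$work/keys/ca.crt"
  extract_block cert      "$ovpn" > "$work/keys/$client.crt"
  extract_block key       "$ovpn" > "$work/keys/$client.key"
  extract_block tls-crypt "$ovpn" > "$work/keys/ta.key"
  # vpn.cnf: everything above the first inline block, then file-based
  # references at the path the phone unpacks the tar to (/config/openvpn).
  # tls-crypt takes no key-direction argument (that belongs to tls-auth).
  awk '/^<ca>$/ { exit } { print }' "$ovpn" > "$work/vpn.cnf"
  printf '%s\n' \
    "ca /config/openvpn/keys/ca.crt" \
    "cert /config/openvpn/keys/$client.crt" \
    "key /config/openvpn/keys/$client.key" \
    "tls-crypt /config/openvpn/keys/ta.key" >> "$work/vpn.cnf"
  for f in keys/ca.crt "keys/$client.crt" "keys/$client.key" keys/ta.key; do
    [ -s "$work/$f" ] || { echo "missing or empty $f" >&2; rm -rf "$work"; return 1; }
  done
  grep -Eq '^(tls-)?client$' "$work/vpn.cnf" || { echo "not a client profile" >&2; rm -rf "$work"; return 1; }
  ( cd "$work" && tar cf "$out/openvpn.tar" ./vpn.cnf ./keys ) || return 1
  rm -rf "$work"      # the private key now lives only inside the tar
}

# list_bundle TAR: show the members, to confirm the layout before uploading
list_bundle() { tar tf "$1" | sort; }

# Stand-alone demo on the constructed profile; on the PBX pass /root/yealink1.ovpn
demo=$(mktemp -d)
printf '%s' "$SAMPLE_OVPN" > "$demo/yealink1.ovpn"
build_yealink_bundle "$demo/yealink1.ovpn" "$demo" yealink1 && list_bundle "$demo/openvpn.tar"
```

On the PBX, run it as `build_yealink_bundle /root/yealink1.ovpn "$(mktemp -d)" yealink1`, upload the resulting openvpn.tar through the phone's web UI, then delete the tar: it carries the client's private key and the tls-crypt key, which is all anyone needs to join your VPN as that phone.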

kmcdaniel (Member, joined Jan 23, 2008)
jaycos said: [tutorial quoted in full above]
Can you advise how you can verify the phone registers to 10.8.0.1? I also cannot get audio once I upload the openvpn.tar file. The phone calls out but there is no audio. I don't understand what I am missing.

jaycos (Member, joined Sep 3, 2018)
I think what I meant was, edit the settings of the phone so that it registers to that IP, i.e. use 10.8.0.1 as the server host in your SIP account settings.
 

kmcdaniel (Member, joined Jan 23, 2008)
jaycos said: [quoted above]
Registration isn't working via VPN steps above. Is openvpn or neorouter the recommendation for vpn on remote extensions?
 

piaftnt (Member, joined Jul 16, 2010)
First of all I want to say THANKS to @jaycos for this info. It enabled me to get 99% of the way there easily. Of course the last little piece is always what takes the longest to get right. In case anyone else is having issues with audio not making it from the remote phone to the PBX, on ipbx13 you need to add 10.8.0.0/24 to the Local Networks in Settings -> SIP Settings. Otherwise you can make calls but the PBX routes the RTP packets to the wrong place and you end up with one-way audio. Maybe I ran into this because my PBX is on my local network and is behind NAT, but I am sure I am not the only one doing this.

Also, because I run my own name servers internally, I added push "route 192.168.0.0 255.255.255.0" to the server config so that the vpn clients could talk to my internal network. This lets me simply enable or disable the vpn depending on if I am at my office or on the road.

Hope this helps.

Tom
 
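Two things in this thread are worth checking from the PBX side rather than by ear: kmcdaniel's question of how to confirm a phone registers through the tunnel, and piaftnt's localnet fix. When a phone registers over OpenVPN, Asterisk sees its source address as a tunnel IP (10.8.0.x), so `sip show peers` tells you directly whether each extension came in through the VPN or straight from the Internet. And if the tunnel subnet is not listed as a local network, Asterisk treats the phone as an outside peer and advertises externip in the SDP, which is the one-way-audio symptom. The script below is an added example for this thread, not code from the posts or from Incredible PBX. It assumes chan_sip extensions (the thread's "SIP settings" page; PJSIP would use `pjsip show contacts` and a different parser) and the 10.8.0.0/24 subnet that Angristan's installer assigns by default; both sample inputs are constructed.

```shell
#!/bin/sh
# Check that remote Yealinks really register over the tunnel and that Asterisk
# treats the tunnel subnet as local. Added example for this thread, not code
# from the forum posts or from Incredible PBX.

# Assumptions (not stated in the thread): chan_sip extensions, and the
# 10.8.0.0/24 tunnel subnet that Angristan's installer assigns by default.
VPN_NET=10.8.0.0
VPN_MASK=255.255.255.0
VPN_PREFIX=10.8.0.     # string prefix matching the /24 above

# Constructed sample of `asterisk -rx "sip show peers"`: 701 comes in over the
# tunnel, 702 registered straight from the Internet, 703 never registered.
SAMPLE_PEERS='Name/username   Host            Dyn Forcerport Comedia    ACL Port     Status
701/701         10.8.0.2         D  Yes        Yes            5060     OK (12 ms)
702/702         203.0.113.45     D  Yes        Yes            5060     OK (45 ms)
703/703         (Unspecified)    D  Yes        Yes            0        Unmonitored
3 sip peers [Monitored: 2 online, 0 offline Unmonitored: 0 online, 1 offline]'

# Constructed sample of what FreePBX writes to /etc/asterisk/sip_general_additional.conf
# once 10.8.0.0/255.255.255.0 is added under Settings -> SIP Settings -> Local Networks
SAMPLE_SIP_GENERAL='externip=203.0.113.10
localnet=192.168.0.0/255.255.255.0
localnet=10.8.0.0/255.255.255.0
nat=force_rport,comedia'

# classify_peers: read `sip show peers` output on stdin, print "STATE peer host"
classify_peers() {
  awk -v pfx="$VPN_PREFIX" '
    NR == 1 || /^[0-9]+ sip peers/ { next }            # header and trailer
    $2 == "(Unspecified)"          { print "UNREGISTERED", $1; next }
    index($2, pfx) == 1            { print "VPN", $1, $2; next }
                                   { print "PUBLIC", $1, $2 }
  '
}

# localnet_has_vpn FILE: true if a localnet= line covers the tunnel subnet.
# Without it Asterisk puts externip into SDP for tunnel peers and the phone
# hears nothing (the one-way audio piaftnt describes).
localnet_has_vpn() {
  grep -qxF "localnet=$VPN_NET/$VPN_MASK" "$1" || grep -qxF "localnet=$VPN_NET/24" "$1"
}

# audit_vpn_phones PEERS_FILE SIPGEN_FILE: print findings; the return value is
# the number of problem classes found (0 = every registered phone on the VPN
# and localnet correct), so it can gate a cron job or a post-install check
audit_vpn_phones() {
  problems=0
  classify_peers < "$1" | while read -r state peer host; do
    case $state in
      PUBLIC)       echo "WARN $peer registered from $host, not through the tunnel" ;;
      UNREGISTERED) echo "INFO $peer has not registered" ;;
      VPN)          echo "OK   $peer via $host" ;;
    esac
  done
  if classify_peers < "$1" | grep -q '^PUBLIC'; then
    problems=$((problems + 1))
  fi
  if ! localnet_has_vpn "$2"; then
    echo "WARN localnet does not include $VPN_NET/$VPN_MASK: expect one-way audio"
    problems=$((problems + 1))
  fi
  return $problems
}

# Stand-alone demo on the constructed samples; on the PBX feed it real output:
#   asterisk -rx "sip show peers" > /tmp/peers
#   audit_vpn_phones /tmp/peers /etc/asterisk/sip_general_additional.conf
demo=$(mktemp -d)
printf '%s\n' "$SAMPLE_PEERS" > "$demo/peers"
printf '%s\n' "$SAMPLE_SIP_GENERAL" > "$demo/sipgen"
audit_vpn_phones "$demo/peers" "$demo/sipgen" || echo "problems: $?"
```

A phone that shows up as PUBLIC here is registering around the tunnel, which is exactly the case step 12's iptables ruleset is meant to make impossible once it is in place; if you still see one after the firewall is up, the phone's SIP server setting is still the public name rather than 10.8.0.1.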
