Yealink phones
-
Yeah, Yealink phones don't have any form of status or logs to see what's going on with the VPN…
Here are the relevant Server settings I'm using:
-
Server Mode: Remote Access (SSL/TLS)
-
Protocol: UDP
-
Device Mode: tun
-
Port: 1194
-
TLS Authentication: Enable (using 2048bit static key)
-
CA and server certificate used are generated at the Certificates menu
-
DH: 1024
-
Encryption: AES-128-CBC
-
Other settings: Using compression LZO, ToS IP header, Allow communication between clients
-
Client Settings: Provide a virtual adapter IP address to clients (checked). I also provide DNS domain, NetBIOS over TCP and WINS server
-
Advanced configuration: I push several routes from my network, but you might not need that
Then using Client Export, like I mentioned, I use the T38G (2) file, upload it to the phone, and reboot.
I guess it might help if you look at the openvpn logs while testing, to see what might be going on.
-
pfSense 2.1
OpenVPN Client Export Utility 1.1.3
I am in the process of updating my Yealink OpenVPN document and have hit a snag. In my original document I was creating a user account with an associated certificate for each phone. The user account is really unnecessary as there is no User Auth with the Yealink OpenVPN client, so I would like to only generate the certificate. This is fine if you are manually creating the Yealink config tarball. However, when I go to export the config via the OpenVPN Client Export Utility there are no users to select from. I only get an option there if I create a user account.
So for those of you using the Client Export Utility, are you creating a user account for each phone? If you are only generating the certificate and not a user account, how are you exporting it using the Client Export Utility?
-
It looks like you don't have any user certificates, so the client export has nothing to export.
-
The user cert is there and as you can see issued by the correct CA:
-
Hmm, is the CA for your phone accounts defined in CAs and the OpenVPN Server? I do have one certificate for each phone and it works fine.
-
Ok, I completely removed everything and started from scratch and the certs are now showing up in the Client Export Utility. Here is my updated doc for anyone who is interested.
http://www.sunstatetechnology.com/docs/YealinkOpenVPNGuide.pdf
-
Hi Guys,
I have the same problem with a Yealink-T38G, firmware 38.70.150.2.
I created the pfSense side according to the Yealink documentation, with the wizard and with sscardefield's really, really great documentation - but nothing works.
I have even reinstalled pfSense from scratch… I have found three things which don't work if you use the Export Utility:
1. You have to unpack and repack the generated client.tar with 7zip on Windows - if you don't, your phone won't import the file.
2. If you leave the line "verify-x509-name PhoneServer name" in the generated vpn.cnf, the phone can't import the file either.
3. There seems to be a problem with the generated certificates. The phone (if you set Phone > Configuration > Log Level to 6 you get a usable log file which you can export) shows the following error:
Nov 7 21:20:48 openvpn[289]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA. OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
Nov 7 21:20:48 openvpn[289]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Nov 7 21:20:48 openvpn[289]: Re-using SSL/TLS context
Nov 7 21:20:48 openvpn[289]: LZO compression initialized
Nov 7 21:20:48 openvpn[289]: UDPv4 link local (bound): [undef]:1194
Nov 7 21:20:48 openvpn[289]: UDPv4 link remote: 213.221.100.187:1194
Nov 7 21:20:48 openvpn[289]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=DE/ST=Hessen/L=Floersheim/O=Lorenzgroup/emailAddress=support@lorenzgroup.com/CN=PhoneCA
Nov 7 21:20:48 openvpn[289]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Nov 7 21:20:48 openvpn[289]: TLS Error: TLS object -> incoming plaintext read error
Nov 7 21:20:48 openvpn[289]: TLS Error: TLS handshake failed
iOS, Android and PC clients connect without problems. I am now really out of ideas - anybody else, please?!
-
Maybe the CA certificate is not correct or missing? I didn't need to re-zip anything, and it pretty much worked the first time… Also, I am not seeing the verify-x509-name line in my vpn.cnf file the Client Export Utility is creating for me. This is what my vpn.cnf looks like:
dev tun
persist-tun
persist-key
cipher AES-128-CBC
tls-client
client
resolv-retry infinite
remote [my server name] 1194 udp
tls-remote openvpn-pfsense
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client1.crt
key /config/openvpn/keys/client1.key
tls-auth /config/openvpn/keys/ta.key 1
comp-lzo
passtos
-
Hi Gus,
Thanks for the info! Maybe you could be so nice and give me some more information?!
Which versions are you using?
Mine are the following:
pfSense:
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11
Export Package:
1.1.3
And did you create the certs and the server via the wizard or manually?!
I really appreciate your help, so thanks in advance!
-
On pfSense 2.1 we increased the security of the certificates to use SHA256 as the default Digest Algorithm. From what I've heard, those Yealink phones may only support SHA1.
There was a small bug in 2.1 that prevented the GUI drop-down for Digest Algorithm from being respected so it always used SHA256. You can use the System Patches package to apply commit fd750cd064a46f364a7e06c9fe27d46ce11cd09a which will fix the selection of the Digest in the GUI.
If you apply that fix and then generate a new CA/certificate using SHA1, it should work.
-
Just to confirm, my certificates are signed SHA1 so this might be your solution for Yealink phones.
-
Thanks to both of you! You are a great help!
According to your suggestions I reinstalled pfSense from scratch (again), installed patch http://github.com/pfsense/pfsense/commit/fd750cd064a46f364a7e06c9fe27d46ce11cd09a.patch and created new CA, certs, OpenVPN server etc., then the Export Utility. (Because I like clean installs to start…)
The Export Utility won't show me the created user certificate if I choose "SHA1" in CA, server cert and user cert, and I don't know why?!
(Choosing SHA256 does work - but not with the phones.)
I saw on the GitHub changelog that they changed it to "tls-remote is deprecated, use verify-x509-name, which also works on the iOS client so no need to exclude it from getting the line either." - but that doesn't work with the Yealink phones. Maybe it is possible that they change this for the Yealink export??
But even if I export the certificates manually and create the vpn.cnf by hand, the phones don't accept the certificates - I am not sure if the patch mentioned above really covers all options to choose "SHA1".
It would be really, really great if you guys from pfSense could fix this - I think pfSense is a really, really great choice for the many, many people who use SIP communication systems and need/want secure communication....
I can't find an older version of pfSense or the Export Utility - I think anybody who upgraded from 2.0.3 with already created certs and export does not have these problems?!
-
Well, it looks like you are making a hobby of reinstalling pfSense from scratch :D, so with the current situation, how about installing from scratch on version 2.0, test out your Yealink phones, then upgrade to the latest 2.1? If you still want to continue testing regarding SHA2, you can create new CA certificates on 2.1 until it's resolved, but at least you now have a working setup for Yealinks in the meantime.
I've been upgrading since version 1 so at least it's working for me. I can understand your position on clean installs, but I don't think pfSense carries much trash from version to version, so I wouldn't worry about it too much.
-
I played with this a bit today and here are my findings.
pfSense 2.1
Export Utility 1.1.3
Before testing I applied the patch jimp mentioned via the Patches utility. From what I can tell it took:
Afterwards, I recreated my server cert and user cert telling it to use SHA1 for both, then applied the new cert to my OpenVPN instance and exported the new config files via the Export Utility. Here is how it played out:
T38
38.70.0.105 - The phone won't accept the Export Utility config file T38 (1) or (2)
38.70.0.180 - The phone won't accept the Export Utility config file T38 (1) or (2)
T26
6.71.0.140 - The phone accepts the Export Utility config file but makes no attempt to establish a VPN connection during bootup (verified via packet capture)
6.71.0.149 - The phone accepts the Export Utility config file but makes no attempt to establish a VPN connection during bootup (verified via packet capture)
If I get some time tomorrow I will manually create the config files and see if they take.
-
Hi Guys,
Yes, I am a true reinstall enthusiast… well, more a "revert to snapshot" enthusiast ;)
I get the same results as Seth. If I use pfSense 2.0.3 everything works well - except the Export Utility, which they updated to 2.1 I think.
But you can create all certs and the server without problems. You have to export the certs and make your own vpn.cnf - and if you use the latest version of 7zip you can get all of that together in a client.tar which Yealink phones accept! Works like a charm!
Soooo, if the guys from the pfSense team examine this problem with version 2.1 - I believe it's something else than a plain GUI issue -
and change the Export Utility back to a version that works for Yealink phones, I would be more than happy... and not just me I guess ;D
Does anyone know if there is an option to get an older version of the Export Utility - or how to contact the developers and inform them about this issue?!
-
Hi Again,
I have an update for the export issue:
You have to install it AFTER you create your CA etc. I removed and reinstalled the Export Utility package and voila: it shows the certs and generates the client.tar.
But the contents of the file are still incompatible with the Yealink phones:
The Export Utility generates this file:
dev tun
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote xxx.xxx.xxx.xxx 1194 udp
verify-x509-name LGPhoneServerCert name
ca /phone/config/openvpn/keys/ca.crt
cert /phone/config/openvpn/keys/client1.crt
key /phone/config/openvpn/keys/client1.key
comp-lzo
The working one is:
client
dev tun
persist-tun
persist-key
proto udp
nobind
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
ns-cert-type server
comp-lzo
ca /phone/config/openvpn/keys/ca.crt
cert /phone/config/openvpn/keys/client1.crt
key /phone/config/openvpn/keys/client1.key
So, if they revert their update from "verify-x509-name LGPhoneServerCert name" back to "ns-cert-type server", it seems that everything will work with 2.0.3….
-
Reinstalling pfSense or the package in another order before/after creating certificates wouldn't matter. The export package reads the certificates directly from the config, and doesn't change them. Reinstalling may have pulled in a newer version of the export package than you had before, but otherwise wouldn't have changed anything substantial.
I updated the export package to skip the verify-x509-name line if the export is happening for a Yealink or snom phone, or if the config is auth only. I found last week that an auth-only setup would not even attempt to connect if that line was in the config, even on the latest client. And the Yealink/snom OpenVPN clients are so old/crippled they don't support it.
Version 1.1.4 should show up in a few minutes.
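A small diagnostic for the two failure modes this thread ends up isolating (the exported vpn.cnf carrying a verify-x509-name line the phone client cannot import, and the depth=1 "certificate signature failure" in the phone log that the thread traced to SHA256-signed certificates). This is an added example, not code from the thread or from the pfSense export package; the sample config and log line are constructed and abridged from the ones quoted above, and the "SHA1 only" conclusion it reports is the thread's finding, not an independent fact.

```python
import re

# The directive the thread found the Yealink/snom OpenVPN client will not import,
# paired with what the working pfSense 2.0.3-era vpn.cnf used in its place.
UNSUPPORTED = {"verify-x509-name": "ns-cert-type server"}

# depth=1 is the issuing CA. A signature failure there while PC/iOS/Android clients
# accept the same chain is the pattern the thread traced to SHA256-signed certificates.
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=([^:]+): (/\S+)")

# Constructed sample input, abridged from the exported vpn.cnf and log quoted above.
SAMPLE_CNF = """client
remote xxx.xxx.xxx.xxx 1194 udp
verify-x509-name LGPhoneServerCert name
ca /phone/config/openvpn/keys/ca.crt
cert /phone/config/openvpn/keys/client1.crt
key /phone/config/openvpn/keys/client1.key
comp-lzo"""
SAMPLE_LOG = [
    "Nov 7 21:20:48 openvpn[289]: LZO compression initialized",
    "Nov 7 21:20:48 openvpn[289]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=DE/O=Lorenzgroup/CN=PhoneCA",
]

def parse_vpn_cnf(text):
    """Map each directive to its argument list, skipping blanks and '#'/';' comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;":
            name, *args = line.split()
            cfg[name] = args
    return cfg

def diagnose(cnf_text, log_lines):
    """Return findings explaining why the phone rejects the config or the TLS handshake."""
    cfg = parse_vpn_cnf(cnf_text)
    findings = []
    for name, replacement in UNSUPPORTED.items():
        if name in cfg:
            findings.append(f"config: replace '{name} {' '.join(cfg[name])}' with '{replacement}'")
    for line in log_lines:
        m = VERIFY_RE.search(line)
        if m and m.group(1) == "1" and m.group(2) == "certificate signature failure":
            findings.append(f"log: CA {m.group(3)} failed signature check; re-issue CA, server and "
                            "client certificates with SHA1, the only digest the phones accepted")
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_CNF, SAMPLE_LOG)))
```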
-
Alright, I think we are good now. I removed everything and started from scratch (I'm weird like that too). So now using Client Export Utility 1.1.4 and SHA1, both the T26 and T38 successfully connect. And just to verify, I reset everything and used SHA256 and neither phone would connect. So the OpenVPN client on the Yealinks definitely only works with SHA1.
Thanks for all the help jimp.
-
Really? It didn't work for my T20P phones this way….
Even when you create your certificates selecting SHA1 encryption (1024 or 2048 key), the signature algorithm is still sha256RSA instead of sha1RSA, and that didn't work for my phones.
What I did was make the certificates for the CA, server and users (the phones) in pfSense 2.0.3, export them and after that import them on pfSense 2.1.
Then create the OpenVPN server with these certificates and export the T28 client; with 1.1.5 that works again.
-
You must not have applied the patch I posted earlier in the thread. Without that patch the GUI doesn't properly let you select SHA1.