Netgate Discussion Forum
    Connect Snom Phone with openVPN

    arndtw

      Hi,
      I am trying to get a snom phone (D715) connected to my pfSense box with OpenVPN.

      I have tried that for days with no success. I'd like to throw those phones out of the window. I have never seen such a complicated and slow way.

      I patched the phone with version 8.9.3.80 and the vpn patch.

      I installed a webserver to deploy the tarball.
      I made a CA on my pfSense and created a server cert with that CA.

      The OpenVPN log shows: TLS Error: TLS key negotiation failed to occur within 60 seconds

      I made a server cert for the openvpn Server.
      I exported the client a dozen times. Installed it, waited for the phone to reboot.

      But there is no connection.

      Is there a howto to do this? Has anybody got it working?

      Thx Wolfgang

      Tenou

        I've got this working and will reply later with my current configuration details

        Tenou

          1. Create a new CA with default settings
          Edit Descriptive Name, Common Name & location data to match your individual preferences.

          2. Create a server certificate
          Select the CA you've just created, add a descriptive name and a common name (also don't forget to add your WAN IP/hostname as alternative names).
          Don't change the cryptographic settings. SHA256 & a 2048-bit key length are fine. Don't forget to actually select "Server certificate" as Certificate type.

          3. Create a certificate for the phone(s)
          Again, select the CA you've created in the first step. I like to use the phone's MAC address (without colons) as common name here, since it clearly identifies the phone. This will come in handy when troubleshooting or creating client specific overrides.

          4. Install OpenVPN Client Export-Package
          This package will create a finished, bundled configuration file for your phone. If you haven't installed this yet, do it now.

          5. Create an OpenVPN Server
          Server Mode: Remote Access (SSL/TLS)
          Protocol: UDP on IPv4 only
          Device mode: tun
          Interface: any (adjust according to your requirements)
          Local port: Use any port (above 1024) you want, which is still free. This will be the port on the WAN-side that Clients will connect to.
          TLS Configuration: Check "Use a TLS Key" & "Automatically generate a TLS Key."
          TLS keydir direction: Use default direction
          Peer Certificate Authority: The CA you've created in the first step
          Server certificate: The server certificate you've generated in the second step.
          DH Parameter Length: 2048 bit
          ECDH Curve: Use Default
          Encryption Algorithm: AES-256-GCM (you'll eventually have to adjust this based on which phones you're using. If you have questions regarding that, I'll happily provide you with a list of supported encryption algorithms for the phones you're using).
          Enable NCP: Uncheck
          Auth digest algorithm: SHA256
          Certificate Depth: One
          IPv4 Tunnel Network: Enter a local subnet which isn't yet used by anything else. For example "10.0.9.0/24".
          IPv4 Local network(s): Enter the local subnet in which the PBX resides.
          Concurrent connections: Adjust based on how many phones you want to connect.
          Compression: No LZO Compression [Legacy style, comp-lzo no]
          Dynamic IP: Checked
          Ping settings: 0 (will disable that feature)
          Gateway creation: IPv4

          Adjust "DNS Default Domain", "DNS Server enable" & "NTP Server enable" according to your needs. None of that is necessary, but can be quite helpful.
          If using pfsense as DNS/NTP, add the first IP of the subnet you've configured in "IPv4 Tunnel Network" here. This is assigned to your pfSense appliance.
          Also don't forget to adjust the ACLs in the DNS Resolver-Tab.

          6. Create an OpenVPN Client
          You'll have to create an OpenVPN client for every device you are looking to connect.

          Server mode: Peer to Peer ( SSL/TLS )
          Protocol: UDP on IPv4 only
          Device mode: tun
          Interface: any
          Local port: Leave empty
          Server host or address: WAN-IP/Hostname of your appliance (has to be the same as configured in the OpenVPN Server certificate)
          Server port: Has to match "Local Port" from the server configuration
          Proxy Authentication: None
          Username: Leave empty
          Password: Leave empty
          TLS Configuration: Check "Use a TLS Key"
          TLS Key Usage Mode: TLS Authentication
          Peer Certificate Authority: The CA you've created in the first step
          Client Certificate: The Certificate you've created in the third step
          Encryption Algorithm: AES-256-GCM (you'll eventually have to adjust this based on which phones you're using. If you have questions regarding that, I'll happily provide you with a list of supported encryption algorithms for the phones you're using).
          Enable NCP: Uncheck
          Auth digest algorithm: SHA256
          Compression: No LZO Compression [Legacy style, comp-lzo no]
          Topology: Subnet
          Ping settings: 0 (will disable that feature)
          Gateway creation: IPv4

          7. Firewall rules
          A NAT rule for UDP4 should've been automatically created to let traffic in through the port you've configured in step 5 as "Local port".
          However, you'll still have to create the local rules yourself, so that your phones can speak to the pbx. For that, go to the OpenVPN-Tab in your firewall rules.
          Now create a rule allowing traffic from the IPv4 Tunnel Network (configured in step 5) to your local PBX.
          Similarly, create a rule in the subnet your pbx resides in, which will allow your pbx to access the Tunnel network.

          8. Export the configuration
          Go to the "Client Export"-Tab of OpenVPN and select the VPN-Server you've just created in the dropdown menu.
          Now select the correct Host Name Resolution method (usually "Interface IP Address" is fine; this will use the WAN IP. However, you can optionally switch to hostname resolution or other methods). Under "Verify Server CN", choose automatic.

          If you've chosen to configure DNS in the 5th step, you can optionally tick the "Block Outside DNS" checkbox. You should check "Legacy Client" & "Use Random Local Port" as well. Everything else after that should be unchecked/empty.

          Now scroll down to "OpenVPN Clients", you should see your client from the 6th step there. Choose the export option for snom phones, upload it to an HTTP server and configure the URL in your phone. It'll then fetch the package, install the configuration files and should connect without any issues.

          That's it!

          If you have any further questions, feel free to ask!

          To get a better understanding of everything, here you can find screenshots of my production config: https://imgur.com/a/UGBLOk5

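As an added example (not code from this thread, from pfSense or from the Client Export package), here is a small Python checker that parses an OpenVPN server config and a client .ovpn and flags the mismatches between the step-5 server settings and the step-6 client settings that surface on the client as the TLS-negotiation timeout quoted in the first post. The sample configs, the host name vpn.example.net and port 11940 are constructed, and the checker assumes the usual convention that the server uses tls-auth key direction 0 and the client 1 (what "Use default direction" in step 5 produces).

```python
# Constructed samples modelled on the step-5 server / step-6 client settings (not a pfSense export).
SERVER_CONF = """\
proto udp4
port 11940
cipher AES-256-GCM
auth SHA256
tls-auth ta.key 0
"""
CLIENT_OK = """\
proto udp4
remote vpn.example.net 11940 udp4
cipher AES-256-GCM
auth SHA256
key-direction 1
<tls-auth>
(constructed placeholder, not a real key)
</tls-auth>
"""
CLIENT_BAD = CLIENT_OK.replace("11940", "1194").replace("key-direction 1", "key-direction 0")  # wrong port, server's key dir

def parse_ovpn(text):
    """Map directive -> args; an inline <tag>...</tag> block is recorded as ['inline']."""
    opts, block = {}, None
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if line.startswith("<"):  # entering (<tag>) or leaving (</tag>) an inline block
            block = None if line.startswith("</") else line.strip("<>")
            if block:
                opts[block] = ["inline"]
        elif line and block is None:
            opts[line.split()[0]] = line.split()[1:]
    return opts

def check_pair(server_text, client_text):
    """Return the mismatches that would keep the phone from completing the TLS handshake.
    The key direction is read from key-direction or from the second tls-auth argument."""
    s, c = parse_ovpn(server_text), parse_ovpn(client_text)
    issues = []
    if s.get("proto", ["udp"])[0].rstrip("46") != c.get("proto", ["udp"])[0].rstrip("46"):
        issues.append("proto mismatch")
    if c.get("remote", [])[1:2] != s.get("port", []):
        issues.append("client remote port != server port")
    for d in ("cipher", "auth"):
        if s.get(d) != c.get(d):
            issues.append(f"{d} mismatch: server={s.get(d)} client={c.get(d)}")
    if "tls-auth" not in s or "tls-auth" not in c:
        issues.append("tls-auth key missing on one side")
    elif {o.get("key-direction", o.get("tls-auth")[1:2] or [None])[0] for o in (s, c)} != {"0", "1"}:
        issues.append("tls-auth key directions are not complementary (server 0, client 1)")
    return issues
```

An empty list from check_pair means the two sides agree on transport, cipher, digest and TLS key; a non-empty one lists what to fix before looking at reachability.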
            viragomann @arndtw

            @arndtw said in Connect Snom Phone with openVPN:

            Openvpn Log shows TLS Error: TLS key negotiation failed to occur within 60 seconds

            Mostly, when you get this, the client basically can't access the server on the given port and protocol.

            So ensure that the client's packets are arriving on the server's public-side interface.
            You can use Diagnostic > Packet capture for investigation.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.