Connect Snom Phone with openVPN



  • Hi,
    I am trying to connect a snom phone (D715) to my pfSense box with OpenVPN.

    I have tried that for days with no success. I'd like to throw those phones out of the window. I never saw such a complicated and slow way.

    I patched the phone with version 8.9.3.80 and the vpn patch.

    I installed a webserver to deploy the tarball.
    I made a CA on my pfsense, i created a server cert with that ca.

    Openvpn Log shows TLS Error: TLS key negotiation failed to occur within 60 seconds

    I made a server cert for the openvpn Server.
    I exported the client a dozen times, installed it, and waited for the phone to reboot.

    But there is no connection.

    Is there a howto to do this? Has anybody got it working?

    Thx Wolfgang



  • I've got this working and will reply later with my current configuration details



  • 1. Create a new CA with default settings
    Edit Descriptive Name, Common Name & location data to match your individual preferences.

    2. Create a server certificate
    Select the CA you've just created, add a descriptive Name and a common name (also don't forget to add your WAN-IP/Hostname as alternative names)
    Don't change the cryptographic settings. sha256 & 2048 key length is fine. Don't forget to actually select "Server certificate" as Certificate type.

    3. Create a certificate for the phone(s)
    Again, select the CA you've created in the first step. I like to use the phone's MAC address (without colons) as common name here, since it clearly identifies the phone. This will come in handy when troubleshooting or creating client specific overrides.

    4. Install OpenVPN Client Export-Package
    This package will create a finished, bundled configuration file for your phone. If you haven't installed this yet, do it now.

    5. Create an OpenVPN Server
    Server Mode: Remote Access (SSL/TLS)
    Protocol: UDP on IPv4 only
    Device mode: tun
    Interface: any (adjust according to your requirements)
    Local port: Use any port (above 1024) you want, which is still free. This will be the port on the WAN-side that Clients will connect to.
    TLS Configuration: Check "Use a TLS Key" & "Automatically generate a TLS Key."
    TLS keydir direction: Use default direction
    Peer Certificate Authority: The CA you've created in the first step
    Server certificate: The server certificate you've generated in the second step.
    DH Parameter Length: 2048 bit
    ECDH Curve: Use Default
    Encryption Algorithm: AES-256-GCM (you'll eventually have to adjust this based on which phones you're using. If you have questions regarding that, I'll happily provide you with a list of supported encryption algorithms for the phones you're using).
    Enable NCP: Uncheck
    Auth digest algorithm: SHA256
    Certificate Depth: One
    IPv4 Tunnel Network: Enter a local subnet which isn't yet used by anything else. For example "10.0.9.0/24".
    IPv4 Local network(s): Enter the local subnet in which the PBX resides.
    Concurrent connections: Adjust based on how many phones you want to connect.
    Compression: No LZO Compression [Legacy style, comp-lzo no]
    Dynamic IP: Checked
    Ping settings: 0 (will disable that feature)
    Gateway creation: IPv4

    Adjust "DNS Default Domain", "DNS Server enable" & "NTP Server enable" according to your needs. None of that is necessary, but can be quite helpful.
    If using pfsense as DNS/NTP, add the first IP of the subnet you've configured in "IPv4 Tunnel Network" here. This is assigned to your pfSense appliance.
    Also don't forget to adjust the ACLs in the DNS Resolver-Tab.

    6. Create an OpenVPN Client
    You'll have to create an OpenVPN client for every device you're looking forward to connect.

    Server mode: Peer to Peer ( SSL/TLS )
    Protocol: UDP on IPv4 only
    Device mode: tun
    Interface: any
    Local port: Leave empty
    Server host or address: WAN-IP/Hostname of your appliance (has to be the same as configured in the OpenVPN Server certificate)
    Server port: Has to match "Local Port" from the server configuration
    Proxy Authentication: None
    Username: Leave empty
    Password: Leave empty
    TLS Configuration: Check "Use a TLS Key"
    TLS Key Usage Mode: TLS Authentication
    Peer Certificate Authority: The CA you've created in the first step
    Client Certificate: The Certificate you've created in the third step
    Encryption Algorithm: AES-256-GCM (you'll eventually have to adjust this based on which phones you're using. If you have questions regarding that, I'll happily provide you with a list of supported encryption algorithms for the phones you're using).
    Enable NCP: Uncheck
    Auth digest algorithm: SHA256
    Compression: No LZO Compression [Legacy style, comp-lzo no]
    Topology: Subnet
    Ping settings: 0 (will disable that feature)
    Gateway creation: IPv4

    7. Firewall rules
    A NAT-rule for UDP4 should've been automatically created to let traffic in through the port you've configured in step 5 as "Local port".
    However, you'll still have to create the local rules yourself, so that your phones can speak to the pbx. For that, go to the OpenVPN-Tab in your firewall rules.
    Now create a rule allowing traffic from the IPv4 Tunnel Network (configured in step 5) to your local PBX.
    Similarly, create a rule in the subnet your pbx resides in, which will allow your pbx to access the Tunnel network.

    8. Export the configuration
    Go to the "Client Export"-Tab of OpenVPN and select the VPN-Server you've just created in the dropdown menu.
    Now select the correct Host Name Resolution-Method (usually "Interface IP Address" is fine, this will use the WAN-IP; however, you can optionally switch to hostname resolution or other methods). Under "Verify Server CN", choose automatic.

    If you've chosen to configure DNS in the 5th step, you can optionally tick the "Block Outside DNS"-Checkbox. You should check "Legacy Client" & "Use Random Local Port" as well. Everything else after that should be unchecked/empty.

    Now scroll down to "OpenVPN Clients", you should see your client from the 6th step there. Choose the export option for snom phones, upload it to a http server and configure the URL in your phone. It'll then fetch the packet, install the configuration files and should connect without any issues.

    That's it!

    If you have any further questions, feel free to ask!

    To get a better understanding of everything, here you can find screenshots of my production config: https://imgur.com/a/UGBLOk5
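    Almost every setting in steps 5 and 6 above has to agree on both ends, and a single mismatch (cipher, digest, compression, port, TLS key direction) produces exactly the "TLS key negotiation failed" symptom from the first post. The following checker is an added example and not part of this thread or of pfSense; it parses a server-side config and the exported client config into OpenVPN directives and reports the pairs that disagree. The two configs are constructed samples (the port, tunnel network and hostname are placeholders, not values from the thread).

```python
# Constructed sample server config mirroring step 5 above
# (port and tunnel network are assumptions, not from the thread).
SERVER_CONF = """\
dev tun
proto udp4
port 1194
server 10.0.9.0 255.255.255.0
topology subnet
cipher AES-256-GCM
ncp-disable
auth SHA256
tls-auth /var/etc/openvpn/server1.tls-auth 0
comp-lzo no
verify-client-cert require
"""

# Constructed phone-side config in the shape the Client Export package emits
# (hostname is a placeholder). The cipher deliberately disagrees with the
# server so the checker has something to report.
CLIENT_OVPN = """\
client
dev tun
proto udp4
remote vpn.example.invalid 1194 udp4
cipher AES-256-CBC
auth SHA256
tls-auth phone.tls-auth 1
comp-lzo no
remote-cert-tls server
"""

def parse(text):
    """Return {directive: [args]} for the first occurrence of each directive."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line and line.split()[0] not in conf:
            head, *args = line.split()
            conf[head] = args
    return conf

def find_mismatches(server_text, client_text):
    """List every server/client disagreement that would break the handshake."""
    s, c = parse(server_text), parse(client_text)
    issues = []
    for key in ("proto", "cipher", "auth", "comp-lzo", "dev"):
        if s.get(key) != c.get(key):
            issues.append(f"{key}: server={s.get(key)} client={c.get(key)}")
    port = s.get("port", ["1194"])[0]          # OpenVPN's default port
    remote = c.get("remote", [])               # remote <host> <port> [proto]
    if len(remote) < 2 or remote[1] != port:
        issues.append(f"port: server listens on {port}, client remote is {remote}")
    # "Use default direction" means the server key-direction is 0, client 1.
    sdir, cdir = s.get("tls-auth", [""])[-1], c.get("tls-auth", [""])[-1]
    if {sdir, cdir} != {"0", "1"}:
        issues.append(f"tls-auth key direction: server={sdir} client={cdir}")
    return issues
```

    Running `find_mismatches(SERVER_CONF, CLIENT_OVPN)` on the samples flags only the cipher; once the client is changed to AES-256-GCM the list is empty.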



  • @arndtw said in Connect Snom Phone with openVPN:

    Openvpn Log shows TLS Error: TLS key negotiation failed to occur within 60 seconds

    Mostly when you get this, the client basically can't reach the server on the given port and protocol.

    So ensure that the client's packets are arriving on the server's public-side interface.
    You can use Diagnostics > Packet Capture for investigation.

