OpenVPN HowTo for Yealink IP phones



  • I spent the better part of today creating a guide that walks you through setting up an OpenVPN server as well as configuring the Yealink IP phones to connect to the OpenVPN server. I am too lazy right now to copy, paste, and format the guide into a thread, but it is available as a PDF on our website. If somebody else would like to turn it into a thread or if there is somewhere better to put it, just let me know. I'll be happy to share the original Word doc with you.

    http://www.sunstatetechnology.com/docs/YealinkOpenVPNGuide.pdf


  • Rebel Alliance Developer Netgate

    The OpenVPN client export package can export Yealink (and snom) format configs automatically now.

    Also most of the first steps can be avoided by simply using the wizard and at the end, change it from SSL/TLS+User Auth to just SSL/TLS.
    You don't need to create users, you can just create certificates for the phones under the cert manager (Cert tab, click +, "Create internal…" and select the right CA, then just fill in the cn and descr.)



  • @jimp:

    > The OpenVPN client export package can export Yealink (and snom) format configs automatically now.

    I just noticed that there is a new version of the exporter (.25); I was on .20. I see that in .25 there is now 2.3 beta on the Windows installer and an option for Viscosity, but don't see anything for Yealink or Snom. Where do you do that at?

    > Also most of the first steps can be avoided by simply using the wizard and at the end, change it from SSL/TLS+User Auth to just SSL/TLS.

    I know, I actually had it using the wizard at first. But there was another setting or two along with the Mode that you had to go in and change (forget what it is now), and that, as well as wanting to go in and restrict the auto-generated firewall rule further, led me to just do it manually.

    > You don't need to create users, you can just create certificates for the phones under the cert manager (Cert tab, click +, "Create internal…" and select the right CA, then just fill in the cn and descr.)

    Didn't even think of that, thanks.


  • Rebel Alliance Developer Netgate

    The Yealink/Snom options only show up for a tunnel that's SSL/TLS - if it's user auth at all, they won't appear.



  • Ahhh, there we go. Thanks. What is the difference between the two T38 options? The only difference I can see is the path to the keys. In one it's /phone/config/openvpn/keys/ and the other it's /config/openvpn/keys/. When would you use the /phone/.. path?

    Also, I see it uses the interface IP address in the config. If you have dynamic DNS enabled on the interface you're running OpenVPN on, is there any way to get it to use that instead?


  • Rebel Alliance Developer Netgate

    Different firmware revisions require different paths. I've encountered (via several customers) different subtle variations.

    The details are here:
    https://github.com/bsdperimeter/pfsense-packages/blob/master/config/openvpn-client-export/openvpn-client-export.inc#L236



  • Gotcha. Thanks for all the info.



  • Sorry for the holy thread resurrection Batman, but I've followed your guide to the letter Seth, and my T32G Yealink now gets a VPN session with pfSense but:

    1. the VPN appears to go down maybe once a minute - it'll reconnect after about 5 seconds but it's a bit disconcerting that it's happening like that - is this your experience too of VPN on Yealink? and is that something I can do something about??

    2. despite the V appearing in the top right of the Yealink, I don't appear to be able to register my line across the VPN.

    3. Originally the VPN config tarfile didn't work - so I spoke to Yealink support and they said that 7-ZIP would do the Tarfile and pointed me to an example replacement vpn.cnf file which looks like this:

    client
    setenv SERVER_POLL_TIMEOUT 4
    nobind
    remote 10.2.4.148 1194 udp
    remote 10.2.4.148 443 tcp
    dev tun
    dev-type tun
    ns-cert-type server
    ca /phone/config/openvpn/keys/ca.crt
    cert /phone/config/openvpn/keys/client.crt
    key /phone/config/openvpn/keys/client.key
    comp-lzo no
    verb 3
    # Silence repeating messages
    ;mute 20

    Putting this in place of the one I had made all the difference in the world and I was able to connect up the VPN but it left me with the problems outlined in 1 and 2 above.

    (It does appear that the Linux tar creation requirement isn't still a requirement now though).

    Any help anyone can give would be appreciated.

    Cheers,
    Mike.
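
An added example, not part of the post above and not Yealink's or pfSense's code: a small Python check for a vpn.cnf of the kind quoted in this thread. It verifies that ca, cert and key all point into the same one of the two key directories mentioned earlier in the thread and that the server-certificate check is present; the function names and the MIXED sample are constructed for illustration.

```python
import posixpath

# Key directories named in this thread; which one applies depends on firmware.
KNOWN_KEY_DIRS = {"/phone/config/openvpn/keys", "/config/openvpn/keys"}

def parse_directives(text):
    """Return [(name, [args])]; skips blank lines and '#' / ';' comment lines."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        if parts and parts[0][0] not in "#;":
            rows.append((parts[0], parts[1:]))
    return rows

def lint_vpn_cnf(text):
    """Return a list of findings for a Yealink-style vpn.cnf ([] means clean)."""
    rows = parse_directives(text)
    findings, dirs = [], set()
    for name in ("ca", "cert", "key"):
        paths = [args[0] for n, args in rows if n == name and args]
        if paths:
            dirs.add(posixpath.dirname(paths[0]))
        else:
            findings.append(f"missing '{name}' directive")
    if len(dirs) > 1:
        findings.append("ca/cert/key use different directories: " + ", ".join(sorted(dirs)))
    for d in sorted(dirs - KNOWN_KEY_DIRS):
        findings.append(f"key directory {d} is not a path named in this thread")
    # Without this the phone accepts any CA-signed certificate as the server.
    if not any(n in ("ns-cert-type", "remote-cert-tls") and args == ["server"]
               for n, args in rows):
        findings.append("no server certificate check")
    return findings

# Subset of the directives from the vpn.cnf quoted in the post above.
POSTED = """client
remote 10.2.4.148 1194 udp
remote 10.2.4.148 443 tcp
ns-cert-type server
ca /phone/config/openvpn/keys/ca.crt
cert /phone/config/openvpn/keys/client.crt
key /phone/config/openvpn/keys/client.key
;mute 20
"""
# Constructed sample: mixed key paths and the server check removed.
MIXED = POSTED.replace("cert /phone/", "cert /").replace("ns-cert-type server\n", "")

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("mixed", MIXED)):
        print(label, lint_vpn_cnf(cfg) or "OK")
```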



  • @jimp:

    > The OpenVPN client export package can export Yealink (and snom) format configs automatically now.
    >
    > Also most of the first steps can be avoided by simply using the wizard and at the end, change it from SSL/TLS+User Auth to just SSL/TLS.
    > You don't need to create users, you can just create certificates for the phones under the cert manager (Cert tab, click +, "Create internal…" and select the right CA, then just fill in the cn and descr.)

    Is there a manual for your solution or do I have to stick to the one posted by sscardefield?

    I'm kind of new to the whole VPN stuff and have 6 Yealink phones sitting on my desk waiting to get used via OpenVPN.

