OpenVPN HowTo for Yealink IP phones
-
I spent the better part of today creating a guide that walks you through setting up an OpenVPN server as well as configuring the Yealink IP phones to connect to the OpenVPN server. I am too lazy right now to copy, paste, and format the guide into a thread, but it is available as a PDF on our website. If somebody else would like to turn it into a thread or if there is somewhere better to put it, just let me know. I'll be happy to share the original Word doc with you.
http://www.sunstatetechnology.com/docs/YealinkOpenVPNGuide.pdf
-
The OpenVPN client export package can export Yealink (and snom) format configs automatically now.
Also most of the first steps can be avoided by simply using the wizard and at the end, change it from SSL/TLS+User Auth to just SSL/TLS.
You don't need to create users, you can just create certificates for the phones under the cert manager (Cert tab, click +, "Create internal…" and select the right CA, then just fill in the cn and descr.)
-
The OpenVPN client export package can export Yealink (and snom) format configs automatically now.
I just noticed that there is a new version of the exporter (.25), I was on .20. I see that in .25 there is now 2.3 beta on the windows installer and an option for Viscosity, but don't see anything for Yealink or Snom. Where do you do that at?
Also most of the first steps can be avoided by simply using the wizard and at the end, change it from SSL/TLS+User Auth to just SSL/TLS.
I know, I actually had it using the wizard at first. But there was another setting or two along with the Mode that you had to go in and change (forget what it is now), as well as wanting to go in and restrict the auto generated firewall rule further led me to just do it manually.
You don't need to create users, you can just create certificates for the phones under the cert manager (Cert tab, click +, "Create internal…" and select the right CA, then just fill in the cn and descr.)
Didn't even think of that, thanks.
-
The Yealink/Snom options only show up for a tunnel that's SSL/TLS - if it's user auth at all, they won't appear.
-
Ahhh, there we go. Thanks. What is the difference between the two T38 options? The only difference I can see is the path to the keys. In one it's /phone/config/openvpn/keys/ and the other it's /config/openvpn/keys/. When would you use the /phone/.. path?
Also, I see it uses the interface IP address in the config. If you have dynamic DNS enabled on the interface you're running OpenVPN on, is there any way to get it to use that instead?
-
Different firmware revisions require different paths. I've encountered (via several customers) different subtle variations.
The details are here:
https://github.com/bsdperimeter/pfsense-packages/blob/master/config/openvpn-client-export/openvpn-client-export.inc#L236
-
Gotcha. Thanks for all the info.
-
Sorry for the holy thread resurrection Batman, but I've followed your guide to the letter Seth, and my T32G Yealink now gets a VPN session with pfSense but:
1. The VPN appears to go down maybe once a minute - it'll reconnect after about 5 seconds but it's a bit disconcerting that it's happening like that - is this your experience too of VPN on Yealink? And is that something I can do something about??
2. Despite the V appearing in the top right of the Yealink, I don't appear to be able to register my line across the VPN.
Originally the VPN config tarfile didn't work - so I spoke to Yealink support and they said that 7-ZIP would do the Tarfile and pointed me to an example replacement vpn.cnf file which looks like this:
client
setenv SERVER_POLL_TIMEOUT 4
nobind
remote 10.2.4.148 1194 udp
remote 10.2.4.148 443 tcp
dev tun
dev-type tun
ns-cert-type server
ca /phone/config/openvpn/keys/ca.crt
cert /phone/config/openvpn/keys/client.crt
key /phone/config/openvpn/keys/client.key
comp-lzo no
verb 3
# Silence repeating messages
;mute 20
Putting this in place of the one I had made all the difference in the world and I was able to connect up the VPN but it left me with the problems outlined in 1 and 2 above.
(It does appear that the Linux tar creation requirement isn't still a requirement now though).
Any help anyone can give would be appreciated.
Cheers,
Mike.
-
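A pre-flight check for the vpn.cnf discussed in this thread, added here as an example (it is not part of any post or of the pfSense export package): it flags ca/cert/key lines that mix the two firmware-specific key directories mentioned above, malformed verb/mute values, and a missing server-certificate check. The function name, the sample configs and the 192.0.2.10 address are constructed for illustration.

```python
# Added example: lint a Yealink vpn.cnf before packing it into the phone's tar file.
KNOWN_KEY_DIRS = ("/phone/config/openvpn/keys/", "/config/openvpn/keys/")  # both from the thread
INT_DIRECTIVES = {"verb", "mute"}                    # directives that take exactly one integer
SERVER_CHECKS = {"ns-cert-type", "remote-cert-tls"}  # either one, with argument "server"

def lint_vpn_cnf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, key_dirs, checks_server = [], set(), False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":              # blank line or OpenVPN comment
            continue
        name, *args = line.split()
        if name in ("ca", "cert", "key") and args:
            key_dir = args[0].rsplit("/", 1)[0] + "/"
            key_dirs.add(key_dir)
            if key_dir not in KNOWN_KEY_DIRS:
                findings.append(f"line {n}: {name} is outside the key directories named in the thread")
        elif name in INT_DIRECTIVES and not (len(args) == 1 and args[0].isdigit()):
            findings.append(f"line {n}: {name} expects one integer, got {' '.join(args)!r}")
        elif name in SERVER_CHECKS and args == ["server"]:
            checks_server = True
    if len(key_dirs) > 1:                            # firmware reads all keys from one directory
        findings.append("ca/cert/key use different directories: " + ", ".join(sorted(key_dirs)))
    if not checks_server:
        findings.append("no ns-cert-type/remote-cert-tls server: peer certificate type is not checked")
    return findings

# Constructed sample: consistent paths, server certificate type checked.
GOOD = """client
remote 192.0.2.10 1194 udp
dev tun
ns-cert-type server
ca /phone/config/openvpn/keys/ca.crt
cert /phone/config/openvpn/keys/client.crt
key /phone/config/openvpn/keys/client.key
verb 3
;mute 20"""

# Constructed sample: mixed key directories, fused verb line, no server check.
BAD = """client
remote 192.0.2.10 1194 udp
dev tun
ca /phone/config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key
verb 3 extra"""

if __name__ == "__main__":
    for label, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_vpn_cnf(cfg) or "no findings")
```

-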
The OpenVPN client export package can export Yealink (and snom) format configs automatically now.
Also most of the first steps can be avoided by simply using the wizard and at the end, change it from SSL/TLS+User Auth to just SSL/TLS.
You don't need to create users, you can just create certificates for the phones under the cert manager (Cert tab, click +, "Create internal…" and select the right CA, then just fill in the cn and descr.)
Is there a manual for your solution or do I have to stick to the one posted by sscardefield?
I'm kind of new to the whole vpn stuff and have 6 Yealink phones sitting on my desk waiting to get used via OpenVPN.