
    Yealink phones

      jaredadams

      We're looking at PBXs and may be going the 3CX route.  They list the following two Yealink phones as supported: T42G and T46G.

      The OpenVPN client export utility mentions being able to export configs for T28, T38G (1), and T38G (2).

      Anyone know if the exported OpenVPN configs can be used with the T42Gs and T46Gs?

        gusdvg

        I've used T38G (2) for T46 and it works fine. The only thing that changes between the different VPN configurations is the path where the configs are saved on the phones. I'm not sure if the others could work on the T4x because the first one I tried was the T38G (2) and it worked  ;D

          C.Peleska

          Hi,
          The OpenVPN server configuration for T-38G phones drives me nuts!
          I can't get the tunnel to work and I can't find any usable documentation... the one from Yealink is outdated and the others mentioned in other threads are inaccessible!

          Would you please be so nice and tell me your options for the VPN server and client - I'd really, really appreciate that  :D

            gusdvg

            Yeah, Yealink phones don't have any form of status or logs to see what's going on with the VPN…

            Here are the relevant Server settings I'm using:

            • Server Mode: Remote Access (SSL/TLS)

            • Protocol: UDP

            • Device Mode: tun

            • Port: 1194

            • TLS Authentication: Enable (using 2048bit static key)

            • CA and server certificate used are generated at the Certificates menu

            • DH: 1024

            • Encryption: AES-128-CBC

            • Other settings: Using compression LZO, ToS IP header, Allow communication between clients

            • Client Settings: Provide a virtual adapter IP address to clients (checked). I also provide DNS domain, NetBIOS over TCP and WINS server

            • Advanced configuration: I push several routes from my network, but you might not need that

            Then using Client Export, like I mentioned, I use the T38G (2) file, upload it to the phone, and reboot.

            I guess it might help if you look at the openvpn logs while testing, to see what might be going on.

              sscardefield

              pfSense 2.1
              OpenVPN Client Export Utility 1.1.3

              I am in the process of updating my Yealink OpenVPN document and have hit a snag. In my original document I was creating a user account with an associated certificate for each phone. The user account is really unnecessary as there is no User Auth with the Yealink OpenVPN client, so I would like to only generate the certificate. This is fine if you are manually creating the Yealink config tarball. However, when I go to export the config via the OpenVPN Client Export Utility there are no users to select from. I only get an option there if I create a user account.

              So for those of you using the Client Export Utility, are you creating a user account for each phone? If you are only generating the certificate and not a user account, how are you exporting it using the Client Export Utility?

                gusdvg

                It looks like you don't have any user certificates, so the client export has nothing to export.

                  sscardefield

                  The user cert is there and as you can see issued by the correct CA:

                    gusdvg

                    Hmm, is the CA for your phone accounts defined in CAs and the OpenVPN Server? I do have one certificate for each phone and it works fine.

                      sscardefield

                      Ok, I completely removed everything and started from scratch and the certs are now showing up in the Client Export Utility. Here is my updated doc for anyone who is interested.

                      http://www.sunstatetechnology.com/docs/YealinkOpenVPNGuide.pdf

                        C.Peleska

                        Hi guys,
                        I have the same problem with a Yealink-T38G, firmware 38.70.150.2.
                        I created the pfSense side according to the Yealink documentation, with the wizard, and with sscardefield's really, really great documentation - but nothing works.
                        I have even reinstalled pfSense from scratch...

                        I have found three things which don't work if you use the Export Utility:
                        1. You have to unpack and repack the generated client.tar with 7zip on Windows - if you don't, your phone won't import the file.
                        2. If you leave the line "verify-x509-name PhoneServer name" in the generated vpn.cnf, the phone can't import the file either.
                        3. There seems to be a problem with the generated certificates. (If you set Phone > Configuration > Log Level to 6 you get a usable logfile which you can export.)
                        It shows the following error:
                        Nov  7 21:20:48 openvpn[289]: IMPORTANT: OpenVPN's default port number is now 1194, based on an official port number assignment by IANA.  OpenVPN 2.0-beta16 and earlier used 5000 as the default port.
                        Nov  7 21:20:48 openvpn[289]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
                        Nov  7 21:20:48 openvpn[289]: Re-using SSL/TLS context
                        Nov  7 21:20:48 openvpn[289]: LZO compression initialized
                        Nov  7 21:20:48 openvpn[289]: UDPv4 link local (bound): [undef]:1194
                        Nov  7 21:20:48 openvpn[289]: UDPv4 link remote: 213.221.100.187:1194
                        Nov  7 21:20:48 openvpn[289]: VERIFY ERROR: depth=1, error=certificate signature failure: /C=DE/ST=Hessen/L=Floersheim/O=Lorenzgroup/emailAddress=support@lorenzgroup.com/CN=PhoneCA
                        Nov  7 21:20:48 openvpn[289]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
                        Nov  7 21:20:48 openvpn[289]: TLS Error: TLS object -> incoming plaintext read error
                        Nov  7 21:20:48 openvpn[289]: TLS Error: TLS handshake failed

                        iOS, Android and PC clients connect without problems. I am now really out of ideas - anybody else, please?!

                          gusdvg

                          Maybe the CA certificate is not correct or missing? I didn't need to re-zip anything, and it pretty much worked the first time… Also, I am not seeing the verify-x509-name line in my vpn.cnf file the Client Export Utility is creating for me. This is what my vpn.cnf looks like:

                          dev tun
                          persist-tun
                          persist-key
                          cipher AES-128-CBC
                          tls-client
                          client
                          resolv-retry infinite
                          remote [my server name] 1194 udp
                          tls-remote openvpn-pfsense
                          ca /config/openvpn/keys/ca.crt
                          cert /config/openvpn/keys/client1.crt
                          key /config/openvpn/keys/client1.key
                          tls-auth /config/openvpn/keys/ta.key 1
                          comp-lzo
                          passtos
                          
                          
                            C.Peleska

                            Hi Gus,
                            Thanks for the info! Maybe you could be so nice and give me some more information?!
                            Which versions are you using?
                            Mine are the following!

                            pfSense:
                            2.1-RELEASE (i386)
                            built on Wed Sep 11 18:16:22 EDT 2013
                            FreeBSD 8.3-RELEASE-p11

                            Export Package:
                            1.1.3.

                            And did you create the certs and the server via the wizard or manually?!

                            I really appreciate your help, so thanks in advance!

                              jimp Rebel Alliance Developer Netgate

                              On pfSense 2.1 we increased the security of the certificates to use SHA256 as the default Digest Algorithm. From what I've heard, those Yealink phones may only support SHA1.

                              There was a small bug in 2.1 that prevented the GUI drop-down for Digest Algorithm from being respected so it always used SHA256. You can use the System Patches package to apply commit fd750cd064a46f364a7e06c9fe27d46ce11cd09a which will fix the selection of the Digest in the GUI.

                              If you apply that fix and then generate a new CA/certificate using SHA1, it should work.

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                                gusdvg

                                Just to confirm, my certificates are signed SHA1 so this might be your solution for Yealink phones.

                                  C.Peleska

                                  Thanks to both of you! You are a great help!
                                  According to your suggestions I reinstalled pfSense from scratch (again), installed the patch http://github.com/pfsense/pfsense/commit/fd750cd064a46f364a7e06c9fe27d46ce11cd09a.patch and created a new CA, certs, OpenVPN server etc., then the Export Utility. (Because I like clean installs to start...)

                                  The Export Utility won't show me the created user certificate if I choose "SHA1" in CA, server cert and user cert, and I don't know why?!
                                  (Choosing SHA256 does work - but not with the phones.)

                                  I saw in the GitHub changelog that they changed it to "tls-remote is deprecated, use verify-x509-name, which also works on the iOS client so no need to exclude it from getting the line either." - but that doesn't work with the Yealink phones. Maybe it is possible that they change this for the Yealink export??

                                  But even if I export the certificates manually and create the vpn.cnf by hand, the phones don't accept the certificates - I am not sure if the patch mentioned above really covers all options to choose "SHA1".

                                  It would be really, really great if you guys from pfSense could fix this - I think pfSense is a really, really great choice for the many, many people who use SIP communication systems and need/want secure communication...

                                  I can't find an older version of pfSense or the Export Utility - I think anybody who upgraded from 2.0.3 with already created certs and export does not have these problems?!

                                    gusdvg

                                    Well, it looks like you are making a hobby of reinstalling pfSense from scratch  :D,  so with the current situation, how about installing from scratch on version 2.0, testing out your Yealink phones, then upgrading to the latest 2.1? If you still want to continue testing regarding SHA2, you can create new CA certificates on 2.1 until it's resolved, but at least you now have a working setup for Yealinks in the meantime.

                                    I've been upgrading since version 1 so at least it's working for me. I can understand your position on clean installs, but I don't think pfSense carries much trash from version to version, so I wouldn't worry about it too much.

                                      sscardefield

                                      I played with this a bit today and here are my findings.

                                      pfSense 2.1
                                      Export Utility 1.1.3

                                      Before testing I applied the patch jimp mentioned via the Patches utility. From what I can tell it took:

                                      Afterwards, I recreated my server cert and user cert telling it to use SHA1 for both, then applied the new cert to my OpenVPN instance and exported the new config files via the Export Utility. Here is how it played out:

                                      T38

                                      38.70.0.105 - The phone won't accept the Export Utility config file T38 (1) or (2)
                                      38.70.0.180 - The phone won't accept the Export Utility config file T38 (1) or (2)

                                      T26

                                      6.71.0.140 - The phone accepts the Export Utility config file but makes no attempt to establish VPN connection during bootup (verified via packet capture)
                                      6.71.0.149 - The phone accepts the Export Utility config file but makes no attempt to establish VPN connection during bootup (verified via packet capture)

                                      If I get some time tomorrow I will manually create the config files and see if they take.

                                        C.Peleska

                                        Hi guys,
                                        Yes, I am a true reinstall enthusiast... well, more a "revert to snapshot" enthusiast  ;)

                                        I get the same results as Seth. If I use pfSense 2.0.3 everything works well - except the Export Utility, which they updated to 2.1 I think.
                                        But you can create all certs and the server without problems. You have to export the certs and make your own vpn.cnf - and if you use the latest version of 7zip - you can get all of that together in a client.tar which Yealink phones accept! Works like a charm!

                                        Soooo, if the guys from the pfSense team examine this problem with version 2.1 - I believe it's something other than a plain GUI issue -
                                        and change the Export Utility back to a version that works for Yealink phones, I would be more than happy... and not just me, I guess  ;D

                                        Does anyone know if there is an option to get an older version of the Export Utility - or how to contact the developers and inform them about this issue?!

                                          C.Peleska

                                          Hi again,
                                          I have an update for the export issue:
                                          You have to install it AFTER you create your CA etc. I removed and reinstalled the Export Utility package and voila: it shows the certs and generates the client.tar.
                                          But the contents of the file are still incompatible with the Yealink phones:

                                          The Export Utility generates this file:
                                          dev tun
                                          persist-tun
                                          persist-key
                                          cipher BF-CBC
                                          auth SHA1
                                          tls-client
                                          client
                                          resolv-retry infinite
                                          remote xxx.xxx.xxx.xxx 1194 udp
                                          verify-x509-name LGPhoneServerCert name
                                          ca /phone/config/openvpn/keys/ca.crt
                                          cert /phone/config/openvpn/keys/client1.crt
                                          key /phone/config/openvpn/keys/client1.key
                                          comp-lzo

                                          The working one is:
                                          client
                                          dev tun
                                          persist-tun
                                          persist-key
                                          proto udp
                                          nobind
                                          remote xxx.xxx.xxx.xxx 1194
                                          resolv-retry infinite
                                          ns-cert-type server
                                          comp-lzo
                                          ca /phone/config/openvpn/keys/ca.crt
                                          cert /phone/config/openvpn/keys/client1.crt
                                          key /phone/config/openvpn/keys/client1.key

                                          So, if they revert their update from "verify-x509-name LGPhoneServerCert name" back to "ns-cert-type server", it seems that everything will work with 2.0.3...

                                            jimp Rebel Alliance Developer Netgate

                                            Reinstalling pfSense or the package in another order before/after creating certificates wouldn't matter. The export package reads the certificates directly from the config, and doesn't change them. Reinstalling may have pulled in a newer version of the export package than you had before, but otherwise wouldn't have changed anything substantial.

                                            I updated the export package to skip the verify-x509-name line if the export is happening for a Yealink or snom phone, or if the config is auth only.  I found last week that an auth-only setup would not even attempt to connect if that line was in the config, even on the latest client. And the Yealink/snom OpenVPN clients are so old/crippled they don't support it.

                                            Version 1.1.4 should show up in a few minutes.

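A pre-flight check for the two blockers this thread identifies (a `verify-x509-name` line in vpn.cnf, and certificates not signed with SHA1), as an added example that is not part of the original posts or of pfSense. The bundle layout, the function names and the skeleton certificate built by `build_sample` are constructed assumptions; the check reads only the outer signature algorithm of each `.crt` file.

```python
import base64
import io
import tarfile

SHA1_OID = bytes.fromhex("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_OID = bytes.fromhex("2a864886f70d01010b")  # sha256WithRSAEncryption
SIG_OIDS = {SHA1_OID: "sha1WithRSAEncryption", SHA256_OID: "sha256WithRSAEncryption"}
UNSUPPORTED = {"verify-x509-name"}  # directive the phones reject, per the thread

def _tlv(buf, pos):
    """Read one DER element; return (tag, content_start, content_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def signature_algorithm(pem_text):
    """Name the outer signatureAlgorithm of a PEM certificate."""
    b64 = "".join(l.strip() for l in pem_text.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64)
    _, start, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = _tlv(der, start)      # step over tbsCertificate
    _, alg_start, _ = _tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = der[oid_start:oid_end]
    return SIG_OIDS.get(oid, "unknown OID " + oid.hex())

def check_bundle(tar_bytes):
    """Return findings for an exported client.tar held in memory."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes)) as tar:
        for m in (m for m in tar.getmembers() if m.isfile()):
            text = tar.extractfile(m).read().decode("utf-8", "replace")
            if m.name.endswith(".cnf"):
                hits = [l.split()[0] for l in text.splitlines() if l.split()]
                findings += [f"{m.name}: {d} present" for d in hits if d in UNSUPPORTED]
            elif m.name.endswith(".crt"):
                alg = signature_algorithm(text)
                if alg != SIG_OIDS[SHA1_OID]:
                    findings.append(f"{m.name}: signed with {alg}")
    return findings

def build_sample(cnf_text, oid):
    """Constructed bundle: a vpn.cnf plus a skeleton (not real) certificate."""
    alg = bytes([0x30, len(oid) + 4, 0x06, len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + alg + b"\x03\x01\x00"
    b64 = base64.b64encode(bytes([0x30, len(body)]) + body).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w") as tar:
        for name, text in (("vpn.cnf", cnf_text), ("keys/ca.crt", pem)):
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return out.getvalue()

if __name__ == "__main__":
    cnf = "client\ndev tun\nverify-x509-name ExampleServerCert name\n"
    print("\n".join(check_bundle(build_sample(cnf, SHA256_OID))))
```

An empty result means neither blocker was found; it does not prove the phone will connect.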
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.