...
A VPN (or Virtual Private Network) allows two devices on the Internet to communicate over an encrypted connection. Since the data that goes between the devices cannot be read by a third party, it is as if they were on a private network, hence VPN.
...
Note: if you make a mistake and have to recreate and re-load the tar file then you must first disable the VPN setting, upload the new key and then re-enable the VPN. The new key will not upload if you fail to do this!
Firewall Implications
For the VPN to work, the phone must be able to make a connection to the remote PBX via OpenVPN.
...
Your PBX must be able to accept connections on UDP Port 1194 as well - these can be restricted to Phone IP addresses if you know where your phones will connect from, but in general the PBX should accept OpenVPN connections from anywhere.
Diagnosing issues
Yealink handsets allow you to download a log file, which can be quite useful in diagnosing issues. Search for the keyword 'openvpn' in the logs.
Troubleshooting
Hangs during boot on 'Unable to obtain IP Address'.
If the 'remote' server in your vpn.cnf file contains a FQDN then the phone will need to resolve the FQDN to an IP address before it can start the VPN service.
If it is unable to resolve the FQDN the phone will hang with the above error message.
Resolution:
Change the 'remote' in the vpn.cnf file to be the IP address of the remote.
To stop the phone hanging, log in to the handset's 'Advanced' settings (not via the web interface, as that won't be working).
Select Network and then scroll down to 'VPN'. Disable the VPN and reboot the phone.
You will now be able to upload the new tar file with the 'remote' set to the vpn server's IP address rather than the FQDN.
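A pre-flight check for vpn.cnf before it goes into the tar file, as an added example that is not part of the original page: it flags any 'remote' that is a hostname rather than an IP address (the cause of the boot hang above) and any 'remote' that does not match the UDP 1194 rule from the firewall section. The function names and the sample config are assumptions made for illustration.

```python
import ipaddress

# Constructed sample client config (not taken from the page).
SAMPLE_VPN_CNF = """\
client
dev tun
proto udp
remote pbx.example.com 1194
nobind
"""


def is_ip_literal(host):
    """True if host is an IPv4/IPv6 literal, so no DNS lookup is needed."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def lint_vpn_cnf(text, expected_port="1194", expected_proto="udp"):
    """Return (line_no, message) warnings for the 'remote' lines of a config."""
    port, proto = "1194", "udp"  # OpenVPN defaults when nothing is specified
    remotes, warnings = [], []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) < 2:
            continue
        if fields[0] == "port":
            port = fields[1]
        elif fields[0] == "proto":
            proto = fields[1]
        elif fields[0] == "remote":
            remotes.append((line_no, fields[1:]))
    if not remotes:
        warnings.append((0, "no 'remote' directive found"))
    for line_no, args in remotes:
        host = args[0]
        r_port = args[1] if len(args) > 1 else port
        r_proto = args[2] if len(args) > 2 else proto
        if not is_ip_literal(host):
            warnings.append((line_no, f"remote '{host}' is a hostname; the phone "
                                      "must resolve it before the VPN can start"))
        if r_port != expected_port or not r_proto.startswith(expected_proto):
            warnings.append((line_no, f"remote uses {r_proto}/{r_port}, but the "
                                      f"PBX firewall rule is {expected_proto}/{expected_port}"))
    return warnings


if __name__ == "__main__":
    for line_no, message in lint_vpn_cnf(SAMPLE_VPN_CNF):
        print(f"vpn.cnf:{line_no}: {message}")
```

An empty result means every 'remote' is an IP literal on the expected port and protocol.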