Provisioning when using OpenVPN

Provisioning a Yealink when using OpenVPN adds a degree of complexity.

First, you need to understand the order in which the phone boots.

1. If OpenVPN is enabled then a VPN session is created.

2. If provisioning is enabled the handset goes through its provisioning sequence.

This order is important from a security and configuration perspective.

As provisioning effectively hands out SIP access (including the username and password of the SIP account), you can't afford to leave a provisioning service exposed to the internet. However, the fact that you are using OpenVPN suggests that the handset will be located remotely and that you will want to provision it remotely.

The following is our suggested deployment path.

1. Configure the OpenVPN server and note the IP address of the tun interface.

2. Configure your provisioning server to listen on the tun IP address.

3. Manually set the time or NTP service on the phone, or use an internal 'temporary' provisioning service to provide initial provisioning details to the handset, including the NTP server.

4. Allocate VPN keys using the phone's MAC address as the key name.
The reason we suggest this is that until the handset is provisioned you won't know its extension number (unless your provisioning system makes you go through the time-consuming process of pre-allocating extension numbers to MAC addresses). If you use a random key name, then when it comes time to diagnose VPN issues it will be difficult to see from the OpenVPN console whether the phone is connected, because you won't know which key it is using.

5. Upload the key to the phone.

6. Configure any internal URLs or server IP addresses in the Yealink configuration files so that they all use the tun IP address.

7. Reboot the phone and it should connect to the OpenVPN server and then provision itself.
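
A check for steps 2 and 4 of the deployment path, as an added example that is not part of the original page: it flags any listener on the provisioning port that is not bound to the tun IP, and lists MAC-named clients from an OpenVPN status file. The sample data, port 80, the address 10.8.0.1 and the bare-hex MAC key-name format are assumptions.

```python
import re

# Constructed sample of `ss -Hltn` output; port 80 stands in for the provisioning port.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 10.8.0.1:443 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
"""

# Constructed, trimmed sample of an OpenVPN status file (status-version 1 layout).
SAMPLE_STATUS = """\
OpenVPN CLIENT LIST
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
001565aabbcc,203.0.113.10:51234,10240,20480,2024-01-01 11:00:00
laptop-alice,198.51.100.7:40000,999,888,2024-01-01 11:30:00
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,001565aabbcc,203.0.113.10:51234,2024-01-01 11:59:00
10.8.0.10,laptop-alice,198.51.100.7:40000,2024-01-01 11:59:30
GLOBAL STATS
END
"""

MAC_CN = re.compile(r"^[0-9a-f]{12}$")  # assumed key-name format: bare lowercase MAC

def exposed_listeners(ss_text, port, tun_ip):
    """Return local addresses listening on `port` that are not the tun IP."""
    bad = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface scope
        if lport == str(port) and addr != tun_ip:
            bad.append(addr)
    return bad

def connected_phones(status_text):
    """Map MAC-named clients to their VPN-side address from the routing table."""
    phones, in_routes = {}, False
    for line in status_text.splitlines():
        if line in ("ROUTING TABLE", "GLOBAL STATS"):
            in_routes = line == "ROUTING TABLE"
            continue
        parts = line.split(",")
        if in_routes and len(parts) == 4 and MAC_CN.match(parts[1].lower()):
            phones[parts[1].lower()] = parts[0]
    return phones
```

With the sample data, `exposed_listeners(SAMPLE_SS, 80, "10.8.0.1")` reports the wildcard bind that would leave provisioning reachable from outside the VPN, and `connected_phones(SAMPLE_STATUS)` shows which handset, by MAC, holds which tunnel address.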