Instructions on configuring a Yealink phone to connect to an Asterisk PBX over an OpenVPN virtual private network.
Summary
A VPN (or Virtual Private Network) allows two devices on the Internet to communicate over an encrypted connection. Since the data that goes between the devices can not be read by a third party, it is as if they were on a private network, hence VPN.
Yealink handsets have the facility to connect to a corporate network (or directly to an Asterisk PBX) using an OpenVPN virtual private network. This allows the handset to securely connect to the PBX, register a SIP account and make calls, without the need to expose the PBX SIP interface to the Internet.
For example, using OpenVPN would allow a home user to connect their Yealink handset to the company Asterisk server as if it was simply another extension of the PBX. This can be much simpler than trying to configure a home DSL router to establish a VPN connection, and much more secure than allowing unencrypted SIP connections over the Internet.
Yealink Phones (T28/T26) support Open VPN feature in firmware version 60 (x.60.x.x) and higher.
Yealink models T20 and T22 have supported Open VPN since version 70.0.140 of the firmware.
Key File Format
==== WARNING = WARNING = WARNING ====
Yealink Phones (T28/T26) support Open VPN feature in firmware version 60 (x.60.x.x) and higher.
Using an earlier version is likely to turn your phone into a brick.
==== WARNING = WARNING = WARNING ====
Before you start
Before you attempt to upload a key into your phone start by making certain that the time on the phone is synchronised with your VPN server. If the time is out by more than a few minutes the key will not validate and the VPN session will not start!
Generating keys
Note that the Yealink VPN client only supports authentication by client certificate - neither username/password authentication nor static pre-shared key authentication can be used.
Start by generating a client key for the handset on the OpenVPN server.
You will need 3 files from the OpenVPN server:
client.crt - the client certificate generated for this handset.
client.key - the key for this client handset.
ca.crt - the Root Certificate Authority certificate for the OpenVPN server.
You will then have to create a VPN client configuration file, called vpn.cnf. Use the following as a template and check that the settings match those specified on the OpenVPN server:
# Specify that this is a client configuration: client # Check whether the server is using a TUN or TAP interface, use the same here: dev tun ;dev tap # Check whether the server is using TCP or UDP protocol, use the same here: proto udp ;proto tcp # Specify the host name and OpenVPN port of the server: remote openvpn.example.com 1194 # Specify the file names of your certificates and key - these should not need changing. # The path names must be exactly as detailed below: ca /yealink/config/openvpn/keys/ca.crt cert /yealink/config/openvpn/keys/client.crt key /yealink/config/openvpn/keys/client.key # # NOTE: For Yealink-T32 or T38 phone, omit the initial /yealink directory , like this: # # ca /config/openvpn/keys/ca.crt # cert /config/openvpn/keys/client1.crt # key /config/openvpn/keys/client1.key # The rest of these settings should be unchanged: resolv-retry infinite nobind persist-key persist-tun mute-replay-warnings ns-cert-type server comp-lzo verb 3 mute 10
Now that you have the files, create the necessary directory tree layout:
- openvpn (folder)
- vpn.cnf
- keys (folder)
- ca.crt
- client.crt
- client.key
Use this directory layout to create a tar file that will be loaded on to your Yealink handset:
$ cd openvpn $ tar cvf openvpn.tar vpn.cnf keys
Configuring The Handset To Use OpenVPN
Once you have prepared the tar file you need to upload it to the handset and configure the handset to enable Open VPN.
Settings
- Find the handset's IP address. (On the handset, press Menu, then choose Status to view IP address.)
- Open the phone’s web configuration (http://<phone IP address>/). Log in (default user name and password are admin/admin).
- From the phones web interface select “Network -> Advanced”.
- Scroll to the VPN Section:
- Click Browse and find the tar file created above.
- Click Import.
- Then, check that VPN Active is set to Enabled, scroll to the botton of the page and click "Confirm".
- Go to the "Account" tab.
- Ensure that "SIP Server" is specified as the address of the Asterisk PBX as seen over the VPN*.
* In some cases the PBX may be visible both over the VPN and directly on the Internet, although this is not recommended. In these cases, if the Internet visible address of the PBX is used the handset will connect directly, not over the encrypted VPN, so ensure the VPN visible address is used.
Note: if you make a mistake and have to recreate and re-load you tar file then you must first disable the VPN setting, upload the new key and the re-enable the VPN. The new key will not upload if you fail to do this!
Firewall Implications
For the VPN to work, the phone must be able to make a connection to the remote PBX via OpenVPN.
For our configuration, that means that the phone must be able to make an outbound connection to the Internet on UDP Port 1194. This can be restricted to the PBX IP address if desired.
Your PBX must be able to accept connections on UDP Port 1194 as well - these can be restricted to Phone IP addresses if you know where your phones will connect from, but in general the PBX should accept OpenVPN connections from anywhere.
Diagnosing issues
The yealink handsets allows you to download a log file which can be quite useful in diagnosing issues. Search for the keywoard 'openvpn' in the logs.