Yealink SIP-T28P OpenVPN

Discussion in 'IP Phones' started by ChooseOpen, Aug 6, 2010.

  1. ChooseOpen

    Joined:
    Aug 4, 2010
    Messages:
    11
    Likes Received:
    0
    The latest firmware release from Yealink supposedly supports OpenVPN. Unfortunately, I can't find any documentation on how to configure it.

    I did a little digging and found that the web GUI expects the config file to be in TAR format. I tried TARballing all of the OpenVPN client certificates and an .ovpn config file with no luck. The GUI actually accepted the TAR upload, but the OpenVPN client still doesn't connect.

    Anyone have any ideas?


    Thanks!
    Jason
     
  2. logtech

    Joined:
    Apr 9, 2010
    Messages:
    147
    Likes Received:
    0
    did you figure it out?
     
  3. ChooseOpen

  4. logtech

    Yes, it's true that the Yealink guide for VPN is not huge :)

    So the file needs to be in tar and include exactly:
    VPN conf file
    keys folder including all certificates and key

    Am I right?
     
  5. ChooseOpen

    You are mostly correct. The TAR archive has an unusual structure. The uppermost folder is a "." folder. I had a hell of a time finding a graphical archiving tool in Ubuntu Linux that could handle it. I ended up using Xarchiver.

    To be more precise, the TAR archive folder structure is:

    # . <-folder
    # vpn.cnf <-standard OpenVPN client config file
    # keys <-folder
    ## ca.crt
    ## client.crt
    ## client.key

    EDIT: Updated the Wiki article.
     
  6. logtech

    Thank you,

    my concern regards dh2048.pem that is included in the zip generated by the OpenVPN server.

    If you could give the right directory direction I would appreciate it.

    Thank you
     
  7. ChooseOpen

    My OpenVPN server is running on my Vyatta router (so your setup might be different). I followed the stock instructions located at the link below to set up my Certificate Authority and generate my client keys. According to the table in this document, the dh2048.pem file is only for the OpenVPN server. It should not be needed by the Yealink clients.

    http://www.openvpn.net/index.php/open-source/documentation/howto.html#pki
     
  8. logtech

    In the Yealink tar file the VPN config has the name vpn.cnf, but the real OpenVPN name is conf .....

    I don't know if this matters.

    So far no luck. There is any indication how the VPN went .... I believe I can only check OpenVPN server status and logs on the server ....
     
  9. ChooseOpen

    Yep, you want your tar file to contain vpn.cnf NOT vpn.conf
    It is simply a text file that you can edit in a text editor (Notepad, gedit, etc). Rename yours to "vpn.cnf"
    Or, use the Yealink supplied version as a guide and edit it to suit your environment. My client vpn.cnf file only contains the following lines:

    client
    dev tun
    remote 99.99.99.99 1194
    tls-client
    proto udp
    # Comment out the following line if you don't have comp-lzo compression enabled on the server
    comp-lzo
    ca ca.crt
    cert client.crt
    key client.key
    ping 10

    As for logging, I couldn't find any way to check the client-side logs on the Yealink.

    Another tip... I found it easier to get a MS Windows workstation to connect to the OpenVPN server and then steal the working configuration file from it. At least that way you know that your OpenVPN server is working.
     
  10. logtech

    Thank You

    That's exactly what I did. I put the config on a remote laptop to check it first and it works: I can ping Elastix and only Elastix since this is a POINT to POINT VPN connection.

    By the way, I have received an answer from YEALINK support: to ask the local agents or the seller, they will provide helpful information for me.

    Well, they did not even provide the stupid link with the default configuration, which is ridiculous .....

    Once again thank you for the advice and I am going to work on that VPN .....

    Cheers
     
  11. ChooseOpen

    Yealink support sucks. They told me the same thing. I doubt the website I bought my phones from was going to be any help, so I figured it out myself. However, the T-28 is an awesome phone. We decided to deploy them to all of our desks.

    Let's do some basic troubleshooting:

    1. Do your OpenVPN server logs show any connection attempts from the Yealink phones? *ANY* attempt is a good sign, even if it didn't fully negotiate and got dropped. If you don't see any connection attempt in your logs, then you must have a serious problem with your Yealink TAR.

    2. In your vpn.cnf, are you specifying your OpenVPN server's IP address instead of hostname? Just a long-shot, but use the IP address instead of the hostname in case DNS lookups aren't working.

    3. If you DO see unsuccessful connection attempts in your logs, make sure your comp-lzo settings match on both sides.

    As a last-ditch effort, if you want to send me your vpn.cnf and sample key files, I will assemble them and send them back to you. I think this is most likely your problem. The Yealink phone will accept a malformed TAR archive without complaining, and OpenVPN simply won't work! You can email me at jason <at> chooseopen <dot> com
     
  12. logtech

    The problem is with number 1 .... I have already sent an email ....

    Thank you
     
  13. logtech

    I would like to thank you, Jason, for the free-of-charge advice. I really appreciate this kind of help on this forum. Jason spent almost all day sending emails and explaining how to do stuff from scratch. He did not say "I am better than you and you are a moron, please read the guide" etc..... I would call this real help on a forum ..... Jason belongs to the few people that provide excellent forum support. He is supposed to get a couple of karma....

    one more time THANK YOU Jason for your help!!!!!!!!!!!!
     
  14. Ninoska

    Joined:
    Jan 17, 2011
    Messages:
    1
    Likes Received:
    0
    Re: Re:Yealink SIP-T28P OpenVPN

    Hey Jason, I emailed you, I have the number one problem.
    Thank you so much if you can help me.
     
  15. Liakopoulos

    Joined:
    Feb 24, 2010
    Messages:
    37
    Likes Received:
    0
    Hello everyone,

    I started working on the vpn feature of a T38G Yealink phone.

    After a lot of messing around with it I discovered that the path where the configuration
    file and the keys directory are saved is actually /config/openvpn

    If you try to use the vpn feature of this phone please remember to adjust the path for the certificates in vpn.cnf accordingly.

    Best Regards,

    Panagiotis
     
  16. hca

    Joined:
    Aug 7, 2011
    Messages:
    3
    Likes Received:
    0
    Hi Folks,

    I am trying to get some new T26p's to use VPN on my elastix box but could not seem to get the VPN up in webadmin, but it's actually up. Testing to it with an XP box connects and drops on crypto. Thus there are a few weird things, but I googled it and see some versions of openvpn have crypto issues.

    However after deleting all the keys, and a fresh start it now seems to work with the xp box with AES-128-CBC. It seems I have OpenVPN version 2.0_rc16, OpenSSL version 0.9.7e with the OpenVPN + CA webadmin module.

    The phones are new T26p's firmware 6.60.0.110 and work normally with the server on a local subnet.

    I think I have the tar file format correct, it loads apparently without error, but there is no evidence of the connect attempt to the server or vpn indication on the phone.

    Solved now. Maybe it helps someone else.

    Could the T26p have a slightly different tar file layout to the T28? What I found made them work was renaming the ovpn file and editing the paths in it rather than using the conf file, the only difference being the use of Windows-style carriage returns.

    Also I note the phones take a little while to bring up the vpn indicator.

    Reg HCA
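
Added example (not part of the thread, and not Yealink's or any poster's code): since the phone accepts a malformed TAR without complaint (post 11), the layout from post 5 can be built and checked before upload. The function names `build_vpn_tar` and `check_vpn_tar` are hypothetical, and the file contents are constructed placeholders.

```python
import io
import tarfile

# Layout from the thread: a top-level "." folder holding vpn.cnf and keys/.
REQUIRED_FILES = ["./vpn.cnf", "./keys/ca.crt", "./keys/client.crt", "./keys/client.key"]

def build_vpn_tar(files, dot_prefix=True):
    """Build the archive in memory; `files` maps e.g. 'keys/ca.crt' to bytes.
    dot_prefix=False produces the layout without the "." folder, for comparison."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for d in ([".", "./keys"] if dot_prefix else ["keys"]):
            info = tarfile.TarInfo(d)
            info.type, info.mode = tarfile.DIRTYPE, 0o755
            tar.addfile(info)
        for name, data in files.items():
            info = tarfile.TarInfo(("./" if dot_prefix else "") + name)
            info.size, info.mode = len(data), 0o600  # owner-only mode on every file
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def check_vpn_tar(data):
    """Return a list of layout problems; an empty list means the layout matches."""
    try:
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
            members = {m.name: m for m in tar.getmembers()}
    except tarfile.TarError as exc:
        return [f"not a readable tar archive: {exc}"]
    problems = []
    if "." not in members or not members["."].isdir():
        problems.append('missing top-level "." folder')
    for name in sorted(members):
        if name != "." and not name.startswith("./"):
            problems.append(f'entry not under "./": {name}')
        if name.endswith((".conf", ".ovpn")):
            problems.append(f"config must be named vpn.cnf, found: {name}")
    for name in REQUIRED_FILES:
        if name not in members or not members[name].isfile():
            problems.append(f"missing file: {name}")
    return problems

if __name__ == "__main__":
    # Constructed placeholder contents; the real certificates and key go here.
    sample = {"vpn.cnf": b"client\ndev tun\n", "keys/ca.crt": b"CA",
              "keys/client.crt": b"CERT", "keys/client.key": b"KEY"}
    print(check_vpn_tar(build_vpn_tar(sample)))
    print(check_vpn_tar(build_vpn_tar(sample, dot_prefix=False)))
```

The check covers only the archive layout and file names given in posts 5 and 9; it does not validate the certificates or the OpenVPN directives.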
     