FreePBX VPN with Yealink phones

I am using the OpenVPN setup in the Distro with EPM and UCP all registered.

I’ve worked with Yealink to figure out how to upload the correctly formatted vpn.tar file

I would LOVE for FreePBX to build a config to be exported via UCP.

Currently when i download via UCP i get which contains the following files.


Now Yealink needs a .tar file to upload to the phones. So i start by creating VPN.tar and from there i create the following files.


If you see the key, crt, and ca,crt are just the sysadmin files renamed.

Now your sysadmin_client##.conf needs to be changed to vpn.cnf and a couple lines need to be changed to work properly.

I will display my sysadmin_client26.conf files below and then vpn.cnf so you can see the minor changes i needed to make for it to work.

Configuration automatically generated via Sysadmin RPM


Generated at: Mon, 09 Jan 2017 14:33:17 +0000

dev tun
proto udp
resolv-retry 60
remote-cert-tls server
ca sysadmin_ca.crt
cert sysadmin_client26.crt
key sysadmin_client26.key
verb 3
remote 1194
remote 1194

Now my Yealink vpn.cnf file that has been modified and works is below.

port 1194
dev tun
proto udp
resolv-retry 60
remote-cert-tls server
verb 3
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

Do you see my changes well i do and they work. I’ve tested this on W56P and T48G phones. Can FreePBX add the download for Yealink phones following my recommendations above?

Seems I’m having the same issue with the T46G. Weird thing is this used to work( haven’t tested for a few months so not sure what version of EPM worked) so something must have changed with EPM. Have you submitted a bug report?

Great information. We need the same thing for Grandstream as well!!

I have not submitted a bug report or anything i just posted this all here.

I submitted this to the webinar today in 3 hours that Sangoma is hosted called.

Secure Remote User Management with FreePBX/PBXact : Using Built-in VPN Server.

Actually disregard my comment. It is working for me using EPM. There was a config issue on my end. Seems like if it works on the T46 it should work on the T48 unless they handle the VPN config differently? What firmware and EPM version are you using? I’ll do some more testing. Are you creating the VPN clients in sysadmin or are they being autogenerated by user manager?

I can confirm it is working with the T41.

I am creating the VPN clients through Sysadmin and then when the user logs into UCP they pull the config’s down. I need to edit them individually. There is a flag you can change if you don’t mind all your VPN clients having the same cert/key.


I got this in the /var/log/messages file when utilizing

tail -f /var/log/messages | grep vpn

Jan 12 01:58:43 localhost openvpn[20760]: MULTI: new connection by client ‘client14’ will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.

If you want to see a specific client’s sessions

cat /var/log/messages | grep vpn | grep client##

Firmware on the T48G is

Firmware on the W56P is
Base for W52P&
and for the handset

My one issues is that the templates are still generating the wrong IP address for by Apps buttons. I have my VPN users on and my phones are on but when ever i create templates even through i select that they are VPN users its destination for the apps are always… So I change that to 161 and my apps work again.

So any way for vpn client to download a new format for yealink phones in my above setup?

Juesor we actually use T46, T48 and T42 phones for our installs with a number our clients and a few use the VPN. We use PBXact systems but there shouldnt be a difference as long as your using the commerical EPM.

  1. Setup your VPN server and make sure you have created the correct routes to allow your 161 subnet to talk to your 160 subnet in the phone system.
  2. Setup the user to allow VPN Access under User Management for the Auto Create and Link
  3. Go to the EndPoint Manager and assign the user their VPN then tell the phones to update

At this point it should auto download the file and restart the phone. Yes the phone DOES need to be locally connected to the phone system for this to work but its one method to get it to work. After the initial time its connected it no longer needs to be on the same network. As well as long as the routes are setup right you shouldn’t have an issue with phone apps. I have gone to random customers networks and plugged in for demos and everything worked. Hell i used my cell phone broadcasting wifi and a wifi module once. :slight_smile:

I’ve used enough VPN phones now but i still have to manually create the tar files EPM does not provide a proper config file for the Yealink phones.

Do you have that same issue?

And i found that i do not need to have the phones on a direct connection to the PBX because once i have the VPN connected.

Go to the phones web page.
Click Settings
Click Auto Provison
Set Server URL to tftp:// <- this is the ip that my PBX is listening tftp on
Click Auto Provision Now

BOOM phone will auto provision and you can even look in /var/log/messages | grep tftp and you can see the phone try to pull the cfg files and templates.

We had the same issue with the W52P. We ended up putting a real support ticket in on this one and worked with Robert for some time. He could only get some of the test Yealinks to work with the VPN, but not all. I believe they reached out to the developer at the time and they let us know that it was not supported or designed for the Yealink phones. At the end of the day I learned that it is possible to work with some yealinks and if the condition’s are right ex. Firmware. We never could get the W52P to work on the VPN on PBXact UCC.

I figured it out this VPN problem with the old Yealink models (or not updated models)

The problem with the Yealink phones that have a firmware < 80 DO NOT SUPPORT SHA256 as a signature method, they only support SHA1

In the default Freepbx with commercial VPN run this command:

cat /etc/openvpn/sysadmin_server1.crt |grep Signature

It will probably return:

Signature Algorithm: sha256WithRSAEncryption

If this is the case, you cant use Yealink phones with a firmware <.80 because they do not support SHA256 only SHA1 & MD5 and redeploy all your certificates again :-/ but at least your old phones will be VPN available too :slight_smile:

Personally I am thinking of adding an additional VPN server with MD5 certificates only for deployment of the old Yealink/Tiptel phones.

Workaround: Update your phone to firmware x.80+
Or if your phone is an old hardware model, change your certificate into MD5 explained below in the yealink forum link.



Great find!!! This has long been a question in many forums I have come across.


Grab easyrsa scripts and build a self signed certificate etc google there are a lot of descriptions how to do that.

  1. Create a new set of server keys and make sure you signed it with SHA1. You can force this by adding/changing the line inside the openssl.cnf

“default_md = sha1”

You can check it with: cat *.crt |grep Signature
It should say SHA1 else you need to re-create the keys again and make sure this time the self signed cert is done with SHA1

I also use the Diffy Hellman protection on top of the VPN see:

  1. Login to your FreePBX server and create a new directory inside /etc/openvpn/my_server2_keys
    also create empty directories log and ccd2
  2. Place the keys needed for the 2nd VPN server inside that directory (not needed but keeps stuff tidy and separated from the SysadminPro files)
  3. Created a new OpenVPN server manually on a different port than the original OpenVPN server. below is an example

port 1195
proto udp
dev tun
user nobody
group nobody
ca my_server2_keys/ca.crt
cert my_server2_keys/flash-01.crt
key my_server2_keys/flash-01.key
dh my_server2_keys/dh1024.pem
tls-auth my_server2_keys/ta.key 0 # <-- Optional DH protection recommended by me :slight_smile:

crl-verify my_server2_keys/crl.pem
ifconfig-pool-persist ipp2.txt

keepalive 10 120
client-config-dir ccd2
status log/openvpn-status.log

verb 3

Now also create a new client file vpn.conf:

dev tun
proto udp
remote 1195 # <-- CHANGE ME!!!
resolv-retry infinite

ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/certificate.crt
key /yealink/config/openvpn/keys/private.key

tls-auth /yealink/config/openvpn/keys/ta.key 1

ns-cert-type server
verb 3
mute 20

I made a little script that bakes all the Yealink vpn tar’s. Copy your vpn.conf you’ve created above here also near this script so it can combine the keys and the conf together to the package. All the legacy hardware is marked with a *-vpn-L.tar Also check the script for working dirs I use to create the skeleton of the vpn-tar

# Updates the VoIP OpenVPN Certificates
# Make sure you have all the certificates & keys for the clients inside the keys directory of your easyrsa
# Name the keys to the MAC address of you phone
# © Wessel de Roode
# $Id: 254 2017-02-26 22:17:47Z wessel $
echo -e "\033[1;35;40mY E A L I N K L E G A C Y O P E N V P N T A R C R E A T I O N V2.0\033[0m"
cd keys
for file in 00*.key
rm …/clients/client/keys/*
cp ca.crt ta.key …/clients/client/keys/

cp ${mac}.crt …/clients/client/keys/certificate.crt
cp ${mac}.key …/clients/client/keys/private.key
cd …/clients/client/
tar cf …/${mac}-vpn-L.tar .
echo -e "Created ${mac}-vpn-L.tar …"
cd …/…/keys

Copy all the *-vpn-L.tar files on your freepbx server /tftboot/

The biggest trick is you adjust the EndPointManager yealink template. Make a copy of the default yealink template and change it with the basic-edit function:

network.vpn_enable = 1
openvpn.url =$MAC-vpn-L.tar

  • Switch off VPN for the yealink template.
  • adjust the server ip for your “Destination Address” inside the endpoint manager template for the yealink into custom address
  • Open up your firewall to the new 1195 custom service with UDP protocol and make it external,

restart the openvpn server, check if the port is bind with:

# lsof -i -P |grep vpn
openvpn 17984 nobody 6u IPv4 860832 0t0 UDP *:1194
openvpn 17995 root 6u IPv4 860863 0t0 UDP *:1195

Now tail that http server:

tail -f /var/log/httpd/*

Go to your Yealink and kick the provision button and you should see somewhere fly by:

xx.yy.zz.uu - username [26/Feb/2017:21:25:05 +0100] “GET /YOUR PHONE MAC-vpn-L.tar HTTP/1.1” 200 20480 “-” “Yealink SIP-T28P”

If you see that 200 fly by than you know the VPN configuration was picked up.

Now check your phone does it find the VPN ? in some minutes you should see the vpn logo on the phone get activated
You can double check if the VPN server has it too by cat the log:

# cat /etc/openvpn/log/openvpn-status.log

Final check is, did the phone register it’s account? you should be able to see that on the telephone.

Well done if you made it through here, you got your old legacy hardware working again on FreePBX and fully deployable through EndPointManager like all the other phones :smiley:

Look at that someone else here puts time and effort into FreePBX and Yealink phones.

Great write up.

I’m going to borrow the scripts you have for creating your vpn.tar files as currently I have my phone technician downloading from UCP and creating files manually.

Sorry I never got back to you on that question from the other week. No we dont have that issue. I also relayed info in an odd way. What I meant about needing the phone on the network is only for initially setting it up. After it downloads the files through endpoint manager then you can take the phone off network and it works great

We have done with no special modifications or changes to EPM or VPN. This worked with T46 and T48 phones running firmware 80 or 81. I have not tried with other models yet. We only use those when selling phone systems for the most part.

I can say i have not tried downloading through UCP and uploading manually or with older models that dont support new authentication methods.

Also setting up option 66 in DHCP to point to your server and you wont need to touch the yealink phones for provisioning. it will happen automatically. :slight_smile: I would die without it. lol

1 Like

Ok so sorry to bring up an old thread but I recently had issues with phones that would go in a disconnected state and not recover without a reboot.

I opened a ticket with Yealink on this issue and their response was the following.

Good day and thanks for your ticket .

For this issue, please check if the server.ovpn and vpn.cnf file contain below parameter:

keepalive 20 60

// This parameter configure the reconnect mechanical of VPN, for this setting, the phone will ping the VPN server every 20 seconds and if failed after 60 seconds , then phone will try to reconnect the VPN server again //

So since i cannot apply the keepalive in freepbx’s config I worked up a small bash script that does the work for me.

for filename in *-vpn.tar; do
mkdir $noExten
tar -xvf $filename -C /tftpboot/$noExten/
cd $noExten
echo “keepalive 20 60” >> vpn.cnf
tar -pcvf $filename *
mv $filename …
cd …
rm -rf $noExten
chmod 755 *
chown asterisk:asterisk *.tar

I put this script in the /tftpboot/ directory and right now i execute the script every time i rebuild config’s.

1 Like

Trying to get this to work. Is the above still valid?

It still works for me. Add the Keepalive to seems to have fixed an issue with Yealink phones and VPN stability. Also i run that script and all my tar’s are created with the vpn.cnf file.