FreePBX VPN with Yealink phones

I got it working!! ALMOST, PLEASE HOLD, SOME LAST BUGS I'M INVESTIGATING NOW :slight_smile:

Grab the easy-rsa scripts and build a self-signed CA plus server and client certificates; there are plenty of descriptions online of how to do that.

  1. Create a new set of server keys and make sure they are signed with SHA1. You can force this by adding/changing this line inside openssl.cnf:

default_md = sha1

You can check it with: for c in *.crt; do openssl x509 -noout -text -in "$c" | grep 'Signature Algorithm'; done
It should say sha1WithRSAEncryption; otherwise re-create the keys and make sure the certificates are signed with SHA1 this time. (A plain grep on the .crt file finds nothing, since the PEM body is base64.) SHA1 signatures are deprecated and are only used here because the old phone firmware does not accept anything newer, so keep this CA for the phones alone and do not reuse it for anything else.

I also use the Diffie-Hellman protection on top of the VPN, see: diffie hellman - Why OpenVPN is using both certificates and DH? - Information Security Stack Exchange
https://community.openvpn.net/openvpn/wiki/Hardening
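As an added check (not part of the original post), here is a small bash function that verifies the server certificate has everything the legacy phone will insist on before you start building tars. It goes beyond the grep above: besides the SHA1 signature it checks that the certificate carries the nsCertType=server extension (the client config's ns-cert-type server directive rejects the server without it), that it verifies against the CA the phones will get, and that the key on disk belongs to it. It assumes openssl is on the PATH and the file names from the server config (ca.crt, flash-01.crt, flash-01.key); adjust those to your own.

```shell
#!/bin/bash
# Pre-flight check for the OpenVPN server certificate a legacy Yealink must accept.
# Added example for this write-up, not code from the original post.
# Usage: check_server_cert my_server2_keys/ca.crt my_server2_keys/flash-01.crt my_server2_keys/flash-01.key
set -u

check_server_cert() {
    local ca="$1" crt="$2" key="$3" rc=0 text sigalg

    text=$(openssl x509 -in "$crt" -noout -text) || return 1

    # 1. Signature digest: the old phone firmware only takes SHA1 (hence default_md = sha1);
    #    anything else means the CA signed with the wrong digest.
    sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm/ {print $3; exit}')
    if [ "$sigalg" != "sha1WithRSAEncryption" ]; then
        echo "FAIL: $crt is signed with '$sigalg', the phone needs sha1WithRSAEncryption" >&2
        rc=1
    fi

    # 2. The client config uses 'ns-cert-type server', so the certificate must carry the
    #    Netscape nsCertType=server extension, printed by openssl as "SSL Server".
    if ! printf '%s\n' "$text" | grep -A1 'Netscape Cert Type' | grep -q 'SSL Server'; then
        echo "FAIL: $crt has no nsCertType=server extension; phones will reject the server" >&2
        rc=1
    fi

    # 3. The certificate must chain to the CA that goes into the phones' tar.
    if ! openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1; then
        echo "FAIL: $crt does not verify against $ca" >&2
        rc=1
    fi

    # 4. Key and certificate must belong together: compare the public key hashes.
    if [ "$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)" ]; then
        echo "FAIL: $key does not match $crt" >&2
        rc=1
    fi

    return $rc
}
```

Run it once on the server key set before the tar script, and again whenever you re-issue the server certificate; any FAIL line is a handshake that will not work on the phone.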

  2. Log in to your FreePBX server and create a new directory /etc/openvpn/my_server2_keys;
    also create the empty directories /etc/openvpn/log and /etc/openvpn/ccd2 (the server config below refers to them relative to /etc/openvpn).
  3. Place the keys needed for the 2nd VPN server inside that directory (not strictly needed, but it keeps things tidy and separated from the Sysadmin Pro files).
  4. Create a second OpenVPN server config manually, on a different port than the original (Sysadmin Pro) OpenVPN server. Below is an example:

port 1195
proto udp
dev tun
user nobody
group nobody
ca my_server2_keys/ca.crt
cert my_server2_keys/flash-01.crt
key my_server2_keys/flash-01.key
dh my_server2_keys/dh1024.pem # ← 1024-bit DH is weak by today's standards; prefer the dh2048.pem that current easy-rsa generates
tls-auth my_server2_keys/ta.key 0 # ← Optional hardening, recommended by me: HMAC-authenticates control-channel packets with ta.key, so unsigned packets hitting the open port are dropped (separate from the DH parameters above)

crl-verify my_server2_keys/crl.pem
server 10.8.1.0 255.255.255.0 # ← USE A DIFFERENT IP RANGE
ifconfig-pool-persist ipp2.txt

keepalive 10 120
client-config-dir ccd2
comp-lzo
persist-key
persist-tun
status log/openvpn-status.log

verb 3
client-to-client # ← lets phones reach each other through the tunnel; drop it if they only need to talk to the PBX

Now also create a new client file vpn.conf:

client
dev tun
proto udp
remote vpn.yourdomain.com 1195 # ← CHANGE ME!!!
resolv-retry infinite
nobind
persist-key
persist-tun

ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/certificate.crt
key /yealink/config/openvpn/keys/private.key

tls-auth /yealink/config/openvpn/keys/ta.key 1

ns-cert-type server # ← old form of remote-cert-tls server; requires the nsCertType=server extension on the server certificate (newer easy-rsa versions may not add it, check with openssl x509 -text)
comp-lzo
verb 3
mute 20

I made a little script that bakes all the Yealink VPN tars. Copy the vpn.conf you created above next to this script as well, so it can combine the keys and the conf into the package. All the legacy hardware is marked with a *-vpn-L.tar. Also check the script for the working dirs I use to create the skeleton of the VPN tar.

#!/bin/bash
#
# Updates the VoIP OpenVPN certificates
# Make sure you have all the certificates & keys for the clients inside the keys directory of your easyrsa
# Name the keys after the MAC address of your phone (e.g. 001565aabbcc.key and 001565aabbcc.crt)
# Expects ../clients/client/ (relative to keys/) to hold vpn.conf and an empty keys/ subdirectory
#
# (c) Wessel de Roode
# $Id: doint.sh 254 2017-02-26 22:17:47Z wessel $
set -e
echo -e "\033[1;35;40mY E A L I N K   L E G A C Y   O P E N V P N   T A R   C R E A T I O N   V2.0\033[0m"
cd keys
for file in 00*.key
do
    mac=${file:0:12}
    # start from a clean skeleton so no key from the previous phone ends up in this tar
    rm -f ../clients/client/keys/*
    cp ca.crt ta.key ../clients/client/keys/
    cp "${mac}.crt" ../clients/client/keys/certificate.crt
    cp "${mac}.key" ../clients/client/keys/private.key
    # pack vpn.conf plus keys/ into clients/<mac>-vpn-L.tar, with the MAC as file name
    (cd ../clients/client && tar cf "../${mac}-vpn-L.tar" .)
    echo "Created ${mac}-vpn-L.tar ..."
done

Copy all the *-vpn-L.tar files to /tftpboot/ on your FreePBX server.

The biggest trick is adjusting the Endpoint Manager Yealink template. Make a copy of the default Yealink template and change it with the basic-edit function:

network.vpn_enable = 1
openvpn.url = http://_username_:_password_@_pbxhost_:84/$MAC-vpn-L.tar

(_username_, _password_ and _pbxhost_ are placeholders for your provisioning credentials and the address the phones use to reach the PBX.) Keep in mind that this is plain HTTP with the credentials in the URL, and the tar carries the phone's private key, so only let phones pull it over a network you trust, or over HTTPS if the firmware supports it.

  • Switch off the built-in VPN option for this Yealink template, since the manually configured server replaces it.
  • Change the "Destination Address" inside the Endpoint Manager template for the Yealink to a custom address, 10.8.1.1 (the server end of the 10.8.1.0/24 range).
  • Open up your firewall for the new custom service, UDP 1195, and make it external; with tls-auth in place the exposed port silently drops packets that are not signed with ta.key.

Restart the OpenVPN server and check that the new port is bound:

# lsof -i -P |grep vpn
openvpn 17984 nobody 6u IPv4 860832 0t0 UDP *:1194
openvpn 17995 root 6u IPv4 860863 0t0 UDP *:1195

With user nobody / group nobody in the config the second instance should show up as nobody too once it has finished initialising, like the first one; if it stays root, the privilege drop is not in effect for that instance.

Now tail the provisioning web server log:

tail -f /var/log/httpd/*

Go to your Yealink, press the provision button, and you should see something like this fly by:

xx.yy.zz.uu - username [26/Feb/2017:21:25:05 +0100] "GET /YOUR PHONE MAC-vpn-L.tar HTTP/1.1" 200 20480 "-" "Yealink SIP-T28P 2.73.0.50"

If you see that 200 fly by, you know the VPN configuration was picked up.

Now check your phone: does it find the VPN? Within a few minutes you should see the VPN logo on the phone light up.
You can double check if the VPN server has it too by cat the log:

# cat /etc/openvpn/log/openvpn-status.log
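As an added example (not from the original post) of doing the two log checks above in one go: given a phone's MAC it confirms that the provisioning web server handed out the tar with a 200 and that the phone then appeared in the OpenVPN routing table on the 10.8.1.0/24 range. It assumes the phone's certificate CN is its MAC, as the tar script's file naming implies. The log excerpts embedded in it are constructed samples in the formats shown above (Apache access log and OpenVPN's status-version 1 file); the MACs and addresses are made up.

```shell
#!/bin/bash
# Added example, not part of the original post: confirm that one phone (by MAC)
# pulled its VPN tar from the provisioning web server and then came up on the
# second OpenVPN instance. Assumes the certificate CN equals the phone's MAC.
# The log excerpts below are constructed samples with made-up MACs/addresses.

# Constructed sample: two lines as they appear in /var/log/httpd/ (Apache combined log).
SAMPLE_HTTPD_LOG='198.51.100.23 - username [26/Feb/2017:21:25:05 +0100] "GET /001565aabbcc-vpn-L.tar HTTP/1.1" 200 20480 "-" "Yealink SIP-T28P 2.73.0.50"
198.51.100.24 - username [26/Feb/2017:21:26:11 +0100] "GET /001565ddeeff-vpn-L.tar HTTP/1.1" 404 203 "-" "Yealink SIP-T28P 2.73.0.50"'

# Constructed sample: /etc/openvpn/log/openvpn-status.log (OpenVPN status-version 1).
SAMPLE_STATUS_LOG='OpenVPN CLIENT LIST
Updated,Sun Feb 26 21:30:00 2017
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
001565aabbcc,198.51.100.23:51234,18422,22731,Sun Feb 26 21:27:40 2017
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.1.6,001565aabbcc,198.51.100.23:51234,Sun Feb 26 21:29:58 2017
GLOBAL STATS
Max bcast/mcast queue length,0
END'

# Write the samples to temp files so the functions can be exercised offline;
# in production point them at the real log files instead.
HTTPD_SAMPLE=$(mktemp) && printf '%s\n' "$SAMPLE_HTTPD_LOG" > "$HTTPD_SAMPLE"
STATUS_SAMPLE=$(mktemp) && printf '%s\n' "$SAMPLE_STATUS_LOG" > "$STATUS_SAMPLE"

# tar_fetched MAC ACCESS_LOG: prints the HTTP status of the last GET of /MAC-vpn-L.tar
# (field 7 is the request path, field 9 the status); returns 1 if it was never requested.
tar_fetched() {
    local mac="$1" log="$2" status
    status=$(awk -v f="/${mac}-vpn-L.tar" '$7 == f {s=$9} END {print s}' "$log")
    [ -n "$status" ] || return 1
    printf '%s\n' "$status"
}

# vpn_address MAC STATUS_LOG: prints the tunnel address routed to the phone (ROUTING TABLE
# section, second column is the certificate CN); returns 1 if the phone is not connected.
vpn_address() {
    local mac="$1" log="$2" addr
    addr=$(awk -F, -v cn="$mac" '
        /^ROUTING TABLE/ { in_rt = 1; next }
        /^GLOBAL STATS/  { in_rt = 0 }
        in_rt && $2 == cn { print $1; exit }' "$log")
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# check_phone MAC ACCESS_LOG STATUS_LOG: both checks in the order the rollout happens,
# so the message tells you at which step a phone got stuck.
check_phone() {
    local mac="$1" httpd="$2" status="$3" code addr
    if ! code=$(tar_fetched "$mac" "$httpd"); then
        echo "$mac: tar never requested (phone did not provision?)"; return 1
    fi
    if [ "$code" != 200 ]; then
        echo "$mac: tar request answered with HTTP $code (tar missing from /tftpboot, or wrong provisioning credentials)"; return 1
    fi
    if ! addr=$(vpn_address "$mac" "$status"); then
        echo "$mac: tar fetched but no tunnel yet (check the certificate CN and the phone's VPN log)"; return 1
    fi
    echo "$mac: OK, tar fetched and tunnel up at $addr"
}

# Demo on the constructed samples: the first phone is fine, the second got a 404.
check_phone 001565aabbcc "$HTTPD_SAMPLE" "$STATUS_SAMPLE"
check_phone 001565ddeeff "$HTTPD_SAMPLE" "$STATUS_SAMPLE" || true
```

On the PBX you would call check_phone with the real files, e.g. check_phone 001565aabbcc /var/log/httpd/access_log /etc/openvpn/log/openvpn-status.log, and loop over the MACs from the tar script to see which phones are still missing.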

Final check: did the phone register its account? You should be able to see that on the phone itself.

Well done if you made it through to here; you've got your old legacy hardware working again on FreePBX, fully deployable through Endpoint Manager like all the other phones :smiley: