FreePBX VPN with Yealink phones


(United States) #1

Good day All

I have been bouncing around all the forums looking for the fix.

I am running FreePBX 15.0.16.53 small phone system with 16 extensions I am trying configure 6 extensions for remote users. I have a mix of yealink phones.

one T20P with firmware 9.73.0.50 running.
two T21PE2 firmware 9.73.0.50 running Open VPN configured and running great
three T42G firmware 29.83.0.50 running

The T21PE2 phones are up and running with no issues for over 3 months. they are configured with Admin Pro Commercial module with EPM.

I followed the same configuration steps for the other 4 phones and the VPN doses not work, teh auto provisioning does set the phone up for VPN it is enabled however I can’t see the VPN Client config on the phone. I did a log 6 review and it looks like it is there however the VPN signal light on the desplay never turns on.

Looking at the forums I see that some yealink phones need the vpn config up loaded to the GUI I did this via text file and compressed it with TAR. uploaded to the phone was successfully uploaded however still nothing works.

I have reached the end of the internet with info about how to get this done.

Has anyone done this, could you share thoughts or comments. Anything at this point would be amazing!

this is my redacted VPN.CNF.TAR file

client
remote XX.XX.XX.X4 # WAN ADDRESS
port 1194
dev tun
proto udp
resolv-retry 60
nobind
persist-key
persist-tun
remote-cert-tls server
comp-lzo
verb 3

ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

-----BEGIN CERTIFICATE----- bla bla bla -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) Serial Number: 15 (0xf) Signature Algorithm: sha256WithRSAEncryption Issuer: CN=FreePBX Validity Not Before: Jun 9 15:50:21 2020 GMT Not After : Jun 7 15:50:21 2030 GMT Subject: CN=clientXX Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: bla bla bla Exponent: 65XXX (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX X509v3 Authority Key Identifier: keyid:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX DirName:/CN=FreePBX serial:XX:XX:XX:XX:XX:XX:XX:DB
        X509v3 Extended Key Usage: 
            TLS Web Client Authentication
        X509v3 Key Usage: 
            Digital Signature
Signature Algorithm: sha256WithRSAEncryption
    bla bla bla

-----BEGIN CERTIFICATE-----
bla bla bla
-----END CERTIFICATE-----


-----BEGIN PRIVATE KEY-----
bla bla bla
-----END PRIVATE KEY-----


(Moussa) #2

Try this

https://wiki.freepbx.org/display/FDT/[How-to]+Set+up+VPN+on+Yealink+Phone


(United States) #3

Moussa845

thanks for the link that was my first try. did not do anything so I found this on this forums page


also with the same result.


(Joel Buhr) #4

OK this may be a dumb question. Is the TAR file being made on the FreePBX system? I am trying to sort this out as well, mixture of 28P and 48 yealink phones.


(United States) #5

Joel

So for the T21PE2 freepbx automatically generated these config from me from the internal Openvpn server running on FreePBX. and now that I have the phone firmware updates on the T42G’s they also pull their vpn config onto the phone. however the T42G will not connect. The T21PE2 connect great and are working very well.

Because the VPN config file is hidden and I can’t see what FreePBX installed on the phone I am making a manual vpn config file and uploading it to the phone myself. with no luck. It would be amazing if I could extract the auto configured vpn file from FreePBX / Openvpn so I know the proper format to send the phone at this point I am guessing the Forums suggestions are all different.

let’s stay in touch if I find a solution I will post it ASAP


(United States) #6

you can find the VPN certs info on your Freepbx server here /etc/asterisk/keys/[yourFQDN]

also your users cert info is in this location: /etc/openvpn/clients


(Lorne Gaetz) #7

There is no need to go browsing around the file structure for vpn tarballs. Enable VPN in UCP for the user in User Management and then you can dload a vpn tarball directly from UCP.


(United States) #8

Good point I don’t use the UCP much, I forgot about that. For sure a better and safer way …My Bad :wink:


(James) #9

T42G does not support the FreePBX version of openvpn on the newer v83+ t42g firmware. I had the same issue and Yealink confirmed that v83 firmware does not support the latest versions of OpenVPN that Sysadmin uses. If you roll back to v82 it should connect fine. Not ideal so if anyone has any other solution I’d be happy to try it as well.


(United States) #10

Good day All

I have finally got one Yeallink T42G to work via VPN. The process so far is

Firmware 29.82.0.20 provision phone after provision is complete add VPN connection thru EPM on FreePBX once phone reboots it should work with vpn.cnf file auto provisioned from FreePBX / OpenVPN.

I still don’t know the correct VPN config format for doing it manually trying to get that.

I have one T42G that has Fonality firmware on it, the VPN with FreePBX will not work with Fonality firmware on the device. In process of getting that removed.

Cheers,


(Joel Buhr) #11

When I go into my UCP and go to my user settings, I get the ability to download the VPN but it does so as a ZIP file. What am I missing here?


(Lorne Gaetz) #12

And when you decompress the zip file …?


(Joel Buhr) #13

It has the following in the folder.
sysadmin_ca.crt
sysadmin_client0.conf
sysadmin_client0.crt
sysadmin_client0.key
sysadmin_client0.key


(United States) #14

Joel

If you are auto provisioning the phone and using EPM. the phone should pull its VPN info with all of those files for you. If it is not I would try changing the firmware on the phone. doing the TAR upload is very frustrating. I could not get a consistent flow manually from phone to phone.

Checking auto provision is working - from EPM make sure you have the VPN selected for extension.
on the phone GUI - go to Network - Advanced - scroll to bottom in the VPN section this should be enabled and the upload box marked “Upload VPN Config” should have vpn.cnf. If it doesn’t the phone has a different configuration need for vpn config files. try different firmware for the phone. With my phones I had an issue with T42G once I got the phone to the correct firmware Freepbx with EPM auto configured the VPN settings.

let me know how it goes.


(Joel Buhr) #15

Tried to do a provision on my network.

FreePBX is on 192.168.0.X/24 network
Phones are on 192.168.3.X/24 network

When I do a scan nothing comes up, moved a phone to the same network as the PBX scanned and still nothing.

There has got to be something missing here. Any suggestions on where to start?


(United States) #16

Just sent you a private message.


(Bill Hegardt) #17

For the T42g, I contacted Yealink support and they gave me unreleased firmware that resolves the VPN issue. The version is 29.83.0123


(Bill Hegardt) #18

Make that version 29.83.0.123