Looking for consultant to connect Yealink VPN phones to OpenVPN server

I am running FreePBX 1.814.210.58-2. I am trying to connect some Yealink T-32G phones via the OpenVPN client on the phone so they can remotely connect to the PBX. I have the OpenVPN server up and running and am able to connect to it with a Windows desktop client. The phone can connect to the PBX when on the LAN.

I have spent hours trying to get the VPN part of the phone to connect with no success. At this point I am looking for a consultant who has done this before and can just get it done for us.

There’s a good posting from somebody who fought through it on an Elastix box:
http://www.elastix.org/dokuwiki/doku.php?id=yealink_sip-t28p_openvpn_configuration

Has a few good points to check both in terms of your OpenVPN server settings and the files that the Yealink phone needs to actually connect properly.

If it makes you feel any better I have 35+ years of *nix experience, 20 years of network/VPNs and almost 10 years of Asterisk. I have spent at least 30 hours and can’t get it to work either.

It’s a big deal too, I promise to share my findings. Had to take a break from it for the holidays, time to dive back in.

Thanks, I appreciate it. I will share anything I get as well. There are different guides and methods of getting it working according to other people but so far I have been unsuccessful.

This may be something you already know…but if it can help: I’ve done some OpenVPN work, and lost some hair in the process.

  • If you are going to have multiple end-points connecting to the server, then you must be running with certificates.
  • You must make sure that each endpoint has a different certificate (OpenVPN seems to allow endpoints to share a certificate, but I'm not sure how well this works). The server certificate purpose is critical, and must have 'Digital Signature' and 'Key Encipherment' set. I've found that a simple web server certificate will not work; OpenVPN won't use it. Notice that the Server and User certs differ subtly. Netscape Comment isn't just a comment, it is a certificate purpose.

    Server cert:
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Cert Type:
    SSL Server
    Netscape Comment:
    OpenSSL Generated Server Certificate
    X509v3 Extended Key Usage:
    TLS Web Server Authentication
    X509v3 Key Usage:
    Digital Signature, Key Encipherment

    Client cert:
    X509v3 extensions:
    X509v3 Basic Constraints:
    CA:FALSE
    Netscape Comment:
    OpenSSL Generated User Certificate

  • The server must be configured in a remote access type scenario: server 192.168.255.0 255.255.255.0
  • The server must push routes for all reachable subnets or hosts, eg: push "route 192.168.1.0 255.255.255.0"
  • The clients may need iroute commands in the client-config-dir (on the server) that match the certificate CN to push their local subnet to OpenVPN, and the server config must have the equivalent route commands. It is counter-intuitive to say the least! However I've found this setup to work reliably.
Just my 2¢
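
A check for the certificate-purpose rules in the post above, as an added example that is not part of the original thread: it parses the extensions section of `openssl x509 -noout -text` output and reports what a certificate lacks to act as the OpenVPN server certificate. The sample texts are constructed from the dumps in the post, and the function names are illustrative.

```python
import re

# Constructed sample input: extension sections as printed by
# `openssl x509 -noout -text`, modelled on the dumps in the post above.
SERVER_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            Netscape Comment:
                OpenSSL Generated Server Certificate
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
"""
CLIENT_TEXT = """\
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated User Certificate
"""

def parse_extensions(text):
    """Map each extension name to the list of values on the lines below it."""
    exts, name = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.endswith((":", ": critical")):   # header line of an extension
            name = re.sub(r":( critical)?$", "", line)
            exts[name] = []
        elif name and line:                       # value line, comma separated
            exts[name] += [v.strip() for v in line.split(",")]
    return exts

def server_cert_problems(text):
    """Return reasons this cert fails the server-purpose rules from the post."""
    exts = parse_extensions(text)
    problems = []
    for usage in ("Digital Signature", "Key Encipherment"):
        if usage not in exts.get("X509v3 Key Usage", []):
            problems.append("Key Usage lacks " + usage)
    # Assumption: either server-purpose marker shown in the post is accepted.
    if ("TLS Web Server Authentication" not in exts.get("X509v3 Extended Key Usage", [])
            and "SSL Server" not in exts.get("Netscape Cert Type", [])):
        problems.append("no server purpose (EKU or Netscape Cert Type)")
    return problems
```

Calling `server_cert_problems()` on the client dump returns three findings, which is the subtle server/user difference the post points out.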

I just recently set up a Snom 720 with OpenVPN and it worked like a dream. Only had to import 2 certificates and a small config file to the phone.

Can you provide additional information on what your OpenVPN server configuration looks like and what you imported? I am using the OpenVPN appliance.

Here’s the resource I followed:

This looks very similar to how the Yealink works. I am building that OpenVPN server with the steps he has to see if that works better than the appliance that I am using. Did you have any issues or were you able to follow this guide to the letter?

No dice, I just ran through the setup and got the server up and the phone won’t connect. I had to use the following https://servertutz.wordpress.com/2011/08/14/installing-openvpn-on-centos/ to get OpenVPN up and running but then used the link you provided as much as possible.

I am using a different config file structure for the tar as the phones are different.

Just curious if you got the VPN working. I finally did.