I am running FreePBX 1.814.210.58-2. I am trying to connect some Yealink T-32G phones via the OpenVPN client on the phone so they can remotely connect to the PBX. I have the OpenVPN server up and running and am able to connect to it with a Windows desktop client. The phone can connect to the PBX when on the LAN.
I have spent hours trying to get the VPN part of the phone to connect with no success. At this point I am looking for a consultant who has done this before and can just get it done for us.
If it makes you feel any better, I have 35+ years of *nix experience, 20 years of network/VPNs and almost 10 years of Asterisk. I have spent at least 30 hours and can't get it to work either.
It's a big deal too; I promise to share my findings. Had to take a break from it for the holidays, time to dive back in.
Thanks, I appreciate it. I will share anything I get as well. There are different guides and methods of getting it working according to other people but so far I have been unsuccessful.
This may be something you already know... but if it can help: I've done some OpenVPN work, and lost some hair in the process.
If you are going to have multiple end-points connecting to the server, then you must be running with certificates.
You must make sure that each endpoint has a different certificate (OpenVPN seems to allow endpoints to share a certificate, but I'm not sure how well this works).
The server certificate purpose is critical, and must have 'Digital Signature' and 'Key Encipherment' set. I've found that a simple web server certificate will not work; OpenVPN won't use it. Notice that the Server and User certs differ subtly. Netscape Comment isn't just a comment, it is a certificate purpose.
Server cert:
    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE
        Netscape Cert Type:
            SSL Server
        Netscape Comment:
            OpenSSL Generated Server Certificate
        X509v3 Extended Key Usage:
            TLS Web Server Authentication
        X509v3 Key Usage:
            Digital Signature, Key Encipherment
The server must be configured in a remote-access type scenario, e.g.:
    server 192.168.255.0 255.255.255.0
The server must push routes for all reachable subnets or hosts, e.g.:
    push "route 192.168.1.0 255.255.255.0"
The clients may need iroute commands in the client-config-dir (on the server) that match the certificate CN to push their local subnet to OpenVPN, and the server config must have the equivalent route commands. It is counter-intuitive to say the least! However I've found this setup to work reliably.
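A small consistency check for the layout described above (server mode, pushed routes, and the counter-intuitive iroute/route pairing), as an added example that is not from the original thread; the server config and client-config-dir contents are constructed with hypothetical addresses:

```python
"""Checks for the OpenVPN server layout described in the post above: 'server'
mode, pushed routes, and a matching server-side 'route' for every 'iroute' in a
client-config-dir (ccd) file. Added example; all addresses are constructed."""
import shlex

# Constructed sample server config (hypothetical addresses).
SERVER_CONF = """dev tun
server 192.168.255.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
client-config-dir ccd
route 10.20.0.0 255.255.255.0
"""

# Constructed ccd files, keyed by the client certificate CN (= filename).
CCD_FILES = {
    "phone-office-a": "iroute 10.20.0.0 255.255.255.0\n",
    "phone-office-b": "iroute 10.30.0.0\n",  # single host, no 'route' on server
}

def parse_directives(text):
    """Split a config into [directive, arg, ...] lists, skipping comment lines."""
    out = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            out.append(shlex.split(line))
    return out

def subnet(args):
    """OpenVPN treats a missing netmask as a single host (/32)."""
    return (args[0], args[1] if len(args) > 1 else "255.255.255.255")

def check_routes(server_conf, ccd_files):
    """Report server mode, pushed routes and iroutes lacking a server 'route'."""
    srv = parse_directives(server_conf)
    routes = {subnet(d[1:]) for d in srv if d[0] == "route"}
    pushed = [subnet(shlex.split(d[1])[1:]) for d in srv
              if d[0] == "push" and shlex.split(d[1])[0] == "route"]
    missing = {}
    for cn, text in ccd_files.items():
        for d in parse_directives(text):
            if d[0] == "iroute" and subnet(d[1:]) not in routes:
                missing.setdefault(cn, []).append(" ".join(subnet(d[1:])))
    return {"server_mode": any(d[0] == "server" for d in srv),
            "ccd_configured": any(d[0] == "client-config-dir" for d in srv),
            "pushed_routes": pushed, "iroute_without_route": missing}

if __name__ == "__main__":
    for key, value in check_routes(SERVER_CONF, CCD_FILES).items():
        print(f"{key}: {value}")
```

In the constructed sample, phone-office-b's iroute is flagged because the server config has no matching route line for it.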
This looks very similar to how the Yealinks work. I am building that OpenVPN server with the steps he has to see if that works better than the appliance that I am using. Did you have any issues, or were you able to follow this guide to the letter?