Set up VPN on Yealink T-22P phone


(Hawk McDuck) #1

FreePBX 15.0.17.24 / Asterisk 16.15.1 / all modules up to date

I am trying to set up VPN on a Yealink T-22P phone to connect remotely to an OpenVPN server on FreePBX using the standard port 1194. The FreePBX server is at 11.22.15.72 (anonymized), and the public IP of the remote Yealink phone is 11.22.23.21 (anonymized). I have set up two Sangoma S500 phones as VPN clients on the same remote network 11.22.23.21 and they work perfectly as VPN clients. Note that I am using a pfSense firewall and port 1194 has been opened to 11.22.23.21 and forwarded to FreePBX.

The T-22P phone was Reset to Factory. Note that I have no problem connecting the T-22P as a remote phone from 11.22.13.21 but it fails when I try to set it up to connect to the OpenVPN server on FreePBX.

I am using this procedure in the link in the FreePBX wiki:

https://wiki.freepbx.org/display/FDT/[How-to]+Set+up+VPN+on+Yealink+Phone

and generate the following files from UCP for the Yealink extension: sysadmin_ca.crt, sysadmin_client1.conf, sysadmin_client109.crt, sysadmin_client109.key, and sysadmin_client109.ovpn.

Here is my vpn.cnf file with the .ca (i.e., sysadmin_ca.crt), .crt (i.e., sysadmin_client109.crt) and .key (i.e., sysadmin_client109.key) info removed:

client
dev tun
proto udp
remote 11.22.15.72
port 5061
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-128-CBC
auth SHA256
comp-lzo
verb 3

<ca>
-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----
</ca>
<cert>
Certificate:

-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

The vpn.cnf file has been tarred as follows:

tar cvf vpn.cfg.tar vpn.cnf

In the Network==>Advanced menu of the Yealink phone GUI I am able to upload the vpn.cfg.tar file. When I press Confirm, the Yealink phone GUI indicates “Operating Please Wait” which I believe should indicate that the file was successfully uploaded.

Here is a tcpdump of port 1194 (IP address anonymized). Note that ports 40976 and 52272 are the Sangoma S500 phones which are set up to connect with the OpenVPN server on FreePBX. There is no indication that the T-22P is sending out anything over port 1194.

[stewart@freepbx15vb asterisk]$ sudo tcpdump port 1194
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
08:34:40.533376 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 53
08:34:40.533492 IP freepbx15vb.openvpn > 11-22-23-21.dyn.novuscom.net.52272: UDP, length 53
08:34:44.237803 IP 11-22-23-21.dyn.novuscom.net.40976 > freepbx15vb.openvpn: UDP, length 69
08:34:44.246830 IP 11-22-23-21.dyn.novuscom.net.40976 > freepbx15vb.openvpn: UDP, length 69
08:34:45.257676 IP 11-22-23-21.dyn.novuscom.net.40976 > freepbx15vb.openvpn: UDP, length 69
08:34:45.267826 IP 11-22-23-21.dyn.novuscom.net.40976 > freepbx15vb.openvpn: UDP, length 69
08:34:46.485358 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 69
08:34:46.493595 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 69
08:34:47.465923 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 69
08:34:47.475943 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 69
08:34:48.672334 IP freepbx15vb.openvpn > 11-22-23-21.dyn.novuscom.net.40976: UDP, length 53
08:34:50.789614 IP freepbx15vb.openvpn > 11-22-23-21.dyn.novuscom.net.52272: UDP, length 53
08:34:56.005310 IP 11-22-23-21.dyn.novuscom.net.40976 > freepbx15vb.openvpn: UDP, length 53
08:34:57.843753 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 53
08:34:58.999197 IP freepbx15vb.openvpn > 11-22-23-21.dyn.novuscom.net.40976: UDP, length 53
08:35:01.062391 IP freepbx15vb.openvpn > 11-22-23-21.dyn.novuscom.net.52272: UDP, length 53
08:35:04.236986 IP 11-22-23-21.dyn.novuscom.net.40976 > freepbx15vb.openvpn: UDP, length 69
08:35:05.258603 IP 11-22-23-21.dyn.novuscom.net.40976 > freepbx15vb.openvpn: UDP, length 69
08:35:05.268837 IP 11-22-23-21.dyn.novuscom.net.40976 > freepbx15vb.openvpn: UDP, length 69
08:35:06.486154 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 69
08:35:06.493629 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 69
08:35:07.464571 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 69
08:35:07.473915 IP 11-22-23-21.dyn.novuscom.net.52272 > freepbx15vb.openvpn: UDP, length 69
08:35:08.639106 IP freepbx15vb.openvpn > 11-22-23-21.dyn.novuscom.net.40976: UDP, length 53
^C
24 packets captured
26 packets received by filter
0 packets dropped by kernel
[stewart@freepbx15vb asterisk]$

Any suggestions would be appreciated.


#2

Shouldn’t that be port 1194?


(Hawk McDuck) #3

@Stewart1 Initially in the vpn.cnf text file, I had indeed put:

remote 11.22.15.72
port 1194

After this didn’t work, I took a closer look at the FreePBX wiki and it says:

remote [SERVER_IP]
port [SERVER_PORT]

After thinking about this for a while (“SERVER PORT” seems ambiguous to me) and then checking the Sangoma S500 GUI (where the phones are registering over VPN) where the “Primary SIP server” field is 10.8.0.1:5061, I decided to use 5061.

However, I’ve gone back, changed vpn.cnf to:

remote 11.22.15.72
port 1194

re-tarred vpn.cfg.tar and rebooted the Yealink T-22P.

Note that the two S500 phones which have successfully connected to the OpenVPN server have extensions 4001, 4002, 4003, 4004 and 4011, 4012, 4013 and 4014. Here is what sngrep shows for those two phones:

Idx Method SIP From SIP To Msgs Source Destination Call State
[ ] 212 REGISTER 4002@10.8.0.1:5061 4002@10.8.0.1:5061 4 10.8.0.3:5160 10.8.0.1:5061
[ ] 213 REGISTER 4004@10.8.0.1:5061 4004@10.8.0.1:5061 4 10.8.0.3:5360 10.8.0.1:5061
[ ] 216 REGISTER 4001@10.8.0.1:5061 4001@10.8.0.1:5061 4 10.8.0.3:5060 10.8.0.1:5061
[ ] 217 REGISTER 4003@10.8.0.1:5061 4003@10.8.0.1:5061 4 10.8.0.3:5260 10.8.0.1:5061
[ ] 225 REGISTER 4011@10.8.0.1:5061 4011@10.8.0.1:5061 4 10.8.0.4:5060 10.8.0.1:5061
[ ] 226 REGISTER 4013@10.8.0.1:5061 4013@10.8.0.1:5061 4 10.8.0.4:5260 10.8.0.1:5061
[ ] 236 REGISTER 4012@10.8.0.1:5061 4012@10.8.0.1:5061 4 10.8.0.4:5160 10.8.0.1:5061
[ ] 237 REGISTER 4014@10.8.0.1:5061 4014@10.8.0.1:5061 4 10.8.0.4:5360 10.8.0.1:5061

Note that the Yealink T-22P has extension 7221, the FreePBX server is 172.16.0.175, and by trying different values in the Account menu on the Yealink, here’s what sngrep shows:

[ ] 66 REGISTER 7221@11.22.15.72:5061 7221@64.46.15.72:5061 8 11.22.23.21:5061 172.16.0.175:1194
[ ] 162 REGISTER 7221@11.22.15.72:5061 7221@64.46.15.72:5061 4 11.22.23.21:5061 172.16.0.175:1194
[ ] 165 REGISTER 7221@172.16.0.175:5061 7221@172.16.0.175:5061 10 11.22.23.21:5061 172.16.0.175:1194


(Hawk McDuck) #4

Update: I contacted Yealink support and here is the reply I received.

Dear Customer,

Please provide the VPN file you uploaded to the phone for us to check and test. For old phones like T22P, the file format may be different.

BR
East


(Hawk McDuck) #5

After sending the VPN file to Yealink support, here is the reply I received:

Dear Customer,

In the vpn.cnf file, I found that you would like to use SHA256, but T22P is too old to support that. I think “cipher AES-128-CBC” is not supported either.

Please try lower encryption methods, such as MD5 or SHA1. You will need to change the settings on the server side, and rebuild the CAs.

BR
East
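As an added example (not code from this thread, FreePBX or Yealink): a small Python linter for the inline-format OpenVPN profile shown in post #1. It catches the port mismatch raised in post #2 (a SIP port in the `port` line instead of the OpenVPN port), flags the MD5/SHA1 downgrade suggested in post #5 as a weak HMAC digest, and reports non-PEM text ahead of a certificate header; the sample profile is constructed, with PEM bodies elided, and whether the phone tolerates such leading text is not established by the thread.

```python
# Constructed sample mirroring the vpn.cnf in post #1 (PEM bodies elided).
SAMPLE_CNF = """remote 11.22.15.72
port 5061
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
Certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
"""
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}   # 'auth none' disables the HMAC entirely

def parse_profile(text):
    """Split an OpenVPN profile into top-level options and inline <tag> blocks."""
    options, blocks, tag, body = {}, {}, None, []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        if line.startswith("</"):                # closing tag: store the block
            blocks[tag], tag = "\n".join(body), None
        elif tag:                                # inside a block: keep verbatim
            body.append(line)
        elif line.startswith("<"):               # opening tag such as <ca>
            tag, body = line.strip("<>"), []
        elif line[0] not in "#;":                # skip comment lines
            parts = line.split()
            options[parts[0]] = parts[1:]        # last occurrence wins, as in OpenVPN
    return options, blocks

def lint_profile(text, expected_port=1194):
    """Yield findings for the problems discussed in the thread."""
    opts, blocks = parse_profile(text)
    port = int(opts.get("port", ["1194"])[0])    # OpenVPN's default port
    if port != expected_port:
        yield f"port {port} is not the OpenVPN server port {expected_port}"
    digest = opts.get("auth", ["SHA1"])[0].upper()  # OpenVPN's default auth is SHA1
    if digest in WEAK_DIGESTS:
        yield f"auth {digest} is a weak HMAC digest"
    for tag in ("ca", "cert", "key"):
        pem = blocks.get(tag, "")
        if "-----BEGIN " not in pem or "-----END " not in pem:
            yield f"<{tag}> block missing or lacks PEM markers"
        elif not pem.startswith("-----BEGIN "):
            yield f"<{tag}> has text before the PEM header"
```

Run it with `list(lint_profile(open("vpn.cnf").read()))`; an empty list means none of the thread's three problems is present.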