12 June 2013

Yealink T38 OpenVPN configuration

Well, it's been a long time since I posted a tutorial, but here is a nice one.
I needed to configure a Yealink T38 to connect over VPN to a remote location. As you may or may not know, the T38 comes with OpenVPN support. However, as always with Yealink, the documentation on how to do it is poor, to say the least...

There are other tutorials, but none are complete imho.

This tutorial will show you how to set up an OpenVPN server on Ubuntu, and how to configure the Yealink to use the VPN.
Please note the following:

*I'm using a TUN (routed) connection for OpenVPN, so if you need a bridged (TAP) one, DON'T follow this guide (for the OpenVPN setup, that is)
*This has been done with a Yealink T38 running FW 38.70.23.9 (although other versions should work too)
*The procedure for a Yealink T26/T28 is the same, except for the location of the certificates; more on that later on.

So let's start with the Ubuntu & Openvpn setup.

1) Let's make sure everything is up-to-date:

apt-get update && apt-get upgrade

2) Install the packages for OpenVPN:

apt-get install openvpn udev

3) Copy the easy-rsa scripts to another location to make sure they don't get overwritten by updates:

cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn

4) Configure the vars file to include all the info needed to generate certificates.
  Edit the following lines to match your country etc...
export KEY_COUNTRY="COUNTRY"
export KEY_PROVINCE="STATE"
export KEY_CITY="CITY"
export KEY_ORG="ORGANIZATION NAME"
export KEY_EMAIL="YOUR EMAIL"
5) Now we need to load the vars file, clean up and build the CA.

cd into /etc/openvpn/easy-rsa/2.0
Run:
. /etc/openvpn/easy-rsa/2.0/vars

(NOTE: in case you get an error about openssl.cnf being the wrong version or not being found,
issue the following: cp openssl-1.0.0.cnf openssl.cnf)

Now to clean up run:
. /etc/openvpn/easy-rsa/2.0/clean-all

Now we need to build the CA, run:

. /etc/openvpn/easy-rsa/2.0/build-ca
It will ask you for some settings, but they should already be taken correctly
from the vars file, so just press Enter to continue. When done it will ask you to sign
and commit, so enter y to confirm.

6) Now we need to build the certificate and key for the server itself. So run:

. /etc/openvpn/easy-rsa/2.0/build-key-server <YOUR SERVER NAME>

Again the settings should match the ones you entered before, but note that the server name should be the one you chose for your server.

7) Now we need to generate the client certificate & key file. So run:

. /etc/openvpn/easy-rsa/2.0/build-key <YOUR CLIENT>

Again note the client name should be the same as the one entered in the above command.

8) Now generate the DH file for the key exchanges.

. /etc/openvpn/easy-rsa/2.0/build-dh   

9) Now that we have the required files, let's put them somewhere safe for further
adjustment.

To copy the client files, make a dir somewhere, f.e.: mkdir /tmp/yealink
Now go to the dir with the client files:
cd /etc/openvpn/easy-rsa/2.0/keys
Copy the files to the new dir:
cp ca.crt <clientname>.crt <clientname>.key /tmp/yealink
 
10) Now we need to move the certificates for the server to a location where the
   openvpn service can find them. So change back to the dir with the certs:

cd /etc/openvpn/easy-rsa/2.0/keys
   and copy the certs:
cp ca.crt ca.key dh1024.pem <YOURSERVERNAME>.crt <YOURSERVERNAME>.key /etc/openvpn
 
11) Now that this is done we need to modify the server config file to match our needs.
   There are examples provided with the openvpn docs, which should make life easy.

cd /usr/share/doc/openvpn/examples/sample-config-files
gunzip -d server.conf.gz
mv server.conf /etc/openvpn/<YOURSERVERNAME>.conf

   Edit the file using your favourite editor. I'll use nano:
nano /etc/openvpn/<YOURSERVERNAME>.conf
   Uncomment the following:
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
   (Here you can also specify your port & protocol etc...)
 
12) Now we need to set up the server to forward the VPN traffic.
   Edit the sysctl.conf file (nano /etc/sysctl.conf) and uncomment the following line:

net.ipv4.ip_forward=1

   Then punch a hole in iptables to allow the traffic through:

iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
  
13) That's it, you're done with the server side, now let's move to the client side.
   cd to the folder where you dropped the client files (see step 9).
   Here you need to create a config file for the Yealink; for your convenience
   I've made one you can copy, paste and adjust a few lines in.
   You need to save this file as vpn.cnf (DON'T COPY THE -------)
 
-------------------------------------------------------------------
client

;dev tap
dev tun


;dev-node MyTap

;proto tcp
proto udp

remote >YOURSERVERWANIP OR HOSTNAME< >YOURPORT<

;remote-random


resolv-retry infinite

nobind

;user nobody
;group nogroup

persist-key
persist-tun

;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

;mute-replay-warnings

ca /phone/config/openvpn/keys/ca.crt
cert /phone/config/openvpn/keys/client.crt
key /phone/config/openvpn/keys/client.key

ns-cert-type server
 
;cipher x

comp-lzo


verb 6

;mute 20 
----------------------------------------------------------------------
 
14) Now if you're still with me you should have the following in your dir:
   ca.crt + client.crt + client.key + vpn.cnf
   If so, then let's continue.
   Make a new dir named keys (mkdir keys) and move the certs & keys there,
   but not the .cnf file.
 
15) Almost there, now we need to make a tar that the Yealink can use.
   Yealink expects a very strange folder structure, with the top folder being named
   "."
   The way I found to do this is as follows: while in the directory where the
   .cnf file and the "keys" folder are located, issue:

tar -cf client.tar .

   If all goes well you should now have a tar named client.tar.
   If that is the case, you now need to move this tar file to a PC from which you can
   access the Yealink web interface.
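As an added example (not the author's script), the following POSIX shell snippet builds the client.tar of step 15 and then checks that every ca/cert/key path named in vpn.cnf, after stripping the phone-side prefix, exists inside the tar; a mismatch here is the "cannot find client.crt" type of error the phone logs. The helper names, the dummy PEM contents and the demo prefixes (/phone/config/openvpn for the T3x, /yealink/config/openvpn for the T2x) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: build the Yealink client bundle
# from a working directory and verify that each certificate path in vpn.cnf
# resolves to a file inside the tar under the phone-side prefix.
# Assumed layout: <workdir>/vpn.cnf and <workdir>/keys/{ca.crt,client.crt,client.key}.

# Create the tar with "." as the top-level entry, as the phone expects.
build_bundle() {            # $1 = work dir, $2 = absolute path of the tar to write
    ( cd "$1" && tar -cf "$2" . )
}

# Return 0 when each ca/cert/key path in $2 (vpn.cnf), after stripping the
# prefix $3 (/phone/config/openvpn on T3x, /yealink/config/openvpn on T2x),
# names an entry of tar $1. Print what is wrong otherwise.
check_bundle() {
    tar_file=$1; cnf=$2; prefix=$3; status=0
    tar -tf "$tar_file" | sed 's#^\./##' > "$tar_file.list"
    for p in $(awk '$1=="ca"||$1=="cert"||$1=="key"{print $2}' "$cnf"); do
        rel=${p#"$prefix/"}
        if [ "$rel" = "$p" ]; then
            echo "$p does not start with $prefix/"; status=1
        elif ! grep -qxF "$rel" "$tar_file.list"; then
            echo "missing in tar: $rel (referenced as $p)"; status=1
        fi
    done
    rm -f "$tar_file.list"
    return $status
}

# Constructed sample input: dummy PEM files and a minimal vpn.cnf using prefix $1.
make_demo_dir() {
    d=$(mktemp -d); mkdir "$d/keys"
    for f in ca.crt client.crt client.key; do
        printf '%s\n' '-----BEGIN DUMMY-----' 'constructed' '-----END DUMMY-----' > "$d/keys/$f"
    done
    printf '%s\n' client 'dev tun' 'proto udp' "ca $1/keys/ca.crt" \
        "cert $1/keys/client.crt" "key $1/keys/client.key" 'ns-cert-type server' > "$d/vpn.cnf"
    echo "$d"
}

PREFIX=/phone/config/openvpn                 # T3x prefix; the T2x uses /yealink/config/openvpn
WORK=$(make_demo_dir "$PREFIX")
build_bundle "$WORK" "$WORK.tar"
check_bundle "$WORK.tar" "$WORK/vpn.cnf" "$PREFIX" && echo "bundle OK: $WORK.tar"
# The same bundle checked against the T2x prefix fails: that is the mismatch to look for.
check_bundle "$WORK.tar" "$WORK/vpn.cnf" /yealink/config/openvpn || echo "prefix mismatch detected"
```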
 
16) Log into the Yealink phone, go to the NETWORK tab, then click ADVANCED in
   the left side pane.

17) There is an option VPN there, which is disabled by default. But first you need
   to upload your client tar file: click browse and upload the file.
   Once this is done you can enable the VPN functionality; the phone will reboot.

18) If all went well, you should now have a working VPN to the openvpn server.
   This is shown by a small V icon on the T38.

Now you can connect to the remote PBX and all should be well.
Just note that you might need to add routes to the VPN subnet (10.8.0.0/24).
 
As a side note: in the config file above you will see the certificate locations are
/phone/config...
This is only correct for the Yealink T3x; if you are using a T2x, you should use
/yealink/config...
All the other steps remain the same.

In case you still don't get it to work , drop me a message.

3 comments:

Anonymous said...

Would you happen to know or is there a way to determine the proper paths for the new T46G phone? My config file successfully uploads to the phone but the phones log indicates it can't find the client1.crt file.

I have an email into Yealink but so far they replied with outdated info.

Brian

$3t4*$0uj1r0 said...

To Brian:

Not sure what happened, but your comment is not listed here for some reason.

Anyway, it could be that you need to enter the path as with the T2x series (/yealink/config...), otherwise I don't have an answer for now. However I will have the next phones soon, so I will test and post an update.

Unknown said...

I am sure this paragraph has touched all the internet visitors, it's a really really pleasant piece of writing on building up a new weblog.
Best vpn