Directly connect IP Phones to Yeastar build-in OpenVPN Server will bring great convenience to small and medium company who does not build up a VPN network for whole company, especially for the remote extensions. With the VPN connection, field implementation engineer won't need to consider the networking setting such as NAT, port forwarding for the SIP and RTP which related to the one-way audio and register failure problem. In the mean time, VPN provide a high-level security VoIP network to prevent phone theft and attacks to PBX server.
Yeastar S Series PBX offer a Graphical User Interface for administrator to build up a OpenVPN server. Please follow the guide here: VPN server guide
To build up the OpenVPN Server in Yeastar S Series PBX, we need to follow by the main steps below:
- Generate Certificates and Keys.
- Setup OpenVPN Server on Yeastar S-Series PBX
- Manage VPN Client configuration packet on Yealink IP Phone.
- In this document, we focus on how to setup the correct Yealink OpenVPN conf packet. Since Yealink phone not provide the GUI interface for OpenVPN Client settings, we need to prepare a OpenVPN client packet including all the certifications, keys and configuraion settings altogether.
- The packet structure:
We put all the certification and keys needed on the folder "Keys" and create a "vpn.cnf" file for client parameter settings on the root directory. and zip all these files on a .tar file. Refer the details steps below.
1. Create an folder on computer whatever you named it, I named it as OpenVPN for example.
2. Create an folder named "keys" under the "OpenVPN" directory.
3. Put all the certification and keys on the folder "keys", (ta.key needed if you enable the TLS authentication)
4. Write a vpn.cnf with notepad, and input the correct settings for OpenVPN client, here I enclosed an example for reference,
dev tap //Choose the correct Device Mode, TAP or TUN
proto udp // Choose the correct protocol, UDP or TCP
remote yeastartx.xxxxxxx.com 1194 // input the OpenVPN Server's address and port
cipher BF-CBC //Encryption type, BlowFish: BF-CBS, AES-128:AES-128-CBC, AES-256: AES-256-CBC, Triple-DES: DES-EDE3-CBC;
ca /config/openvpn/keys/ca.crt //Point to the CA Cert
cert /config/openvpn/keys/phones.crt //Point to the Cert
key /config/openvpn/keys/phones.key //Point to the Key
tls-auth /config/openvpn/keys/ta.key 1 //Enable the TLS Authentication and Point to the TA key. remove this line to disable the TLS authentication.
comp-lzo // Enabled the Compression
5. Select the folder "keys" and file "vpn.cnf", then zip them to a file OpenVPN.tar using the software 7z.
6. Upload the OpenVPN.tar to Yealink IP phone, path: Network → Advanced → VPN. then active the VPN, (Attention: we must upload the OpenVPN.tar first, then enable the VPN on Yealink phone, or Yealink phone won't take the configuration), Yealink phone will reboot itself to apply changes. After phone rebooting, we can check if the VPN connection status by checking the VPN indicator shown in the Yealink LCD screen.