Connect a Yealink phone to Yeastar S-Series built-in OpenVPN server

Connecting IP phones directly to the Yeastar built-in OpenVPN server is a great convenience for small and medium-sized companies that have not built a VPN network for the whole company, especially for remote extensions. With the VPN connection, the field implementation engineer does not need to consider network settings such as NAT and port forwarding for SIP and RTP, which are related to one-way audio and registration failure problems. At the same time, the VPN provides a high-security VoIP network to prevent phone theft and attacks on the PBX server.


Yeastar S-Series PBX offers a graphical user interface for the administrator to build an OpenVPN server. Please follow the guide here: http://www.yeastar.com/download/S_Series/VPN_Server_Configuration_Guide_en.pdf.

To build the OpenVPN server on the Yeastar S-Series PBX, follow the main steps below:

  1. Generate certificates and keys.
  2. Set up the OpenVPN server on the Yeastar S-Series PBX.
  3. Manage the VPN client configuration package on the Yealink IP phone.

In this document, we focus on how to set up a correct Yealink OpenVPN configuration package. Since the Yealink phone does not provide a GUI for OpenVPN client settings, we need to prepare an OpenVPN client package that includes all the certificates, keys and configuration settings together.

The package structure:

We put all the certificates and keys in the folder "keys" and create a "vpn.cnf" file for the client parameter settings in the root directory, then pack all these files into a .tar file. The detailed steps are below.


1. Create a folder on your computer with any name you like; I named it OpenVPN for this example.

2. Create a folder named "keys" under the "OpenVPN" directory.
3. Put all the certificates and keys in the folder "keys" (ta.key is needed if you enable TLS authentication).

 

4. Write a vpn.cnf file with Notepad and enter the correct settings for the OpenVPN client. Here is an example for reference:

client
dev tap # Choose the correct device mode, TAP or TUN
proto udp # Choose the correct protocol, UDP or TCP
remote yeastartx.xxxxxxx.com 1194 # Enter the OpenVPN server's address and port
remote-random
resolv-retry infinite
nobind
persist-key
persist-tun
cipher BF-CBC # Encryption type. Blowfish: BF-CBC, AES-128: AES-128-CBC, AES-256: AES-256-CBC, Triple-DES: DES-EDE3-CBC
ns-cert-type server
verb 3
ca /config/openvpn/keys/ca.crt # Path to the CA certificate
cert /config/openvpn/keys/phones.crt # Path to the client certificate
key /config/openvpn/keys/phones.key # Path to the client private key
tls-auth /config/openvpn/keys/ta.key 1 # Enables TLS authentication and points to the TA key; remove this line to disable TLS authentication
comp-lzo # Enables compression

5. Select the folder "keys" and the file "vpn.cnf", then pack them into a file named OpenVPN.tar using 7z.

6. Upload OpenVPN.tar to the Yealink IP phone under Network → Advanced → VPN, then activate the VPN. (Attention: you must upload OpenVPN.tar first and then enable the VPN on the Yealink phone, otherwise the phone will not take the configuration.) The Yealink phone reboots itself to apply the changes. After the phone has rebooted, check the VPN connection status by looking at the VPN indicator shown on the Yealink LCD screen.
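
A pre-upload check for the package built in steps 1 to 5, as an added example that is not part of the original article or of Yeastar or Yealink tooling. It confirms that the archive is a plain tar with vpn.cnf in the root, that every ca, cert, key and tls-auth path has a matching file in keys/, that the cipher is one of the four values listed above, and that no `//` text remains (OpenVPN treats only `#` and `;` as comment markers). The function names and the sample data are assumptions made for this illustration.

```python
import io
import tarfile

PHONE_KEY_DIR = "/config/openvpn/keys/"  # key location used in the article's vpn.cnf
FILE_DIRECTIVES = {"ca", "cert", "key", "tls-auth"}
PAGE_CIPHERS = {"BF-CBC", "AES-128-CBC", "AES-256-CBC", "DES-EDE3-CBC"}

def make_tar(files):  # {archive name: bytes} -> in-memory plain tar (sample builder)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return io.BytesIO(buf.getvalue())

def check_package(fileobj):
    """Return a list of problems in a package laid out as vpn.cnf plus keys/."""
    try:
        tar = tarfile.open(fileobj=fileobj, mode="r:")  # "r:" = uncompressed tar only
    except tarfile.ReadError:
        return ["not a plain .tar archive"]
    with tar:
        files = {m.name.removeprefix("./"): m for m in tar if m.isfile()}
        if "vpn.cnf" not in files:
            return ["vpn.cnf is not in the archive root"]
        text = tar.extractfile(files["vpn.cnf"]).read().decode("utf-8", "replace")
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # '#' starts an OpenVPN comment
        if not tokens or tokens[0].startswith(";"):  # so does a leading ';'
            continue
        if any(t.startswith("//") for t in tokens):
            problems.append(f"line {n}: '//' is not an OpenVPN comment marker")
        if tokens[0] in FILE_DIRECTIVES and len(tokens) > 1:
            if not tokens[1].startswith(PHONE_KEY_DIR):
                problems.append(f"line {n}: {tokens[0]} path is outside {PHONE_KEY_DIR}")
            elif "keys/" + tokens[1][len(PHONE_KEY_DIR):] not in files:
                problems.append(f"line {n}: {tokens[1]} has no matching file in keys/")
        if tokens[0] == "cipher" and len(tokens) > 1 and tokens[1] not in PAGE_CIPHERS:
            problems.append(f"line {n}: unknown cipher {tokens[1]}")
    return problems

# Constructed sample: placeholder bytes, not real key material; ta.key is left out.
SAMPLE_CNF = (b"client\ndev tap\nproto udp\ncipher AES-256-CBC\n"
              b"ca /config/openvpn/keys/ca.crt\ncert /config/openvpn/keys/phones.crt\n"
              b"key /config/openvpn/keys/phones.key\ntls-auth /config/openvpn/keys/ta.key 1\n")
SAMPLE_KEYS = {f"keys/{n}": b"placeholder" for n in ("ca.crt", "phones.crt", "phones.key")}
print(check_package(make_tar({"vpn.cnf": SAMPLE_CNF, **SAMPLE_KEYS})))
```

To check a real package, pass the opened file, for example `check_package(open("OpenVPN.tar", "rb"))`.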


1 Comments


    Hi Pixy, very useful article.  Just one question: I have successfully set up a VPN environment between S-Series and both Windows and Android clients, as explained in Yeastar's VPN setup manual.  Now I need to add Yealink phones. Shall I just generate a new Key & Cert for the phone or do I need to start the whole process all over again?  What part of Yeastar's manual should I execute to generate the tar file for the phone?  Thank you.
