Connecting IP phones directly to the Yeastar built-in OpenVPN server brings great convenience to small and medium companies that have not built a VPN network for the whole company, especially for remote extensions. With the VPN connection, the field implementation engineer does not need to consider network settings such as NAT and port forwarding for SIP and RTP, which are the usual causes of one-way audio and registration failure problems. At the same time, the VPN provides a high-security VoIP network that helps prevent phone theft and attacks on the PBX server.
Yeastar S-Series PBX offers a graphical user interface for the administrator to set up an OpenVPN server. Please follow the guide here: VPN server guide
To set up the OpenVPN server in a Yeastar S-Series PBX, we need to follow the main steps below:
- Generate Certificates and Keys.
- Setup OpenVPN Server on Yeastar S-Series PBX
- Manage VPN Client configuration packet on Yealink IP Phone.
In this document, we focus on how to prepare the correct Yealink OpenVPN configuration package. Since Yealink phones do not provide a GUI for the OpenVPN client settings, we need to prepare an OpenVPN client package that contains all the certificates, keys and configuration settings together.
The package structure: all the certificates and keys needed go in a folder named "keys", and a "vpn.cnf" file holding the client parameter settings goes in the root directory; all of these files are then archived into a .tar file. Refer to the detailed steps below.
1. Create a folder on your computer with any name you like; I named it OpenVPN for this example.
2. Create a folder named "keys" under the "OpenVPN" directory.
3. Put all the certificates and keys in the folder "keys" (ta.key is needed if you enable TLS authentication).
4. Write a vpn.cnf with Notepad and enter the correct settings for the OpenVPN client. Here is an example for reference (text after # is a comment and can be left out; OpenVPN does not accept // as a comment marker):
dev tap   # Choose the correct device mode, TAP or TUN
proto udp   # Choose the correct protocol, UDP or TCP
remote yeastartx.xxxxxxx.com 1194   # The OpenVPN server's address and port
cipher BF-CBC   # Encryption type. Blowfish: BF-CBC, AES-128: AES-128-CBC, AES-256: AES-256-CBC, Triple-DES: DES-EDE3-CBC
ca /config/openvpn/keys/ca.crt   # Path to the CA certificate
cert /config/openvpn/keys/phones.crt   # Path to the phone's certificate
key /config/openvpn/keys/phones.key   # Path to the phone's private key
tls-auth /config/openvpn/keys/ta.key 1   # Enable TLS authentication and point to the TA key; remove this line to disable TLS authentication
comp-lzo   # Enable compression
5. Select the folder "keys" and the file "vpn.cnf", then archive them into a file named OpenVPN.tar using the 7z software.
6. Upload OpenVPN.tar to the Yealink IP phone under Network → Advanced → VPN, then activate the VPN. (Attention: upload OpenVPN.tar first and only then enable the VPN on the Yealink phone; otherwise the phone will not take the configuration.) The Yealink phone will reboot itself to apply the changes. After the phone reboots, we can check the VPN connection status by looking at the VPN indicator on the Yealink LCD screen.
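The following POSIX shell script is an added example, not code from the article or from Yeastar or Yealink. It automates steps 1 to 5 above: it stages a "keys" folder and a "vpn.cnf" in a temporary directory, refuses to build a package when any mandatory file is missing, includes the tls-auth line only when ta.key is present, and writes an OpenVPN.tar whose root holds vpn.cnf and keys/ directly, the same layout 7z produces. Assumptions: the certificate and key file names (ca.crt, phones.crt, phones.key, ta.key) are those used in the article's vpn.cnf; the server host and port are passed as arguments; the cipher is AES-256-CBC rather than the article's BF-CBC, because Blowfish has a 64-bit block size and is deprecated in current OpenVPN releases (it must match the cipher configured on the Yeastar server side); and comp-lzo is left out, since compression of encrypted traffic weakens confidentiality.

```shell
#!/bin/sh
# Added example (not from the article, Yeastar or Yealink): build the Yealink
# OpenVPN client package from a directory that already holds the certificates
# and keys. File names follow the article's vpn.cnf; host/port are arguments.

# build_vpn_package SRC_DIR OUT_TAR SERVER_HOST [SERVER_PORT]
build_vpn_package() {
  src="$1"; out="$2"; host="$3"; port="${4:-1194}"
  # tar runs from inside the staging directory, so make the output path absolute
  case "$out" in /*) ;; *) out="$PWD/$out" ;; esac

  work=$(mktemp -d) || return 1
  mkdir -p "$work/keys" || { rm -rf "$work"; return 1; }

  # CA cert, phone cert and phone key are mandatory: refuse to build an
  # incomplete package rather than let the phone fail silently after reboot.
  for f in ca.crt phones.crt phones.key; do
    if [ ! -s "$src/$f" ]; then
      echo "build_vpn_package: missing or empty $src/$f" >&2
      rm -rf "$work"; return 1
    fi
    cp "$src/$f" "$work/keys/$f"
  done
  chmod 600 "$work/keys/phones.key"   # private key: owner-only permissions

  # ta.key is optional; include the tls-auth line only when the key exists,
  # which mirrors the article's note that removing the line disables TLS auth.
  tls_line=""
  if [ -s "$src/ta.key" ]; then
    cp "$src/ta.key" "$work/keys/ta.key"
    tls_line="tls-auth /config/openvpn/keys/ta.key 1"
  fi

  # Client config. Paths are the phone's fixed /config/openvpn/keys/ location.
  # AES-256-CBC instead of BF-CBC (64-bit block cipher, deprecated by OpenVPN);
  # it must match the cipher set on the Yeastar server. comp-lzo is omitted.
  cat > "$work/vpn.cnf" <<EOF
dev tap
proto udp
remote $host $port
cipher AES-256-CBC
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/phones.crt
key /config/openvpn/keys/phones.key
${tls_line}
EOF

  # The archive root must contain vpn.cnf and keys/ directly, no wrapping folder.
  ( cd "$work" && tar -cf "$out" vpn.cnf keys ) || { rm -rf "$work"; return 1; }
  rm -rf "$work"
  echo "wrote $out"
}

# package_config OUT_TAR: print the vpn.cnf stored in a package so the remote,
# cipher and tls-auth lines can be checked before uploading it to the phone.
package_config() {
  tar -xOf "$1" vpn.cnf
}
```

Usage: `build_vpn_package ./certs ./OpenVPN.tar yeastartx.xxxxxxx.com 1194` followed by `package_config ./OpenVPN.tar` to review the embedded configuration; the resulting tar is then uploaded in step 6 exactly as the 7z archive would be.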
Hi Pixy, very useful article. Just one question: I have successfully set up a VPN environment between the S-Series and both Windows and Android clients, as explained in Yeastar's VPN setup manual. Now I need to add Yealink phones. Shall I just generate a new key & cert for the phone, or do I need to start the whole process all over again? Which part of Yeastar's manual should I follow to generate the tar file for the phone? Thank you.
Hello, if I set up a VPN with a T22P, can I have one account on the local network and one on the VPN network? Thank you.
Do you mean one account registered to the local PBX, and another account registered to the PBX within the VPN?
If so, the answer is yes.
Yes! Thank you!
Hello, is there a way to access the log files of the OpenVPN server in the S-Series PBX?
Once you are on the 'support' prompt, just run the command:
nc localhost 8094
This will activate real-time OpenVPN logging on the console.
Thanks Gustavo Garcia!
Hi, I carried out the whole process to the letter with a Yealink T21 E2 phone but I cannot get the VPN to come up. The Yeastar I have is an S50, and the certificates I am generating are created with an MD5 signature.