Yeastar S-Series VoIP PBX supports the TLS protocol. You can set up Yeastar S-Series VoIP PBX with Secure SIP (TLS) to secure the SIP messaging, and a VPN also needs to transmit the SIP messaging to ensure communication between the different devices.
However, it is not convenient for every user to create certificates. This article therefore provides instructions on how to configure TLS without certificates on Yeastar IPPBX. This is less secure than the configuration with a certificate: the phone does not verify the PBX's certificate, so the connection is encrypted but the PBX's identity is not authenticated. Please consider the risk before you start.
We tested with:
- Yeastar S100: firmware version 126.96.36.199; IP address: 192.168.5.150
- Yealink T46G: firmware version 188.8.131.52; IP address: 192.168.9.113
Port forwarding configuration
Step 1. Configure port forwarding on router
Example: The router’s public IP is 110.X.X.X.
Since the Yeastar S-Series PBX is behind the router, to register to it remotely you need to forward the SIP port on the router that is connected to the PBX, so that all packets received on the router WAN port (110.X.X.X:5061) are forwarded to the Yeastar S-Series PBX (192.168.5.150:5061). Below is the setting page in a Linksys router.
Note: we must map TCP port 5061 and TCP port 10000-12000.
Step 2. Configure NAT settings in Yeastar S-Series PBX.
Log in to the Yeastar S-Series PBX web interface, go to “Setting > General > SIP > NAT”, and configure the NAT settings according to the directions below.
NAT Type: choose “External IP Address”; you can choose “External Host” or “STUN” if you don’t have a static public IP address.
External IP Address: fill in the router’s public IP address
Local Network Address: fill in your local network segment and subnet mask (e.g. 192.168.5.150/255.255.255.0)
NAT mode: Yes
Step 3. Set up an extension in Yeastar S-Series PBX (e.g. 1002).
Register Remotely: Yes
Configuring S100 with TLS
Step 1. Enable TLS on S100.
- Navigate to Settings > PBX > General > SIP > PBX > TLS.
- Check the Enable TLS checkbox.
- Do not select any certificate under Certificate.
- Click Save and click Yes on the pop-up window to reboot the PBX.
Step 2. Set up a TLS extension.
Go to Settings > PBX > Extensions > Advanced, choose an extension, edit it, and set the transport to TLS.
Configuring Yealink T46G with TLS
Step 1. Register the TLS extension.
1) Fill in the extension details.
2) Choose transport as TLS.
3) Click Confirm and check the extension status.
Step 2. Disable Only Accept Trusted Certificates.
1) Disable the option Only Accept Trusted Certificates.
2) Disable the option Common Name Validation.
3) Choose All Certificates as the CA Certificates.
4) Click Confirm and check the extension status.
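With Only Accept Trusted Certificates and Common Name Validation disabled, the phone accepts whatever certificate answers on port 5061, so a changed certificate goes unnoticed. The script below is an added example, not from Yeastar or Yealink: it records the SHA-256 fingerprint of the certificate the PBX presents and reports when it later differs from the recorded one. The function names and the script name pbx_pin.py are assumptions made for this illustration.

```python
import hashlib
import hmac
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept 'AA:BB:..' (openssl style) or plain hex in any case."""
    return pin.replace(":", "").replace(" ", "").strip().lower()


def fetch_cert(host: str, port: int = 5061, timeout: float = 5.0) -> bytes:
    """Fetch the server certificate WITHOUT validating it, mirroring the phone
    settings on this page (no trusted-CA check, no common-name check)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def audit(host, pinned=None, port=5061, fetch=fetch_cert):
    """Return (status, fingerprint); status is 'first-seen', 'match' or 'CHANGED'.
    'fetch' is injectable so the comparison logic can be tested offline."""
    seen = fingerprint(fetch(host, port))
    if pinned is None:
        return "first-seen", seen
    same = hmac.compare_digest(seen, normalize_pin(pinned))
    return ("match" if same else "CHANGED"), seen


if __name__ == "__main__":
    # usage: python pbx_pin.py <pbx-host> [pinned-fingerprint]
    pin = sys.argv[2] if len(sys.argv) > 2 else None
    status, fp = audit(sys.argv[1], pin)
    print(f"{status}: sha256={fp}")
    sys.exit(1 if status == "CHANGED" else 0)
```

Run it once from a trusted network to record the fingerprint, then pass that value on later runs; a CHANGED result means the endpoint on port 5061 is presenting a different certificate than the one recorded.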
How to Enable TLS Debug
This step is used to find where TLS issues may be caused. The PCAP packets captured on the PBX web GUI are encrypted, so they are useless for analysis. That is why you need to capture the Asterisk CLI logs and acquire the SIP packets, which are unencrypted.
Below is the file which shows how to capture Yeastar S-Series SIP packets with PuTTY: