I finally got the vpn funcionality to work on the Yealink T38G and thought I’d write a decent post about it once. There are a few other tutorials out there, but none are complete imho.
This tutorial will show you how to setup an OpenVPN server on Ubuntu, and how to configure the Yealink to use VPN.
- I’m using a TUNNEL(routed) connection for the OpenVPN , so if you need a bridged one, DON’T follow this guide (for the OpenVPN setup that is)
- This has been done with a Yealink T38 running FW 188.8.131.52 (although others should work as well)
- The procedure to do this with a Yealink T26/T28 is the same, except for the location of the certificates; more on that later on.
So let’s start with the Ubuntu & OpenVPN setup.
1)Let’s make sure everything is up-to-date
- apt-get update && apt-get upgrade
2)Download the OpenVPN packages
- apt-get install openvpn udev
3)Copy everything to another location and make sure they don’t get overwritten by updates
- cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn
4)Configure the vars file (it’s located in the easy-rsa/2.0/ folder you just moved) to include all the info to generate certficates, Edit the following lines to match you country etc…
- export KEY_COUNTRY=”COUNTRY”
export KEY_ORG=”ORGANIZATION NAME”
export KEY_EMAIL=”YOUR EMAIL”
5)change directory to the etc/openvpn/easy-rsa/2.0 folder, and run the following:
- . /etc/openvpn/easy-rsa/2.0/vars
Note: in case you get an error about openssl.conf being the wrong version,issue the following: cp openssl.1.0.0.conf openssl.conf
- source ./varsNow to clean up
- . /etc/openvpn/easy-rsa/2.0/clean-all
Now we must build the CA , so run:
- . /etc/openvpn/easy-rsa/2.0/build-ca
Note: it will ask several questions/settings but they should be good since it will use the vars file you created earlier. When done it will ask to build and write, so enter y
6)Now we need to build the certificate and key for the server itself.
- . /etc/openvpn/easy-rsa/2.0/build-key-server <yourchosenname>
7) Now we need to generate the client certificate & key file.
- . /etc/openvpn/easy-rsa/2.0/build-dh
9)So we have the required files, let’s put them somewhere safe for further configuration.
Make a directory somewhere. e.g mkdir /tmp/yealink, now go to the directory witht the client files (/easy-rsa/2.0/keys)
- cp ca.crt <yourchosenname>.crt <yourchosenname>.key /tmp/yealink
10)Now we must move the files to a location where the OpenVPN service can find them. So in the /keys directory:
- cp ca.crt ca.key dh1024.pem <yourchosenname>.crt <yourchosenname>.key /etc/openvpn
11) So now we have to modify the OpenVPN server config file to match our needs, there are lots of documents describing different setups/configs, so it should be a breeze for different setups from this.
- cd /usr/share/doc/openvpn/examples/sample-config-files
- gunzip -d server.conf.gz
- mv server.conf /etc/openvpn/yourchosenname.conf
12)Now edit the copied file using an editor,
- nano /etc/openvpn/OPENVPN.conf and uncomment the following lines
- push “redirect-gateway def1″
push “dhcp-option DNS 10.8.0.1″
Note:You can edit more settings like port and protocol should you need it.
13)Now we need to setup the vpn server to forward traffic from the VPN client.
- Edit the sysctl.cof file (/etc/sysctl.conf)
14)Let’s punch a hole in IPTables to allow the traffic
- iptables -A FORWARD -m state –state RELATED,ESTABLISHED -j ACCEPT
- iptables -A FORWARD -s 10.8.0.0/24 -j ACCEPT
That’s it for the server side, now let’s move on to the yealink
15) change directory to the folder where you stored a copy of the client files in step 9, here you need to create a config file (vpn.cnf) for the phone to use. To make your life easy I’ve created one and you can just copy/paste it. Note that you need to modify some settings like protocol/port etc… to match your config.
remote >YOURSERVERWANIP OR HOSTNAME< >YOURPORT<
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
16)Now if you’re still with me you should have 4 files in your dir as seen below. if so, let’s continue if not review the previous steps. So now we need to make another dir in the folder where the files are called “keys” and then move all file there except the vpn.cnf
- mkdir /tmp/yealink/keys
mv ca.crt <yourchosenname>.key <yourchosenname>.crt /tmp/yealink/keys
17)Almost there, now we must make a tarball for the yealink to use. Yealink expects a very strange folderstructure for the tarball with the topfolder being named “.” Now the way I found to do this is while in the directory issue the following:
- tar -cf client.tar .
Note: it will probably pass an error, but the tar will still be created as shown.
Now you need to move the tarball to somewhere you can access from the yealink phones webinterface.
18) Now log into the webinterface of your Yealink phone and navigate to the “Network” tab and then click “advanced” on the left.
19) You will see the VPN section, but don’t enable just yet. You should first upload your tar. To do so, click browse and then “Import” , when that’s done you can enable the VPN and the phone will reboot.
Now if all went well the phone reboots and connects to your VPN server and then you can configure the PBX settings, or if there were previously configured it should just work given. The phone will show a small “V” icon on the screen to show it’s connected to the VPN server.
Now as a side note: The config file for the Yealink uses a structure like : /phone/config… This is only for the T3x series, if you are trying to setup VPN for the 2x series you should use /yealink/config…
All other steps should remain the same.
If you still don’t get it going then drop me a line and i’ll try and help.