Difference between revisions of "Registering Phones with Open-VPN"

Latest revision as of 12:42, 27 September 2014

1 - Introduction

This page aims to guide through the process of registering phones, in IPBrick, via OpenVPN (VPN-SSL).

IPBRICK v6.0 enables you to use VOIP TLS certificates, no longer making it necessary to use SSL-VPN to register phones - it’s simpler to use TLS certificates, equally safe, lighter in terms of traffic and simpler to set up.

2 - Registering Phones

Please follow this procedure:

1. VPN SSL Service:

(a) Activate the VPN-SSL: Advanced Configurations > System > Services

(b) Configure the VPN-SSL: IPBrick .C > VPN > SSL

(c) Use UDP (manufacturer’s confirmation is required)

(d) Create a phone certificate (eg. PhoneCert001) and download the file.

2. Create the phone’s account in IPBrick:

IPBrick.I > Machines Management (Insert)

• use a strong password

3. Supress the .key file password

Linux (recommended!):

#openssl rsa -in phoneCert001.key -out /NEW/client.key
Windows - you may use the Cygwin app:
$openssl rsa -in phoneCert001.key -out ../NEW/client.key

IPBrick Console:

openssl rsa -in /etc/openvpn/1/keys/phoneCert001.key -out /tmp/client.key
**download the certificate file \\ipbrick_IP\tmp\client.key**

4. Upgrade the phone’s firmware;

5. Alter VPN SSL file certificates;

Model for the IPBrick certificate:

/phoneCert001.ovpn
/ca-server-mail.crt
/phoneCert001.crt
/phoneCert001.key

Model for the imported certificate:

/vpn.cnf (rename and adjust the phoneCert001.ovpn file)
/Keys/ (create directory)
/keys/ca.crt (rename and move the ca-server-mail.crt file)
/keys/client.crt (rename and move the phoneCert001.crt file)
/keys/client.key (copy the client.key file to his directory)

6. Validate the vpn.cnf contents according to your phone’s model - you may find additional info at the manufacturer’s website (examples in the appendixes of this document);

7. Alter the vpn.cnf file content:

..
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key
..

8. Compact the certificate and name it: openvpn.tar openvpn.tar {vpn.cnf + Keys}

9. Access the phone’s web interface

- Upload the openvpn.tar file

- Enable the VPN functionality

- Apply configurations

10. Other phone configurations:

- Ensure that you have access to the destination public IP set to the openvpn connection

- Configure a SIP phone account and direct the registry to the IPBrick internal IP (eth0)

- Validate the operation of the VPN - when connected, the phone’s screen displays a ’VPN’ TAG

Appendix 1

Yealink specifications for the vpn.cnf file:

-----------(T21P vpn.cnf) -----------
client
setenv SERVER_POLL_TIMEOUT 4
nobind
remote 41.63.164.103 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-retry nointeract
comp-lzo no
verb 3
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key
----------------------------------------

http://www.yealink.com/Upload/T2X/20131125/OpenVPN_Feature_on_Yealink_IP_Phones.pdf

http://phone_IP/openvpn.tar

Edit the vpn.cnf file:

The directories vary between different IP phone models:

/yealink/config/ for SIP-T2xP IP phones
/phone/config/ for SIP-T3xG IP phones
/config/ for SIP-T21P, SIP-T4x and VP530 IP phones

We present path examples to the certificate files for SIP-T2xP phones:

ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key

Appendix 2

At this link you will find a video example of a VPN-SSL configuration.

https://www.youtube.com/watch?v=fCOScMG0utM