Registering Phones with Open-VPN

From wiki.IPBRICK.COM
Revision as of 09:36, 11 September 2014 by Daraujo (Talk | contribs)


1 - Introduction

This document guides you through the process of registering phones in IPBrick via OpenVPN (VPN-SSL). NOTE: IPBRICK v6.0 enables you to use VoIP TLS certificates, so it is no longer necessary to use SSL-VPN to register phones. TLS certificates are simpler to use, equally safe, lighter in terms of traffic and simpler to set up.


2 - Registering Phones

Please follow this procedure:

1. VPN SSL Service:

(a) Activate the VPN-SSL: Advanced Configurations > System > Services

(b) Configure the VPN-SSL: IPBrick.C > VPN > SSL

(c) Use UDP (manufacturer’s confirmation is required)

(d) Create a phone certificate (e.g. PhoneCert001) and download the file.


2. Create the phone’s account in IPBrick:

IPBrick.I > Machines Management (Insert)

  • use a strong password

3. Suppress the .key file password (openssl asks for the current password and writes the key out without one)

Linux (recommended!):

# openssl rsa -in phoneCert001.key -out /NEW/client.key

Windows - you may use the Cygwin app:

$ openssl rsa -in phoneCert001.key -out ../NEW/client.key

IPBrick Console:

openssl rsa -in /etc/openvpn/1/keys/phoneCert001.key -out /tmp/client.key

Then download the resulting file: \\ipbrick_IP\tmp\client.key

4. Upgrade the phone’s firmware;

5. Rearrange the VPN-SSL certificate files;

File layout of the IPBrick certificate as downloaded:

/phoneCert001.ovpn
/ca-server-mail.crt
/phoneCert001.crt
/phoneCert001.key

File layout expected by the phone for the imported certificate:

/vpn.cnf (rename and adjust the phoneCert001.ovpn file)
/keys/ (create directory)
/keys/ca.crt (rename and move the ca-server-mail.crt file)
/keys/client.crt (rename and move the phoneCert001.crt file)
/keys/client.key (copy the client.key file to this directory)

6. Validate the vpn.cnf contents according to your phone’s model - you may find additional info at the manufacturer’s website (examples in the appendixes of this document);

7. Alter the vpn.cnf file content:

..
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key
..

8. Pack the files into a tar archive and name it openvpn.tar: openvpn.tar {vpn.cnf + keys}

9. Access the phone’s web interface

- Upload the openvpn.tar file

- Enable the VPN functionality

- Apply configurations

10. Other phone configurations:

- Ensure that the phone can reach the destination public IP set for the OpenVPN connection

- Configure a SIP phone account and point its registration at the IPBrick internal IP (eth0)

- Validate the operation of the VPN - when connected, the phone’s screen displays a ’VPN’ TAG
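
Steps 5 to 8 can be scripted. The following is an added example, not part of the original wiki page or of IPBrick: it stages the renamed files, rewrites the ca/cert/key lines, refuses a key that still has a password, and packs openvpn.tar. Assumptions: the function name and its arguments are hypothetical, the downloaded .ovpn file already contains ca, cert and key lines, and the source directory holds the password-free client.key from step 3.

```shell
#!/bin/sh
# Added example: build openvpn.tar from the files downloaded from IPBrick.
# Hypothetical usage:
#   build_openvpn_tar SRC_DIR CERT_NAME PHONE_PREFIX OUT_TAR
#   build_openvpn_tar ./dl phoneCert001 /yealink/config/ ./openvpn.tar
build_openvpn_tar() {
    src=$1 name=$2 prefix=$3 out=$4
    stage=$(mktemp -d) || return 1
    (
        umask 077                      # client.key has no password any more
        mkdir "$stage/keys" || exit 1  # lowercase, matching the vpn.cnf paths

        # Refuse a key that still carries a password. "ENCRYPTED" appears in
        # both the traditional and the PKCS#8 PEM headers of protected keys.
        if grep -q 'ENCRYPTED' "$src/client.key"; then
            echo "client.key is still password-protected" >&2; exit 2
        fi

        cp "$src/ca-server-mail.crt" "$stage/keys/ca.crt"     || exit 1
        cp "$src/$name.crt"          "$stage/keys/client.crt" || exit 1
        cp "$src/client.key"         "$stage/keys/client.key" || exit 1

        # Point the ca/cert/key directives at the phone's own directory.
        sed -e "s|^ca[[:space:]].*|ca ${prefix}openvpn/keys/ca.crt|" \
            -e "s|^cert[[:space:]].*|cert ${prefix}openvpn/keys/client.crt|" \
            -e "s|^key[[:space:]].*|key ${prefix}openvpn/keys/client.key|" \
            "$src/$name.ovpn" > "$stage/vpn.cnf" || exit 1

        # Each directive must be present exactly once after the rewrite.
        for d in ca cert key; do
            n=$(grep -c "^$d ${prefix}openvpn/keys/" "$stage/vpn.cnf" || true)
            [ "$n" -eq 1 ] || { echo "vpn.cnf: bad '$d' line" >&2; exit 3; }
        done

        tar -cf "$out" -C "$stage" vpn.cnf keys || exit 1
    )
    rc=$?
    rm -rf "$stage"                    # do not leave the bare key in /tmp
    return $rc
}
```

The third argument is the model-specific directory listed in Appendix 1, with its trailing slash.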


Appendix 1

Yealink specifications for the vpn.cnf file:

-----------(T21P vpn.cnf) -----------
client
setenv SERVER_POLL_TIMEOUT 4
nobind
remote 41.63.164.103 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-retry nointeract
comp-lzo no
verb 3
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key
----------------------------------------
http://www.yealink.com/Upload/T2X/20131125/OpenVPN_Feature_on_Yealink_IP_Phones.pdf
http://phone_IP/openvpn.tar

Edit the vpn.cnf file:

The directories vary between different IP phone models:

/yealink/config/ for SIP-T2xP IP phones
/phone/config/ for SIP-T3xG IP phones
/config/ for SIP-T21P, SIP-T4x and VP530 IP phones

Example paths to the certificate files for SIP-T2xP phones:

ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key


Appendix 2

At this link you will find a video example of a VPN-SS

[1]