Registering Phones with Open-VPN
1 - Introduction
This document guides you through the process of registering phones in IPBrick via OpenVPN (VPN-SSL).
NOTE: IPBRICK v6.0 enables you to use VoIP TLS certificates, so SSL-VPN is no longer necessary to register phones. Using TLS certificates is simpler, equally safe, lighter in terms of traffic and simpler to set up.
2 - Registering Phones
Please follow this procedure:
1. VPN SSL Service:
(a) Activate the VPN-SSL: Advanced Configurations > System > Services
(b) Configure the VPN-SSL: IPBrick.C > VPN > SSL
(c) Use UDP (manufacturer’s confirmation is required)
(d) Create a phone certificate (e.g. PhoneCert001) and download the file.
2. Create the phone’s account in IPBrick:
IPBrick.I > Machines Management (Insert)
- use a strong password
3. Suppress the .key file password (the output client.key is written without password protection)
Linux (recommended!):
    # openssl rsa -in phoneCert001.key -out /NEW/client.key
Windows - you may use the Cygwin app:
    $ openssl rsa -in phoneCert001.key -out ../NEW/client.key
IPBrick Console:
    openssl rsa -in /etc/openvpn/1/keys/phoneCert001.key -out /tmp/client.key
Then download the certificate file: \\ipbrick_IP\tmp\client.key
4. Upgrade the phone’s firmware;
5. Rename and rearrange the VPN SSL certificate files;
Model for the IPBrick certificate:
    /phoneCert001.ovpn
    /ca-server-mail.crt
    /phoneCert001.crt
    /phoneCert001.key
Model for the imported certificate:
    /vpn.cnf (rename and adjust the phoneCert001.ovpn file)
    /keys/ (create directory)
    /keys/ca.crt (rename and move the ca-server-mail.crt file)
    /keys/client.crt (rename and move the phoneCert001.crt file)
    /keys/client.key (copy the client.key file to this directory)
6. Validate the vpn.cnf contents according to your phone’s model - you may find additional info at the manufacturer’s website (examples in the appendixes of this document);
7. Alter the vpn.cnf file content:
    ..
    ca /yealink/config/openvpn/keys/ca.crt
    cert /yealink/config/openvpn/keys/client.crt
    key /yealink/config/openvpn/keys/client.key
    ..
8. Pack the certificate files into an archive named openvpn.tar:
    openvpn.tar {vpn.cnf + keys}
9. Access the phone’s web interface
- Upload the openvpn.tar file
- Enable the VPN functionality
- Apply configurations
10. Other phone configurations:
- Ensure that you have access to the destination public IP configured for the OpenVPN connection
- Configure a SIP phone account and direct the registration to the IPBrick internal IP (eth0)
- Validate the operation of the VPN - when connected, the phone’s screen displays a ’VPN’ TAG
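Steps 5 to 8 as one script, as an added example that is not part of the original document or of IPBrick or Yealink tooling. The function name build_openvpn_tar, its argument order, and the expectation that the exported .ovpn file carries its ca, cert and key directives one per line are assumptions; it expects the client.key from step 3 in the source directory and refuses a key that is still password-protected.

```shell
#!/bin/sh
# Added example (hypothetical helper): build openvpn.tar from the IPBrick export.
# Usage: build_openvpn_tar SRC_DIR CERT_NAME PHONE_PREFIX OUT_DIR
#   SRC_DIR      holds CERT_NAME.ovpn, CERT_NAME.crt, ca-server-mail.crt and the
#                client.key produced in step 3
#   PHONE_PREFIX model-specific directory, e.g. /yealink/config (see Appendix 1)
build_openvpn_tar() {
    src=$1; name=$2; prefix=$3; out=$4
    for f in "$name.ovpn" "$name.crt" ca-server-mail.crt client.key; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    # An encrypted PEM key carries the word ENCRYPTED in its header lines.
    if grep -q 'ENCRYPTED' "$src/client.key"; then
        echo "client.key is still password-protected (redo step 3)" >&2
        return 2
    fi
    mkdir -p "$out/keys" || return 1
    chmod 700 "$out/keys"
    cp "$src/ca-server-mail.crt" "$out/keys/ca.crt" &&
    cp "$src/$name.crt"          "$out/keys/client.crt" &&
    cp "$src/client.key"         "$out/keys/client.key" || return 1
    chmod 600 "$out/keys/client.key"   # unencrypted private key: owner-only
    # Drop the exported ca/cert/key lines, then append the phone-side paths.
    sed -E '/^[[:space:]]*(ca|cert|key)[[:space:]]/d' "$src/$name.ovpn" > "$out/vpn.cnf"
    {
        echo "ca $prefix/openvpn/keys/ca.crt"
        echo "cert $prefix/openvpn/keys/client.crt"
        echo "key $prefix/openvpn/keys/client.key"
    } >> "$out/vpn.cnf"
    # Archive holds vpn.cnf and keys/ as described in step 8.
    (cd "$out" && tar -cf openvpn.tar vpn.cnf keys) || return 1
    chmod 600 "$out/openvpn.tar"       # the archive contains the private key too
    echo "$out/openvpn.tar"
}
```

The function prints the path of the finished archive, which is the file to upload in step 9.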
Appendix 1
Yealink specifications for the vpn.cnf file:
-----------(T21P vpn.cnf) -----------
client
setenv SERVER_POLL_TIMEOUT 4
nobind
remote 41.63.164.103 1194 udp
dev tun
dev-type tun
ns-cert-type server
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-retry nointeract
comp-lzo no
verb 3
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key
----------------------------------------
http://www.yealink.com/Upload/T2X/20131125/OpenVPN_Feature_on_Yealink_IP_Phones.pdf
http://phone_IP/openvpn.tar
Edit the vpn.cnf file:
The directories vary between different IP phone models:
- /yealink/config/ for SIP-T2xP IP phones
- /phone/config/ for SIP-T3xG IP phones
- /config/ for SIP-T21P, SIP-T4x and VP530 IP phones
We present path examples to the certificate files for SIP-T2xP phones:
    ca /yealink/config/openvpn/keys/ca.crt
    cert /yealink/config/openvpn/keys/client.crt
    key /yealink/config/openvpn/keys/client.key
Appendix 2
At this link you will find a video example of a VPN-SS
https://www.youtube.com/watch?v=fCOScMG0utM