How to get Yealink phones connecting over VPN

Posted on December 5, 2012
Filed Under IT Solutions | 6 Comments

Yealink T26P

Yealink T26P has a in built OpenVPN Client

Yealink phones are very feature rich VOIP handsets. However the documentation only covers the really basic stuff to get you working out of the box

All the cool stuff like

All this information you are going to have to hunt for in their forums and other people blog posts.

The Feature I’m talking about here is a VPN feature in the T26P phone upwards which allows you to create a secure tunnel to your phone system. This allows all your SIP and RTP traffic to be sent over the internet using encryption. Not only do you get a secure path for all your traffic, You also bypass all the pain of hitting NAT and Firewall Application Layer Gateways messing with your traffic.

The problem with this is yealink have not documented it very well. This post is to document what I have found works.

This may change with future firmware updates, so be aware.

I used the IPBRICK unified comms product  which has a built in OpenVPN server which is what the Yealink phones use. I have used the IPBRICK VPN client tool and also T26P phones.

stage 1

Grab the latest firmware for your phone.

http://www.yealink.co.uk/downloads/

After the phone has performed the update and rebooted, power off the phone and turn it back on again after about 15-20 seconds

Stage 2

OpenVPN has 4 main files which the phone requires.

What ever OpenVPN system you are using, You will need to create these files for each of your phones. On IPBrick, this is easy…. I just follow the SSL client configuration in the SSL web management interface, and download the generated zip file.

Stage3

The yealink phones expect a .tar file to be uploaded under the network->advanced web management.

This tar file has to be in a specific format.

http://www.yealink.co.uk/assets/Document-Downloads/Open VPN.zip

In the above zip file you will find some upload instructions , and a sample Client.tar file. Rename your generated CA.crt, Cleint.key and Client.crt files to match the ones in the sample config file.

You also need to create the matching file structure

→keys (folder)
→→ca.crt
→→client.crt
→→client.key

If your OpenVPN server generates a pass-phrase on your client key, you will need to remove it. This is because you have no way of entering the pass-phrase on the phone.

openssl rsa -in generatedclient.key -out keys/client.key

This is where you may need to do some more research. There are differences in the VPN.cnf file. After I had made the changes to the CA and client cert and key. I took the example VPN.cnf file and just changed the external remote server address to match my server.

You might need to change a few more settings, But just try this first.

Now create your .tar file:

tar cvf openvpn.tar ./vpn.cnf ./keys

Follow the documentation in the zip file your downloaded in the zip file from yealink to upload the .tar file.

After the phone reboots, you should see a [VPN] Icon in the top right hand corner of the screen on your phone.

You can now SIP register as though your phone was an internal phone.

I would appreciate if you could let me knoe if you found this usefull. Hopefully I have saved you a few hours of your time.



Comments

6 Responses to “How to get Yealink phones connecting over VPN”

  1. Richard on November 4th, 2013 4:25 pm

    Thank You very much for taking your time to publish this article.
    Was very help full to me.

  2. Chad Erisman on November 13th, 2013 4:49 am

    Using the T26P and latest firmware (6.71.0.140) I was able to get this to work by using the below paths in the vpn.cnf as well as removing the user and group lines:

    ca /yealink/config/openvpn/keys/ca.pem
    cert /yealink/config/openvpn/keys/client1.pem
    key /yealink/config/openvpn/keys/client1.key

    The openvpn.tar file had the structure:

    →vpn.cnf
    →keys (folder)
    →→ca.pem
    →→client1.pem
    →→client1.key

    Thanks for this article!

  3. anto on February 23rd, 2014 10:41 am

    How we can check VPN connected or not?

  4. Jason Simmons on February 24th, 2014 10:03 am

    You will get a small icon in the corner of the screen [VPN], Plus you will see on your appliance that a VPN session is created, and your phone should have registered on your Phone SYstem

  5. Toggi on February 24th, 2014 11:00 am

    Thanks jason. This is great. We need more guys like you in the world.

  6. Jason Simmons on February 24th, 2014 11:27 am

    Most kind…. I’m glad you found it useful

Leave a Reply




rss xml image rss xml image