How to get Yealink phones connecting over VPN

Posted on December 5, 2012
Filed Under IT Solutions | 15 Comments

Yealink T26P

Yealink T26P has a built-in OpenVPN client

Yealink phones are very feature-rich VoIP handsets. However, the documentation only covers the really basic stuff to get you working out of the box.

All the cool stuff like

All this information you are going to have to hunt for in their forums and in other people's blog posts.

The feature I'm talking about here is a VPN feature in the T26P phone upwards which allows you to create a secure tunnel to your phone system. This allows all your SIP and RTP traffic to be sent over the internet using encryption. Not only do you get a secure path for all your traffic, you also bypass all the pain of NAT and firewall Application Layer Gateways messing with your traffic.

The problem with this is that Yealink has not documented it very well. This post is to document what I have found works.

This may change with future firmware updates, so be aware.

I used the IPBRICK unified comms product, which has a built-in OpenVPN server, which is what the Yealink phones use. I have used the IPBRICK VPN client tool and also T26P phones.

Stage 1

Grab the latest firmware for your phone.

After the phone has performed the update and rebooted, power off the phone and turn it back on again after about 15-20 seconds.

Stage 2

OpenVPN has 4 main files which the phone requires.

Whatever OpenVPN system you are using, you will need to create these files for each of your phones. On IPBrick, this is easy: I just follow the SSL client configuration in the SSL web management interface, and download the generated zip file.


The Yealink phones expect a .tar file to be uploaded under Network -> Advanced in the web management interface.

This tar file has to be in a specific format.

In the above zip file you will find some upload instructions and a sample Client.tar file. Rename your generated CA.crt, Client.key and Client.crt files to match the ones in the sample config file.

You also need to create the matching file structure

→keys (folder)

If your OpenVPN server generates a pass-phrase on your client key, you will need to remove it. This is because you have no way of entering the pass-phrase on the phone.

openssl rsa -in generatedclient.key -out keys/client.key

This is where you may need to do some more research. There are differences in the VPN.cnf file. After I had made the changes to the CA and client cert and key, I took the example VPN.cnf file and just changed the external remote server address to match my server.

You might need to change a few more settings, but just try this first.

Now create your .tar file:

tar cvf openvpn.tar ./vpn.cnf ./keys

Follow the documentation in the zip file you downloaded from Yealink to upload the .tar file.

After the phone reboots, you should see a [VPN] Icon in the top right hand corner of the screen on your phone.

You can now SIP register as though your phone was an internal phone.
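
A pre-upload sanity check for the bundle built in Stage 2, added here as an example (it is not from the original post or from Yealink). It assumes the vpn.cnf plus keys/ layout from the tar command above and compares file names only, since the directory prefix written in vpn.cnf depends on the phone; `check_bundle`, `make_sample`, the sample paths and vpn.example.com are made up for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a Yealink OpenVPN bundle directory before tar.
# Assumes the layout used above: <dir>/vpn.cnf plus <dir>/keys/.

# True if the PEM key is pass-phrase protected (traditional or PKCS#8 header).
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# Prints one line per problem; returns 0 only if nothing was found.
check_bundle() (
    dir=$1; bad=0
    [ -f "$dir/vpn.cnf" ] || { echo "missing vpn.cnf"; exit 1; }
    [ -d "$dir/keys" ]    || { echo "missing keys/ folder"; exit 1; }
    for d in ca cert key; do
        # First path given for this directive (CRs stripped for Windows edits).
        path=$(tr -d '\r' < "$dir/vpn.cnf" | awk -v d="$d" '$1==d {print $2; exit}')
        [ -n "$path" ] || { echo "vpn.cnf has no '$d' line"; bad=1; continue; }
        name=$(basename "$path")
        if [ ! -f "$dir/keys/$name" ]; then
            echo "vpn.cnf points at $path but keys/$name is not in the bundle"; bad=1
        elif [ "$d" = key ] && key_is_encrypted "$dir/keys/$name"; then
            echo "keys/$name still has a pass-phrase; the phone cannot prompt for it"; bad=1
        fi
    done
    exit "$bad"
)

# Constructed sample bundle: placeholder files, no real key material.
make_sample() {
    mkdir -p "$1/keys"
    printf '%s\n' 'client' 'remote vpn.example.com 1194' \
        'ca /yealink/config/openvpn/keys/ca.crt' \
        'cert /yealink/config/openvpn/keys/client.crt' \
        'key /yealink/config/openvpn/keys/client.key' > "$1/vpn.cnf"
    : > "$1/keys/ca.crt"; : > "$1/keys/client.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        > "$1/keys/client.key"
}

tmp=$(mktemp -d)
make_sample "$tmp"
check_bundle "$tmp" || echo "fix the above, then: tar cvf openvpn.tar ./vpn.cnf ./keys"
rm -rf "$tmp"
```

Run `check_bundle .` from the directory that holds vpn.cnf and keys/ before creating openvpn.tar.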

I would appreciate it if you could let me know if you found this useful. Hopefully I have saved you a few hours of your time.


15 Responses to “How to get Yealink phones connecting over VPN”

  1. Richard on November 4th, 2013 4:25 pm

    Thank You very much for taking your time to publish this article.
    Was very helpful to me.

  2. Chad Erisman on November 13th, 2013 4:49 am

    Using the T26P and latest firmware ( I was able to get this to work by using the below paths in the vpn.cnf as well as removing the user and group lines:

    ca /yealink/config/openvpn/keys/ca.pem
    cert /yealink/config/openvpn/keys/client1.pem
    key /yealink/config/openvpn/keys/client1.key

    The openvpn.tar file had the structure:

    →keys (folder)

    Thanks for this article!

  3. anto on February 23rd, 2014 10:41 am

    How can we check whether the VPN is connected or not?

  4. Jason Simmons on February 24th, 2014 10:03 am

    You will get a small icon in the corner of the screen [VPN]. Plus you will see on your appliance that a VPN session is created, and your phone should have registered on your phone system.

  5. Toggi on February 24th, 2014 11:00 am

    Thanks Jason. This is great. We need more guys like you in the world.

  6. Jason Simmons on February 24th, 2014 11:27 am

    Most kind…. I’m glad you found it useful

  7. Guillermo Dewey on July 9th, 2014 9:10 pm

    The link to download the tar file structure is no longer available. The webserver shows 404.

  8. Giomel on October 2nd, 2014 11:01 pm

    I have a problem with that. I am trying to connect a Yealink T28P with a WatchGuard firewall but it doesn't work. Does anyone have some idea….

  9. ja on November 25th, 2014 6:46 pm

    Do you know how to put login and password into the config file? Server requires username and password. I've tried auth-user-pass /config/vpn/keys/client but the phone says that the file /config/vpn/keys/client does not exist, but it is present in the tar file.

  10. Jason Simmons on November 26th, 2014 6:50 pm

    Everything I have seen says that Yealink phones need certificates, not user and passwords. For this type of use I don't think a user and password is a good idea. At least if it was interactive a user could supply the password when prompted. A phone can't do that. Sorry, you really need PKI/certs infrastructure.

  11. Jason Simmons on November 26th, 2014 6:54 pm

    It could be a number of things. As a start, check that you are on the latest firmware for the phone and that you are using the correct VPN format. Each Yealink phone is different.

  12. Alan on December 26th, 2014 6:42 pm

    I am able to connect to my PBX server via VPN tunnel, no issues. However, I notice SIP registration will fail after about 30 minutes. Only by rebooting my phone will it re-register. Odd thing is I can still ping the phone after the SIP registration fails, so I know my tunnel is ok. Any ideas?

  13. Jason Simmons on December 26th, 2014 8:45 pm

    Hi Alan,
    Yeah, this is odd. I'm assuming before registration fails you can make and receive calls. Check your handset is on the latest firmware; Yealink phones change behavior quite a lot based on firmware. To home in on the problem, check your firmware. If you have a stateful firewall in the path of the VPN, have a look at any state tables or any SIP inspections the firewall may be doing. Also run a SIP DEBUG on your PBX to look for any clues.

    The other thing to try is to run the VPN client on your laptop and use a Softphone such as Zoiper to see if the problem exists outside of the Yealink handsets.

    From the information you have stated, I think it is a firmware issue, or some security appliance applying some kind of stateful inspection.

  14. Alan on December 29th, 2014 6:49 pm

    Hi Jason,

    Quick note, the firmware update did not seem to help my issue. I am testing the Yealink behind a different firewall now and I have had my SIP registration active for about 3 hours (longest yet!). I feel confident it was as you suggested, something with my security appliance was causing the SIP registration to end after 30 minutes. Thank you for taking the time to reply.

  15. Jason Simmons on January 3rd, 2015 10:59 pm

    No problem, Glad you got it working. I will be doing an update soon on using TLS certificates for SIP and RTP.
