Yealink phones are very feature rich VOIP handsets. However the documentation only covers the really basic stuff to get you working out of the box
All the cool stuff like
- Secure VPN connectivity to your voice system
- LDAP Address book integration
- Resilient server registration using DNS SRV records
- etc etc
All this information you are going to have to hunt for in their forums and other people blog posts.
The Feature I’m talking about here is a VPN feature in the T26P phone upwards which allows you to create a secure tunnel to your phone system. This allows all your SIP and RTP traffic to be sent over the internet using encryption. Not only do you get a secure path for all your traffic, You also bypass all the pain of hitting NAT and Firewall Application Layer Gateways messing with your traffic.
The problem with this is yealink have not documented it very well. This post is to document what I have found works.
This may change with future firmware updates, so be aware.
I used the IPBRICK unified comms product which has a built in OpenVPN server which is what the Yealink phones use. I have used the IPBRICK VPN client tool and also T26P phones.
Grab the latest firmware for your phone.
After the phone has performed the update and rebooted, power off the phone and turn it back on again after about 15-20 seconds
OpenVPN has 4 main files which the phone requires.
- OpenVPN CA Cert
- Client Cert
- Client Key
- VPN Configuration file
What ever OpenVPN system you are using, You will need to create these files for each of your phones. On IPBrick, this is easy…. I just follow the SSL client configuration in the SSL web management interface, and download the generated zip file.
The yealink phones expect a .tar file to be uploaded under the network->advanced web management.
This tar file has to be in a specific format.
In the above zip file you will find some upload instructions , and a sample Client.tar file. Rename your generated CA.crt, Cleint.key and Client.crt files to match the ones in the sample config file.
You also need to create the matching file structure
→keys (folder) →→ca.crt →→client.crt →→client.key
If your OpenVPN server generates a pass-phrase on your client key, you will need to remove it. This is because you have no way of entering the pass-phrase on the phone.
openssl rsa -in generatedclient.key -out keys/client.key
This is where you may need to do some more research. There are differences in the VPN.cnf file. After I had made the changes to the CA and client cert and key. I took the example VPN.cnf file and just changed the external remote server address to match my server.
You might need to change a few more settings, But just try this first.
Now create your .tar file:
tar cvf openvpn.tar ./vpn.cnf ./keys
Follow the documentation in the zip file your downloaded in the zip file from yealink to upload the .tar file.
After the phone reboots, you should see a [VPN] Icon in the top right hand corner of the screen on your phone.
You can now SIP register as though your phone was an internal phone.
I would appreciate if you could let me knoe if you found this usefull. Hopefully I have saved you a few hours of your time.