How to get Yealink phones connecting over VPN

Yealink T26P has a in built OpenVPN Client

Yealink phones are very feature rich VOIP handsets. However the documentation only covers the really basic stuff to get you working out of the box

All the cool stuff like

Secure VPN connectivity to your voice system
LDAP Address book integration
Resilient server registration using DNS SRV records
etc etc

All this information you are going to have to hunt for in their forums and other people blog posts.

The Feature I’m talking about here is a VPN feature in the T26P phone upwards which allows you to create a secure tunnel to your phone system. This allows all your SIP and RTP traffic to be sent over the internet using encryption. Not only do you get a secure path for all your traffic, You also bypass all the pain of hitting NAT and Firewall Application Layer Gateways messing with your traffic.

The problem with this is yealink have not documented it very well. This post is to document what I have found works.

This may change with future firmware updates, so be aware.

I used the IPBRICK unified comms productÂ which has a built in OpenVPN server which is what the Yealink phones use. I have used the IPBRICK VPN client tool and also T26P phones.

stage 1

Grab the latest firmware for your phone.

http://www.yealink.co.uk/Firmware

After the phone has performed the update and rebooted, power off the phone and turn it back on again after about 15-20 seconds

Stage 2

OpenVPN has 4 main files which the phone requires.

OpenVPN CA Cert
Client Cert
Client Key
VPN Configuration file

What ever OpenVPN system you are using, You will need to create these files for each of your phones. On IPBrick, this is easy…. I just follow the SSL client configuration in the SSL web management interface, and download the generated zip file.

Stage3

The yealink phones expect a .tar file to be uploaded under the network->advanced web management.

This tar file has to be in a specific format.

http://www.jsimmons.co.uk/wp-content/uploads/2018/01/OpenVPN_Feature_on_Yealink_IP_Phones_V81_20.pdf

In the above zip file you will find some upload instructions , and a sample Client.tar file. Rename your generated CA.crt, Cleint.key and Client.crt files to match the ones in the sample config file.

You also need to create the matching file structure

â†’keys (folder)
â†’â†’ca.crt
â†’â†’client.crt
â†’â†’client.key

If your OpenVPN server generates a pass-phrase on your client key, you will need to remove it. This is because you have no way of entering the pass-phrase on the phone.

openssl rsa -in generatedclient.key -out keys/client.key

This is where you may need to do some more research. There are differences in the VPN.cnf file. After I had made the changes to the CA and client cert and key. I took the example VPN.cnf file and just changed the external remote server address to match my server.

You might need to change a few more settings, But just try this first.

Now create your .tar file:

tar cvf openvpn.tar ./vpn.cnf ./keys

Follow the documentation in the zip file your downloaded in the zip file from yealink to upload the .tar file.

After the phone reboots, you should see a [VPN] Icon in the top right hand corner of the screen on your phone.

You can now SIP register as though your phone was an internal phone.

I would appreciate if you could let me knoe if you found this usefull. Hopefully I have saved you a few hours of your time.

Comments:

Thank You very much for taking your time to publish this article.
Was very help full to me.
Comment by Richard, November 2013 04:25:03 PM

Using the T26P and latest firmware (6.71.0.140) I was able to get this to work by using the below paths in the vpn.cnf as well as removing the user and group lines:

ca /yealink/config/openvpn/keys/ca.pem
cert /yealink/config/openvpn/keys/client1.pem
key /yealink/config/openvpn/keys/client1.key

The openvpn.tar file had the structure:

â†’vpn.cnf
â†’keys (folder)
â†’â†’ca.pem
â†’â†’client1.pem
â†’â†’client1.key

Thanks for this article!
Comment by Chad Erisman, November 2013 04:49:20 AM

How we can check VPN connected or not?
Comment by anto, February 2014 10:41:46 AM

Thanks jason. This is great. We need more guys like you in the world.
Comment by Toggi, February 2014 11:00:23 AM

the link to download the tar file structure is not longer available. webserver shows 404
Comment by Guillermo Dewey, July 2014 09:10:47 PM

I have a problem whit that, i triying to conect a yealink t28p whit a watchguard firewall but doenst work any one have some idea….
http://forum.yealink.com/forum/showthread.php?tid=2051
Comment by Giomel, October 2014 11:01:15 PM

Do you know how to put login and password into the config file? Serwer requires username and password I’ve tried auth-user-pass /config/vpn/keys/client but phone says that the file /config/vpn/keys/client does not exis, but it is present in the tar file
Comment by ja, November 2014 06:46:46 PM

I am able to connect to my pbx server via BPN tunnel no issues. However, I notice SIP registration will fail after about 30 minutes. Only by rebooting my phone will it re-register. Odd thing is I can still ping the phone after the sip registration fails, so I know my tunnel is ok. Any ideas?
Comment by Alan, December 2014 06:42:57 PM

Hi Jason,

Quick note, the firmware update did not seem to help my issue. I am testing the Yealink behind a different firewall now and I have had my SIP registration active for about 3 hours (longest yet!). I feel confident it was as you suggested, something with my security appliance was causing the SIP registration to end after 30 minutes. Thank you for taking the time to reply.
Comment by Alan, December 2014 06:49:10 PM

One issue that I had was that the phone was logging a certificate error. The yealink devices only seem to support SHA1 or MD5 by default EasyRSA was creating a SHA256 certificate i had to edit the openssl.cfg in EasyRSA.

default_md = md5

might be useful to someone ..

this was using OpenVPN installed on a Centos server.
Comment by Matthew Aston, November 2015 08:59:01 AM

I enjoy looking through a post that will make people think.
Also, thank you for allowing me to comment!
Comment by test, May 2017 06:33:06 AM

Still now (2017-Oct-05) the yealink devices only seem to support SHA1 or MD5 ?
Comment by Maurizio Marini, October 2017 08:02:50 PM

Hi, could you put the vpn.cnf file for us?
Comment by Hi, October 2017 09:26:41 PM

Hello Jason,

Thank you for your useful documentation.
I have the same IP Phone and try to configure OpenVPN with Synology DiskStation as vpn server. The generated file with Synology doesn’t have the same format asked from Yealink. It’s a zip file containing ca.crt, readme.txt and VPNConfig.ovpn

I am not comfortable with the vpn to continue the configuration with what I have in my hands. Would you have gone through a Synology NAS to set up a VPN for Yealink or would you have some idea of what to do next please ?

Thank you for advance

Best regards
Comment by Khaled, November 2018 04:34:43 PM

Hello and thank you for your useful video.
I am using Mikrotik router for my OpenVpn and as far as understood it only supports tcp-client for protocols, do you know for Yealink T21 vpn config file can the proto except tcp-client or it needs to be udp?

Best regards
Hossein
Comment by Hossein, April 2020 02:16:38 PM

regading this:
“One issue that I had was that the phone was logging a certificate error. The yealink devices only seem to support SHA1 or MD5 by default EasyRSA was creating a SHA256 certificate i had to edit the openssl.cfg in EasyRSA.

default_md = md5

might be useful to someone ..

this was using OpenVPN installed on a Centos server.

Comment by Matthew Aston, November 2015 08:59:01 AM”

Any one could expaing more?
How to use EasyRsa ?
I will need to create new certificate and Keys or is just to Change on server.conf file and vpn.cnf to use SHA1 or MD5 ?
Comment by Sergio Danielius, January 2021 04:38:22 PM