OpenVPN Yealink issues  


jrosetto
(@jrosetto)
Trusted Member
Joined: 3 months ago
Posts: 59
12/03/2020 1:09 pm  

I am using the OpenVPN module and have everything set up and working properly with Fanvil phones. Yealink, on the other hand, doesn't want to work. Here are the errors on the phone side.

Mar 12 19:01:59 openvpn[444]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mar 12 19:01:59 openvpn[444]: Re-using SSL/TLS context
Mar 12 19:01:59 openvpn[444]: LZO compression initialized
Mar 12 19:01:59 openvpn[444]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mar 12 19:01:59 openvpn[444]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Mar 12 19:01:59 openvpn[444]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Mar 12 19:01:59 openvpn[444]: Local Options hash (VER=V4): '22188c5b'
Mar 12 19:01:59 openvpn[444]: Expected Remote Options hash (VER=V4): 'a8f55717'
Mar 12 19:01:59 openvpn[444]: UDPv4 link local: [undef]
Mar 12 19:01:59 openvpn[444]: UDPv4 link remote: 2.3.4.5:1194
Mar 12 19:01:59 openvpn[444]: TLS: Initial packet from 2.3.4.5:1194, sid=fb32116d 5892ad3c
Mar 12 19:01:59 openvpn[444]: VERIFY ERROR: depth=1, error=certificate signature failure: /CN=CA
Mar 12 19:01:59 openvpn[444]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mar 12 19:01:59 openvpn[444]: TLS Error: TLS object -> incoming plaintext read error
Mar 12 19:01:59 openvpn[444]: TLS Error: TLS handshake failed
Mar 12 19:01:59 openvpn[444]: TCP/UDP: Closing socket
Mar 12 19:01:59 openvpn[444]: SIGUSR1[soft,tls-error] received, process restarting
Mar 12 19:01:59 openvpn[444]: Restart pause, 2 second(s)

Mar 12 19:02:02 openvpn[444]: TLS Error: Unroutable control packet received from 13.92.230.65:1194 (si=3 op=P_CONTROL_V1)
Mar 12 19:02:04 openvpn[444]: TLS Error: Unroutable control packet received from 13.92.230.65:1194 (si=3 op=P_ACK_V1)

And here is the OpenVPN-Server side

Thu Mar 12 15:04:11 2020 1.2.3.4:1024 TLS: Initial packet from [AF_INET]1.2.3.4:1024, sid=f40bb29d 57d6b04e
Thu Mar 12 15:04:13 2020 1.2.3.4:1024 TLS: new session incoming connection from [AF_INET]1.2.3.4:1024
Thu Mar 12 15:04:15 2020 1.2.3.4:1024 TLS: new session incoming connection from [AF_INET]1.2.3.4:1024
Thu Mar 12 15:05:11 2020 1.2.3.4:1024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 12 15:05:11 2020 1.2.3.4:1024 TLS Error: TLS handshake failed

 

I have changed the public IPs for safety. Any suggestions?

Thanks.


jrosetto
(@jrosetto)
Trusted Member
Joined: 3 months ago
Posts: 59
17/03/2020 7:03 am  

Am I the only one with this issue?


jrosetto
(@jrosetto)
Trusted Member
Joined: 3 months ago
Posts: 59
18/03/2020 8:00 am  

So after testing with different Yealink phones, I found that the older phones seem to be the ones having issues. I tested a SIP-T28P and it will not work. If I load the same config on a SIP-T29G, everything connects and works fine. Is this an old MD5 encryption thing with the older phones? How can I tell what phones use the newer security profiles if that is the case?


mrivera
(@ing-joserivera26)
Developer Admin
Joined: 2 years ago
Posts: 2355
18/03/2020 9:02 am  

I think this issue is related to the OpenVPN version that the phones are using.


Nolhan
(@nolhan)
New Member
Joined: 3 months ago
Posts: 2
19/03/2020 8:33 am  

How to use a free VPN? Can you please help me?


Rodrigo Cuadra
(@rcuadra)
Member Admin
Joined: 3 years ago
Posts: 127
19/03/2020 8:36 am  

You can watch this video:

https://www.youtube.com/watch?v=dLdiQM40KDs


DannyLarsen
(@dannylarsen)
Estimable Member
Joined: 2 years ago
Posts: 160
25/03/2020 9:54 am  

I have spent many hours on this; here is what I have found:

Older Yealink phones like the T28 need Ver 2.73.0.50 (73) and will only work with:

sha1 (not sha256) hash algorithm, and dh1024 (not dh2048) certs

The OpenVPN server config file must also reference the location of dh1024 and certs.

Also, the client vpn.cnf in the openvpn.tar file should look like this:

client
setenv SERVER_POLL_TIMEOUT 4
nobind
proto udp
remote XXX.XXX.XXX.XXX
port 1194
dev tun
dev-type tun
persist-tun
persist-key
ns-cert-type server

comp-lzo yes

auth-retry nointeract

ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

 

If you have a mix of old and new Yealink phones, these lower encryption files can also be used on the T46S ver .8X - .84 phones but are less secure.

It is best to use the newer sha256 if you have all newer Yealink phones T4X or T5X.


ReplyQuote
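An added example (not part of the thread, and not Yealink or OpenVPN code): a standard-library Python check that reads the signature algorithm out of a certificate, so you can tell whether ca.crt and client.crt are sha1- or sha256-signed before loading them onto an older phone. The function names and the two skeleton "certificates" are constructed for illustration.

```python
import base64

SIG_OIDS = {  # RSA signature-algorithm OIDs (digest used to sign the cert)
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def read_tlv(buf, pos):  # -> (tag, content_start, content_end) of a DER element
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def decode_oid(raw):
    arcs, value = [], 0
    for byte in raw:  # base-128 digits; high bit set means more bytes follow
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)  # the first two arcs are packed into one value
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def pem_to_der(pem):
    body = [ln for ln in pem.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def signature_algorithm(der):  # outer signatureAlgorithm of an X.509 certificate
    _, start, _ = read_tlv(der, 0)            # Certificate SEQUENCE
    _, _, tbs_end = read_tlv(der, start)      # skip tbsCertificate
    _, alg_start, _ = read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected an OBJECT IDENTIFIER")
    oid = decode_oid(der[oid_start:oid_end])
    return SIG_OIDS.get(oid, oid)

def ok_for_old_yealink(der):
    # Per the post above: older phones such as the T28 only work with sha1.
    return signature_algorithm(der) == "sha1WithRSAEncryption"

def skeleton(oid):  # constructed sample, NOT a real certificate: empty tbs + alg + sig
    alg = b"\x06" + bytes([len(oid)]) + oid + b"\x05\x00"
    body = b"\x30\x00" + b"\x30" + bytes([len(alg)]) + alg + b"\x03\x01\x00"
    return b"\x30" + bytes([len(body)]) + body
RSA_ARC = bytes.fromhex("2a864886f70d0101")  # 1.2.840.113549.1.1
SHA1_CERT, SHA256_CERT = skeleton(RSA_ARC + b"\x05"), skeleton(RSA_ARC + b"\x0b")
```

For a real file, call `signature_algorithm(pem_to_der(open("ca.crt").read()))`; the DH parameter size mentioned in the post is a separate server-side setting that this check does not cover.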
jrosetto
(@jrosetto)
Trusted Member
Joined: 3 months ago
Posts: 59
25/03/2020 11:06 am  
Posted by: @dannylarsen

I have spent many hours on this; here is what I have found:

Older Yealink phones like the T28 need Ver 2.73.0.50 (73) and will only work with:

sha1 (not sha256) hash algorithm, and dh1024 (not dh2048) certs

The OpenVPN server config file must also reference the location of dh1024 and certs.

Also, the client vpn.cnf in the openvpn.tar file should look like this:

client
setenv SERVER_POLL_TIMEOUT 4
nobind
proto udp
remote XXX.XXX.XXX.XXX
port 1194
dev tun
dev-type tun
persist-tun
persist-key
ns-cert-type server

comp-lzo yes

auth-retry nointeract

ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

 

If you have a mix of old and new Yealink phones, these lower encryption files can also be used on the T46S ver .8X - .84 phones but are less secure.

It is best to use the newer sha256 if you have all newer Yealink phones T4X or T5X.

Any way to accomplish this through the GUI or does this all have to be done by hand?

