I have spent many hours on this here is what I have found
Older Yealink phones like the T28 need Ver 2.73.0.50 (73) and will only work with:
sha1 (not sha256) hash algorithm, and dh1024 (not dh2048) certs
the openvpn server config file must also reference the location of dh1024 and certs
Also in the client vpn.cnf of the openvpn.tar file should look like this
client
setenv SERVER_POLL_TIMEOUT 4
nobind
proto udp
remote XXX.XXX.XXX.XXX
port 1194
dev tun
dev-type tun
persist-tun
persist-key
ns-cert-type server
comp-lzo yes
auth-retry nointeract
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key
If you have a mix of old and new yealink phones these lower encryption files can also be used on the T46S ver .8X – .84 phones but are less secure.
It is best to use then newer sha256 if you have all newer yealink phones T4X or T5X
