OpenVPN Yealink issues

This topic has 7 replies, 5 voices, and was last updated 4 months, 3 weeks ago by jrosetto.

Down

Post

- March 12, 2020 at 7:09 pm
- Quote
Up
0
Down

jrosetto
Participant

I am using the OpenVPN module and have everything setup and working properly with Fanvil phones. Yealink on the other hand doesn’t want to work. Here are the errors on the phone side.

Mar 12 19:01:59 openvpn[444]: NOTE: OpenVPN 2.1 requires ‘–script-security 2’ or higher to call user-defined scripts or executables
Mar 12 19:01:59 openvpn[444]: Re-using SSL/TLS context
Mar 12 19:01:59 openvpn[444]: LZO compression initialized
Mar 12 19:01:59 openvpn[444]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mar 12 19:01:59 openvpn[444]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Mar 12 19:01:59 openvpn[444]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Mar 12 19:01:59 openvpn[444]: Local Options hash (VER=V4): ‘22188c5b’
Mar 12 19:01:59 openvpn[444]: Expected Remote Options hash (VER=V4): ‘a8f55717’
Mar 12 19:01:59 openvpn[444]: UDPv4 link local: [undef]
Mar 12 19:01:59 openvpn[444]: UDPv4 link remote: 2.3.4.5:1194
Mar 12 19:01:59 openvpn[444]: TLS: Initial packet from 2.3.4.5:1194, sid=fb32116d 5892ad3c
Mar 12 19:01:59 openvpn[444]: VERIFY ERROR: depth=1, error=certificate signature failure: /CN=CA
Mar 12 19:01:59 openvpn[444]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mar 12 19:01:59 openvpn[444]: TLS Error: TLS object -> incoming plaintext read error
Mar 12 19:01:59 openvpn[444]: TLS Error: TLS handshake failed
Mar 12 19:01:59 openvpn[444]: TCP/UDP: Closing socket
Mar 12 19:01:59 openvpn[444]: SIGUSR1[soft,tls-error] received, process restarting
Mar 12 19:01:59 openvpn[444]: Restart pause, 2 second(s)

Mar 12 19:02:02 openvpn[444]: TLS Error: Unroutable control packet received from 13.92.230.65:1194 (si=3 op=P_CONTROL_V1)
Mar 12 19:02:04 openvpn[444]: TLS Error: Unroutable control packet received from 13.92.230.65:1194 (si=3 op=P_ACK_V1)

And here is the OpenVPN-Server side

Thu Mar 12 15:04:11 2020 1.2.3.4:1024 TLS: Initial packet from [AF_INET]1.2.3.4:1024, sid=f40bb29d 57d6b04e
Thu Mar 12 15:04:13 2020 1.2.3.4:1024 TLS: new session incoming connection from [AF_INET]1.2.3.4:1024
Thu Mar 12 15:04:15 2020 1.2.3.4:1024 TLS: new session incoming connection from [AF_INET]1.2.3.4:1024
Thu Mar 12 15:05:11 2020 1.2.3.4:1024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 12 15:05:11 2020 1.2.3.4:1024 TLS Error: TLS handshake failed

I have change the public IP’s for safety. Any suggestions?

Thanks.

0

Viewing 7 replies - 1 through 7 (of 7 total)

Replies

- March 17, 2020 at 1:03 pm
- Quote
Up
0
Down

jrosetto
Participant

Am I the only one with this issue?

0
- March 18, 2020 at 2:00 pm
- Quote
Up
0
Down

jrosetto
Participant

So after testing with different Yealink phones and found that the older phones seem to be the ones having issues. I tested a SIP-T28P and it will not work. If I load the same config on a SIP-T29G everything connects and works fine. Is this an old MD5 encryption thing with the older phones? How can I tell what phones use the newer security profiles if that is the case?

0
- March 18, 2020 at 3:02 pm
- Quote
Up
0
Down

Jose Miguel Rivera
Keymaster

I think this issue is related to the OpenVPN version that phones are using.

0
- March 19, 2020 at 2:33 pm
- Quote
Up
0
Down

Nolhan
Participant

How to use a free VPN? Can you please help me?

0
- March 19, 2020 at 2:36 pm
- Quote
Up
0
Down

Rodrigo Cuadra
Keymaster

You can watch this video:

https://www.youtube.com/watch?v=dLdiQM40KDs

0
- March 25, 2020 at 3:54 pm
- Quote
Up
0
Down

DannyLarsen
Participant

I have spent many hours on this here is what I have found

Older Yealink phones like the T28 need Ver 2.73.0.50 (73) and will only work with:

sha1 (not sha256) hash algorithm, and dh1024 (not dh2048) certs

the openvpn server config file must also reference the location of dh1024 and certs

Also in the client vpn.cnf of the openvpn.tar file should look like this

client
setenv SERVER_POLL_TIMEOUT 4
nobind
proto udp
remote XXX.XXX.XXX.XXX
port 1194
dev tun
dev-type tun
persist-tun
persist-key
ns-cert-type server

comp-lzo yes

auth-retry nointeract

ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

If you have a mix of old and new yealink phones these lower encryption files can also be used on the T46S ver .8X – .84 phones but are less secure.

It is best to use then newer sha256 if you have all newer yealink phones T4X or T5X

0
- March 25, 2020 at 5:06 pm
- Quote
Up
0
Down

jrosetto
Participant

Posted by: @dannylarsen

I have spent many hours on this here is what I have found

Older Yealink phones like the T28 need Ver 2.73.0.50 (73) and will only work with:

sha1 (not sha256) hash algorithm, and dh1024 (not dh2048) certs

the openvpn server config file must also reference the location of dh1024 and certs

Also in the client vpn.cnf of the openvpn.tar file should look like this

client
setenv SERVER_POLL_TIMEOUT 4
nobind
proto udp
remote XXX.XXX.XXX.XXX
port 1194
dev tun
dev-type tun
persist-tun
persist-key
ns-cert-type server

comp-lzo yes

auth-retry nointeract

ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

If you have a mix of old and new yealink phones these lower encryption files can also be used on the T46S ver .8X – .84 phones but are less secure.

It is best to use then newer sha256 if you have all newer yealink phones T4X or T5X

Any way to accomplish this through the GUI or does this all have to be done by hand?

0