OpenVPN Yealink issues
- This topic has 7 replies, 5 voices, and was last updated 9 months, 3 weeks ago by jrosetto.
- March 12, 2020 at 7:09 pm
I am using the OpenVPN module and have everything set up and working properly with Fanvil phones. Yealink, on the other hand, doesn't want to work. Here are the errors on the phone side.
Mar 12 19:01:59 openvpn[444]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mar 12 19:01:59 openvpn[444]: Re-using SSL/TLS context
Mar 12 19:01:59 openvpn[444]: LZO compression initialized
Mar 12 19:01:59 openvpn[444]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mar 12 19:01:59 openvpn[444]: Socket Buffers: R=[114688->131072] S=[114688->131072]
Mar 12 19:01:59 openvpn[444]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Mar 12 19:01:59 openvpn[444]: Local Options hash (VER=V4): '22188c5b'
Mar 12 19:01:59 openvpn[444]: Expected Remote Options hash (VER=V4): 'a8f55717'
Mar 12 19:01:59 openvpn[444]: UDPv4 link local: [undef]
Mar 12 19:01:59 openvpn[444]: UDPv4 link remote: 2.3.4.5:1194
Mar 12 19:01:59 openvpn[444]: TLS: Initial packet from 2.3.4.5:1194, sid=fb32116d 5892ad3c
Mar 12 19:01:59 openvpn[444]: VERIFY ERROR: depth=1, error=certificate signature failure: /CN=CA
Mar 12 19:01:59 openvpn[444]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mar 12 19:01:59 openvpn[444]: TLS Error: TLS object -> incoming plaintext read error
Mar 12 19:01:59 openvpn[444]: TLS Error: TLS handshake failed
Mar 12 19:01:59 openvpn[444]: TCP/UDP: Closing socket
Mar 12 19:01:59 openvpn[444]: SIGUSR1[soft,tls-error] received, process restarting
Mar 12 19:01:59 openvpn[444]: Restart pause, 2 second(s)
Mar 12 19:02:02 openvpn[444]: TLS Error: Unroutable control packet received from 13.92.230.65:1194 (si=3 op=P_CONTROL_V1)
Mar 12 19:02:04 openvpn[444]: TLS Error: Unroutable control packet received from 13.92.230.65:1194 (si=3 op=P_ACK_V1)
And here is the OpenVPN server side:
Thu Mar 12 15:04:11 2020 1.2.3.4:1024 TLS: Initial packet from [AF_INET]1.2.3.4:1024, sid=f40bb29d 57d6b04e
Thu Mar 12 15:04:13 2020 1.2.3.4:1024 TLS: new session incoming connection from [AF_INET]1.2.3.4:1024
Thu Mar 12 15:04:15 2020 1.2.3.4:1024 TLS: new session incoming connection from [AF_INET]1.2.3.4:1024
Thu Mar 12 15:05:11 2020 1.2.3.4:1024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Thu Mar 12 15:05:11 2020 1.2.3.4:1024 TLS Error: TLS handshake failed
I have changed the public IPs for safety. Any suggestions?
Thanks.
- Replies
- March 18, 2020 at 2:00 pm
So after testing with different Yealink phones, I found that the older phones seem to be the ones having issues. I tested a SIP-T28P and it will not work. If I load the same config on a SIP-T29G, everything connects and works fine. Is this an old MD5 encryption thing with the older phones? How can I tell what phones use the newer security profiles, if that is the case?
- March 18, 2020 at 3:02 pm
- March 19, 2020 at 2:33 pm
- March 19, 2020 at 2:36 pm
- March 25, 2020 at 3:54 pm
I have spent many hours on this; here is what I have found.
Older Yealink phones like the T28 need Ver 2.73.0.50 (73) and will only work with:
sha1 (not sha256) hash algorithm, and dh1024 (not dh2048) certs
The openvpn server config file must also reference the location of dh1024 and the certs.
Also, the client vpn.cnf in the openvpn.tar file should look like this:

client
setenv SERVER_POLL_TIMEOUT 4
nobind
proto udp
remote XXX.XXX.XXX.XXX
port 1194
dev tun
dev-type tun
persist-tun
persist-key
ns-cert-type server
comp-lzo yes
auth-retry nointeract
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

If you have a mix of old and new Yealink phones, these lower-encryption files can also be used on the T46S ver .8X – .84 phones, but they are less secure.
It is best to use the newer sha256 if you have all newer Yealink phones (T4X or T5X).
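The finding above (a SHA-1 signed chain plus 1024-bit DH for the older firmware, SHA-256 plus 2048-bit DH for newer phones) comes down to two fields in the generated files: the signature algorithm OID in the certificate and the size of the DH prime. The following Python is an added example, not code from this thread or from VitalPBX; it reads those two fields from PEM files with a minimal DER reader so you can confirm which profile a given ca.crt / dh*.pem pair will give a phone before loading it. The `constructed_cert` and `constructed_dh` helpers build placeholder inputs (not real certificates or primes) purely so the block runs offline; point `signature_algorithm` and `dh_modulus_bits` at your real files instead.

```python
"""Report a certificate's signature hash and a DH parameter file's modulus
size using only the standard library.  Added example; not from the thread."""
import base64
import re

# Well-known signature algorithm OIDs (PKCS#1).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}


def pem_to_der(pem: str) -> bytes:
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = re.sub(r"-----[A-Z ]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Turn OID content bytes into dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_pem: str) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Return the name (or raw OID) of the outer signatureAlgorithm field."""
    tag, cert, _ = read_tlv(pem_to_der(cert_pem), 0)
    assert tag == 0x30, "not a SEQUENCE"
    _, _tbs, pos = read_tlv(cert, 0)       # skip tbsCertificate
    _, alg, _ = read_tlv(cert, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg, 0)         # its first element is the OID
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)


def dh_modulus_bits(dh_pem: str) -> int:
    """DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }; bit length of p."""
    _, params, _ = read_tlv(pem_to_der(dh_pem), 0)
    tag, p, _ = read_tlv(params, 0)
    assert tag == 0x02, "expected INTEGER"
    return int.from_bytes(p, "big").bit_length()


def legacy_yealink_profile(cert_pem: str, dh_pem: str) -> dict:
    """Apply the thread's finding: the T28-class firmware needs a SHA-1 signed
    chain and 1024-bit DH; anything else is the sha256/dh2048 profile."""
    alg, bits = signature_algorithm(cert_pem), dh_modulus_bits(dh_pem)
    return {"signature": alg, "dh_bits": bits,
            "legacy_ok": alg == "sha1WithRSAEncryption" and bits == 1024}


# ---- constructed sample inputs (placeholders, not real crypto material) ----
def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder (short- and long-form lengths)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def to_pem(label: str, raw: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.encodebytes(raw).decode()}-----END {label}-----\n"


def constructed_cert(sig_oid: str) -> str:
    """CONSTRUCTED: tbsCertificate is an empty SEQUENCE and the signature is
    empty; only the outer signatureAlgorithm field is meaningful."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    return to_pem("CERTIFICATE", der(0x30, der(0x30, b"") + alg + der(0x03, b"\x00")))


def constructed_dh(bits: int) -> str:
    """CONSTRUCTED: p is an odd placeholder of the requested size, not a prime."""
    pb = ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    if pb[0] & 0x80:
        pb = b"\x00" + pb                  # DER INTEGER is signed; keep p positive
    return to_pem("DH PARAMETERS", der(0x30, der(0x02, pb) + der(0x02, b"\x02")))


if __name__ == "__main__":
    print(legacy_yealink_profile(constructed_cert("1.2.840.113549.1.1.5"), constructed_dh(1024)))
    print(legacy_yealink_profile(constructed_cert("1.2.840.113549.1.1.11"), constructed_dh(2048)))
```

On a real deployment, `open("ca.crt").read()` and `open("dh1024.pem").read()` are the inputs; the reader only touches the outer certificate structure, so it works on any X.509 certificate regardless of the extensions inside the tbsCertificate.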
- March 25, 2020 at 5:06 pm
Posted by: @dannylarsen
> I have spent many hours on this; here is what I have found.
> Older Yealink phones like the T28 need Ver 2.73.0.50 (73) and will only work with:
> sha1 (not sha256) hash algorithm, and dh1024 (not dh2048) certs
> The openvpn server config file must also reference the location of dh1024 and the certs.
> Also, the client vpn.cnf in the openvpn.tar file should look like this:
>
> client
> setenv SERVER_POLL_TIMEOUT 4
> nobind
> proto udp
> remote XXX.XXX.XXX.XXX
> port 1194
> dev tun
> dev-type tun
> persist-tun
> persist-key
> ns-cert-type server
> comp-lzo yes
> auth-retry nointeract
> ca /config/openvpn/keys/ca.crt
> cert /config/openvpn/keys/client.crt
> key /config/openvpn/keys/client.key
>
> If you have a mix of old and new Yealink phones, these lower-encryption files can also be used on the T46S ver .8X – .84 phones, but they are less secure.
> It is best to use the newer sha256 if you have all newer Yealink phones (T4X or T5X).
Any way to accomplish this through the GUI or does this all have to be done by hand?