OpenVPN Yealink issues

  • Post
    jrosetto
    Participant

    I am using the OpenVPN module and have everything set up and working properly with Fanvil phones. Yealink on the other hand doesn't want to work. Here are the errors on the phone side.

    Mar 12 19:01:59 openvpn[444]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
    Mar 12 19:01:59 openvpn[444]: Re-using SSL/TLS context
    Mar 12 19:01:59 openvpn[444]: LZO compression initialized
    Mar 12 19:01:59 openvpn[444]: Control Channel MTU parms [ L:1558 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Mar 12 19:01:59 openvpn[444]: Socket Buffers: R=[114688->131072] S=[114688->131072]
    Mar 12 19:01:59 openvpn[444]: Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
    Mar 12 19:01:59 openvpn[444]: Local Options hash (VER=V4): '22188c5b'
    Mar 12 19:01:59 openvpn[444]: Expected Remote Options hash (VER=V4): 'a8f55717'
    Mar 12 19:01:59 openvpn[444]: UDPv4 link local: [undef]
    Mar 12 19:01:59 openvpn[444]: UDPv4 link remote: 2.3.4.5:1194
    Mar 12 19:01:59 openvpn[444]: TLS: Initial packet from 2.3.4.5:1194, sid=fb32116d 5892ad3c
    Mar 12 19:01:59 openvpn[444]: VERIFY ERROR: depth=1, error=certificate signature failure: /CN=CA
    Mar 12 19:01:59 openvpn[444]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    Mar 12 19:01:59 openvpn[444]: TLS Error: TLS object -> incoming plaintext read error
    Mar 12 19:01:59 openvpn[444]: TLS Error: TLS handshake failed
    Mar 12 19:01:59 openvpn[444]: TCP/UDP: Closing socket
    Mar 12 19:01:59 openvpn[444]: SIGUSR1[soft,tls-error] received, process restarting
    Mar 12 19:01:59 openvpn[444]: Restart pause, 2 second(s)

    Mar 12 19:02:02 openvpn[444]: TLS Error: Unroutable control packet received from 13.92.230.65:1194 (si=3 op=P_CONTROL_V1)
    Mar 12 19:02:04 openvpn[444]: TLS Error: Unroutable control packet received from 13.92.230.65:1194 (si=3 op=P_ACK_V1)

    And here is the OpenVPN-Server side

    Thu Mar 12 15:04:11 2020 1.2.3.4:1024 TLS: Initial packet from [AF_INET]1.2.3.4:1024, sid=f40bb29d 57d6b04e
    Thu Mar 12 15:04:13 2020 1.2.3.4:1024 TLS: new session incoming connection from [AF_INET]1.2.3.4:1024
    Thu Mar 12 15:04:15 2020 1.2.3.4:1024 TLS: new session incoming connection from [AF_INET]1.2.3.4:1024
    Thu Mar 12 15:05:11 2020 1.2.3.4:1024 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
    Thu Mar 12 15:05:11 2020 1.2.3.4:1024 TLS Error: TLS handshake failed

    I have changed the public IPs for safety. Any suggestions?

    Thanks.

  • Replies
    jrosetto
    Participant

    Am I the only one with this issue?

    jrosetto
    Participant

    So after testing with different Yealink phones, I found that the older phones seem to be the ones having issues. I tested a SIP-T28P and it will not work. If I load the same config on a SIP-T29G everything connects and works fine. Is this an old MD5 encryption thing with the older phones? How can I tell what phones use the newer security profiles if that is the case?


    I think this issue is related to the OpenVPN version that phones are using.

    Nolhan
    Participant

    How to use a free VPN? Can you please help me?

    DannyLarsen
    Participant

    I have spent many hours on this; here is what I have found:

    Older Yealink phones like the T28 need Ver 2.73.0.50 (73) and will only work with:

    sha1 (not sha256) hash algorithm, and dh1024 (not dh2048) certs

    The OpenVPN server config file must also reference the location of dh1024 and certs.

    Also, the client vpn.cnf in the openvpn.tar file should look like this:

    client
    setenv SERVER_POLL_TIMEOUT 4
    nobind
    proto udp
    remote XXX.XXX.XXX.XXX
    port 1194
    dev tun
    dev-type tun
    persist-tun
    persist-key
    ns-cert-type server

    comp-lzo yes

    auth-retry nointeract

    ca /config/openvpn/keys/ca.crt
    cert /config/openvpn/keys/client.crt
    key /config/openvpn/keys/client.key

    If you have a mix of old and new Yealink phones, these lower encryption files can also be used on the T46S ver .8X – .84 phones but are less secure.

    It is best to use the newer sha256 if you have all newer Yealink phones T4X or T5X.

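A small triage helper for the phone-side log in the first post, added here as an example (it is not code from any poster or from VitalPBX): it pulls out each `VERIFY ERROR` line, reports which certificate in the chain failed, and attaches a hint on what to check. The names `triage` and `HINTS` are made up for this example, and the hints other than the signature-failure one go beyond what the thread covers.

```python
import re

# Sample input: phone-side lines taken from the log in the first post.
PHONE_LOG = """\
Mar 12 19:01:59 openvpn[444]: TLS: Initial packet from 2.3.4.5:1194, sid=fb32116d 5892ad3c
Mar 12 19:01:59 openvpn[444]: VERIFY ERROR: depth=1, error=certificate signature failure: /CN=CA
Mar 12 19:01:59 openvpn[444]: TLS_ERROR: BIO read tls_read_plaintext error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Mar 12 19:01:59 openvpn[444]: TLS Error: TLS handshake failed
"""

# depth, OpenSSL verify error text, certificate subject
VERIFY_RE = re.compile(r"VERIFY ERROR: depth=(\d+), error=(.+?): (/\S.*)$")

# OpenSSL verify error text -> what to check. The first hint follows the
# finding reported in this thread; the rest are general OpenSSL meanings.
HINTS = {
    "certificate signature failure":
        "client could not verify the signature on this certificate; compare its "
        "signature hash (openssl x509 -noout -text) with what the phone firmware supports",
    "certificate has expired": "check notAfter and the phone's clock",
    "certificate is not yet valid": "check notBefore and the phone's clock (NTP)",
    "unable to get local issuer certificate":
        "the ca file on the phone does not contain the issuing CA",
}

def triage(log_text):
    """Return one finding per VERIFY ERROR line in an OpenVPN client log."""
    findings = []
    for line in log_text.splitlines():
        m = VERIFY_RE.search(line)
        if not m:
            continue
        depth, error = int(m.group(1)), m.group(2)
        findings.append({
            "depth": depth,
            # depth 0 is the server's own certificate; higher depths are its issuers
            "failed_cert": "server certificate" if depth == 0 else "issuer (CA) certificate",
            "subject": m.group(3),
            "error": error,
            "hint": HINTS.get(error, "see the OpenSSL verify documentation"),
        })
    return findings

if __name__ == "__main__":
    for f in triage(PHONE_LOG):
        print(f"{f['failed_cert']} {f['subject']}: {f['error']} -> {f['hint']}")
```
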
    jrosetto
    Participant
    Posted by: @dannylarsen

    I have spent many hours on this; here is what I have found:

    Older Yealink phones like the T28 need Ver 2.73.0.50 (73) and will only work with:

    sha1 (not sha256) hash algorithm, and dh1024 (not dh2048) certs

    The OpenVPN server config file must also reference the location of dh1024 and certs.

    Also, the client vpn.cnf in the openvpn.tar file should look like this:

    client
    setenv SERVER_POLL_TIMEOUT 4
    nobind
    proto udp
    remote XXX.XXX.XXX.XXX
    port 1194
    dev tun
    dev-type tun
    persist-tun
    persist-key
    ns-cert-type server

    comp-lzo yes

    auth-retry nointeract

    ca /config/openvpn/keys/ca.crt
    cert /config/openvpn/keys/client.crt
    key /config/openvpn/keys/client.key

    If you have a mix of old and new Yealink phones, these lower encryption files can also be used on the T46S ver .8X – .84 phones but are less secure.

    It is best to use the newer sha256 if you have all newer Yealink phones T4X or T5X.

    Any way to accomplish this through the GUI or does this all have to be done by hand?
