+- Yealink Forums (http://forum.yealink.com/forum)
+-- Forum: Dect Phone Series (/forumdisplay.php?fid=6)
+--- Forum: W52P (Wireless) (/forumdisplay.php?fid=23)
+--- Thread: W52P Openvpn with mikrotik (/showthread.php?tid=15052)
W52P Openvpn with mikrotik - info@quantiss.com - 05-15-2016 01:31 AM
Hello,
Seeking help on configuring the W52P (version 25.73.0.40 ) , openvpn features to connect to Mikrotik routerboard.
I have spent lots of time trying to figure out a working solution but all went into vain.
I was successful in making the W52P openvpn connect to Mikrotik however it is resetting every 72 seconds.
Even when it is connected the sip is not registering, there is no route from the W52P to my mikrotik.
My certificates were generated with openvpn and they were done according to Yealink manual.
The vpn.cnf file :
client
proto tcp
nobind
remote xxx.xxx.xxx.xxx
port 1194
dev tun
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key
auth-user-pass /config/openvpn/secret
comp-lzo
verb 6
I hope someone can help me with this task. My implementation depends on this feature.
RE: W52P Openvpn with mikrotik - info@quantiss.com - 05-15-2016 06:13 PM
update.
I changed from tun tcp to tun tap the situation is better now however I seem to still have a routing problem
vpn.cnf configuration file :
------------
client
setenv SERVER_POLL_TIMEOUT 4
nobind
persist-key
remote xxx.xxx.xxx.xxx
port 1194
proto tcp
; dev tun
dev tap
; persist-tun
ns-cert-type server
tls-client
pull
reneg-sec 604800
;sndbuf 100000
;rcvbuf 100000
auth-retry nointeract
comp-lzo no
verb 3
ping 10
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client1.crt
key /config/openvpn/keys/client1.key
auth-user-pass /config/openvpn/secret
cipher aes-128-cbc
redirect-gateway def1
route xx.xx.xx.0 255.255.255.0 < my openvpn lan on mikrotik
route xx.xx.xx.xx 255.255.255.0 < my voip segment on remote lan
-------------------------
I still cannot ping the yealink openvpn address
The yealink is not able to register
My connection openvpn is now stable no disconnections
RE: W52P Openvpn with mikrotik - enzain - 08-23-2016 09:17 PM
Hi,
Anythyng work on this device with mikrotik routers?
Wery need see example of working config on yealink and how configured mikrotik device
RE: W52P Openvpn with mikrotik - info@quantiss.com - 08-23-2016 09:52 PM
Hi,
OVPN of yealink does not work with Mikrotik, that was confirmed by yealink.
They claim that Mikrotik is the cause, in my opinion that is a false excuse.
Yealink answer :
------------------------------------------------------------------------------
From the server side, to calculate the MTU, the length of Ethernet frame is 59(non-standard) instead of 60, and from Yealink, our engineer cannot set the VPN configuration or release a new firmware to make it compatible, suggest you buy the extra Mikrotik router to fix the issue, hope your understanding.
I have to say sorry, since we already tried to find the potential causes about the issue, and the provided solutions all with no luck.
Our engineer told me that we cannot dig further.
-----------------------------------------------------------------------------
In conclusion the OPEN VPN advertised by Yealink will not work with Mikrotik at least for now until they get some serious pressure from fellow users.
RE: W52P Openvpn with mikrotik - Harms_Kubiak - 04-11-2021 06:25 AM
Hi,
sorry for riviving this old thread, but I had almost the same problem.
Now (today, 4 1/2 years later) it is working. I just want to share my config to everyone who will find this thread.
My phone is "Enterprise IP Phone SIP-T42G", I know: another model! Firmware version "29.82.0.20"
The Routerboard/MikroTik I use is "hex" "Model: RB750Gr3" with Firmware version "RouterOS v6.47.7 (stable)"
The content of vpn.cfg is:
Code:
client
nobind
remote FQDN-of-Server 1200 tcp
dev tun
dev-type tun
verb 3
resolv-retry infinite
persist-key
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key
auth-user-pass /config/openvpn/keys/auth-user-pass.txt
# here is the pbx I want to register/use; setting up the route
route 192.168.0.0 255.255.255.0
cipher AES-256-CBCDo not use
Code:
comp-lzoSure, improvements are needed. No Checking wether the server is the right is not a good way ... hint:
Code:
tls-remote / verify-x509-nameThe MikroTik OpenVPN-Server settings are:
Code:
[admin@VPN-Router] > /interface ovpn-server server print
enabled: yes
port: 1200
mode: ip
netmask: 24
mac-address: FE:26:01:xx:xx:xx
max-mtu: 1500
keepalive-timeout: 60
default-profile: default-encryption
certificate: Name-of-certificate
require-client-certificate: no
auth: sha1,md5
cipher: blowfish128,aes128,aes192,aes256Code:
[admin@VPN-Router] > /ppp profile print
Flags: * - default
0 * name="default" use-mpls=default use-compression=default use-encryption=default only-one=default change-tcp-mss=yes
use-upnp=default address-list="" on-up="" on-down=""
1 * name="default-encryption" local-address=192.168.210.1 remote-address=pool-OpenVPN use-mpls=default
use-compression=default use-encryption=yes only-one=default change-tcp-mss=yes use-upnp=default address-list=""
on-up="" on-down=""Code:
[admin@VPN-Router] > /ip pool print
# NAME RANGES
0 default-dhcp 192.168.88.10-192.168.88.254
1 pool-OpenVPN 192.168.210.10-192.168.210.99Sure, improvements are possible ... like removing auth:md5; cipher:blowfish ... feel free. I tested many configurations and "here and there is some dirt ..."
Some hints about debugging (at least my way)
- Instead of installing a syslog-server in my (windows)machine, I used "Wireshark". The phone (WebUI: Settings / Configuration / Syslog Server) was pointed to my machine and the Wireshark-capture-filter was set to "host IP-of-yealink" the display-filter was set to "syslog". So I got as less packets as possible . "syslog Level" has been set to "6" (instead of 3, default); "Enable" syslog ...
- So I was able to read the "syslog-data" easily. In Syslog I get all what the openvpn process writes out. So I was able to tweak the config-file step-by-step / error-by-error / warning-by-warning
- I "learned" to reboot the phone after uploading a new "openvpn.tar"-file
Problems on my way ...
- The docs (pdf and support-site) of Yealink I read did not offer which version of OpenVPN is installed in which Firmware-version of the phone
- I did not knew which certificate-signature-mechanism is "allowed/understood" in the implementation of Yealink. I have sha512. I know this is a problem in OpenVPN 2.3.6 (very old version)
- There are different informations about "auth-user-pass"-compatiblity in Yealink. Some users write: impossible. I found: Yealink had an example. So it should work ... MikroTik needs user/pass!
- Up to now I do not know wether it is possible to use <cert>...</cert>, <ca>...</ca> and <key>...</key> in the vpn.cfg instead of referencing the files in the /keys - folder . this is another test in the future.
- I did not found a list of compatible ciphers (like on the command line). So I went backward to the default of OpenVPN (BF-CBC; which is "blowfish 128 cbc" and "insecure") and tested one cipher after the other ...Code:
openvpn --show-ciphers
I spend many hours on this issue ...
... Now I have many different Yealink-phones to configure, cordless (dect), corded, ... Most of them are on a remote site ... Hopefully I will not loose the connection to the phones ...
Enjoy your own issue-digging ....