Yealink Forums
[FAQ]Frequently Asked Questions of OpenVPN - Printable Version



[FAQ]Frequently Asked Questions of OpenVPN - Yealink Support - 05-30-2014 07:17 PM

Phone can’t connect to OpenVPN server

(1). Check that the OpenVPN server is running successfully

Under normal circumstances, the OpenVPN icon in the task bar will show green once the VPN server is up and running. If you move the mouse over the icon, you can see the virtual IP address of the OpenVPN server, as in the following figure:

[Image: attachment.php?aid=768]

(2). Check the phone’s OpenVPN.tar

Decompress your or your customer's OpenVPN.tar file. You should find a keys directory and a vpn.cnf file (the directory must be named keys and the profile must be named vpn.cnf; these names must not be changed), as in the following figure:

[Image: attachment.php?aid=769]

(3). Check whether the client keys and vpn.cnf match

Enter the keys directory. The names of the ca, crt and key certificates referenced in vpn.cnf should be consistent with the names of the three files in the directory.

[Image: attachment.php?aid=770]

(4). Check whether server.ovpn and vpn.cnf match

The configuration items in the client file marked with the red arrows should be consistent with the server.

[Image: attachment.php?aid=771]

(5). Check the validity of certificates

Make sure the phone's time is within the validity period of the certificates.
If not, please rebuild the certificates or change the phone's time.

[Image: attachment.php?aid=775]
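
Checks (2) and (3) above, as an added example that is not part of the original post and is not Yealink tooling: it confirms that the archive holds vpn.cnf and a keys directory, and that every file named by ca, cert and key in vpn.cnf exists in keys. The sample profile, its /config/openvpn/keys/ path and the file names are constructed assumptions.

```python
import io
import re
import tarfile

def check_openvpn_tar(data: bytes) -> list[str]:
    """Return the problems found in a phone's OpenVPN.tar (empty list = OK)."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        # Normalise "./keys/ca.crt" and "keys/ca.crt" to the same name.
        files = {re.sub(r"^(\./)+", "", m.name): m for m in tar if m.isfile()}
        if "vpn.cnf" not in files:
            return ["vpn.cnf is missing from the top level of the archive"]
        key_files = {n[len("keys/"):] for n in files if n.startswith("keys/")}
        if not key_files:
            problems.append("keys directory is missing or empty")
        cnf = tar.extractfile(files["vpn.cnf"]).read().decode("utf-8", "replace")
    for line in cnf.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) >= 2 and words[0] in ("ca", "cert", "key"):
            # Only the file name is compared; the directory part is the phone's path.
            name = re.split(r"[\\/]", words[1].strip('"'))[-1]
            if name not in key_files:
                problems.append(f"{words[0]} refers to {name}, not found in keys/")
    return problems

def build_tar(cnf_text: str, key_names: list[str]) -> bytes:
    """Build a constructed OpenVPN.tar in memory for the demonstration."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        entries = [("vpn.cnf", cnf_text)] + [(f"keys/{k}", "x") for k in key_names]
        for name, body in entries:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body.encode()))
    return buf.getvalue()

# Constructed sample profile; the /config/openvpn/keys/ path is an assumption.
SAMPLE_CNF = """client
dev tun
remote 203.0.113.10 1194
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client1.crt
key /config/openvpn/keys/client1.key
"""

if __name__ == "__main__":
    # The key file is deliberately misnamed, so one problem is reported.
    print(check_openvpn_tar(build_tar(SAMPLE_CNF, ["ca.crt", "client1.crt", "client.key"])))
```
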


RE: [FAQ]Frequently Asked Questions of OpenVPN - Yealink Support - 05-30-2014 07:34 PM

(6). Check the signature hash algorithm of the certificates

Yealink phones currently support the md5 and sha1 signature hash algorithms.
We don't support sha256 now. (V80 will add it.)

[Image: attachment.php?aid=776]

Debugging registration issues

(1). Phone can connect to OpenVPN, but can’t register accounts

<1> Check whether the user's OpenVPN server has two network cards; you can ping the SIP server from the OpenVPN server.

<2> Check if the OpenVPN server has enabled TCP/IP forwarding.

<3> Check that Internet connection sharing is enabled.

<4> Check whether the OpenVPN server configuration file, server.ovpn, has granted the phone permission to access the SIP server's network segment.
For example:
If the SIP server IP address is 192.168.3.3, the OpenVPN server configuration file, server.ovpn, has this configuration:
push "route 192.168.3.0 255.255.255.0"

(2). Phone can’t register accounts via DNS-SRV

<1> Check whether you have configured the DNS server IP address in the OpenVPN server configuration file, server.ovpn.
(Check whether there is a similar configuration in server.ovpn:
push "dhcp-option DNS 10.2.1.1"
)

<2> Try pinging the IP address from the phone.

Debugging voice issues

(1). Phone has no sound when in a call

Some SIP servers that don’t set up the proxy pattern are no longer responsible for forwarding the RTP data between the two sides of the call once it is established. The RTP data will be transmitted directly between the two callers.

The phone can’t receive RTP packets because the OpenVPN server is not configured with the client-to-client option (this configuration allows two clients to communicate directly).

So please add the configuration item and restart the OpenVPN server.

(2). The voice quality is poor

<1> The problem is usually due to network conditions; a bad network, such as packet loss or delay, will reduce this issue.
<2> Another situation is that the OpenVPN log level of the phone is too high, which slows down the phone's processing speed.
Please set the log level in vpn.cnf to 3: verb 3

Commonly used OpenVPN configuration items and their functions

Common configurations
Code:
port 1194
# Change this value to use a port number other than the default of 1194.
proto udp
# Choose one of the protocols supported by OpenVPN. If left commented out,
# defaults to udp.
dev tun
# Enable 'dev tap' or 'dev tun' but not both!
dev-node MyTap
# If you have set up more than one TAP-Win32 adapter on your system, you
# must refer to it by name. Linux doesn't need this configuration.
comp-lzo
# Enable LZO compression.
verb 3
# Set log file verbosity.

Client configurations
Code:
nobind
# Most clients don't need to bind to a specific local port number.
auth-user-pass [file]
# Path of the file that stores the user name and password.
askpass [file]
# Path of the file that stores the password of the private key.

Server configurations
Code:
server 10.8.0.0 255.255.255.0
# Virtual IP network segment from which addresses are assigned to clients.
push "route 10.2.1.0 255.255.255.0"
# Push the private network segment that the phone may reach into its routing table.
push "dhcp-option DNS 10.2.1.1"
# Assign the DNS server address for the phone.
keepalive 20 60
# Ping the peer every 20 seconds and reconnect to the server after 60
# seconds without a reply.
client-to-client
# Allow two clients to communicate directly.
duplicate-cn
# Allow different clients to use the same certificate to connect to the VPN server.
client-cert-not-required
# Don't verify the client certificate; clients are then checked only by the
# user name and password script below.
auth-user-pass-verify ./checkpsw.sh via-env
# Script that verifies the user name and password supplied by the client.

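
The server-side checks from the registration and voice sections above, as an added example that is not part of the original posts: it reads a server.ovpn and reports whether a pushed route covers the SIP server, whether a DNS server is pushed, whether client-to-client is set, and whether a directive contains a typographic quote instead of a plain one. Both sample configurations are constructed, and the example assumes the SIP server sits on a private segment behind the OpenVPN server.

```python
import ipaddress
import shlex

def check_server_ovpn(text: str, sip_server_ip: str) -> list[str]:
    """Return the server-side findings for one server.ovpn (empty list = OK)."""
    sip = ipaddress.ip_address(sip_server_ip)
    route_ok = dns_pushed = client_to_client = False
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "\u201c" in line or "\u201d" in line:
            # Quotes pasted from a document or web page are not plain ASCII quotes.
            problems.append(f"line {no}: typographic quote in directive")
            continue
        try:
            words = shlex.split(line, comments=True)
            if words[:1] == ["client-to-client"]:
                client_to_client = True
            elif words[:1] == ["push"] and len(words) == 2:
                opt = words[1].split()
                if opt[:1] == ["route"] and len(opt) >= 3:
                    net = ipaddress.ip_network(f"{opt[1]}/{opt[2]}", strict=False)
                    route_ok = route_ok or sip in net
                elif opt[:2] == ["dhcp-option", "DNS"] and len(opt) == 3:
                    dns_pushed = True
        except ValueError:
            # Unbalanced quote, or a route that is not a valid network/netmask.
            problems.append(f"line {no}: cannot parse directive")
    if not route_ok:
        problems.append(f"no pushed route covers SIP server {sip}")
    if not dns_pushed:
        problems.append("no DNS server pushed (needed for DNS-SRV registration)")
    if not client_to_client:
        problems.append("client-to-client not set (direct RTP between phones)")
    return problems

# Constructed sample configurations, not taken from a real deployment.
GOOD = """server 10.8.0.0 255.255.255.0
push "route 192.168.3.0 255.255.255.0"
push "dhcp-option DNS 10.2.1.1"
client-to-client
"""
BAD = 'server 10.8.0.0 255.255.255.0\npush "route 192.168.3.0 255.255.255.0\u201d\n'

if __name__ == "__main__":
    for finding in check_server_ovpn(BAD, "192.168.3.3"):
        print(finding)
```
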