Yealink Forums
T21P OpenVPN - Printable Version

+- Yealink Forums (
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: Phone specific topic (/forumdisplay.php?fid=12)
+---- Forum: T2xP Series (/forumdisplay.php?fid=21)
+---- Thread: T21P OpenVPN (/showthread.php?tid=2756)

T21P OpenVPN - dlmc - 11-12-2014 11:51 PM

FW Version:

The Upload of openvpn.tar says it was successful.
The VPN=enable will not enable.

I have syslog enabled as level 6 (debug) and there is no indication of any problem that I can see.

$ tar -tf openvpn.tar
keys/ca.crt (2048bit RSA SHA1 self-signed)
keys/client.key (2048bit RSA SHA1 signed with ca.crt)

How do you get the enable to work and better some diagnostic output with a real error ?

RE: T21P OpenVPN - James_Yealink - 11-13-2014 12:15 AM

Hi Dlmc,

Can you attach the tar file and error syslog for a check?


RE: T21P OpenVPN - dlmc - 11-13-2014 03:10 AM

Hmm that makes no sense, the security data is meant to be private. I would need to generate a new CA and CLIENT certs to attach something.

The Yealink OpenVPN instructions are great and all, but what they really should consist of is a breakdown of the TAR file contents (with a working sample provided by Yealink) that can be used to prove an initial working state.

There is no clear indication of what feature set of OpenVPN is supported, like OpenVPN base version, what crypto support and version.

The instructions on how to compile kernels and OpenVPN and such are actually not very useful. I would not think many people do this but use a package manager to install openvpn.

The Web UI feedback about the upload of the file being successful is also not as useful a knowing the file uploaded, was processed and the contents found acceptable to install and then the installation succeeding.

The only thing in the syslog output is:

2014-11-12T15:52:45.432996+00:00 Log [357]: WEB <6+info > Upload VPN file success!

The other matter preventing enablement of OpenVPN support, after doing:
Login to Yealink T21P
Network -> Advanced
VPN [Upload VPN Config ... Browse]
Select the local path to the openvpn.tar file.
Click "Upload"
Get back browser alert dialog on screen "Upload VPN file success!" click "OK"
Click "OK" on the browser dialog above.
The web page now refreshes and reloads.

The problem here is that selecting
Network -> Advanced
VPN -> Active: Enabled
Clicking "Confirm"
Results in browser alert dialog "Please upload VPN config file first!"

This seems like JavaScript preventing the enable from being set. But due to the page reload between uploading the openvpn.tar and setting Active:Enabled it does not seen possible to enable it.

If I preform a system backup (Settings -> Configuration -> Export) the resulting "config.bin" file which is also a TAR file.

I can see my files with correct timestamp and file lengths in relation to my files, these are like factory/openvpn/vpn.conf and such.

Also note the ownership I set to root (uid=0) and root (gid=0) just in case there was an issue in that area.
Also the standard file permissions exist on the files, that is mode=0664 for vpn.conf, mode=0640 for *.crt and mode=0600 for *.key these are standard file system permissions for the files when they are created.
Providing the Yealink kernel runs openvpn client software as 'root' then everything should be fine.

RE: T21P OpenVPN - James_Yealink - 11-13-2014 03:43 PM

Hi Dlmc,

I attach a tar file sample please check. It contains necessry parameter.
I think your tar file is not compressed correclty.

Of course you can change or mask the private information of your tar file and then send it us. We jsut want to check the format and parameter in it.


RE: T21P OpenVPN - dlmc - 11-13-2014 08:46 PM

My openvpn.tar is an uncompressed TAR file as .tar (not a compressed TAR file, such as .tar.gz or .tar.bz2). There is no compression in use, so it can not be compressed incorrectly.

Looking at the sample you provided is also an uncompressed TAR file just like mine. So I do not think this is the issue.

RE: T21P OpenVPN - dlmc - 11-13-2014 10:41 PM

Ok the error is the filename "vpn.conf" in my TAR was wrong.

The file name needs to be "vpn.cnf".

RE: T21P OpenVPN - dlmc - 11-14-2014 02:34 AM

The only issue now is the server side refusing to verify the client certificate as valid. I am using RSA-2048bit+SHA1 so this isn't an issue with the MD5 signature hash being revoked by OpenSSL tooling defaults, nor the RSA-1024 being revoked. Both of these things are considered insecure now. I am using RSA-2048bit+SHA1 which is still allowed at this time.

UPDATE: This issue was resolved by not using a binary data type for the issue serial number, OpenVPN does not like this, it works fine with an integer serial number.