Yealink Forums
T28P - OpenVPN TLS error: Unsupported protocol - Printable Version

+- Yealink Forums (
+-- Forum: IP Phone Series (/forumdisplay.php?fid=4)
+--- Forum: Phone specific topic (/forumdisplay.php?fid=12)
+---- Forum: T2xP Series (/forumdisplay.php?fid=21)
+---- Thread: T28P - OpenVPN TLS error: Unsupported protocol (/showthread.php?tid=46774)

T28P - OpenVPN TLS error: Unsupported protocol - 1sae - 07-18-2023 06:50 AM

Hi I know this phone is pretty old now, but I'm not in the habit of replacing business phones every few years. I have an off site employee that we gave a T28P phone to that has been connecting through openvpn for a couple of years now with no problem. My office firewall is pfSense and was using the 2.6 release with the yealink firmware.

My issue came out when I updated pfSense to v2.7 that updated openvpn. Now I get the following error in the phone log:

Jul 17 22:16:33 openvpn[439]: TLS Error: TLS handshake failed
Jul 17 22:16:33 openvpn[439]: SIGUSR1[soft,tls-error] received, process restarting
Jul 17 22:16:35 openvpn[439]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 17 22:16:35 openvpn[439]: Re-using SSL/TLS context
Jul 17 22:16:35 openvpn[439]: UDPv4 link local (bound): [undef]:1194
Jul 17 22:16:35 openvpn[439]: UDPv4 link remote: 76.XXX.XXX.XX:1197

and get this in my firewall log:
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 TLS_ERROR: BIO read tls_read_plaintext error
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 TLS Error: TLS object -> incoming plaintext read error
Jul 17 15:15:33     openvpn     55123     98.XXX.XXX.XXX:1194 TLS Error: TLS handshake failed

My guess is that the phone is using an old version of openvpn because the same configuration worked before. Here's a copy of my vpn.cnf:
remote 1197 udp
dev tun
##ncp-ciphers AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
auth SHA1
resolv-retry infinite
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client1.crt
key /yealink/config/openvpn/keys/client1.key
remote-cert-tls server

I've also tried a number of different ciphers that didn't work (BF-CBC, CF-CFB, AES-256-CBC, AES-128-GCM).

Any suggestions would be greatly appreciated!