[SOLVED] OpenVPN not doing anything T42G V83

[Danariel]

Hello,
I've been searching in the forum and Google about how to configure properly the server and the phone to connect using OpenVPN.

The server is running OpenVPN 2.4.4
I've created the keys using easy-rsa3 with the option nopass and using the SHA1 method
As an additional information, the server is an AWS and I've tested to connect with a local openVPN client and the tunnel and IP assignation is done correctly
OpenSSL in the server is 1.0.2k

Code:

server.conf

local xx.xx.xx.xx
port 1194
proto udp
dev tun
tls-server
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
status openvpn-status.log
;log openvpn.log

The phone is a T42G running the firmware 29.83.0.50
From the logs, the version of OpenVPN running is 2.4.2

For the phone, I've created the folder keys, put the certs inside and the vpn.cnf outside. Then using tar -cvpf (as told in the PDF from yealink) I create the tar file and uploaded to the phone. After upload, the field changes to vpn.cnf
What I don't know if the certificates have been imported correctly because I don't know if there is a way to check the files structure of the phone and search them.

Code:

vpn.cnf

client
dev tun
proto udp
port 1194
remote xx.xx.xx.xx
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/phone.crt
key /config/openvpn/keys/phone.key
comp-lzo
verb3

As additional information, I've been writing the vpn.cnf line by line and uploading it to the phone and then rebooting to check the logs.
Errors appear only if the remote/port/proto and the keys are missing
After that, if the command is correct for OpenVPN, no error is shown except for the one below:
openvpn[1118]: OpenVPN 2.4.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] built on

I've seen the option
auth SHA1
I'm not sure if it's needed to specify the "auth SHA1" or it's the default

Hope that's all the information needed to explain my problem
Thanks in advance for any help

[jolouis]

What are you seeing on the server? i.e. does the server show the phone even trying to connect, is it rejecting it, or?
Turn logging up on the server, reload, then try and see what happens.

For the phone itself you can increase the overall log level under settings->Log Level. Turn that up to 6 and you should see all kinds of messages about OpenVPN doing stuff.

Check both of those and see if any obvious errors or messages stand out.

[Danariel]

Thanks for the answer jolouis
the logs boot and sys at level 6 are showing:

Code:

<134>Aug  2 00:00:09 sys [939]: SYS <6+info  > run openvpn
<132>Aug  2 00:00:09 ATP [997]: ATP <4+warnin> Network check fail, sleep 1s
<134>Aug  2 00:00:09 sys [939]: LLDP<6+info  > proto LLDP, multicast filter for <add> success.
<134>Aug  2 00:00:09 sys [939]: LLDP<6+info  > proto CDPv2, multicast filter for <add> success.
<134>Aug  2 00:00:09 sua [1014]: APP <6+info  > [SIP] <IPC_rcv >:msg:0x00000004, wparam:0x00000001, lparam:0xc4097a18, id:Undefined recv msg string
<134>Aug  2 00:00:09 sua [1014]: APP <6+info  > [SIP] <IPC_rcv >:msg:0x00000084, wparam:0x00000013, lparam:0x00000000, id:Undefined recv msg string
<133>Aug  2 00:00:09 ipvp[1008]: IPVP<5+notice> 009.746.986:Message=0x00000004(0x00000001+0xc4097a18+0)
<133>Aug  2 00:00:09 ipvp[1008]: IPVP<5+notice> 009.936.253:Message=0x00000084(0x00000013+0x00000000+0)
<29>Aug  2 00:00:09 openvpn[1118]: OpenVPN 2.4.2 arm-unknown-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] built on Oct 20 2017
<134>Aug  2 00:00:09 sua [1014]: APP <6+info  > [SIP] <IPC_rcv >:msg:0x00000004, wparam:0x00000000, lparam:0xc4097a18, id:Undefined recv msg string
<134>Aug  2 00:00:09 sua [1014]: APP <6+info  > [SIP] <IPC_rcv >:msg:0x00000085, wparam:0x00000013, lparam:0x00000000, id:Undefined recv msg string
<133>Aug  2 00:00:09 ipvp[1008]: IPVP<5+notice> 009.964.082:Message=0x00000004(0x00000000+0xc4097a18+0)
<133>Aug  2 00:00:09 ipvp[1008]: IPVP<5+notice> 009.964.777:Message=0x00000085(0x00000013+0x00000000+0)
<134>Aug  2 00:00:09 sys [939]: SRV <6+info  > arm_set_lan_port
<134>Aug  2 00:00:09 sys [939]: SYS <6+info  > close pc port
<134>Aug  2 00:00:09 sys [939]: SRV <6+info  > arm_set_port_speed
<134>Aug  2 00:00:09 sys [939]: SRV <6+info  > lan_link_mode 0
<131>Aug  2 00:00:09 sys [939]: SRV <3+error > set net 1 interface, bsp speed 100, level 4: bsw level success.
<132>Aug  2 00:00:09 sys [939]: SYS <4+warnin> set lan speed 100, level 4
<131>Aug  2 00:00:09 sys [939]: SRV <3+error > Command Failed, EMAC_SIOCG_SPEED

Other than that there is no mention of the certificate files, the ip of the VPN server or any info that I can link with an attempt to connect to the VPN

I've re-created all the certificates (the server's and phone's) and created a new conf file with the same content but using the port 1195 instead
The server is waiting incoming connections. Just showing the message "Initialization Sequence Complete". I've checked all the process to start the server an no error is visible. Then I tried to connect with the same certificates but from a laptop and the server receives the connection and assigns the tunnel and IP.
Both the laptop and the phone are in the same network and using the same public IP and router to go out to internet, so it's not a problem of firewall block or blocked IP from the other end.

Any other suggestion?
Downgrade the firmware and check if the V82 or V81 versions are working?

Thanks in advance

EDIT: I tested to edit the routes in the vpn.cnf file to see if there was any error message as "file not found" or something, but it's accepting all the routes:
- /yealink/config/openvpn/keys
- /config/openvpn/keys
- /openvpn/keys
- /keys

The error message about CA or crt file missing is only if there is no entry in the vpn.cnf and not a file checking?
In that way, if the file is not present you don't receive an error message?

I've also changed the name of the ca file to ca1 and there is no error message

[Danariel]

I'm going to close the thread because I solved it just downgrading the firmware of the phone to the V82
I don't know if there is a workaround with the V83, but I'd not found it.
No explicit error message so no specific fix.
Thanks for the comment.
At least I'd learnt a lot about the commands to configure the server and client and now I know what commands are going to be deprecated (like the comp-lzo that is now compress -> V82 still needs comp-lzo)

[benaam433]

If you saw this problem in the future then you should try another VPN like X VPN Premium Version instead of updating the firmware of the phone. Because updaing the firmware takes a lot of time. So changing a VPN is an easy process.
Hope, it will help you in future if you saw this problem again.
Regards,
Benaam

[jamesg224]

I am also having this issues and a downgrade to 29.82.0.20 solved the problem. The issue appeared in all V83 firmware. Is there a different way of configuring the VPN for T42 V83?