Hi I know this phone is pretty old now, but I'm not in the habit of replacing business phones every few years. I have an off site employee that we gave a T28P phone to that has been connecting through openvpn for a couple of years now with no problem. My office firewall is pfSense and was using the 2.6 release with the yealink 2.73.0.50 firmware.
My issue came out when I updated pfSense to v2.7 that updated openvpn. Now I get the following error in the phone log:
Code:
Jul 17 22:16:33 openvpn[439]: TLS Error: TLS handshake failed
Jul 17 22:16:33 openvpn[439]: SIGUSR1[soft,tls-error] received, process restarting
Jul 17 22:16:35 openvpn[439]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jul 17 22:16:35 openvpn[439]: Re-using SSL/TLS context
Jul 17 22:16:35 openvpn[439]: UDPv4 link local (bound): [undef]:1194
Jul 17 22:16:35 openvpn[439]: UDPv4 link remote: 76.XXX.XXX.XX:1197
and get this in my firewall log:
Code:
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS error: Unsupported protocol. This typically indicates that client and server have no common TLS version enabled. This can be caused by mismatched tls-version-min and tls-version-max options on client and server. If your OpenVPN client is between v2.3.6 and v2.3.2 try adding tls-version-min 1.0 to the client configuration to use TLS 1.0+ instead of TLS 1.0 only
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 OpenSSL: error:14209102:SSL routines:tls_early_post_process_client_hello:unsupported protocol
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS_ERROR: BIO read tls_read_plaintext error
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS Error: TLS object -> incoming plaintext read error
Jul 17 15:15:33 openvpn 55123 98.XXX.XXX.XXX:1194 TLS Error: TLS handshake failed
My guess is that the phone is using an old version of openvpn because the same configuration worked before. Here's a copy of my vpn.cnf:
Code:
remote XXX.XXXXX.com 1197 udp
dev tun
persist-tun
persist-key
##ncp-ciphers AES-128-CBC:AES-256-CBC
cipher AES-128-CBC
auth SHA1
tls-client
client
resolv-retry infinite
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client1.crt
key /yealink/config/openvpn/keys/client1.key
remote-cert-tls server
explicit-exit-notify
auth-nocache
I've also tried a number of different ciphers that didn't work (BF-CBC, CF-CFB, AES-256-CBC, AES-128-GCM).
Any suggestions would be greatly appreciated!