OpenVPN on Thirdlane PBX server for Yealink phones
In this article we are going to install OpenVPN on a Thirdlane PBX server. The server will be AlmaLinux 8, the preferred distribution for Thirdlane PBX at the time of writing.
Installing and configuring OpenVPN
## Install and enable EPEL, then install openvpn and easy-rsa and cd to /etc/openvpn/server. check-update only refreshes the repository metadata without installing packages; you can substitute dnf update if you like.
dnf install epel-release -y
dnf check-update
dnf install openvpn easy-rsa -y
cd /etc/openvpn/server
## Set up a new PKI, generate the Diffie-Hellman parameters and build the root CA certificate. build-ca asks for a passphrase; you will need it every time you sign a certificate with this CA, so keep it in a secure place. The 3.0.8 in the path is the easy-rsa version installed from EPEL; check /usr/share/easy-rsa/ if yours differs.
/usr/share/easy-rsa/3.0.8/easyrsa init-pki
/usr/share/easy-rsa/3.0.8/easyrsa gen-dh
/usr/share/easy-rsa/3.0.8/easyrsa build-ca
## Generate the server and client certificate requests and sign them with the CA. These commands are interactive (sign-req asks you to confirm and for the CA passphrase) and need to be entered one at a time. A single client certificate is generated here and shared by all phones.
/usr/share/easy-rsa/3.0.8/easyrsa gen-req server nopass
/usr/share/easy-rsa/3.0.8/easyrsa sign-req server server
/usr/share/easy-rsa/3.0.8/easyrsa gen-req client nopass
/usr/share/easy-rsa/3.0.8/easyrsa sign-req client client
## Configure /etc/openvpn/server/server.conf as follows. local is the server's LAN address. You can change the tunnel range on the server line, but the DNS address pushed to the phones, the dnsmasq record and the iptables DNS rule further down must then be changed to match.
# LAN address the server listens on
local 10.0.0.61
port 1194
proto udp
dev tun
# data channel cipher; must match the cipher line in the phone's vpn.cnf
cipher AES-128-CBC
# DNS server handed to the phones: the PBX's own address on the tunnel (first address of the server range)
push "dhcp-option DNS 10.8.0.1"
ca /etc/openvpn/server/pki/ca.crt
cert /etc/openvpn/server/pki/issued/server.crt
key /etc/openvpn/server/pki/private/server.key
dh /etc/openvpn/server/pki/dh.pem
# tunnel range; change it here and in the push, dnsmasq and iptables entries together
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
# phones may reach each other directly through the server
client-to-client
keepalive 10 120
persist-key
persist-tun
status openvpn-status.log
verb 3
# lowest TLS floor, kept for older phone firmware; raise to 1.2 if every phone supports it
tls-version-min 1.0
# management interface, reachable from localhost only and without authentication
management 127.0.0.1 5555
# every phone uses the single shared client certificate, so allow the same CN more than once;
# note that revoking that certificate cuts off all phones at once
duplicate-cn
## Test the server config in the foreground; there should be no errors at this point. Stop it with Ctrl-C before starting the service, otherwise the service cannot bind the port.
openvpn --config /etc/openvpn/server/server.conf --verb 3
## Start and enable the openvpn service. The "server" after the @ is the name of the config file (server.conf).
systemctl enable --now openvpn-server@server
systemctl status openvpn-server@server
Installing and configuring dnsmasq
dnf install dnsmasq -y
nano /etc/dnsmasq.conf
## Add this line to the end of /etc/dnsmasq.conf. It is the DNS record the phones resolve through the tunnel: the address must be the PBX's address on the tunnel interface, so it has to be in whatever range the server line in server.conf uses. You can add multiple records here.
# DNS entry to redirect PBX traffic
address=/pbx2.bnt.com/10.192.61.1
## Start and enable the dnsmasq service
systemctl enable --now dnsmasq.service
systemctl status dnsmasq.service
Open the OpenVPN and DNS ports in iptables
## AlmaLinux 8 uses firewalld by default, but Thirdlane disables it in favor of iptables. Let's make a backup of the current iptables rules and then edit the file.
cp /etc/sysconfig/iptables /etc/sysconfig/iptables.back
nano /etc/sysconfig/iptables
## Add these lines near the end of the file, before the final COMMIT line. The -s subnet on the DNS rule must be the tunnel range from the server line in server.conf, so that only VPN clients can query dnsmasq.
# Allow connections to Openvpn and dns ports
-A INPUT -p udp --dport 1194 -j ACCEPT
-A INPUT -p udp -s 10.192.61.0/24 --dport 53 -j ACCEPT
## Restart iptables and verify the changes
systemctl restart iptables
iptables -L
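The three files edited above (server.conf, dnsmasq.conf and the iptables rules) each carry a copy of the tunnel addressing, and the setup only works when they agree: phones get the pushed DNS address, dnsmasq must answer on that address, and the udp/53 rule must admit the tunnel subnet. The script below is an added check, not part of the original article or of Thirdlane's tooling. It parses the `server` line and the pushed DNS address from server.conf, the `address=` record from dnsmasq.conf and the `-s` subnet of the udp/53 rule from the iptables file, and reports any entry that lies outside the tunnel network. File paths are passed as arguments, so it can be run against copies. Run against the files exactly as shown in this article (10.8.0.0/24 on the server line, 10.192.61.x in the dnsmasq record and iptables rule) it reports two mismatches; pick one range and use it in all three places.

```shell
#!/bin/sh
# Added consistency check for the VPN/DNS addressing (not part of the article).
# Usage: check_vpn_dns.sh SERVER.CONF DNSMASQ.CONF IPTABLES_FILE
# Exit status 0: tunnel range, pushed DNS, dnsmasq record and iptables DNS rule agree.
# Exit status 1: at least one entry lies outside the tunnel network (details printed).

# Split a dotted quad into o1..o4.
split_ip() {
    o1=${1%%.*}; rest=${1#*.}
    o2=${rest%%.*}; rest=${rest#*.}
    o3=${rest%%.*}; o4=${rest#*.}
}

# prefix_to_mask 24 -> 255.255.255.0
prefix_to_mask() {
    p=$1; out=""
    for i in 0 8 16 24; do
        bits=$((p - i))
        if [ "$bits" -gt 8 ]; then bits=8; fi
        if [ "$bits" -lt 0 ]; then bits=0; fi
        out="$out.$(( (256 - (1 << (8 - bits))) % 256 ))"
    done
    echo "${out#.}"
}

# network_of 10.8.0.5 255.255.255.0 -> 10.8.0.0
network_of() {
    split_ip "$1"; a1=$o1; a2=$o2; a3=$o3; a4=$o4
    split_ip "$2"
    echo "$((a1 & o1)).$((a2 & o2)).$((a3 & o3)).$((a4 & o4))"
}

# Extractors for the four values the article spreads over three files.
server_net()   { awk '$1 == "server" { print $2; exit }' "$1"; }
server_mask()  { awk '$1 == "server" { print $3; exit }' "$1"; }
# push "dhcp-option DNS 10.8.0.1"  -> 10.8.0.1
pushed_dns()   { awk '$1 == "push" && $3 == "DNS" { gsub(/"/, "", $4); print $4; exit }' "$1"; }
# address=/pbx2.bnt.com/10.192.61.1 -> 10.192.61.1
dnsmasq_addr() { awk -F/ '/^address=/ { print $NF; exit }' "$1"; }
# -A INPUT -p udp -s 10.192.61.0/24 --dport 53 -j ACCEPT -> 10.192.61.0/24
dns_rule_src() { awk '/--dport 53/ { for (i = 1; i <= NF; i++) if ($i == "-s") { print $(i + 1); exit } }' "$1"; }

# in_tunnel IP MASK NET: true when IP (non-empty) falls inside NET/MASK.
in_tunnel() {
    if [ -z "$1" ]; then return 1; fi
    [ "$(network_of "$1" "$2")" = "$3" ]
}

check_vpn_dns_consistency() {
    net=$(server_net "$1"); mask=$(server_mask "$1")
    if [ -z "$net" ] || [ -z "$mask" ]; then
        echo "ERROR: no 'server NET MASK' line in $1"; return 1
    fi
    tunnel=$(network_of "$net" "$mask"); ok=0

    dns=$(pushed_dns "$1")
    if ! in_tunnel "$dns" "$mask" "$tunnel"; then
        echo "MISMATCH: pushed DNS '$dns' is not inside $tunnel/$mask"; ok=1
    fi
    rec=$(dnsmasq_addr "$2")
    if ! in_tunnel "$rec" "$mask" "$tunnel"; then
        echo "MISMATCH: dnsmasq record points at '$rec', outside $tunnel/$mask"; ok=1
    fi
    cidr=$(dns_rule_src "$3")
    rmask=$(prefix_to_mask "${cidr#*/}")
    if ! in_tunnel "${cidr%/*}" "$mask" "$tunnel" || [ "$rmask" != "$mask" ]; then
        echo "MISMATCH: iptables udp/53 rule allows '$cidr', tunnel is $tunnel/$mask"; ok=1
    fi
    if [ "$ok" -eq 0 ]; then echo "OK: all entries agree on $tunnel/$mask"; fi
    return "$ok"
}

# Run directly with the three file paths; sourced without arguments it only defines the functions.
if [ "$#" -eq 3 ]; then
    check_vpn_dns_consistency "$1" "$2" "$3"
fi
```

On the PBX itself this would be run as `sh check_vpn_dns.sh /etc/openvpn/server/server.conf /etc/dnsmasq.conf /etc/sysconfig/iptables`; it needs only sh, awk and read access to the three files, and it changes nothing.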
Setup Yealink OpenVPN client config
## Set up the directory for the client config. The folder structure of this directory matters: the phone expects vpn.cnf at the top level and the certificates in a keys subfolder, because it unpacks the archive under /config/openvpn/ and vpn.cnf refers to the keys by that path. The config file must be called vpn.cnf.
cd /etc/openvpn/server/
mkdir client
cd client
mkdir keys
## Copy the CA certificate, the client certificate and the client private key into the keys folder
cp /etc/openvpn/server/pki/ca.crt /etc/openvpn/server/client/keys/
cp /etc/openvpn/server/pki/issued/client.crt /etc/openvpn/server/client/keys/
cp /etc/openvpn/server/pki/private/client.key /etc/openvpn/server/client/keys/
## Configure /etc/openvpn/server/client/vpn.cnf
client
dev tun
proto udp
# address and port the phones reach the server at; phones outside the LAN need
# a public address or hostname that is forwarded to UDP 1194 on the server
remote 10.0.0.61 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# paths are where the phone unpacks the archive, not paths on the PBX
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key
# only accept a certificate issued for a server, so a host holding a copy of the
# shared client certificate cannot pose as the PBX
remote-cert-tls server
# must match the cipher line in server.conf
cipher AES-128-CBC
verb 3
## Package up the client files. Run tar from inside the client directory so that vpn.cnf and keys/ sit at the top level of the archive.
cd /etc/openvpn/server/client
tar -cvpf openvpn.tar *
## Next copy the openvpn.tar file off the server; you will upload it to the phone. It contains the client private key, so handle it like any other credential.
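A wrong archive layout only shows up as a phone that silently fails to connect, so it is worth checking the tarball before uploading it. The script below is an added example, not part of the article or of Yealink's or Thirdlane's tooling. It assumes the layout described above: vpn.cnf at the top level, the certificates under keys/, an archive created with `tar -cvpf openvpn.tar *` (so member names carry no leading ./), and ca/cert/key directives in vpn.cnf pointing under /config/openvpn/keys/, where the phone unpacks the archive. It lists the archive, cross-checks every ca/cert/key path in vpn.cnf against the members actually present, and insists on a `remote` line and on `remote-cert-tls server`.

```shell
#!/bin/sh
# Added pre-upload check for a Yealink OpenVPN bundle (not part of the article).
# Usage: check_phone_bundle.sh openvpn.tar
# Assumes the layout from the article: vpn.cnf at the top level, keys/ beside it,
# archive built with `tar -cvpf openvpn.tar *` (so member names have no leading ./),
# and ca/cert/key directives pointing under /config/openvpn/keys/, where the phone
# unpacks the archive.

# has_member ARCHIVE NAME: true when NAME is an entry of the archive.
has_member() {
    tar -tf "$1" | grep -qx "$2"
}

# cnf_value ARCHIVE DIRECTIVE: first argument of DIRECTIVE in the archived vpn.cnf
# (tar -O writes the member to stdout instead of extracting it).
cnf_value() {
    tar -xOf "$1" vpn.cnf 2>/dev/null | awk -v key="$2" '$1 == key { print $2; exit }'
}

check_phone_bundle() {
    tarball=$1; ok=0
    if ! has_member "$tarball" vpn.cnf; then
        echo "MISSING: vpn.cnf is not at the top level of the archive"; return 1
    fi
    # Each credential directive must name a file under /config/openvpn/keys/
    # and that file must actually be shipped as keys/<name>.
    for directive in ca cert key; do
        path=$(cnf_value "$tarball" "$directive")
        case "$path" in
            /config/openvpn/keys/?*) ;;
            *) echo "BAD: '$directive $path' does not point under /config/openvpn/keys/"; ok=1; continue ;;
        esac
        file=${path##*/}
        if ! has_member "$tarball" "keys/$file"; then
            echo "MISSING: $directive names $file but keys/$file is not in the archive"; ok=1
        fi
    done
    # Without remote-cert-tls server the phone would accept any certificate the CA
    # has issued as the server, including a copy of the shared client certificate.
    if [ "$(cnf_value "$tarball" remote-cert-tls)" != "server" ]; then
        echo "WEAK: 'remote-cert-tls server' is missing from vpn.cnf"; ok=1
    fi
    if [ -z "$(cnf_value "$tarball" remote)" ]; then
        echo "MISSING: no 'remote HOST PORT' line in vpn.cnf"; ok=1
    fi
    if [ "$ok" -eq 0 ]; then echo "OK: $tarball has the expected layout"; fi
    return "$ok"
}

# Run directly with the archive path; sourced without arguments it only defines the functions.
if [ "$#" -eq 1 ]; then
    check_phone_bundle "$1"
fi
```

Run as `sh check_phone_bundle.sh /etc/openvpn/server/client/openvpn.tar` before copying the file off the server. An archive created one directory up (so that the members are `client/vpn.cnf`, `client/keys/...`) fails the first check, which is exactly the mistake the folder-structure warning above is about.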
## To set up the VPN on the phone, navigate to Network > Advanced, enable VPN and set the type to OpenVPN if that option is offered (phones without the option use OpenVPN by default). Browse for the openvpn.tar file and upload it. The phone may prompt you to reboot; select yes. Save the config and reboot the phone (Settings - Upgrade - Reboot).
This has been tested with Yealink t27p, t27g, and t53w phones.