Hey guys, I’m not having much luck getting a Yealink T42G SIP phone to register to my 3CX PBX through OpenVPN. I can confirm the PBX is set up properly, as I currently have two Yealink SIP phones registered to the PBX behind the same VyOS router through a site-to-site IPsec VPN. The SIP phones are local to me; the VyOS router and the 3CX PBX are hosted on cloud servers.
I can get the phone to connect to the OpenVPN server, and I can see the phone on the VPN from the VyOS with ‘show openvpn server status’, but I cannot ping the phone’s IP from the VyOS. Looking at the syslog on the phone, I can see a successful VPN connection established, but the phone will not register to the PBX.
To sum up the above, phones work fine through IPsec site-to-site, phones do not register to PBX via OpenVPN client/cert VPN.
Below is my VyOS configuration:
[code]firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* NOTE(review): accepting and emitting ICMP redirects on an internet-facing router lets a neighbour alter this host's routing; disable both unless something on the LAN depends on them. */
receive-redirects enable
send-redirects enable
/* NOTE(review): reverse-path validation is off, so packets with a spoofed source are not dropped at ingress; strict is the usual choice once asymmetric routing has been ruled out. */
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address VYOS_PUBLIC_IP/24
description OUTSIDE
duplex auto
/* NOTE(review): empty firewall stanza — no rule-set is attached to the outside interface, so what is reachable from the internet is governed only by the nat destination rules. */
firewall {
}
hw-id 00:16:b9:88:79:73
smp_affinity auto
speed auto
}
ethernet eth1 {
address 10.122.224.1/24
description INSIDE
duplex auto
hw-id 00:16:27:8e:97:22
smp_affinity auto
speed auto
}
loopback lo {
}
/* NOTE(review): no firewall is attached to vtun0 either, so any client presenting a certificate from this CA reaches all of 10.122.224.0/24 unrestricted via the pushed route. */
openvpn vtun0 {
mode server
server {
domain-name DOMAIN_NAME
name-server 10.122.224.1
push-route 10.122.224.0/24
/* Client address pool. This prefix appears in neither the nat nor the vpn section, so VPN clients are not masqueraded and are not carried over the IPsec tunnel. */
subnet 10.122.222.0/24
}
tls {
ca-cert-file /config/auth/ca.crt
cert-file /config/auth/cc-ovpn.crt
/* NOTE(review): 1024-bit DH parameters are below the commonly accepted 2048-bit floor; regenerate and point both this node and the standalone server config at the new file. */
dh-file /config/auth/dh1024.pem
key-file /config/auth/cc-ovpn.key
}
}
}
nat {
destination {
/* NOTE(review): translates to the router's own address, i.e. a no-op DNAT; presumably it exists so that 222 (ssh) and 1194 (OpenVPN) are matched here and never forwarded by rule 10 — confirm that is the intent. */
rule 5 {
destination {
address VYOS_PUBLIC_IP
port 222,1194
}
inbound-interface eth0
protocol tcp_udp
translation {
address VYOS_PUBLIC_IP
}
}
/* NOTE(review): publishes ssh (22), http (80), 443, the SIP/3CX service ports, the 9000-9500 media range and 5432 (conventionally PostgreSQL) on the PBX host to the whole internet; trim to what remote endpoints actually need and restrict by source where possible. This rule matches only on eth0, so packets arriving over vtun0 that are addressed to VYOS_PUBLIC_IP are not translated — if the phone's SIP server is set to the public address rather than 10.122.224.5, registration over the VPN would never reach the PBX; worth confirming. */
rule 10 {
destination {
address VYOS_PUBLIC_IP
port 22,80,222,443,5015,5060,5090,5432,9000-9500
}
inbound-interface eth0
protocol tcp_udp
translation {
address 10.122.224.5
}
}
}
source {
/* Skips masquerading for traffic bound for the IPsec peer network so it enters the tunnel with its real 10.122.224.0/24 source. */
rule 50 {
destination {
address 192.168.101.0/24
}
exclude
outbound-interface eth0
source {
address 10.122.224.0/24
}
}
/* Masquerades only the INSIDE prefix; the OpenVPN client pool 10.122.222.0/24 is not covered, which only matters if a client were default-routed through the tunnel (nothing here pushes a gateway). */
rule 100 {
outbound-interface eth0
source {
address 10.122.224.0/24
}
translation {
address masquerade
}
}
}
}
service {
dns {
/* Resolver for the inside LAN and VPN clients; it listens on eth1 and vtun0 only, not on the outside interface. */
forwarding {
cache-size 0
listen-on eth1
listen-on vtun0
name-server 8.8.8.8
name-server 8.8.4.4
}
}
/* NOTE(review): port 222 is reachable from the internet via nat destination rule 5; password logins are not disabled here, so key-only authentication (disable-password-authentication) is worth considering. */
ssh {
port 222
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 115200
}
}
/* NOTE(review): the upstream gateway is left in the clear while VYOS_PUBLIC_IP is redacted; the two together narrow down the public netblock. */
gateway-address 23.90.82.1
host-name vyos
login {
user vyos {
authentication {
encrypted-password PASSWORD
/* An empty plaintext-password is the normal VyOS state once the hash is stored; the curly quotes here and below are forum rendering, not part of the config. */
plaintext-password “”
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
/* NOTE(review): package sources are fetched over plain http; confirm apt signature checking is in effect for both repositories. */
repository community {
components main
distribution helium
password “”
url http://packages.vyos.net/vyos
username “”
}
/* NOTE(review): this repository is named squeeze but tracks distribution jessie, and its url value was rendered as a link title by the forum — the real URL is missing from the paste. */
repository squeeze {
components “main contrib non-free”
distribution jessie
password “”
url Index of /debian
username “”
}
}
syslog {
global {
facility all {
level notice
}
/* protocols at debug is useful while the VPN is being debugged; drop it back to notice once resolved. */
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
esp-group ESP-1W {
compression disable
lifetime 28800
mode tunnel
pfs enable
/* NOTE(review): 3DES/SHA1 are legacy choices; if the peer supports it, prefer an AES/SHA-2 proposal. proposal 2 is identical to proposal 1 and adds nothing to the negotiation. */
proposal 1 {
encryption 3des
hash sha1
}
proposal 2 {
encryption 3des
hash sha1
}
}
ike-group IKE-1W {
ikev2-reauth no
/* IKEv1 with a pre-shared secret; the same duplicate-proposal and 3DES/SHA1 remarks as for ESP-1W apply. */
key-exchange ikev1
lifetime 28800
proposal 1 {
encryption 3des
hash sha1
}
proposal 2 {
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
site-to-site {
peer 72.45.241.244 {
authentication {
mode pre-shared-secret
pre-shared-secret IPSEC_PSK
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
ikev2-reauth inherit
local-address VYOS_PUBLIC_IP
/* Only 10.122.224.0/24 is selected into the tunnel; OpenVPN clients in 10.122.222.0/24 cannot reach 192.168.101.0/24 through it. Irrelevant to PBX registration, but it matters if VPN phones ever need the peer site. */
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 10.122.224.0/24
}
remote {
prefix 192.168.101.0/24
}
}
}
}
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: VyOS 1.1.5 */
[/code]
Here are the OpenVPN server and client configs:
server:
# OpenVPN server as run on the VyOS host. The interfaces openvpn vtun0 node above shows neither
# client-to-client nor comp-lzo, so confirm which of the two configs the running daemon actually uses.
local VYOS_PUBLIC_IP
port 1194
proto udp
dev tun
log-append /var/log/openvpn.log
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/cc-ovpn.crt
key /etc/openvpn/keys/cc-ovpn.key
# NOTE(review): 1024-bit DH parameters; 2048-bit is the usual floor today.
dh /etc/openvpn/keys/dh1024.pem
server 10.122.222.0 255.255.255.0
push "route 10.122.224.0 255.255.255.0"
# NOTE(review): 192.168.10.0/24 matches nothing else in this post; the IPsec remote prefix is 192.168.101.0/24 — check whether this is a typo or a separate network.
push "route 192.168.10.0 255.255.255.0"
push "route 10.122.222.0 255.255.255.0"
# NOTE(review): lets every connected client talk to every other client inside the OpenVPN process, so the router's firewall never sees that traffic; fine for phone-to-phone media, but one compromised handset then reaches the others directly.
client-to-client
keepalive 10 120
# NOTE(review): compression inside a VPN tunnel is discouraged in current guidance; the client sets comp-lzo no, so here it only adds framing.
comp-lzo
persist-key
persist-tun
verb 3
# NOTE(review): no tls-auth/tls-crypt key and no explicit cipher, auth or tls-version-min; on OpenVPN of this vintage the data-channel cipher defaults to BF-CBC. Pin cipher and auth explicitly on both ends.
client:
# Yealink-side client profile; routes to the PBX network are expected to arrive via push from the server (pull is implied by client).
client
setenv SERVER_POLL_TIMEOUT 4
nobind
remote VYOS_PUBLIC_IP 1194 udp
dev tun
dev-type tun
# NOTE(review): ns-cert-type is the legacy server-identity check; remote-cert-tls server is its successor and tests the EKU instead of the nsCertType extension. Keep one of the two — it is what stops another certificate from the same CA being accepted as the server.
ns-cert-type server
# NOTE(review): 7-day data-channel renegotiation interval versus OpenVPN's default of 3600 s; long lifetimes trade forward secrecy for fewer renegotiations.
reneg-sec 604800
sndbuf 100000
rcvbuf 100000
auth-retry nointeract
# Compression disabled on the client; compatible with the server's comp-lzo framing.
comp-lzo no
verb 3
ca /yealink/config/openvpn/keys/ca.crt
# Per-device certificate and key; if this handset is ever lost, revoke 222.crt at the CA and add crl-verify on the server so the revocation is enforced.
cert /yealink/config/openvpn/keys/222.crt
key /yealink/config/openvpn/keys/222.key