Registering Yealink SIP Phone to PBX Behind VyOS OpenVPN Server

Hey guys, I’m not having much luck getting a Yealink T42G SIP phone to register to my 3CX PBX through OpenVPN. I can confirm the PBX is set up properly, as I currently have two Yealink SIP phones registered to the PBX behind the same VyOS router through a site-to-site IPsec VPN. The SIP phones are local to me, the VyOS and 3CX PBX are hosted on cloud servers.

I can get the phone to connect to the OpenVPN, i can see the phone on the VPN from the VyOS with a ‘show openvpn server status’, but I cannot ping the phone’s IP from the VyOS. Looking at the syslog on the phone, I can see a successful VPN connection established, but the phone will not register to the PBX.

To sum up the above, phones work fine through IPsec site-to-site, phones do not register to PBX via OpenVPN client/cert VPN.

Below is my VyOS configuration:

[code]firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
receive-redirects enable
send-redirects enable
source-validation disable
syn-cookies enable
twa-hazards-protection disable
}
interfaces {
ethernet eth0 {
address VYOS_PUBLIC_IP/24
description OUTSIDE
duplex auto
firewall {
}
hw-id 00:16:b9:88:79:73
smp_affinity auto
speed auto
}
ethernet eth1 {
address 10.122.224.1/24
description INSIDE
duplex auto
hw-id 00:16:27:8e:97:22
smp_affinity auto
speed auto
}
loopback lo {
}
openvpn vtun0 {
mode server
server {
domain-name DOMAIN_NAME
name-server 10.122.224.1
push-route 10.122.224.0/24
subnet 10.122.222.0/24
}
tls {
ca-cert-file /config/auth/ca.crt
cert-file /config/auth/cc-ovpn.crt
dh-file /config/auth/dh1024.pem
key-file /config/auth/cc-ovpn.key
}
}
}
nat {
destination {
rule 5 {
destination {
address VYOS_PUBLIC_IP
port 222,1194
}
inbound-interface eth0
protocol tcp_udp
translation {
address VYOS_PUBLIC_IP
}
}
rule 10 {
destination {
address VYOS_PUBLIC_IP
port 22,80,222,443,5015,5060,5090,5432,9000-9500
}
inbound-interface eth0
protocol tcp_udp
translation {
address 10.122.224.5
}
}
}
source {
rule 50 {
destination {
address 192.168.101.0/24
}
exclude
outbound-interface eth0
source {
address 10.122.224.0/24
}
}
rule 100 {
outbound-interface eth0
source {
address 10.122.224.0/24
}
translation {
address masquerade
}
}
}
}
service {
dns {
forwarding {
cache-size 0
listen-on eth1
listen-on vtun0
name-server 8.8.8.8
name-server 8.8.4.4
}
}
ssh {
port 222
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 115200
}
}
gateway-address 23.90.82.1
host-name vyos
login {
user vyos {
authentication {
encrypted-password PASSWORD
plaintext-password “”
}
level admin
}
}
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
}
package {
auto-sync 1
repository community {
components main
distribution helium
password “”
url http://packages.vyos.net/vyos
username “”
}
repository squeeze {
components “main contrib non-free”
distribution jessie
password “”
url Index of /debian
username “”
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone UTC
}
vpn {
ipsec {
esp-group ESP-1W {
compression disable
lifetime 28800
mode tunnel
pfs enable
proposal 1 {
encryption 3des
hash sha1
}
proposal 2 {
encryption 3des
hash sha1
}
}
ike-group IKE-1W {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
encryption 3des
hash sha1
}
proposal 2 {
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
site-to-site {
peer 72.45.241.244 {
authentication {
mode pre-shared-secret
pre-shared-secret IPSEC_PSK
}
connection-type initiate
default-esp-group ESP-1W
ike-group IKE-1W
ikev2-reauth inherit
local-address VYOS_PUBLIC_IP
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
local {
prefix 10.122.224.0/24
}
remote {
prefix 192.168.101.0/24
}
}
}
}
}
}

/* Warning: Do not remove the following line. /
/
=== vyatta-config-version: “cluster@1:config-management@1:conntrack-sync@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@4:nat@4:qos@1:quagga@2:system@6:vrrp@1:wanloadbalance@3:webgui@1:webproxy@1:zone-policy@1” === /
/
Release version: VyOS 1.1.5 */
[/code]

Here are the server and client openvpn configs:

server:

local VYOS_PUBLIC_IP port 1194 proto udp dev tun log-append /var/log/openvpn.log ca /etc/openvpn/keys/ca.crt cert /etc/openvpn/keys/cc-ovpn.crt key /etc/openvpn/keys/cc-ovpn.key dh /etc/openvpn/keys/dh1024.pem server 10.122.222.0 255.255.255.0 push "route 10.122.224.0 255.255.255.0" push "route 192.168.10.0 255.255.255.0" push "route 10.122.222.0 255.255.255.0" client-to-client keepalive 10 120 comp-lzo persist-key persist-tun verb 3

client:

client setenv SERVER_POLL_TIMEOUT 4 nobind remote VYOS_PUBLIC_IP 1194 udp dev tun dev-type tun ns-cert-type server reneg-sec 604800 sndbuf 100000 rcvbuf 100000 auth-retry nointeract comp-lzo no verb 3 ca /yealink/config/openvpn/keys/ca.crt cert /yealink/config/openvpn/keys/222.crt key /yealink/config/openvpn/keys/222.key

For easy troubleshooting , I’d first try to test openvpn from a computer , then try ping the PBX or even register a softclient through the openvpn.
If that works, advance to openvpn on the phone

thanks for the reply. I have a successful openvpn connection from my computer, and am able to ping the vyos router and the pbx locally. i am also able to register 3CX Softphone client on my computer, and am able to make outbound and inbound calls