Note: this guide is valid for the public announcement system PA1+ as well (but not its predecessor PA1).
Overview
Snom deskphones include the ability to build secure VoIP-Infrastructures via the OpenVPN Technology. Snom decided to use OpenVPN because it is compatible with SSL/RSA Certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices. OpenVPN is Open Source and is licensed under the GPL.
This article explains the step-by-step implementation of OpenVPN on Snom phones, including server installation and setup, creating the phone configuration and applying it on the phone.
Install and configure the OpenVPN server
The OpenVPN server is available for free and there are various guides available on installing and configuring it. This section contains one out of several methods to install and set up a minimal OpenVPN server on Linux and Windows. For more options and detailed information, see https://openvpn.net or the available documentation for your server.
OpenVPN server on Linux
Versions used for this section:
- Ubuntu 18.04
- OpenVPN 2.4.4
- OpenSSL 1.1.1
The installation steps require that you are logged in as root on the Ubuntu system.
Update the apt-sources
# apt-get update
Install OpenVPN and easy-rsa packages
# apt-get install openvpn
# apt-get install easy-rsa
Create the Certificate Authority
Copy the easy-rsa directory to /etc/openvpn:
# make-cadir /etc/openvpn/easy-rsa
Enter the created directory:
# cd /etc/openvpn/easy-rsa
Edit the vars file with your favorite editor, for example using vim:
# vim vars
and scroll down until you find the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Edit these to fit your server. Don’t leave any of these parameters blank.
Next, initialize the PKI:
# . ./vars
# ./clean-all
If, when running ". ./vars", you get the error "No /etc/openvpn/easy-rsa/openssl.cnf file could be found", link openssl.cnf to the latest available cnf file inside the directory, for example using the command "ln -s openssl-1.0.0.cnf openssl.cnf". Then run ". ./vars" again.
The next command (build-ca) will build the certificate authority (CA) certificate and key:
# ./build-ca
Here is a detailed example showing how to run this command:
In the above sequence, most queried parameters were defaulted to the values that you have set in the vars file.
Create the server certificate
# ./build-key-server server
Here is a detailed example showing how to run this command:
Create the Diffie Hellman parameter
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............................................................................+........ ++*++*++*++*
Create the phone certificate
Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone.
It is necessary to give each certificate an individual name, e.g. the phone's MAC address. For our example we will use 000413A30591:
# ./build-key 000413A30591
Here is a detailed example showing how to run this command:
Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:

| Filename | Purpose | Needed by |
|---|---|---|
| ca.crt | Root CA certificate | server + all clients |
| ca.key | Root CA private key | server only |
| dh{n}.pem | Diffie Hellman parameters | server only |
| server.crt | Server Certificate | server only |
| server.key | Server private key | server only |
| 000413A30591.crt | Certificate for phone 000413A30591 | phone 000413A30591 only |
| 000413A30591.key | Private key for phone 000413A30591 | phone 000413A30591 only |

The phone configuration requires some naming that is mandatory and should not be changed:
- All file paths in your config file must be set to /openvpn/filename
- The configuration file must be named vpn.cnf
In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.
Create server configuration for OpenVPN
Create configuration file, for example using the touch command:
# touch /etc/openvpn/server.conf
Edit the file with your favorite editor, for example using vim:
# vim /etc/openvpn/server.conf
Paste the following content into the file:
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-to-client
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 6
This will configure OpenVPN to listen on port 1194, and use private IP subnet 10.8.0.0/24
Enable packet forwarding
This step is optional and is only needed if you would like to configure your OpenVPN server to act as a VPN gateway for a LAN. See also https://openvpn.net/faq/what-is-and-how-do-i-enable-ip-forwarding-on-linux/
Edit /etc/sysctl.conf and uncomment the following line (remove the '#' at the beginning) to enable IP forwarding:
net.ipv4.ip_forward=1
Then save the file and reload sysctl:
# sysctl -p /etc/sysctl.conf
Run the OpenVPN server
To check for any fatal errors preventing the server from starting, you can try running the server in the foreground like this:
# openvpn /etc/openvpn/server.conf
If the service starts and prints several lines ending with "Initialization Sequence Completed", then the trial run was successful. You can stop the trial run with CTRL+C.
Now you can start the OpenVPN server:
# sudo systemctl start openvpn@server
Next, check if OpenVPN created a tun0 interface. You should see something like this:
# ip addr show dev tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8fc2:3403:fbac:1f35/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
Configure OpenVPN to run at startup
Running OpenVPN at system startup is optional but often preferred on server machines.
Edit /etc/default/openvpn and add the following line, which instructs the system to start openvpn with configuration file /etc/openvpn/server.conf:
AUTOSTART="server"
Then reload systemctl and restart the OpenVPN service:
# systemctl daemon-reload
# systemctl restart openvpn.service
OpenVPN server on Windows
OpenVPN is available for free, see more details here: https://openvpn.net/ .
Versions used for this section:
- Windows 10, 64-bit
- Installation file: openvpn-install-2.4.9-I601-Win10.exe
- Download and run the OpenVPN installer file
At the time of this article the installation file could be found here: https://openvpn.net/community-downloads/
- Double click the installation file. You will see the installation wizard.
- Press Next until you reach the Choose Components section.
- Make sure EasyRSA is enabled (add a green tick):
- Follow the install wizard to finish the installation.
- Initialize the PKI and create the Certificate Authority
Navigate to the C:\Program Files\OpenVPN\easy-rsa folder on an elevated command prompt:
- Open the search box next to the Start menu
- Type "cmd"
- Right-click on Command Prompt and choose "Run as Administrator"
- Right-click the menu item "Command Prompt"
- On the pop up User Account Control window, Click "Yes"
Navigate to the easy-rsa folder:
cd "C:\Program Files\OpenVPN\easy-rsa"
Initialize the OpenVPN configuration:
init-config
Only run init-config once, during installation.
Open the vars.bat file in a text editor:
notepad vars.bat
- Edit the following lines in vars.bat, replacing "US", "CA," etc. with your company's information:
- Save the file and exit notepad.
Run the following commands:
vars
clean-all
Build the certificate authority (CA) certificate and key. When prompted, enter your country, etc. These will have default values (from the vars file), which appear in brackets.
build-ca
Here is a detailed example showing how to run this command:
Create the server certificate
build-key-server server
Here is a detailed example showing how to run this command:
Create the Diffie Hellman parameter
C:\Program Files\OpenVPN\easy-rsa>build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............................................................................+........ ++*++*++*++*
Create the phone certificate
Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone.
It is necessary to give each certificate an individual name, e.g. the phone's MAC address. For our example we will use 000413A30591:
build-key 000413A30591
Here is a detailed example showing how to run this command:
Now we will find our newly-generated keys and certificates in the C:\Program Files\OpenVPN\easy-rsa\keys folder. Here is an explanation of the relevant files:

| Filename | Purpose | Needed by |
|---|---|---|
| ca.crt | Root CA certificate | server + all clients |
| ca.key | Root CA private key | server only |
| dh{n}.pem | Diffie Hellman parameters | server only |
| server.crt | Server Certificate | server only |
| server.key | Server private key | server only |
| 000413A30591.crt | Certificate for phone 000413A30591 | phone 000413A30591 only |
| 000413A30591.key | Private key for phone 000413A30591 | phone 000413A30591 only |

Create the server configuration for OpenVPN
Create file server.ovpn using command:
notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
When asked if you want to create a new file, click Yes.
Enter the following configuration:
port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 10.9.0.0 255.255.255.0
client-to-client
keepalive 10 120
persist-key
persist-tun
verb 6
Save the file and exit notepad.
This will configure OpenVPN to listen on port 1194, and use private IP subnet 10.9.0.0/24
Copy the configuration files from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ on the server by typing the following in the command prompt:
robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt dh2048.pem server.crt server.key server.ovpn
NOTE: In the robocopy command above, the space at the end of the path in each string is important.
Run the OpenVPN server
Run OpenVPN from: Start Menu -> OpenVPN -> OpenVPN GUI
This will create a new icon in the system tray. Double click the icon to initiate the connection. The resulting dialog should show the status shortly and then close upon a successful start:
Now if you open Network Connections (from Control Panel → Network and Internet → View Network Status and tasks → Change adapter settings), you should see a new connection of type TAP-Windows Adapter V9:
If you right click this connection and then click Status → Details you should be able to see the configured IP address:
Running OpenVPN as a Service
Running OpenVPN as a service will allow OpenVPN to be started automatically on system startup. This is often preferred on a server machine.
Run the Windows Service administrative tool:
- Press Windows Key + R
- Type "services.msc" and press Enter.
- Find the OpenVPN service, and set its Startup Type to "Automatic". Press Apply.
- Optionally, start the service now.
- Firewall Configuration
If you have connection problems, make sure to set a rule on your server's firewall allowing incoming traffic on UDP port 1194. (Win+R "wf.msc")
Install and configure OpenVPN on the Snom phones
Install the VPN patch on the Snom phone
The VPN feature is not shipped with the default firmware due to security considerations. Snom provides the VPN feature in a small firmware patch which needs to be installed. This patch contains only the VPN feature and thus is very small in size.
To install the VPN feature patch follow one of the following procedures:
Manual Installation
- Find out your currently installed firmware version. See this link for information on how to do this
- Open the Firmware Update Center and click on your version
- Scroll down to "VPN Feature Updates"
- Copy the download link appropriate for your phone model
- Open the phone web user interface and select "Software Update" from the left hand menu
- Paste the link in the "Manual Software Update" field and click "Load"
The phone will reboot and install the patch. Afterwards you will be able to use the VPN feature.
Automatic installation via SRAPS
It is also possible to install the VPN patch automatically via SRAPS, as part of the provisioning or even prior to the settings being fetched by the phone. See details here.
IMPORTANT: A network recovery will remove the VPN patch, so the VPN patch installation is necessary after each TFTP rescue mode update!
How to tell if the VPN patch installation was successful
If the VPN installation was successful, the VPN feature will be available. Here is how you can check that the VPN feature is available:
- The VPN option is now visible in the phone's web interface under Advanced → QOS/Security. If the VPN patch installation was successful, you should see the VPN setting here (it will be set to off at first because the VPN feature was installed, but it is not yet enabled)
- The VPN line is now added to the System Info screen in the Phone Menu. Open the "Settings" menu by pressing the phone button with the gear symbol, then navigate to "Information" and select "System Info". You should see the VPN line (it will show VPN off at first because the VPN feature was installed, but is not yet enabled)
- After installing the VPN patch, the phone will add the X-snom-vpn: available HTTP header to the provisioning requests. Using this header you can distinguish between devices with VPN enabled and devices not supporting the VPN.
VPN feature patch for older versions
If your phone is running version 8.x, you can find the instructions for the VPN patch here.
Create the VPN configuration tarball for the phone on Linux
Create client/phone configuration file
The content of the configuration file is usually the same on all clients/phones. To avoid having to configure both files, client and server, in one directory, create a subfolder called client-config:
# mkdir /etc/openvpn/client-config
The configuration file for the phone must be called vpn.cnf:
# touch /etc/openvpn/client-config/vpn.cnf
Edit this file with your favorite editor:
# vim /etc/openvpn/client-config/vpn.cnf
Paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:
client
dev tun
proto udp
remote <Server-IP/-name> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
remote-cert-tls server
ping 10
ping-restart 60
Note
If you want to use OpenVPN configurations from phones with fw v8 now in fw v10 on the same OpenVPN server, you may need to add the parameter ncp-ciphers "BF-CBC" to the phone's vpn.cnf if the server's OpenVPN version is < 2.5
The phone configuration requires some naming that is mandatory and should not be changed:
- All file paths in your config file must be set to /openvpn/filename
- The configuration file must be named vpn.cnf
In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.
Put together the configuration files for the phone
For this example we are using the same MAC we used to create the client certificate.
Create a temporary directory to hold the needed files:
# mkdir /etc/openvpn/client-config/tmp
Put together the files in a tarball:
# cp /etc/openvpn/client-config/vpn.cnf /etc/openvpn/client-config/tmp/ #the configuration file
# cp /etc/openvpn/easy-rsa/keys/000413A30591.crt /etc/openvpn/client-config/tmp/client.crt #the client certificate
# cp /etc/openvpn/easy-rsa/keys/000413A30591.key /etc/openvpn/client-config/tmp/client.key #the client private key
# cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/client-config/tmp/ca.crt #the CA
# cd /etc/openvpn/client-config/tmp/
# chown -Rf root:root *
# chmod -R 700 *
# tar cvpf vpnclient-000413A30591.tar * #this command creates the actual tar file
# rm client.* #remove the used certificate and private key as they are no longer needed in the tmp directory
Now you should be able to find the tarball file vpnclient-000413A30591.tar inside the /etc/openvpn/client-config/tmp/ directory. We will use this file in the next step when providing it to the phone.
Create the VPN configuration tarball for the phone on Windows
Create client/phone configuration file
In the Command Prompt, create file vpn.cnf by running:
notepad "C:\Program Files\OpenVPN\easy-rsa\keys\vpn.cnf"
When asked if you want to create a new file, click Yes. Copy and paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:
client
dev tun
proto udp
remote <Server-IP/-name> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
remote-cert-tls server
ping 10
ping-restart 60
The phone configuration requires some naming that is mandatory and should not be changed:
- All file paths in your config file must be set to /openvpn/filename
- The configuration file must be named vpn.cnf
In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.
Save the file vpn.cnf
Put together the configuration files for the phone
- Navigate in File Explorer to C:\Program Files\OpenVPN\easy-rsa\keys\. Inside this folder, create a new folder called 000413A30591
- Copy the following files from C:\Program Files\OpenVPN\easy-rsa\keys\ into the 000413A30591 folder:
  ca.crt
  000413A30591.crt
  000413A30591.key
  vpn.cnf
- Now your folder 000413A30591 should look like this:
- Rename 000413A30591.crt to client.crt
- Rename 000413A30591.key to client.key
- Now your folder 000413A30591 should look like this:
In the command prompt, navigate to the newly created directory by typing:
cd C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591
Now create the tarball archive by typing:
tar cvpf C:\vpnclient-000413A30591.tar *
You should see the following:
C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591>tar cvpf C:\vpnclient-000413A30591.tar *
a client.crt
a client.key
a ca.crt
a vpn.cnf
Now you should be able to find the tarball file vpnclient-000413A30591.tar under C:\. We will use this file in the next step when providing it to the phone.
Structure reference for the configuration tarball
When creating the tar archive for Snom phones, it is very important to keep the file structure and naming as in the above examples.
Below is the content of the tar file created in this example, vpnclient-000413A30591.tar. Note that there are no subdirectories, the files must be placed in the root of the tarball:
ca.crt
client.crt
client.key
vpn.cnf
You can download this example file here: vpnclient-000413A30591.tar
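The structure rules above can be checked before the tarball is published. The following script is an added example, not part of the original guide or of Snom's tooling; the function name check_snom_vpn_tar and the script file name in the usage line are hypothetical. It verifies that the four files are present, that nothing sits in a subdirectory, and that every file path in vpn.cnf has the form /openvpn/filename.

```shell
#!/bin/sh
# Added example, not Snom tooling: pre-flight check of a phone configuration
# tarball against the rules stated in this guide:
#   - ca.crt, client.crt, client.key and vpn.cnf are present
#   - all files sit in the root of the tarball (no subdirectories)
#   - every file path in vpn.cnf has the form /openvpn/<filename>
# Prints one line per problem; returns 0 only when no problem was found.
check_snom_vpn_tar() {
    tarball=$1
    problems=0
    members=$(tar tf "$tarball" 2>/dev/null) || { echo "cannot read tarball: $tarball"; return 2; }

    # Any '/' in a member name means it is not in the archive root.
    while IFS= read -r member; do
        case $member in
            */*) echo "not in archive root: $member"; problems=$((problems + 1)) ;;
        esac
    done <<EOF
$members
EOF

    for required in ca.crt client.crt client.key vpn.cnf; do
        if ! printf '%s\n' "$members" | grep -Fqx "$required"; then
            echo "missing file: $required"; problems=$((problems + 1))
        fi
    done

    # Directives in vpn.cnf that take a file path (auth-user-pass is the
    # optional username/password file from the "Advanced examples" section).
    # A vpn.cnf written with notepad has CRLF line endings, so strip the CR.
    cnf=$(tar xOf "$tarball" vpn.cnf 2>/dev/null | tr -d '\r')
    refs=$(printf '%s\n' "$cnf" |
        awk '$1 ~ /^(ca|cert|key|auth-user-pass)$/ && NF >= 2 { print $1, $2 }')
    while read -r directive path; do
        [ -n "$directive" ] || continue
        name=${path#/openvpn/}
        case $path in
            /openvpn/|/openvpn/*/*)
                echo "vpn.cnf: '$directive $path' is not /openvpn/<filename>"
                problems=$((problems + 1)) ;;
            /openvpn/*)
                if ! printf '%s\n' "$members" | grep -Fqx "$name"; then
                    echo "vpn.cnf: '$directive $path' but $name is not in the tarball"
                    problems=$((problems + 1))
                fi ;;
            *)
                echo "vpn.cnf: '$directive $path' is not /openvpn/<filename>"
                problems=$((problems + 1)) ;;
        esac
    done <<EOF
$refs
EOF

    [ "$problems" -eq 0 ]
}

# Usage (hypothetical script name): sh check_snom_vpn_tar.sh vpnclient-000413A30591.tar
if [ $# -gt 0 ]; then
    check_snom_vpn_tar "$1"
fi
```

A server-side path such as /etc/openvpn/easy-rsa/keys/ca.crt left in vpn.cnf, or a tarball created from the parent directory, is reported before the phone ever downloads the file.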
Put the VPN configuration tarball on an HTTP server
This section also includes the download and set up of a minimal HTTP server using the SPLiT application. If you already have an HTTP server, you can just upload the tar file created in the previous section to your existing HTTP server and skip this section.
Setup an HTTP server on Windows
- Download the SPLiT executable file (for this example we used SPLiT-1.1.3_w32.exe)
- Create directory SPLiT in a location of your choice, for example C:\SPLiT
- Move SPLiT-1.1.3_w32.exe into the SPLiT directory
- Create a new directory called http inside the SPLiT directory
- Move the tar file created in the previous section from C:\ to the http directory
- Go back to the SPLiT directory
- Run the SPLiT executable SPLiT-1.1.3_w32.exe as Administrator
- Once the software has started you should see a user interface window:
- Click on the Debug check box
- Insert your computer IP address into the IP Address field
- Verify that the HTTP Directory field contains the http value
- Click on the Start HTTP Server button
- Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar .
This should present you with the option to download the tarball file.
Setup an HTTP server on Linux
- Open a terminal
Install python if it is not already installed
# apt-get install python
Get and start SPLiT:
# mkdir /usr/local/SPLiT
# cd /usr/local/SPLiT
# wget https://github.com/pbertera/SPLiT/archive/1.1.3.tar.gz
# tar -xvzf 1.1.3.tar.gz
# cd SPLiT-1.1.3/
# mkdir http
# sudo python SPLiT.py -i <Server-IP/-name> --http #replace <Server-IP/-name> with your server's IP/Hostname
Now that the HTTP server is running, place the tar file created in the previous section in the http directory inside the SPLiT directory:
# cp /etc/openvpn/client-config/tmp/vpnclient-000413A30591.tar /usr/local/SPLiT/SPLiT-1.1.3/http
Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar .
This should present you with the option to download the tarball file.
Apply the VPN configuration to the Snom phone
- Make sure the phone's date and time is correct in order to be able to validate the certificates
- Under Advanced → QOS/Security, find the VPN Parameter:
- Enable the VPN parameter by clicking on. The Unzipped VPN config tarball parameter will become available:
- Enter the HTTP(S)-URL of the tarball file e.g. http://<Server-IP/name>/vpnclient-000413A30591.tar with the openVPN configuration:
- Scroll down and click Apply
- In case the phone presents you with "Some settings are not yet stored permanently", click Save. If this text does not appear you can ignore this step.
- Click Reboot
- After the reboot, the phone will show a notification VPN is active and display the VPN icon on the phone taskbar.
Here is an example:
- Pressing the Info key will show:
- After you have pressed the Info key and seen the Status Info, the "VPN is active" notification will disappear
Changing the VPN configuration tarball at a later time
The Unzipped VPN config tarball parameter is designed to be provisioned only once: every time this parameter is configured the phone downloads the tarball and then the setting gets emptied.
If you wish to change the phone's VPN configuration you have to configure the tarball URL again in order to make the phone download and apply the new configuration.
It is not necessary to give the tarball a new name, you can use the original name.
Adding another phone to the VPN at a later time
If you wish to set up a new phone in the VPN at a later time, you can use the following steps:
- open command prompt and then run vars
  on Linux by using commands:
  cd /etc/openvpn/easy-rsa
  . ./vars
  on Windows by using commands:
  cd "C:\Program Files\OpenVPN\easy-rsa"
  vars
- repeat step Create the phone certificate
- repeat step Create the VPN configuration tarball for the phone (you can skip the part where you create vpn.cnf because this was already created and it is usually the same for all clients)
- repeat step Put the VPN configuration tarball on an HTTP server
- repeat step Apply the VPN configuration to the Snom phone
Advanced examples
Additional authentication with a username/password
In some cases the VPN server requires a username and password, in addition to the certificate. Here is how to set up a VPN username/password for the Snom phone:
- Add auth-user-pass to your vpn.cnf, like this (do not change the path):
auth-user-pass /openvpn/pass.txt
- Create file pass.txt with the following content, replacing the text username and password with your actual username and password.
username
password
- When creating the configuration tarball (see step Create the VPN configuration tarball for the phone), also include file pass.txt in the tarball.
Make sure that the file pass.txt is in the same path of the tarball as the other configuration files.
Troubleshooting
Everything works as described, but the phone seems to reject my server certificate. What's wrong?
Make sure the phone has the right date and time. Try to configure an NTP server that the phone can reach on its native network (not via VPN). If the phone has a wrong date it might assume that all certificates are not valid (yet).
How to view the OpenVPN logs
You can set the phone to send all VPN logs to a "Netcat Server". To do this:
Install and run netcat on a host that is reachable from the phone:
netcat -l -p 5000
Set the IP address of this host under Advanced → Qos/security → Netcat Server:
Once you apply this and reboot the phone, you will see the phone's VPN logs on the host running netcat. If you have not added a custom verbosity level in vpn.cnf, you should see the following (for a successful connection):
Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed
What is my IP in the VPN?
The phone does not show the IP address received over VPN in the web interface per default, but there are some other ways to view this:
Option 1: from the SIP logs
Set up a test identity on the phone, with Registrar set to an IP address inside the VPN network. It does not matter what IP address it is, it just needs to be routed inside the VPN network. Set only the Account and the Registrar for this identity:
Then click on SIP Trace, you will see some SIP messages. Look at the IP address from which these were sent:
Sent to Udp:10.8.0.1:5060 from Udp:10.8.0.6:55786 at Oct 19 23:54:43.886 (717 bytes):
REGISTER sip:10.8.0.1 SIP/2.0
Via: SIP/2.0/UDP 10.8.0.6:55786;branch=z9hG4bK-2yig1rmxrpir;rport
From: <sip:100@10.8.0.1>;tag=r06il7bz6r
To: <sip:100@10.8.0.1>.....
If your VPN network is routing packets correctly, you will see here the phone's IP address (in this example it is 10.8.0.6)
Option 2: from the netcat logs
From the netcat logs (see above " How to view the OpenVPN logs "). If you have not added a custom verbose level in vpn.cnf, at the beginning of the connection, the netcat logs will also show the IP address that the phone receives.
Here is an example:
Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5 <-------- this means that our local address in the VPN is 10.8.0.6
Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed
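The log captured by the netcat listener (see "How to view the OpenVPN logs" and Option 2 above) can be reduced to a one-line status. The following script is an added example, not part of the original guide or of Snom's tooling; the function name vpn_log_summary is hypothetical, and the handling of the "topology subnet" log form goes beyond the log shown on this page.

```shell
#!/bin/sh
# Added example, not Snom tooling: summarise a phone's OpenVPN log as captured
# by the netcat listener. Reads the log on stdin and prints
# "up <device> <local-ip>" or "down"; the exit status is 0 only for "up".
vpn_log_summary() {
    awk '
        # Address assignment. The form shown in this guide is
        #   /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
        # With "topology subnet" on the server (assumption, not used on this
        # page) the line reads: ip addr add dev tun0 10.8.0.6/24 broadcast ...
        /ip addr add dev/ {
            ip = ""; cand = ""
            for (i = 1; i < NF; i++) {
                if ($i == "dev")   { dev = $(i + 1); cand = $(i + 2) }
                if ($i == "local") { ip = $(i + 1) }
            }
            if (ip == "" && cand ~ /^[0-9.]+\/[0-9]+$/) {
                sub(/\/.*/, "", cand); ip = cand
            }
        }
        /Initialization Sequence Completed/ { ready = 1 }
        # A restart (for example after ping-restart fires) tears the tunnel down.
        /process restarting/ { ready = 0; ip = "" }
        END {
            if (ready && ip != "") { print "up", dev, ip; exit 0 }
            print "down"; exit 1
        }
    '
}

# Demo on lines taken from the sample log in this guide.
vpn_log_summary <<'EOF'
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed
EOF
```

To use it on live output, save what the listener receives to a file and run the function with that file on stdin.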