Content

Page tree

Index:

Note:  this guide is valid for the public announcement system PA1+ as well (but not its predecessor PA1).


Overview

Snom deskphones include the ability to build secure VoIP-Infrastructures via the OpenVPN Technology. Snom decided to use OpenVPN because it is compatible with SSL/RSA Certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices. OpenVPN is Open Source and is licensed under the GPL.

This article explains the step-by-step implementation of OpenVPN on Snom phones, including server installation and setup, creating the phone configuration and applying it on the phone.


Install and configure the OpenVPN server

Note: If you already have a VPN server, you can skip this section.

The OpenVPN server is available for free and there are various guides available on installing and configuring it. This section contains one out of several methods to install and set up a minimal OpenVPN server on Linux and Windows. For more options and detailed information, see https://openvpn.net or the available documentation for your server.

OpenVPN server on Linux


Versions used for this section:

  • Ubuntu 18.04
  • OpenVPN 2.4.4
  • OpenSSL 1.1.1

The installation steps require that you are logged in as root on the Ubuntu system.

  1. Update the apt-sources

    # apt-get update
  2. Install OpenVPN and easy-rsa packages

    # apt-get install openvpn
    # apt-get install easy-rsa
  3. Create the Certificate Authority

    1. Copy the easy-rsa directory to /etc/openvpn:

      # make-cadir /etc/openvpn/easy-rsa
    2. Enter the created directory:

      # cd /etc/openvpn/easy-rsa
    3. Edit the vars file with your favorite editor, for example using vim:

      # vim vars
    4. and scroll down until you find the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Edit these to fit your server. Don’t leave any of these parameters blank.

    5. Next, initialize the PKI:

      # . ./vars
      # ./clean-all
      If when running ". ./vars" you get error "No /etc/openvpn/easy-rsa/openssl.cnf file could be found", link openssl.cnf to the latest available cnf file insider the directory, for example using command: "ln -s openssl-1.0.0.cnf openssl.cnf". Then, run ". ./vars" again.
    6. The next command (build-ca) will build the certificate authority (CA) certificate and key:

      # ./build-ca
      
    7. Here is a detailed example showing how to run this command:

      # ./build-ca
      Generating a RSA private key
      ...............................................................................+++++
      .......................................................................................+++++
      writing new private key to 'ca.key'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [DE]:
      State or Province Name (full name) [Berlin]:
      Locality Name (eg, city) [Berlin]:
      Organization Name (eg, company) [Snom Test]:
      Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
      Common Name (eg, your name or your server's hostname) [Snom Test CA]:
      Name [EasyRSA]:
      Email Address [test@myhost.mydomain]:
    8. In the above sequence, most queried parameters were defaulted to the values that you have set in the vars file.

  4. Create the server certificate

    # ./build-key-server server
    


    Here is a detailed example showing how to run this command:

    # ./build-key-server server
    Generating a RSA private key
    .+++++
    ..............+++++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [Berlin]:
    Locality Name (eg, city) [Berlin]:
    Organization Name (eg, company) [Snom Test]:
    Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
    Common Name (eg, your name or your server's hostname) [server]:192.168.137.102          <--------- the IP address/hostname that the phone will use to reach the server
    Name [EasyRSA]:
    Email Address [test@myhost.mydomain]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:    
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'Berlin'
    localityName          :PRINTABLE:'Berlin'
    organizationName      :PRINTABLE:'Snom Test'
    organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
    commonName            :PRINTABLE:'192.168.137.102'
    name                  :PRINTABLE:'EasyRSA'
    emailAddress          :IA5STRING:'test@myhost.mydomain'
    Certificate is to be certified until Oct 11 16:03:20 2030 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  5. Create the Diffie Hellman parameter

    # ./build-dh
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ..............................................................................+........
    ++*++*++*++*
  6. Create the phone certificate
    Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone.
    It is necessary to give each certificate an individual name, e.g. the phone's MAC address, for our example we will use 000413A30591:

    # ./build-key 000413A30591
    


    Here is a detailed example showing how to run this command:

    # ./build-key 000413A30591
    Generating a RSA private key
    ....................................................................................+++++
    ........................................................+++++
    writing new private key to '000413A30591.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [Berlin]:
    Locality Name (eg, city) [Berlin]:
    Organization Name (eg, company) [Snom Test]:
    Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
    Common Name (eg, your name or your server's hostname) [000413A30591]:
    Name [EasyRSA]:
    Email Address [test@myhost.mydomain]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'Berlin'
    localityName          :PRINTABLE:'Berlin'
    organizationName      :PRINTABLE:'Snom Test'
    organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
    commonName            :PRINTABLE:'000413A30591'
    name                  :PRINTABLE:'EasyRSA'
    emailAddress          :IA5STRING:'test@myhost.mydomain'
    Certificate is to be certified until Oct 11 11:54:12 2030 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated


    Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:

    The phone configuration requires some naming that is mandatory and should not be changed:

    • All file paths in your config file must be set to /openvpn/filename
    • The configuration file must be named vpn.cnf

    In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.

    FilenamePurposeNeeded by
    ca.crtRoot CA certificateserver + all clients
    ca.keyRoot CA private keyserver only

    dh{n}.pemDiffie Hellman parameters
    server.crtServer Certificate
    server.keyServer private key
    000413A30591.crtCertificate for phone 000413A30591phone 000413A30591 only
    000413A30591.keyPrivate key for phone 000413A30591



  7. Create server configuration for OpenVPN
    Create configuration file, for example using the touch command:

    # touch /etc/openvpn/server.conf


    Edit the file with your favorite editor, for example using vim:

    # vim /etc/openvpn/server.conf 


    Paste the following content into the file:

    port 1194
    proto udp
    dev tun
    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key 
    dh /etc/openvpn/easy-rsa/keys/dh2048.pem
    server 10.8.0.0 255.255.255.0
    ifconfig-pool-persist /var/log/openvpn/ipp.txt
    client-to-client
    keepalive 10 120
    persist-key
    persist-tun
    status /var/log/openvpn-status.log
    verb 6


    This will configure OpenVPN to listen on port 1194, and use private IP subnet 10.8.0.0/24

  8. Enable packet forwarding
    This step is optional and is only needed if you would like to configure your OpenVPN server to act as a VPN gateway for a LAN. See also https://openvpn.net/faq/what-is-and-how-do-i-enable-ip-forwarding-on-linux/
    Edit /etc/sysctl.conf and uncomment the following line (remove the '#' at the beginning) to enable IP forwarding:

    net.ipv4.ip_forward=1 


    Then save the file and reload sysctl:

    # sysctl -p /etc/sysctl.conf 
  9. Run the OpenVPN server
    To check for any fatal errors preventing the server to start, you can try run the server in the foreground like this:

    # openvpn /etc/openvpn/server.conf


    If the service starts and prints several lines finished by "Initialization Sequence Completed", then the try run was successful. You can stop the try run with CTRL+C.

    Now you can start the OpenVPN server:

    # sudo systemctl start openvpn@server


    Next, check if OpenVPN created a tun0 interface. You should see something like this:

    # ip addr show dev tun0
    9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
        link/none 
        inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
           valid_lft forever preferred_lft forever
        inet6 fe80::8fc2:3403:fbac:1f35/64 scope link stable-privacy 
           valid_lft forever preferred_lft forever
  10. Configure OpenVPN to run at startup
    Running OpenVPN at system startup is optional but often preferred on server machines.
    Edit /etc/default/openvpn and add the following line, which instructs the system to start openvpn with configuration file /etc/openvpn/server.conf:

    AUTOSTART="server"


    Then reload systemctl and restart the OpenVPN service:

    # systemctl daemon-reload
    # systemctl restart openvpn.service 

OpenVPN server on Windows

OpenVPN is available for free, see more details here: https://openvpn.net/ .


Versions used for this section:

  • Windows 10, 64-bit
  • Installation file: openvpn-install-2.4.9-I601-Win10.exe

  1. Download and run the OpenVPN installer file
    At the time of this article the installation file could be found here: https://openvpn.net/community-downloads/
    1. Double click the installation file. You will see the installation wizard.
    2. Press Next until you reach the Choose Components section.
    3. Make sure EasyRSA is enabled (add a green tick):



    4. Follow the install wizard to finish the installation.

  2. Initialize the PKI and create the Certificate Authority
    Navigate to the C:\Program Files\OpenVPN\easy-rsa folder on an elevated command prompt:
    1. Open the search box next to the Start menu
    2. Type "cmd"
    3. Right-click on Command Prompt and choose "Run as Administrator"
    4. Right-click the menu item "Command Prompt"
    5. On the pop up User Account Control window, Click "Yes"
    6. Navigate to the easy-rsa folder:

      cd "C:\Program Files\OpenVPN\easy-rsa"
    7. Initialize the OpenVPN configuration:

      init-config

      Only run init-config once, during installation.

    8. Open the vars.bat file in a text editor:

      notepad vars.bat
    9. Edit the following lines in vars.bat, replacing "US", "CA," etc. with your company's information:

    10. Save the file and exit notepad.

    11. Run the following commands:

      vars
      clean-all
    12. Build the certificate authority (CA) certificate and key. When prompted, enter your country, etc. These will have default values (from the vars file), which appear in brackets.

      build-ca


      Here is a detailed example showing how to run this command:

      C:\Program Files\OpenVPN\easy-rsa>build-ca
      Generating a RSA private key
      ........................................++++
      .............................................................................................................................................................................................................................................................................................................................................................................................................................++++
      writing new private key to 'keys\ca.key'
      -----
      You are about to be asked to enter information that will be incorporated
      into your certificate request.
      What you are about to enter is what is called a Distinguished Name or a DN.
      There are quite a few fields but you can leave some blank
      For some fields there will be a default value,
      If you enter '.', the field will be left blank.
      -----
      Country Name (2 letter code) [DE]:
      State or Province Name (full name) [BLN]:
      Locality Name (eg, city) [Berlin]:
      Organization Name (eg, company) [SnomTest]:
      Organizational Unit Name (eg, section) [changeme]:Test
      Common Name (eg, your name or your server's hostname) [192.168.137.142]:   
      Name [changeme]:Test
      Email Address [mail@host.domain]:
  3. Create the server certificate

    build-key-server server


    Here is a detailed example showing how to run this command:

    C:\Program Files\OpenVPN\easy-rsa>build-key-server server
    Ignoring -days; not generating a certificate
    Generating a RSA private key
    ............................................++++
    ............++++
    writing new private key to 'keys\server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [BLN]:
    Locality Name (eg, city) [Berlin]:
    Organization Name (eg, company) [SnomTest]:
    Organizational Unit Name (eg, section) [changeme]:Test
    Common Name (eg, your name or your server's hostname) [192.168.137.142]:
    Name [changeme]:Test
    Email Address [mail@host.domain]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'BLN'
    localityName          :PRINTABLE:'Berlin'
    organizationName      :PRINTABLE:'SnomTest'
    organizationalUnitName:PRINTABLE:'Test'
    commonName            :PRINTABLE:'192.168.137.142'
    name                  :PRINTABLE:'Test'
    emailAddress          :IA5STRING:'mail@host.domain'
    Certificate is to be certified until Oct 18 12:29:34 2030 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
  4. Create the Diffie Hellman parameter

    C:\Program Files\OpenVPN\easy-rsa>build-dh
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    ..............................................................................+........
    ++*++*++*++*
  5. Create the phone certificate
    Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone.
    It is necessary to give each certificate an individual name, e.g. the phone's MAC address, for our example we will use 000413A30591:

    build-key 000413A30591


    Here is a detailed example showing how to run this command:

    C:\Program Files\OpenVPN\easy-rsa>build-key 000413A30591
    Ignoring -days; not generating a certificate
    Generating a RSA private key
    ...............................................................................++++
    .............................................................................++++
    writing new private key to 'keys\000413A30591.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [BLN]:
    Locality Name (eg, city) [Berlin]:
    Organization Name (eg, company) [SnomTest]:
    Organizational Unit Name (eg, section) [changeme]:Test
    Common Name (eg, your name or your server's hostname) [192.168.137.142]:000413A30591
    Name [changeme]:Phone000413A30591
    Email Address [mail@host.domain]:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    Using configuration from openssl-1.0.0.cnf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'DE'
    stateOrProvinceName   :PRINTABLE:'BLN'
    localityName          :PRINTABLE:'Berlin'
    organizationName      :PRINTABLE:'SnomTest'
    organizationalUnitName:PRINTABLE:'Test'
    commonName            :PRINTABLE:'000413A30591'
    name                  :PRINTABLE:'Phone000413A30591'
    emailAddress          :IA5STRING:'mail@host.domain'
    Certificate is to be certified until Oct 18 13:00:29 2030 GMT (3650 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated


    Now we will find our newly-generated keys and certificates in the C:\Program Files\OpenVPN\easy-rsa\keys folder. Here is an explanation of the relevant files:

    FilenamePurposeNeeded by
    ca.crtRoot CA certificateserver + all clients
    ca.keyRoot CA private keyserver only

    dh{n}.pemDiffie Hellman parameters
    server.crtServer Certificate
    server.keyServer private key
    000413A30591.crtCertificate for phone 000413A30591phone 000413A30591 only
    000413A30591.keyPrivate key for phone 000413A30591



  6. Create the server configuration for OpenVPN

    1. Create file server.ovpn using command:

      notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"
    2. When asked if you want to create a new file, click Yes.

    3. Enter the following configuration:

      port 1194
      proto udp
      dev tun
      ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
      cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
      key "C:\\Program Files\\OpenVPN\\config\\server.key"
      dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
      server 10.9.0.0 255.255.255.0
      client-to-client
      keepalive 10 120
      persist-key
      persist-tun
      verb 6
    4. Save the file and exit notepad.
      This will configure OpenVPN to listen on port 1194, and use private IP subnet 10.9.0.0/24

    5. Copy the configuration files from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ on the server by typing the following in the command prompt:

      robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt dh2048.pem server.crt server.key server.ovpn

      NOTE: In the robocopy command above. the space at the end of the path in each string is important.

  7. Run the OpenVPN server

    1. Run OpenVPN from: Start Menu -> OpenVPN -> OpenVPN GUI
      This will create a new icon in the system tray. Double click the icon to initiate the connection. The resulting dialog should show the status shortly and then close upon a successful start:



    2. Now if you open Network Connections (from Control Panel → Network and Internet → View Network Status and tasks → Change adapter settings), you should see a new connection of type TAP-Windows Adapter V9:



    3. If you right click this connection and then click Status → Details you should be able to see the configured IP address:



  8. Running OpenVPN as a Service
    Running OpenVPN as a service will allow OpenVPN to be started automatically on system startup. This is often preferred on a server machine.

    1. Run the Windows Service administrative tool:

      1. Press Windows Key + R
      2. Type "services.msc" and press Enter.
    2. Find the OpenVPN service, and set its Startup Type to "Automatic". Press Apply.
    3. Optionally, start the service now.

  9. Firewall Configuration
    If you have connection problems, make sure to set a rule on your server's firewall allowing incoming traffic on UDP port 1194. (Win+R "wf.msc")



Install and configure OpenVPN on the Snom phones

Install the VPN patch on the Snom phone

The VPN feature is not shipped with the default firmware due to security considerations. Snom provides the VPN feature in a small firmware patch which needs to be installed. This patch contains only the VPN feature and thus is very small in size.

To install the VPN feature patch follow one of the following procedures:

Manual Installation

  1. Find out your currently installed firmware version. See this link for information on how to do this
  2. Open the Firmware Update Center and click on your version
  3. Scroll down to "VPN Feature Updates"
  4. Copy the download link appropriate for your phone model
  5. Open the phone web user interface and select "Software Update" from the left hand menu
  6. Paste the link in the "Manual Software Update" field and click "Load"

The phone will reboot and install the patch. Afterwards you will be able to use the VPN feature

Automatic installation via SRAPS

It is also possible to install the VPN patch automatically via SRAPS, as part of the provisioning or even prior to the settings being fetched by the phone. See details here.

IMPORTANT: A network recovery will remove the VPN patch, so the VPN patch instalation is necessary after each TFTP rescue mode update!

How to tell if the VPN patch installation was successful

If the VPN installation was successful, the VPN feature will be available. Here is now you can check that the VPN feature is available:

  1. The VPN option is now visible in the Phone's Web Interface under Advanced → QOS/Security. If the VPN patch installation was successful, you should see here the VPN setting (it will be set to off at first because the VPN feature was installed, but it is not yet enabled)


  2. The VPN line is now added to the System Info screen in the Phone Menu. Open the "Settings" menu by pressing the phone button with the gear symbol, then navigate to "Information" and select "System Info".
    You should see the VPN line (it will show VPN off at first because the VPN feature was installed, but is not yet enabled)



  3. After installing the VPN patch, the phone will add the X-snom-vpn: available HTTP header to the provisioning requests. Using this header you can distinguish between devices with VPN enabled and devices not supporting the VPN.

VPN feature patch for older versions

If your phone is running version 8.x, you can find the instructions for the VPN patch here .



Create the VPN configuration tarball for the phone on Linux

Create client/phone configuration file

  1. The content of the configuration file is usually the same on all clients/phones. To avoid having to configure both files, client and server, in one directory, create a subfolder called client-config:

    # mkdir /etc/openvpn/client-config
  2. The configuration file for the phone must be called vpn.cnf:

    # touch /etc/openvpn/client-config/vpn.cnf
  3. Edit this file with your favorite editor:

    # vim /etc/openvpn/client-config/vpn.cnf
  4. Paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:

    client
    dev tun
    proto udp
    remote <Server-IP/-name> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /openvpn/ca.crt
    cert /openvpn/client.crt
    key /openvpn/client.key
    remote-cert-tls server
    ping 10
    ping-restart 60

Note

If you want to use OpenVPN configurations from phones with fw v8 now in fw v10 on the same OpenVPN server you may need to add the parameter

ncp-ciphers "BF-CBC"

to phone's vpn.cnf if the server's OpenVPN version is < 2.5


    

The phone configuration requires some naming that is mandatory and should not be changed:

  • All file paths in your config file must be set to /openvpn/filename
  • The configuration filen must be named vpn.cnf

In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.

Put together the configuration files for the phone

For this example we are using the same MAC we used to create the client certificate.

  1. Create a temporary directory to hold the needed files:

    # mkdir /etc/openvpn/client-config/tmp
  2. Put together the files in a tarball:

    # cp /etc/openvpn/client-config/vpn.cnf /etc/openvpn/client-config/tmp/    #the configuration file
    # cp /etc/openvpn/easy-rsa/keys/000413A30591.crt /etc/openvpn/client-config/tmp/client.crt  #the client certificate
    # cp /etc/openvpn/easy-rsa/keys/000413A30591.key /etc/openvpn/client-config/tmp/client.key  #the client private key
    # cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/client-config/tmp/ca.crt     #the CA
    # cd /etc/openvpn/client-config/tmp/
    # chown -Rf root:root *    
    # chmod -R 700 *           
    # tar cvpf vpnclient-000413A30591.tar *   #this command creates the actual tar file
    # rm client.*     #remove the used certificate and private key as they are no longer needed in the tmp directory


    Now you should be able to find the tarball file vpnclient-000413A30591.tar inside the /etc/openvpn/client-config/tmp/ directory. We will use this file in the next step when providing it to the phone.



Create the VPN configuration tarball for the phone on Windows

Create client/phone configuration file

  1. In the Command Prompt, create file vpn.cnf by running:

    notepad C:\Program Files\OpenVPN\easy-rsa\keys\vpn.cnf
  2. When asked if you want to create a new file, click Yes. Copy and paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:

    client
    dev tun
    proto udp
    remote <Server-IP/-name> 1194
    resolv-retry infinite
    nobind
    persist-key
    persist-tun
    ca /openvpn/ca.crt
    cert /openvpn/client.crt
    key /openvpn/client.key
    remote-cert-tls server
    ping 10
    ping-restart 60

    The phone configuration requires some naming that is mandatory and should not be changed:

    • All file paths in your config file must be set to /openvpn/filename
    • The configuration file must be named vpn.cnf

    In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.

  3. Save the file vpn.cnf

Put together the configuration files for the phone

  1. Navigate in File Explorer to C:\Program Files\OpenVPN\easy-rsa\keys\. Inside this folder, create a new folder called 000413A30591
  2. Copy the following files from C:\Program Files\OpenVPN\easy-rsa\keys\ into the 000413A30591 folder:
    • ca.crt
    • 000413A30591.crt
    • 000413A30591.key
    • vpn.cnf

  3. Now your folder 000413A30591 should look like this:



  4. Rename 000413A30591.crt to client.crt

  5. Rename 000413A30591.key to client.key

  6. Now your folder 000413A30591 should look like this:



  7. In the command prompt, navigate to the new created directory by typing:

    cd C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591
  8. Now create the tarball archive by typing:

    tar cvpf C:\vpnclient-000413A30591.tar *
  9. You should see the following:

    C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591>tar cvpf C:\vpnclient-000413A30591.tar *
    a client.crt
    a client.key
    a ca.crt
    a vpn.cnf
  10. Now you should be able to find the tarball file vpnclient-000413A30591.tar under C:\ . We will use this file in the next step when providing it to the phone.



Structure reference for the configuration tarball

When creating the tar archive for Snom phones, it is very important to keep the file structure and naming as in the above examples.

Below is the content of the tar file created in this example, vpnclient-000413A30591.tar. Note that there are no subdirectories, the files must be placed in the root of the tarball:

  • ca.crt
  • client.crt
  • client.key
  • vpn.cnf

You can download this example file here: vpnclient-000413A30591.tar 



Put the VPN configuration tarball on an HTTP server

This section also includes the download and set up of a minimal HTTP server using the SPLiT application. If you already have an HTTP server, you can just upload the tar file created in the previous section to your existing HTTP server and skip this section.

Setup an HTTP server on Windows

  1. Download the SPLiT executable file (for this example we used SPLiT-1.1.3_w32.exe)
  2. Create directory SPLiT in a location of your choice, for example C:\SPLiT
  3. Move SPLiT-1.1.3_w32.exe into the SPLiT directory
  4. Create a new directory called http inside the SPLiT directory
  5. Move the tar file created in the previous section from C:\ to the http directory
  6. Go back to the SPLiT directory
  7. Run the SPLiT executable SPLiT-1.1.3_w32.exe as Administrator
  8. Once the software has started you should see a user interface window:
    • Click on the Debug check box
    • Insert your computer IP address into the IP Address field
    • Verify that the HTTP Directory fields contains the http value
    • Click on the Start HTTP Server button


  9. Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar .
    This should present you with the option to download the tarball file.

Setup an HTTP server on Linux

  1. Open a terminal
  2. Install python if it is not already installed

    # apt-get install python
  3. Get and start SPLiT:

    # mkdir /usr/local/SPLiT
    # cd /usr/local/SPLiT
    # wget https://github.com/pbertera/SPLiT/archive/1.1.3.tar.gz
    # tar -xvzf 1.1.3.tar.gz
    # cd SPLiT-1.1.3/
    # mkdir http
    # sudo python SPLiT.py -i <Server-IP/-name> --http   #replace <Server-IP/-name> with your server's IP/Hostname
  4. Now that the HTTP server is running, place the tar file created on previous version in the http directory inside the SPLiT directory:

    # cp /etc/openvpn/client-config/tmp/vpnclient-000413A30591.tar /usr/local/SPLiT/SPLiT-1.1.3/http
  5. Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar .
    This should present you with the option to download the tarball file.



Apply the VPN configuration to the Snom phone

  1. Make sure the phone's date and time is correct in order to be able to validate the certificates
  2. Under Advanced → QOS/Security, find the VPN Parameter:


  3. Enable the VPN parameter by clicking on . The Unzipped VPN config tarball parameter will become available:

     

  4. Enter the HTTP(S)-URL of the tarball file e.g. http://<Server-IP/name>/vpnclient-000413A30591.tar with the openVPN configuration:


  5. Scroll down and click Apply

  6. In case the phone presents you with Some settings are not yet stored permanently , click Save . If this text does not appear you can ignore this step.

  7. Click Reboot

  8. After the reboot, the phone will show a notification VPN is active and display the VPN icon on the phone taskbar.

    Here is an example:


  9. Pressing the Info key will show:


  10. After you have pressed the Info key and seen the Status Info, the "VPN is active" notification will disappear



Changing the VPN configuration tarball at a later time

The Unzipped VPN config tarball parameter is designed to be provisioned only once: every time this parameter is configured the phone downloads the tarball and then the setting gets emptied.
If you wish to change the phone's VPN configuration you have to configure the tarball URL again in order to make the phone download and apply the new configuration.
It is not necessary to give the tarball a new name, you can use the original name.



Adding another phone to the VPN at a later time

If you wish to set up a new phone in the VPN at a later time, you can use the following steps:

  1. open command prompt and then run vars
    on Linux by using commands:

    cd /etc/openvpn/easy-rsa
    . ./vars


    on Windows by using commands:

    cd "C:\Program Files\OpenVPN\easy-rsa"
    vars


  2. repeat step Create the phone certificate
  3. repeat step Create the VPN configuration tarball for the phone (you can skip the part where you create vpn.cnf because this was already created and it is usually the same for all clients)
  4. repeat step Put the VPN configuration tarball on an HTTP server
  5. repeat step Apply the VPN configuration to the Snom phone



Advanced examples

Additional authentication with a username/password

In some cases the VPN server requires a username and password, in addition to the certificate. Here is how to configure up a VPN username/password for the Snom phone:

  1.  Add auth-user-pass to your vpn.cnf, like this (do not change the path):

    auth-user-pass /openvpn/pass.txt
  2. Create file pass.txt with the following content, replacing the text username and password with your actual username and password.

    username
    password
  3. When creating the configuration tarball (see step Create the VPN configuration tarball for the phone), also include file pass.txt to the tarball.
    Make sure that the file pass.txt is in the same path of the tarball as the other configuration files.



Troubleshooting


  • Everything works as described, but the phone seems to reject my server certificate. What's wrong?

Make sure the phone has the right date and time. Try to configure an NTP server that the phone can reach on its native network (not via VPN). If the phone has a wrong date it might assume that all certificates are not valid (yet).


  • How to view the OpenVPN logs

You can set the phone to send all VPN logs to a "Netcat Server". To do this:

    1. Install and run netcat on a host that is reachable to the phone:

      netcat -l -p 5000
    2. Set the IP address of this host under Advanced → Qos/security → Netcat Server:


    3. Once you apply this and reboot tht phone, you will see the phone's VPN logs on the host running netcat. If you have not added a custom verbosity level in vpn.cnf, you should see the following (for a successfull connection):


      Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
      Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
      Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
      Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
      Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
      Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
      Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
      Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
      Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
      Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Tue Oct 20 11:58:21 2020 Initialization Sequence Completed


  • What is my IP in the VPN?

The phone does not show the IP address received over VPN in the web interface per default, but there are some other ways to view this:

Option 1: from the SIP logs

Set up a test identity on the phone, with Registrar set to an IP address inside the VPN network. It does not matter what IP address it is, it just needs to be routed inside the VPN network. Set only the Account and the Registrar for this identity:

 

Then click on SIP Trace, you will see some SIP messages. Look at the IP address from which these were sent:

Sent to Udp:10.8.0.1:5060 from Udp:10.8.0.6 :55786 at Oct 19 23:54:43.886 (717 bytes):

REGISTER sip:10.8.0.1 SIP/2.0

Via: SIP/2.0/UDP 10.8.0.6:55786;branch=z9hG4bK-2yig1rmxrpir;rport

From: <sip:100@10.8.0.1>;tag=r06il7bz6r

To: <sip:100@10.8.0.1>

.....

If your VPN network is routing packets correctly, you will see here the phone's IP address (in this example it is 10.8.0.6 )

Option 2: from the netcat logs

From the netcat logs (see above " How to view the OpenVPN logs "). If you have not added a custom verbose level in vpn.cnf, at the beginning of the connection, the netcat logs will also show the IP address that the phone receives.

Here is an example:

Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5         <-------- this means that our local address in the VPN is 10.8.0.6
Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed


The source code of components licensed under GPL used in snom VoIP phones can be downloaded from here. The original GPL license text can be downloaded from here.