Child pages
  • How to auto-provision VPN Patch to your desk phone

Contents

Since Firmware version 8.7.5.15 and 8.9.3.5 the VPN feature is no longer shipped with the default firmware due to security considerations. Snom now separates the base firmware and the VPN patch as two separate files.

VPN Script for V10
<?php

/*
 * This function returns the local URL from where this script is served 
 */
function get_current_url() {
    $protocol = ((isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] == "on") ? "https" : "http");
    $base_url = $protocol . "://" . $_SERVER['HTTP_HOST'];
    $complete_url =   $base_url . $_SERVER["PHP_SELF"];
    return $complete_url;
}

/*
 * This function performs the fw update in case the header X-snom-vpn is not present
 * or differs from "available". In case the request comes from a version < than 10.1.33.33
 * we dont' perform any update.
 *
 * If the VPN feature is not supported this function generates the XML setting the
 * firmware_status pointing to this script setting the snom-vpn-patch-fw GET parameter
 *
 * If the the URI contains the snom-vpn-patch-fw=true parameter the script returns the
 * XML firmware container
 *
 * If debug is True the funcion logs some debug messages into the error log.
 *
 * IMPORTANT NOTE: in case the script detects that the VPN feature is not available
 * after sending the XML response the script stops the execution calling the die() function.
 */
function vpn_auto_patch ($debug = False){
    global $VPN_PATCH_URL;

    if($_SERVER['HTTP_X_SNOM_VPN'] == "available"){
        if($debug){
            error_log("VPN patch already installed, ignoring");
        }
        return;
    }

    if($debug){
        error_log("VPN patch not installed");
    }
    
    /* get the user agent to grab the firmware version */
    $agent = $_SERVER['HTTP_USER_AGENT'];

    if (!preg_match("/(snom[^-]+)-SIP ([0-9.]+)/", $agent, $matches)) {
        die("ERROR: Unknown user agent (Not a snom phone? Not a regular release?): $agent");
    }

    $phone_type = $matches[1];
    $software_version = $matches[2];
    $software_version_parts = explode('.', $software_version);
    $major = $software_version_parts[0];
    $minor = $software_version_parts[1];
    $release = $software_version_parts[2];
    $patch = $software_version_parts[3];
   
    if($debug){
        error_log("Version: $software_version");
    } 
    if($major < 10){ /* FW < 10.X */
        if($debug){
            error_log("Software major version < 10, ignoring");
        }
        return;
    }
    if($major == 10 and $minor < 1){ /* FW < 10.1.X */
        if($debug){
            error_log("Software minor version < 10.1, ignoring");
        }
        return;
    }
    if($major == 10 and $minor == 1 and $release < 33){ /* FW < 10.1.33.X */
        if($debug){
            error_log("Software release version < 10.1.33, ignoring");
        }
        return;
    }
    if($major == 10 and $minor == 1 and $release == 33 and $patch < 33){ /* FW < 10.1.33.33 */
        if($debug){
            error_log("Software patch version < 10.1.33.33, ignoring");
        }
        return;
    }
   
    
    if($debug){
        error_log("Phone Type: $phone_type");
    }    
    
    header("Content-type: text/xml");
    
    if($_GET["snom-vpn-patch-fw"] == "true"){
        if($debug){
            error_log("Generating the firmware container");
            error_log("VPN Patch URL: $VPN_PATCH_URL[$phone_type]");
        }
	/*
 * Array containing all the VPN patch mapper per-device.
 * Please double check the URLs here.
 */
$VPN_PATCH_URL = array (
    "snomD315" => "http://downloads.snom.com/fw/$software_version/vpn/snomD315-$software_version-vpnfeature-r.bin",
    "snomD335" => "http://downloads.snom.com/fw/$software_version/vpn/snomD335-$software_version-vpnfeature-r.bin",
    "snomD345" => "http://downloads.snom.com/fw/$software_version/vpn/snomD345-$software_version-vpnfeature-r.bin",
    "snomD375" => "http://downloads.snom.com/fw/$software_version/vpn/snomD375-$software_version-vpnfeature-r.bin",
    "snomD385" => "http://downloads.snom.com/fw/$software_version/vpn/snomD385-$software_version-vpnfeature-r.bin",
    "snomD712" => "http://downloads.snom.com/fw/$software_version/vpn/snomD712-$software_version-vpnfeature-r.bin",
    "snomD715" => "http://downloads.snom.com/fw/$software_version/vpn/snomD715-$software_version-vpnfeature-r.bin",
    "snomD717" => "http://downloads.snom.com/fw/$software_version/vpn/snomD717-$software_version-vpnfeature-r.bin",
    "snomD725" => "http://downloads.snom.com/fw/$software_version/vpn/snomD725-$software_version-vpnfeature-r.bin",
    "snomD735" => "http://downloads.snom.com/fw/$software_version/vpn/snomD735-$software_version-vpnfeature-r.bin",
    "snomD745" => "http://downloads.snom.com/fw/$software_version/vpn/snomD745-$software_version-vpnfeature-r.bin",
    "snomD765" => "http://downloads.snom.com/fw/$software_version/vpn/snomD765-$software_version-vpnfeature-r.bin",
    "snomD785" => "http://downloads.snom.com/fw/$software_version/vpn/snomD785-$software_version-vpnfeature-r.bin"
);	
		
?>
<?xml version="1.0" encoding="utf-8"?>
<firmware-settings>
    <firmware perm=""><?php echo $VPN_PATCH_URL[$phone_type]?></firmware>
</firmware-settings>
<?php
    die();
    } else {
        if($debug){
            error_log("Generating the settings");
        }
        $fw_status = get_current_url() . "?snom-vpn-patch-fw=true";
?>
<?xml version="1.0" encoding="utf-8"?>
<settings e="2">
    <phone-settings e="2">
        <update_policy>auto_update</update_policy>
        <firmware_status><?php echo $fw_status?></firmware_status>
    </phone-settings>
</settings>
<?php
    die();
    }
}
?>

VPN patch script for version 10.txt


Due to the change, to update the firmware on your phones via provisioning, or manual upgrade, you must;

  1. update the firmware 
  2. change the firmware link to the VPN one and update again.


Unfortunately, it isn't possible to combine the VPN patch and the firmware via Provisioning. During provisioning, you can distinguish between phones with VPN enabled and the phones that do not, using the "X-snom-Vpn: supported" HTTP header. This header is added to the provisioning requests by phones with the VPN patch already installed. In this way, you can deploy the VPN patch to the phones that do not have the header.


  • Attached you can find the check_vpn.php script.
  • This example shows how to patch the Snom D765; Modify it as needed.
  • This script defines the function vpn_auto_patch( )


Such function do the following tasks:

  • if the firmware version is prior to 8.7.5.15 => do nothing
  • if the firmware version is prior to 8.9.3.5 => do nothing
  • if the request contains the X-snom-vpn: available => do nothing

in all the other cases provides the XML to perform the upgrade:

<?xml version="1.0" encoding="utf-8"?>
<settings e="2">
    <phone-settings e="2">
        <update_policy>auto_update</update_policy>
        <firmware_status>{{THE_SCRIPT_URL}}?snom-vpn-patch-fw=true</firmware_status>
    </phone-settings>
</settings>

and in case the request contains snom-vpn-patch-fw=true in the query string:

<?xml version="1.0" encoding="utf-8"?>
<firmware-settings>
    <firmware perm="">http://downloads.snom.com/fw/snom760-vpnfeature-r.bin</firmware>
</firmware-settings>

The firmware patch URL comes from the array defined at the top of the file.


I modified the snomD765-vpn.php adding the following 2 lines:

require_once('check_vpn.php');
vpn_auto_patch();

Example:

<?php
require_once('check_vpn.php');
vpn_auto_patch();


if (isset($_GET['mac']) && !empty($_GET['mac'])){
    $mac = $_GET['mac'];
}else{
    $mac = "generic";
}