Automatic installation via SRAPS

It is also possible to install the VPN patch automatically via SRAPS, as part of the provisioning or even prior to the settings being fetched by the phone. See details here.


Overview

Snom deskphones include the ability to build secure VoIP infrastructures via the OpenVPN technology. Snom decided to use OpenVPN because it is compatible with SSL/RSA certificates and X.509 PKI, NAT, DHCP, and TUN/TAP virtual devices. OpenVPN is open source and is licensed under the GPL.

This article explains the step-by-step implementation of OpenVPN on Snom phones, including server installation and setup, creating the phone configuration and applying it on the phone.


Install and configure the OpenVPN server

Note: If you already have a VPN server, you can skip this section.

The OpenVPN server is available for free and there are various guides available on installing and configuring it. This section contains one out of several methods to install and set up a minimal OpenVPN server on Linux and Windows. For more options and detailed information, see https://openvpn.net or the available documentation for your server.

OpenVPN server on Linux

Versions used for this section:

  • Ubuntu 18.04
  • OpenVPN 2.4.4
  • OpenSSL 1.1.1

The installation steps require that you are logged in as root on the Ubuntu system.


1. Update the apt-sources

Code Block
# apt-get update

2. Install OpenVPN and easy-rsa packages

Code Block
# apt-get install openvpn


# apt-get install easy-rsa

3. Create the Certificate Authority

Copy the easy-rsa directory to /etc/openvpn:

Code Block
# make-cadir /etc/openvpn/easy-rsa

Enter the created directory:

Code Block
# cd /etc/openvpn/easy-rsa

Edit the vars file with your favorite editor, for example using vim:

Code Block
# vim vars

and scroll down until you find the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Edit these to fit your server. Don’t leave any of these parameters blank.

Next, initialize the PKI:

Code Block
# . ./vars


# ./clean-all


Note: if when running ". ./vars" you get the error "No /etc/openvpn/easy-rsa/openssl.cnf file could be found", link openssl.cnf to the latest available cnf file inside the directory, for example using the command "ln -s openssl-1.0.0.cnf openssl.cnf". Then run ". ./vars" again.


The next command (build-ca) will build the certificate authority (CA) certificate and key:

Code Block
# ./build-ca

Here is a detailed example showing how to run this command:

Code Block
# ./build-ca
Generating a RSA private key
...............................................................................+++++
.......................................................................................+++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Berlin]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Snom Test]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Snom Test CA]:
Name [EasyRSA]:
Email Address [test@myhost.mydomain]:

Note that in the above sequence, most queried parameters defaulted to the values that you set in the vars file.


4. Create the server certificate

Code Block
# ./build-key-server server

Here is a detailed example showing how to run this command:

Code Block
# ./build-key-server server
Generating a RSA private key
.+++++
..............+++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Berlin]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Snom Test]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:192.168.137.102          <--------- the IP address/hostname that the phone will use to reach the server
Name [EasyRSA]:
Email Address [test@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Berlin'
localityName          :PRINTABLE:'Berlin'
organizationName      :PRINTABLE:'Snom Test'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'192.168.137.102'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'test@myhost.mydomain'
Certificate is to be certified until Oct 11 16:03:20 2030 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


5. Create the Diffie-Hellman parameters

Code Block
# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............................................................................+........
++*++*++*++*


6. Create the phone certificate

Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone.

It is necessary to give each certificate an individual name, e.g. the phone's MAC address, for our example we will use 000413A30591:

Code Block
# ./build-key 000413A30591

Here is a detailed example showing how to run this command:

Code Block
# ./build-key 000413A30591
Generating a RSA private key
....................................................................................+++++
........................................................+++++
writing new private key to '000413A30591.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Berlin]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Snom Test]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [000413A30591]:
Name [EasyRSA]:
Email Address [test@myhost.mydomain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Berlin'
localityName          :PRINTABLE:'Berlin'
organizationName      :PRINTABLE:'Snom Test'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'000413A30591'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'test@myhost.mydomain'
Certificate is to be certified until Oct 11 11:54:12 2030 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:

Filename            Purpose                               Needed by
ca.crt              Root CA certificate                   server + all clients
ca.key              Root CA private key                   server only
dh{n}.pem           Diffie-Hellman parameters             server only
server.crt          Server certificate                    server only
server.key          Server private key                    server only
000413A30591.crt    Certificate for phone 000413A30591    phone 000413A30591 only
000413A30591.key    Private key for phone 000413A30591    phone 000413A30591 only


7. Create server configuration for OpenVPN

Create configuration file, for example using the touch command:

Code Block
# touch /etc/openvpn/server.conf

Edit the file with your favorite editor, for example using vim:

Code Block
# vim /etc/openvpn/server.conf 

Paste the following content into the file:

Code Block
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key 
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-to-client
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 6

This will configure OpenVPN to listen on port 1194 and use the private IP subnet 10.8.0.0/24.


8. Enable packet forwarding

This step is optional and is only needed if you would like to configure your OpenVPN server to act as a VPN gateway for a LAN. See also https://openvpn.net/faq/what-is-and-how-do-i-enable-ip-forwarding-on-linux/

Edit /etc/sysctl.conf and uncomment the following line (remove the '#' at the beginning) to enable IP forwarding:

Code Block
net.ipv4.ip_forward=1 

Then save the file and reload sysctl:

Code Block
# sysctl -p /etc/sysctl.conf 


9. Run the OpenVPN server

To check for any fatal errors preventing the server from starting, you can do a trial run of the server in the foreground like this:

Code Block
# openvpn /etc/openvpn/server.conf

If the service starts and prints several lines ending with "Initialization Sequence Completed", the trial run was successful. Stop it with CTRL+C.

Now you can start the OpenVPN server:

Code Block
# sudo systemctl start openvpn@server

Next, check if OpenVPN created a tun0 interface. You should see something like this:

Code Block
# ip addr show dev tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none 
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8fc2:3403:fbac:1f35/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever


10. Configure OpenVPN to run at startup

Running OpenVPN at system startup is optional but often preferred on server machines.

Edit /etc/default/openvpn and add the following line, which instructs the system to start openvpn with configuration file /etc/openvpn/server.conf:

Code Block
AUTOSTART="server"

Then reload systemd and restart the OpenVPN service:

Code Block
# systemctl daemon-reload


# systemctl restart openvpn.service 


OpenVPN server on Windows

OpenVPN is available for free, see more details here: https://openvpn.net/ .

Versions used for this section:

  • Windows 10, 64-bit
  • Installation file: openvpn-install-2.4.9-I601-Win10.exe

1. Download and run the OpenVPN installer file
At the time of this article the installation file could be found here: https://openvpn.net/community-downloads/

Double click the installation file. You will see the installation wizard. Press Next until you reach the Choose Components section.

Make sure EasyRSA is enabled (add a green tick):

Follow the install wizard to finish the installation.


2. Initialize the PKI and create the Certificate Authority

Open an elevated command prompt and navigate to the C:\Program Files\OpenVPN\easy-rsa folder:

  • Open the search box next to the Start menu
  • Type "cmd"
  • Right-click the "Command Prompt" menu item and choose "Run as Administrator"
  • On the User Account Control pop-up window, click "Yes"
  • Navigate to the easy-rsa folder:

    Code Block
    cd "C:\Program Files\OpenVPN\easy-rsa"


  • Initialize the OpenVPN configuration:

    Code Block
    init-config


    Note: only run init-config once, during installation.


  • Open the vars.bat file in a text editor:

    Code Block
    notepad vars.bat


  • Edit the following lines in vars.bat, replacing "US", "CA," etc. with your company's information:


  • Save the file and exit notepad.
  • Run the following commands:

    Code Block
    vars

    
    clean-all


  • Build the certificate authority (CA) certificate and key. When prompted, enter your country, etc. These will have default values (from the vars file), which appear in brackets.

    Code Block
    build-ca

    Here is a detailed example showing how to run this command:

    Code Block
    C:\Program Files\OpenVPN\easy-rsa>build-ca
    Generating a RSA private key
    ........................................++++
    .............................................................................................................................................................................................................................................................................................................................................................................................................................++++
    writing new private key to 'keys\ca.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [DE]:
    State or Province Name (full name) [BLN]:
    Locality Name (eg, city) [Berlin]:
    Organization Name (eg, company) [SnomTest]:
    Organizational Unit Name (eg, section) [changeme]:Test
    Common Name (eg, your name or your server's hostname) [192.168.137.142]:   
    Name [changeme]:Test
    Email Address [mail@host.domain]:


3. Create the server certificate

Code Block
build-key-server server

Here is a detailed example showing how to run this command:

Code Block
C:\Program Files\OpenVPN\easy-rsa>build-key-server server
Ignoring -days; not generating a certificate
Generating a RSA private key
............................................++++
............++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BLN]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [SnomTest]:
Organizational Unit Name (eg, section) [changeme]:Test
Common Name (eg, your name or your server's hostname) [192.168.137.142]:
Name [changeme]:Test
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'BLN'
localityName          :PRINTABLE:'Berlin'
organizationName      :PRINTABLE:'SnomTest'
organizationalUnitName:PRINTABLE:'Test'
commonName            :PRINTABLE:'192.168.137.142'
name                  :PRINTABLE:'Test'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Oct 18 12:29:34 2030 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated


4. Create the Diffie-Hellman parameters

Code Block
C:\Program Files\OpenVPN\easy-rsa>build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............................................................................+........
++*++*++*++*


5. Create the phone certificate

Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone.

It is necessary to give each certificate an individual name, e.g. the phone's MAC address, for our example we will use 000413A30591:

Code Block
build-key 000413A30591

Here is a detailed example showing how to run this command:

Code Block
C:\Program Files\OpenVPN\easy-rsa>build-key 000413A30591
Ignoring -days; not generating a certificate
Generating a RSA private key
...............................................................................++++
.............................................................................++++
writing new private key to 'keys\000413A30591.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BLN]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [SnomTest]:
Organizational Unit Name (eg, section) [changeme]:Test
Common Name (eg, your name or your server's hostname) [192.168.137.142]:000413A30591
Name [changeme]:Phone000413A30591
Email Address [mail@host.domain]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'BLN'
localityName          :PRINTABLE:'Berlin'
organizationName      :PRINTABLE:'SnomTest'
organizationalUnitName:PRINTABLE:'Test'
commonName            :PRINTABLE:'000413A30591'
name                  :PRINTABLE:'Phone000413A30591'
emailAddress          :IA5STRING:'mail@host.domain'
Certificate is to be certified until Oct 18 13:00:29 2030 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now we will find our newly-generated keys and certificates in the C:\Program Files\OpenVPN\easy-rsa\keys folder. Here is an explanation of the relevant files:

Filename            Purpose                               Needed by
ca.crt              Root CA certificate                   server + all clients
ca.key              Root CA private key                   server only
dh{n}.pem           Diffie-Hellman parameters             server only
server.crt          Server certificate                    server only
server.key          Server private key                    server only
000413A30591.crt    Certificate for phone 000413A30591    phone 000413A30591 only
000413A30591.key    Private key for phone 000413A30591    phone 000413A30591 only


6. Create the server configuration for OpenVPN

Create file server.ovpn using command:

Code Block
notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"

When asked if you want to create a new file, click Yes.

Enter the following configuration:

Code Block
port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 10.9.0.0 255.255.255.0
client-to-client
keepalive 10 120
persist-key
persist-tun
verb 6

Save the file and exit notepad.

This will configure OpenVPN to listen on port 1194 and use the private IP subnet 10.9.0.0/24.

Copy the configuration files from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ on the server by typing the following in the command prompt:

Code Block
robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt dh2048.pem server.crt server.key server.ovpn


Note: in the robocopy command above, the space at the end of the path in each string is important.


7. Run the OpenVPN server

Run OpenVPN from: Start Menu -> OpenVPN -> OpenVPN GUI

This will create a new icon in the system tray. Double click the icon to initiate the connection. The resulting dialog should show the status shortly and then close upon a successful start:


Now if you open Network Connections (from Control Panel → Network and Internet → View Network Status and tasks → Change adapter settings), you should see a new connection of type TAP-Windows Adapter V9:


If you right click this connection and then click Status Details you should be able to see the configured IP address:


8. Running OpenVPN as a Service

Running OpenVPN as a service will allow OpenVPN to be started automatically on system startup. This is often preferred on a server machine.

  • Run the Windows Service administrative tool:
    • Press Windows Key + R
    • Type "services.msc" and press Enter.
  • Find the OpenVPN service, and set its Startup Type to "Automatic". Press Apply.
  • Optionally, start the service now.

9. Firewall Configuration

If you have connection problems, make sure to set a rule on your server's firewall allowing incoming traffic on UDP port 1194. (Win+R "wf.msc")



Install and configure OpenVPN on the Snom phones

Install the VPN patch on the Snom phone

The VPN feature is not shipped with the default firmware due to security considerations. Snom provides the VPN feature in a small firmware patch which needs to be installed. This patch contains only the VPN feature and thus is very small in size.

To install the VPN feature patch, follow one of the following procedures:

Manual Installation

  • Find out your currently installed firmware version. See this link for information on how to do this
  • Open the Firmware Update Center and click on your version
  • Scroll down to "VPN Feature Updates"
  • Copy the download link appropriate for your phone model
  • Open the phone web user interface and select "Software Update" from the left hand menu
  • Paste the link in the "Manual Software Update" field and click "Load"

The phone will reboot and install the patch. Afterwards you will be able to use the VPN feature.

Warning

IMPORTANT: A network recovery will remove the VPN patch, so the VPN patch installation is necessary after each TFTP rescue mode update!

How to tell if the VPN patch installation was successful

If the VPN installation was successful, the VPN feature will be available. Here is how you can check that the VPN feature is available:

  • The VPN option is now visible in the Phone's Web Interface under Advanced → QOS/Security. If the VPN patch installation was successful, you should see here the VPN setting (it will be set to off at first because the VPN feature was installed, but it is not yet enabled)


  • The VPN line is now added to the System Info screen in the Phone Menu. Open the "Settings" menu by pressing the phone button with the gear symbol, then navigate to "Information" and select "System Info".
    You should see the VPN line (it will show VPN off at first because the VPN feature was installed, but is not yet enabled)

  • After installing the VPN patch, the phone will add the X-snom-vpn: available HTTP header to the provisioning requests. Using this header you can distinguish between devices with VPN enabled and devices not supporting the VPN.
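The header check described above, as an added example that is not Snom's code or part of the original page: a provisioning server can parse the request head, look for X-snom-vpn: available (header names are case-insensitive), and hand out VPN settings only to phones that announce the patch. The function names, the setting names returned by vpn_settings_for() and the sample request are assumptions made for this example, not Snom's real provisioning setting names.

```python
# Added example (not Snom's code): provisioning-side check for the
# "X-snom-vpn: available" header a patched phone adds to its provisioning
# requests. parse_request_head(), phone_has_vpn() and the setting names
# returned by vpn_settings_for() are assumptions for this example.


def parse_request_head(raw: bytes) -> dict:
    """Split an HTTP request head (request line + header lines) into a dict."""
    lines = raw.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:          # lines[0] is the request line
        if not line:                # empty line ends the head
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def phone_has_vpn(headers) -> bool:
    """True if the request carries 'X-snom-vpn: available' (any header-name case)."""
    return any(
        name.lower() == "x-snom-vpn" and value.strip().lower() == "available"
        for name, value in headers.items()
    )


def vpn_settings_for(headers, mac: str, tarball_base_url: str) -> dict:
    """Return the VPN settings to provision; a phone without the patch gets none,
    so it is never pointed at a tarball it cannot use."""
    if not phone_has_vpn(headers):
        return {}
    return {
        "vpn": "on",                                   # assumed setting name
        "vpn_tarball_url": f"{tarball_base_url}/vpnclient-{mac}.tar",
    }


# Constructed sample request: the X-snom-vpn header value is the one the page
# names; the request path and the other headers are made up for the example.
SAMPLE_REQUEST = (
    b"GET /provisioning/000413A30591.htm HTTP/1.1\r\n"
    b"Host: 192.168.137.102\r\n"
    b"User-Agent: constructed-snom-agent\r\n"
    b"X-snom-vpn: available\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    hdrs = parse_request_head(SAMPLE_REQUEST)
    print(phone_has_vpn(hdrs))
    print(vpn_settings_for(hdrs, "000413A30591", "http://192.168.137.102"))
```

The header only tells you the patch is present; whether the VPN is actually enabled is still decided by the settings you provision afterwards.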

VPN feature patch for older versions

If your phone is running version 8.x, you can find the instructions for the VPN patch here.

Create the VPN configuration tarball for the phone on Linux

Create client/phone configuration file

The content of the configuration file is usually the same on all clients/phones. To keep the client configuration separate from the server configuration, create a subfolder called client-config:

Code Block
# mkdir /etc/openvpn/client-config

The configuration file for the phone must be called vpn.cnf:

Code Block
# touch /etc/openvpn/client-config/vpn.cnf

Edit this file with your favorite editor:

Code Block
# vim /etc/openvpn/client-config/vpn.cnf

Paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:

Code Block
client
dev tun
proto udp
remote <Server-IP/-name> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
remote-cert-tls server
ping 10
ping-restart 60
      
Warning

The phone configuration requires some naming that is mandatory and should not be changed:

  • All file paths in your config file must be set to /openvpn/filename
  • The configuration file must be named vpn.cnf

In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.
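As an added example (not from the page, Snom or OpenVPN), the following Python checks a phone's vpn.cnf against the server.conf built earlier before the file is packed for the phone: matching proto, dev and port, the remote placeholder replaced, remote-cert-tls server present, and every file path under /openvpn/ as the warning above requires. The function names and the three sample configurations are constructed for this example; the two good ones reproduce the page's files with the placeholder replaced by the example server address 192.168.137.102.

```python
# Added example, not part of the page: parse OpenVPN config text into
# directives and check a phone's vpn.cnf against the server.conf.
from pathlib import PurePosixPath

# Constructed sample: the page's server.conf, reduced to the directives used here.
SERVER_CONF = """\
port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
verb 6
"""

# Constructed sample: the page's vpn.cnf with <Server-IP/-name> replaced.
PHONE_CONF_OK = """\
client
dev tun
proto udp
remote 192.168.137.102 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
remote-cert-tls server
ping 10
ping-restart 60
"""

# Constructed sample with the mistakes the checker is meant to catch.
PHONE_CONF_BAD = """\
client
dev tun
proto tcp
remote <Server-IP/-name> 1194
ca /etc/openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
"""


def parse_openvpn_conf(text: str) -> dict:
    """Map each directive to its argument list (last occurrence wins).
    '#' and ';' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            parts = line.split()
            conf[parts[0]] = parts[1:]
    return conf


def check_phone_config(client_text: str, server_text: str) -> list:
    """Return a list of problems; empty means the phone config matches the
    server and follows the naming rules the page states."""
    c = parse_openvpn_conf(client_text)
    s = parse_openvpn_conf(server_text)
    problems = []
    if "client" not in c:
        problems.append("missing 'client' directive")
    remote = c.get("remote", [])
    if not remote or remote[0].startswith("<"):
        problems.append("'remote' still holds the <Server-IP/-name> placeholder")
    server_port = s.get("port", ["1194"])[0]
    if len(remote) > 1 and remote[1] != server_port:
        problems.append(f"phone port {remote[1]} does not match server port {server_port}")
    for d in ("proto", "dev"):
        if c.get(d) != s.get(d):
            problems.append(f"'{d}' differs: phone {c.get(d)} vs server {s.get(d)}")
    # Without this the phone would accept any certificate signed by the CA as
    # the server, including a certificate issued to another phone.
    if c.get("remote-cert-tls") != ["server"]:
        problems.append("'remote-cert-tls server' is missing")
    for d in ("ca", "cert", "key"):
        path = c.get(d, [""])[0]
        if PurePosixPath(path).parent != PurePosixPath("/openvpn"):
            problems.append(f"'{d}' must be /openvpn/<filename>, got '{path}'")
    return problems


if __name__ == "__main__":
    print(check_phone_config(PHONE_CONF_OK, SERVER_CONF))   # []
    for p in check_phone_config(PHONE_CONF_BAD, SERVER_CONF):
        print("-", p)
```

Run it against the real files with parse_openvpn_conf(open(path).read()) on both sides; an empty list is the result you want before packing the tarball.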

Put together the configuration files for the phone

For this example we are using the same MAC we used to create the client certificate.

Create a temporary directory to hold the needed files:

Code Block
# mkdir /etc/openvpn/client-config/tmp

Put together the files in a tarball:

Code Block
# cp /etc/openvpn/client-config/vpn.cnf /etc/openvpn/client-config/tmp/    #the configuration file
# cp /etc/openvpn/easy-rsa/keys/000413A30591.crt /etc/openvpn/client-config/tmp/client.crt  #the client certificate
# cp /etc/openvpn/easy-rsa/keys/000413A30591.key /etc/openvpn/client-config/tmp/client.key  #the client private key
# cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/client-config/tmp/ca.crt     #the CA
# cd /etc/openvpn/client-config/tmp/
# chown -Rf root:root *    
# chmod -R 700 *           
# tar cvpf vpnclient-000413A30591.tar *   #this command creates the actual tar file
# rm client.*     #remove the used certificate and private key as they are no longer needed in the tmp directory
      

Now you should be able to find the tarball file vpnclient-000413A30591.tar inside the /etc/openvpn/client-config/tmp/ directory. We will use this file in the next step when providing it to the phone.

Create the VPN configuration tarball for the phone on Windows

Create client/phone configuration file

In the Command Prompt, create file vpn.cnf by running:

Code Block
notepad "C:\Program Files\OpenVPN\easy-rsa\keys\vpn.cnf"

When asked if you want to create a new file, click Yes. Copy and paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:

Code Block
client
dev tun
proto udp
remote <Server-IP/-name> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
remote-cert-tls server
ping 10
ping-restart 60
      
Warning

The phone configuration requires some naming that is mandatory and should not be changed:

  • All file paths in your config file must be set to /openvpn/filename
  • The configuration file must be named vpn.cnf

In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.

Save the file vpn.cnf

Put together the configuration files for the phone

Navigate in File Explorer to C:\Program Files\OpenVPN\easy-rsa\keys\. Inside this folder, create a new folder called 000413A30591

Copy the following files from C:\Program Files\OpenVPN\easy-rsa\keys\ into the 000413A30591 folder:
ca.crt
000413A30591.crt
000413A30591.key
vpn.cnf

Now your folder 000413A30591 should look like this:

Rename 000413A30591.crt to client.crt

Rename 000413A30591.key to client.key

Now your folder 000413A30591 should look like this:

In the command prompt, navigate to the new created directory by typing:

Code Block
cd C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591

Now create the tarball archive by typing:

Code Block
tar cvpf C:\vpnclient-000413A30591.tar *

You should see the following:

Code Block
C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591>tar cvpf C:\vpnclient-000413A30591.tar *
a client.crt
a client.key
a ca.crt
a vpn.cnf

Now you should be able to find the tarball file vpnclient-000413A30591.tar under C:\ . We will use this file in the next step when providing it to the phone.

Structure reference for the configuration tarball

When creating the tar archive for Snom phones, it is very important to keep the file structure and naming as in the above examples.

Below is the content of the tar file created in this example, vpnclient-000413A30591.tar. Note that there are no subdirectories, the files must be placed in the root of the tarball:

ca.crt
client.crt
client.key
vpn.cnf

You can download this example file here: vpnclient-000413A30591.tar 
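The packing steps above (both the Linux and the Windows variant) and this structure reference, as an added example that is not part of the page: Python's tarfile module builds the archive flat, renames <MAC>.crt/.key to client.crt/client.key, and records root ownership and mode 0700 as the page's chown/chmod do, and a second function checks an existing tarball for the layout the phone expects. The function names and the placeholder file contents are constructed for this example; the demo functions run entirely in a temporary directory.

```python
# Added example (not from the page): build the phone's VPN tarball and check
# its layout. build_phone_tarball(), validate_phone_tarball() and the demo
# helpers are constructed for this example; the PEM placeholders are not keys.
import io
import tarfile
import tempfile
from pathlib import Path

REQUIRED = ("ca.crt", "client.crt", "client.key", "vpn.cnf")

PLACEHOLDER_PEM = (
    "-----BEGIN PLACEHOLDER-----\n"
    "constructed, not a real certificate or key\n"
    "-----END PLACEHOLDER-----\n"
)
PHONE_CNF = (
    "client\ndev tun\nproto udp\nremote 192.168.137.102 1194\n"
    "ca /openvpn/ca.crt\ncert /openvpn/client.crt\nkey /openvpn/client.key\n"
    "remote-cert-tls server\n"
)


def build_phone_tarball(mac, keys_dir, vpn_cnf, out_path):
    """Pack ca.crt, <mac>.crt, <mac>.key and vpn.cnf into the root of out_path."""
    keys_dir = Path(keys_dir)
    sources = {
        "ca.crt": keys_dir / "ca.crt",
        "client.crt": keys_dir / f"{mac}.crt",   # renamed, as the page's cp does
        "client.key": keys_dir / f"{mac}.key",
        "vpn.cnf": Path(vpn_cnf),
    }
    with tarfile.open(out_path, "w") as tar:
        for arcname, src in sources.items():
            info = tar.gettarinfo(str(src), arcname=arcname)
            info.uid = info.gid = 0               # chown root:root
            info.uname = info.gname = "root"
            info.mode = 0o700                     # chmod 700
            with open(src, "rb") as fh:
                tar.addfile(info, fh)
    return Path(out_path)


def validate_phone_tarball(path):
    """Return layout problems; empty means the tarball matches the reference."""
    problems = []
    with tarfile.open(path) as tar:
        members = tar.getmembers()
    names = {m.name for m in members if m.isfile()}
    for m in members:
        if "/" in m.name or m.isdir():
            problems.append(f"'{m.name}' is not in the tarball root")
        if m.isfile() and m.mode & 0o077:
            problems.append(f"'{m.name}' is readable by group/others (mode {m.mode:o})")
    for name in REQUIRED:
        if name not in names:
            problems.append(f"missing '{name}'")
    for name in sorted(names - set(REQUIRED)):
        problems.append(f"unexpected file '{name}'")
    return problems


def demo_build_and_validate(mac="000413A30591"):
    """Build from constructed placeholder files; returns (member names, problems)."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = Path(tmp) / "keys"
        keys.mkdir()
        for name in ("ca.crt", f"{mac}.crt", f"{mac}.key"):
            (keys / name).write_text(PLACEHOLDER_PEM)
        cnf = Path(tmp) / "vpn.cnf"
        cnf.write_text(PHONE_CNF)
        out = build_phone_tarball(mac, keys, cnf, Path(tmp) / f"vpnclient-{mac}.tar")
        with tarfile.open(out) as tar:
            names = sorted(tar.getnames())
        return names, validate_phone_tarball(out)


def demo_bad_tarball(mac="000413A30591"):
    """The common mistake: tar run from the parent directory, so every file
    sits under <mac>/ and keeps mode 0644. Returns the problems found."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp) / "bad.tar"
        with tarfile.open(out, "w") as tar:
            for name in REQUIRED:
                data = PLACEHOLDER_PEM.encode()
                info = tarfile.TarInfo(f"{mac}/{name}")
                info.size = len(data)
                info.mode = 0o644
                tar.addfile(info, io.BytesIO(data))
        return validate_phone_tarball(out)


if __name__ == "__main__":
    print(demo_build_and_validate())
    print(demo_bad_tarball())
```

To check a tarball you built by hand, call validate_phone_tarball("vpnclient-000413A30591.tar") on the file before uploading it to the HTTP server; the nested-directory case is exactly what you get by running tar from the parent folder instead of from inside it.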

Put the VPN configuration tarball on an HTTP server

This section also includes the download and set up of a minimal HTTP server using the SPLiT application. If you already have an HTTP server, you can just upload the tar file created in the previous section to your existing HTTP server and skip this section.

Setup an HTTP server on Windows

  1. Download the SPLiT executable file (for this example we used SPLiT-1.1.3_w32.exe)
  2. Create directory SPLiT in a location of your choice, for example C:\SPLiT
  3. Move SPLiT-1.1.3_w32.exe into the SPLiT directory
  4. Create a new directory called http inside the SPLiT directory
  5. Move the tar file created in the previous section from C:\ to the http directory
  6. Go back to the SPLiT directory
  7. Run the SPLiT executable SPLiT-1.1.3_w32.exe as Administrator
  8. Once the software has started you should see a user interface window:
    • Click on the Debug check box
    • Insert your computer IP address into the IP Address field
    • Verify that the HTTP Directory fields contains the http value
    • Click on the Start HTTP Server button
  9. Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar . This should present you with the option to download the tarball file.

Setup an HTTP server on Linux

  1. Open a terminal
  2. Install python if it is not already installed

    Code Block
    # apt-get install python


  3. Get and start SPLiT:

    Code Block
    # mkdir /usr/local/SPLiT
    # cd /usr/local/SPLiT
    # wget https://github.com/pbertera/SPLiT/archive/1.1.3.tar.gz
    # tar -xvzf 1.1.3.tar.gz
    # cd SPLiT-1.1.3/
    # mkdir http
    # sudo python SPLiT.py -i <Server-IP/-name> --http   #replace <Server-IP/-name> with your server's IP/Hostname


  4. Now that the HTTP server is running, place the tar file created in the previous section in the http directory inside the SPLiT directory:

    Code Block
    # cp /etc/openvpn/client-config/tmp/vpnclient-000413A30591.tar /usr/local/SPLiT/SPLiT-1.1.3/http


  5. Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar . This should present you with the option to download the tarball file.

Apply the VPN configuration to the Snom phone

  1. Make sure the phone's date and time is correct in order to be able to validate the certificates
  2. Under Advanced → QOS/Security, find the VPN Parameter:


  3. Enable the VPN parameter. The Unzipped VPN config tarball parameter will become available:

     

  4. Enter the HTTP(S)-URL of the tarball file e.g. http://<Server-IP/name>/vpnclient-000413A30591.tar with the openVPN configuration:


  5. Scroll down and click Apply

  6. In case the phone presents you with Some settings are not yet stored permanently, click Save. If this text does not appear you can ignore this step.

  7. Click Reboot

  8. After the reboot, the phone will show a notification VPN is active and display the VPN icon on the phone taskbar. Here is an example:


  9. Pressing the Info key will show:


  10. After you have pressed the Info key and seen the Status Info, the "VPN is active" notification will disappear

Changing the VPN configuration tarball at a later time

The Unzipped VPN config tarball parameter is designed to be provisioned only once: every time this parameter is configured the phone downloads the tarball and then the setting gets emptied. If you wish to change the phone's VPN configuration you have to configure the tarball URL again in order to make the phone download and apply the new configuration. It is not necessary to give the tarball a new name, you can use the original name.

Adding another phone to the VPN at a later time

If you wish to set up a new phone in the VPN at a later time, you can use the following steps:

  • open a command prompt and then run vars:

    on Linux, using the commands:

    Code Block
    cd /etc/openvpn/easy-rsa
    . ./vars

    on Windows, using the commands:

    Code Block
    cd "C:\Program Files\OpenVPN\easy-rsa"
    vars

  • repeat step Create the phone certificate
  • repeat step Create the VPN configuration tarball for the phone (you can skip the part where you create vpn.cnf because this was already created and it is usually the same for all clients)
  • repeat step Put the VPN configuration tarball on an HTTP server
  • repeat step Apply the VPN configuration to the Snom phone

Advanced examples

Additional authentication with a username/password

In some cases the VPN server requires a username and password in addition to the certificate. Here is how to configure a VPN username/password for the Snom phone:

  1. Add auth-user-pass to your vpn.cnf, like this (do not change the path):

    Code Block
    auth-user-pass /openvpn/pass.txt


  2. Create file pass.txt with the following content, replacing the text username and password with your actual username and password.

    Code Block
    username
    password


  3. When creating the configuration tarball (see step Create the VPN configuration tarball for the phone), also include the file pass.txt in the tarball. Make sure that pass.txt sits at the same path in the tarball as the other configuration files, i.e. in the root.
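To catch the packing mistakes that the tarball section and the steps above warn about (a subdirectory inside the tarball, a vpn.cnf path not under /openvpn/, a pass.txt without exactly a username line and a password line) before the phone fetches the file, here is a Python script added as an example; it is not part of the Snom documentation or of any Snom tool. It builds the tarball in memory and checks it against those rules; the certificate contents, the server name vpn.example.invalid and the credentials are constructed placeholders.

```python
"""Build a Snom VPN config tarball in memory and check it against the rules on this page."""
import io
import tarfile

# vpn.cnf directives whose argument names a file that must ship inside the tarball
FILE_DIRECTIVES = {"ca", "cert", "key", "secret", "auth-user-pass", "tls-auth", "dh"}
PHONE_PREFIX = "/openvpn/"   # the phone unpacks the tarball here, so all paths must use it


def build_tarball(files):
    """Pack {name: bytes} into a tar whose members all sit at the root (no subdirectories)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            info.mode = 0o600          # private key material: owner-only
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def referenced_files(vpn_cnf):
    """Return {directive: path} for every file-referencing directive in vpn.cnf."""
    refs = {}
    for raw in vpn_cnf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or line.startswith(";"):     # ';' also comments out a line
            continue
        parts = line.split()
        if parts[0] in FILE_DIRECTIVES and len(parts) > 1:
            refs[parts[0]] = parts[1]
    return refs


def check_tarball(blob):
    """Return a list of problems; an empty list means the tarball follows the page's rules."""
    problems, members = [], {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r") as tar:
        for m in tar.getmembers():
            name = m.name[2:] if m.name.startswith("./") else m.name
            if m.isdir() or "/" in name:
                problems.append(f"subdirectory not allowed: {m.name}")
                continue
            members[name] = tar.extractfile(m).read()
    if "vpn.cnf" not in members:
        problems.append("vpn.cnf missing (the config file must have exactly this name)")
        return problems
    for directive, path in referenced_files(members["vpn.cnf"].decode()).items():
        if not path.startswith(PHONE_PREFIX):
            problems.append(f"{directive}: path {path!r} must start with {PHONE_PREFIX}")
            continue
        base = path[len(PHONE_PREFIX):]
        if "/" in base or base not in members:
            problems.append(f"{directive}: {path} not found at the tarball root")
        elif directive == "auth-user-pass":
            # pass.txt must hold exactly two lines: the username, then the password
            lines = [ln for ln in members[base].decode().splitlines() if ln.strip()]
            if len(lines) != 2:
                problems.append(f"{base} must contain exactly two lines: username, password")
    return problems


# Constructed sample content standing in for the real files from the previous sections
SAMPLE_FILES = {
    "ca.crt": b"-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
    "client.crt": b"-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n",
    "client.key": b"-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n",
    "pass.txt": b"phone-user\nphone-password\n",
    "vpn.cnf": (
        "client\ndev tun\nproto udp\n"
        "remote vpn.example.invalid 1194   # placeholder server name\n"
        "ca /openvpn/ca.crt\ncert /openvpn/client.crt\nkey /openvpn/client.key\n"
        "auth-user-pass /openvpn/pass.txt\n"
    ).encode(),
}

if __name__ == "__main__":
    problems = check_tarball(build_tarball(SAMPLE_FILES))
    print("problems:", problems or "none")
```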

Troubleshooting


  • Everything works as described, but the phone seems to reject my server certificate. What's wrong?

Make sure the phone has the right date and time. Try to configure an NTP server that the phone can reach on its native network (not via VPN). If the phone has a wrong date it might assume that all certificates are not valid (yet).



  • How to view the OpenVPN logs

You can set the phone to send all VPN logs to a "Netcat Server". To do this:

    1. Install and run netcat on a host that is reachable to the phone:

      Code Block
      netcat -l -p 5000


    2. Set the IP address of this host under Advanced → Qos/security → Netcat Server:


    3. Once you apply this and reboot the phone, you will see the phone's VPN logs on the host running netcat. If you have not added a custom verbosity level in vpn.cnf, you should see the following (for a successful connection):

      Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
      Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
      Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
      Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
      Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
      Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
      Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
      Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
      Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
      Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
      Tue Oct 20 11:58:21 2020 Initialization Sequence Completed


  • What is my IP in the VPN?

The phone does not show the IP address received over VPN in the web interface per default, but there are some other ways to view this:

Option 1: from the SIP logs

Set up a test identity on the phone, with Registrar set to an IP address inside the VPN network. It does not matter what IP address it is, it just needs to be routed inside the VPN network. Set only the Account and the Registrar for this identity:

 

Then click on SIP Trace, you will see some SIP messages. Look at the IP address from which these were sent:

Code Block
Sent to Udp:10.8.0.1:5060 from Udp:10.8.0.6 :55786 at Oct 19 23:54:43.886 (717 bytes):
REGISTER sip:10.8.0.1 SIP/2.0
Via: SIP/2.0/UDP 10.8.0.6:55786;branch=z9hG4bK-2yig1rmxrpir;rport
From: <sip:100@10.8.0.1>;tag=r06il7bz6r
To: <sip:100@10.8.0.1>
.....

If your VPN network is routing packets correctly, you will see the phone's IP address here (in this example it is 10.8.0.6).

Option 2: from the netcat logs

From the netcat logs (see above "How to view the OpenVPN logs"). If you have not added a custom verbosity level in vpn.cnf, the netcat logs will also show, at the beginning of the connection, the IP address that the phone receives. Here is an example:

Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5         <-------- this means that our local address in the VPN is 10.8.0.6
Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed
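Reading these lines by eye works for one phone; for several phones, or for a quick check in a script, the following Python parser (an added example, not a Snom tool) pulls the server, the tun0 addresses, the completion message and any WARNING lines out of a netcat capture like the one above, and reads the sending address from a SIP Trace line as in Option 1. The sample input reproduces the log lines shown on this page, so no phone or network is needed to run it.

```python
"""Pull connection status out of the OpenVPN log lines the phone sends to the netcat host."""
import re

# Every OpenVPN line starts with a timestamp such as "Tue Oct 20 11:58:21 2020 "
TS = r"^\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4} "
RE_VERSION = re.compile(TS + r"OpenVPN (\S+) ")
RE_REMOTE = re.compile(TS + r"UDP link remote: \[AF_INET\]([\d.]+):(\d+)")
RE_PEER = re.compile(TS + r"\[([^\]]+)\] Peer Connection Initiated")
RE_ADDR = re.compile(TS + r"/sbin/ip addr add dev (\S+) local ([\d.]+) peer ([\d.]+)")
RE_WARN = re.compile(TS + r"WARNING: (.*)$")
RE_DONE = re.compile(TS + r"Initialization Sequence Completed")
# Header of a Snom SIP Trace entry: "Sent to Udp:<dst>:<port> from Udp:<src> :<port> at ..."
RE_SIP_FROM = re.compile(r"^Sent to \S+ from Udp:([\d.]+)\s*:(\d+)")

# (pattern, action on the status dict) for each kind of line we care about
HANDLERS = [
    (RE_VERSION, lambda s, m: s.update(version=m.group(1))),
    (RE_REMOTE, lambda s, m: s.update(remote=f"{m.group(1)}:{m.group(2)}")),
    (RE_PEER, lambda s, m: s.update(server_cn=m.group(1))),
    (RE_ADDR, lambda s, m: s.update(device=m.group(1), local_ip=m.group(2), peer_ip=m.group(3))),
    (RE_WARN, lambda s, m: s["warnings"].append(m.group(1))),
    (RE_DONE, lambda s, m: s.update(completed=True)),
]


def parse_openvpn_log(text):
    """Summarise a netcat capture: client version, server, tunnel addresses, warnings, completion."""
    status = {"version": None, "remote": None, "server_cn": None, "device": None,
              "local_ip": None, "peer_ip": None, "warnings": [], "completed": False}
    for raw in text.splitlines():
        line = raw.strip()
        for pattern, action in HANDLERS:
            m = pattern.match(line)
            if m:
                action(status, m)
                break
    # OpenVPN itself names the fix: add auth-nocache to vpn.cnf when auth-user-pass is used
    status["needs_auth_nocache"] = any("auth-nocache" in w for w in status["warnings"])
    return status


def sip_trace_source(text):
    """Return the source IP of the first 'Sent to ...' SIP Trace entry (Option 1 above)."""
    for raw in text.splitlines():
        m = RE_SIP_FROM.match(raw.strip())
        if m:
            return m.group(1)
    return None


# Sample input: the successful-connection log shown above, plus the SIP Trace header from Option 1
SAMPLE_LOG = """\
Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed
"""
SAMPLE_SIP_TRACE = "Sent to Udp:10.8.0.1:5060 from Udp:10.8.0.6 :55786 at Oct 19 23:54:43.886 (717 bytes):\n"

if __name__ == "__main__":
    st = parse_openvpn_log(SAMPLE_LOG)
    print(f"phone VPN address {st['local_ip']} on {st['device']}, server {st['server_cn']} at {st['remote']}")
    print("tunnel up:", st["completed"], "| add auth-nocache:", st["needs_auth_nocache"])
    print("SIP Trace source:", sip_trace_source(SAMPLE_SIP_TRACE))
```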


The source code of components licensed under GPL used in snom VoIP phones can be downloaded from here. The original GPL license text can be downloaded from here.



...

German

Table of Contents



Overview

As of firmware version 8.4.27, all Snom firmware versions offer the ability to build secure VoIP infrastructures via the OpenVPN technology. Snom chose OpenVPN because it is compatible with SSL/RSA certificates and X509 PKI, NAT, DHCP and TUN/TAP virtual devices.


Info
NOTE: As of 8.7.5.17, the VPN feature is no longer enabled by default. To enable it, you must download the special VPN feature patch (see Firmware Update Center → select your version → VPN Feature).

OpenVPN is Open Source and licensed under the GPL.

With OpenVPN you can:

  1. Tunnel every packet of your phone over a single UDP or TCP port.
  2. Avoid the need for secure SIP, SRTP and STUN, which make life in the SIP world harder.
  3. Use any cipher and key size supported by the OpenSSL library.
  4. Choose between a static key or certificate-based public-key encryption
  5. Use static, pre-shared keys or dynamic key exchange via TLS or username/password
  6. Tunnel the phones through NAT
  7. Tunnel the phones through firewalls
  8. OpenVPN is portable across platforms and runs on: Linux, Windows 2000/XP and later, OpenBSD, FreeBSD, NetBSD, Mac OS X, PocketPC and Solaris.
  9. and others

Info

Authentication can be done with a pre-shared secret key, certificates, or username/password (auto-retry nointeract).

Authentication via username/password is supported by default by the Debian OpenVPN package up to version 2.0beta20. More information can be found here.



Installation procedure

  1. If you are using a firmware version older than 8.4.27, you need a special VPN version (see Firmware Update Center → select product category and fw version → VPN feature).
  2. Make sure the current date on the phone is correct, as otherwise the phone may not be able to verify the TLS certificates.
  3. Enable the VPN parameter and press Save:



  4. Next, the Unzipped VPN config tarball parameter becomes available. Please enter an HTTP(S) URL of your tarball file, e.g. https://username:password@host:port, with the openvpn configuration.
    Read the details on creating this tarball below.


The source code of the GPL-licensed components used in snom VoIP phones can be downloaded here. The original GPL license text can be downloaded here.



Setting up the config tarball (X509 PKI or pre-shared)

This section explains the configuration of a client/server VPN infrastructure with the help of an X509 PKI (public key infrastructure with certificates and private keys). The best way to configure your phone is to create your client configurations on a Linux system for testing purposes. Once that works, you can create a tarball of the directory in which the configuration files are stored. Please note that all file paths in your test configuration files must be changed to /openvpn/filename for the phone. The configuration file must be renamed to vpn.cnf.

The details on configuring the Certificate Authority (CA) and creating certificates and keys for a server and clients can be found here. A tutorial on setting up a Debian (4.0 Etch) system with an OpenVPN server can be found here.

There is also a description of creating the necessary certificates.

Available TLS ciphers

Info
DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5

Example for X509 PKI

vpn.cnf for the phone



Code Block
client
dev tun

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
# or tcp and no more nat problems, it is a hit to RTP
#  (TCP(UDP(RTP))) :)
proto udp
 
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# or insert an ip here
remote openvpn.snom.com 1194
 
# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random
 
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
 
#  Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /openvpn/ca.crt
cert /openvpn/phone1.crt
key /openvpn/phone1.key
 
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
 

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 0

# Silence repeating messages
;mute 20
ping 10
ping-restart 60



Warning

NOTE: In older firmware versions (8.x) the options ping and ping-restart can cause problems. If your VPN connection fails on older versions, remove these options and try again.

server.cnf on the server side



Code Block
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
 # If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.

;dev tap
dev tun

# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/openvpn.snom.com.crt 
key keys/openvpn.snom.com.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. 
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.30.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt

# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
# very important for proxies, b2bua comment it out, more secure
client-to-client 

# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120

# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# snom phones don't support this
;comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
 
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 0

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20




Pre-shared key example

In this example, an encrypted connection is established between 10.5.0.1 and 10.5.0.2 using a pre-shared key (static.key).

Server side

Code Block
mode p2p
port 1194
dev tun
proto udp

ifconfig 10.5.0.1 10.5.0.2

secret static.key

ping 10
ping-restart 180
ping-timer-rem

verb 0

Phone (vpn.cnf)

Code Block
mode p2p
remote 192.168.0.188 1194
proto udp
dev tun

ifconfig 10.5.0.2 10.5.0.1

secret /openvpn/static.key

ping 10
ping-restart 180
ping-timer-rem

verb 0

Example of a VPN snom tarball

Creating a tarball:

Code Block
cd /etc/openvpn
chown -Rf root:root *
chmod -R 700 *
tar cvpf vpnclient.tar *

Upload it to an HTTPS or HTTP server!


Info
Please note that the file paths must point to /openvpn and the configuration file must be named vpn.cnf.


Once a VPN session is established, you will see the VPN icon in the phone's taskbar.



Additional authentication with a username/password


If you need to configure a VPN username/password for the client:

  1. Add auth-user-pass to your vpn.cnf:

    Code Block
    auth-user-pass /openvpn/pass.txt


  2. Add the file pass.txt to your tarball, with the following content:

    Code Block
    username
    password



Troubleshooting


  • Everything works as described, but the phone seems to reject my server certificate. What's going on?

You must configure an NTP server that the phone can reach on its local network (not via VPN). Otherwise the phone has a wrong date and assumes that the certificates are not valid (yet).



  • How to view the OpenVPN logs

You can set the phone to send all VPN logs to a "netcat server". To do this:


    1. Install and run netcat on a host that is reachable by the phone:

      Code Block
      netcat -l -p 5000


    2. Set the IP address of this host under Advanced → Qos/security → Netcat Server:

    3. As soon as you enable VPN on the phone and reboot it, the logs appear on the host running netcat:

      Code Block
      $ netcat -l -p 5000
      Tue Jan 15 11:01:36 2019 OpenVPN 2.4.6 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Aug 15 2018
      Tue Jan 15 11:01:36 2019 library versions: OpenSSL 1.0.2o 27 Mar 2018, LZO 2.10
      ...
      Tue Jan 15 11:01:49 2019 Initialization Sequence Completed


  • What is my IP?

By default the phone does not show the IP address received over VPN in the web interface, but there are some other ways to view it:

    1. Set up a test identity on the phone, with the Registrar set to an IP address inside the VPN network. It does not matter which IP address it is, it only needs to be routed inside the VPN network. Set only the Account and the Registrar for this identity:



    2. Then click on SIP Trace; you will see some SIP messages. Look at the IP address from which they were sent:

      Code Block
      Sent to Udp:10.110.22.37:5060 from Udp:10.245.0.72:5060 at Jan 17 12:17:11.038 (445 bytes):
      REGISTER sip:10.110.22.37 SIP/2.0 
      Via: SIP/2.0/UDP 10.245.0.72:5060;branch=z9hG4bK-4pva189wb2mv;rport
      ...


      If your VPN network routes packets correctly, you will see the phone's IP address here (in this case it is 10.245.0.72).

    3. From the netcat logs (see above "How to view the OpenVPN logs"). At the beginning of the connection, the netcat logs also show the IP address that the phone receives.

  • See also



...