Update — the nice people at Voipsupply.com got me a firmware upgrade (220.127.116.11) which is not posted anywhere on the Yealink website. Although it does cause the phone to upload the vpn configuration file, it still doesn’t work. Specifically, a Wireshark trace shows absolutely no packets going to the openvpn server. That is in contrast to the exact same process on the T28 using the same configuration file (I know, but we are testing), which DOES send UDP packets to the openvpn server and correctly set up the vpn and register the phone.
I have sent them the Wireshark traces, config files, and syslogs from the phone. We will see what they come up with. But for know, the Openvpn on the T38 is still not functional.
Update — see below – although openvpn does not work on the Yealinlk SIP-T38G, it DOES work on the Yealink SIP-T28P
I was looking for a secure and simple way to provision an IP phone, and came across the Yealink SIP-T28 phone mentioned in the Elastix Asterisk distribution security documentation. Openvpn is easy to configure, and using Openvpn would allow a simple solution for data encryption (control and RTP), as well as firewall traversal. I saw several posts from individuals who had the SIP-T28 Openvpn working (in spite of poor documentation from Yealink). I have purchased a number of phones from Voipsupply.com, and looking at their website, I saw the SIP-T38G, which looked like an update of the T28, with a color screen as well. The docs for the SIP-T38G on the Yealink website, as well as the data sheet for the SIP-T38G on the Voipsupply.com website, said that the T38G had the Openvpn functionality as well, so I ordered a SIP-T38G from Voipsupply.
The other posts helped with the construction of the openvpn configuration file (they said that the hardest part was finding a tool to create a tar file using ‘.’ as the root, but actually the standard tar utility did that very easily, using something like ‘tar cvf ../client.tar .’, putting client.tar in the parent directory to avoid a warning from tar.) However, when I went to upload client.tar to the phone, there was no option to do so!
Below, you can see that the Openvpn functionality is advertised on the box that the phone came in. However, all of the vpn configuration sections are missing from both the web configuration page and the on-phone configuration menus. I have included the figure from the SIP-T38G manual which I downloaded from the Yealink website, as well as a screen capture showing that the configuration options are missing.
I wanted to contact someone from Yealink about this, but there is no usable contact information (other than a call to China, which I don’t consider a viable option). There is a Yealink UK website with a support forum, so I tried to register. I got an immediate email that my registration would be reviewed by their administrator, and would be inactive until it was. Five days later, I have not heard any more from them. I also tried sending an email to Voipsupply support asking them why the phone they sent did not have the capabilities advertised for it in the data sheet on their website (as well as on the box the phone came in), but five days later, I have heard nothing.
Since I bought this phone entirely for the Openvpn capability, what I now have is a very expensive paperweight (albeit one with a beautiful color screen). I posted this to save others the trouble. I have also ordered a T28, which others say they have made work with Openvpn.
Follow-up: I got my Yealink T28 — completely different story there. The VPN entry was on the advanced network configuration screen, right where it was supposed to be. Uploading the client.tar file was a snap (albeit because I had already constructed the client.tar for the T38G!), and configuration was quick and easy. After uploading client.tar and enabling the VPN, I just went to the Account tab on the web interface, entered the extension number under Label, Display Name, Register Name, and User Name, entered the SIP password under Password, and entered the Asterisk machine’s internal tun interface’s IP address under SIP Server, clicked “Confirm”, and I could make phone calls over the VPN!
If you have trouble, confirm that you have the tun interface’s IP address for the SIP Server (not the Asterisk machine’s external IP), that openvpn is started on the server, and that you can ping the Asterisk machine’s internal tun interface IP from the Asterisk machine. You should see the vpn being set up in the /var/log/messages log, along with the IP assigned to the phone’s end of the vpn, and you should be able to ping the tun interface in the phone from the Asterisk machine. And don’t forget to check that the firewall is not getting in the way.
Also, although I did not do this, if you run the openvpn server process on a machine other than the Asterisk machine, you will have to make sure you have the routing entries to get the packets to your Asterisk server. In that case, I would start by making sure that the vpn is set up correctly, and then work on the routing.