
How To Setup Yealink With OpenVPN With FreePBX

This document provides a step-by-step guide for setting up OpenVPN on FreePBX for Yealink phones, specifically the T44W and T54W models. It details the installation process, configuration of the VPN server, and the necessary settings on both the FreePBX and Yealink devices to ensure secure remote access without extensive port mapping. The guide also includes troubleshooting tips and references to additional resources for further assistance.

Setting up your FreePBX to use OpenVPN for Yealink phones is not hard, once you know how to do it. I
spent nearly a week figuring out how to make it work. The internet is filled with partial, disjointed, half-truth
articles on how to do it, but they are all missing critical pieces, so I am writing this so there is a simple
step-by-step guide even a newb can understand. I am running FreePBX 16, installed from the ISO file I
downloaded from freepbx.org; it is installed on a Hyper-V virtual machine.

I have Yealink T44W and T54W phones. This process should work with other Yealink phones though.

I am running a Cisco ASA firewall and my server has a private IP behind that firewall. I want some
people who work remotely out of the office to be able to set up a phone on their wireless network at
home and use it. I don’t want to map thousands of RTP ports in my firewall. I just don’t think that is a
secure way to do things. With OpenVPN you just have to map port 1194/UDP through your firewall to
your server’s inside IP.

First you need to install and set up your phone system. Then you need to activate it with Sangoma and
create an account on the Sangoma portal. Once you have activated it you will have to buy the
license for System Admin Professional. The license is only $39 for a 25-year license. It is worth it,
because it will make VPN setup so much easier. Once you have activated the server, go to
Admin/System Admin, click the Buy Now option on the license, and put in your billing info; the
license will take effect immediately.

Make sure the Time Zone in FreePBX (Admin/System Admin/Time Zone) and on the Yealink phone
are set up correctly. If they are too far apart the VPN tunnel will not build, since certificate validity
dates are checked against the local clock.

To set up the VPN, go to Admin/System Admin. Scroll down to the bottom of the menu on the right side,
and click on VPN Server.

Once you are in the VPN server you will see a list of clients that already have profiles. You can delete
these if you want. These will not work with the Yealink, by default. You can leave them too, and it will
recreate the ones that you set up. I like things to be clean so I just deleted them all and let it create new
ones in a later step.

Next, Click on the Settings tab.

Now set it to “Enabled”

You can put a different IP subnet in to use for the Server Range. I stuck with the default, but you can
put any address subnet in here that does not match one you are already using.

Set the server port to 1194.

The server address will be your outside IP Address from the internet that your outside clients will see.

I set Redirect Gateway to Yes. This is similar to something we call split tunneling in Cisco. When this is
turned on it forces all traffic from the phone to go through the VPN tunnel. For example, things like
connections to NTP servers will go through the tunnel rather than out the local internet connection.

Leave VPN Renegotiate Timer set to 3600

(You may want to set it lower than this to like 300, if you use connections that time out with no activity,
like 4G/5G devices)

Leave CERT Alert Threshold set to 28

I set auto renew to Yes, to automatically renew the cert.

The 10.8.0.0 or whatever subnet you used will not show up at the bottom yet, till you click submit the
first time, but make sure you have route set to “Yes” for your LAN network.

Click the Submit button

Click the Save and Apply button


Now go to Admin/User Management

Click the edit button/icon for the user you want to use VPN

Make sure you put a password in for this user. This is not the VPN password, but you will need to have a
password here, for a later step.

Now click the move sideways button, under the user, and scroll over to the end.

Click on the UCP Tab, and click on Allow Login


Next, Click on the VPN tab and click yes on the Auto Create & Link

Click on Submit button

Now Go Back to Admin / System, VPN Server

Click on the edit Button/Icon. *Note: Yours will not say it is connected yet like this one does.
Set the VPN to “Yes” for Enabled

Leave the description what it is by default. I think you can change it, but I just left it.

Use DDNS is set to “No”, because I have a static IP address. I don’t know how this works with Dynamic
DNS, I am sure there is some more setup for DDNS somewhere.

Set Use Server Remote Address to “Yes”

Leave Client Remote Address(s) empty. I will use the remote address in the “Settings” tab that we
created earlier.

Don’t select an assigned address; it will automatically assign one from the Server Range that we set up
earlier on the “Settings” tab.

Click the “Apply Config” and apply the changes.

Now Click the UCP button at the top of the FreePBX cli.
Enter the extension number and the password that you created earlier in the UCP Setup under User
Management. Click the “Login” button.

Click the Gear Icon at the bottom left

Click the OpenVPN tab, and download the VPN client configuration file.
Open the file and extract the content to a folder

Now open a file in notepad (Or whatever OS/Text editor you are using). Name it vpn.cnf

Put these lines in the file


client
dev tun
proto udp
remote <Your Outside IP>
port 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-128-CBC
auth SHA256
reneg-sec 3600
comp-lzo
verb 3
<ca>
...
</ca>
<cert>
...
</cert>
<key>
...
</key>

Be sure the reneg-sec is set to the number of seconds you specified in the OpenVPN Server “Settings”
tab above.

Next you want to open the “sysadmin_ca.crt” from the folder where you extracted the files with notepad
or another text editor.

Copy the contents of the “sysadmin_ca.crt” file and paste them over the first set of three dots, in between the
<ca> </ca>, in the vpn.cnf file.

Now open the “sysadmin_client(x).crt” file with a text editor, and copy then paste the contents of it over
the second set of three dots, in between the <cert> </cert>, in the vpn.cnf file.

Next open the “sysadmin_client(x).key” file with a text editor and copy then paste the contents of it
over the third set of three dots, in between the <key> </key>, in the vpn.cnf file.

Save the vpn.cnf file and exit the text editor.

Compress the vpn.cnf to a .tar file. This is done differently on different operating systems. The picture
below is with Windows 11
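
The copy-and-paste steps above can be scripted. The following Python is an added example, not part of the original guide or of FreePBX or Yealink: it builds vpn.cnf from the three extracted files using the option lines listed above, keeps only the PEM blocks, refuses a file placed in the wrong section, and packs the result as vpn.tar. The function names and the command-line argument order are assumptions made for this example.

```python
import io, os, re, sys, tarfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

# Option lines copied from the vpn.cnf listing on this page.
OPTIONS = [
    "client", "dev tun", "proto udp", "remote {host}", "port 1194",
    "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
    "remote-cert-tls server", "key-direction 1", "cipher AES-128-CBC",
    "auth SHA256", "reneg-sec {reneg}", "comp-lzo", "verb 3",
]

def pem_block(text, kind):
    """Return the first PEM block whose label ends with `kind`, without surrounding text."""
    for m in PEM_RE.finditer(text):
        if m.group(1).endswith(kind):
            return m.group(0)
    raise ValueError(f"no PEM {kind} block found")

def build_vpn_cnf(host, ca, cert, key, reneg=3600):
    """Fill the <ca>, <cert> and <key> sections; fail if a file is in the wrong slot."""
    if not re.fullmatch(r"[A-Za-z0-9.:-]+", host):  # no spaces or newlines: no extra directives
        raise ValueError("host must be a bare IP address or DNS name")
    out = "\n".join(OPTIONS).format(host=host, reneg=int(reneg)) + "\n"
    slots = (("ca", ca, "CERTIFICATE"), ("cert", cert, "CERTIFICATE"), ("key", key, "PRIVATE KEY"))
    for tag, text, kind in slots:
        out += f"<{tag}>\n{pem_block(text, kind)}\n</{tag}>\n"
    return out

def write_vpn_tar(cnf_text, tar_path):
    """Pack the text as vpn.cnf in a tar created with mode 0600 (POSIX); it embeds the private key."""
    data = cnf_text.encode("ascii")
    info = tarfile.TarInfo("vpn.cnf")
    info.size, info.mode = len(data), 0o600
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_BINARY", 0)
    fd = os.open(tar_path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh, tarfile.open(fileobj=fh, mode="w") as tar:
        tar.addfile(info, io.BytesIO(data))
    return tar_path

if __name__ == "__main__":
    # Arguments: <outside IP> sysadmin_ca.crt sysadmin_client(x).crt sysadmin_client(x).key
    host, *paths = sys.argv[1:5]
    ca, cert, key = (Path(p).read_text(encoding="utf-8") for p in paths)
    print(write_vpn_tar(build_vpn_cnf(host, ca, cert, key), "vpn.tar"))
```

The resulting vpn.tar contains the client private key, so delete it from the workstation once it has been uploaded to the phone.
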
Now login to the Web interface of the Yealink Phone.

Go to Network, Advanced. Scroll down to VPN Section.

Set VPN to Active, and select the “OpenVPN” radio button.

Next click the “Browse” button


Select the vpn.tar file you created before and click on “Open”.

Now click the “Upload” button.

Now click the save button.


Now you are ready to set the phone up on an outside connection and connect it to the VPN.

Here is my phone connected to a VPN. You will notice the red V that appears on the top when it is using
VPN.

It seems to work just fine on an old Verizon 4G MiFi, running on a Tello SIM card with only 2 Bars of
signal strength. I don’t notice any quality issues with the voice quality.

To disable the VPN if the phone comes back on the physical network, which you will have to do if your
router does not support something called NAT Loopback (sometimes called hairpinning), follow the steps
below. Routers like Cisco, some Netgear, Adtran, and MikroTik (without special rules) do not support
loopback, but most affordable small home/business routers do.

Go to the Menu, Go to Advanced.

Go to the Network

Go to VPN

Switch it to Disabled and save it. You can do this same procedure to enable it when it goes back outside
of the network.

Special thanks to Kelli Higdon for his original article on connecting phone to VPN locally. This article got
me over the hump of getting this working and much of my article is based on his information.

https://sangomakb.atlassian.net/wiki/spaces/FCD/pages/10420341/How-to+Set+up+VPN+on+Yealink+Phone
