D60 Openvpn config

Does anyone have a working D60 OpenVPN config? I’m trying to set this up and I just can’t get it to work, and, more frustratingly, I can’t get any diagnostic back from the phone about what’s not working.

I have an inline config file following the example from the wiki ( https://wiki.asterisk.org/wiki/display/DIGIUM/Digium+Phones+and+OpenVPN ), loaded with the proper certs. When I do a factory reset the phone grabs the ovpn file successfully, but it never tries to connect to the remote addr afterwards, it doesn’t even try to resolve the address ( tcpdump on the gateway watching the traffic ). I have the logs being sent to a remote system, and they never show ANYTHING having to do with the vpn in them, so I’m flying blind here.

D60 2_9_6 firmware. Phone’s configuration lines:

<setting id="network_default_enable_openvpn" value="1"/>

<setting id="openvpn_logging" value="1"/>

<setting id="openvpn_inline_config" value="1" url="http://<username>:<password>@<host>/phones/digium/vpn/<mac>.ovpn" md5="<md5>"/>

Watching the server I see a 200 request for the ovpn file, so I know it’s accessing ( I can replicate the pull via my web browser and see the file ).

ovpn file:

client
dev tun
proto udp
remote <FQDN> 1194
resolv-retry infinite
nobind
ns-cert-type server
verb 4
 
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----
</key>

So what am I missing?

So to help this conversation along, I have a D60 in the same state as yours. One thing I have noticed is that you are right, it does not query DNS, but mine does show an ARP request for the FQDN. I never actually see an ARP reply (I am thinking because ARP is IP and MAC only).

I am in the process of testing now, but what happens if you swap your FQDN in the ovpn file with the VPN server IP? Also when you visit http://phoneip/vpn does your VPN IP Address read 0.0.0.0?

Edit/Add: if I may ask, what kind of OpenVPN (PiVPN, OpenVPN AS, self build, etc.)?


To add to the conversation, swapping the IP did not help; however, I found in the phone’s log an error when I try to connect to the VPN from the phone’s menu.

Options error: unrecognized option or missing parameter(s) in client.ovpn. tls-version-min (2.3.2)

Some sites state the number is the client version and that it needs to be updated as 2.3.2 is old. My guess is since a user can’t independently update the package on the phone then one would need a config that is coded for client version 2.3.2.

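The two pieces of this thread that are easy to get wrong by hand are the inline .ovpn the phone downloads (the first post's config, and the `tls-version-min` line the 2.3.2 client rejected above) and the `openvpn_inline_config` setting line that points at it. Below is an added example, not Digium's or the OpenVPN project's code: a small Python linter for an inline client config aimed at the OpenVPN 2.3.2 client the phone log reports, plus a renderer for the phone setting line. Assumptions: the table of options that postdate 2.3.2 is hand-maintained from OpenVPN release notes (only `tls-version-min` is confirmed by this thread's log); the `md5` attribute is taken to be the MD5 of the served file, as the posted line suggests; the sample config, the URL, the host and the MAC-named file are constructed. The URL check is the caveat a practitioner would want here: the posted line fetches a file that contains the phone's private key over plain http, with the fetch credentials embedded in the URL.

```python
# Lint an inline .ovpn for the OpenVPN 2.3.2 client that the D60's log reports, and render
# the phone's openvpn_inline_config line. Added for this thread; not Digium or OpenVPN code.
import hashlib
import re
from urllib.parse import urlsplit

# Options 2.3.2 cannot parse. tls-version-min is confirmed by the thread's log; the others
# come from later OpenVPN release notes (assumption: hand-maintained, not exhaustive).
POST_232_OPTIONS = {
    "tls-version-min": "rejected by the phone's 2.3.2 client in this thread",
    "tls-crypt": "added in 2.4",
    "compress": "added in 2.4; 2.3.x only knows comp-lzo",
    "data-ciphers": "added in 2.5",
}
INLINE_TAGS = {"ca", "cert", "key", "tls-auth", "tls-crypt", "dh", "crl-verify"}

def parse_ovpn(text):
    """Return (options, closed_inline_blocks, structural_errors) for one config text."""
    options, inline, errors, open_tag = {}, set(), [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if m:
            closing, tag = m.group(1) == "/", m.group(2)
            if tag not in INLINE_TAGS:
                errors.append(f"line {lineno}: unknown inline block <{tag}>")
            elif closing and open_tag == tag:
                inline.add(tag)
                open_tag = None
            elif closing:
                errors.append(f"line {lineno}: </{tag}> closes nothing")
            else:
                if open_tag is not None:  # e.g. <key> before </cert>: report, then recover
                    errors.append(f"line {lineno}: <{tag}> opened before </{open_tag}>")
                open_tag = tag
        elif open_tag is None:  # PEM bodies inside an open block are skipped
            parts = line.split()
            options.setdefault(parts[0], []).append(parts[1:])
    if open_tag is not None:
        errors.append(f"<{open_tag}> is never closed")
    return options, inline, errors

def lint_ovpn(text):
    """Return (severity, message) findings; an 'error' means 2.3.2 will not come up."""
    options, inline, errors = parse_ovpn(text)
    f = [("error", e) for e in errors]
    f += [("error", f"'{o}' is not understood by OpenVPN 2.3.2 ({why})")
          for o, why in POST_232_OPTIONS.items() if o in options]
    f += [("error", f"no '{t}' given inline or as a file path")
          for t in ("ca", "cert", "key") if t not in inline and t not in options]
    if "tls-auth" in inline and "key-direction" not in options:
        f.append(("error", "inline <tls-auth> needs a 'key-direction 0|1' line"))
    elif "tls-auth" not in inline and "tls-auth" not in options:
        f.append(("warn", "no tls-auth: control-channel packets are not HMAC-wrapped"))
    if "ns-cert-type" in options:
        f.append(("warn", "'ns-cert-type' is deprecated; 2.3.x also accepts 'remote-cert-tls server'"))
    elif "remote-cert-tls" not in options:
        f.append(("warn", "no 'remote-cert-tls server': any cert from the CA could pose as the server"))
    if "comp-lzo" in options:
        f.append(("warn", "comp-lzo: must match the server, and compression leaks plaintext length"))
    f += [("error", f"cipher {a[0]}: AEAD (GCM) modes need OpenVPN 2.4+")
          for a in options.get("cipher", []) if a and a[0].upper().endswith("-GCM")]
    return f

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()  # MD5 of the exact bytes served

def phone_setting(text, url):
    """The D60 setting line quoted in the thread; md5 is assumed to be that of the file."""
    return f'<setting id="openvpn_inline_config" value="1" url="{url}" md5="{md5_hex(text)}"/>'

def url_findings(url):
    """Flag a fetch URL that sends credentials, or the key inside the file, in cleartext."""
    u = urlsplit(url)
    f = [("warn", "plain http: the ovpn, private key included, travels in cleartext")] if u.scheme == "http" else []
    if u.username or u.password:
        f.append(("warn", "credentials embedded in the URL are sent on every fetch"))
    return f

# Constructed sample shaped like the thread's first config, plus the tls-version-min line
# the 2.3.2 client rejected, and with the </cert> line missing.
SAMPLE_FIRST = """\
client
remote vpn.example.net 1194
ns-cert-type server
tls-version-min 1.2
<ca>
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>
"""
SAMPLE_URL = "http://prov:s3cret@192.0.2.10/phones/digium/vpn/aabbccddeeff.ovpn"  # constructed
```

Run `lint_ovpn(open("phone.ovpn").read())` against the exact bytes you serve, then `phone_setting(text, url)` to get a setting line whose md5 matches that file; any edit to the file (even a trailing newline) changes the digest, so generate the line from the served copy, not from a working copy.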

Thank you for the reply!

Swapping the IP doesn’t change anything, unfortunately; I never see the connection attempt. It’s a custom OpenVPN server. The /vpn page shows the IP as 0.0.0.0 regardless of what I do, which makes sense; I’m guessing that’s the VPN address that’s assigned to the device when it connects.

One thing I did find ( this morning ) was this signature in xyz.log: OpenVPN 2.3.2 arm-wrs-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar 19 2020. Gonna go digging, but do you think that means it’s an IPv6 only build?

Ya, no. Looks like that just means it was built with IPv6.

At this point I’m thinking the openvpn client in 2_9_6 is flat out busted.

Alright I have found something quite interesting, and I think you are right about the client being borked. It looks like the client is built on version 2.3.2 of the OpenVPN platform, and this is what causes the problems. Several times when I try to connect I see errors in the logs related to TLS config parameters. So I had to remove several config parameters that involved TLS.

Now I no longer see an error but this appears:

<13>May  8 20:15:39 root: vpn_setup - vpn_enabled=1 vpn_status=down command=up Igonred

I cannot figure out what that message means or when the up command was ignored. I have removed a few server config items as well and I am close! The phone is trying to connect now, but TLS is failing to create a valid handshake.

I had to remove the tls-version-min, tls-cert and tls-key from my config and then on my server I commented out the “remote-cert-tls client” line. I now see the connection attempts that fail due to the TLS handshake timing out after 60 seconds. I can redact and share my client config if that helps at all.

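Since remote syslog is the only diagnostic channel the phone offers in this thread, the lines quoted so far (the `vpn_setup` message above and the OpenVPN build string two posts up) already carry the three facts that mattered: the client version, the option the client rejected, and the tunnel state. The following is an added example, not Digium code: a Python parser that pulls those facts out of a captured syslog stream. It assumes the RFC 3164 shape without a hostname field that the quoted line shows (`<PRI>Mmm dd HH:MM:SS tag: message`); the sample lines are constructed in that shape, and the "Options error" line follows OpenVPN's own `file:line: option (version)` wording, with the thread's `. option (version)` variant accepted as well.

```python
# Triage the D60's remote-syslog stream for OpenVPN facts. Added for this thread, not Digium
# code; the sample lines are constructed in the shape of the two lines the thread quotes.
import re
from collections import namedtuple

Event = namedtuple("Event", "facility severity timestamp tag message")
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit "
              "alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
SEVERITIES = "emerg alert crit err warning notice info debug".split()

# RFC 3164 shape without a hostname field, as the quoted line shows: <PRI>Mmm dd HH:MM:SS tag: msg
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) ([^:]+): (.*)$")
VERSION_RE = re.compile(r"OpenVPN (\d+\.\d+\.\d+) \S+ .*built on (.+)")
# OpenVPN reports a bad option as "... in FILE:LINE: OPTION (VERSION)"; the thread's paste
# had ". " instead of ":LINE: ", so accept either separator before the option name.
OPT_ERR_RE = re.compile(r"Options error: .*[.:]\s+([\w-]+) \(([\d.]+)\)\s*$", re.IGNORECASE)
VPN_SETUP_RE = re.compile(r"vpn_setup - (.*)")

def parse_line(line):
    """Decode one syslog line into an Event, or None if it is not in the expected shape."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m or int(m.group(1)) > 191:
        return None
    pri = int(m.group(1))
    return Event(FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2), m.group(3), m.group(4))

def summarize(lines):
    """Collect client version, build flags, rejected options and vpn_setup state from a log."""
    out = {"version": None, "built": None, "build_flags": [], "rejected_options": [], "vpn_setup": {}}
    for ev in filter(None, map(parse_line, lines)):
        if m := VERSION_RE.search(ev.message):
            out["version"], out["built"] = m.group(1), m.group(2)
            out["build_flags"] = re.findall(r"\[([^\]]+)\]", ev.message)
        elif m := OPT_ERR_RE.search(ev.message):
            out["rejected_options"].append(m.group(1))
        elif m := VPN_SETUP_RE.search(ev.message):
            words = m.group(1).split()
            out["vpn_setup"].update(w.split("=", 1) for w in words if "=" in w)
            out["vpn_setup"]["note"] = " ".join(w for w in words if "=" not in w)
            out["vpn_setup"]["last_seen"] = ev.timestamp
    return out

# Constructed sample: the two line shapes quoted in this thread plus one unrelated daemon line.
SAMPLE_LOG = """\
<13>May  8 20:15:39 root: vpn_setup - vpn_enabled=1 vpn_status=down command=up Igonred
<13>May  8 20:15:40 root: OpenVPN 2.3.2 arm-wrs-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [eurephia] [MH] [IPv6] built on Mar 19 2020
<13>May  8 20:15:40 root: Options error: unrecognized option or missing parameter(s) in client.ovpn:8: tls-version-min (2.3.2)
<30>May  8 20:15:41 dhcpc: lease renewed on eth0
""".splitlines()

if __name__ == "__main__":
    from pprint import pprint
    pprint(summarize(SAMPLE_LOG))
```

Feed it the file your syslog collector writes for the phone's IP; the `rejected_options` list is the thing to fix in the .ovpn first, because OpenVPN stops parsing at the first option it does not understand and never gets as far as `remote`.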

Ya, if it’s not too much trouble I’d love to see your configuration.

Moderate success! I went back to basics ( and ended up rebuilding my vpn infrastructure ). Got an inline config that works on my laptop and mobile, so I threw it on the D60 phone and voilà; it connects!

Now the problem is that the line isn’t registering with the server. But at least the vpn is working! I’m attaching the working config below.

Once I figure out the registration problem I’ll report back.

EDIT: This is a DNS issue. The phone is ignoring the pushed DNS settings from the VPN, so it can’t resolve the various names in its config files ( config server, time server and voip server ).

client
dev tun
cipher AES-256-CBC
remote <host> <port> <proto>
resolv-retry infinite
ping 5
nobind
comp-lzo

verb 3
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
ca
-----END CERTIFICATE-----
</ca>
<cert>
cert
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
key
-----END RSA PRIVATE KEY-----
</key>

key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
ta.key
-----END OpenVPN Static key V1-----
</tls-auth>

Still working on this. The problem is that the phone isn’t using the internal VPN DNS for resolution, favoring the DHCP-provided DNS servers, so it doesn’t know how to find my voip server.

I’ve tried pushing DNS settings via the OpenVPN server configuration. I’ve tried overriding the DNS settings via the configuration file, but the phone stubbornly refuses to use anything but the local network’s DHCP-provided DNS servers.

Complicating this work is the fact that I’m using TLS+SRTP, so I need the phone to resolve the FQDN of my server to correctly set up the registration. I was successful in getting the phone to register over the vpn by turning off TLS and such and giving it an ip address to register to instead of a FQDN, but I still need to get DNS working so I can push out any config changes over the vpn to the phone.

I’ll keep tinkering away until I get this ( although I would love input from anyone who’s gotten DNS working over the VPN ). In the meanwhile, for completeness’ sake, here’s the OpenVPN server config file.

local <ip> <port> <proto>
log <logfile>

dev tun

ca <ca.crt>
cert <cert.crt>
key <cert.key>
remote-cert-tls client

comp-lzo yes

push "comp-lzo yes"

ping 1
dh <dh.pem>

server <ipnetwork> <netmask>

ifconfig-pool-persist ipp.txt

push "route <voip network> 255.255.255.0"

push "dhcp-option DNS <internal ipaddr>"
push "dhcp-option DOMAIN <internal domain>"

tls-auth <ta.key> 0

cipher AES-256-CBC
status <statusfile>

verb 3

Sorry for the delay, it has been craziness since last week. So way below is the config I got close with, I am in the process of spinning up a second VPN Server on the 2.3.2 image since I could not get the phone to connect with our updated server here.

I am very fascinated that you got it connecting, but that it is ignoring the pushed settings. I wonder if it would be possible to push the DNS via the phone’s config vs the DHCP or VPN pushed settings.

client
dev tun
proto udp
remote ourpublic.vpndomain.net 1194
resolv-retry infinite
nobind
ns-cert-type server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
</key>

No worries!

I tried setting the DNS via the config file, no dice. It seems the DHCP process overrides the config file.

Currently I’m working on a vpn client config file approach. I hoped setting the default gateway might force the issue; no luck. I’m also thinking that maybe a client-connect command might allow me to push the DNS server IP where it needs to be manually. No real luck yet.

I’m guessing that the phone’s OS has a command that can set the phone’s DNS settings, but I have no idea what that might be or even how to find it. I wonder if it’s possible to mount the firmware image file and poke around the file system…

Anyway, still plugging away at this. VPN is up and reliable, I just can’t get the phone to listen to the pushed DNS settings ( same inline file works on my pixel 3 however ).

I finally broke down and filed a ticket with support; this is a confirmed issue with this build ( not a bug, but “a feature that isn’t implemented yet” ).

To date: I have a configuration which brings the tunnel up and is stable ( mtr all day, no dropped packets ). Bidirectional traffic successful. The problem is that the DNS order of precedence places DHCP-provided DNS servers above all else, meaning internal DNS servers cannot be used, meaning no resolving of internal sources.

I filed a feature request ( phonefeatures@digium.com ), outlining the change I’d like to see, so hopefully they’ll be able to include it in future firmware builds.

Note: This is almost a really neat feature of the phone and would allow me to use it in a couple different applications, so I’m hopeful they’ll get this fixed.
