=== OpenVPN Configuration ===
By installing OpenVPN on the server and using phones that support OpenVPN, remote workers (for example, people working from home) can connect to the server and use their phone as if they were in the office.
You must allow UDP or TCP port 1194 through to the server. I suggest UDP, as it is faster, still reliable over short hops, and uses less bandwidth.
  # build dependencies
  yum install gcc gcc-c++ autoconf automake lzo-devel
  yum install rpm-build autoconf.noarch zlib-devel pam-devel openssl-devel
  # fetch and unpack the sources
  cd /tmp
  wget http://swupdate.openvpn.org/community/releases/openvpn-2.2.1.tar.gz
  wget http://www.oberhumer.com/opensource/lzo/download/lzo-2.06.tar.gz
  wget http://www.opensc-project.org/files/pkcs11-helper/pkcs11-helper-1.09.tar.bz2
  tar xvf lzo-2.06.tar.gz
  tar xvf openvpn-2.2.1.tar.gz
  tar xvf pkcs11-helper-1.09.tar.bz2
  # build and install lzo
  cd lzo-2.06
  ./configure
  make
  make check
  make test
  make install
  # build and install pkcs11-helper
  cd /tmp/pkcs11-helper-1.09
  ./configure
  make
  make install
  # build and install OpenVPN
  cd /tmp/openvpn-2.2.1
  ./configure
  make
  make check
  make install
  # install the init script, sample server config and easy-rsa scripts
  mkdir /etc/openvpn
  mkdir /etc/openvpn/easy-rsa
  cp -p /tmp/openvpn-2.2.1/sample-scripts/openvpn.init /etc/rc.d/init.d/openvpn
  cp -p /tmp/openvpn-2.2.1/sample-config-files/server.conf /etc/openvpn/openvpn.conf
  cp -r /tmp/openvpn-2.2.1/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
  chkconfig --add openvpn
Refer to the OpenVPN HOWTO for more details: http://openvpn.net/index.php/open-source/documentation/howto.html#vpntype
  cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
  vi /etc/openvpn/easy-rsa/vars
  # set these values in the vars file:
  export KEY_CONFIG=/etc/openvpn/easy-rsa/openssl-1.0.0.cnf
  export KEY_COUNTRY="xx"
  export KEY_PROVINCE="xxxx"
  export KEY_CITY="xxxxxx"
  export KEY_ORG="pbx"
  export KEY_EMAIL="xxxx@xxxx.com"
  export KEY_CN=xxxxx
  export KEY_NAME=xxxxxxx
  export KEY_OU=xxxx
  cd /etc/openvpn/easy-rsa
  # vars must be sourced into the current shell before the other scripts are run
  source ./vars
  ./clean-all    # removes all certs and keys from the keys folder
  ./build-ca
*** If you enter '.', the field will be left blank. ***
  ./build-key-server server
Use server name is:
Use Password of :
  ./build-dh
Create individual client keys, one for each phone.
You will need to perform this process for each phone you want to add to the VPN.
You may change the name phone1, but each device name must be unique.
The device name appears in the OpenVPN status and assignment file once the device connects to the VPN.
  ./build-key phone1
Use Password of :
You will use ca.crt together with the device's own certificate and key (phone1.crt and phone1.key here) to configure each phone's VPN files.
*** Save a copy of the keys and certs. ***
  cp keys/ca.crt ../
  cp keys/ca.key ../
  cp keys/dh1024.pem ../
  cp keys/server.key ../
  cp keys/server.crt ../
  cp keys/phone1.crt ../
  cp keys/phone1.key ../
Edit the OpenVPN conf file and set the server settings.
In this case the server's IP address is 192.168.1.100.
I allocate another subnet, 192.168.2.0, and allow the server to talk to this new subnet.
All new VPN connections will get a 192.168.2.x IP address.
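  cd /etc/openvpn
  vi openvpn.conf
Set the following in openvpn.conf:
  proto udp
  # keep only one "dev" line (tun = routed IP tunnel, tap = Ethernet-level tunnel);
  # the phones' vpn.cnf must use the same device type
  dev tun
  # "server" takes the network address and netmask of the VPN subnet; clients get 192.168.2.x
  server 192.168.2.0 255.255.255.0
  dh dh1024.pem
  dev tap
  ca ca.crt
  cert server.crt
  key server.key
  keepalive 10 30
  comp-lzo
  verb 4
  user nobody
  group nobody
  log openvpn.log
Then restart the service and enable it at boot:
  service openvpn restart
  chkconfig openvpn on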
Now you must configure each phone's VPN settings.
Basically, the vpn.cnf file must contain the word 'client', the server's address, the port, the protocol (tcp/udp), and the ca, phone cert and phone key files.
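As an added example (not part of the original page), the shell function below assembles the file set described above for one phone: a vpn.cnf containing 'client', the server address, port and protocol, plus ca.crt and that phone's own certificate and key. The address vpn.example.com, the output directory layout and the relative file names inside vpn.cnf are assumptions; check where your phone's firmware expects these files.

```sh
#!/bin/sh
# Added example, not from the original page. Builds one phone's VPN file set.
# Assumed layout: <out_dir>/<device>/{vpn.cnf,ca.crt,<device>.crt,<device>.key}

make_phone_cnf() {
    dev_name=$1                                # name given to ./build-key, e.g. phone1
    vpn_host=$2                                # address that forwards port 1194 to the server
    out_dir=$3
    keys_dir=${4:-/etc/openvpn/easy-rsa/keys}
    dev_type=${5:-tun}                         # must match the server's "dev" line

    # Reject values that could escape the directory or inject extra config lines.
    case $dev_name in ''|*[!A-Za-z0-9_-]*) echo "bad device name" >&2; return 2 ;; esac
    case $vpn_host in ''|*[!A-Za-z0-9.:-]*) echo "bad server address" >&2; return 2 ;; esac
    case $dev_type in tun|tap) ;; *) echo "dev must be tun or tap" >&2; return 2 ;; esac
    [ -n "$out_dir" ] || { echo "output directory required" >&2; return 2; }

    # Only these three files go to a phone; ca.key and server.key stay on the server.
    for f in ca.crt "$dev_name.crt" "$dev_name.key"; do
        [ -s "$keys_dir/$f" ] || { echo "missing $keys_dir/$f" >&2; return 3; }
    done

    (
        umask 077                              # private key and config readable by owner only
        mkdir -p "$out_dir/$dev_name" &&
        cp "$keys_dir/ca.crt" "$keys_dir/$dev_name.crt" "$keys_dir/$dev_name.key" \
           "$out_dir/$dev_name/" &&
        printf '%s\n' \
            "client" \
            "dev $dev_type" \
            "proto udp" \
            "remote $vpn_host 1194" \
            "ca ca.crt" \
            "cert $dev_name.crt" \
            "key $dev_name.key" \
            "comp-lzo" \
            > "$out_dir/$dev_name/vpn.cnf"
    )
}

# Usage: sh make_phone_cnf.sh phone1 vpn.example.com /root/phone-bundles
if [ "$#" -ge 3 ]; then make_phone_cnf "$@"; fi
```

Run it once per device name created with ./build-key, so that every phone gets its own certificate and key rather than a shared pair.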
The following phones support OpenVPN:
http://www.yealink.com/index.php/Products/detail/id/19
http://www.yealink.com/index.php/Products/detail/id/20
http://www.yealink.com/index.php/Products/detail/id/1 (I believe with latest firmware)
Check the /etc/openvpn/openvpn.log file for connection issues and while testing.