By default, the phone does not attempt to connect using OpenVPN. These options must be enabled.
Firmware 2_2_1_1 or greater is required. Versions prior to this do not support OpenVPN connectivity.
OpenVPN connectivity is supported by models D60, D62, and D65. Models D40, D45, D50 and D70 do not support OpenVPN connectivity.
Phones require, at a minimum, an OpenVPN configuration file and a Root (CA) Certificate, or an OpenVPN configuration file that contains an in-line CA cert, in order to be able to use VPN connectivity.
OpenVPN server configuration must not require manual password entry in order to connect. The phone does not provide the user a means of inputting user and/or password credentials as a part of VPN connection.
Certificates have been tested in CRT format only.
In order to connect to an OpenVPN server, the phone utilizes an OpenVPN configuration file, a Root (CA) certificate and, optionally, client key and CRT files. The phone will, when directed by its configuration, attempt to cURL those files in from a defined http(s) or ftp(s) server. The phone can retrieve these files using no authentication, basic auth, or digest auth. Once the files are retrieved, the phone will store them locally using the names defined as "values" in the phone's configuration. If the phone receives a new configuration file and the value remains the same, the phone will not attempt to retrieve new VPN configuration elements, rather, it will use the already stored copies. If the phone receives a new configuration file and a value has changed, the phone will retrieve a new file from the defined URLs and use the new file instead.
It is important to note that the phone must be able to retrieve the OpenVPN configuration elements without actually being connected to the VPN. This presents a chicken-and-egg scenario that is most often solved by connecting the phone to an already-secure network, feeding it a configuration file that points to VPN configuration files that can be retrieved, and then, once successfully loaded, moving the phone to the insecure network.
The phone maintains six (6) VPN configuration elements that are defined like:
The network_default_enable_openvpn element is disabled by default. When enabled, the phone will, on boot, attempt to load its already-stored VPN configuration files and connect to the VPN. When disabled, the phone will not attempt to connect to the VPN.
The phone will retrieve from the defined URLs using cURL. Basic and Digest Authorization are supported. If the phone does not have a file, it will cURL it in, regardless of the disposition of the network_default_enable_openvpn option.
Where an element has a value, the value specifies the local name of the file. If the value in the configuration file remains the same between reboots / configuration file loads, the phone will use the previously-stored element file. If the value changes, the phone will attempt to download a new Root CA, Client Cert, Client Key, and/or OpenVPN configuration file using the defined URL.
The openvpn_root_cert element defines the Root CA file.
The openvpn_client_cert element defines the Client Certificate file.
The openvpn_client_key element defines the Client Key file.
The openvpn_config_file element defines the OpenVPN configuration file.
The openvpn_logging element turns on or off logging that can be used by Digium Support to troubleshoot issues. Note: this option should not be enabled unless you are so directed by Digium's Support department.
When the VPN is Enabled
When the network_default_enable_openvpn option is enabled on the phone, the phone will display an additional setup item in its BootConfig Settings page, e.g.:
Within this menu, the phone will show the load status of the VPN configuration files as well as its VPN address:
If a configuration file was retrieved okay, the menu will display a . If a configuration file is not found or the VPN is not connected, the phone will display an icon. The phone will also display the VPN IP Address and the connection status. When connected, you may Disconnect using the Disconnect soft key. When disconnected, you may connect using the Connect soft key.
When the phone is booted, OpenVPN is enabled, and the connection is successfully brought up, the phone will show a blue VPN shield icon in the status bar, e.g.:
If the OpenVPN connection cannot be brought up, a red VPN shield icon will show in the status bar, e.g.:
The OpenVPN configuration file
OpenVPN has myriad configuration options, and not all can be or have been tested with Digium's phones. A tested, sample configuration file is provided here:
Within this file, if you do not in-line them, you must pass in the ca, cert, and key parameters using file names that match the value names as defined in the phone's configuration file. Further, they must be passed in without directory paths; OpenVPN will search for them in the phone's local directory.
The phone can operate OpenVPN in either UDP or TCP protocols. The comp-lzo option has been tested to work but adds additional processing overhead.
It is also possible to in-line any of the ca, cert, and key parameters as such:
Digium phones support the following Control Channel TLS Ciphers:
ECDHE-RSA-RC4-SHA, ECDHE-RSA-DES-CBC3-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA
Versions of firmware prior to 2.3.9 also supported the following, additional ciphers:
AECDH-RC4-SHA, AECDH-DES-CBC3-SHA, AECDH-AES128-SHA, AECDH-AES256-SHA
Digium phones support the following Data Channel Ciphers:
RC2-CBC, RC2-40-CBC, RC2-64-CBC
DES-CBC, DES-EDE-CBC, DES-EDE3-CBC, DESX-CBC
AES-128-CBC, AES-192-CBC, AES-256-CBC
CAMELLIA-128-CBC, CAMELLIA-192-CBC, CAMELLIA-256-CBC
In the event that OpenVPN login fails, and you cannot resolve the issue by inspecting the OpenVPN server-side logging, then, only if directed by Digium's Support department, first enable OpenVPN logging by turning it on:
Setting this will cause the phone to restart and capture extra OpenVPN logging. Do not leave this option enabled while normally using the phone.
Then, after the phone has booted and has attempted to connect to the OpenVPN server, capture a phone debug by taking a web browser to:
The debug file should be provided to Digium's Support department.
When a phone is factory defaulted, any stored certificates are deleted.
If you need to cause a phone to switch to different certificates, the value parameter of the certificate definition must be changed. When the phone detects that the retrieved value is different from the stored value, the phone will load a new certificate. An example:
Where a phone has previously been configured with a CA certificate such as:
and where the administrator needs to provide an updated CA certificate, the administrator can effect this by changing the value name, e.g.:
This will cause the phone to download the certificate from the same or from a newly specified URL; the new certificate will be stored and referenced locally on the phone as "ca-new.crt". Note that if making this change, you will also need to update the OpenVPN configuration file so that its ca parameter points to the updated value.
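As an added example (not part of this page or of Digium's firmware), the Python check below lints an OpenVPN client configuration against the constraints described above before it is published for the phones: no auth-user-pass, ca/cert/key given as bare file names that match the phone's openvpn_root_cert, openvpn_client_cert and openvpn_client_key values (so a rotation to "ca-new.crt" without updating the ca line is caught), in-line blocks accepted in place of files, and cipher / tls-cipher restricted to the lists above. The directive names are standard OpenVPN; the phone element values passed in are assumed sample values.

```python
import re
# Cipher names as listed on this page (control-channel set for firmware 2.3.9+).
CONTROL_TLS_CIPHERS = {"ECDHE-RSA-RC4-SHA", "ECDHE-RSA-DES-CBC3-SHA",
                       "ECDHE-RSA-AES128-SHA", "ECDHE-RSA-AES256-SHA"}
DATA_CIPHERS = {"RC2-CBC", "RC2-40-CBC", "RC2-64-CBC", "DES-CBC", "DES-EDE-CBC",
                "DES-EDE3-CBC", "DESX-CBC", "AES-128-CBC", "AES-192-CBC",
                "AES-256-CBC", "CAMELLIA-128-CBC", "CAMELLIA-192-CBC", "CAMELLIA-256-CBC"}
INLINE_RE = re.compile(r"<(ca|cert|key)>.*?</\1>", re.S)
# Directive -> phone configuration element whose value names the stored file.
FILE_ELEMENTS = {"ca": "openvpn_root_cert", "cert": "openvpn_client_cert",
                 "key": "openvpn_client_key"}

def parse_ovpn(text):
    """Parse a client config into {directive: [args]} plus the set of in-line <ca>/<cert>/<key> blocks."""
    inline = {m.group(1) for m in INLINE_RE.finditer(text)}
    options = {}
    for line in INLINE_RE.sub("", text).splitlines():
        line = line.strip()
        if line and not line.startswith(("#", ";")):
            directive, *args = line.split()
            options[directive] = args
    return options, inline

def check_phone_ovpn(text, phone_values):
    """Return a list of problems (empty means OK). phone_values maps the
    phone's openvpn_* elements to their configured file-name values (assumed sample values)."""
    opts, inline = parse_ovpn(text)
    problems = []
    if "auth-user-pass" in opts:  # the phone has no way to type credentials
        problems.append("auth-user-pass: phone cannot enter user/password")
    if "ca" not in opts and "ca" not in inline:
        problems.append("ca: a Root CA (file or in-line) is required")
    for directive, element in FILE_ELEMENTS.items():
        if directive in inline or directive not in opts:
            continue  # in-line needs no local file; cert/key are optional
        name = opts[directive][0] if opts[directive] else ""
        if "/" in name or "\\" in name:
            problems.append(f"{directive}: use a bare file name, got {name!r}")
        elif name != phone_values.get(element):
            problems.append(f"{directive}: {name!r} != {element}={phone_values.get(element)!r}")
    for c in opts.get("cipher", []):
        if c.upper() not in DATA_CIPHERS:
            problems.append(f"cipher: {c} is not supported by the phone")
    for tc in ":".join(opts.get("tls-cipher", [])).split(":"):
        if tc and tc not in CONTROL_TLS_CIPHERS:
            problems.append(f"tls-cipher: {tc} is not supported by the phone")
    if not opts.get("proto", ["udp"])[0].startswith(("udp", "tcp")):
        problems.append("proto: the phone supports udp or tcp only")
    return problems
```

Run it over the .ovpn file together with the openvpn_* values from the phone's configuration file; an empty list means the file respects the rules on this page, and a mismatch on the ca line is the symptom of the rotation case described above.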
By default, a phone will not perform OpenVPN login. The phone disables OpenVPN when the following parameter is configured as zero, the default:
Even if this setting is disabled, the phone will continue to retrieve new certificates if so directed by the phone's configuration file.