
Defaults

By default, the phone does not attempt to connect using OpenVPN.  These options must be enabled.

Recommended Firmware

Firmware 2_2_1_1 or greater is required.  Versions prior to this do not support OpenVPN connectivity.

Compatibility

OpenVPN connectivity is supported by models D60, D62, and D65.  Models D40, D45, D50 and D70 do not support OpenVPN connectivity.

Important Notes

Phones require, at a minimum, an OpenVPN configuration file and a Root (CA) Certificate, or an OpenVPN configuration file that contains an in-line CA cert, in order to be able to use VPN connectivity.

OpenVPN server configuration must not require manual password entry in order to connect.  The phone does not provide the user a means of inputting user and/or password credentials as a part of VPN connection.

Certificates have been tested in CRT format only.

Requirements

In order to connect to an OpenVPN server, the phone utilizes an OpenVPN configuration file, a Root (CA) certificate and, optionally, client key and CRT files.  The phone will, when directed by its configuration, attempt to cURL those files in from a defined http(s) or ftp(s) server.  The phone can retrieve these files using no authentication, basic auth, or digest auth.  Once the files are retrieved, the phone will store them locally using the names defined as "values" in the phone's configuration.  If the phone receives a new configuration file and the value remains the same, the phone will not attempt to retrieve new VPN configuration elements, rather, it will use the already stored copies.  If the phone receives a new configuration file and a value has changed, the phone will retrieve a new file from the defined URLs and use the new file instead.

It is important to note that the phone must be able to retrieve the OpenVPN configuration elements without actually being connected to the VPN.  This presents a chicken-and-egg scenario that is most often solved by connecting the phone to an already-secure network, feeding it a configuration file that points to VPN configuration files that can be retrieved, and then, once successfully loaded, moving the phone to the insecure network.

Configuration Elements

The phone maintains six (6) VPN configuration elements that are defined like:

The network_default_enable_openvpn element is disabled by default.  When enabled, the phone will, on boot, attempt to load its already-stored VPN configuration files and connect to the VPN.  When disabled, the phone will not attempt to connect to the VPN.

The phone will retrieve from the defined URLs using cURL.  Basic and Digest Authorization are supported.  If the phone does not have a file, it will cURL it in, regardless of the disposition of the network_default_enable_openvpn option.

Where an element has a value, the value specifies the local name of the file.  If the value in the configuration file remains the same between reboots / configuration file loads, the phone will use the previously-stored element file.  If the value changes, the phone will attempt to download a new Root CA, Client Cert, Client Key, and/or OpenVPN configuration file using the defined URL.

The openvpn_root_cert element defines the Root CA file.

The openvpn_client_cert element defines the Client Certificate file.

The openvpn_client_key element defines the Client Key file.

The openvpn_config_file element defines the OpenVPN configuration file.

The openvpn_logging element turns on or off logging that can be used by Digium Support to troubleshoot issues.  Note: this option should not be enabled unless you are so directed by Digium's Support department.

When the VPN is Enabled

When the network_default_enable_openvpn option is enabled on the phone, the phone will display an additional setup item in its BootConfig Settings page, e.g.:


Within this menu, the phone will show the load status of the VPN configuration files as well as its VPN address:

If a configuration file was retrieved okay, the menu will display a tick icon.  If a configuration file is not found or the VPN is not connected, the phone will display an error icon.  The phone will also display the VPN IP Address and the connection status.  When connected, you may disconnect using the Disconnect soft key.  When disconnected, you may connect using the Connect soft key.


When the phone is booted, OpenVPN is enabled, and the connection is successfully brought up, the phone will show a blue VPN shield icon in the status bar, e.g.:


If the OpenVPN connection cannot be brought up, a red VPN shield icon will show in the status bar, e.g.:


The OpenVPN configuration file

OpenVPN has myriad configuration options, and not all can be or have been tested with Digium's phones.  A tested, sample configuration file is provided here:

client
dev tun
proto udp
remote server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
verb 3

Within this file, if you do not in-line them, you must pass in the ca, cert, and key parameters using file names that match the value names as defined in the phone's configuration file.  Further, they must be passed in without directory declarations - OpenVPN will search for them in the local directory.

The phone can operate OpenVPN in either UDP or TCP protocols.  The comp-lzo option has been tested to work but adds additional processing overhead.

It is also possible to in-line any of the ca, cert, and key parameters as such:

client
dev tun
proto udp
remote server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
sFA...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
</key>

Ciphers

Digium phones support the following Control Channel TLS Ciphers:

 Digium Phone Control Channel TLS Ciphers

RC4-SHA, RC4-MD5
DES-CBC-SHA, DES-CBC3-SHA
AES128-SHA, AES256-SHA
CAMELLIA128-SHA, CAMELLIA256-SHA
SEED-SHA
ECDHE-RSA-RC4-SHA, ECDHE-RSA-DES-CBC3-SHA, ECDHE-RSA-AES128-SHA, ECDHE-RSA-AES256-SHA 

Versions of firmware prior to 2.3.9 also supported the following, additional ciphers:

 Digium Phone Control Channel TLS Ciphers

AECDH-RC4-SHA, AECDH-DES-CBC3-SHA, AECDH-AES128-SHA, AECDH-AES256-SHA


Digium phones support the following Data Channel Ciphers:

 Digium Phone Data Channel Ciphers

RC2-CBC, RC2-40-CBC, RC2-64-CBC
DES-CBC, DES-EDE-CBC, DES-EDE3-CBC, DESX-CBC
AES-128-CBC, AES-192-CBC, AES-256-CBC
CAMELLIA-128-CBC, CAMELLIA-192-CBC, CAMELLIA-256-CBC
SEED-CBC
BF-CBC
CAST5-CBC


The use of ciphers may impact the performance of the phone. Normal operation with the listed ciphers has been tested, but it is conceivable that certain combinations of ciphers, transports, RTP encryption, numbers of calls, codecs, audio paths, subscriptions, applications, etc., could result in audio degradation. If audio degradation is experienced, use alternate ciphers, transports, RTP, codecs, subscriptions, etc.
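The file-name rules for the ca, cert and key parameters given above, together with the data-channel cipher list in this section, can be checked before a profile is handed to a phone. The following linter is an added example, not Digium's code: it parses a client profile (including in-line PEM blocks) and reports directives the page says the phone cannot honour; SAMPLE is constructed input, and the stored_files argument stands for the local file names defined as values in the phone's configuration.

```python
# Added example (not Digium's code): lint an OpenVPN client profile against the
# constraints this page states for the phones. SAMPLE is constructed input.
import re

# Data-channel ciphers listed on this page (OpenSSL names).
DATA_CIPHERS = set(
    "RC2-CBC RC2-40-CBC RC2-64-CBC DES-CBC DES-EDE-CBC DES-EDE3-CBC DESX-CBC "
    "AES-128-CBC AES-192-CBC AES-256-CBC CAMELLIA-128-CBC CAMELLIA-192-CBC "
    "CAMELLIA-256-CBC SEED-CBC BF-CBC CAST5-CBC".split())
INLINE_TAG = re.compile(r"^<(/?)(ca|cert|key)>$")

def parse_profile(text):
    """Map each directive to its argument list and collect inline PEM blocks."""
    directives, inline, block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        tag = INLINE_TAG.match(line)
        if tag:                                   # <ca> ... </ca> etc.
            block = None if tag.group(1) else tag.group(2)
            inline.add(tag.group(2))
        elif line and not block and line[0] not in "#;":
            parts = line.split()                  # skip PEM payload and comments
            directives[parts[0]] = parts[1:]
    return directives, inline

def check_profile(text, stored_files):
    """Return problems; stored_files = local names from the phone's config values."""
    d, inline = parse_profile(text)
    problems = []
    if "auth-user-pass" in d:                     # page: no credential prompt
        problems.append("auth-user-pass: phone cannot enter credentials")
    if "ca" not in d and "ca" not in inline:
        problems.append("ca: a Root CA is required (file or inline)")
    for opt in ("ca", "cert", "key"):
        if opt in d and opt not in inline:
            name = d[opt][0]
            if "/" in name or "\\" in name:       # page: no directory declarations
                problems.append(f"{opt}: '{name}' must be a bare file name")
            elif name not in stored_files:        # must match a configured value
                problems.append(f"{opt}: '{name}' matches no configured value")
    if "cipher" in d and d["cipher"][0] not in DATA_CIPHERS:
        problems.append(f"cipher: {d['cipher'][0]} is not a supported cipher")
    return problems

# Constructed sample: the ca path carries a directory, which the phone rejects.
SAMPLE = ("client\nremote server.example.com 1194\nca /etc/openvpn/ca.crt\n"
          "cert client.crt\nkey client.key\ncipher AES-256-CBC\n")
```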


Debugging

In the event that OpenVPN login fails and you cannot resolve the issue by inspecting the OpenVPN server-side logging, then, only if directed by Digium's Support department, enable OpenVPN logging by turning it on:

Setting this will cause the phone to restart and capture extra OpenVPN logging.  Do not leave this option enabled while normally using the phone.

Then, after the phone has booted and has attempted to connect to the OpenVPN server, capture a phone debug by taking a web browser to:

http://[ip address of phone]/cgi-bin/ptsr

The debug file should be provided to Digium's Support department.

Replacing Certificates

When a phone is factory defaulted, any stored certificates are deleted.

If you need to cause a phone to switch to different certificates, then the value parameter of the certificate definition must be changed.  When the phone detects that the retrieved value is different from the stored value, the phone will load a new certificate.  An example:

Where a phone has previously been configured with a CA certificate such as:

and where the administrator needs to provide an updated CA certificate, this can be effected by changing the value name, e.g.:

This will cause the phone to download the new certificate from the same or from a newly-specified URL, and the new certificate will be stored and referenced locally on the phone as "ca-new.crt".  Note that if making this change, you will also need to update the OpenVPN configuration file so that its ca parameter points to the updated value.

Disabling OpenVPN

By default, a phone will not perform OpenVPN login.  The phone disables OpenVPN when the following parameter is configured as zero, the default:

Even if this setting is disabled, the phone will continue to retrieve new certificates if so directed by the phone's configuration file.
