By default, the phone does not attempt to connect using OpenVPN. These options must be enabled.
Firmware 2_2_1_1 or greater is required. Versions prior to this do not support OpenVPN connectivity.
OpenVPN connectivity is supported by models D60, D62, and D65. Models D40, D45, D50 and D70 do not support OpenVPN connectivity.
Phones require, at a minimum, an OpenVPN configuration file and a Root (CA) Certificate, or an OpenVPN configuration file that contains an in-line CA cert, in order to be able to use VPN connectivity.
Certificates have been tested in CRT format only.
In order to connect to an OpenVPN server, the phone uses an OpenVPN configuration file, a Root (CA) certificate and, optionally, a client key and a client certificate (CRT) file. When directed by its configuration, the phone uses cURL to download those files from a defined http(s) or ftp(s) server; the download can use no authentication, basic auth, or digest auth. Once the files are retrieved, the phone stores them locally under the names defined as the "values" in the phone's configuration. If the phone receives a new configuration file in which a value is unchanged, it does not retrieve that VPN configuration element again but uses the already-stored copy. If a value has changed, the phone retrieves a new file from the defined URL and uses the new file instead.
It is important to note that the phone must be able to retrieve the OpenVPN configuration elements without actually being connected to the VPN. This presents a chicken-and-egg scenario that is most often solved by connecting the phone to an already-secure network, feeding it a configuration file that points to VPN configuration files that can be retrieved, and then, once successfully loaded, moving the phone to the insecure network.
The phone maintains six (6) VPN configuration elements, which are defined as follows:
The openvpn_logging element turns on or off logging that can be used by Digium Support to troubleshoot issues. Note: this option should not be enabled unless you are so directed by Digium's Support department.
When the VPN is Enabled
When the network_default_enable_openvpn option is enabled on the phone, the phone will display an additional setup item in its BootConfig Settings page, e.g.:
client
dev tun
proto udp
remote server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
verb 3
<ca>
-----BEGIN CERTIFICATE-----
sFA...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
</key>
Digium phones support the following Control Channel TLS Ciphers:
The use of ciphers may impact the performance of the phone. Normal operation with the listed ciphers has been tested, but it is conceivable that certain combinations of ciphers, transports, RTP encryption, numbers of calls, codecs, audio paths, subscriptions, applications, etc., could result in audio degradation. If audio degradation is experienced, use alternate ciphers, transports, RTP, codecs, subscriptions, etc.
In the event that OpenVPN login fails and you cannot resolve the issue by inspecting the OpenVPN server-side logs, enable OpenVPN logging on the phone (only if directed to do so by Digium's Support department) by turning it on:
The debug file should be provided to Digium's Support department.
When a phone is factory defaulted, any stored certificates are deleted.
This will cause the phone to download the certificate again, from the same or from a newly-specified URL, and the new certificate will be stored and referenced locally on the phone as "ca-new.crt." Note that if you make this change, you will also need to update the OpenVPN configuration file so that its ca directive points to the updated value.
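The retrieval rules described above (an element is downloaded again only when its configured value changes, and the configuration file must reference the CA either in-line or by the stored file name) are easy to get wrong when rotating a CA. The following Python is an added example, not Digium firmware code or a Digium tool; it models those rules so a provisioning server can check a config push before the phone sees it. The element names (openvpn_config, openvpn_ca, openvpn_cert, openvpn_key), the file names, and the sample .ovpn contents are constructed assumptions, and the parser only handles the in-line tags listed in INLINE_TAGS.

```python
import re

# In-line sections this example recognises inside a .ovpn file (assumed subset).
INLINE_TAGS = ("ca", "cert", "key", "tls-auth", "tls-crypt")


def parse_ovpn(text):
    """Parse an OpenVPN config into (directives, inline).

    directives maps a directive name to the list of its argument lists
    (a directive may appear more than once); inline maps an in-line tag
    such as "ca" to its PEM body."""
    directives, inline = {}, {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is None and (not line or line.startswith(("#", ";"))):
            continue  # blank line or comment outside an in-line block
        tag = re.fullmatch(r"<(/?)([a-z-]+)>", line)
        if tag and tag.group(2) in INLINE_TAGS:
            if tag.group(1) == "":          # opening tag, start collecting
                current, body = tag.group(2), []
            elif current == tag.group(2):   # matching closing tag
                inline[current] = "\n".join(body)
                current = None
            continue
        if current is not None:
            body.append(line)
            continue
        tokens = line.split()
        directives.setdefault(tokens[0], []).append(tokens[1:])
    return directives, inline


def missing_elements(ovpn_text, stored_files):
    """Return the files the config needs but the phone has not stored.

    As described on the page: the CA must be present either in-line (<ca>)
    or as a stored file named by the ca directive; cert and key are optional
    and only required when the config references them by file name."""
    directives, inline = parse_ovpn(ovpn_text)
    missing = []
    for tag in ("ca", "cert", "key"):
        if tag in inline:
            continue
        refs = directives.get(tag)
        if refs:
            fname = refs[0][0]
            if fname not in stored_files:
                missing.append(fname)
        elif tag == "ca":
            missing.append("<ca>")  # neither an in-line CA nor a ca directive
    return missing


def elements_to_refetch(old_values, new_values):
    """Elements whose configured value (local file name) changed between two
    phone configs; only those are downloaded again."""
    return sorted(k for k, v in new_values.items() if old_values.get(k) != v)


def check_reprovision(old_values, new_values, ovpn_text):
    """Both checks for one config push: what will be re-fetched, and what
    the .ovpn references that will not exist on the phone afterwards."""
    return {
        "refetch": elements_to_refetch(old_values, new_values),
        "missing": missing_elements(ovpn_text, set(new_values.values())),
    }


# Constructed sample data: element names and file names are assumptions.
OLD_VALUES = {"openvpn_config": "phone.ovpn", "openvpn_ca": "ca.crt",
              "openvpn_cert": "phone.crt", "openvpn_key": "phone.key"}
NEW_VALUES = dict(OLD_VALUES, openvpn_ca="ca-new.crt")  # CA rotated

FILE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cert phone.crt
key phone.key
"""

INLINE_OVPN = """\
client
remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""

if __name__ == "__main__":
    # The rotated CA is re-fetched, but the unchanged .ovpn still says
    # "ca ca.crt", which the phone will no longer hold.
    print(check_reprovision(OLD_VALUES, NEW_VALUES, FILE_OVPN))
```

Running the module reports that only openvpn_ca is re-fetched and that ca.crt is missing, which is exactly the mismatch the note above warns about; rewriting the ca line to ca-new.crt clears it, and a config with an in-line <ca> block needs no stored CA file at all.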
By default, a phone will not perform OpenVPN login. The phone disables OpenVPN when the following parameter is configured as zero, the default: