Defaults

By default, the phone does not attempt to connect using OpenVPN.  These options must be enabled.

Recommended Firmware

Firmware 2_2_1_1 or greater is required.  Versions prior to this do not support OpenVPN connectivity.

Compatibility

OpenVPN connectivity is supported by models D60, D62, and D65.  Models D40, D45, D50 and D70 do not support OpenVPN connectivity.

Important Notes

Phones require, at a minimum, an OpenVPN configuration file and a Root (CA) Certificate, or an OpenVPN configuration file that contains an in-line CA cert, in order to be able to use VPN connectivity.

...

Certificates have been tested in CRT format only.

Requirements

In order to connect to an OpenVPN server, the phone utilizes an OpenVPN configuration file, a Root (CA) certificate and, optionally, client key and CRT files.  When directed by its configuration, the phone will attempt to retrieve those files with cURL from a defined http(s) or ftp(s) server.  The phone can retrieve these files using no authentication, basic auth, or digest auth.  Once the files are retrieved, the phone will store them locally using the names defined as "values" in the phone's configuration.  If the phone receives a new configuration file and the value remains the same, the phone will not attempt to retrieve new VPN configuration elements; instead, it will use the already stored copies.  If the phone receives a new configuration file and a value has changed, the phone will retrieve a new file from the defined URLs and use the new file instead.

It is important to note that the phone must be able to retrieve the OpenVPN configuration elements without actually being connected to the VPN.  This presents a chicken-and-egg scenario that is most often solved by connecting the phone to an already-secure network, feeding it a configuration file that points to VPN configuration files that can be retrieved, and then, once successfully loaded, moving the phone to the insecure network.

Configuration Elements

The phone maintains six (6) VPN configuration elements, defined as follows:

...

The openvpn_logging element turns on or off logging that can be used by Digium Support to troubleshoot issues.  Note: this option should not be enabled unless you are so directed by Digium's Support department.

When the VPN is Enabled

When the network_default_enable_openvpn option is enabled on the phone, the phone will display an additional setup item in its BootConfig Settings page, e.g.:

...

client
dev tun
proto udp
remote server.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ns-cert-type server
verb 3
 
<ca>
-----BEGIN CERTIFICATE-----
sFA...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
</key>

Ciphers

Digium phones support the following Control Channel TLS Ciphers:

...

Note

The use of ciphers may impact the performance of the phone. Normal operation with the listed ciphers has been tested, but it is conceivable that certain combinations of ciphers, transports, RTP encryption, numbers of calls, codecs, audio paths, subscriptions, applications, etc., could result in audio degradation. If audio degradation is experienced, use alternate ciphers, transports, RTP, codecs, subscriptions, etc.

 

Debugging

In the event that OpenVPN login fails and you cannot resolve the issue by inspecting the OpenVPN server-side logging, first enable OpenVPN logging, but only if directed to do so by Digium's Support department, by turning it on:

...

the debug file should be provided to Digium's Support department.

Replacing Certificates

When a phone is factory defaulted, any stored certificates are deleted.

...

This will cause the phone to download the certificate, from the same or from a newly-specified URL, and the new certificate will be stored and referenced locally on the phone as "ca-new.crt."  Note that if making this change, you'll also need to update the OpenVPN configuration file to point ca to the updated value.
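
A pre-deployment check for the point above and for the minimum requirements under Important Notes, as an added example that is not Digium's code: it lints an OpenVPN client configuration for a CA source that matches the name the phone stores the certificate under, for a client cert supplied without its key (or the reverse), and for a missing server-certificate check. The names parse_ovpn, lint and stored_ca_name and the sample configuration are constructed for illustration; remote-cert-tls is the stock OpenVPN alternative to ns-cert-type, and whether the phone firmware accepts it is not stated on this page.

```python
import re

# Constructed sample: similar to the page's inline example, but with the CA
# referenced by file name and a client cert supplied without its key.
SAMPLE_OVPN = """\
client
remote server.example.com 1194
ns-cert-type server
ca ca.crt
<cert>
-----BEGIN CERTIFICATE-----
MII...
-----END CERTIFICATE-----
</cert>
"""

def parse_ovpn(text):
    """Return (directives, inline_blocks) for an OpenVPN client config."""
    directives, inline, block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                  # inside <tag> ... </tag>
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            block = m.group(1)
            inline.add(block)
        elif line and line[0] not in "#;":         # skip blanks and comments
            name, *rest = line.split(None, 1)
            directives[name] = rest[0] if rest else ""
    return directives, inline

def lint(text, stored_ca_name):
    """stored_ca_name: name the phone stores the CA under (assumed input)."""
    d, inline = parse_ovpn(text)
    issues = []
    if "ca" not in inline:
        if "ca" not in d:
            issues.append("no CA: need a ca directive or an inline <ca> block")
        elif d["ca"].strip('"') != stored_ca_name:
            issues.append(f"ca points to {d['ca']!r}, phone stores {stored_ca_name!r}")
    has_cert, has_key = ("cert" in inline or "cert" in d), ("key" in inline or "key" in d)
    if has_cert != has_key:
        issues.append("client cert and key must be supplied together")
    if "ns-cert-type" not in d and "remote-cert-tls" not in d:
        issues.append("server certificate type is not checked")
    return issues
```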

Disabling OpenVPN

By default, a phone will not perform OpenVPN login.  The phone disables OpenVPN when the following parameter is configured as zero, the default:

...