Configuring VPN on Snom Deskphones


Index:

Overview
Install and configure the OpenVPN server
  OpenVPN server on Linux
  OpenVPN server on Windows
Install and configure OpenVPN on the Snom phones
  Install the VPN patch on the Snom phone
    Manual Installation
    Automatic installation via SRAPS
    How to tell if the VPN patch installation was successful
    VPN feature patch for older versions
  Create the VPN configuration tarball for the phone on Linux
    Create client/phone configuration file
    Put together the configuration files for the phone
  Create the VPN configuration tarball for the phone on Windows
    Create client/phone configuration file
    Put together the configuration files for the phone
  Structure reference for the configuration tarball
  Put the VPN configuration tarball on an HTTP server
    Setup an HTTP server on Windows
    Setup an HTTP server on Linux
  Apply the VPN configuration to the Snom phone
  Changing the VPN configuration tarball at a later time
  Adding another phone to the VPN at a later time
Advanced examples
  Additional authentication with a username/password
Troubleshooting
  Everything works as described, but the phone seems to reject my server certificate. What's wrong?
  How to view the OpenVPN logs
  What is my IP in the VPN?

Overview

Snom deskphones include the ability to build secure VoIP infrastructures via the OpenVPN technology. Snom decided to use OpenVPN because it is compatible with SSL/RSA certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices. OpenVPN is Open Source and is licensed under the GPL.

This article explains the step-by-step implementation of OpenVPN on Snom phones, including server installation and setup, creating the phone configuration and applying it on the phone.

Install and configure the OpenVPN server

The OpenVPN server is available for free and there are various guides available on installing and configuring it. This section contains one out of several methods to install and set up a minimal OpenVPN server on Linux and Windows. For more options and detailed information, see https://openvpn.net or the available documentation for your server.

OpenVPN server on Linux

Versions used for this section:

Ubuntu 18.04
OpenVPN 2.4.4
OpenSSL 1.1.1

The installation steps require that you are logged in as root on the Ubuntu system.

1. Update the apt-sources

Note: If you already have a VPN server, you can skip this section.

# apt-get update

2. Install OpenVPN and easy-rsa packages

# apt-get install openvpn
# apt-get install easy-rsa

3. Create the Certificate Authority

a. Copy the easy-rsa directory to /etc/openvpn:

# make-cadir /etc/openvpn/easy-rsa

b. Enter the created directory:

# cd /etc/openvpn/easy-rsa

c. Edit the vars file with your favorite editor, for example using vim:

# vim vars

and scroll down until you find the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Edit these to fit your server. Don't leave any of these parameters blank.

d. Next, initialize the PKI:

# . ./vars
# ./clean-all

If, when running ". ./vars", you get the error "No /etc/openvpn/easy-rsa/openssl.cnf file could be found", link openssl.cnf to the latest available cnf file inside the directory, for example using the command "ln -s openssl-1.0.0.cnf openssl.cnf". Then run ". ./vars" again.

e. The next command (build-ca) will build the certificate authority (CA) certificate and key:

# ./build-ca

Here is a detailed example showing how to run this command:

# ./build-ca
Generating a RSA private key
.........................+++++
.........................+++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Berlin]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Snom Test]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [Snom Test CA]:
Name [EasyRSA]:
Email Address [[email protected]]:

In the above sequence, most queried parameters were defaulted to the values that you have set in the vars file.

4. Create the server certificate

# ./build-key-server server

Here is a detailed example showing how to run this command:

# ./build-key-server server
Generating a RSA private key
.+++++
..............+++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Berlin]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Snom Test]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [server]:192.168.137.102   <--- the IP address/hostname that the phone will use to reach the server
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Berlin'
localityName          :PRINTABLE:'Berlin'
organizationName      :PRINTABLE:'Snom Test'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'192.168.137.102'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 11 16:03:20 2030 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

5. Create the Diffie Hellman parameter

# ./build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................+........++*++*++*++*

6. Create the phone certificate

Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone. It is necessary to give each certificate an individual name, e.g. the phone's MAC address; for our example we will use 000413A30591:

# ./build-key 000413A30591

Here is a detailed example showing how to run this command:

# ./build-key 000413A30591
Generating a RSA private key
....................................+++++
....................................+++++
writing new private key to '000413A30591.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [Berlin]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [Snom Test]:
Organizational Unit Name (eg, section) [MyOrganizationalUnit]:
Common Name (eg, your name or your server's hostname) [000413A30591]:
Name [EasyRSA]:
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'Berlin'
localityName          :PRINTABLE:'Berlin'
organizationName      :PRINTABLE:'Snom Test'
organizationalUnitName:PRINTABLE:'MyOrganizationalUnit'
commonName            :PRINTABLE:'000413A30591'
name                  :PRINTABLE:'EasyRSA'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 11 11:54:12 2030 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:

Filename          Purpose                             Needed by
ca.crt            Root CA certificate                 server + all clients
ca.key            Root CA private key                 server only
dh{n}.pem         Diffie Hellman parameters
server.crt        Server Certificate
server.key        Server private key
000413A30591.crt  Certificate for phone 000413A30591  phone 000413A30591 only
000413A30591.key  Private key for phone 000413A30591

The phone configuration requires some naming that is mandatory and should not be changed:

- All file paths in your config file must be set to /openvpn/filename
- The configuration file must be named vpn.cnf

In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.

7. Create server configuration for OpenVPN

Create the configuration file, for example using the touch command:

# touch /etc/openvpn/server.conf

Edit the file with your favorite editor, for example using vim:

# vim /etc/openvpn/server.conf

Paste the following content into the file:

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key
dh /etc/openvpn/easy-rsa/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-to-client
keepalive 10 120
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 6

This will configure OpenVPN to listen on port 1194, and use private IP subnet 10.8.0.0/24.

8. Enable packet forwarding

This step is optional and is only needed if you would like to configure your OpenVPN server to act as a VPN gateway for a LAN. See also https://openvpn.net/faq/what-is-and-how-do-i-enable-ip-forwarding-on-linux/

Edit /etc/sysctl.conf and uncomment the following line (remove the '#' at the beginning) to enable IP forwarding:

net.ipv4.ip_forward=1

Then save the file and reload sysctl:

# sysctl -p /etc/sysctl.conf

9. Run the OpenVPN server

To check for any fatal errors preventing the server from starting, you can try running the server in the foreground like this:

# openvpn /etc/openvpn/server.conf

If the service starts and prints several lines finishing with "Initialization Sequence Completed", then the try run was successful. You can stop the try run with CTRL+C.

Now you can start the OpenVPN server:

# sudo systemctl start openvpn@server

Next, check if OpenVPN created a tun0 interface. You should see something like this:

# ip addr show dev tun0
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::8fc2:3403:fbac:1f35/64 scope link stable-privacy
       valid_lft forever preferred_lft forever

10. Configure OpenVPN to run at startup

Running OpenVPN at system startup is optional but often preferred on server machines. Edit /etc/default/openvpn and add the following line, which instructs the system to start openvpn with the configuration file /etc/openvpn/server.conf:

AUTOSTART="server"

Then reload systemctl and restart the OpenVPN service:

# systemctl daemon-reload
# systemctl restart openvpn.service

OpenVPN server on Windows

OpenVPN is available for free, see more details here: https://openvpn.net/

Versions used for this section:

Windows 10, 64-bit
Installation file: openvpn-install-2.4.9-I601-Win10.exe

1. Download and run the OpenVPN installer file

a. At the time of this article the installation file could be found here: https://openvpn.net/community-downloads/
b. Double click the installation file. You will see the installation wizard. Press Next until you reach the Choose Components section.
c. Make sure EasyRSA is enabled (add a green tick):

d. Follow the install wizard to finish the installation.

2. Initialize the PKI and create the Certificate Authority

Navigate to the C:\Program Files\OpenVPN\easy-rsa folder on an elevated command prompt:

a. Open the search box next to the Start menu
b. Type "cmd"
c. Right-click the menu item "Command Prompt"
d. Choose "Run as Administrator"
e. On the pop up User Account Control window, click "Yes"
f. Navigate to the easy-rsa folder:

cd "C:\Program Files\OpenVPN\easy-rsa"

g. Initialize the OpenVPN configuration:

init-config

Only run init-config once, during installation.

h. Open the vars.bat file in a text editor:

notepad vars.bat

i. Edit the following lines in vars.bat, replacing "US", "CA", etc. with your company's information:

j. Save the file and exit notepad.

k. Run the following commands:

vars
clean-all

l. Build the certificate authority (CA) certificate and key. When prompted, enter your country, etc. These will have default values (from the vars file), which appear in brackets.

build-ca

Here is a detailed example showing how to run this command:

C:\Program Files\OpenVPN\easy-rsa>build-ca
Generating a RSA private key
........................................++++
........................................++++
writing new private key to 'keys\ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BLN]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [SnomTest]:
Organizational Unit Name (eg, section) [changeme]:Test
Common Name (eg, your name or your server's hostname) [192.168.137.142]:
Name [changeme]:Test
Email Address [[email protected]]:

3. Create the server certificate

build-key-server server

Here is a detailed example showing how to run this command:

C:\Program Files\OpenVPN\easy-rsa>build-key-server server
Ignoring -days; not generating a certificate
Generating a RSA private key
............................................++++
............++++
writing new private key to 'keys\server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BLN]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [SnomTest]:
Organizational Unit Name (eg, section) [changeme]:Test
Common Name (eg, your name or your server's hostname) [192.168.137.142]:
Name [changeme]:Test
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'BLN'
localityName          :PRINTABLE:'Berlin'
organizationName      :PRINTABLE:'SnomTest'
organizationalUnitName:PRINTABLE:'Test'
commonName            :PRINTABLE:'192.168.137.142'
name                  :PRINTABLE:'Test'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 18 12:29:34 2030 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

4. Create the Diffie Hellman parameter

C:\Program Files\OpenVPN\easy-rsa>build-dh
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................+........++*++*++*++*

5. Create the phone certificate

Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone. It is necessary to give each certificate an individual name, e.g. the phone's MAC address; for our example we will use 000413A30591:

build-key 000413A30591

Here is a detailed example showing how to run this command:

C:\Program Files\OpenVPN\easy-rsa>build-key 000413A30591
Ignoring -days; not generating a certificate
Generating a RSA private key
...............................................++++
...............................................++++
writing new private key to 'keys\000413A30591.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [DE]:
State or Province Name (full name) [BLN]:
Locality Name (eg, city) [Berlin]:
Organization Name (eg, company) [SnomTest]:
Organizational Unit Name (eg, section) [changeme]:Test
Common Name (eg, your name or your server's hostname) [192.168.137.142]:000413A30591
Name [changeme]:Phone000413A30591
Email Address [[email protected]]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'DE'
stateOrProvinceName   :PRINTABLE:'BLN'
localityName          :PRINTABLE:'Berlin'
organizationName      :PRINTABLE:'SnomTest'
organizationalUnitName:PRINTABLE:'Test'
commonName            :PRINTABLE:'000413A30591'
name                  :PRINTABLE:'Phone000413A30591'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Oct 18 13:00:29 2030 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

Now we will find our newly-generated keys and certificates in the C:\Program Files\OpenVPN\easy-rsa\keys folder. Here is an explanation of the relevant files:

Filename          Purpose                             Needed by
ca.crt            Root CA certificate                 server + all clients
ca.key            Root CA private key                 server only
dh{n}.pem         Diffie Hellman parameters
server.crt        Server Certificate
server.key        Server private key
000413A30591.crt  Certificate for phone 000413A30591  phone 000413A30591 only
000413A30591.key  Private key for phone 000413A30591

6. Create the server configuration for OpenVPN

a. Create the file server.ovpn using the command:

notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"

b. When asked if you want to create a new file, click Yes.

c. Enter the following configuration:

port 1194
proto udp
dev tun
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\config\\server.crt"
key "C:\\Program Files\\OpenVPN\\config\\server.key"
dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem"
server 10.9.0.0 255.255.255.0
client-to-client
keepalive 10 120
persist-key
persist-tun
verb 6

d. Save the file and exit notepad. This will configure OpenVPN to listen on port 1194, and use private IP subnet 10.9.0.0/24.

e. Copy the configuration files from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ on the server by typing the following in the command prompt:

robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt dh2048.pem server.crt server.key server.ovpn

NOTE: In the robocopy command above, the space at the end of the path in each string is important.

7. Run the OpenVPN server

a. Run OpenVPN from: Start Menu -> OpenVPN -> OpenVPN GUI. This will create a new icon in the system tray. Double click the icon to initiate the connection. The resulting dialog should show the status shortly and then close upon a successful start:

b. Now if you open Network Connections (from Control Panel -> Network and Internet -> View Network Status and tasks -> Change adapter settings), you should see a new connection of type TAP-Windows Adapter V9:

c. If you right click this connection and then click Status -> Details, you should be able to see the configured IP address:

8. Running OpenVPN as a Service

Running OpenVPN as a service will allow OpenVPN to be started automatically on system startup. This is often preferred on a server machine.

a. Run the Windows Service administrative tool:
   i. Press Windows Key + R
   ii. Type "services.msc" and press Enter.
b. Find the OpenVPN service, and set its Startup Type to "Automatic". Press Apply.
c. Optionally, start the service now.

9. Firewall Configuration

If you have connection problems, make sure to set a rule on your server's firewall allowing incoming traffic on UDP port 1194 (Win+R, "wf.msc").

Install and configure OpenVPN on the Snom phones

Install the VPN patch on the Snom phone

The VPN feature is not shipped with the default firmware due to security considerations. Snom provides the VPN feature in a small firmware patch which needs to be installed. This patch contains only the VPN feature and thus is very small in size.

To install the VPN feature patch follow one of the following procedures:

Manual Installation

1. Find out your currently installed firmware version. See this link for information on how to do this.
2. Open the Firmware Update Center and click on your version.
3. Scroll down to "VPN Feature Updates".
4. Copy the download link appropriate for your phone model.
5. Open the phone web user interface and select "Software Update" from the left hand menu.
6. Paste the link in the "Manual Software Update" field and click "Load".

The phone will reboot and install the patch. Afterwards you will be able to use the VPN feature.

Automatic installation via SRAPS

It is also possible to install the VPN patch automatically via SRAPS, as part of the provisioning or even prior to the settings being fetched by the phone. See details here.

How to tell if the VPN patch installation was successful

If the VPN installation was successful, the VPN feature will be available. Here is how you can check that the VPN feature is available:

1. The VPN option is now visible in the Phone's Web Interface under Advanced -> QOS/Security. If the VPN patch installation was successful, you should see the VPN setting here (it will be set to off at first because the VPN feature was installed, but it is not yet enabled).

2. The VPN line is now added to the System Info screen in the Phone Menu. Open the "Settings" menu by pressing the phone button with the gear symbol, then navigate to "Information" and select "System Info". You should see the VPN line (it will show VPN off at first because the VPN feature was installed, but it is not yet enabled).

IMPORTANT: A network recovery will remove the VPN patch, so the VPN patch installation is necessary after each TFTP rescue mode update!

3. After installing the VPN patch, the phone will add the HTTP header X-snom-vpn: available to the provisioning requests. Using this header you can distinguish between devices with VPN enabled and devices not supporting the VPN.

VPN feature patch for older versions

If your phone is running version 8.x, you can find the instructions for the VPN patch here.

Create the VPN configuration tarball for the phone on Linux

Create client/phone configuration file

The content of the configuration file is usually the same on all clients/phones. To avoid having both the client and the server configuration files in one directory, create a subfolder called client-config:

# mkdir /etc/openvpn/client-config

The configuration file for the phone must be called vpn.cnf:

# touch /etc/openvpn/client-config/vpn.cnf

Edit this file with your favorite editor:

# vim /etc/openvpn/client-config/vpn.cnf

Paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:

client
dev tun
proto udp
remote <Server-IP/-name> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
remote-cert-tls server
ping 10
ping-restart 60

Put together the configuration files for the phone

For this example we are using the same MAC we used to create the client certificate.

1. Create a temporary directory to hold the needed files:

# mkdir /etc/openvpn/client-config/tmp

2. Put together the files in a tarball:

# cp /etc/openvpn/client-config/vpn.cnf /etc/openvpn/client-config/tmp/   # the configuration file
# cp /etc/openvpn/easy-rsa/keys/000413A30591.crt /etc/openvpn/client-config/tmp/client.crt   # the client certificate
# cp /etc/openvpn/easy-rsa/keys/000413A30591.key /etc/openvpn/client-config/tmp/client.key   # the client private key
# cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/client-config/tmp/ca.crt   # the CA
# cd /etc/openvpn/client-config/tmp/
# chown -Rf root:root *
# chmod -R 700 *
# tar cvpf vpnclient-000413A30591.tar *   # this command creates the actual tar file
# rm client.*   # remove the used certificate and private key as they are no longer needed in the tmp directory

Now you should be able to find the tarball file vpnclient-000413A30591.tar inside the /etc/openvpn/client-config/tmp/ directory. We will use this file in the next step when providing it to the phone.

Create the VPN configuration tarball for the phone on Windows

Create client/phone configuration file

In the Command Prompt, create the file vpn.cnf by running:

notepad "C:\Program Files\OpenVPN\easy-rsa\keys\vpn.cnf"

When asked if you want to create a new file, click Yes. Copy and paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:

client
dev tun
proto udp
remote <Server-IP/-name> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
remote-cert-tls server
ping 10
ping-restart 60

Note: If you want to use OpenVPN configurations from phones with fw v8 now in fw v10 on the same OpenVPN server, you may need to add the parameter

ncp-ciphers "BF-CBC"

to the phone's vpn.cnf if the server's OpenVPN version is < 2.5.

The phone configuration requires some naming that is mandatory and should not be changed:

- All file paths in your config file must be set to /openvpn/filename
- The configuration file must be named vpn.cnf

In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.

Save the file vpn.cnf.

Put together the configuration files for the phone

1. Navigate in File Explorer to C:\Program Files\OpenVPN\easy-rsa\keys\. Inside this folder, create a new folder called 000413A30591.
2. Copy the following files from C:\Program Files\OpenVPN\easy-rsa\keys\ into the 000413A30591 folder:

ca.crt
000413A30591.crt
000413A30591.key
vpn.cnf

3. Now your 000413A30591 folder should look like this:

4. Rename 000413A30591.crt to client.crt
5. Rename 000413A30591.key to client.key

6. Now your 000413A30591 folder should look like this:

7. In the command prompt, navigate to the newly created directory by typing:

cd C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591

8. Now create the tarball archive by typing:

tar cvpf C:\vpnclient-000413A30591.tar *



You should see the following:

C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591>tar cvpf C:\vpnclient-000413A30591.tar *
a client.crt
a client.key
a ca.crt
a vpn.cnf

Now you should be able to find the tarball file vpnclient-000413A30591.tar under C:\. We will use this file in the next step when providing it to the phone.

Structure reference for the configuration tarball

When creating the tar archive for Snom phones, it is very important to keep the file structure and naming as in the above examples.

Below is the content of the tar file created in this example, vpnclient-000413A30591.tar. Note that there are no subdirectories, the files must be placed in the root of the tarball:

ca.crt

client.crt

client.key

vpn.cnf

You can download this example file here: vpnclient-000413A30591.tar
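To catch the structure mistakes described above before a phone ever downloads the archive, here is an added Python check (example code, not part of the original guide or of Snom's tooling). It builds a sample tarball in memory from constructed placeholder PEM bodies, then verifies the three rules: files in the root only, the four mandatory names with the config called vpn.cnf, and every file path in vpn.cnf of the form /openvpn/<file> pointing at a file that is actually shipped.

```python
import io, tarfile

REQUIRED = {"ca.crt", "client.crt", "client.key", "vpn.cnf"}
# OpenVPN options whose argument is a file on the phone's filesystem
PATH_OPTIONS = {"ca", "cert", "key", "auth-user-pass", "tls-auth", "tls-crypt"}

def build_tarball(files):
    """Build an uncompressed tar in memory from {name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

def check_tarball(data):
    """Return a list of problems; an empty list means the tarball follows the rules."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        members = tar.getmembers()
        names = {m.name for m in members}
        # Rule 1: no subdirectories, every file sits in the tarball root
        problems += [f"not in tarball root: {m.name}" for m in members if m.isdir() or "/" in m.name]
        # Rule 2: the four mandatory files, the config being named vpn.cnf
        problems += [f"missing file: {n}" for n in sorted(REQUIRED - names)]
        if "vpn.cnf" in names:
            for line in tar.extractfile("vpn.cnf").read().decode().splitlines():
                parts = line.split()
                if len(parts) > 1 and parts[0] in PATH_OPTIONS:
                    # Rule 3: every path is /openvpn/<file> and that file is shipped
                    path, prefix = parts[1], "/openvpn/"
                    if not path.startswith(prefix) or "/" in path[len(prefix):]:
                        problems.append(f"{parts[0]}: path must be /openvpn/<file>, got {path}")
                    elif path[len(prefix):] not in names:
                        problems.append(f"{parts[0]}: {path} is not in the tarball")
    return problems

# Constructed sample: placeholder PEM bodies stand in for the real certificate and key
PEM = b"-----BEGIN PLACEHOLDER-----\nconstructed\n-----END PLACEHOLDER-----\n"
GOOD_CNF = (b"client\ndev tun\nproto udp\nremote <Server-IP/-name> 1194\n"
            b"ca /openvpn/ca.crt\ncert /openvpn/client.crt\nkey /openvpn/client.key\n"
            b"remote-cert-tls server\n")
GOOD = build_tarball({"ca.crt": PEM, "client.crt": PEM, "client.key": PEM, "vpn.cnf": GOOD_CNF})
# Typical mistakes: folder kept inside the archive, cert not renamed, Windows path in vpn.cnf
BAD = build_tarball({"000413A30591/ca.crt": PEM, "000413A30591.crt": PEM, "client.key": PEM,
                     "vpn.cnf": GOOD_CNF.replace(b"ca /openvpn/ca.crt", b"ca C:\\keys\\ca.crt")})
if __name__ == "__main__":
    print("good tarball:", check_tarball(GOOD) or "OK")
    print("bad tarball:", *check_tarball(BAD), sep="\n  ")
```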

Put the VPN configuration tarball on an HTTP server

This section also includes the download and setup of a minimal HTTP server using the SPLiT application. If you already have an HTTP server, you can just upload the tar file created in the previous section to your existing HTTP server and skip this section.

Setup an HTTP server on Windows

Download the SPLiT executable file (for this example we used SPLiT-1.1.3_w32.exe).
Create a directory SPLiT in a location of your choice, for example C:\SPLiT.
Move SPLiT-1.1.3_w32.exe into the SPLiT directory.
Create a new directory called http inside the SPLiT directory.
Move the tar file created in the previous section from C:\ to the http directory.
Go back to the SPLiT directory.
Run the SPLiT executable SPLiT-1.1.3_w32.exe as Administrator.
Once the software has started you should see a user interface window:

Click on the Debug check box.
Insert your computer's IP address into the IP Address field.
Verify that the HTTP Directory field contains the value http.


Click on the Start HTTP Server button.

Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar . This should present you with the option to download the tarball file.

Setup an HTTP server on Linux

Open a terminal. Install python if it is not already installed:

# apt-get install python

Get and start SPLiT:

# mkdir /usr/local/SPLiT
# cd /usr/local/SPLiT
# wget https://github.com/pbertera/SPLiT/archive/1.1.3.tar.gz
# tar -xvzf 1.1.3.tar.gz
# cd SPLiT-1.1.3/
# mkdir http
# sudo python SPLiT.py -i <Server-IP/-name> --http   # replace <Server-IP/-name> with your server's IP/hostname

Now that the HTTP server is running, place the tar file created in the previous section in the http directory inside the SPLiT directory:

# cp /etc/openvpn/client-config/tmp/vpnclient-000413A30591.tar /usr/local/SPLiT/SPLiT-1.1.3/http

Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar . This should present you with the option to download the tarball file.

Apply the VPN configuration to the Snom phone

Make sure the phone's date and time is correct in order to be able to validate the certificates.


Under Advanced QOS/Security, find the Parameter VPN:

Enable the VPN parameter by clicking on. The parameter Unzipped VPN config tarball will become available:

 


Enter the HTTP(S)-URL of the tarball file with the openVPN configuration, e.g. http://<Server-IP/name>/vpnclient-000413A30591.tar

Scroll down and click Apply

In case the phone presents you with Some settings are not yet stored permanently, click Save. If this text does not appear you can ignore this step.

Click Reboot

After the reboot, the phone will show a notification VPN is active and display the VPN icon on the phone taskbar.

Here is an example:


Pressing the Info key will show:

After you have pressed the Info key and seen the Status Info, the "VPN is active" notification will disappear.

Changing the VPN configuration tarball at a later time

The parameter Unzipped VPN config tarball is designed to be provisioned only once: every time this parameter is configured the phone downloads the tarball and then the setting gets emptied. If you wish to change the phone's VPN configuration you have to configure the tarball URL again in order to make the phone download and apply the new configuration. It is not necessary to give the tarball a new name, you can use the original name.

Adding another phone to the VPN at a later time

If you wish to set up a new phone in the VPN at a later time, you can use the following steps:

Open a command prompt and then run vars; on Linux by using the commands:

cd /etc/openvpn/easy-rsa
. ./vars

on Windows by using the commands:

cd "C:\Program Files\OpenVPN\easy-rsa"
vars

Repeat step Create the phone certificate.
Repeat step Create the VPN configuration tarball for the phone (you can skip the part where you create vpn.cnf because this was already created and it is usually the same for all clients).
Repeat step Put the VPN configuration tarball on an HTTP server.
Repeat step Apply the VPN configuration to the Snom phone.

Advanced examples

Additional authentication with a username/password

In some cases the VPN server requires a username and password in addition to the certificate. Here is how to configure a VPN username/password for the Snom phone:


Add auth-user-pass to your vpn.cnf, like this (do not change the path):

auth-user-pass /openvpn/pass.txt

Create the file pass.txt with the following content, replacing the text username and password with your actual username and password.

username
password

When creating the configuration tarball (see step Create the VPN configuration tarball for the phone), also include the file pass.txt in the tarball. Make sure that the file pass.txt is in the same path of the tarball as the other configuration files.

Troubleshooting

Everything works as described, but the phone seems to reject my server certificate. What's wrong?

Make sure the phone has the right date and time. Try to configure an NTP server that the phone can reach on its native network (not via VPN). If the phone has a wrong date it might assume that all certificates are not valid (yet).

How to view the OpenVPN logs

You can set the phone to send all VPN logs to a "Netcat Server". To do this:

Install and run netcat on a host that is reachable from the phone:

netcat -l -p 5000

Set the IP address of this host under Advanced QOS/Security, Netcat Server:

Once you apply this and reboot the phone, you will see the phone's VPN logs on the host running netcat. If you have not added a custom verbosity level in vpn.cnf, you should see the following (for a successful connection):

Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed

What is my IP in the VPN?


The phone does not show the IP address received over the VPN in the web interface by default, but there are some other ways to view it:

Option 1: from the SIP logs

Set up a test identity on the phone, with Registrar set to an IP address inside the VPN network. It does not matter what IP address it is, it just needs to be routed inside the VPN network. Set only the Account and the Registrar for this identity:

 

Then click on SIP Trace, you will see some SIP messages. Look at the IP address from which these were sent:

Sent to Udp:10.8.0.1:5060 at Oct 19 23:54:43.886 (717 bytes): from Udp:10.8.0.6:55786
REGISTER sip:10.8.0.1 SIP/2.0
Via: SIP/2.0/UDP 10.8.0.6:55786;branch=z9hG4bK-2yig1rmxrpir;rport
From: <sip:[email protected]>;tag=r06il7bz6r
To: <sip:[email protected]>
.....

If your VPN network is routing packets correctly, you will see here the phone's IP address (in this example it is 10.8.0.6).

Option 2: from the netcat logs

From the netcat logs (see above "How to view the OpenVPN logs"). If you have not added a custom verbosity level in vpn.cnf, the netcat logs will also show, at the beginning of the connection, the IP address that the phone receives.

Here is an example:

Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5         <-------- this means that our local address in the VPN is 10.8.0.6
Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed
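As an added example (not from the original guide), the parser below pulls the tunnel address, the server, any WARNING lines and the completion state out of a netcat capture like the one above, so the check can be scripted instead of read by eye; it also recognises the CIDR form OpenVPN logs when the server uses topology subnet, which the log above does not show. The log excerpt is constructed from the lines shown above.

```python
import re

# Constructed excerpt in the format of the netcat output shown above
SAMPLE_LOG = """\
Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5
Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed
"""

# OpenVPN prefixes every line with a timestamp such as "Tue Oct 20 11:58:21 2020 "
TS = r"^\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4} "
PEER_RE = re.compile(TS + r"\[(?P<cn>[^\]]+)\] Peer Connection Initiated with \[AF_INET6?\](?P<server>\S+)")
# point-to-point addressing (the default net30 topology, as in the log above)
ADDR_P2P_RE = re.compile(TS + r"/sbin/ip addr add dev (?P<dev>\S+) local (?P<local>\S+) peer (?P<peer>\S+)")
# servers with 'topology subnet' log the address in CIDR form instead
ADDR_SUBNET_RE = re.compile(TS + r"/sbin/ip addr add dev (?P<dev>\S+) (?P<local>[\d.]+)/\d+")
WARN_RE = re.compile(TS + r"WARNING: (?P<msg>.*)")

def summarize_vpn_log(text):
    """Extract server, tunnel address, warnings and completion state from a phone's OpenVPN log."""
    s = {"server": None, "server_cn": None, "device": None, "vpn_ip": None,
         "peer": None, "completed": False, "warnings": []}
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m:
            s["server"], s["server_cn"] = m.group("server"), m.group("cn")
        m = ADDR_P2P_RE.match(line) or ADDR_SUBNET_RE.match(line)
        if m:
            s["device"], s["vpn_ip"] = m.group("dev"), m.group("local")
            s["peer"] = m.groupdict().get("peer")  # None for subnet topology
        m = WARN_RE.match(line)
        if m:
            s["warnings"].append(m.group("msg"))
        if line.endswith("Initialization Sequence Completed"):
            s["completed"] = True
    return s

if __name__ == "__main__":
    summary = summarize_vpn_log(SAMPLE_LOG)
    print(f"phone VPN IP: {summary['vpn_ip']} on {summary['device']} via {summary['server']}")
    print("warnings:", *summary["warnings"], sep="\n  ")
```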

The source code of components licensed under GPL used in snom VoIP phones can be downloaded from here. The original GPL license text can be downloaded from here.

Further Information