Index:

Note:  this guide is valid for the public announcement system PA1+ as well (but not its predecessor PA1).

Overview

Snom deskphones include the ability to build secure VoIP-Infrastructures via the OpenVPN Technology. Snom decided to use OpenVPN because it is compatible with SSL/RSA Certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices. OpenVPN is Open Source and is licensed under the GPL.

This article explains the step-by-step implementation of OpenVPN on Snom phones, including server installation and setup, creating the phone configuration and applying it on the phone.

Install and configure the OpenVPN server

The OpenVPN server is available for free and there are various guides available on installing and configuring it. This section contains one out of several methods to install and set up a minimal OpenVPN server on Linux and Windows. For more options and detailed information, see https://openvpn.net or the available documentation for your server.

OpenVPN server on Linux

Versions used for this section:

• Ubuntu 18.04
• OpenVPN 2.4.4
• OpenSSL 1.1.1

The installation steps require that you are logged in as root on the Ubuntu system.

1. Update the apt-sources
   

   # apt-get update

   
   

2. Install OpenVPN and easy-rsa packages
   

   # apt-get install openvpn # apt-get install easy-rsa

   
   

3. Create the Certificate Authority
   

   1. Copy the easy-rsa directory to /etc/openvpn:

      # make-cadir /etc/openvpn/easy-rsa

      
      

   2. Enter the created directory:

      # cd /etc/openvpn/easy-rsa

      
      

   3. Edit the vars file with your favorite editor, for example using vim:

      # vim vars

      
      

   4. and scroll down until you find the KEY_COUNTRY, KEY_PROVINCE, KEY_CITY, KEY_ORG, and KEY_EMAIL parameters. Edit these to fit your server. Don’t leave any of these parameters blank.
      
      

   5. Next, initialize the PKI:

      # . ./vars # ./clean-all

      
      

      If when running ". ./vars" you get error "No /etc/openvpn/easy-rsa/openssl.cnf file could be found", link openssl.cnf to the latest available cnf file insider the directory, for example using command: "ln -s openssl-1.0.0.cnf openssl.cnf". Then, run ". ./vars" again.

      
      

   6. The next command (build-ca) will build the certificate authority (CA) certificate and key:

      # ./build-ca

      
      

   7. Here is a detailed example showing how to run this command:

      # ./build-ca Generating a RSA private key ...............................................................................+++++ .......................................................................................+++++ writing new private key to 'ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [Berlin]: Locality Name (eg, city) [Berlin]: Organization Name (eg, company) [Snom Test]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [Snom Test CA]: Name [EasyRSA]: Email Address [test@myhost.mydomain]:

      
      

   8. In the above sequence, most queried parameters were defaulted to the values that you have set in the vars file.
      
      

4. Create the server certificate
   

   # ./build-key-server server

   
   Here is a detailed example showing how to run this command:

   # ./build-key-server server Generating a RSA private key .+++++ ..............+++++ writing new private key to 'server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [Berlin]: Locality Name (eg, city) [Berlin]: Organization Name (eg, company) [Snom Test]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [server]:192.168.137.102 <--------- the IP address/hostname that the phone will use to reach the server Name [EasyRSA]: Email Address [test@myhost.mydomain]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'Berlin' localityName :PRINTABLE:'Berlin' organizationName :PRINTABLE:'Snom Test' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'192.168.137.102' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'test@myhost.mydomain' Certificate is to be certified until Oct 11 16:03:20 2030 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

   
   

5. Create the Diffie Hellman parameter
   

   # ./build-dh Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ..............................................................................+........ ++*++*++*++*

   
   

6. Create the phone certificate
   Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone.
   It is necessary to give each certificate an individual name, e.g. the phone's MAC address, for our example we will use 000413A30591:

   # ./build-key 000413A30591

   
   Here is a detailed example showing how to run this command:

   # ./build-key 000413A30591 Generating a RSA private key ....................................................................................+++++ ........................................................+++++ writing new private key to '000413A30591.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [Berlin]: Locality Name (eg, city) [Berlin]: Organization Name (eg, company) [Snom Test]: Organizational Unit Name (eg, section) [MyOrganizationalUnit]: Common Name (eg, your name or your server's hostname) [000413A30591]: Name [EasyRSA]: Email Address [test@myhost.mydomain]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from /etc/openvpn/easy-rsa/openssl.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'Berlin' localityName :PRINTABLE:'Berlin' organizationName :PRINTABLE:'Snom Test' organizationalUnitName:PRINTABLE:'MyOrganizationalUnit' commonName :PRINTABLE:'000413A30591' name :PRINTABLE:'EasyRSA' emailAddress :IA5STRING:'test@myhost.mydomain' Certificate is to be certified until Oct 11 11:54:12 2030 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

   
   Now we will find our newly-generated keys and certificates in the keys subdirectory. Here is an explanation of the relevant files:

   The phone configuration requires some naming that is mandatory and should not be changed: All file paths in your config file must be set to /openvpn/filename The configuration file must be named vpn.cnf In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.

   
   

   Filename	Purpose	Needed by
   ca.crt	Root CA certificate	server + all clients
   ca.key	Root CA private key	server only
   dh{n}.pem	Diffie Hellman parameters
   server.crt	Server Certificate
   server.key	Server private key
   000413A30591.crt	Certificate for phone 000413A30591	phone 000413A30591 only
   000413A30591.key	Private key for phone 000413A30591

   
   

   
   

7. Create server configuration for OpenVPN
   Create configuration file, for example using the touch command:
   

   # touch /etc/openvpn/server.conf

   
   Edit the file with your favorite editor, for example using vim:

   # vim /etc/openvpn/server.conf

   
   Paste the following content into the file:

   port 1194 proto udp dev tun ca /etc/openvpn/easy-rsa/keys/ca.crt cert /etc/openvpn/easy-rsa/keys/server.crt key /etc/openvpn/easy-rsa/keys/server.key dh /etc/openvpn/easy-rsa/keys/dh2048.pem server 10.8.0.0 255.255.255.0 ifconfig-pool-persist /var/log/openvpn/ipp.txt client-to-client keepalive 10 120 persist-key persist-tun status /var/log/openvpn-status.log verb 6

   
   This will configure OpenVPN to listen on port 1194, and use private IP subnet 10.8.0.0/24
   
   

8. Enable packet forwarding
   This step is optional and is only needed if you would like to configure your OpenVPN server to act as a VPN gateway for a LAN. See also https://openvpn.net/faq/what-is-and-how-do-i-enable-ip-forwarding-on-linux/
   Edit /etc/sysctl.conf and uncomment the following line (remove the '#' at the beginning) to enable IP forwarding:

   net.ipv4.ip_forward=1

   
   Then save the file and reload sysctl:

   # sysctl -p /etc/sysctl.conf

   
   

9. Run the OpenVPN server
   To check for any fatal errors preventing the server to start, you can try run the server in the foreground like this:

   # openvpn /etc/openvpn/server.conf

   
   If the service starts and prints several lines finished by "Initialization Sequence Completed", then the try run was successful. You can stop the try run with CTRL+C.
   
   Now you can start the OpenVPN server:

   # sudo systemctl start openvpn@server

   
   Next, check if OpenVPN created a tun0 interface. You should see something like this:

   # ip addr show dev tun0 9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100 link/none inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0 valid_lft forever preferred_lft forever inet6 fe80::8fc2:3403:fbac:1f35/64 scope link stable-privacy valid_lft forever preferred_lft forever

   
   

10. Configure OpenVPN to run at startup
    Running OpenVPN at system startup is optional but often preferred on server machines.
    Edit /etc/default/openvpn and add the following line, which instructs the system to start openvpn with configuration file /etc/openvpn/server.conf:

    AUTOSTART="server"

    
    Then reload systemctl and restart the OpenVPN service:

    # systemctl daemon-reload # systemctl restart openvpn.service

    
    

OpenVPN server on Windows

OpenVPN is available for free, see more details here: https://openvpn.net/ .

Versions used for this section:

• Windows 10, 64-bit
  
• Installation file: openvpn-install-2.4.9-I601-Win10.exe
  
  

1. Download and run the OpenVPN installer file
   At the time of this article the installation file could be found here: https://openvpn.net/community-downloads/
   1. Double click the installation file. You will see the installation wizard.
   2. Press Next until you reach the Choose Components section.
   3. Make sure EasyRSA is enabled (add a green tick):
      
      
      
      
   4. Follow the install wizard to finish the installation.
      
      
2. Initialize the PKI and create the Certificate Authority
   Navigate to the C:\Program Files\OpenVPN\easy-rsa folder on an elevated command prompt:
   1. Open the search box next to the Start menu
   2. Type "cmd"
   3. Right-click on Command Prompt and choose "Run as Administrator"
   4. Right-click the menu item "Command Prompt"
   5. On the pop up User Account Control window, Click "Yes"

   6. Navigate to the easy-rsa folder:

      cd "C:\Program Files\OpenVPN\easy-rsa"

      
      

   7. Initialize the OpenVPN configuration:

      init-config

      
      

      Only run init-config once, during installation.

      
      

      
      

   8. Open the vars.bat file in a text editor:

      notepad vars.bat

      
      

   9. Edit the following lines in vars.bat, replacing "US", "CA," etc. with your company's information:
      
      
   10. Save the file and exit notepad.
       
       

       
       

   11. Run the following commands:

       vars clean-all

       
       

       
       

   12. Build the certificate authority (CA) certificate and key. When prompted, enter your country, etc. These will have default values (from the vars file), which appear in brackets.

       build-ca

       
       Here is a detailed example showing how to run this command:

       C:\Program Files\OpenVPN\easy-rsa>build-ca Generating a RSA private key ........................................++++ .............................................................................................................................................................................................................................................................................................................................................................................................................................++++ writing new private key to 'keys\ca.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [BLN]: Locality Name (eg, city) [Berlin]: Organization Name (eg, company) [SnomTest]: Organizational Unit Name (eg, section) [changeme]:Test Common Name (eg, your name or your server's hostname) [192.168.137.142]: Name [changeme]:Test Email Address [mail@host.domain]:

       
       

3. Create the server certificate
   

   build-key-server server

   
   Here is a detailed example showing how to run this command:
   

   C:\Program Files\OpenVPN\easy-rsa>build-key-server server Ignoring -days; not generating a certificate Generating a RSA private key ............................................++++ ............++++ writing new private key to 'keys\server.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [BLN]: Locality Name (eg, city) [Berlin]: Organization Name (eg, company) [SnomTest]: Organizational Unit Name (eg, section) [changeme]:Test Common Name (eg, your name or your server's hostname) [192.168.137.142]: Name [changeme]:Test Email Address [mail@host.domain]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'BLN' localityName :PRINTABLE:'Berlin' organizationName :PRINTABLE:'SnomTest' organizationalUnitName:PRINTABLE:'Test' commonName :PRINTABLE:'192.168.137.142' name :PRINTABLE:'Test' emailAddress :IA5STRING:'mail@host.domain' Certificate is to be certified until Oct 18 12:29:34 2030 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

   
   

4. Create the Diffie Hellman parameter
   

   C:\Program Files\OpenVPN\easy-rsa>build-dh Generating DH parameters, 2048 bit long safe prime, generator 2 This is going to take a long time ..............................................................................+........ ++*++*++*++*

   
   

5. Create the phone certificate
   Every client/phone should have its own certificate. This means that you will have to repeat this step for each phone.
   It is necessary to give each certificate an individual name, e.g. the phone's MAC address, for our example we will use 000413A30591:

   build-key 000413A30591

   
   Here is a detailed example showing how to run this command:
   

   C:\Program Files\OpenVPN\easy-rsa>build-key 000413A30591 Ignoring -days; not generating a certificate Generating a RSA private key ...............................................................................++++ .............................................................................++++ writing new private key to 'keys\000413A30591.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [DE]: State or Province Name (full name) [BLN]: Locality Name (eg, city) [Berlin]: Organization Name (eg, company) [SnomTest]: Organizational Unit Name (eg, section) [changeme]:Test Common Name (eg, your name or your server's hostname) [192.168.137.142]:000413A30591 Name [changeme]:Phone000413A30591 Email Address [mail@host.domain]: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []: Using configuration from openssl-1.0.0.cnf Check that the request matches the signature Signature ok The Subject's Distinguished Name is as follows countryName :PRINTABLE:'DE' stateOrProvinceName :PRINTABLE:'BLN' localityName :PRINTABLE:'Berlin' organizationName :PRINTABLE:'SnomTest' organizationalUnitName:PRINTABLE:'Test' commonName :PRINTABLE:'000413A30591' name :PRINTABLE:'Phone000413A30591' emailAddress :IA5STRING:'mail@host.domain' Certificate is to be certified until Oct 18 13:00:29 2030 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated

   
   Now we will find our newly-generated keys and certificates in the C:\Program Files\OpenVPN\easy-rsa\keys folder. Here is an explanation of the relevant files:

   Filename	Purpose	Needed by
   ca.crt	Root CA certificate	server + all clients
   ca.key	Root CA private key	server only
   dh{n}.pem	Diffie Hellman parameters
   server.crt	Server Certificate
   server.key	Server private key
   000413A30591.crt	Certificate for phone 000413A30591	phone 000413A30591 only
   000413A30591.key	Private key for phone 000413A30591

   
   

   
   

6. Create the server configuration for OpenVPN

   1. Create file server.ovpn using command:

      notepad "C:\Program Files\OpenVPN\easy-rsa\keys\server.ovpn"

      
      

   2. When asked if you want to create a new file, click Yes.
      
      

   3. Enter the following configuration:

      port 1194 proto udp dev tun ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt" cert "C:\\Program Files\\OpenVPN\\config\\server.crt" key "C:\\Program Files\\OpenVPN\\config\\server.key" dh "C:\\Program Files\\OpenVPN\\config\\dh2048.pem" server 10.9.0.0 255.255.255.0 client-to-client keepalive 10 120 persist-key persist-tun verb 6

      
      

   4. Save the file and exit notepad.
      This will configure OpenVPN to listen on port 1194, and use private IP subnet 10.9.0.0/24
      
      

   5. Copy the configuration files from C:\Program Files\OpenVPN\easy-rsa\keys\ to C:\Program Files\OpenVPN\config\ on the server by typing the following in the command prompt:

      robocopy "C:\Program Files\OpenVPN\easy-rsa\keys\ " "C:\Program Files\OpenVPN\config\ " ca.crt dh2048.pem server.crt server.key server.ovpn

      
      

      NOTE: In the robocopy command above. the space at the end of the path in each string is important.

      
      

7. Run the OpenVPN server

   1. Run OpenVPN from: Start Menu -> OpenVPN -> OpenVPN GUI
      This will create a new icon in the system tray. Double click the icon to initiate the connection. The resulting dialog should show the status shortly and then close upon a successful start:
      
      
      
      

   2. Now if you open Network Connections (from Control Panel → Network and Internet → View Network Status and tasks → Change adapter settings), you should see a new connection of type TAP-Windows Adapter V9:
      
      
      
      

   3. If you right click this connection and then click Status → Details you should be able to see the configured IP address:
      
      
      
      

8. Running OpenVPN as a Service
   Running OpenVPN as a service will allow OpenVPN to be started automatically on system startup. This is often preferred on a server machine.

   1. Run the Windows Service administrative tool:

      1. Press Windows Key + R
      2. Type "services.msc" and press Enter.
   2. Find the OpenVPN service, and set its Startup Type to "Automatic". Press Apply.
   3. Optionally, start the service now.
      
      
9. Firewall Configuration
   If you have connection problems, make sure to set a rule on your server's firewall allowing incoming traffic on UDP port 1194. (Win+R "wf.msc")

Install and configure OpenVPN on the Snom phones

Install the VPN patch on the Snom phone

The VPN feature is not shipped with the default firmware due to security considerations. Snom provides the VPN feature in a small firmware patch which needs to be installed. This patch contains only the VPN feature and thus is very small in size.

To install the VPN feature patch follow one of the following procedures:

Manual Installation

1. Find out your currently installed firmware version. See this link for information on how to do this
2. Open the Firmware Update Center and click on your version
3. Scroll down to "VPN Feature Updates"
4. Copy the download link appropriate for your phone model
5. Open the phone web user interface and select "Software Update" from the left hand menu
6. Paste the link in the "Manual Software Update" field and click "Load"
   
   

The phone will reboot and install the patch. Afterwards you will be able to use the VPN feature

Automatic installation via SRAPS

It is also possible to install the VPN patch automatically via SRAPS, as part of the provisioning or even prior to the settings being fetched by the phone. See details here.

How to tell if the VPN patch installation was successful

If the VPN installation was successful, the VPN feature will be available. Here is now you can check that the VPN feature is available:

1. The VPN option is now visible in the Phone's Web Interface under Advanced → QOS/Security. If the VPN patch installation was successful, you should see here the VPN setting (it will be set to off at first because the VPN feature was installed, but it is not yet enabled)
   
   
   
2. The VPN line is now added to the System Info screen in the Phone Menu. Open the "Settings" menu by pressing the phone button with the gear symbol, then navigate to "Information" and select "System Info".
   You should see the VPN line (it will show VPN off at first because the VPN feature was installed, but is not yet enabled)
   
   
   
   
3. After installing the VPN patch, the phone will add the X-snom-vpn: available HTTP header to the provisioning requests. Using this header you can distinguish between devices with VPN enabled and devices not supporting the VPN.

VPN feature patch for older versions

If your phone is running version 8.x, you can find the instructions for the VPN patch here .

Create the VPN configuration tarball for the phone on Linux

Create client/phone configuration file

1. The content of the configuration file is usually the same on all clients/phones. To avoid having to configure both files, client and server, in one directory, create a subfolder called client-config:

   # mkdir /etc/openvpn/client-config

   
   

2. The configuration file for the phone must be called vpn.cnf:

   # touch /etc/openvpn/client-config/vpn.cnf

   
   

3. Edit this file with your favorite editor:

   # vim /etc/openvpn/client-config/vpn.cnf

   
   

4. Paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:

   client dev tun proto udp remote <Server-IP/-name> 1194 resolv-retry infinite nobind persist-key persist-tun ca /openvpn/ca.crt cert /openvpn/client.crt key /openvpn/client.key remote-cert-tls server ping 10 ping-restart 60

   
   

ncp-ciphers "BF-CBC"

Put together the configuration files for the phone

For this example we are using the same MAC we used to create the client certificate.

1. Create a temporary directory to hold the needed files:

   # mkdir /etc/openvpn/client-config/tmp

   
   

2. Put together the files in a tarball:

   # cp /etc/openvpn/client-config/vpn.cnf /etc/openvpn/client-config/tmp/ #the configuration file # cp /etc/openvpn/easy-rsa/keys/000413A30591.crt /etc/openvpn/client-config/tmp/client.crt #the client certificate # cp /etc/openvpn/easy-rsa/keys/000413A30591.key /etc/openvpn/client-config/tmp/client.key #the client private key # cp /etc/openvpn/easy-rsa/keys/ca.crt /etc/openvpn/client-config/tmp/ca.crt #the CA # cd /etc/openvpn/client-config/tmp/ # chown -Rf root:root * # chmod -R 700 * # tar cvpf vpnclient-000413A30591.tar * #this command creates the actual tar file # rm client.* #remove the used certificate and private key as they are no longer needed in the tmp directory

   
   Now you should be able to find the tarball file vpnclient-000413A30591.tar inside the /etc/openvpn/client-config/tmp/ directory. We will use this file in the next step when providing it to the phone.

Create the VPN configuration tarball for the phone on Windows

Create client/phone configuration file

1. In the Command Prompt, create file vpn.cnf by running:

   notepad C:\Program Files\OpenVPN\easy-rsa\keys\vpn.cnf

   
   

2. When asked if you want to create a new file, click Yes. Copy and paste the following content into the file, but remember to set the value for remote to your server's IP or FQDN by replacing <Server-IP/-name> below:

   client dev tun proto udp remote <Server-IP/-name> 1194 resolv-retry infinite nobind persist-key persist-tun ca /openvpn/ca.crt cert /openvpn/client.crt key /openvpn/client.key remote-cert-tls server ping 10 ping-restart 60

   
   

   The phone configuration requires some naming that is mandatory and should not be changed: All file paths in your config file must be set to /openvpn/filename The configuration file must be named vpn.cnf In older firmware versions (8.x), the ping and ping-restart options might cause issues. If your VPN connection is failing in older versions, remove these options and try again.

   
   

3. Save the file vpn.cnf

Put together the configuration files for the phone

1. Navigate in File Explorer to C:\Program Files\OpenVPN\easy-rsa\keys\. Inside this folder, create a new folder called 000413A30591
2. Copy the following files from C:\Program Files\OpenVPN\easy-rsa\keys\ into the 000413A30591 folder:
   
   • ca.crt
   • 000413A30591.crt
   • 000413A30591.key
   • vpn.cnf


3. Now your folder 000413A30591 should look like this:
   
   
   
   
4. Rename 000413A30591.crt to client.crt


5. Rename 000413A30591.key to client.key


6. Now your folder 000413A30591 should look like this:
   
   
   
   

7. In the command prompt, navigate to the new created directory by typing:

   cd C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591

   
   

8. Now create the tarball archive by typing:

   tar cvpf C:\vpnclient-000413A30591.tar *

   
   

9. You should see the following:

   C:\Program Files\OpenVPN\easy-rsa\keys\000413A30591>tar cvpf C:\vpnclient-000413A30591.tar * a client.crt a client.key a ca.crt a vpn.cnf

   
   

10. Now you should be able to find the tarball file vpnclient-000413A30591.tar under C:\ . We will use this file in the next step when providing it to the phone.

Structure reference for the configuration tarball

When creating the tar archive for Snom phones, it is very important to keep the file structure and naming as in the above examples.

Below is the content of the tar file created in this example, vpnclient-000413A30591.tar. Note that there are no subdirectories, the files must be placed in the root of the tarball:

• ca.crt

• client.crt

• client.key

• vpn.cnf

You can download this example file here: vpnclient-000413A30591.tar 

Put the VPN configuration tarball on an HTTP server

This section also includes the download and set up of a minimal HTTP server using the SPLiT application. If you already have an HTTP server, you can just upload the tar file created in the previous section to your existing HTTP server and skip this section.

Setup an HTTP server on Windows

1. Download the SPLiT executable file (for this example we used SPLiT-1.1.3_w32.exe)
2. Create directory SPLiT in a location of your choice, for example C:\SPLiT
3. Move SPLiT-1.1.3_w32.exe into the SPLiT directory
4. Create a new directory called http inside the SPLiT directory
5. Move the tar file created in the previous section from C:\ to the http directory
6. Go back to the SPLiT directory
7. Run the SPLiT executable SPLiT-1.1.3_w32.exe as Administrator
8. Once the software has started you should see a user interface window:
   • Click on the Debug check box
   • Insert your computer IP address into the IP Address field
   • Verify that the HTTP Directory fields contains the http value
   • Click on the Start HTTP Server button
     
     
     
9. Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar .
   This should present you with the option to download the tarball file.

Setup an HTTP server on Linux

1. Open a terminal

2. Install python if it is not already installed

   # apt-get install python

   
   

3. Get and start SPLiT:

   # mkdir /usr/local/SPLiT # cd /usr/local/SPLiT # wget https://github.com/pbertera/SPLiT/archive/1.1.3.tar.gz # tar -xvzf 1.1.3.tar.gz # cd SPLiT-1.1.3/ # mkdir http # sudo python SPLiT.py -i <Server-IP/-name> --http #replace <Server-IP/-name> with your server's IP/Hostname

   
   

4. Now that the HTTP server is running, place the tar file created on previous version in the http directory inside the SPLiT directory:

   # cp /etc/openvpn/client-config/tmp/vpnclient-000413A30591.tar /usr/local/SPLiT/SPLiT-1.1.3/http

   
   

5. Next, check that the link to the tarball file works correctly by opening a browser and accessing http://<Server-IP/name>/vpnclient-000413A30591.tar .
   This should present you with the option to download the tarball file.

Apply the VPN configuration to the Snom phone

1. Make sure the phone's date and time is correct in order to be able to validate the certificates
2. Under Advanced → QOS/Security, find the VPN Parameter:
   
   
   
3. Enable the VPN parameter by clicking on . The Unzipped VPN config tarball parameter will become available:
   
    
   
   
4. Enter the HTTP(S)-URL of the tarball file e.g. http://<Server-IP/name>/vpnclient-000413A30591.tar with the openVPN configuration:
   
   
   
5. Scroll down and click Apply
   
   
6. In case the phone presents you with Some settings are not yet stored permanently , click Save . If this text does not appear you can ignore this step.
   
   
7. Click Reboot
   
   
8. After the reboot, the phone will show a notification VPN is active and display the VPN icon on the phone taskbar.
   
   Here is an example:
   
   
   
9. Pressing the Info key will show:
   
   
   
10. After you have pressed the Info key and seen the Status Info, the "VPN is active" notification will disappear

Changing the VPN configuration tarball at a later time

The Unzipped VPN config tarball parameter is designed to be provisioned only once: every time this parameter is configured the phone downloads the tarball and then the setting gets emptied.
If you wish to change the phone's VPN configuration you have to configure the tarball URL again in order to make the phone download and apply the new configuration.
It is not necessary to give the tarball a new name, you can use the original name.

Adding another phone to the VPN at a later time

If you wish to set up a new phone in the VPN at a later time, you can use the following steps:

1. open command prompt and then run vars
   on Linux by using commands:
   

   cd /etc/openvpn/easy-rsa . ./vars

   
   on Windows by using commands:
   

   cd "C:\Program Files\OpenVPN\easy-rsa" vars

   


2. repeat step Create the phone certificate
3. repeat step Create the VPN configuration tarball for the phone (you can skip the part where you create vpn.cnf because this was already created and it is usually the same for all clients)
   
4. repeat step Put the VPN configuration tarball on an HTTP server

5. repeat step Apply the VPN configuration to the Snom phone

Advanced examples

Additional authentication with a username/password

In some cases the VPN server requires a username and password, in addition to the certificate. Here is how to configure up a VPN username/password for the Snom phone:

1.  Add auth-user-pass to your vpn.cnf, like this (do not change the path):

   auth-user-pass /openvpn/pass.txt

   
   

2. Create file pass.txt with the following content, replacing the text username and password with your actual username and password.

   username password

   
   

3. When creating the configuration tarball (see step Create the VPN configuration tarball for the phone), also include file pass.txt to the tarball.
   Make sure that the file pass.txt is in the same path of the tarball as the other configuration files.

Troubleshooting

• Everything works as described, but the phone seems to reject my server certificate. What's wrong?

Make sure the phone has the right date and time. Try to configure an NTP server that the phone can reach on its native network (not via VPN). If the phone has a wrong date it might assume that all certificates are not valid (yet).

• How to view the OpenVPN logs

You can set the phone to send all VPN logs to a "Netcat Server". To do this:

1. 1. Install and run netcat on a host that is reachable to the phone:

      netcat -l -p 5000

      
      

   2. Set the IP address of this host under Advanced → Qos/security → Netcat Server:
      
      
      

   3. Once you apply this and reboot tht phone, you will see the phone's VPN logs on the host running netcat. If you have not added a custom verbosity level in vpn.cnf, you should see the following (for a successfull connection):

      
      

      Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019 Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10 Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194 Tue Oct 20 11:58:19 2020 UDP link local: (not bound) Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194 Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194 Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500 Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5 Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this Tue Oct 20 11:58:21 2020 Initialization Sequence Completed

      


• What is my IP in the VPN?

The phone does not show the IP address received over VPN in the web interface per default, but there are some other ways to view this:

Option 1: from the SIP logs

Set up a test identity on the phone, with Registrar set to an IP address inside the VPN network. It does not matter what IP address it is, it just needs to be routed inside the VPN network. Set only the Account and the Registrar for this identity:

 

Then click on SIP Trace, you will see some SIP messages. Look at the IP address from which these were sent:

Sent to Udp:10.8.0.1:5060 from Udp:10.8.0.6 :55786 at Oct 19 23:54:43.886 (717 bytes):
REGISTER sip:10.8.0.1 SIP/2.0
Via: SIP/2.0/UDP 10.8.0.6:55786;branch=z9hG4bK-2yig1rmxrpir;rport
From: <sip:100@10.8.0.1>;tag=r06il7bz6r
To: <sip:100@10.8.0.1>
.....

If your VPN network is routing packets correctly, you will see here the phone's IP address (in this example it is 10.8.0.6 )

Option 2: from the netcat logs

From the netcat logs (see above " How to view the OpenVPN logs "). If you have not added a custom verbose level in vpn.cnf, at the beginning of the connection, the netcat logs will also show the IP address that the phone receives.

Here is an example:

Tue Oct 20 11:58:19 2020 OpenVPN 2.4.7 arm-buildroot-linux-gnueabi [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] built on Jul 5 2019
Tue Oct 20 11:58:19 2020 library versions: OpenSSL 1.0.2s 28 May 2019, LZO 2.10
Tue Oct 20 11:58:19 2020 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 UDP link local: (not bound)
Tue Oct 20 11:58:19 2020 UDP link remote: [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:19 2020 [openvpntest.snom.de] Peer Connection Initiated with [AF_INET]192.168.137.102:1194
Tue Oct 20 11:58:21 2020 TUN/TAP device tun0 opened
Tue Oct 20 11:58:21 2020 /sbin/ip link set dev tun0 up mtu 1500
Tue Oct 20 11:58:21 2020 /sbin/ip addr add dev tun0 local 10.8.0.6 peer 10.8.0.5         <-------- this means that our local address in the VPN is 10.8.0.6
Tue Oct 20 11:58:21 2020 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Tue Oct 20 11:58:21 2020 Initialization Sequence Completed