Htek IP Phone OpenVPN Guide

System: CentOS 7

openvpn: 2.4.10-1.el8

easy-rsa: 3.0.8-1.el8

 

Make sure to perform all of the following operations as root.

 

1 Installation and preparation

yum install -y epel-release
yum install -y openvpn
yum install -y easy-rsa
mkdir /etc/openvpn/easy-rsa
cp -R /usr/share/easy-rsa/3.0.8/* /etc/openvpn/easy-rsa/
cp -p /usr/share/doc/openvpn-2.4.10/sample/sample-config-files/server.conf /etc/openvpn/
cp /usr/share/doc/easy-rsa-3.0.8/vars.example /etc/openvpn/easy-rsa/vars

For now, the contents of the two directories are shown in the figure:

Modify the following lines in the vars file:

set_var EASYRSA "$PWD"
set_var EASYRSA_PKI "$EASYRSA/pki"
set_var EASYRSA_DN "cn_only"
set_var EASYRSA_REQ_COUNTRY "CN"
set_var EASYRSA_REQ_PROVINCE "SJ"
set_var EASYRSA_REQ_CITY "NJ"
set_var EASYRSA_REQ_ORG "HTEK"
set_var EASYRSA_REQ_EMAIL "support@htek.com"
set_var EASYRSA_REQ_OU "HTEK Support"
set_var EASYRSA_KEY_SIZE 2048
set_var EASYRSA_ALGO rsa
set_var EASYRSA_CA_EXPIRE 7000
set_var EASYRSA_CERT_EXPIRE 3650
set_var EASYRSA_NS_SUPPORT "no"
set_var EASYRSA_NS_COMMENT "Hanlong"
set_var EASYRSA_EXT_DIR "$EASYRSA/x509-types"
set_var EASYRSA_DIGEST "sha256"

Next, we will start to create the OpenVPN server.

2 Generate certificate files

2.1 Initialize the PKI

[root@localhost openvpn]# cd /etc/openvpn/easy-rsa/
[root@localhost easy-rsa]# ./easyrsa init-pki

You will get the below notice

2.2 Generate a CA certificate

You will be prompted for a new CA key passphrase. Remember it; you will need it later whenever you sign a certificate.

2.3 Generate a server certificate

2.4 Sign the server certificate

When signing the server certificate, you must enter the CA passphrase you set in 2.2.

2.5 Generate Diffie-Hellman key

2.6 Generate a client certificate

2.7 Sign the client certificate

As with the server certificate, you need the CA passphrase to sign the client certificate.

3 Configure the server

3.1 Configure IP route and firewall rules

Add the below line to this file

After editing the file, you can run the following command to make the changes take effect right away.

Now start the firewall service and add rules for the OpenVPN service

Check the status of the firewall

Add rules for the firewall and then reload it.

Check the status of the firewall again

3.2 server.conf
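The guide does not reproduce its server.conf, so the following is an added example of a minimal, hardened one for OpenVPN 2.4; it is not the guide's own file. The certificate paths assume the PKI stayed under /etc/openvpn/easy-rsa/pki as set by EASYRSA_PKI in vars (easy-rsa 3 writes issued certificates to pki/issued/ and keys to pki/private/). The 10.8.0.0/24 pool, the log locations, and the choice of AES-256-CBC with SHA256 (chosen as the broadest match for older phone firmware; use AES-256-GCM if your phones support it) are assumptions. The commented lines show where the password-authentication directives of section 5 and the certificate-less variant of 5.7 would go, using OpenVPN's standard directive names; the guide's own three lines are not reproduced on this page.

```conf
# Added example server.conf for OpenVPN 2.4 (not the guide's file).
port 1194
proto udp
dev tun

# PKI material produced by easy-rsa in section 2
# (paths assume EASYRSA_PKI=/etc/openvpn/easy-rsa/pki as set in vars).
ca   /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/server.crt
key  /etc/openvpn/easy-rsa/pki/private/server.key
dh   /etc/openvpn/easy-rsa/pki/dh.pem

# Address pool handed out to the phones (assumed).
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /etc/openvpn/ipp.txt
keepalive 10 120

# Accept only peers whose certificate was issued as a *client* by this CA
# (easy-rsa's "client" type sets the clientAuth extendedKeyUsage), so a
# copied server certificate cannot be used to impersonate a phone.
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256

# Revocation for a lost or retired phone: run
#   ./easyrsa revoke <client-name> && ./easyrsa gen-crl
# then enable the CRL so that certificate stops working immediately.
# crl-verify /etc/openvpn/easy-rsa/pki/crl.pem

# Section 5 (username/password in addition to the certificate):
# script-security 3
# auth-user-pass-verify /etc/openvpn/checkpsw.sh via-file
# Section 5.7 (password only, no client certificate check):
# verify-client-cert none

# Drop privileges once the tunnel is up; keep the key and tun device so
# the daemon can restart on SIGUSR1 without them.
user nobody
group nobody
persist-key
persist-tun

status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
explicit-exit-notify 1
```

If you later add tls-auth or tls-crypt for extra protection of the TLS handshake, remember that the phone then needs the shared ta.key as well, so it has to be added to the tar bundle of section 4.2.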

3.3 Start openvpn@server.service

You can check the status by below command:

 

4 Using openvpn on the Htek phone

4.1 Create client.ovpn

Add the below lines to this file:

Note

If the DSP info of your phone contains neither M nor D, change the file paths to /hlcfg/vpn/..., for example /hlcfg/vpn/client.crt.

(no M or D: the path should be /hlcfg/vpn/client.crt)

(has M: the path should be /hlfs/vpn/client.crt)

4.2 Creating the tar file for the phone (client)

The phone, as an OpenVPN client, needs at least ca.crt, client.crt, client.key and client.ovpn, and these files must be packaged as a tar archive.

Now the files in /etc/openvpn/client should be:

You now have the openvpn.tar file. Save it somewhere you can reach from the computer you use to import it into the phone.

4.3 Import tar file into Htek phone

Import openvpn.tar file into the phone.

Choose Yes and then click the SaveSet button on the bottom of the webpage, the phone will reboot to apply the new configuration.

Once the phone has booted, you can check the VPN address.

LCD GUI: Menu -> Status -> Network -> 5.VPN

4.4 Download VPN configuration file

Click the "Download" button to download the OpenVPN configuration file that the phone is currently using.

 

5 Optional: Authenticate with username/password

If you want to verify the client with a username and password in addition to the certificate, proceed as follows.

5.1 Prepare a script to check username/password

The content is:

When you have done this, exit the editor and make the script executable with

5.2 Create username/password record file

In the file - checkpsw.sh - we have defined a PASSFILE, that is used to store username and password pairs.

In this file, record one username and password pair per line, like the following:

5.3 Modify server.conf

Add these three lines:

So the server.conf now looks like this:

5.4 Modify the client.conf

Add this line to the client.conf

And now the whole file is like this:

5.5 Create a username/password file for client

Type in the username and password, like

Unlike the record file on the server (auth_file in this example), the auth file used by the client stores the username and password on two lines: the first line is the username, the second line is the password.

After that, add the username and password into the record file /etc/openvpn/auth_file, such as:

5.6 Creating the tar file for the phone (client)

In the previous steps, we have prepared some files for the phone.

Now there is a new file, so in /etc/openvpn/client :

Now, put the new openvpn.tar file into a folder and import it into the phone.
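As an added, self-contained example (not the guide's checkpsw.sh, whose content this page does not reproduce), the script below does the three things sections 5.1 to 5.6 describe: it checks a via-file login against the one-pair-per-line record file, writes the two-line credential file the phone needs, and packs the bundle, refusing to pack a client.ovpn that references a credential file missing from the bundle. It assumes the record file is /etc/openvpn/auth_file as in the guide, with fields separated by a space, and lets PASSFILE override that path so the script can be exercised in a scratch directory. It also assumes the server references it with auth-user-pass-verify /etc/openvpn/checkpsw.sh via-file and script-security 3, which are OpenVPN's standard directives for this and not necessarily the exact three lines the guide's server.conf uses.

```shell
#!/bin/sh
# Added example (not the guide's checkpsw.sh). OpenVPN "via-file" mode:
# the daemon writes the client's username (line 1) and password (line 2)
# to a temporary file and runs this script with that path as $1.
# Exit 0 accepts the login; any other status rejects it.
#
# Assumed server.conf lines:
#   script-security 3
#   auth-user-pass-verify /etc/openvpn/checkpsw.sh via-file

# Record file: one "username password" pair per line, "#" starts a comment.
# Keep it root-only (chmod 600): the passwords are stored in clear text.
PASSFILE="${PASSFILE:-/etc/openvpn/auth_file}"

# check_auth <credentials-file>
check_auth() {
    creds="$1"
    if [ ! -r "$creds" ] || [ ! -r "$PASSFILE" ]; then
        echo "check_auth: credentials or record file unreadable" >&2
        return 1
    fi
    username=$(sed -n '1p' "$creds")
    password=$(sed -n '2p' "$creds")
    # An empty name, or one containing whitespace, can never match a record;
    # reject it before it reaches the lookup.
    case "$username" in
        ''|*[[:space:]]*) echo "check_auth: malformed username" >&2; return 1 ;;
    esac
    # Exact match on the first field only; the second field is the password,
    # so passwords in this file format cannot contain spaces.
    stored=$(awk -v u="$username" '!/^#/ && $1 == u { print $2; exit }' "$PASSFILE")
    if [ -n "$stored" ] && [ "$password" = "$stored" ]; then
        echo "check_auth: accepted $username" >&2
        return 0
    fi
    echo "check_auth: rejected $username" >&2
    return 1
}

# write_client_auth <file> <username> <password>
# The phone's auth.txt: username on line 1, password on line 2. This is the
# same layout OpenVPN hands to check_auth, and differs from the server's
# one-pair-per-line record file.
write_client_auth() {
    printf '%s\n%s\n' "$2" "$3" > "$1"
    chmod 600 "$1"
}

# pack_phone_bundle <dir> <openvpn.tar>
# Requires ca.crt, client.crt, client.key and client.ovpn in <dir>. If
# client.ovpn names a credential file with auth-user-pass, that file (by
# basename) must be present too; otherwise the phone would import a
# profile that can never log in.
pack_phone_bundle() {
    dir="$1"; out="$2"
    files="ca.crt client.crt client.key client.ovpn"
    for f in $files; do
        [ -f "$dir/$f" ] || { echo "pack_phone_bundle: missing $dir/$f" >&2; return 1; }
    done
    authpath=$(awk '$1 == "auth-user-pass" && NF == 2 { print $2; exit }' "$dir/client.ovpn")
    if [ -n "$authpath" ]; then
        authfile=$(basename "$authpath")
        [ -f "$dir/$authfile" ] || { echo "pack_phone_bundle: client.ovpn needs $authfile" >&2; return 1; }
        files="$files $authfile"
    fi
    tar -cf "$out" -C "$dir" $files
}

# Entry point used by OpenVPN: exactly one argument, the credentials file.
if [ $# -eq 1 ] && [ -f "$1" ]; then
    check_auth "$1"
    exit $?
fi
```

Install it as /etc/openvpn/checkpsw.sh, owned by root with mode 700, and keep /etc/openvpn/auth_file at mode 600: both the record file and the phone's auth.txt hold passwords in clear text, so anyone who can read them can log in as that phone.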

5.7 If you do not want to verify the client certificate

In the server.conf, add this line

So the whole server.conf will be

In the client.conf, comment out these two lines

So the whole client.conf will be

 

6 Optional: Use a single file - client.ovpn

For some purposes you may want to combine all the files into one. That is possible.

Let us continue with the example in section 4. We now have at least four files:

We can paste the contents of ca.crt, client.crt and client.key between the corresponding tags (<ca>, <cert> and <key>) in client.ovpn to merge them into one file.

Below is a complete example.

Now you can import this client.ovpn file into the phone directly; there is no need to pack the files into a .tar file.

 

Please note that if you also use password authentication, the credential file (e.g. auth.txt) cannot be embedded in client.ovpn, because OpenVPN has no inline form for it.

client.ovpn must still point to its path with the line auth-user-pass /hlfs/vpn/auth.txt, and you still need to pack client.ovpn and auth.txt together into a .tar file.
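The script below is an added example, not the guide's own code. It automates the merge of section 6 and, through its constructed base profile, also stands in for the client.ovpn that section 4.1 leaves out. It inlines ca.crt, client.crt and client.key into <ca>, <cert> and <key> blocks, keeps only the PEM part of each file (easy-rsa writes a human-readable text dump above the PEM in issued/*.crt, and that dump must not end up inside the tags), and reports whether the result still references a credential file and therefore still needs the tar bundle, which is the caveat stated just above. The remote host vpn.example.com, the cipher and auth lines, and the certificate bodies are constructed for the demo and are not real keys; the /hlfs/vpn/ paths follow the guide's note for phones whose DSP info contains M.

```shell
#!/bin/sh
# Added example (not from the guide): build a single-file client.ovpn from
# the four files of section 4, leaving auth-user-pass alone because OpenVPN
# has no inline form for the credential file.

# write_demo_inputs <dir>: constructed stand-ins for the phone's files.
# The certificate/key bodies are placeholders, NOT real PEM; generate the
# real ones with easy-rsa as in section 2. Remote host and crypto lines
# are assumptions for the demo.
write_demo_inputs() {
    d="$1"
    cat > "$d/client.ovpn" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
persist-key
persist-tun
remote-cert-tls server
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
ca /hlfs/vpn/ca.crt
cert /hlfs/vpn/client.crt
key /hlfs/vpn/client.key
auth-user-pass /hlfs/vpn/auth.txt
verb 3
EOF
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA-BODY' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    # easy-rsa's issued/*.crt starts with an "openssl x509 -text" dump.
    printf '%s\n' 'Certificate:' '    Data:' '        Version: 3 (0x2)' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT-BODY' \
        '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY-BODY' \
        '-----END PRIVATE KEY-----' > "$d/client.key"
}

# pem_only <file>: print just the PEM block(s), dropping any text dump.
pem_only() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# inline_ovpn <base.ovpn> <ca.crt> <client.crt> <client.key>
# Writes the merged profile to stdout: every directive except the three
# file-path directives ca/cert/key is kept verbatim, then the inline
# blocks are appended in the same order.
inline_ovpn() {
    base="$1"; ca="$2"; crt="$3"; key="$4"
    awk '$1 != "ca" && $1 != "cert" && $1 != "key"' "$base"
    for pair in "ca:$ca" "cert:$crt" "key:$key"; do
        tag=${pair%%:*}
        file=${pair#*:}
        printf '<%s>\n' "$tag"
        pem_only "$file"
        printf '</%s>\n' "$tag"
    done
}

# needs_tar <profile>: true (exit 0) when the profile still points at a
# credential file, so the phone needs a .tar holding that file rather
# than the bare .ovpn.
needs_tar() {
    awk '$1 == "auth-user-pass" && NF == 2 { found = 1 } END { exit !found }' "$1"
}

# Stand-alone demo: merge the constructed inputs and print the result.
work=$(mktemp -d)
write_demo_inputs "$work"
inline_ovpn "$work/client.ovpn" "$work/ca.crt" "$work/client.crt" "$work/client.key" \
    > "$work/client-inline.ovpn"
cat "$work/client-inline.ovpn"
if needs_tar "$work/client-inline.ovpn"; then
    echo "# still references auth.txt: pack the profile and auth.txt into openvpn.tar" >&2
fi
rm -rf "$work"
```

With the real files in place, run inline_ovpn client.ovpn ca.crt client.crt client.key > client-inline.ovpn and import the result. The merged profile contains the phone's private key in clear text, so treat it with the same care as client.key.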