VPN – James Batchelor
https://james-batchelor.com
Useful I.T & VoIP Ramblings

Yealink OpenVPN to Draytek Router
https://james-batchelor.com/index.php/2022/11/13/yealink-openvpn-to-draytek-router/
Sun, 13 Nov 2022 17:12:20 +0000

The firewalls in front of our PBXs are configured to only allow SIP traffic from UK IP addresses. This reduces the attack surface and is usually not an issue, as almost all legitimate traffic is from the UK.

As we expand there is a greater need for international connections. This is fine if they have a static WAN IP or FQDN, but the more recent requirements are for “home” users with phones on their residential connections, where dynamic IPs are the standard.

Changing the whitelisted IP every time their IP changes is not only tedious but gives poor service, and due to recent events (here and here) I’m not prepared to open access to another country for a single extension.

In my case, these international users are satellites of a UK based office, so the idea is to have the overseas phone route all voice traffic through the UK office, where it’s free to connect to the PBX…

For this setup, a Yealink T46S will connect to a Draytek 2927 via OpenVPN and crucially, route all traffic destined for the PBX via the VPN to get around the GeoIP block.

This guide should also be compatible with the Draytek 2865, and Yealink T4xS and T4xU series phones.

Notepad++ and 7zip are required.

Draytek Setup

Original Guide: https://www.draytek.com/support/knowledge-base/7462

First create a user for the Yealink: in the router GUI navigate to VPN and Remote Access >> Remote Dial-in User.

Click an Index number and make the following changes:

  • Enable this account: On
  • Allowed Dial-In Type: OpenVPN Tunnel: On
  • Username: Enter a username
  • Password: Enter a password

It should look like this:

Next, set up the Draytek to accept OpenVPN connections.

Navigate to VPN and Remote Access >> Remote Access Control and check that OpenVPN is enabled.

Then navigate to VPN and Remote Access >> OpenVPN >> OpenVPN Server Setup.

In the General Certificates section, select Router Generated Certificates, and then press generate.

After some time, the generated certificates appear in this section:

OpenVPN Setup

The Draytek has the ability to create an OpenVPN config file for clients. However, what the Draytek generates and what the Yealink requires are not compatible, so we’ll need to rework the file to get what we want.

Extracting Certificates

On the Draytek, navigate to Remote Access >> OpenVPN >> Client Config.

Leaving defaults in place, enter a filename and click the Export button to download the config file.

Open the file in Notepad++.

You’ll see the protocol config at the start of the file, followed by each of the certificates in the following order:

  1. CA
  2. Client
  3. Private Key

The Yealink requires each certificate in its own file, so they need to be extracted.

Copy the text from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- of the first certificate (including both marker lines) and paste it into a new Notepad++ file.

Save this file as ca.crt (remove the .txt file extension).

Repeat this for the second certificate, naming this one client.crt.

Now the private key: copy the text from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- to a new file and save it as client.key.

Config files

For the next file, you’ll need to put the Draytek VPN user details in a file to allow the Yealink to authenticate.

In a new text file, enter the username and password on separate lines as below:

Save the file as auth.txt.

You’ll now have the following files:

With the supporting files ready, it’s time to reference them together with the OpenVPN config file.

In a new text file, enter the following info:

client
dev tun
proto udp
remote nnn.nnn.nnn.nnn 1194                  # IP address of Draytek
auth sha256
cipher aes-256-cbc
resolv-retry infinite                        # Reconnect if dropped
nobind

ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

auth-user-pass /config/openvpn/keys/auth.txt

persist-key
persist-tun

route nnn.nnn.nnn.nnn 255.nnn.nnn.nnn nnn.nnn.nnn.nnn  # Static route:
                                                       # PBX IP
                                                       # IP Subnet
                                                       # Draytek LAN Gateway
verb 5

Save this as vpn.cnf.

Preparing Yealink File

Original Guide: https://support.yealink.com/forward2download?path=ZIjHOJbWuW/DFrGTLnGypjZRKhDplusSymbolXJQ4JaUSvKXmAoZw0rMev5uUPSPDoclfqojerLoiDU/Ol0NW5DZdXcWplusSymbolZDNbde0dvqwZjDVChAjsaqHDjPW14991UaBvXhQ10P6Rm4u3tO4pNBqXRzzyvj9PbA==

The OpenVPN configuration is uploaded to the Yealink via a specifically arranged tar file, so the directory structure needs to be prepared.

On your desktop, create a new folder (named anything you like) and within this folder create another named “keys”.

Move vpn.cnf to the upper folder, and move auth.txt, ca.crt, client.crt and client.key to the keys directory.

Open 7-Zip and navigate to the newly created folder:

Highlight vpn.cnf and keys, right click and choose 7-Zip >> add to archive.

Ensure the following is set:

  • Archive format: tar
  • Compression level: Store

Click OK to create the file. The tar file is created in the directory and is ready to be uploaded to the Yealink.
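The certificate extraction, auth.txt, vpn.cnf and tar steps above can be scripted. The POSIX shell script below is an added example, not part of the original post and not Draytek or Yealink tooling: it takes the Draytek export, pulls the first two CERTIFICATE blocks and the private key out by their BEGIN/END marker lines (it also accepts a PRIVATE KEY header without RSA, which is an assumption about other export formats), writes ca.crt, client.crt, client.key and auth.txt into keys/, generates vpn.cnf with the settings from the post and the /config/openvpn/keys/ paths the phone expects, and packs vpn.cnf and keys/ into an uncompressed tar, the equivalent of 7-Zip’s Store level. The function name, its arguments and all sample values (203.0.113.10 and so on) are placeholders. The private key and auth.txt hold the credentials in clear text, so they are made readable only by their owner.

```shell
#!/bin/sh
# Added example: build the Yealink OpenVPN tar from a Draytek-exported .ovpn file.
# Not from the original post; it mirrors the manual Notepad++/7-Zip steps.
set -eu

# Print the Nth PEM block whose BEGIN/END label matches the given regex.
# $1 = source file, $2 = label regex (e.g. CERTIFICATE), $3 = occurrence (1-based)
extract_pem() {
    awk -v label="$2" -v want="$3" '
        $0 ~ "^-----BEGIN " label "-----$" { n++; if (n == want) inside = 1 }
        inside { print }
        inside && $0 ~ "^-----END " label "-----$" { exit }
    ' "$1"
}

# $1 exported .ovpn, $2 username, $3 password, $4 Draytek WAN IP,
# $5 PBX IP, $6 route mask, $7 Draytek LAN gateway, $8 output directory
build_yealink_vpn_tar() {
    ovpn=$1 user=$2 pass=$3 draytek_wan=$4 pbx_ip=$5 pbx_mask=$6 lan_gw=$7 outdir=$8
    mkdir -p "$outdir/keys"

    # Normalise Windows line endings so the marker lines compare exactly.
    tr -d '\r' < "$ovpn" > "$outdir/.export.txt"
    extract_pem "$outdir/.export.txt" "CERTIFICATE" 1 > "$outdir/keys/ca.crt"
    extract_pem "$outdir/.export.txt" "CERTIFICATE" 2 > "$outdir/keys/client.crt"
    # The post's export uses "RSA PRIVATE KEY"; the optional RSA is an assumption.
    extract_pem "$outdir/.export.txt" "(RSA )?PRIVATE KEY" 1 > "$outdir/keys/client.key"
    rm -f "$outdir/.export.txt"

    # An empty file means the export did not contain the expected block: stop here.
    for f in ca.crt client.crt client.key; do
        [ -s "$outdir/keys/$f" ] || { echo "failed to extract $f from $ovpn" >&2; return 1; }
    done

    # Username on line 1, password on line 2, as auth-user-pass expects.
    printf '%s\n%s\n' "$user" "$pass" > "$outdir/keys/auth.txt"
    chmod 600 "$outdir/keys/client.key" "$outdir/keys/auth.txt"

    # vpn.cnf with the settings from the post; paths are where the phone unpacks the tar.
    cat > "$outdir/vpn.cnf" <<EOF
client
dev tun
proto udp
remote $draytek_wan 1194
auth sha256
cipher aes-256-cbc
resolv-retry infinite
nobind
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key
auth-user-pass /config/openvpn/keys/auth.txt
persist-key
persist-tun
route $pbx_ip $pbx_mask $lan_gw
verb 5
EOF

    # Uncompressed tar (7-Zip "Store"): vpn.cnf at the root, keys/ beside it.
    (cd "$outdir" && tar -cf yealink-openvpn.tar vpn.cnf keys)
    echo "$outdir/yealink-openvpn.tar"
}

# Command-line use: all eight arguments in the order documented above.
if [ "$#" -eq 8 ]; then
    build_yealink_vpn_tar "$@"
fi
```

Check the result with tar -tf before uploading: the listing should show vpn.cnf at the top level and keys/ca.crt, keys/client.crt, keys/client.key and keys/auth.txt below it, the same layout the manual 7-Zip step produces.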

Yealink Setup

On the phone, press the OK key to discover its IP address, then navigate to its web interface via a browser on your computer.

Login, then move to Network >> Advanced and scroll down to the VPN section.

Set Active to Enabled and set Mode to OpenVPN.

Click browse next to Upload VPN Config and choose the created tar file.

Click Upload. The page will refresh and Upload VPN Config is now populated with vpn.cnf.

Click Save at the bottom of the page.

OpenVPN will be set back to Disabled, scroll down and Enable it again, then click Save.

As there’s a network change pending, you’ll need to click apply at the warning message:

It’ll now connect to the VPN.

Note: If you are configuring a phone remotely, the web page will stop responding once traffic is passing through the VPN. To get back to the interface, check the Draytek for the VPN connection (VPN and Remote Access >> Connection Management) to discover its local IP:

The phone is now connected and routing traffic via the VPN.

NordVPN / Draytek 2862 LAN to LAN Not Connecting
https://james-batchelor.com/index.php/2021/06/06/nordvpn-draytek-2862-lan-to-lan-not-connecting/
Sun, 06 Jun 2021 15:49:44 +0000

I’ve been a NordVPN customer for about 6 months now, mainly due to its ongoing support of L2TP connections. However, recent changes to its service put my use of it with my Draytek 2862 in jeopardy. Luckily there is a fix, and it’s a story of updates…

Earlier this year I made the change from PIA to NordVPN due to a change of goalposts from PIA (more below), and since the change my VPN service has been impeccable, using a LAN to LAN connection via L2TP and routing traffic through the service for a separate VLAN.

However, a few weeks ago I noticed that the connection had dropped and stayed down, despite being set to always on.

During an hour-long web chat with NordVPN support (who were helpful and responsive) it was revealed that recent changes to the Nord service meant that only service account credentials were now permitted for authentication from 3rd party devices.

The Draytek and Nord setup guides (although the NordVPN guide referred to Draytek’s notes) both illustrated the account login credentials being used, and likewise this is what I was using. It was now apparent why the connection had dropped, and also why using the service credentials is a huge issue.

The NordVPN service account has a 25-character password which, according to Nord support, cannot be changed. The Draytek 2862 was only capable of storing passwords of up to 15 characters. This essentially stopped the service for my use in its tracks.

As a big relief, the latest 3.9.6.1 release firmware for the 2862 now allows 26-character passwords to be saved in the LAN to LAN profile. This is worth noting, as the detail is not in the release notes.

Firmware: 3.9.1 vs. 3.9.6.1

So, if you are in a similar predicament, upgrade your firmware to the latest.

PIA to NordVPN Story

As mentioned, prior to NordVPN I was using PIA in a similar setup, using the weaker PPTP as the connection protocol.

The change in providers was forced upon me late last year when PIA made upgrades to their infrastructure, as a result of which only the OpenVPN or WireGuard protocols were offered. This effectively ended support for a Draytek 2862, as it did not have these available for a dial-out LAN to LAN VPN.

Following some research, the move to NordVPN was made and it turned out to be a blessing in disguise.

My use of PIA came before the purchase of the 2862, so as part of my initial configuration PIA was added as a dial-out profile. In use, the Draytek suffered multiple reboots from the start, sometimes twice a day. A lengthy dialogue with Draytek support started (personal opinion: Draytek support are abysmal) in which many logs were sent, and in the end I had to prove its instability with SNMP graphs. Eventually I was sent a beta firmware to load onto the router.

This helped, but uptime was still limited to at most 7 days, either through unexpected reboot or to fix a new issue where the WiFi SSID would stop broadcasting.

Since the change to NordVPN, stability has been impeccable, and the change to L2TP as a protocol has brought a big improvement in speed: I’m now able to reach WAN speed (40Mbps on VDSL), whereas I was only getting a quarter of that with PIA.

Even though the removal of PIA brought a stability breakthrough, I was reluctant to upgrade the firmware for fear that the reboots would return. This was compounded by the lack of detail in the firmware release notes and the recent news that the 2862 was becoming end-of-life, leaving me skeptical that new firmware would bring anything other than security patches.

I’m happy to be proved wrong on this point. The lesson here is that new firmware can bring feature updates that, while not deemed worthy of the patch notes, could be critical for your operation.

If you are a NordVPN user with a Draytek 2862, upgrade to the latest firmware to regain functionality.

OSMC on Pi with PPTP VPN
https://james-batchelor.com/index.php/2016/02/04/osmc-on-pi-with-pptp-vpn/
Thu, 04 Feb 2016 17:17:24 +0000

The arrival of the Raspberry Pi 2 meant the B+ previously used as a server was now ready for a new purpose. These little machines make great media players and are easy to set up, so this would be its new role.

However, this Pi would be in my parents’ home, and miles away from where my videos are stored. I didn’t want to add a hard drive locally as syncing the library would be an issue. But thanks to the fibre internet connection on the server side I could upload at 10Mbps, enough to stream media across the net.

Therefore, the plan is to use an install of OSMC and add a VPN connection to my home server that starts when the Pi starts to make the operation seamless.

How To:

Start with a running Pi with OSMC on. Log in to the Pi via SSH using osmc for the username and password.

When logged in, run sudo apt-get update and sudo apt-get upgrade to ensure the latest software is installed, then install the PPTP client by running sudo apt-get install pptp-linux (the Debian package that provides the pptp command).

With the PPTP client installed, a connection file is needed; however, the folder it needs to be in requires elevated privileges to access, so type sudo bash to gain administrator control.

Then navigate to the folder with cd /etc/ppp/peers

Open a new text file using “nano connectname” where connectname is the name of the new file.

Enter the following connection settings:

pty "pptp REMOTESERVER --nolaunchpppd --debug"
name USERNAME
password PASSWORD
remotename PPTP
require-mppe-128
require-mschap-v2
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
noauth
debug
persist
maxfail 0
defaultroute
replacedefaultroute
usepeerdns

Where REMOTESERVER, USERNAME and PASSWORD are the address and credentials used to connect to the VPN.

Type Ctrl + O to save and Ctrl + X to exit the text editor.

The VPN connection can be tested by entering pon connectname; then either look on the server to see if a connection is established, or type ifconfig in the terminal and look for a ppp0 adaptor. If it fails, use poff connectname to disconnect, then edit the config file.

With a successful connection made, next up is to make the connection start with the Pi. Navigate to the home directory using cd /home/osmc

Create a script, by creating a text file with nano connect.sh

In the new file, enter the following:

#!/bin/bash
sudo pon connectname   # the peers file created in /etc/ppp/peers above

Ctrl + O to save and Ctrl + X to exit

Make the file an executable using chmod +x connect.sh

With the script created and executable, edit the start-up file that will run the script when the Pi boots. Open it using nano /etc/rc.local; as this is an existing file, the following screen should appear:

rc.local before

After the lines starting with # and before exit 0, add the following line:

(sleep 20; sudo /home/osmc/connect.sh) &

So the file looks like the following:

rc.local after

Ctrl + O to save, Ctrl + X to exit, and it is set up. The Pi will now connect to the VPN at boot; test by rebooting the Pi and monitoring the server to see if a connection is made.

Tweaking

During this setup an issue arose where the VPN connection was established, but upon any attempt to access files the connection would drop, and ifconfig on the Pi showed unfeasibly large amounts of transmitted data on the ppp0 adaptor.

To rectify this, a manual IP route is required to give the Pi a usable path to the remote network. This may also be needed if the remote network is on a different subnet to the local one.

Do this by entering route add -net 192.168.1.0 netmask 255.255.255.0 dev ppp0 at the command line, replacing 192.168.1.0 with the required remote subnet (keeping the final octet as 0). Test by pinging servers or machines on the remote network to see if they reply.
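As an added example that is not part of the original post, the peers file described under How To and the route from this Tweaking section can be generated by a small POSIX shell script instead of being typed by hand. It writes the peers file with the options listed above (minus the two debug switches) readable only by root, because the password sits in it in clear text, and installs a hook in /etc/ppp/ip-up.d/ that adds the route to the remote subnet each time pppd brings the link up, so the route survives reconnects without the manual route add. The hook uses pppd’s ipparam option to act only on this tunnel, and ip route replace in place of the older route command. The first argument is a destination root (/ on the Pi, a scratch directory for a dry run); the names homevpn, vpn.example.net, the credentials and 192.168.1.0/24 are placeholders.

```shell
#!/bin/sh
# Added example: generate a PPTP peers file and an ip-up.d route hook.
# Not from the original post. Run as root with "/" as the first argument to install for real.
set -eu

# $1 destination root, $2 connection name, $3 PPTP server, $4 username, $5 password
write_pptp_peer() {
    root=$1 name=$2 server=$3 user=$4 pass=$5
    mkdir -p "$root/etc/ppp/peers"
    peer="$root/etc/ppp/peers/$name"
    # The password is stored in clear text, so create the file with mode 600 from the start.
    ( umask 077 && cat > "$peer" ) <<EOF
pty "pptp $server --nolaunchpppd"
name $user
password $pass
remotename PPTP
ipparam $name
require-mppe-128
require-mschap-v2
refuse-eap
refuse-pap
refuse-chap
refuse-mschap
noauth
persist
maxfail 0
defaultroute
replacedefaultroute
usepeerdns
EOF
    echo "$peer"
}

# $1 destination root, $2 connection name, $3 remote subnet in CIDR form (e.g. 192.168.1.0/24)
write_route_hook() {
    root=$1 name=$2 subnet=$3
    mkdir -p "$root/etc/ppp/ip-up.d"
    # run-parts ignores names containing dots, so keep the filename to letters, digits and dashes.
    hook="$root/etc/ppp/ip-up.d/10-$name-route"
    cat > "$hook" <<EOF
#!/bin/sh
# Run by /etc/ppp/ip-up (via run-parts) when a ppp link comes up.
# Debian exports PPP_IFACE and PPP_IPPARAM; the positional arguments are the fallback.
iface="\${PPP_IFACE:-\$1}"
param="\${PPP_IPPARAM:-\$6}"
# Only act for the "$name" peer, which sets ipparam $name.
[ "\$param" = "$name" ] || exit 0
ip route replace $subnet dev "\$iface"
EOF
    chmod 755 "$hook"
    echo "$hook"
}

# Command-line use: root name server username password remote-subnet
if [ "$#" -eq 6 ]; then
    write_pptp_peer "$1" "$2" "$3" "$4" "$5"
    write_route_hook "$1" "$2" "$6"
fi
```

After installing with / as the root, pon homevpn brings the tunnel up and the hook adds the route for it; poff homevpn tears both down, since the route is bound to the ppp interface.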
