VPN-less remote access - YeaLink

[IanC]

Hi all,

 

In the release notes for version Swyxware12:

In addition, the certified Yealink end devices, which have recently become part of the Swyx product portfolio, are optimally supported. For example, employees in the home office can be securely integrated into their company's communications environment without having to set up a Virtual Private Network (VPN). Yealink telephones can also be integrated into the corporate network via port authentication according to IEEE 802.1x. Swyx thus offers an authentication method for the highest security requirements.”

Anyone know how to set this up?  Neither the SWYX Admin Guide nor KB area has any info.

 

Many thanks.

 

[jodost]

As far as I know, you need to setup a session border controller that helps the device connecting from outside.

 

The only "new" thing compared to older versions is

 

- that Yealink uses SIP, where the unify devices use CorNet.IP (I do not know about any session border controller that can handle CorNet.IP)

 

- that with SwyxWare 12.1, they only use port 5060 (Yealink connected to SwyxWare 11.x also uses port 65012 for uaCSTA) that makes SBC configuration a bit easier.

 

But anyway, it is far away from "plug and play" or worth calling it a feature.

 

And, to be honest, I would really think about using inexpensive VPN components instead. If you configure your SBC to use port 5060 into the internet, your SwyxServer will be INVITEd into fraudulent calls within hours, so don't forget to configure security features like fail2ban, geo-IP-blacklists, .... If you want to change the port to somewhere else, this may collide with the AutoProvisioning of Swyx - once you change any account setting on the Yealink manually, the device will not longer accept account settings via AutoProvisioning any more. There are some ugly ways to force Swyx' AutoProvisioning to deploy your own settings, but they are ugly ways and nothing officially supported. So in both ways, you will get in trouble if you update the server to a newer version and Swyx has changed everything (like they did on 12.0->12.1) without giving any information to the partners.

 

If you keep all of this in mind, I does work. We use this on our HostedPBX VPNless-offer, but the work we spend to figure out all all problems, bugs, ... is nothing I want to do if you are just talking about one single PBX.

 

Hope this helps

[IanC]

Thanks a lot for the info.  We are indeed talking about a single PBX (with a standby).  At present our client's CEO has a UNIFY telephone at his home.  That connects over a site-to-site VPN.  Post-COVID, they anticipate more remote working so would like a dozen or so colleagues to have a similar set up (they already use SWYXIT).  Although we can preconfigure a VPN router for each home,  the challenge here is relying on these users to set up their WAN connections. 

 

When I noticed that section in the release notes,  I thought we may have a solution.  The client site doesn't currently use an SBC - the SWYX server sits in a DMZ with connections from SIP providers published (reverse-proxied) through the firewall.  

 

Not too concerned about auto-provisioning due to the small numbers, but looks complicated however we decide to tackle it.

[Varmenni]

Don't know if you are still looking for a solution, but here's one:

 

The Yealink phones support OpenVPN natively.  The best way I found is to set up a VPN server with PFSense (https://www.pfsense.org/)  There are a lot of good guides around on how to implement it.

[jodost]

sure they still support OpenVPN?

 

IIRC, the openVPN-support was removed by the product change from Yealink T4xG- to T4xS- series some years ago.

[Varmenni]

Just checked spec sheets on the current models in the T4 and T5 lines, and they state that the have OpenVPN support... 

[RaKin]

Am 15.12.2022 um 16:52 schrieb jodost:

sure they still support OpenVPN?

 

IIRC, the openVPN-support was removed by the product change from Yealink T4xG- to T4xS- series some years ago.

 

Yes I am sure. I still use it on various T48S and T57W.