Steve Totaro
2007-May-02 04:14 UTC
[asterisk-users] VPN between Asterisk server and phone client
> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of Biju
> Sent: Wednesday, May 02, 2007 5:38 AM
> To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> Subject: [asterisk-users] VPN between Asterisk server and phone client
>
> Hi,
>
> I wish to make a secure tunnel between the asterisk server and the
> softphone.
> I have seen the feature X-tunnel in x-lite.
>
> It will be a great help if somebody can guide me to configure a tunnel
> between the asterisk server and X-lite or any other phone.
>
> Regards,
>
> biju

A very simple and flexible answer is OpenVPN. Install OpenVPN on your Asterisk server with its own network (eg 10.8.0.x) and set up your PC to connect to the Asterisk server; the PC will also get a 10.8.0.x address. Configure your softphone to use the new network settings and all traffic will be secure over the VPN. OpenVPN has a little learning curve, but if you follow the examples you should be up and running in half a day.

Thanks,
Steve Totaro
http://www.asteriskhelpdesk.com
KB3OPB
Kai-Uwe Jensen
2007-May-02 12:24 UTC
[asterisk-users] VPN between Asterisk server and phone client
Concur with Steve: OpenVPN is your friend.

At one time, I used "VPN on Demand"-type functionality in my dial plan to trunk a certain subset of calls to a different * server via OpenVPN. This is what that dialplan looked like:

[trunkfreecallsviaoffsite]
exten => _X.,1,NoOp
exten => _X.,n,Playback(creating_vpn)
exten => _X.,n,System(/usr/local/bin/startvpn clientname ${CALLERID(name)})
exten => _X.,n,Wait(10)
exten => _X.,n,Playback(success_vpn)
exten => _X.,n,Dial(IAX2/vpnmaster/**${EXTEN},60,TW)
exten => _X.,n,Hangup
exten => h,1,System(/usr/local/bin/stopvpn clientname ${CALLERID(name)})
exten => h,n,Playback(stopping_vpn)

The startvpn and stopvpn scripts (which I've since managed to lose) would establish the VPN between this server and the "vpnmaster" server. The scripts would also keep track of the current users (${CALLERID(name)}) of the VPN trunk. As a side effect of user tracking, I'd know when the VPN was already established, so I didn't need to re-connect. Similarly, I'd only tear it down when no users were left.

As I mentioned, this does not address your direct need to create a VPN between an endpoint (softphone) and your server. My example simply illustrates the straightforward OpenVPN approach. You can install the OpenVPN GUI tools on your desktop/laptop and create the VPN manually when you need it.

BTW, I stopped using this technique when we added a second local server, so I didn't have to go across the WAN for offloading certain calls anymore.
Kai-Uwe Jensen
2007-May-02 17:12 UTC
[asterisk-users] VPN between Asterisk server and phone client
On 5/2/07, Salvatore Giudice <Salvatore.Giudice@voipsecuritytraining.com> wrote:
> If you run it on the fly, doesn't that mean that the Asterisk user will have
> permissions to configure VPNs? Nobody sees a problem with that? I'm thinking
> that if you knock over the Asterisk service and get shell execution rights
> as Asterisk, you could be able to start tunnels for things other than voice.
> It's like giving a hacker a great way to hide their activities from your IDS
> without having to bother to get root first to install an encrypted data
> pipe.

That's true, the asterisk user needs to be able to invoke the "start_vpn" script or program. That does not mean that the asterisk user will have to have superuser rights to configure VPNs. You could make the start_vpn program setuid to a user that has those rights (and in that case, you probably don't want start_vpn to be a script). Also, openvpn typically starts "predefined" VPNs. To define a new one, someone would have to have access to the file system.

When you say "knock over the Asterisk service and get shell execution rights", how would that happen, exactly? I can think of DoS attacks and other stuff, but am wondering how "knocking over Asterisk" will give someone shell execution rights?

As I said above, you would want to make the function to start a VPN connection as safe as possible. That would include NOT using scripts, and employing other verification methods.
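One way to build start_vpn as the non-script, setuid launcher Kai-Uwe describes (an added example, not the thread's lost scripts): the only input is a profile name, and only a profile an administrator already placed on disk can be started. The /etc/openvpn/clients directory, the name rules, the openvpn path and the single-argument calling convention are assumptions.

```c
/* start_vpn: setuid launcher that lets the unprivileged asterisk user bring up
 * only a predefined OpenVPN profile, never an arbitrary command. Assumed layout:
 * /etc/openvpn/clients/<name>.conf, root-owned; install root:asterisk, mode 4750. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define CONF_DIR "/etc/openvpn/clients"
#define OPENVPN  "/usr/sbin/openvpn"
#define MAX_NAME 32
/* Accept only short [A-Za-z0-9_-] names not starting with '-': no '/', '.' or
 * shell metacharacters, so a name can neither leave CONF_DIR nor look like an
 * option. Returns 1 if acceptable, 0 otherwise. */
int valid_client_name(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > MAX_NAME || name[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Derive the profile path from a validated name; -1 if rejected or truncated. */
int build_config_path(const char *name, char *out, size_t outlen)
{
    if (!valid_client_name(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s.conf", CONF_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char conf[256]; struct stat st;
    if (argc != 2 || build_config_path(argv[1], conf, sizeof conf) != 0) { fputs("usage: start_vpn <client-name>\n", stderr); return 2; }
    /* Only a profile an administrator placed on disk can be started. */
    if (stat(conf, &st) != 0 || !S_ISREG(st.st_mode)) { perror(conf); return 1; }
    if (setuid(geteuid()) != 0) { perror("setuid"); return 1; } /* real uid = owner */
    char *env[] = { NULL }; /* empty environment, fixed argv: caller controls only the name */
    execle(OPENVPN, "openvpn", "--daemon", "--config", conf, (char *)NULL, env);
    perror("exec openvpn");
    return 1;
}
```

The dialplan would then call System(/usr/local/bin/start_vpn sitename) and nothing the caller ID or extension contains can turn into options, paths or shell syntax.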