asterisk users - Jan 2011 - OpenVPN + SIP configuration?

Hello

I read a whole book on OpenVPN, but still can't figure how to
configure the server + client so that the the client connects and
sends SIP/RTP data through the tunnel.

To get started, I'd rather use a shared key instead of X509
(certificates + keys). The server is running on a uClinux appliance,
with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
hosts connecting through Ethernet in hotels or public wifi hotspots.

By any chance, would someone have a working configuration so I can
take a look?

Thank you.

On Tue, Jan 11, 2011 at 11:20 AM, Gilles <codecomplete at free.fr>
wrote:
> Hello
>
> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.
>
> By any chance, would someone have a working configuration so I can
> take a look?
>
> Thank you.

Lazy way would be to use http://www.zentyal.org/ and point and click
your way there...

* Number one issue with Microsoft Windows clients on OpenVPN is
getting the routing right.

~~~ Andrew "lathama" Latham lathama at gmail.com ~~~

Hi,

I have OpenVPN and Asterisk working nicely. However, I do use certificates.
Though, it shouldn't matter. Can you explain what doesn't work for you?
Is
the connection not established or is the Asterisk and it's client not
communicating?

-Bruce

On Tue, Jan 11, 2011 at 9:20 AM, Gilles <codecomplete at free.fr> wrote:
> Hello
>
> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.
>
> By any chance, would someone have a working configuration so I can
> take a look?
>
> Thank you.
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>               http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>   http://lists.digium.com/mailman/listinfo/asterisk-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.digium.com/pipermail/asterisk-users/attachments/20110111/f5d0951f/attachment.htm>

> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.
>
I use OpenVPN to pass both IAX2 trunking and SIP for a softphone on a 
laptop.  Works very well.

If the OpenVPN server is on a uClinux appliance, my first question is 
does the * server know how to route to the OpenVPN client address?  If 
the appliance is not the default gateway for the server,  a route to the 
OpenVPN client via the uClinux appliance address needs to be added.

Since the client is Windows, you do have to start the client (GUI) as 
'Administrator' otherwise the routing table does not get updated and the
client cannot route to the server network.

Dale

On 01/11/2011 02:20 PM, Gilles wrote:
> Hello
>
> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.
>
> By any chance, would someone have a working configuration so I can
> take a look?
I have had OpenVPN and Asterisk running together, with both Linux and 
Windows clients for about 2 years now. As the others have already 
pointed out - you really should sort out your OpenVPN setup first and 
basic connectivity first between client and server - before starting to 
wonder what is happening on the Asterisk side of things.

I'm not sure what book you read on OpenVPN - but if you read carefully 
and follow the step by step instructions on OpenVPN.net (under Community 
Edition) - you shouldn't have too much trouble getting a basic, 
certificates based connection working.

I am a subscriber to the openvpn users mailing list as well - and if you 
follow the steps and still get stuck - feel free to post there what 
you've done so far and what is not working - and I'm sure people will be
happy to point you in the right direction.

Incidently - I use QuteCom (qutecom.org) and X-lite on Windows, and 
Linphone, Twinkle and Ekiga on Linux as clients - if it helps.

Sebastian
>
> Thank you.
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>                 http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>     http://lists.digium.com/mailman/listinfo/asterisk-users
>

On Tue, 11 Jan 2011, Gilles wrote:
> Hello
>
> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.
Are you sure that your uClinux system can actually handle the load of the 
VPN encryption? If it doesn't have a hardware crypto chip then I'd be
very
wary of it.

And you might just want to make your own life easier - and not use the 
appliance for the VPN endpoint, but something else - e.g. Draytek 2820 (or 
a 2900 equivalent) and then the clients can use bog-standard Microsoft 
pptp. You might save yourself a whole load of grief that way.

Gordon

On Tue, 11 Jan 2011 15:20:39 +0100, Gilles <codecomplete at free.fr>
wrote:
>By any chance, would someone have a working configuration so I can
>take a look?
Got it working :-) Thanks much guys for the help.

For those interested, here's how I did it. Note that the appliance
only has the openvpn server, so I used a Ubuntu workstation to create
the certificates + keys:

================1. Install OpenVPN on Asterisk server. On appliance, there's
only a
single binary /bin/openvpn, and configuration files are in
/etc/openvpn/.

To be positive SIP/RTP packets go through the OpenVPN tunnel, make
sure the firewall in front of the OpenVPN/Asterisk server only has
OpenVPN port open (default: UDP 1194).

2. On client, from www.openvpn.net, download and install OpenVPN for
Windows, which includes Service + GUI

3. If using an appliance with just the openvpn binary, use a
workstation to install the OpenVPN package and create certificates +
keys: apt-get install openvpn

4. On workstation, copy programs to create keys and certificates:
mkdir /etc/openvpn/easy-rsa
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/*
/etc/openvpn/easy-rsa

5. Create the CA, and one pair of public/private keys for each host
(server, clients)
#Always use a unique Common Name
vi /etc/openvpn/easy-rsa/vars
#export variables
. ./vars

./clean-all
./build-ca
./build-dh

#keys for server
./build-key-server server

#keys for client
./build-key client1

6. Create configuration file for server /var/www/server.ovpn:

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

#server will use this network number for OpenVPN tunnel, server 10.8.0.1
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt

keepalive 10 120

#Uncomment if compiled with compression
#comp-lzo

persist-key
persist-tun
status openvpn-status.log
verb 3

7. Create configuration file for client /var/www/client1.ovpn:

dev tun
proto udp
remote <public IP to reach OpenVPN/Asterisk server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key

#comp-lzo
verb 3

8. Copy keys/certificates/config files to www so can be downloaded by
server and client

cd /etc/openvpn/easy-rsa/keys
cp ca.crt dh1024.pem server.crt server.key client1.crt client1.key
server.ovpn client1.ovpn /var/www
#So web server can send files
chmod 644 /var/www/server.key
chmod 644 /var/www/client1.key

9. On server, download files:

Asterisk> cd /etc/openvpn
Asterisk> wget http://workstation/ca.crt
Asterisk> wget http://workstation/dh1024.pem
Asterisk> wget http://workstation/server.crt
Asterisk> wget http://workstation/server.key
Asterisk> chmod 600 server.key
Asterisk> wget http://workstation/server.ovpn

10. On client, download files:

cd c:\program files\openvpn\config
wget http://workstation/ca.crt
wget http://workstation/client1.crt
wget http://workstation/client1.key
wget http://workstation/client.ovpn

Launch server:
Asterisk> /bin/openvpn /etc/openvpn/server.ovpn

Launch client:
Start OpenVPN Service
Start OpenVPN GUI with Admin rights: Right-click on OpenVPN GUI icon >
Connect
ping 10.8.0.1

If ping OK, configure SIP client to connect to Asterisk through the
server's private IP used by OpenVPN tunnel, eg. 10.8.0.1, and make a
call.
================
HTH,