Hello

I read a whole book on OpenVPN, but still can't figure how to configure the server + client so that the client connects and sends SIP/RTP data through the tunnel.

To get started, I'd rather use a shared key instead of X509 (certificates + keys). The server is running on a uClinux appliance, with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows hosts connecting through Ethernet in hotels or public wifi hotspots.

By any chance, would someone have a working configuration so I can take a look?

Thank you.

On Tue, Jan 11, 2011 at 11:20 AM, Gilles <codecomplete at free.fr> wrote:
> Hello
>
> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.
>
> By any chance, would someone have a working configuration so I can
> take a look?
>
> Thank you.

Lazy way would be to use http://www.zentyal.org/ and point and click your way there...

* Number one issue with Microsoft Windows clients on OpenVPN is getting the routing right.

~~~ Andrew "lathama" Latham lathama at gmail.com ~~~

Hi,

I have OpenVPN and Asterisk working nicely. However, I do use certificates. Though, it shouldn't matter. Can you explain what doesn't work for you? Is the connection not established or is the Asterisk and its client not communicating?

-Bruce

On Tue, Jan 11, 2011 at 9:20 AM, Gilles <codecomplete at free.fr> wrote:
> Hello
>
> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.
>
> By any chance, would someone have a working configuration so I can
> take a look?
>
> Thank you.

> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.
>

I use OpenVPN to pass both IAX2 trunking and SIP for a softphone on a laptop. Works very well.

If the OpenVPN server is on a uClinux appliance, my first question is does the * server know how to route to the OpenVPN client address? If the appliance is not the default gateway for the server, a route to the OpenVPN client via the uClinux appliance address needs to be added.

Since the client is Windows, you do have to start the client (GUI) as 'Administrator' otherwise the routing table does not get updated and the client cannot route to the server network.

Dale

On 01/11/2011 02:20 PM, Gilles wrote:
> Hello
>
> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.
>
> By any chance, would someone have a working configuration so I can
> take a look?

I have had OpenVPN and Asterisk running together, with both Linux and Windows clients for about 2 years now.

As the others have already pointed out - you really should sort out your OpenVPN setup first and basic connectivity first between client and server - before starting to wonder what is happening on the Asterisk side of things.

I'm not sure what book you read on OpenVPN - but if you read carefully and follow the step by step instructions on OpenVPN.net (under Community Edition) - you shouldn't have too much trouble getting a basic, certificates based connection working.

I am a subscriber to the openvpn users mailing list as well - and if you follow the steps and still get stuck - feel free to post there what you've done so far and what is not working - and I'm sure people will be happy to point you in the right direction.

Incidentally - I use QuteCom (qutecom.org) and X-lite on Windows, and Linphone, Twinkle and Ekiga on Linux as clients - if it helps.

Sebastian

>
> Thank you.

On Tue, 11 Jan 2011, Gilles wrote:
> Hello
>
> I read a whole book on OpenVPN, but still can't figure how to
> configure the server + client so that the client connects and
> sends SIP/RTP data through the tunnel.
>
> To get started, I'd rather use a shared key instead of X509
> (certificates + keys). The server is running on a uClinux appliance,
> with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows
> hosts connecting through Ethernet in hotels or public wifi hotspots.

Are you sure that your uClinux system can actually handle the load of the VPN encryption? If it doesn't have a hardware crypto chip then I'd be very wary of it.

And you might just want to make your own life easier - and not use the appliance for the VPN endpoint, but something else - e.g. Draytek 2820 (or a 2900 equivalent) and then the clients can use bog-standard Microsoft pptp.

You might save yourself a whole load of grief that way.

Gordon

On Tue, 11 Jan 2011 15:20:39 +0100, Gilles <codecomplete at free.fr> wrote:
>By any chance, would someone have a working configuration so I can
>take a look?

Got it working :-) Thanks much guys for the help.

For those interested, here's how I did it. Note that the appliance only has the openvpn server, so I used a Ubuntu workstation to create the certificates + keys:

================
1. Install OpenVPN on Asterisk server. On appliance, there's only a single binary /bin/openvpn, and configuration files are in /etc/openvpn/. To be positive SIP/RTP packets go through the OpenVPN tunnel, make sure the firewall in front of the OpenVPN/Asterisk server only has OpenVPN port open (default: UDP 1194).

2. On client, from www.openvpn.net, download and install OpenVPN for Windows, which includes Service + GUI

3. If using an appliance with just the openvpn binary, use a workstation to install the OpenVPN package and create certificates + keys:

apt-get install openvpn

4. On workstation, copy programs to create keys and certificates:

mkdir /etc/openvpn/easy-rsa
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa

5. Create the CA, and one pair of public/private keys for each host (server, clients)

#Always use a unique Common Name
vi /etc/openvpn/easy-rsa/vars
#the scripts below are run from the easy-rsa directory
cd /etc/openvpn/easy-rsa
#export variables
. ./vars
./clean-all
./build-ca
./build-dh
#keys for server
./build-key-server server
#keys for client
./build-key client1

6. Create configuration file for server /var/www/server.ovpn:

port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
#server will use this network number for OpenVPN tunnel, server 10.8.0.1
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
#Uncomment if compiled with compression
#comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3

7. Create configuration file for client /var/www/client1.ovpn:

dev tun
proto udp
remote <public IP to reach OpenVPN/Asterisk server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
#comp-lzo
verb 3

8. Copy keys/certificates/config files to www so can be downloaded by server and client

cd /etc/openvpn/easy-rsa/keys
#server.ovpn and client1.ovpn are already in /var/www (steps 6 and 7)
cp ca.crt dh1024.pem server.crt server.key client1.crt client1.key /var/www
#So web server can send files
chmod 644 /var/www/server.key
chmod 644 /var/www/client1.key

9. On server, download files:

Asterisk> cd /etc/openvpn
Asterisk> wget http://workstation/ca.crt
Asterisk> wget http://workstation/dh1024.pem
Asterisk> wget http://workstation/server.crt
Asterisk> wget http://workstation/server.key
Asterisk> chmod 600 server.key
Asterisk> wget http://workstation/server.ovpn

10. On client, download files:

cd c:\program files\openvpn\config
wget http://workstation/ca.crt
wget http://workstation/client1.crt
wget http://workstation/client1.key
wget http://workstation/client1.ovpn

Launch server:

Asterisk> /bin/openvpn /etc/openvpn/server.ovpn

Launch client:

Start OpenVPN Service
Start OpenVPN GUI with Admin rights: Right-click on OpenVPN GUI icon > Connect
ping 10.8.0.1

If ping OK, configure SIP client to connect to Asterisk through the server's private IP used by OpenVPN tunnel, eg. 10.8.0.1, and make a call.
================

HTH,
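
The following check is an added example, not part of the thread or of the OpenVPN project: a small POSIX shell lint for configs like the two in the post above, flagging a client that does not verify the server certificate type, a 1024-bit DH file, and a private key readable by group or other. The function names, finding names, placeholder address 192.0.2.10 and sample files are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example, not from the thread: lint an OpenVPN config for three gaps.
# The finding names printed below are made up for this script.

# has_opt FILE OPTION: succeeds if OPTION appears as an uncommented directive.
has_opt() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# audit_ovpn CONFIG: prints one finding per line, nothing if the config is clean.
audit_ovpn() {
    conf=$1
    dir=$(dirname "$conf")

    # Client config ("remote" present): without ns-cert-type (2.0.x) or
    # remote-cert-tls (2.1+), any certificate signed by the same CA, e.g.
    # another client's, is accepted as the server.
    if has_opt "$conf" remote; then
        has_opt "$conf" ns-cert-type || has_opt "$conf" remote-cert-tls ||
            echo "no-server-cert-check"
    fi

    # easy-rsa 2.0 writes dh<KEY_SIZE>.pem, so the file name shows the size.
    dh=$(awk '$1 == "dh" { print $2 }' "$conf")
    case "$dh" in *1024*) echo "dh-1024" ;; esac

    # The private key must not be readable by group or other (600 or 400).
    key=$(awk '$1 == "key" { print $2 }' "$conf")
    if [ -n "$key" ] && [ -f "$dir/$key" ]; then
        mode=$(ls -ld "$dir/$key" | cut -c5-10)   # group + other bits
        [ "$mode" = "------" ] || echo "key-perms"
    fi
    return 0
}

# Constructed sample: directives from the post's two configs, a placeholder
# server address (192.0.2.10) and a dummy key left at mode 644.
demo=$(mktemp -d)
printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'ca ca.crt' 'cert server.crt' \
    'key server.key' 'dh dh1024.pem' > "$demo/server.ovpn"
printf '%s\n' 'dev tun' 'proto udp' 'remote 192.0.2.10 1194' 'nobind' \
    'ca ca.crt' 'cert client1.crt' 'key client1.key' > "$demo/client1.ovpn"
echo 'dummy' > "$demo/server.key"
chmod 644 "$demo/server.key"
audit_ovpn "$demo/server.ovpn"
audit_ovpn "$demo/client1.ovpn"
```

Adding `ns-cert-type server` to the client config clears the first finding; it relies on the server certificate having been issued with `build-key-server`, as in step 5. The DH check reads only the file name, so a renamed file needs inspecting directly.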