[asterisk-users] VPN between Asterisk server and phone client

Salvatore Giudice Salvatore.Giudice at VoIPSecurityTraining.com
Wed May 2 15:26:41 MST 2007


If you run it on the fly, doesn't that mean that the Asterisk user will have
permissions to configure VPNs? Nobody sees a problem with that? I'm thinking
that if you knock over the Asterisk service and get shell execution rights
as Asterisk, you could be able to start tunnels for things other than voice.
It's like giving a hacker a great way to hide their activities from your IDS
without having to bother to get root first to install an encrypted data
pipe.



--------------------------------------------------
Salvatore Giudice
Salvatore.Giudice at VoIPSecurityTraining.com

VoIP Security Training, LLC
http://VoIPSecurityTraining.com

848 N. Rainbow Blvd. #1676
Las Vegas, NV 89107
Phone: (617) 959-7625
Fax: (214) 279-2906


-----Original Message-----
From: asterisk-users-bounces at lists.digium.com
[mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Steve Totaro
Sent: Wednesday, May 02, 2007 4:58 PM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] VPN between Asterisk server and phone client

Kai-Uwe Jensen wrote:
> Concur with Steve: OpenVPN is your friend. At one time, I used "VPN on
> Demand"-type functionality in my dial plan to trunk a certain subset
> of calls to a different * server via OpenVPN. This is what that
> dialplan looked like:
>
> [trunkfreecallsviaoffsite]
> exten => _X.,1,NoOp
> exten => _X.,n,Playback(creating_vpn)
> exten => _X.,n,System(/usr/local/bin/startvpn clientname ${CALLERID(name)})
> exten => _X.,n,Wait(10)
> exten => _X.,n,Playback(success_vpn)
> exten => _X.,n,Dial(IAX2/vpnmaster/**${EXTEN},60,TW)
> exten => _X.,n,Hangup
>
> exten => h,1,System(/usr/local/bin/stopvpn clientname ${CALLERID(name)})
> exten => h,n,Playback(stopping_vpn)
>
> The startvpn and stopvpn scripts (which I've since managed to lose)
> would establish the VPN between this server and the "vpnmaster"
> server. The scripts would also keep track of current users
> (${CALLERID(name)}) of the VPN-trunk. As a side effect of user
> tracking, I'd know when the VPN was already established, so I didn't
> need to re-connect. Similarly, I'd only tear it down when no users
> were left.
>
> As I mentioned, this does not address your direct need to create a VPN
> between an endpoint (softphone) and your server. My example simply
> illustrates the straight-forward OpenVPN approach. You can install the
> OpenVPN GUI tools on your desktop/laptop and create the VPN manually
> when you need it.
>
> BTW, I stopped using this technique when we added a second local
> server, so I didn't have to go across the WAN for offloading certain
> calls anymore.
>
That is really a cool idea to add it on demand in the dialplan.  Was the 
wait(10) required to get the VPN up or could you set it to a lower 
number?  It seems OpenVPN connects pretty darn quickly.  Did you ever 
run into issues where wait(10) was not long enough?

Thanks,
Steve Totaro
www.asteriskhelpdesk.com

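An added example, not Kai-Uwe's lost scripts and not part of this thread: a reference-counted start/stop helper in POSIX sh for the dialplan quoted above, written so that the asterisk user only ever needs sudo for two fixed commands rather than the general ability to configure tunnels that Salvatore objects to. The script name vpn_on_demand.sh, the openvpn@<client> service unit, the state directory and the sudoers entry are all assumptions.

```shell
#!/bin/sh
# vpn_on_demand.sh (hypothetical): called from the dialplan as
#   System(/usr/local/bin/vpn_on_demand.sh start clientname ${CALLERID(name)})
#   System(/usr/local/bin/vpn_on_demand.sh stop  clientname ${CALLERID(name)})
# The tunnel is raised for the first active user and lowered only when the
# last one hangs up, so concurrent calls share one tunnel.
STATE_DIR="${VPN_STATE_DIR:-/var/lib/asterisk/vpn-on-demand}"   # assumed path

# Hooks that actually raise/lower the tunnel (assumes an openvpn@<client> unit).
# Give the asterisk user a sudoers rule for exactly these two command lines and
# nothing else: a compromised Asterisk then cannot define tunnels of its own.
tunnel_up()   { sudo -n /bin/systemctl start "openvpn@$1"; }
tunnel_down() { sudo -n /bin/systemctl stop  "openvpn@$1"; }

# Serialise updates to the user list; mkdir is atomic on POSIX filesystems.
lock()   { while ! mkdir "$STATE_DIR/$1.lock" 2>/dev/null; do sleep 1; done; }
unlock() { rmdir "$STATE_DIR/$1.lock"; }

# CALLERID(name) is caller-controlled: accept only a plain identifier before it
# becomes a file name. (System() already passed it through a shell, so the
# dialplan should also wrap it in FILTER() rather than rely on this alone.)
valid_id() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_-]{1,64}$'; }

vpn_users() {   # number of callers currently holding the tunnel $1 open
    if [ -f "$STATE_DIR/$1.users" ]; then wc -l < "$STATE_DIR/$1.users" | tr -d ' '
    else echo 0; fi
}

vpn_start() {   # $1 = tunnel/client name, $2 = caller
    valid_id "$1" && valid_id "$2" || return 1
    mkdir -p "$STATE_DIR"; lock "$1"
    if ! grep -Fqx "$2" "$STATE_DIR/$1.users" 2>/dev/null; then
        [ "$(vpn_users "$1")" -eq 0 ] && tunnel_up "$1"   # first user raises it
        echo "$2" >> "$STATE_DIR/$1.users"
    fi
    unlock "$1"
}

vpn_stop() {    # $1 = tunnel/client name, $2 = caller
    valid_id "$1" && valid_id "$2" || return 1
    lock "$1"; f="$STATE_DIR/$1.users"
    if [ -f "$f" ]; then
        grep -Fvx "$2" "$f" > "$f.tmp" || true; mv "$f.tmp" "$f"
        [ "$(vpn_users "$1")" -eq 0 ] && tunnel_down "$1"  # last user lowers it
    fi
    unlock "$1"
}

case "${1:-}" in
    start) vpn_start "$2" "$3" ;;
    stop)  vpn_stop  "$2" "$3" ;;
esac
```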