[asterisk-users] OpenVPN + SIP configuration?
Gilles
codecomplete at free.fr
Thu Jan 13 07:24:11 CST 2011
On Tue, 11 Jan 2011 15:20:39 +0100, Gilles <codecomplete at free.fr>
wrote:
>By any chance, would someone have a working configuration so I can
>take a look?
Got it working :-) Thanks much guys for the help.
For those interested, here's how I did it. Note that the appliance
only has the openvpn server, so I used an Ubuntu workstation to create
the certificates + keys:
=================
1. Install OpenVPN on Asterisk server. On appliance, there's only a
single binary /bin/openvpn, and configuration files are in
/etc/openvpn/.
To be positive SIP/RTP packets go through the OpenVPN tunnel, make
sure the firewall in front of the OpenVPN/Asterisk server only has
OpenVPN port open (default: UDP 1194).
2. On client, from www.openvpn.net, download and install OpenVPN for
Windows, which includes Service + GUI
3. If using an appliance with just the openvpn binary, use a
workstation to install the OpenVPN package and create certificates +
keys: apt-get install openvpn
4. On workstation, copy programs to create keys and certificates:
mkdir /etc/openvpn/easy-rsa
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
5. Create the CA, and one pair of public/private keys for each host
(server, clients)
#Always use a unique Common Name
vi /etc/openvpn/easy-rsa/vars
#export variables
. ./vars
./clean-all
./build-ca
./build-dh
#keys for server
./build-key-server server
#keys for client
./build-key client1
6. Create configuration file for server /var/www/server.ovpn:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
#server will use this network number for OpenVPN tunnel, server = 10.8.0.1
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
#Uncomment if compiled with compression
#comp-lzo
persist-key
persist-tun
status openvpn-status.log
verb 3
7. Create configuration file for client /var/www/client1.ovpn:
dev tun
proto udp
remote <public IP to reach OpenVPN/Asterisk server> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
#comp-lzo
verb 3
8. Copy keys/certificates/config files to www so they can be downloaded by
server and client
cd /etc/openvpn/easy-rsa/keys
#server.ovpn and client1.ovpn were already created in /var/www (steps 6 and 7)
cp ca.crt dh1024.pem server.crt server.key client1.crt client1.key /var/www
#So web server can send files
chmod 644 /var/www/server.key
chmod 644 /var/www/client1.key
9. On server, download files:
Asterisk> cd /etc/openvpn
Asterisk> wget http://workstation/ca.crt
Asterisk> wget http://workstation/dh1024.pem
Asterisk> wget http://workstation/server.crt
Asterisk> wget http://workstation/server.key
Asterisk> chmod 600 server.key
Asterisk> wget http://workstation/server.ovpn
10. On client, download files:
cd c:\program files\openvpn\config
wget http://workstation/ca.crt
wget http://workstation/client1.crt
wget http://workstation/client1.key
wget http://workstation/client1.ovpn
Launch server:
Asterisk> /bin/openvpn /etc/openvpn/server.ovpn
Launch client:
Start OpenVPN Service
Start OpenVPN GUI with Admin rights: Right-click on OpenVPN GUI icon >
Connect
ping 10.8.0.1
If ping OK, configure SIP client to connect to Asterisk through the
server's private IP used by OpenVPN tunnel, eg. 10.8.0.1, and make a
call.
=================
HTH,
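
Added example, not part of the original post: steps 8 to 10 stage the private keys in a web root with mode 644 and fetch them over plain HTTP, so a check worth running once the tunnel is up is that the installed key is readable by its owner only and that no *.key files remain in the staging directory. The function names are hypothetical, and the config path and web root are passed as arguments (for the layout above, /etc/openvpn/server.ovpn and /var/www).

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Print the file named by the `key` directive of an OpenVPN config,
# resolved relative to the config's own directory.
ovpn_key_path() {
    conf=$1
    key=$(awk '$1 == "key" { print $2; exit }' "$conf")
    [ -n "$key" ] || return 1
    case $key in
        /*) printf '%s\n' "$key" ;;
        *)  printf '%s/%s\n' "$(dirname "$conf")" "$key" ;;
    esac
}

# Succeed only if the file has no group/other permission bits (600, 400).
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Count *.key files still sitting in the staging web root.
leftover_keys() {
    find "$1" -maxdepth 1 -type f -name '*.key' | wc -l | tr -d ' '
}

# Return 0 if clean, 1 on a finding, 2 if the key cannot be located.
audit_ovpn() {
    conf=$1; webroot=$2; rc=0
    keyfile=$(ovpn_key_path "$conf") || { echo "no key directive: $conf"; return 2; }
    [ -f "$keyfile" ] || { echo "missing: $keyfile"; return 2; }
    if ! key_is_private "$keyfile"; then
        echo "group/other can access: $keyfile"; rc=1
    fi
    n=$(leftover_keys "$webroot")
    if [ "$n" -gt 0 ]; then
        echo "$n private key(s) still in $webroot"; rc=1
    fi
    return $rc
}

# Usage: sh audit.sh /etc/openvpn/server.ovpn /var/www
if [ "$#" -eq 2 ]; then audit_ovpn "$1" "$2"; fi
```

A non-zero exit status means a key is still exposed: chmod 600 the installed key and delete the staged copies from the web root.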