[asterisk-users] OpenVPN + SIP configuration?

Bruce B bruceb444 at gmail.com
Thu Jan 13 08:43:26 CST 2011


In sip_nat.conf you need to specify 10.8.0.1/24 as your localnet and also
make sure you have your externip set up as well. Else you will notice one-way
audio or cut-off after 30 seconds. Rest of your work is all good. For
security reasons the workstation that creates the keys is not connected to
any network (local or internet).

-Bruce

On Thu, Jan 13, 2011 at 8:24 AM, Gilles <codecomplete at free.fr> wrote:

> On Tue, 11 Jan 2011 15:20:39 +0100, Gilles <codecomplete at free.fr>
> wrote:
> >By any chance, would someone have a working configuration so I can
> >take a look?
>
> Got it working :-) Thanks much guys for the help.
>
> For those interested, here's how I did it. Note that the appliance
> only has the openvpn server, so I used an Ubuntu workstation to create
> the certificates + keys:
>
> =================
> 1. Install OpenVPN on Asterisk server. On appliance, there's only a
> single binary /bin/openvpn, and configuration files are in
> /etc/openvpn/.
>
> To be positive SIP/RTP packets go through the OpenVPN tunnel, make
> sure the firewall in front of the OpenVPN/Asterisk server only has
> OpenVPN port open (default: UDP 1194).
>
> 2. On client, from www.openvpn.net, download and install OpenVPN for
> Windows, which includes Service + GUI
>
> 3. If using an appliance with just the openvpn binary, use a
> workstation to install the OpenVPN package and create certificates +
> keys: apt-get install openvpn
>
> 4. On workstation, copy programs to create keys and certificates:
> mkdir /etc/openvpn/easy-rsa
> cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa
>
> 5. Create the CA, and one pair of public/private keys for each host
> (server, clients)
> #Always use a unique Common Name
> vi /etc/openvpn/easy-rsa/vars
> #export variables
> . ./vars
>
> ./clean-all
> ./build-ca
> ./build-dh
>
> #keys for server
> ./build-key-server server
>
> #keys for client
> ./build-key client1
>
> 6. Create configuration file for server /var/www/server.ovpn:
>
> port 1194
> proto udp
> dev tun
>
> ca ca.crt
> cert server.crt
> key server.key
> dh dh1024.pem
>
> #server will use this network number for OpenVPN tunnel, server = 10.8.0.1
> server 10.8.0.0 255.255.255.0
>
> ifconfig-pool-persist ipp.txt
>
> keepalive 10 120
>
> #Uncomment if compiled with compression
> #comp-lzo
>
> persist-key
> persist-tun
> status openvpn-status.log
> verb 3
>
> 7. Create configuration file for client /var/www/client1.ovpn:
>
> dev tun
> proto udp
> remote <public IP to reach OpenVPN/Asterisk server> 1194
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
>
> ca ca.crt
> cert client1.crt
> key client1.key
>
> #comp-lzo
> verb 3
>
> 8. Copy keys/certificates/config files to www so they can be downloaded by
> server and client
>
> cd /etc/openvpn/easy-rsa/keys
> cp ca.crt dh1024.pem server.crt server.key client1.crt client1.key server.ovpn client1.ovpn /var/www
> #So web server can send files
> chmod 644 /var/www/server.key
> chmod 644 /var/www/client1.key
>
> 9. On server, download files:
>
> Asterisk> cd /etc/openvpn
> Asterisk> wget http://workstation/ca.crt
> Asterisk> wget http://workstation/dh1024.pem
> Asterisk> wget http://workstation/server.crt
> Asterisk> wget http://workstation/server.key
> Asterisk> chmod 600 server.key
> Asterisk> wget http://workstation/server.ovpn
>
> 10. On client, download files:
>
> cd c:\program files\openvpn\config
> wget http://workstation/ca.crt
> wget http://workstation/client1.crt
> wget http://workstation/client1.key
> wget http://workstation/client1.ovpn
>
> Launch server:
> Asterisk> /bin/openvpn /etc/openvpn/server.ovpn
>
> Launch client:
> Start OpenVPN Service
> Start OpenVPN GUI with Admin rights: Right-click on OpenVPN GUI icon > Connect
> ping 10.8.0.1
>
> If ping OK, configure SIP client to connect to Asterisk through the
> server's private IP used by OpenVPN tunnel, eg. 10.8.0.1, and make a
> call.
> =================
>
> HTH,
>
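
An added example, not part of the original messages: a POSIX shell check that lists private key files still readable by group/other, or still sitting under the web root, after the transfer in steps 8 to 10. The function names, output labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit private keys after steps 8-10.

# audit_keys DIR WEBROOT
# Prints one finding per line; prints nothing when every *.key is private.
audit_keys() {
    find "$1" -type f -name '*.key' | sort | while IFS= read -r f; do
        # Characters 5-10 of the ls mode string are the group and other bits.
        go=$(ls -ld "$f" | cut -c5-10)
        if [ "$go" != "------" ]; then
            echo "LOOSE_PERMS $f"
        fi
        # A key under the web root can be fetched by any HTTP client.
        case "$f" in
            "$2"/*) echo "IN_WEBROOT $f" ;;
        esac
    done
}

# Constructed sample tree mirroring the thread: keys published in www with
# mode 644 (step 8), server.key installed with mode 600 (step 9).
demo_audit() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/www" "$t/etc/openvpn"
    for k in www/server.key www/client1.key etc/openvpn/server.key; do
        : > "$t/$k"
    done
    chmod 644 "$t/www/server.key" "$t/www/client1.key"
    chmod 600 "$t/etc/openvpn/server.key"
    (cd "$t" && audit_keys . ./www)
    rm -rf "$t"
}

demo_audit
```

On the workstation this would be run as `audit_keys / /var/www` once the server and client have fetched their files; an empty result means no key is left exposed.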