In sip_nat.conf you need to specify <a href="http://10.8.0.1/24" target="_blank">10.8.0.1/24</a> as your localnet and also make sure you have your externip setup as well. Else you will notice one way audio or cut off after 30 seconds. Rest of your work is all good. For security reasons the workstation that creates the keys is not connected to any network (local or internet)<div>
<br></div><div>-Bruce<br><br><div class="gmail_quote">On Thu, Jan 13, 2011 at 8:24 AM, Gilles <span dir="ltr"><<a href="mailto:codecomplete@free.fr" target="_blank">codecomplete@free.fr</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, 11 Jan 2011 15:20:39 +0100, Gilles <<a href="mailto:codecomplete@free.fr" target="_blank">codecomplete@free.fr</a>><br>
wrote:<br>
<div>>By any chance, would someone have a working configuration so I can<br>
>take a look?<br>
<br>
</div>Got it working :-) Thanks much guys for the help.<br>
<br>
For those interested, here's how I did it. Note that the appliance<br>
only has the openvpn server, so I used a Ubuntu workstation to create<br>
the certificates + keys:<br>
<br>
=================<br>
1. Install OpenVPN on Asterisk server. On appliance, there's only a<br>
single binary /bin/openvpn, and configuration files are in<br>
/etc/openvpn/.<br>
<br>
To be positive SIP/RTP packets go through the OpenVPN tunnel, make<br>
sure the firewall in front of the OpenVPN/Asterisk server only has<br>
OpenVPN port open (default: UDP 1194).<br>
<br>
2. On client, from <a href="http://www.openvpn.net" target="_blank">www.openvpn.net</a>, download and install OpenVPN for<br>
Windows, which includes Service + GUI<br>
<br>
3. If using an appliance with just the openvpn binary, use a<br>
workstation to install the OpenVPN package and create certificates +<br>
keys: apt-get install openvpn<br>
<br>
4. On workstation, copy programs to create keys and certificates:<br>
mkdir /etc/openvpn/easy-rsa<br>
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/*<br>
/etc/openvpn/easy-rsa<br>
<br>
5. Create the CA, and one pair of public/private keys for each host<br>
(server, clients)<br>
#Always use a unique Common Name<br>
vi /etc/openvpn/easy-rsa/vars<br>
#export variables<br>
. ./vars<br>
<br>
./clean-all<br>
./build-ca<br>
./build-dh<br>
<br>
#keys for server<br>
./build-key-server server<br>
<br>
#keys for client<br>
./build-key client1<br>
<br>
6. Create configuration file for server /var/www/server.ovpn:<br>
<br>
port 1194<br>
proto udp<br>
dev tun<br>
<br>
ca ca.crt<br>
cert server.crt<br>
key server.key<br>
dh dh1024.pem<br>
<br>
#server will use this network number for OpenVPN tunnel, server =<br>
10.8.0.1<br>
server 10.8.0.0 255.255.255.0<br>
<br>
ifconfig-pool-persist ipp.txt<br>
<br>
keepalive 10 120<br>
<br>
#Uncomment if compiled with compression<br>
#comp-lzo<br>
<br>
persist-key<br>
persist-tun<br>
status openvpn-status.log<br>
verb 3<br>
<br>
7. Create configuration file for client /var/www/client1.ovpn:<br>
<br>
dev tun<br>
proto udp<br>
remote <public IP to reach OpenVPN/Asterisk server> 1194<br>
resolv-retry infinite<br>
nobind<br>
persist-key<br>
persist-tun<br>
<br>
ca ca.crt<br>
cert client1.crt<br>
key client1.key<br>
<br>
#comp-lzo<br>
verb 3<br>
<br>
8. Copy keys/certificates/config files to www so can be downloaded by<br>
server and client<br>
<br>
cd /etc/openvpn/easy-rsa/keys<br>
cp ca.crt dh1024.pem server.crt server.key client1.crt client1.key<br>
server.ovpn client1.ovpn /var/www<br>
#So web server can send files<br>
chmod 644 /var/www/server.key<br>
chmod 644 /var/www/client1.key<br>
<br>
9. On server, download files:<br>
<br>
Asterisk> cd /etc/openvpn<br>
Asterisk> wget <a href="http://workstation/ca.crt" target="_blank">http://workstation/ca.crt</a><br>
Asterisk> wget <a href="http://workstation/dh1024.pem" target="_blank">http://workstation/dh1024.pem</a><br>
Asterisk> wget <a href="http://workstation/server.crt" target="_blank">http://workstation/server.crt</a><br>
Asterisk> wget <a href="http://workstation/server.key" target="_blank">http://workstation/server.key</a><br>
Asterisk> chmod 600 server.key<br>
Asterisk> wget <a href="http://workstation/server.ovpn" target="_blank">http://workstation/server.ovpn</a><br>
<br>
10. On client, download files:<br>
<br>
cd c:\program files\openvpn\config<br>
wget <a href="http://workstation/ca.crt" target="_blank">http://workstation/ca.crt</a><br>
wget <a href="http://workstation/client1.crt" target="_blank">http://workstation/client1.crt</a><br>
wget <a href="http://workstation/client1.key" target="_blank">http://workstation/client1.key</a><br>
wget <a href="http://workstation/client.ovpn" target="_blank">http://workstation/client.ovpn</a><br>
<br>
Launch server:<br>
Asterisk> /bin/openvpn /etc/openvpn/server.ovpn<br>
<br>
Launch client:<br>
Start OpenVPN Service<br>
Start OpenVPN GUI with Admin rights: Right-click on OpenVPN GUI icon ><br>
Connect<br>
ping 10.8.0.1<br>
<br>
If ping OK, configure SIP client to connect to Asterisk through the<br>
server's private IP used by OpenVPN tunnel, eg. 10.8.0.1, and make a<br>
call.<br>
=================<br>
<br>
HTH,<br>
<div><div></div><div><br>
<br>
--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br>
</div></div></blockquote></div><br></div>