These are the instructions for an OpenVPN + SIP configuration, based on a brainstorming discussion on the Asterisk Users Mailing List.
The server is running on a uClinux appliance with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows hosts connecting through Ethernet in hotels or through public Wi-Fi hotspots.
1. Install OpenVPN on the Asterisk server. On the appliance there is only a single binary, /bin/openvpn, and the configuration files are in /etc/openvpn/.
To be sure SIP/RTP packets go through the OpenVPN tunnel, make sure the firewall in front of the OpenVPN/Asterisk server only has the OpenVPN port open (default: UDP 1194), so that SIP and RTP cannot reach the server outside the tunnel.
2. On the client, download and install OpenVPN for Windows from http://www.openvpn.net; it includes the Service + GUI.
3. If using an appliance with just the openvpn binary, use a workstation to install the OpenVPN package and create the certificates + keys: apt-get install openvpn
4. On the workstation, copy the programs used to create keys and certificates:
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* \
5. Create the CA, then one public/private key pair for each host (server, clients):
#Always use a unique Common Name
#keys for server
#keys for client
6. Create the configuration file for the server, /var/www/server.ovpn:
#server will use this network number for OpenVPN tunnel, server = 10.8.0.1
server 10.8.0.0 255.255.255.0
keepalive 10 120
#Uncomment if compiled with compression
7. Create the configuration file for the client, /var/www/client1.ovpn:
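The two configuration files from steps 6 and 7, written out by a POSIX shell function, as an added example that is not Gilles' original sample: it uses the file names and directives given above (ca.crt, dh1024.pem, server.crt/key, client1.crt/key, 10.8.0.0/24, keepalive 10 120, UDP 1194). The server's public address is a placeholder supplied by the caller, and the ns-cert-type line is an addition so the client only accepts a server certificate built with build-key-server.

```shell
#!/bin/sh
# Added example (not from the original post): writes the server.ovpn and
# client1.ovpn of steps 6 and 7, using the file names given on the page.
# Usage: write_ovpn_configs <output-dir> <server-public-address>
write_ovpn_configs() {
    out="$1"
    remote="${2:-vpn.example.invalid}"   # placeholder; replace with the real address
    mkdir -p "$out" || return 1

    # Server side: listen only on the port the firewall leaves open (UDP 1194)
    cat > "$out/server.ovpn" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
#server will use this network number for OpenVPN tunnel, server = 10.8.0.1
server 10.8.0.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
#Uncomment if compiled with compression
#comp-lzo
verb 3
EOF
    # Client side: must mirror the server's proto/dev/compression settings
    cat > "$out/client1.ovpn" <<EOF
client
dev tun
proto udp
remote $remote 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
#Added: reject a peer whose cert was not built with build-key-server (OpenVPN 2.0.x)
ns-cert-type server
#Uncomment if compiled with compression
#comp-lzo
verb 3
EOF
    chmod 644 "$out/server.ovpn" "$out/client1.ovpn"
}
```

Both files are meant to sit next to the keys in /etc/openvpn/ on the server and in the OpenVPN config folder on the Windows client, as in steps 9 and 10.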
8. Copy the keys/certificates/config files to www so they can be downloaded by the server and client (the private keys are world-readable while they sit there, so remove them from /var/www once both sides have downloaded them):
cp ca.crt dh1024.pem server.crt server.key \
client1.crt client1.key server.ovpn client1.ovpn /var/www
#So the web server can send the files
chmod 644 /var/www/server.key
chmod 644 /var/www/client1.key
9. On the server, download the files and restrict the private key again:
chmod 600 server.key
10. On the client, download the files into the OpenVPN config folder:
cd c:\program files\openvpn\config
Start the OpenVPN Service.
Start the OpenVPN GUI with Admin rights: right-click on the OpenVPN GUI icon > Connect.
If the ping is OK, configure the SIP client to connect to Asterisk through the server's private IP on the OpenVPN tunnel, e.g. 10.8.0.1, and make a call.
As additional recommendations, we have:
- Verify that you have an end-to-end connection before trying to push any data through it.
- If you are running Windows Vista or Windows 7 and start the connection with the OpenVPN GUI, you have to run it as administrator, or it does not have the rights to add a route to the routing table.
If you need documentation with practical recipes providing tips and tricks to the most common problems and scenarios faced with OpenVPN, then you might be interested in this book:
There’s also another one that will meet the needs of anyone, from the Linux user to the experienced administrator to the security professional.
Thanks to Gilles for this configuration sample.