Asterisk and OpenVPN + SIP configuration


These are the instructions for running SIP over OpenVPN, so that SIP signalling and RTP media between roaming clients and an Asterisk server travel inside the VPN tunnel. They are based on a brainstorming discussion on the Asterisk Users Mailing List.

The server is running on a uClinux appliance with /dev/net/tun, and OpenVPN is 2.0.9. The clients will be Windows hosts connecting through Ethernet in hotels or through public WiFi hotspots.

1. Install OpenVPN on the Asterisk server. On the appliance there is only a single binary, /bin/openvpn, and the configuration files live in /etc/openvpn/.

To be sure SIP/RTP packets go through the OpenVPN tunnel, make sure the firewall in front of the OpenVPN/Asterisk server has only the OpenVPN port open (default: UDP 1194). With SIP (UDP 5060) and the RTP port range closed on the public side, a host that is not connected to the VPN cannot reach Asterisk at all, so registrations and media can only arrive through the tunnel address.
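As an added example (not part of the original post), here is an iptables ruleset that implements that policy on the OpenVPN/Asterisk box itself or on a Linux gateway in front of it: only OpenVPN is reachable from the public interface, and SIP/RTP are accepted solely from the tunnel interface. The interface names eth0 and tun0 and the RTP range 10000-20000 (Asterisk's default in rtp.conf) are assumptions, as is the use of iptables; if the firewall is a separate appliance, translate the same rules into its syntax.

```shell
#!/bin/sh
# Added example, not from the original post: expose only OpenVPN on the public
# interface and accept SIP/RTP solely from the tunnel.
# Assumed names (not given on the page): WAN interface eth0, tunnel tun0,
# Asterisk RTP range 10000-20000 (the default in rtp.conf).
# Set IPT=echo to print the rules instead of applying them.

IPT="${IPT:-iptables}"
WAN_IF="${WAN_IF:-eth0}"
VPN_IF="${VPN_IF:-tun0}"
VPN_PORT="${VPN_PORT:-1194}"
SIP_PORT="${SIP_PORT:-5060}"
RTP_RANGE="${RTP_RANGE:-10000:20000}"

vpn_only_rules() {
    "$IPT" -F INPUT
    # Default deny on input; nothing is routed between tunnel clients and elsewhere.
    "$IPT" -P INPUT DROP
    "$IPT" -P FORWARD DROP
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The only service reachable from the public side is OpenVPN.
    "$IPT" -A INPUT -i "$WAN_IF" -p udp --dport "$VPN_PORT" -j ACCEPT
    # SIP signalling and RTP media are accepted only from inside the tunnel,
    # so an unauthenticated host on the hotel LAN never reaches Asterisk.
    "$IPT" -A INPUT -i "$VPN_IF" -p udp --dport "$SIP_PORT" -j ACCEPT
    "$IPT" -A INPUT -i "$VPN_IF" -p udp --dport "$RTP_RANGE" -j ACCEPT
    # Everything else arriving on the public side is logged, then dropped.
    "$IPT" -A INPUT -i "$WAN_IF" -j LOG --log-prefix "wan-drop: "
    "$IPT" -A INPUT -i "$WAN_IF" -j DROP
}

# Apply only when invoked explicitly, e.g. "sh vpn-fw.sh apply".
if [ "${1:-}" = "apply" ]; then
    vpn_only_rules
fi
```

Run it once with IPT=echo to review the generated rules before applying them on a box you reach over the same link: the default-deny INPUT policy will cut an SSH session on the public interface unless you add a rule for it.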

2. On the client, download and install OpenVPN for Windows from http://www.openvpn.net; the package includes the service and the GUI.

3. If using an appliance with just the openvpn binary, use a Linux workstation to install the OpenVPN package and create the certificates and keys: apt-get install openvpn

4. On the workstation, copy the easy-rsa scripts used to create keys and certificates:

mkdir /etc/openvpn/easy-rsa
cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* \
/etc/openvpn/easy-rsa


5. Create the CA, the Diffie-Hellman parameters, and one certificate/private key pair for each host (server and clients):

cd /etc/openvpn/easy-rsa
# Edit the KEY_* defaults. Every certificate must get a unique Common Name.
# The easy-rsa 2.0 default KEY_SIZE is 1024 bits, which is weak by current
# standards; set KEY_SIZE=2048 if the appliance can handle it (the DH file
# is then named dh2048.pem and the "dh" line in server.ovpn must match).
vi vars
# export the variables into the current shell (note the space: the file is sourced)
. ./vars

./clean-all
./build-ca
./build-dh

# key and certificate for the server
./build-key-server server

# key and certificate for the client
./build-key client1


6. Create the configuration file for the server, /var/www/server.ovpn (it is written to the web root so the appliance can fetch it in step 9):

port 1194
proto udp
dev tun

ca ca.crt
cert server.crt
key server.key
dh dh1024.pem

# OpenVPN hands out addresses from this network to tunnel clients;
# the server itself takes the first address, 10.8.0.1
server 10.8.0.0 255.255.255.0

ifconfig-pool-persist ipp.txt
keepalive 10 120

#Uncomment if compiled with compression
#comp-lzo

persist-key
persist-tun
status openvpn-status.log
verb 3


7. Create the configuration file for the client, /var/www/client1.ovpn:

dev tun
proto udp
# public hostname or IP address of the OpenVPN/Asterisk server
# (vpn.example.com is a placeholder; replace it with yours)
remote vpn.example.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert client1.crt
key client1.key

#comp-lzo
verb 3

8. Copy the keys, certificates and config files to the web root so the server and the client can download them. Note that this puts private keys on an unauthenticated HTTP server: do it on a trusted network only, and delete the files from /var/www as soon as the downloads in steps 9 and 10 are done.

cd /etc/openvpn/easy-rsa/keys
# server.ovpn and client1.ovpn were already written to /var/www in steps 6 and 7
cp ca.crt dh1024.pem server.crt server.key \
 client1.crt client1.key /var/www
# so the web server can read and send the private keys (remove them afterwards)
chmod 644 /var/www/server.key
chmod 644 /var/www/client1.key


9. On the server, download the files:

cd /etc/openvpn
wget http://workstation/ca.crt
wget http://workstation/dh1024.pem
wget http://workstation/server.crt
wget http://workstation/server.key
chmod 600 server.key
wget http://workstation/server.ovpn


10. On the client, download the files into the OpenVPN config directory (with wget for Windows, or simply with a browser):

cd "C:\Program Files\OpenVPN\config"
wget http://workstation/ca.crt
wget http://workstation/client1.crt
wget http://workstation/client1.key
wget http://workstation/client1.ovpn


Launch the server:

/bin/openvpn /etc/openvpn/server.ovpn


Launch the client:
Start the OpenVPN Service.
Start the OpenVPN GUI with admin rights, then right-click the OpenVPN GUI tray icon > Connect.
ping 10.8.0.1

If the ping succeeds, configure the SIP client to connect to Asterisk through the server's private IP on the OpenVPN tunnel, e.g. 10.8.0.1, and make a call.

Additional recommendations:

  • Verify that you have an end-to-end connection (the ping above) before trying to push any data through it.
  • If you are running Windows Vista or Windows 7 and start the connection with the OpenVPN GUI, you have to run it as administrator; otherwise it does not have the rights to add a route to the routing table.
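A check to run on the server before the first call, as an added example that is not part of the original post: it confirms the tunnel address is up and that Asterisk's SIP socket is bound to the tunnel address rather than to every interface, by parsing the output of netstat -lnu. TUN_ADDR and SIP_PORT follow the configuration above; the two listings SAMPLE_GOOD and SAMPLE_BAD are constructed for the example, not captured from a real box.

```shell
#!/bin/sh
# Added example (not part of the original post): sanity checks for the
# OpenVPN/Asterisk server. Assumes the tunnel address 10.8.0.1 from
# server.ovpn, SIP on UDP 5060, and the column layout of "netstat -lnu"
# (Proto Recv-Q Send-Q Local Address Foreign Address). IPv6 sockets are ignored.

TUN_ADDR="${TUN_ADDR:-10.8.0.1}"
SIP_PORT="${SIP_PORT:-5060}"

# Returns 0 if the tunnel address is configured on some interface
# (works with net-tools/busybox ifconfig and with iproute2).
tunnel_up() {
    ifconfig 2>/dev/null | grep -q "inet addr:${TUN_ADDR} " ||
    ip -4 addr 2>/dev/null | grep -q "inet ${TUN_ADDR}[ /]"
}

# Reads a "netstat -lnu" listing on stdin and prints the local addresses
# that have the SIP port open, one per line.
sip_listen_addrs() {
    awk -v port="$SIP_PORT" '$1 == "udp" {
        n = split($4, a, ":"); if (a[n] == port) print a[1] }'
}

# Reads the same listing on stdin. Exit 0 if SIP listens only on the tunnel
# address, 1 if it is also bound to 0.0.0.0 or a public address (reachable
# from outside as soon as the firewall slips), 2 if it is not listening at all.
sip_only_on_tunnel() {
    addrs=$(sip_listen_addrs)
    [ -n "$addrs" ] || return 2
    for a in $addrs; do
        [ "$a" = "$TUN_ADDR" ] || return 1
    done
    return 0
}

# Constructed sample listings (not captured from a real server).
SAMPLE_BAD='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:5060            0.0.0.0:*
udp        0      0 0.0.0.0:1194            0.0.0.0:*'
SAMPLE_GOOD='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 10.8.0.1:5060           0.0.0.0:*
udp        0      0 0.0.0.0:1194            0.0.0.0:*'

# Live mode: "sh sip-vpn-check.sh live" on the appliance.
if [ "${1:-}" = "live" ]; then
    tunnel_up || { echo "tunnel address $TUN_ADDR not present"; exit 1; }
    netstat -lnu | sip_only_on_tunnel
    case $? in
        0) echo "ok: SIP bound to $TUN_ADDR only" ;;
        1) echo "warning: SIP also listens outside the tunnel; set bindaddr=$TUN_ADDR in sip.conf" ;;
        2) echo "error: nothing listening on udp/$SIP_PORT" ;;
    esac
fi
```

If the check reports that SIP listens outside the tunnel, set bindaddr=10.8.0.1 in sip.conf so that Asterisk does not answer on the public address at all; that is defence in depth on top of the firewall rule, which remains the primary control, and the RTP sockets still need the firewall since they are bound per call.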


Thanks to Gilles for this configuration sample.