TIPS Install OpenVPN on IncrediblePBX 13-13

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,633
Reaction score
842
@KNERD

I basically agree - OpenVPN can be setup in minutes - once you know what you are doing.

Actually the DO tutorial is outdated and doesn't work for the current CentOS 6.10 repos. Some file paths are different, easy-rsa needs to be installed separately and references easy-rsa 2.0, but yum install gives us 3.0. Most of the other google hits for "openvpn centos 6" had similar issues.

None of it is hard to overcome once you've done it a time or two, but could chase away a noob.

I haven't tested it yet, but the script @dicko linked looks pretty good. Unfortunately it doesn't do CentOS/SL 6. Still, it would be a great starting point if someone wanted to modify for IPBX usage. Some things should probably be changed if the purpose is only for remote phone access/management. I see no need for nat or enabling forwarding for such use.

I would run the script as

bash -x openvpn-install.sh

Override the whining about old OS's and see what stalls (likely unbound or somesuch)
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
I would run the script as

bash -x openvpn-install.sh

Override the whining about old OS's and see what stalls (likely unbound or somesuch)
It's pretty obvious where the failings will be. No need to run it. All the systemd-isms would need to be addressed. The iptables stuff would need to be integrated into the IPBX model. Other than those, it's probably about 90+%.

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
I took some time to add CentOS6 support to @dicko's linked script, but I commented out all the iptables stuff. Looks like it works, but I need to test on a clean machine.

@wardmundy, from the IPBX perspective, what would you consider the primary purpose if OpenVPN was added?

The linked script assumes all client traffic is pushed through the VPN. Probably not desirable by default. An endpoint or management pc could connect to many open internet devices and we wouldn't want that traffic passing through the pbx - from both a security and performance perspective.

If the purpose is for endpoints and management, do we need to worry about pushing local dns at all - or could we could just point to the server's openvpn ip? What does the current neorouter setup do?
 

KNERD

Well-Known Member
Joined
Mar 9, 2014
Messages
1,673
Reaction score
592
@KNERD

I basically agree - OpenVPN can be setup in minutes - once you know what you are doing.

Actually the DO tutorial is outdated and doesn't work for the current CentOS 6.10 repos. Some file paths are different, easy-rsa needs to be installed separately and references easy-rsa 2.0, but yum install gives us 3.0. Most of the other google hits for "openvpn centos 6" had similar issues.

None of it is hard to overcome once you've done it a time or two, but could chase away a noob.

I haven't tested it yet, but the script @dicko linked looks pretty good. Unfortunately it doesn't do CentOS/SL 6. Still, it would be a great starting point if someone wanted to modify for IPBX usage. Some things should probably be changed if the purpose is only for remote phone access/management. I see no need for nat or enabling forwarding for such use.


You are a bit correct, it is sort of outdated. I missed the Easy RSA part, and one other thing about the epel repo. All they have to do is use the guide for CentOS 7 on the Easy RSA part, and the rest will work on the CentOS 6 guide.

All they have to do is follow the CentOS 7 guide parts about Easy RSA and doing "yum install epel-release". The rest of the setup is the same.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
All they have to do is use the guide for CentOS 7...
But a tutorial shouldn't require someone to hunt around and piece together different parts of various tutorials. At the end of the day it doesn't work and contributes to the "OpenVPN is difficult" atmosphere.

It's not just D.O. None of the CentOS 6 links I looked at was current.

It's just the nature of moving technology and trying to use an eight year old distro that has had multiple updates since most of the tutorials were written (and abandoned).
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
Since this only becomes painful for the OpenVPN Server component, I threw in the towel and used https://github.com/angristan/openvpn-install with CentOS 7 and Vultr. It's a star platform as designed so you're going to want the server component on a public server somewhere with a static IP address.

This install still ASS-U-MEs some basic familiarity with OpenVPN, but it works like a champ, and you can use the server platform to build all the client config files for any OS including CentOS 6. Very slick and easy... finally. I took good notes on what was missing. We'll put together a tutorial in coming weeks that adds the few pieces that were not discussed or addressed in the install script.

Wondering out loud why we couldn't host the server platform and let users rely upon TM3 to whitelist the private OpenVPN client IP addresses that actually belong to them. I guess the wrinkle would be SIP phones that don't have native firewall protection. Perhaps we could use passwords for those VPN clients. Any thoughts??

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Wondering out loud why we couldn't host the server platform and let users ...
Do you really want that kind of headache if (when) there are problems?

I have the script running well on CentOS 6. The mods add CentOS 6 support, it should still work on the other platforms.

I made changes based on how I see the likely functionality if running on the PBX. Basically I don't see this as a path into the internal net, only as a secure tunnel for management and endpoints:
  • add CentOS 6.10 as a supported platform
  • enable the epel repo for yum commands since the IPBX install disables epel
  • removed pushing DNS
  • removed pushing default gateway
  • removed IP forwarding
  • removed nat
  • removed systemd based firewall scripts
  • now only one additional firewall rule accepting the VPN port - inserting it into iptables-custom at the "# custom rules go below here" comment.
  • optionally push route(s) for local adapter subnets - to allow addressing the "internal" IP
Android and PC softphones, ssh, http, etc all work.

I'll give it a quick review later today and post what I have.

Still need to add SL and Raspbian support, but that should be trivial. Need to test with phones. The defaults require a 2.4 client; my guess is some phones won't be that current. Probably need to work out an easy menu option to allow 2.2 or 2.3 clients.
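One way to implement the "single firewall rule inserted at the marker" change described above, as an added example that is not jerrm's script or the IPBX iptables-custom file: an idempotent POSIX shell function that places the ACCEPT rule directly after the "# custom rules go below here" comment and refuses to touch a file that lacks the marker. The marker text and rule syntax come from the thread; the sample file contents are constructed.

```shell
#!/bin/sh
# Added example: idempotently insert the OpenVPN ACCEPT rule below the
# "# custom rules go below here" marker of an iptables-custom style file.
# Marker text and rule come from the thread; everything else is assumed.
MARKER='# custom rules go below here'

# add_vpn_rule FILE PORT [PROTO]
# Exit status 0: rule present afterwards (inserted now or already there).
# Exit status 1: marker not found; the file is left untouched so a later
# iptables-restart cannot pick up a rule placed in the wrong position.
add_vpn_rule() {
    file=$1; port=$2; proto=${3:-udp}
    rule="/usr/sbin/iptables -A INPUT -p $proto -m $proto --dport $port -j ACCEPT"
    grep -qF -- "$MARKER" "$file" || return 1
    grep -qxF -- "$rule" "$file" && return 0   # re-run: do not duplicate
    tmp=$(mktemp) || return 1
    # Copy every line; right after the first marker line, emit the rule.
    awk -v m="$MARKER" -v r="$rule" \
        '{ print } $0 == m && !done { print r; done = 1 }' "$file" > "$tmp" \
        && cat "$tmp" > "$file"   # cat keeps the script's executable bit
    status=$?
    rm -f "$tmp"
    return $status
}

# vpn_rule_count FILE PORT: how many ACCEPT rules for PORT the file contains.
vpn_rule_count() {
    grep -c -- "--dport $2 -j ACCEPT" "$1"
}

# write_sample FILE: constructed stand-in for /usr/local/sbin/iptables-custom.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
/usr/sbin/iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# custom rules go below here
# (end of custom rules)
EOF
}
```

Running add_vpn_rule a second time leaves the file unchanged, which is what an installer that may be re-run needs.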
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
@jerrm: Echoing the following two rules to the end of /usr/local/sbin/iptables-custom should satisfy the firewall requirements. And then just iptables-restart.
Code:
# Accept OpenVPN client connections on the default UDP port 1194
echo "/usr/sbin/iptables -A INPUT -p udp -m udp --dport 1194 -j ACCEPT" >> /usr/local/sbin/iptables-custom
# NAT traffic from the VPN subnet out of eth0 (only needed when clients route beyond the PBX itself)
echo "/usr/sbin/iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE" >> /usr/local/sbin/iptables-custom

And hosting for others wouldn't work since this is a Class C network with only 254 usable IP addresses (10.8.0.1 to 10.8.0.254).

EDIT: I think it could be changed to Class B network with 65,534 IP addresses (10.8.0.1 to 10.8.255.254) by making the following change in /etc/openvpn/openvpn.conf:
Code:
server 10.8.0.0 255.255.0.0

But see the tips in this article for practical limitations and how to avoid problems. 254 seems like a safe maximum with a beefy server.

Current Connected Client List:
Code:
grep 10.8 /var/log/openvpn/status.log
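The grep above lists any line mentioning the VPN subnet; as an added example that is not from the post or the install script, the shell function below parses OpenVPN's default (status-version 1) status file and joins its CLIENT LIST with its ROUTING TABLE, so each connected client is shown with its certificate common name, real address, assigned VPN address and byte counters. The status file path and the 10.8.0.0/24 subnet come from the thread; the sample status data is constructed.

```shell
#!/bin/sh
# Added example: join the CLIENT LIST and ROUTING TABLE sections of an
# OpenVPN status-version 1 file. Sample data below is constructed.

# vpn_clients FILE: one line per client: CN VPN-IP REAL-ADDR BYTES-IN BYTES-OUT
vpn_clients() {
    awk -F, '
        /^OpenVPN CLIENT LIST/ { sec = "clients"; next }
        /^ROUTING TABLE/       { sec = "routes";  next }
        /^GLOBAL STATS/        { sec = "";        next }
        # Client rows: Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
        sec == "clients" && NF == 5 && $1 != "Common Name" {
            real[$1] = $2; rx[$1] = $3; tx[$1] = $4; order[++n] = $1
        }
        # Route rows (tun mode): Virtual Address,Common Name,Real Address,Last Ref
        sec == "routes" && NF == 4 && $1 != "Virtual Address" { vip[$2] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                cn = order[i]
                printf "%s %s %s %s %s\n", cn, (cn in vip ? vip[cn] : "-"), real[cn], rx[cn], tx[cn]
            }
        }' "$1"
}

# vpn_client_count FILE: number of connected clients
vpn_client_count() { vpn_clients "$1" | wc -l | tr -d ' '; }

# write_sample_status FILE: constructed status.log in the version-1 layout
write_sample_status() {
    cat > "$1" <<'EOF'
OpenVPN CLIENT LIST
Updated,Mon Apr 16 10:00:00 2018
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
phone1,203.0.113.5:51234,10240,20480,Mon Apr 16 09:50:00 2018
laptop,198.51.100.7:40000,512,1024,Mon Apr 16 09:55:00 2018
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,phone1,203.0.113.5:51234,Mon Apr 16 09:59:00 2018
10.8.0.10,laptop,198.51.100.7:40000,Mon Apr 16 09:59:30 2018
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}
```

On a live server call vpn_clients /var/log/openvpn/status.log; the real address column is the one to compare against the source addresses you expect for each phone or management PC.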

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
More good news. OpenVPN can coexist with NeoRouter so you can have the best of both worlds on your PBX (tested on CentOS and Mac OS X)...
Code:
LOCALHOST
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:202908 errors:0 dropped:0 overruns:0 frame:0
          TX packets:202908 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:18326501 (17.4 MiB)  TX bytes:18326501 (17.4 MiB)

NeoRouter
nrtap     Link encap:Ethernet  HWaddr 6E:BF:BC:FC:8E:44
          inet addr:10.0.0.16  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::6cbf:bcff:fefc:8e44/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1300  Metric:1
          RX packets:97 errors:0 dropped:0 overruns:0 frame:0
          TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:13123 (12.8 KiB)  TX bytes:6237 (6.0 KiB)

OpenVPN
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:3669 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3686 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3011339 (2.8 MiB)  TX bytes:327460 (319.7 KiB)

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Busy week kept me away. Finally got back to the script today. Spun up and tested a clean iso install and Scientific Linux is fine after a version check tweak (as expected). No extensive testing, but it seems to do what I want so far.

Script is pretty ugly right now - chunks of stuff still commented out until I decide what to add back.

As previously stated my purpose for this is access to the machine for management and endpoints, not access to the entire internal LAN. I'll probably add that back, but this is just first round.

Changes from Angristan's script:
  • add CentOS 6 support
  • add Scientific Linux 6 support
  • enable the epel repo for yum commands since the IPBX install disables epel
  • removed pushing DNS
  • removed pushing default gateway
  • removed IP forwarding
  • removed nat
  • removed systemd based firewall scripts - now only one additional firewall rule accepting the VPN port - inserting it into iptables-custom at the "# custom rules go below here" comment
  • push route(s) for local adapter subnets - to allow addressing the "internal" IP
  • add vpn network/prefix input
  • make iptables updates optional
  • place .ovpn profiles into a "server.ovpn" subfolder instead of dumping directly into home folders
  • beginnings of multiple instance support - probably works OK now if you manually edit the SERVER variable but not tested.
Note: This has not been tested on a CentOS 7 or Ubuntu install. My guess is it should work, but I haven't spun up and tested. Feedback encouraged.

Raspbian will have to wait for now. The Jessie repos we are stuck with only have OpenVPN 2.3.x. Default features in the script require 2.4. Is there a backports repo for Raspbian?

The script defaults will definitely not work with OpenVPN clients prior to version 2.4. Likely most phones have pre-2.4 versions. Need to add options to allow a server config compatible with earlier clients.

My to-do list (that may or may not happen):
  • Raspbian support.
  • add back optional forwarding and optional nat for LAN access
  • add back optional dns push (with or without forwarding)
  • add appropriate options to allow earlier OpenVPN clients
 

Attachments

  • ipbx-openvpn.zip
    12.3 KB · Views: 13

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
@jerrm: Couldn't get Raspberry Pi to work at all. Lots of missing components. But here's our best shot at the rest...
Looks good, but my biggest issue with the default setup is pushing the default gateway.

In the IPBX context, I don't think most would want all their internet traffic sent over the VPN.

For dedicated phones it might be OK, but not for management or to run a zoiper/gs wave/whatever client on a smartphone/pc. A few Netflix binges could really dig into the hosting bandwidth, even more so if multiplied by a few users.

kyle95wm

Phone Genius Owner
Joined
Apr 16, 2016
Messages
520
Reaction score
90

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Reading through that article, it sounds to me like you're using a standalone server for the VPN. I was expecting something more along the lines of installing the server directly onto the PBX, or am I misunderstanding something?
You are correct. Ward's setup assumes a separate OpenVPN server with the PBX as a client.

Try my script to install on the PBX itself. Tested on CentOS 6/Scientific Linux 6 with IPBX 13-13. I think it should be OK on CentOS 7/SL 7/Ubuntu, but haven't tested. If there are problems let me know.
 

kyle95wm

Phone Genius Owner
Joined
Apr 16, 2016
Messages
520
Reaction score
90
Alright, I use version 6 for all my PBX's. Has this been extensively tested?
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Alright, I use version 6 for all my PBX's. Has this been extensively tested?
Extensively? No.

I probably installed/removed 30+ times on multiple machines in the course of testing the script. I had two others run through it without issue.

At the end of the day it makes a one line change to iptables-custom that is easily identified. The other changes can be undone with a "yum -y remove openvpn; rm -rf /etc/openvpn".
 

kyle95wm

Phone Genius Owner
Joined
Apr 16, 2016
Messages
520
Reaction score
90
And I assume that Ward's steps for renewing the server certificate are more or less the same, apart from an added directory to /etc/openvpn/?
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
And I assume that Ward's steps for renewing the server certificate are more or less the same, apart from an added directory to /etc/openvpn/?
Correct. I used the same script Ward is using as the base for mine. Other than file locations, all the heavy lifting is the same code for now. All of the client config stuff from Ward's tutorial should be the same as well.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,201
Reaction score
5,219
04/16 UPDATE: We’ve made one change in the Angristan script to adjust client routing. By default, all packets from every client flowed through the OpenVPN server which wasted considerable bandwidth. Our preference is to route client packets destined for the Internet directly to their destination rather than through the OpenVPN server. The sed command added to the base install in the tutorial now does this by adjusting the code generator for client configs.
Code:
sed -i 's|tls-client|tls-client\npull-filter ignore "redirect-gateway"|' /root/openvpn-install.sh

If you’ve already installed and run the Angristan script, your existing clients will be configured differently. Our recommendation is to remove the existing clients, make the change below, and then recreate the clients again by rerunning the script. In the alternative, you can execute the command below to correct future client creations and then run it again on each existing client platform substituting the name of the /root/.ovpn client file for /etc/openvpn/client-template.txt and then restart each of your OpenVPN clients.
Code:
sed -i 's|tls-client|tls-client\npull-filter ignore "redirect-gateway"|' /etc/openvpn/client-template.txt
 
