VPN in a Flash

TheShniz

Guru
Joined
Nov 15, 2007
Messages
560
Reaction score
2
Sweet! One more question, does it have slots for TDM cards?

No, the M200-LCD case has no room for expansion, and you will have to use an external gateway... I'm assuming this is using Intel's popular D945GCLF w/ 1x PCI slot, so you could build off the M300-LCD for only $10 more/chassis which has room for one card (using a riser). It would be interesting to know what functions are accessible through the LCD, and if this will be available for PiaF as well (would be a great toy to play with!) :)
 
Joined
Feb 22, 2008
Messages
152
Reaction score
0
Configuration and setup summary

Here's the quick summary (all the standard disclaimers apply - don't try this unless you have some idea what you're doing!):
Open a port in your firewall (at the "mothership" location) and point it to your pbxinaflash box. The standard port number is 1194; you only need to forward UDP. If you try to connect from a very locked-down internet connection, the most conservative port number to use would be 443 (https) because that's the least likely port to be blocked or proxied for outgoing connections. You'll also need to open the port on the PiaF firewall, unless you have disabled iptables. See this post for a rule that will probably do the trick.
That being said, I've typically used very non-standard port numbers (pick something over 20000 at random). The configuration below assumes standard port 1194, UDP traffic (don't worry, it's a full VPN, it just uses UDP as a transport - TCP works through the tunnel as well, and much more). These files will make a VPN with internal addresses 10.100.100.x.
For more serious detail, see the openvpn.net website and tutorials - they're great.
You'll need either a fixed public IP at your server, or a dynamic DNS service (dyndns.org is great, there are several others). See their instructions for setting up an account and the software. This config assumes your public IP DNS name is mydyndnsname.dyndns.org.
Log in to your box as root
The default locations that yum looks for packages don't include openvpn. You can add one by creating the following file in your yum configuration (if it doesn't already exist):
nano -w /etc/yum.repos.d/rpmforge.repo
# Name: RPMforge RPM Repository for Red Hat Enterprise 5 - dag
# URL: http://rpmforge.net/
[rpmforge]
name = Red Hat Enterprise $releasever - RPMforge.net - dag
#baseurl = http://apt.sw.be/redhat/el5/en/$basearch/dag
mirrorlist = http://apt.sw.be/redhat/el5/en/mirrors-rpmforge
#mirrorlist = file:///etc/yum.repos.d/mirrors-rpmforge
enabled = 1
protect = 0
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
gpgcheck = 1
exclude=afio*
exclude=asterisk*
exclude=buffer*
exclude=mindi-*
exclude=mondo-*


You may also need to put the GPG key in:
nano -w /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmforge-dag
The following public key can be used to verify RPM packages
downloaded from http://dag.wieers.com/apt/ using 'rpm -K'
if you have the GNU GPG package.
Questions about this key should be sent to:
Dag Wieers <[email protected]>

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.2.1 (GNU/Linux)
[PGP key body not reproduced here]
-----END PGP PUBLIC KEY BLOCK-----

then install openvpn:
yum -y install openvpn
Let it do its thing.
Make a folder for everything:
mkdir /etc/openvpn

Copy the easy-rsa folder to your openvpn installation (note the version number may vary):
cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa /etc/openvpn/

Once installed, generate your certificates and encryption keys:
cd /etc/openvpn/easy-rsa
mkdir /etc/openvpn/easy-rsa/keys
nano -w vars

and edit the last 5 lines with your information (as you want it to appear in the certificate files - could be bogus info, if you like)
control-x, y <enter> to save
Tell the shell you want to use these parameters:
source ./vars
generate your keys (you may need to do a chmod +x build* and chmod +x clean-all to make the functions executable)
./clean-all
./build-dh # if this doesn't work, try openssl dhparam -out keys/dh1024.pem 1024
./build-ca
./build-key-server myservername
./build-key myclientname1
./build-key myclientname2

You'll be prompted to change anything (if desired) that you entered already. Important: the "common name" of the server and clients must all be unique, don't leave them blank. The OU name can be left blank on all of them. The last two prompts ask you if everything is OK, and if the info should be committed to the database. Be sure to type y<enter> for both.

Create the Server configuration file:
nano -w /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
server 10.100.100.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "route 192.168.200.0 255.255.255.0"
#If your network was 192.168.200.0, this would allow VPN clients to see it
#You'll have to tell your router that your pbxinaflash machine is the gateway for 10.100.100.0/255.255.255.0, though
client-to-client # allows VPN clients to see each other
keepalive 30 120
comp-lzo
max-clients 5 # adjust for however many clients you want to support
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 4
management localhost 7505

Create the client configuration file (this goes in the "OpenVPN config directory" on Windows (and must have the extension .ovpn instead of .conf), in "~/Library/openvpn/" on the Mac if you use Tunnelblick, or in /etc/openvpn/ on Linux).
nano -w /etc/openvpn/myclientname1.conf
client
dev tun
proto udp
remote mydyndnsname.dyndns.org 1194
resolv-retry infinite
nobind
user nobody
group nobody
persist-key
persist-tun
ca ca.crt
cert myclientname1.crt
key myclientname1.key
ns-cert-type server
comp-lzo
verb 3

control-x, y, <enter> to save

Move all .conf files out of the /etc/openvpn directory to another location on your drive. When openvpn starts, it will try to create a process for each .conf file, and the client configuration files won't work when launched on your server.

Also copy over these files from the server to the client (use a secure connection like ssh or you're compromising the network):
/etc/openvpn/easy-rsa/keys/ca.crt
/etc/openvpn/easy-rsa/keys/myclientname1.crt
/etc/openvpn/easy-rsa/keys/myclientname1.key

Put them in the same place (/etc/openvpn on the client machine for Linux, see above for other platforms)

On the server, you'll want to have openvpn start up automatically; I believe "chkconfig openvpn on" (without quotes) will do it. The server will start a separate instance for each .conf file in /etc/openvpn, so you can run different servers with different settings (on separate ports). I use this so I can connect to my whole network, but all my relatives can connect to an isolated VPN network so I can do tech support on their computers.

For more detailed setup help, check out openvpn.net. These files come directly from my server (Walmart special) running pbxinaflash, so I'm confident they work well, but YMMV. I hope I haven't missed any steps, but as this is a forum, I'm sure working together we can make this documentation better.

Notice the last entry in the server config file turns on a management port. I found this sweet php script that shows a list of all connected clients on the VPN, showing their private (VPN) IP addresses. Find it here:
http://pablohoffman.com/software/vpnstatus/vpnstatus.txt
and copy it to /var/www/html and make sure the privileges are OK, and you can see the status of your VPN.
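A sanity check for the server-side files the tutorial above creates, added here as an example (it is not the poster's script and not part of OpenVPN): it reads a server.conf, resolves the ca/cert/key/dh paths relative to the directory holding the config (matching the tutorial's relative easy-rsa/keys/... paths), confirms each file exists, rejects a server.key that is readable by group or world, and rejects a management directive bound to anything other than loopback. The layout the demo builds at the bottom consists of constructed placeholder files, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not part of the forum post: check the files and the two
# security-relevant settings in an OpenVPN server.conf laid out as above.

# Print the first argument of a directive, with comments stripped.
conf_value() {            # conf_value <conf> <directive>
    sed -e 's/#.*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {               # mode_of <path>
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Return 0 when the config looks sane, 1 otherwise; findings go to stdout.
check_server_conf() {     # check_server_conf <path/to/server.conf>
    conf=$1
    dir=$(dirname "$conf")
    rc=0
    for d in ca cert key dh; do
        f=$(conf_value "$conf" "$d")
        if [ -z "$f" ]; then
            echo "MISSING: no '$d' directive in $conf"; rc=1; continue
        fi
        case $f in /*) p=$f ;; *) p=$dir/$f ;; esac
        if [ ! -f "$p" ]; then
            echo "MISSING: $d file $p does not exist"; rc=1; continue
        fi
        # The private key (the file the tutorial marks "keep secret") must
        # give group and other nothing at all: mode 600 or stricter.
        if [ "$d" = key ]; then
            mode=$(mode_of "$p")
            case $mode in
                *00) ;;
                *) echo "PERMS: $p is mode $mode, expected 600"; rc=1 ;;
            esac
        fi
    done
    # The tutorial enables a management port; keep it on loopback only.
    mgmt=$(conf_value "$conf" management)
    case $mgmt in
        ""|127.0.0.1|localhost|::1) ;;
        *) echo "EXPOSED: management interface bound to $mgmt"; rc=1 ;;
    esac
    return $rc
}

# Build a constructed layout for the demo: placeholder files only.
make_demo_layout() {      # make_demo_layout <dir> <key-mode>
    mkdir -p "$1/easy-rsa/keys"
    for f in ca.crt server.crt server.key dh1024.pem; do
        echo "placeholder, not a real $f" > "$1/easy-rsa/keys/$f"
    done
    chmod "$2" "$1/easy-rsa/keys/server.key"
    cat > "$1/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/server.crt
key easy-rsa/keys/server.key # This file should be kept secret
dh easy-rsa/keys/dh1024.pem
server 10.100.100.0 255.255.255.0
management localhost 7505
EOF
}

demo=$(mktemp -d)
make_demo_layout "$demo/good" 600
check_server_conf "$demo/good/server.conf" && echo "good layout: OK"
make_demo_layout "$demo/leaky" 644
check_server_conf "$demo/leaky/server.conf" || echo "leaky layout: rejected"
rm -rf "$demo"
```

Run it on the real box as `check_server_conf /etc/openvpn/server.conf` after sourcing the functions; a world-readable server.key or a management port bound to 0.0.0.0 is reported before the daemon is ever started.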
 

Clark

New Member
Joined
Aug 2, 2008
Messages
29
Reaction score
0
dynamic DNS question

I've got OpenVPN servers set up with dyndns.org names. Even when the IP changes, it works pretty well. You can set up the client config files to look for the name instead of the IP, and you only have to open one port on the server firewall to allow the UDP (or TCP) traffic to the server. It can even masquerade as HTTPS traffic for best portability. I'd be happy to share what I've learned with the project, Ward. Feel free to drop me a line.

When the IP changes, do you need to restart the clients to clear the DNS cache and re-register the clients to the new IP address? (I've been wondering about this.)
 

Clark

New Member
Joined
Aug 2, 2008
Messages
29
Reaction score
0
Solid state mini-server

It's a good bit more robust than a WalMart Special. So long as the number of simultaneous calls is below 10 or so, it'll work like a champ. Depending upon the number of voicemails, you might want an 8GB SSD instead of a 4GB... for a few cents more. :wink5: Of course, once the dual core, dual processor Intel Atom is released, The Sky's the Limit!

Any anticipated timing on the release of the solid state mini-server? Not sure if I should go out and get the Walmart special or wait a week or two for the solid state mini-server.

Will the mini-server have a keyboard and monitor port like the multi-purpose Walmart Special, or is it more like a dedicated device such as a router that you configure via a remote machine?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,211
Reaction score
5,239
The VPN in a Flash box will have all the standard ports that come with a stock Intel Atom motherboard so, yes, you'll be able to plug in a keyboard, mouse, and monitor with no problems. We're probably several weeks away (at least) so, if you're in a hurry, get a WalMart Special. Then you'll have two systems (which everybody needs). :smile5:
 
Joined
Feb 22, 2008
Messages
152
Reaction score
0
See the following pages for detailed information, but the clients will automatically reconnect as soon as the new IP address is available (you may want a shorter timeout in your configuration files if you have a "very" dynamic address that changes often).

If you use a router that directly supports dynamic DNS updates (I really like dd-wrt firmware running on any hardware platform) it will do all the heavy lifting, and no changes are required on the server.

If your pbxinaflash box is also your router/firewall, you may need to configure your dyndns update script to also restart the openvpn daemon.

When the "mothership" ip address changes, there will definitely be some delay (which you have some limited control over) before the connections are re-established. When a client IP changes, the delay will be shorter, I believe. The OpenVPN client handles address changes quite gracefully, in my experience. The DNS name is re-resolved whenever a timeout occurs in a connection, so a DNS cache flush should be unnecessary (on the client end) but clearly a DNS server update must occur on the server end. OpenVPN supports redundant servers, auto-failover, and automatic load balancing (among multiple clients) so you could use multiple "motherships" if you really wanted to, but if this is a production-critical system, you probably don't want a dynamic address anyway.

http://openvpn.net/index.php/documentation/howto.html#dynamic
http://openvpn.net/index.php/documentation/faq.html#dynamic-address
 
Joined
Feb 22, 2008
Messages
152
Reaction score
0
Another (less powerful) way to do this...

Here's another (less powerful, but pretty cool) way to implement something similar to this (it also doesn't require reconfiguration of the remote phone (server) IP address):

As I've mentioned in my earlier posts, there are several brands of routers supported by the dd-wrt project (linux-based firmware for your router). It would be pretty easy to configure OpenVPN on your main PBXinaflash system, and set up a dd-wrt router to automatically establish a VPN session back to your main network.

Obviously there's no local configuration possible, nor any of the other cool features that would be enabled with the VPNinaflash system, but you would be able to plug in a phone directly on the private side of the router and all traffic would be secured back to the mothership. You could also connect a computer on one of the LAN ports and access your home/office network securely, too. There would be a lot less processing horsepower, but probably enough for a few extensions.

I'll try to do some testing on this and post the configuration if I get it to work well. I've done the remote VPN with dd-wrt before, but I want to test it with VOIP calls before I recommend it.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,211
Reaction score
5,239
VoIP Service Beta for VPN in a Flash

As part of our roll out of VPN in a Flash, we are considering bundling in preconfigured VoIP termination service so that every system could make outbound calls as soon as a SIP phone was connected. If the user wishes to add their own providers, then they certainly can, but this would get systems working almost instantly with no obligation to continue at all.

We obviously need to be sure the VoiP service is going to work AND that it's reliable. We think it is. There are POPs in many areas of the U.S. as well as Canada. For now this is outbound service only. No DIDs and no 911 support for the time being! We want to make a final provider decision first.

Before deciding whether to proceed, we need a handful of folks who are willing to try things out particularly for U.S. and Canadian calls from servers in various parts of the U.S. and Canada. Sorry. We'll do something special for our overseas friends soon. Honest!

As our thanks, we will provide a modest calling credit, and you can add more funds through PayPal if desired. We think you will be pleasantly surprised by the rates and the call quality especially in the U.S. and Canada.

If you'd like to be considered for the program, just sign up at the following link. We will be in touch whether or not you are selected for the beta. THANKS!!

SOLD OUT for the moment.
 

drsatch

New Member
Joined
Feb 25, 2008
Messages
41
Reaction score
0
Working great. I liked the email that was sent out with the configs. Easy to copy/paste.

Only placed a few calls so far....about 10 mins worth but....

Services sounds great. quick to connect. Everything you'd expect. So far, no problems.

I'll keep you posted if I run into anything.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,211
Reaction score
5,239
Great feedback. Just what we wanted to hear. Thanks.
 
Joined
Nov 2, 2007
Messages
498
Reaction score
0
So, are these in the field yet?

One thing I have found with certain "remote" networks is that there can be some funky proxy server setups at hotels and such that prevent Hamachi from working.

Just thought I'd mention it.
 
Joined
Feb 22, 2008
Messages
152
Reaction score
0
Additions to use dd-wrt routers as remotes for your VPN

After following my earlier tutorial and getting your VPN successfully up and running, you can add dd-wrt router VPN clients. With what you see below on a dd-wrt router, I have successfully set up the router on a remote network, which automatically connects to my home pbx-in-a-flash server, and routes all data destined for my home LAN (including all VOIP calls) through the encrypted VPN tunnel. I demonstrated this at the Utah Open Source Conference last week (http://2008.utosc.com - look for the presentation "Serious VPN without serious cost"). Most of this tutorial information is also available in the presentation there, along with some good introductory and background information about VPNs.

Here's the scoop:
Start with a working VPN system from the earlier tutorial.

Add a client config file directory
mkdir /etc/openvpn/ccd

Create a client config file for each remote router (filename must match client name!)
nano -w /etc/openvpn/ccd/client2
iroute my.sub.net.addr 255.255.255.0


Modify the server.conf file and add these lines:
client-config-dir /etc/openvpn/ccd
route my.sub.net.addr 255.255.255.0


VITAL: make sure /etc/openvpn/ccd is world readable, along with all files inside! Otherwise, the downgraded daemon won't be able to read the files (chmod 755 ccd and chmod 644 ccd/*)

You can also make each remote router's subnets available to the other routers, but it's a bit more complicated – the ccd files may need to include a push-reset followed by a push of all relevant parameters except for its own route; see the tutorials on openvpn.net for details.

Now, on a dd-wrt enabled router (be sure you're using the VPN or the MEGA versions of the firmware, not all routers have enough flash to run this) go to the commands page and paste the following into the commands window (inserting the certificates and keys you generated) and click the "save startup" button. This turns the following into a startup script.

cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
./myvpn --mktun --dev tun0
ifconfig tun0 0.0.0.0 promisc up
sleep 5
echo "client
daemon
dev tun0
proto udp
remote my.server.name 1194
resolv-retry infinite
tls-auth ta.key 1
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
ns-cert-type server
comp-lzo
verb 3
" > /tmp/client.conf

echo "****CERT CONTENTS****" > ca.crt

echo "****CERTIFICATE CONTENTS****" > client.crt

echo "****KEY CONTENTS***" > client.key

echo "***ta.key contents***" > ta.key

./myvpn --config client.conf


Now create this as the firewall script:

FIREWALL SCRIPT (REMOVE #COMMENTS):
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
#Allows VPN traffic out
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT
#Allows VPN traffic in
iptables -I INPUT -i tun0 -j ACCEPT
# Allows VPN to connect to GUI


That should do it. (I'll add some additional notes later, but this covers all the basics.) I connected a Polycom 501 to the router and set it to provision itself from a server on the other end of the VPN tunnel. It came up beautifully, and as I provisioned it to the internal address of the PBXinaFlash system, all calls were automatically routed through the tunnel. I noticed an increase in packet jitter when placing calls this way, though it rarely affected audio quality. I think (and I'll try to test) that turning off LZO compression may be a good idea.
With the Polycom 501 on a call to the server I checked the load on the router's processor. The VPN only consumed about 1% of the processor's power (even with LZO turned on) for a G729 call.
One note about QoS (Quality of Service) for the call audio. If you're like me you've set up QoS to preserve the call audio and reduce other data streams to compensate. Keep in mind that the port number is not likely to fall within the range(s) you've defined for SIP or IAX. Adjustments to your QoS settings may be necessary to obtain good audio. Having said that, you won't want to use a remote router on the VPN to do much data transfer, as now your QoS settings may perceive it as data that must be protected for QoS purposes. With a little time and practice, you could (fairly easily) set up two parallel VPNs and ensure that all calls go through one tunnel (QoS protected) and other data goes through another tunnel.
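A consistency check for the additions in this post, added here as an example (not the poster's script, and not from dd-wrt or OpenVPN): it verifies that the ccd directory is enterable and its files readable by the unprivileged user the daemon drops to (755 on the directory, 644 on the files), that every iroute in a ccd file has the matching route line in server.conf that the post says to add (OpenVPN needs that kernel route alongside the iroute), and that tls-auth is configured on both ends. The last check matters because the router config above carries "tls-auth ta.key 1" while the server config from the earlier tutorial has no tls-auth line; a one-sided tls-auth fails the handshake, so the server needs "tls-auth ta.key 0" with the same ta.key (generated with openvpn --genkey --secret ta.key). The paths, client name and subnet in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the forum post: cross-check the ccd/iroute
# setup, the matching server "route" lines, and tls-auth parity between
# server.conf and the client.conf pushed to the dd-wrt router.

# Print "<arg1> <arg2>" for every occurrence of a directive, comments removed.
directive_lines() {       # directive_lines <conf> <directive>
    sed -e 's/#.*//' "$1" | awk -v d="$2" '$1 == d { print $2, $3 }'
}

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {               # mode_of <path>
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Return 0 when the ccd directory is usable by the "user nobody" daemon and
# every iroute has a kernel route in server.conf; 1 otherwise.
check_ccd() {             # check_ccd <server.conf> <ccd-dir>
    srv=$1; ccd=$2; rc=0
    configured=$(directive_lines "$srv" client-config-dir | awk '{ print $1; exit }')
    if [ "$configured" != "$ccd" ]; then
        echo "CONFIG: client-config-dir is '$configured', expected $ccd"; rc=1
    fi
    # Others need the search (x) bit on the directory, not just read: 755.
    dmode=$(mode_of "$ccd")
    case $dmode in
        *[1357]) ;;
        *) echo "PERMS: $ccd is mode $dmode; 'nobody' cannot enter it (use 755)"; rc=1 ;;
    esac
    for f in "$ccd"/*; do
        [ -f "$f" ] || continue
        fmode=$(mode_of "$f")
        case $fmode in
            *[4567]) ;;
            *) echo "PERMS: $f is mode $fmode; not readable by others (use 644)"; rc=1 ;;
        esac
        # Each "iroute NET MASK" needs "route NET MASK" on the server, or the
        # kernel has no route into the remote subnet.
        tmp=$(mktemp)
        directive_lines "$f" iroute > "$tmp"
        while read -r net mask; do
            [ -n "$net" ] || continue
            if ! directive_lines "$srv" route | grep -qxF "$net $mask"; then
                echo "ROUTE: $f has 'iroute $net $mask' but $srv lacks 'route $net $mask'"; rc=1
            fi
        done < "$tmp"
        rm -f "$tmp"
    done
    return $rc
}

# Return 0 when tls-auth is used on both sides (server direction 0, client
# direction 1, as the router config has) or on neither; 1 when one-sided.
check_tls_auth() {        # check_tls_auth <server.conf> <client.conf>
    s=$(directive_lines "$1" tls-auth | head -n 1)
    c=$(directive_lines "$2" tls-auth | head -n 1)
    if [ -z "$s" ] && [ -z "$c" ]; then return 0; fi
    if [ -z "$s" ] || [ -z "$c" ]; then
        echo "TLS-AUTH: one-sided (server='$s' client='$c'); the handshake will fail"
        return 1
    fi
    sdir=${s#* }; cdir=${c#* }
    if [ "$sdir" = 0 ] && [ "$cdir" = 1 ]; then return 0; fi
    echo "TLS-AUTH: key directions server=$sdir client=$cdir, expected 0 and 1"
    return 1
}

# Demo on a constructed layout (no real keys; the name and subnet are made up).
make_ccd_demo() {         # make_ccd_demo <dir> <add-server-route: yes|no>
    mkdir -p "$1/ccd"
    printf 'iroute 192.168.77.0 255.255.255.0\n' > "$1/ccd/client2"
    chmod 755 "$1/ccd"; chmod 644 "$1/ccd/client2"
    {
        printf 'client-config-dir %s/ccd\n' "$1"
        if [ "$2" = yes ]; then printf 'route 192.168.77.0 255.255.255.0\n'; fi
        printf 'tls-auth ta.key 0\n'
    } > "$1/server.conf"
    printf 'client\nremote my.server.name 1194\ntls-auth ta.key 1\n' > "$1/client.conf"
}

demo=$(mktemp -d)
make_ccd_demo "$demo/ok" yes
check_ccd "$demo/ok/server.conf" "$demo/ok/ccd" && echo "ccd/route: OK"
check_tls_auth "$demo/ok/server.conf" "$demo/ok/client.conf" && echo "tls-auth: OK"
make_ccd_demo "$demo/noroute" no
check_ccd "$demo/noroute/server.conf" "$demo/noroute/ccd" || echo "missing route: rejected"
rm -rf "$demo"
```

On the server, `check_ccd /etc/openvpn/server.conf /etc/openvpn/ccd` followed by `check_tls_auth /etc/openvpn/server.conf /path/to/the/router/client.conf` catches the three mistakes that most often leave a router connected but with no route into its LAN, or not connecting at all.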
 

ellisgl

Guru
Joined
Jun 24, 2008
Messages
40
Reaction score
0
I just want to know where to get that pc case!

Never mind.. found it..
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,211
Reaction score
5,239
Not Asleep

Just a heads up to let you know that we're not asleep at the switch. Just as we were about to get production going, Intel released the new dual core Atom motherboard which costs less than $10 more and provides a BogoMIPs boost of roughly 50%. We now have one which we're testing. Of course, Intel has changed the onboard NIC just to keep everyone on their toes. So... we're plugging away in the trenches. Performance will be spectacular and we think it's worth a little extra delay. :wink5:
 

wiznet

New Member
Joined
Jan 3, 2008
Messages
11
Reaction score
0
Perfect match for VPN in a Flash USB FXO

Just stopped past the Sangoma booth at Astricon; had heard a rumor they had an affordable FXO USB solution, and so they do.
It is the U100, still in beta, but it has 2 FXO ports and connects via USB 2.0; cost is supposed to be around $140. Drivers are already out. Search the wiki for more info.
 

jmullinix

Guru
Joined
Oct 21, 2007
Messages
1,263
Reaction score
7
This is off topic, but I have tested the Sangoma USB FXO port and it works beautifully.
 
