There are several potential benefits to setting up a VPN to your Asterisk server. All traffic is encrypted and you don’t need to open lots of ports in the firewall. Also there are no issues with SIP and NAT as traffic is routed over the VPN tunnel.
This is a pretty advanced setup but here is a walkthrough for setting up a SysAdminMan VPS as an OpenVPN server and then connecting to it with a TP-LINK router running OpenWRT.
Specifically this router is used – http://www.tp-link.com/en/products/details/?model=TL-WR1043ND. I paid around £40 from Amazon, an absolute bargain for something that will run OpenWRT.
Setting up the router
First you need to flash OpenWRT on to the router. This replaces the original firmware. Here are some instructions for this TP-Link router – http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd?s. I got version 18 of the router and flashed Backfire 10.03.1-rc6 version of OpenWRT.
Next the router was connected via the WAN port on the TP-LINK to my home network. The WAN side of your TP-LINK should be given an IP address from your network DHCP server. It will use this to connect to the Internet.
Now connect a PC to a LAN port using a network cable and you should be given an IP address in the range 192.168.1.0/24.
Now make the following changes on the router using a web browser. This will install the OpenVPN software and assign a new IP address to the router. If you use a different subnet you will need to change some settings below to match –
- Assign a password
- Change the LAN network address to 10.10.10.1
- In OpenWRT go to System / Software and click on Update Lists
- Click Available Packages and install OpenVPN
- Click System / Administration and enable SSH on the LAN interface
- Click System / Startup and Enable and Start OpenVPN
- Reboot the router
On the SysAdminMan VPS
For this to work you will need a TUN device assigned to your VPS. Please open a support ticket to request this.
First we’re going to install OpenVPN. This will install from rpmforge, which is set up as standard –
cp -r /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* /etc/openvpn/
chmod +x /etc/openvpn/*
Now, if you’d like you can edit /etc/openvpn/vars and change the settings at the bottom to some sensible defaults. This is not required, but will make creating the certificates easier.
Next we’re going to set up some certificates for OpenVPN. You should run these commands one at a time and answer the questions that are asked –
Now create a file called /etc/openvpn/server.conf with the following settings (in addition to the ca, cert, key and dh lines pointing at the certificates created above) –
dev tun                          # the TUN device requested from support above
server 10.20.0.0 255.255.255.0   # VPN subnet; the VPS itself becomes 10.20.0.1
route 10.10.10.0 255.255.255.0   # kernel route for the LAN behind the TP-LINK into the tunnel
client-config-dir ccd            # per-client files, needed for the iroute below to be read
keepalive 10 120
Now we’re going to tell OpenVPN which client owns the LAN behind the TP-LINK router. The file name must match the common name of the client certificate (tplink1 here) –
mkdir -p /etc/openvpn/ccd   # the client-config-dir named in server.conf
echo "iroute 10.10.10.0 255.255.255.0" >> /etc/openvpn/ccd/tplink1
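The route/iroute pairing above is the step that most often goes wrong in a site-to-site setup: the kernel `route` pushes LAN traffic into tun0, but OpenVPN itself only knows which connected client owns that LAN from the `iroute` in the ccd file, and it only reads ccd files when `client-config-dir` is set. The following Python script is an added example, not code from the original post: it parses a server.conf and its ccd files and reports a `route` without an `iroute`, an `iroute` without a `route`, a missing `client-config-dir`, and overlapping subnets. The embedded configuration is constructed from the addresses used above; the `dev tun` and `client-config-dir ccd` lines are assumed to be in server.conf.

```python
"""Consistency check for an OpenVPN site-to-site routing setup.

Added example, not from the original post: parses a server.conf and the
per-client files under client-config-dir (ccd) and reports the mistakes
that most often stop traffic from reaching the LAN behind a router client.
"""
import ipaddress
import shlex

# Constructed sample matching the post's addresses: VPN subnet 10.20.0.0/24,
# LAN behind the TP-LINK 10.10.10.0/24, client common name "tplink1".
SERVER_CONF = """
dev tun
server 10.20.0.0 255.255.255.0
route 10.10.10.0 255.255.255.0
client-config-dir ccd
keepalive 10 120
"""
CCD_FILES = {"tplink1": "iroute 10.10.10.0 255.255.255.0\n"}


def parse_openvpn_conf(text):
    """Return {directive: [[args, ...], ...]}; '#' and ';' start comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def to_network(args):
    """OpenVPN writes 'network netmask'; turn that pair into an ip_network."""
    return ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)


def vpn_server_address(server_conf):
    """'server NET MASK' defines the VPN subnet; the server takes its first host."""
    net = to_network(parse_openvpn_conf(server_conf)["server"][0])
    return str(next(net.hosts()))


def check_site_to_site(server_conf, ccd_files):
    """Return a list of findings; an empty list means the routing is consistent."""
    findings = []
    conf = parse_openvpn_conf(server_conf)
    vpn_net = to_network(conf["server"][0])
    routes = {to_network(a) for a in conf.get("route", [])}

    # Without client-config-dir the ccd files are never consulted, so every
    # iroute in them is silently ignored.
    if "client-config-dir" not in conf and ccd_files:
        findings.append("server.conf has no client-config-dir, so the ccd iroute files are never read")

    iroutes = {}
    for client, text in ccd_files.items():
        for args in parse_openvpn_conf(text).get("iroute", []):
            iroutes[to_network(args)] = client

    # The kernel route sends packets into tun0; OpenVPN still needs an iroute
    # to pick the client, otherwise it drops them.
    for net in routes - set(iroutes):
        findings.append(f"route {net} has no iroute in any ccd file: OpenVPN will drop packets for it")
    # The reverse case: OpenVPN knows the owner, but the kernel never hands
    # the packets to the tunnel in the first place.
    for net, client in iroutes.items():
        if net not in routes:
            findings.append(f"iroute {net} for client {client} has no matching route: the kernel never sends it to tun")

    # Overlapping subnets black-hole traffic on one side or the other.
    nets = [vpn_net] + sorted(iroutes, key=str)
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                findings.append(f"subnets {a} and {b} overlap")
    return findings


if __name__ == "__main__":
    print("VPS address on the VPN:", vpn_server_address(SERVER_CONF))
    for finding in check_site_to_site(SERVER_CONF, CCD_FILES) or ["routing is consistent"]:
        print(finding)
```

To run it against a real server, read /etc/openvpn/server.conf and the files under /etc/openvpn/ccd/ into the two arguments instead of the constructed sample; the checks are the same for any number of router clients.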
Now fire up OpenVPN –
service openvpn start
Next we need to allow the OpenVPN traffic through the local IPTables firewall –
iptables -I INPUT -p udp -m udp --dport 1194 -j ACCEPT
service iptables save
On the TP-LINK router via SSH
Next from your PC we’re going to SSH on to the TP-LINK router at 10.10.10.1 and run the following. This will copy the certificate files we created earlier to the router, into /etc/openvpn/ where the config file in the next step looks for them. X.X.X.X should be replaced with your VPS IP –
# copy into /etc/openvpn/ so the paths used in the config below match
scp X.X.X.X:/etc/openvpn/keys/ca.crt /etc/openvpn/
scp X.X.X.X:/etc/openvpn/keys/tplink1.key /etc/openvpn/
scp X.X.X.X:/etc/openvpn/keys/tplink1.crt /etc/openvpn/
Now create a copy of the original OpenVPN config file –
Next we’re going to edit that file and change some settings from the default. These settings start half way down the file under the client configuration settings. Finally reboot the router –
option enable 1
list remote "X.X.X.X 1194"
option cert /etc/openvpn/tplink1.crt
option key /etc/openvpn/tplink1.key
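The four UCI lines above are the only ones that need changing, but after a reboot the tunnel silently fails if a referenced file was not copied, or if the section is not enabled. The script below is an added example, not from the original post or from OpenWrt: it parses the /etc/config/openvpn syntax (config / option / list lines), picks the enabled sections and reports a missing `remote`, certificate or key paths that do not exist on the router, and a private key readable by other users. The embedded fragment is constructed from the values above under an assumed section name `tplink_client`; the filesystem lookup is injected so the check can be exercised without a router.

```python
"""Sanity check for the OpenWrt UCI OpenVPN client section.

Added example, not part of the original post or of OpenWrt: parses
/etc/config/openvpn and reports the things that commonly break the tunnel
after a reboot.
"""
import os
import shlex
import stat

# Constructed /etc/config/openvpn fragment using the values from the post;
# the section name tplink_client is assumed.
UCI_SAMPLE = """
config openvpn tplink_client
    option enable 1
    list remote "X.X.X.X 1194"
    option cert /etc/openvpn/tplink1.crt
    option key /etc/openvpn/tplink1.key
"""


def parse_uci(text):
    """Return {section_name: {option: value or [values]}} for 'config openvpn' sections."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        if parts[0] == "config" and len(parts) >= 3 and parts[1] == "openvpn":
            current = sections.setdefault(parts[2], {})
        elif parts[0] == "option" and current is not None:
            current[parts[1]] = parts[2] if len(parts) > 2 else ""
        elif parts[0] == "list" and current is not None:
            current.setdefault(parts[1], []).append(parts[2])
    return sections


def check_client_sections(text, file_mode):
    """Return a list of findings for every enabled section.

    file_mode(path) returns the st_mode of a file, or None if it is missing;
    it is injected so the check can run against a fake filesystem in tests.
    """
    findings = []
    for name, opts in parse_uci(text).items():
        if opts.get("enable") != "1":
            continue  # disabled sections never start, so skip them
        if not opts.get("remote"):
            findings.append(f"{name}: no 'remote' set, nothing to connect to")
        for opt in ("ca", "cert", "key"):
            path = opts.get(opt)
            if not path:
                continue
            mode = file_mode(path)
            if mode is None:
                findings.append(f"{name}: {opt} file {path} is missing (scp it to the router)")
            elif opt == "key" and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append(f"{name}: private key {path} is readable by other users")
    return findings


def os_file_mode(path):
    """Real-filesystem adapter for check_client_sections."""
    try:
        return os.stat(path).st_mode
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    # On the router: run against the live config and the real filesystem.
    with open("/etc/config/openvpn") as fh:
        for finding in check_client_sections(fh.read(), os_file_mode) or ["client config looks complete"]:
            print(finding)
```

On the router itself, `python` may not be installed on a Backfire image; the same checks can be run from a PC by copying /etc/config/openvpn over and passing a dictionary of the copied files' modes as `file_mode`, as the test does.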
On the TP-LINK router via the web GUI
First we’re going to create a new interface that includes the tun interface created by OpenVPN.
- Network / Interfaces / Add New Interface
- name – openvpn
- protocol – unmanaged
- interface – tun0
and now we’re going to allow traffic through the TP-LINK firewall to the VPN –
- Network / Firewall / Zones / Add
- Input / Output / Forward = Accept
- Tick lan in Destination and Source zones
And now reboot the router.
And we’re done!
If you used the settings above then the VPS should be reachable from the LAN on its VPN address, 10.20.0.1. You should be able to get to the FreePBX web interface on this address and also use it as the server address in your phone configuration.
This is definitely not for the faint-hearted as it’s pretty technical and could require some troubleshooting if things don’t work immediately. It’s pretty cool though and should allow for multiple VOIP handsets to be plugged in to the TP-LINK router and connect to the VPS without any worry of NAT problems (as there’s no NAT happening across the VPN).
I’ve done a few test calls which worked well, but I’ve still got to do some speed tests to see how well the TP-LINK performs.