OpenVPN with a TP-LINK TL-WR1043ND

There are several benefits to setting up a VPN between your site and your Asterisk server. All traffic is encrypted, you don't need to open lots of ports in the firewall, and there are no SIP/NAT problems because the voice traffic is routed over the VPN tunnel rather than through the NAT on your broadband router.

This is a pretty advanced setup but here is a walkthrough for setting up a SysAdminMan VPS as an OpenVPN server and then connecting to it with a TP-LINK router running OpenWRT.

Specifically, this router was used – http://www.tp-link.com/en/products/details/?model=TL-WR1043ND. I paid around £40 from Amazon, an absolute bargain for something that will run OpenWRT.

Setting up the router

First you need to flash OpenWRT on to the router. This replaces the original firmware. Here are some instructions for this TP-Link router – http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd?s. I got version 18 of the router and flashed Backfire 10.03.1-rc6 version of OpenWRT.

Next the router was connected to my home network via its WAN port. The WAN side of the TP-LINK should be given an IP address by your network's DHCP server; it will use this to reach the Internet.

Now connect a PC to a LAN port using a network cable; it should be given an IP address in the 192.168.1.0/24 range.

Now make the following changes on the router using a web browser. This will install the OpenVPN software and assign a new IP address to the router. If you use a different subnet you will need to change some settings below to match –

  • Assign a password
  • Change the LAN network address to 10.10.10.1
  • In OpenWRT go to System / Software and click on Update Lists
  • Click Available Packages and install OpenVPN
  • Click System / Administration and enable SSH on the LAN interface
  • Click System / Startup and Enable and Start OpenVPN
  • Reboot the router

On the SysAdminMan VPS

For this to work you will need a TUN device assigned to your VPS. Please open a support ticket to request this.

First we're going to install OpenVPN. This installs from RPMforge, which is set up as standard on the VPS. The easy-rsa scripts ship in the package's documentation directory; adjust the version number in the path below to match the package you actually installed –

yum install openvpn
cp -r /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* /etc/openvpn/
chmod +x /etc/openvpn/*
cd /etc/openvpn

Now, if you'd like, you can edit /etc/openvpn/vars and change the settings at the bottom (country, organisation, e-mail address and so on) to sensible defaults. This is not required, but it saves retyping them for every certificate. The same file sets KEY_SIZE, which controls the RSA and Diffie-Hellman key size: the easy-rsa 2.0 default is 1024 bits, which is weak by current standards. If you raise it to 2048, build-dh will produce dh2048.pem instead of dh1024.pem and the dh line in server.conf below must be changed to match.

Next we're going to create the certificates for OpenVPN. Run these commands one at a time and answer the questions that are asked. clean-all wipes the keys directory, so only run it on a fresh install. When build-key asks for the Common Name, enter the name you passed on the command line (tplink1 here): OpenVPN later uses that CN to find the client's file in the ccd directory. build-dh generates the Diffie-Hellman parameters that the dh line in server.conf refers to and can take a few minutes –

. ./vars
./clean-all
./build-ca
./build-key-server server
./build-key tplink1
./build-dh

Now create a file called /etc/openvpn/server.conf with the following settings. The route line tells the Linux kernel to send packets for the LAN behind the router into the tun interface; the matching iroute in the ccd file (next step) tells OpenVPN which client to hand them to. Whatever you decide about compression, the comp-lzo setting must be the same on both ends or packets will not decode correctly –

port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.20.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route 10.10.10.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3

Now we're going to tell OpenVPN which client owns the LAN behind the TP-LINK router. The file name in ccd must exactly match the Common Name of the client certificate (tplink1 from the build-key step above); if it doesn't, OpenVPN silently ignores it and the VPN will come up but hosts on the LAN will be unreachable from the VPS –

mkdir ccd
echo "iroute 10.10.10.0 255.255.255.0" >> ccd/tplink1

Now fire up OpenVPN –

chkconfig openvpn on
service openvpn start

Next we need to allow the OpenVPN traffic through the local iptables firewall. The first rule accepts everything that arrives over the tunnel, i.e. it fully trusts the VPN clients, which is what you want when the only client is your own router. The second opens UDP 1194 to the Internet; this is the only port that needs to be open, as SIP and RTP now travel inside the tunnel –

iptables -I INPUT -i tun0 -j ACCEPT
iptables -I INPUT -p udp -m udp --dport 1194 -j ACCEPT
service iptables save
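As an added example (not code from the original post or from SysAdminMan), here is a small POSIX shell script that generates the server.conf and the per-client ccd entry above from a few parameters and then checks the pairing that causes most of the trouble with this setup: every iroute in ccd/ must have an identical route line in server.conf, and the ccd file name must be a plain certificate CN. It writes under a directory you choose, so it can be tried in a scratch directory before touching /etc/openvpn. The dh2048.pem file name (KEY_SIZE=2048 in easy-rsa vars), the CN character check and the script's argument layout are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: build server.conf and a ccd
# entry from parameters, then verify that every iroute has a matching route.
set -e

# gen_server_conf DIR VPN_NET LAN_NET [DH_FILE]
# VPN_NET and LAN_NET are "address netmask" strings, e.g. "10.20.0.0 255.255.255.0".
# DH_FILE defaults to dh2048.pem, i.e. KEY_SIZE=2048 in easy-rsa vars (assumption).
gen_server_conf() {
  dir=$1 vpn_net=$2 lan_net=$3 dh_file=${4:-dh2048.pem}
  mkdir -p "$dir/ccd" "$dir/keys"
  cat > "$dir/server.conf" <<EOF
port 1194
proto udp
dev tun
ca $dir/keys/ca.crt
cert $dir/keys/server.crt
key $dir/keys/server.key
dh $dir/keys/$dh_file
server $vpn_net
ifconfig-pool-persist ipp.txt
client-config-dir ccd
route $lan_net
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
EOF
}

# add_client_lan DIR CN LAN_NET
# Writes DIR/ccd/CN containing "iroute LAN_NET". OpenVPN looks the file up by
# the Common Name in the client certificate, so CN must be spelled exactly as
# it was given to build-key. The character check also stops a CN such as
# "../x" from escaping the ccd directory.
add_client_lan() {
  dir=$1 cn=$2 lan_net=$3
  case $cn in
    ''|*[!A-Za-z0-9._-]*) echo "refusing CN '$cn'" >&2; return 1 ;;
  esac
  printf 'iroute %s\n' "$lan_net" > "$dir/ccd/$cn"
}

# check_routes DIR
# For each iroute in DIR/ccd/*, require an identical "route" line in
# DIR/server.conf. Without the kernel route the VPS sends replies for the
# remote LAN out of its default gateway instead of into tun0 (the symptom is
# that the VPN comes up but hosts behind the router cannot be reached).
# Returns 0 when consistent, 1 otherwise.
check_routes() {
  dir=$1 rc=0
  for f in "$dir"/ccd/*; do
    [ -f "$f" ] || continue
    while read -r kw net; do
      [ "$kw" = iroute ] || continue
      if ! grep -qxF "route $net" "$dir/server.conf"; then
        echo "ccd/${f##*/}: iroute $net has no matching route in server.conf" >&2
        rc=1
      fi
    done < "$f"
  done
  return "$rc"
}

# Usage: sh openvpn-routes.sh DIR CN LAN_PREFIX
#   e.g. sh openvpn-routes.sh /tmp/ovpn-test tplink1 10.10.10.0
# The tunnel subnet 10.20.0.0/24 and a /24 LAN mask are fixed here to match
# the walkthrough; change them to suit.
if [ "$#" -eq 3 ]; then
  gen_server_conf "$1" "10.20.0.0 255.255.255.0" "$3 255.255.255.0"
  add_client_lan "$1" "$2" "$3 255.255.255.0"
  if check_routes "$1"; then
    echo "ok: $1/server.conf and $1/ccd/$2 are consistent"
  fi
fi
```

Run it against a scratch directory first and diff the result against your real /etc/openvpn; the check_routes function is also handy on its own after hand-editing server.conf, since a route/iroute mismatch produces no error in the OpenVPN log.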

ON THE TP-LINK ROUTER VIA SSH

Next, from your PC, SSH on to the TP-LINK router at 10.10.10.1 and run the following. This copies the certificate files created earlier to the router; scp runs on the router and pulls the files from the VPS over SSH, so the private key never crosses the network in the clear. X.X.X.X should be replaced with your VPS IP. Note that tplink1.key is the router's private key: once it is on the router there is no need to keep a copy on the VPS, and on both machines it should be readable by root only –

cd /etc/openvpn
scp X.X.X.X:/etc/openvpn/keys/ca.crt .
scp X.X.X.X:/etc/openvpn/keys/tplink1.key .
scp X.X.X.X:/etc/openvpn/keys/tplink1.crt .

Now create a copy of the original OpenVPN config file –

cp /etc/config/openvpn /etc/config/openvpn.orig

Next we're going to edit that file and change the settings below from their defaults. They start about half way down the file, in the client configuration section. Make sure the compression option in this section matches the comp-lzo setting in server.conf on the VPS. Finally reboot the router –

vi /etc/config/openvpn

option enable 1
list remote "X.X.X.X 1194"
option cert /etc/openvpn/tplink1.crt
option key /etc/openvpn/tplink1.key

reboot

ON THE TP-LINK ROUTER VIA THE WEB GUI

First we’re going to create a new interface that includes the tun interface created by OpenVPN

  • Network / Interfaces / Add New Interface
  • name – openvpn
  • protocol – unmanaged
  • interface – tun0

and now we're going to allow traffic between the VPN and the LAN through the TP-LINK firewall. The new zone must actually cover the openvpn interface created above, otherwise it covers nothing and no traffic will pass –

  • Network / Firewall / Zones / Add
  • Name – openvpn
  • Input / Output / Forward = Accept
  • Covered networks – tick openvpn
  • Tick lan in Destination and Source zones

This lets every host on the VPN side reach every host on the LAN and vice versa, which is what you want when the only thing on the far end is your own VPS. Now reboot the router.

And we’re done!

If you used the settings above then the VPS should be reachable from the LAN on its tunnel address, 10.20.0.1. You should be able to get to the FreePBX web interface on this address and also use it as the SIP server in your phone configuration.

This is definitely not for the faint hearted as it's pretty technical and could require some troubleshooting if things don't work immediately. It's pretty cool though and should allow multiple VOIP handsets to be plugged in to the TP-LINK router and connect to the VPS without any worry of NAT problems (as there's no NAT happening across the VPN).

I’ve done a few test calls which worked well, but I’ve still got to do some speed tests to see how well the TP-LINK performs.

15 thoughts on “OpenVPN with a TP-LINK TL-WR1043ND”

  1. matt Post author

    Just as a small update … as we're going to be using the tunnel above for VOIP and want the lowest latency possible it makes sense to turn off compression. Therefore it would be good to disable comp-lzo. This needs doing in both the server and client OpenVPN config files.

  2. peter

    That is a very good walkthrough Matt, well done. There are many sites where we deploy WiMAX to the site instead of ADSL, and putting an OpenWRT based router like that TP-Link one there will fit the bill quite nicely for sure.

    When using the OpenWRT firmware on the TL-WR1043ND do you still have all the TP-Link features? The WiFi specs on that model look very impressive, and I noticed that there is a USB connector for an external hard drive; that could be useful for a lot of things at the sites we serve.

    thanks for posting Matt 🙂
    happy new year

  3. matt Post author

    Hi Peter,

    Certainly basic WiFi functionality seems to work fine. I get options for B+G+N and modifying the power output works OK. I’ve not tried a USB drive but it does seem to be something OpenWRT supports. Sadly, while you can put it on the 834GT, it looks like using the built-in DSL modem is not supported.

  4. matt Post author

    I did a quick test today to see how much of an overhead running OpenVPN added to the VOIP traffic. It looks like it’s around 25kb/s so if you’re running G729 then that’s quite significant. The results below show one channel running an echo test.

    Here were the findings –

    Without OpenVPN – Single Call
    G729 – 25 kb/s
    G711 – 80 kb/s

    With OpenVPN – Single Call
    G729 – 50 kb/s
    G711 – 105 kb/s

    With OpenVPN – Two Calls
    G711 – 210 kb/s

  5. Phil

    I have followed this guide, and I am unable to ping my server. I am not a customer of SysAdminMan, however I did follow this guide to the letter. The server's tun0 address is 10.20.0.1 and the router's tun0 address is 10.20.0.6. From a laptop connected to the LAN I can ping the LAN network address 10.10.10.1 and 10.20.0.6, but if I try to ping the server address 10.20.0.1 I get destination net unavailable. If I log on to the router via SSH and do ifconfig I see the address of tun0 and can ping the server address; I can also SSH to the server address from the router, but am unable to ping the server address from a laptop connected to the LAN. Any suggestions?

  6. matt Post author

    Hi Phil,

    OpenVPN should be logging attempted connections (/var/log/messages in CentOS) so check to see that the client is actually trying to connect. You might see some errors in there.

  7. Phil

    hi Matt,

    Everything seems OK in messages, and I can ping from the router so connectivity is fine. It seems like the router is not routing the traffic, or the server can not find its way back to the 10.10.10.0/24 network (10.10.10.10/24), but I can ping 10.20.0.6, strange. Any help please. Maybe you could go through the above tutorial you wrote and see if you can repeat my problem; you should be able to, as I followed this tutorial to the letter.

  8. matt Post author

    If the router is actually making a connection then it’s probably either the ‘route’ line in server.conf (which tells Linux that OpenVPN is doing the routing for that subnet) or the tplink1 file in ccd, which tells OpenVPN which device to send the traffic to. The name of the file must match the device name you used when creating the certificates.

  9. Phil

    Hi Matt,

    So I have worked out that the CN is the name of the router and created the file in /etc/openvpn/ccd for vpnroutertest, which contains iroute 10.10.10.0 255.255.255.0. I restarted both server and router, and now the server can ping the LAN interface of vpnroutertest (10.10.10.1) and it can ping the tun0 interface (10.20.0.6), but the server can not ping my laptop at 10.10.10.199, nor can the laptop ping the server at 10.20.0.1, as per the first trace below, but the laptop can ping 10.10.10.1 and 10.20.0.6.

  10. matt Post author

    If the server can ping the LAN that must mean the VPN is up? If so it sounds like a firewall problem. I’d double check you’ve done everything above (changing any relevant bits to match your config)

  11. Phil

    I will check the firewall. Can you add more details to

    “and now we’re going to allow traffic through the TP-LINK firewall to the VPN –

    Network / Firewall / Zones / Add
    Input / Output / Forward = Accept
    Tick lan in Destination and Source zones”

    as there are other options on this list like masquerading / MSS clamping / covered networks. Am I supposed to select openvpn from this list to be allowed to the LAN zone?

    Please can you elaborate on this section, thanks.

  12. Phil

    OK, so the problem seemed to be the CN and the firewall.

    I ticked the openvpn box, saved all, restarted and all pings started to work.

    Thanks for this tutorial, it was a great help. I would also suggest updating the firewall section to include the fact that you have to also put a tick in openvpn and LAN, and also point out to users that CN is the name of the router and the file that should be used in ccd. Many thanks for this 🙂

  13. matt Post author

    Thanks for the update Phil, I’m glad it’s working but I think if you’re going to take my blog and post it pretty much verbatim on your own site then the least you could do is link back.

    For anyone looking to do this without the hassle then SysAdminMan has a custom tp-link 1043 firmware with OpenVPN installed and configured that works with a SysAdminMan VPS – http://sysadminman.net/sysadminman-vpnpbx-hosting.html

  14. Phil

    Sorry Matt, the ping back URL shortener I use had not updated the RSS feed; there is a link on there now. I always include links to the place I find useful blog posts.

    sorry for the misunderstanding 🙂

  15. openvpn_Help

    Hi,
    I am following this guide and am at the step where I install OpenVPN. However, I have several OpenVPNs; which one do I install? I would like SSL but it is not required, as I would use a self-generated SSL. So I have openvpn-nossl, openvpn-openssl and openvpn-polarssl. I would appreciate any assistance you can provide.
