There are several potential benefits to setting up a VPN to your Asterisk server. All traffic is encrypted and you don’t need to open lots of ports in the firewall. Also there are no issues with SIP and NAT as traffic is routed over the VPN tunnel.
This is a pretty advanced setup but here is a walkthrough for setting up a VPS as an OpenVPN server and then connecting to it with a TP-LINK router running OpenWRT.
Specifically this router is used – http://www.tp-link.com/en/products/details/?model=TL-WR1043ND. I paid around £40 from Amazon, an absolute bargain for something that will run OpenWRT.
Setting up the router
First you need to flash OpenWRT on to the router. This replaces the original firmware. Here are some instructions for this TP-Link router – http://wiki.openwrt.org/toh/tp-link/tl-wr1043nd?s. I got version 18 of the router and flashed Backfire 10.03.1-rc6 version of OpenWRT.
Next the router was connected via the WAN port on the TP-LINK to my home network. The WAN side of your TP-LINK should be given an IP address from your network DHCP server. It will use this to connect to the Internet.
Now connect a PC to a LAN port using a network cable and you should be given an IP address in the range 192.168.1.0/24
Now make the following changes on the router using a web browser. This will install the OpenVPN software and assign a new IP address to the router. If you use a different subnet you will need to change some settings below to match –
- Assign a password
- Change the LAN network address to 10.10.10.1
- set hostname to tplink1 or some other identifiable name, this is the CN name used later for creating the certs
- In OpenWRT go to System / Software and click on Update Lists
- Click Available Packages and install OpenVPN
- Click System / Administration and enable SSH on the LAN interface
- Click System / Startup and Enable and Start OpenVPN
- Reboot the router
On the VPS
First we’re going to install OpenVPN. This will install from rpmforge, which is set up as standard –
yum install openvpn
cp -r /usr/share/doc/openvpn-2.2.0/easy-rsa/2.0/* /etc/openvpn/
chmod +x /etc/openvpn/*
Now, if you’d like you can edit /etc/openvpn/vars and change the settings at the bottom to some sensible defaults. This is not required, but will make creating the certificates easier.
Next we’re going to set up some certificates for OpenVPN. You should run these commands one at a time and answer the questions that are asked –
When Creating the tplink1 certs CN should be set to the hostname of the router, in this case tplink1 or some other identifiable hostname.
Now create a file called /etc/openvpn/server.conf with the following settings –
server 10.20.0.0 255.255.255.0
route 10.10.10.0 255.255.255.0
keepalive 10 120
Now we’re going to tell OpenVPN to route traffic to our LAN behind the TP-LINK router –
echo “iroute 10.10.10.0 255.255.255.0” >> ccd/tplink1
Again tplink1 is the host name used by the router/CN in the certs.
Now fire up OpenVPN –
chkconfig openvpn on
service openvpn start
Next we need to allow the OpenVPN traffic through the local IPTables firewall –
iptables -I INPUT -i tun0 -j ACCEPT
iptables -I INPUT -p udp -m udp –dport 1194 -j ACCEPT
service iptables save
ON THE TP-LINK ROUTER VIA SSH
Next from your PC we’re going to SSH on to the TP-LINK router at 10.10.10.1 and run the following. This will copy the certificate files we created earlier to the router. X.X.X.X should be replaced with your VPS IP –
scp X.X.X.X:/etc/openvpn/keys/ca.crt .
scp X.X.X.X:/etc/openvpn/keys/tplink1.key .
scp X.X.X.X:/etc/openvpn/keys/tplink1.crt .
Again tplink1 represents the hostname for the router/CN.
Now create a copy of the original OpenVPN config file –
cp /etc/config/openvpn /etc/config/openvpn.orig
Next we’re going to edit that file and change some settings from the default. These settings start half way down the file under the client configuration settings. Finally reboot the router –
vi /etc/config/openvpnoption enable 1 list remote “X.X.X.X 1194” option cert /etc/openvpn/tplink1.crtoption key /etc/openvpn/tplink1.keyreboot
ON THE TP-LINK ROUTER VIA THE WEB GUI
First we’re going to create a new interface that includes the tun interface created by OpenVPN
- Network / Interfaces / Add New Interface
- name – openvpn
- protocol – unmanaged
- interface – tun0
and now we’re going to allow traffic through the TP-LINK firewall to the VPN –
- Network / Firewall / Zones / Add
- Input / Output / Forward = Accept
- Covered Networks = openvpn
- Tick lan in Destination and Source zones
and now Reboot the router.
And we’re done!
If you used the settings above then VPS should be accessible on the IP address via the IP 10.20.0.1.
This is definitely not for the faint hearted as it’s pretty technical and could require some troubleshooting if things don’t work immediately.
Add more sites to this VPN
log on to the VPS or OpenVPN Server, and run to following:
Then scp the new certs (/etc/openvpn/keys) to the router and follow the router part from above, and again that site will be able to ping the VPS.
Article source: http://bit.ly/JzemQg