Installing OpenVPN on your Asterisk Server (PBX in a Flash Distribution) – Day 2

November 26, 2008 • Informational

    Status update

So far we have configured the Asterisk server to run OpenVPN. You can find all the installation instructions at http://www.openvpn.net, but if you want to know how we did it, here you go.

Disclaimer. We literally just tested this less than an hour ago, so we didn't really customize anything.

So you've got OpenVPN installed; now you need to build the certificate authority. You'll start off by browsing to the easy-rsa directory at /usr/share/doc/openvpn-2.0.9. Copy this entire directory to /etc/openvpn/ so that future OpenVPN upgrades don't overwrite the changes you make. After you've entered the directory, open the vars file:

vi vars (or use nano vars). Edit the following lines so they look similar to this:

export KEY_COUNTRY=US
export KEY_PROVINCE=NA
export KEY_CITY=NewYork
export KEY_ORG="Voipling"
export KEY_EMAIL="webmaster@someplace.com"

Save it, then load the variables and build the CA by typing the following:
. ./vars (notice there are two dots with one blank space between them)
./clean-all
./build-ca

    This will build the certificate authority. Follow the on-screen prompts and don’t forget to enter your unique Common Name.

Next you need to generate the server's certificate and private key.

    ./build-key-server server

    Next generate certificates and keys for the clients that will be connecting to your server.

./build-key client1 (or use whatever name you want in place of "client1"). Make sure you use a unique Common Name for every certificate you generate.

Generate the Diffie-Hellman parameters:

    ./build-dh
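Before moving on to the configuration files, it is worth checking that the easy-rsa steps above actually left every file in place and that no private key ended up readable by other users on the PBX. The script below is an added example, not part of the original post or of easy-rsa; it assumes the easy-rsa 2.x layout (a keys/ directory under easy-rsa), a server key named "server" as in the post, and a DH file named dh<KEY_SIZE>.pem (dh1024.pem for the default KEY_SIZE). The fixture it builds for the stand-alone demo is constructed placeholder data, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the easy-rsa
# output before pointing server.conf at it. Verifies that every file that
# build-ca / build-key-server / build-key / build-dh should have produced
# exists, that no private key is empty, and that no private key is
# group- or world-accessible.

# key_is_private FILE -> 0 when FILE exists and has no group/world bits.
# Uses `ls -l` rather than `stat` so it behaves the same on GNU and BSD.
key_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(ls -ld "$f" | cut -c5-10)   # columns 5-10 = group and other bits
    [ "$mode" = "------" ]
}

# check_keys_dir KEYS_DIR CLIENT... -> 0 when everything is in place,
# otherwise one line per problem on stderr and exit status 1.
check_keys_dir() {
    dir=$1; shift
    rc=0
    for f in ca.crt ca.key server.crt server.key; do
        [ -f "$dir/$f" ] || { echo "missing: $dir/$f" >&2; rc=1; }
    done
    # build-dh names the file after KEY_SIZE (dh1024.pem by default);
    # accept any size rather than hard-coding one.
    if ! ls "$dir"/dh*.pem >/dev/null 2>&1; then
        echo "missing: $dir/dh<size>.pem (run ./build-dh)" >&2; rc=1
    fi
    for c in "$@"; do
        for f in "$c.crt" "$c.key"; do
            [ -f "$dir/$f" ] || { echo "missing: $dir/$f (run ./build-key $c)" >&2; rc=1; }
        done
    done
    for k in "$dir"/*.key; do
        [ -f "$k" ] || continue
        [ -s "$k" ] || { echo "empty private key: $k" >&2; rc=1; }
        key_is_private "$k" || { echo "private key readable by others: $k (chmod 600)" >&2; rc=1; }
    done
    return $rc
}

# make_fixture -> path of a constructed keys directory holding placeholder
# files (NOT real certificates), used only to demonstrate the check.
make_fixture() {
    d=$(mktemp -d)
    for f in ca.crt ca.key server.crt server.key dh1024.pem client1.crt client1.key; do
        printf 'placeholder %s\n' "$f" > "$d/$f"
    done
    chmod 600 "$d"/*.key
    echo "$d"
}

# Stand-alone demo on the constructed fixture. On a real server run
#   check_keys_dir /etc/openvpn/easy-rsa/keys client1 client2 ...
demo=$(make_fixture)
if check_keys_dir "$demo" client1; then
    echo "keys directory OK: $demo"
fi
rm -rf "$demo"
```

On the real server, run check_keys_dir against /etc/openvpn/easy-rsa/keys with the name of every client you built; a non-zero exit tells you which build step to repeat or which key to chmod 600 before you hand the directory to OpenVPN.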

That's it! You should now have all the certs, keys, CSRs and the CA files that you'll need. Now on to the configuration files. Since we want the server to act as a server and possibly as a client (if you want to create a VPN tunnel between two Asterisk servers), you'll have to modify both the server.conf and client.conf files.

The OpenVPN guys provide a nice set of examples in the "sample-config-files" directory. Let's modify the server.conf file first, since we want to get the server up and running.

    vi server.conf

    You don’t actually need to modify much if you want to do a general test. Just modify the following lines of the “server.conf” file.

    ca ca.crt
    cert server.crt
    key server.key  # This file should be kept secret

    These need to point to the location where your certs are stored. For our testing we changed it to:

    ca /etc/openvpn/easy-rsa/keys/ca.crt
    cert /etc/openvpn/easy-rsa/keys/server.crt
    key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret

The default subnet it will use is 10.8.0.0 255.255.255.0. If you are already using this subnet in your network, go ahead and modify the "server 10.8.0.0 255.255.255.0" line to whatever you want it to be. OpenVPN will use this subnet to assign addresses to your clients and to your tunnel interface.

    Now you are ready to verify that at a minimum the server portion works. You can do so by typing in:

    openvpn server.conf (make sure you are in the right directory where the server conf file is located).

You should now see the server listening for incoming clients. The very last line should say "Initialization Sequence Completed". If you don't see this line, go back and review what you did. If these instructions didn't work for you, go here and follow those instructions.

    *********************************************************************

To prepare your server for use you will need to modify the iptables rules on it. If you chose the default UDP protocol and port number, you can use the following command. If you didn't, be sure to substitute tcp for udp and use the port number you defined in the server.conf file.

iptables -A INPUT -p udp --dport 1194 -j ACCEPT
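The server.conf edits above (absolute ca/cert/key paths, the server subnet) and this firewall rule are the two places where a hand edit can drift apart: if you later change proto or port in server.conf, the iptables rule silently stops matching. The script below is an added example, not part of the original post or of OpenVPN; it makes the same edits with sed and then derives the iptables command from whatever proto and port server.conf actually contains, so the rule can be regenerated from the file. It assumes the keys live in /etc/openvpn/easy-rsa/keys (the path the post uses), that server.conf follows the sample file's one-directive-per-line layout, and it also rewrites the dh line (which the sample file leaves relative, just like ca/cert/key) assuming the file is named dh1024.pem. The server.conf it builds for the demo is a constructed excerpt.

```shell
#!/bin/sh
# Added example (not from the original post): edit server.conf with sed and
# derive the matching iptables rule from the proto/port the file uses.

# conf_value FILE KEY -> first uncommented value of KEY ("" if absent).
# Lines such as ";proto tcp" have ";proto" as their first field, so the
# sample file's commented alternatives are ignored automatically.
conf_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# set_directive FILE KEY VALUE -> replace the active "KEY ..." line, or
# append one if the file has none. Keeps a FILE.bak copy of the original.
set_directive() {
    f=$1; k=$2; v=$3
    if grep -q "^$k " "$f"; then
        sed -i.bak -e "s|^$k .*|$k $v|" "$f"
    else
        printf '%s %s\n' "$k" "$v" >> "$f"
    fi
}

# point_certs_at FILE KEYS_DIR -> absolute paths for ca/cert/key/dh so
# OpenVPN finds them whichever directory it is started from.
point_certs_at() {
    set_directive "$1" ca   "$2/ca.crt"
    set_directive "$1" cert "$2/server.crt"
    set_directive "$1" key  "$2/server.key  # This file should be kept secret"
    set_directive "$1" dh   "$2/dh1024.pem"   # assumed name for default KEY_SIZE
}

# firewall_rule FILE -> the iptables command that opens exactly the
# proto/port server.conf listens on (OpenVPN's defaults are udp/1194).
# Printed rather than executed so the admin can review it first.
firewall_rule() {
    proto=$(conf_value "$1" proto)
    port=$(conf_value "$1" port)
    case "${proto:-udp}" in
        tcp*) proto=tcp ;;   # covers tcp, tcp-server, tcp6-server
        *)    proto=udp ;;
    esac
    echo "iptables -A INPUT -p $proto --dport ${port:-1194} -j ACCEPT"
}

# make_sample_conf -> path of a constructed excerpt of the sample server.conf
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed excerpt of OpenVPN's sample server.conf (demo data)
port 1194
;proto tcp
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.8.0.0 255.255.255.0
EOF
    echo "$f"
}

# Stand-alone demo. On the PBX, replace $conf with /etc/openvpn/server.conf.
conf=$(make_sample_conf)
point_certs_at "$conf" /etc/openvpn/easy-rsa/keys
set_directive "$conf" server "10.8.0.0 255.255.255.0"
cat "$conf"
echo "firewall rule to apply:"
firewall_rule "$conf"
rm -f "$conf" "$conf.bak"
```

After running point_certs_at and set_directive against the real server.conf, run the line that firewall_rule prints; if you ever switch to `proto tcp` or another port, rerun firewall_rule and replace the old rule rather than editing the iptables command by hand.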
