Installing OpenVPN on your Asterisk Server (PBX in a Flash Distribution) – Day 2

Status update

So far we configured the asterisk server to run openVPN. You can find all the installation instructions on but if you want us to tell you how we did it then here you go.

Disclaimer. We literally just tested this less than an hour ago so we didnt really customize anything.

So you’ve got openvpn installed now what you need to do is build the certificate authority. You’ll start off by browsing to the easy-rsa directory at /usr/share/doc/openvpn-2.0.9. You should copy this entire directory to /etc/openvpn/ so that future OpenVPN upgrades don’t affect the changes you made. After you’ve entered the directory

vi bars (or use nano bars). Edit the following lines so they look similar to this

export KEY_CITY=NewYork
export KEY_ORG=”Voipling”
export KEY_EMAIL=””

save it and then rebuild the file by typing in the following.
. ./vars – notice there are two dots and there is one blank space in between them

This will build the certificate authority. Follow the on-screen prompts and don’t forget to enter your unique Common Name.

Next you need to generate a certificate and private key.

./build-key-server server

Next generate certificates and keys for the clients that will be connecting to your server.

./build-key client1 (or use whatever name you want in place of “client1“). Make sure you use a unique common name for every certificate you generate.

Generate the Diffie Hellman parameters


Thats it! You should now have all the certs, keys, csr and the ca files that you’ll need. Now continuing on to the configuration files. Since we want the server to act as a server and possibly client (if you want to create a vpn tunnel between two asterisk servers) you’ll have to modify the the server.conf and client.conf files.

The OpenVPN guys provided a nice set of examples that you can find in the “samples-config-files” directory. Let’s modify the server.conf file since we want to get the server up and running.

vi server.conf

You don’t actually need to modify much if you want to do a general test. Just modify the following lines of the “server.conf” file.

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

These need to point to the location where your certs are stored. For our testing we changed it to:

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret

The default subnet it will use is If you are already using this subnet in you network go ahead and modify the “server″ line to whatever you want it to be. It will use this as the subnet for assigning addresses to your clients and your tunnel interface.

Now you are ready to verify that at a minimum the server portion works. You can do so by typing in:

openvpn server.conf (make sure you are in the right directory where the server conf file is located).

You should now see the server listening for incoming clients. The very last line should say “Initialization Sequence Completed”. If you don’t see this line you’ll have to go back and review what you did. If these instructions didnt work for you, go here and follow those instructions


To prepare for usage of your server you will need to modify the iptables on your server. If you chose to use the defualt udp protocol and port number then you can use the following command. If you don’t be sure to substitute udp with tcp and the port number you defined in the server.conf file.

iptables -A INPUT -p udp –dport 1194 -j ACCEPT