Installing OpenVPN on your Asterisk Server (PBX in a Flash Distribution) – Day 2

Status update

So far we configured the Asterisk server to run OpenVPN. You can find all the installation instructions on http://www.openvpn.net, but if you want us to tell you how we did it, then here you go.

Disclaimer. We literally just tested this less than an hour ago, so we didn't really customize anything.

So you've got OpenVPN installed; now what you need to do is build the certificate authority. You'll start off by browsing to the easy-rsa directory at /usr/share/doc/openvpn-2.0.9. You should copy this entire directory to /etc/openvpn/ so that future OpenVPN upgrades don't affect the changes you made. After you've entered the directory, open the vars file:

vi vars (or use nano vars). Edit the following lines so they look similar to this:

export KEY_COUNTRY=US
export KEY_PROVINCE=NA
export KEY_CITY=NewYork
export KEY_ORG="Voipling"
export KEY_EMAIL="webmaster@someplace.com"

Save it, then source it and rebuild the key directory by typing in the following:

. ./vars (notice there are two dots and there is one blank space in between them)
./clean-all
./build-ca

This will build the certificate authority. Follow the on-screen prompts and don’t forget to enter your unique Common Name.

Next you need to generate a certificate and private key.

./build-key-server server

Next generate certificates and keys for the clients that will be connecting to your server.

./build-key client1 (or use whatever name you want in place of "client1"). Make sure you use a unique Common Name for every certificate you generate.

Generate the Diffie-Hellman parameters:

./build-dh

That's it! You should now have all the certs, keys, CSRs and the CA files that you'll need. Now continuing on to the configuration files. Since we want the server to act as a server and possibly as a client (if you want to create a VPN tunnel between two Asterisk servers), you'll have to modify the server.conf and client.conf files.

The OpenVPN guys provided a nice set of examples that you can find in the "sample-config-files" directory. Let's modify the server.conf file since we want to get the server up and running.

vi server.conf

You don't actually need to modify much if you want to do a general test. Just modify the following lines of the "server.conf" file.

ca ca.crt
cert server.crt
key server.key  # This file should be kept secret

These need to point to the location where your certs are stored. For our testing we changed it to:

ca /etc/openvpn/easy-rsa/keys/ca.crt
cert /etc/openvpn/easy-rsa/keys/server.crt
key /etc/openvpn/easy-rsa/keys/server.key  # This file should be kept secret

The default subnet it will use is 10.8.0.0 255.255.255.0. If you are already using this subnet in your network, go ahead and modify the "server 10.8.0.0 255.255.255.0" line to whatever you want it to be. It will use this as the subnet for assigning addresses to your clients and your tunnel interface.

Now you are ready to verify that at a minimum the server portion works. You can do so by typing in:

openvpn server.conf (make sure you are in the right directory where the server conf file is located).

You should now see the server listening for incoming clients. The very last line should say "Initialization Sequence Completed". If you don't see this line, you'll have to go back and review what you did. If these instructions didn't work for you, go here and follow those instructions.

*********************************************************************

To prepare your server for use you will need to modify the iptables rules on your server. If you chose to use the default UDP protocol and port number, then you can use the following command. If you didn't, be sure to substitute udp with tcp and the port number you defined in the server.conf file.

iptables -A INPUT -p udp --dport 1194 -j ACCEPT
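The two things that go wrong most often at this point are the ca/cert/key lines still pointing at relative paths (so openvpn can't find the files) and a firewall rule that doesn't match the proto/port the server was actually configured with. The script below is an added example, not code from the original post or from OpenVPN: it reads a server.conf written in the plain "directive value" form shown above, checks the certificate paths and the permissions of server.key (the file the sample config says to keep secret), and prints the iptables rule for whatever proto and port the file uses, defaulting to udp 1194 like the post's rule.

```shell
#!/bin/sh
# Added example (not from the original post): check a server.conf before
# starting OpenVPN, and print the iptables rule for the proto/port it uses.
# Assumes the plain "directive value" lines shown in the post's server.conf.

# Print the first value of a directive, or the given default if absent.
conf_get() {                      # conf_get <server.conf> <directive> <default>
    v=$(awk -v d="$2" '$1 == d { print $2; exit }' "$1")
    [ -n "$v" ] && echo "$v" || echo "$3"
}

# Verify that ca/cert/key (and dh, written by ./build-dh) are absolute,
# readable paths, and that the private key is readable by its owner only.
# Returns 0 when every check passes, 1 otherwise.
check_server_conf() {             # check_server_conf <server.conf>
    conf=$1 rc=0
    for d in ca cert key dh; do
        f=$(conf_get "$conf" "$d" "")
        case "$f" in
            "") echo "missing directive: $d"; rc=1 ;;
            /*) [ -r "$f" ] || { echo "$d: $f is not readable"; rc=1; } ;;
            *)  echo "$d: $f is relative; use an absolute path"; rc=1 ;;
        esac
    done
    key=$(conf_get "$conf" key "")
    if [ -n "$key" ] && [ -r "$key" ]; then
        # group/other permission bits from ls -l, e.g. "------" for mode 600
        others=$(ls -ld "$key" | cut -c5-10)
        [ "$others" = "------" ] ||
            { echo "key: $key is group/world readable; chmod 600 it"; rc=1; }
    fi
    return $rc
}

# The post's rule assumes the defaults (udp, 1194); derive the rule from
# the proto and port lines actually present in server.conf instead.
firewall_rule() {                 # firewall_rule <server.conf>
    proto=$(conf_get "$1" proto udp)
    port=$(conf_get "$1" port 1194)
    case "$proto" in tcp*) proto=tcp ;; *) proto=udp ;; esac   # tcp-server -> tcp
    echo "iptables -A INPUT -p $proto --dport $port -j ACCEPT"
}

# Usage: check_server_conf /etc/openvpn/server.conf && firewall_rule /etc/openvpn/server.conf
```

Run it from the directory that holds server.conf, or pass the full path; it only prints the rule and never changes the firewall itself.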


**********************************************************************

Installing OpenVPN on your Asterisk Server (PBX in a Flash Distribution)

For all of you that are looking to secure communications for softphones, OpenSSL looks to be a good option. Right now we are in the process of testing it and ran through the OpenSSL installation. We provided a set of instructions on getting it installed on your PBX in a Flash server (CentOS 5.2).
Download OpenVPN:
wget http://openvpn.net/release/openvpn-2.0.9.tar.gz

Download LZO and install the rpm:
wget http://dag.wieers.com/rpm/packages/lzo/lzo-1.08-4.2.el5.rf.i386.rpm
rpm -ivh lzo-1.08-4.2.el5.rf.i386.rpm

You can try to build the rpm package from the tarball (but it will probably fail).
rpmbuild -tb openvpn-2.0.9.tar.gz

It will probably tell you it requires certain dependencies and will not allow you to continue. The dependencies are listed below:
– openssl
– pam
– lzo – you’ll probably have to download it
– openssl-devel
– pam-devel
– lzo-devel – you’ll probably have to download it

If you don't have openssl, openssl-devel, pam and pam-devel installed, you can use yum to install them:
yum install openssl pam openssl-devel pam-devel

You can download lzo-devel and install it:
wget ftp://ftp.pbone.net/mirror/download.fedora.redhat.com/pub/fedora/epel/5/i386/lzo-devel-2.02-2.el5.1.i386.rpm
rpm -ivh lzo-devel-2.02-2.el5.1.i386.rpm

If, for some reason, it complains that the dependencies are not available when you try to install the lzo-devel package, you can download the following:

lzo2-devel
wget ftp://ftp.pbone.net/mirror/dag.wieers.com/packages/lzo2/lzo2-2.02-3.el5.rf.i386.rpm
rpm -ivh lzo2-2.02-3.el5.rf.i386.rpm

liblzo2_2
wget ftp://ftp.pbone.net/mirror/atrpms.net/el5-i386/atrpms/stable/liblzo2_2-2.03-6.el5.i386.rpm
rpm -ivh liblzo2_2-2.03-6.el5.i386.rpm

libminilzo.so.2
wget http://dl.atrpms.net/all/libminilzo2-2.03-6.el5.i386.rpm
rpm -i libminilzo2-2.03-6.el5.i386.rpm

You can now try to install lzo-devel. It should install with no problems:
rpm -i lzo-devel-2.02-2.el5.1.i386.rpm

After you install all of the dependencies you can try to rebuild the OpenVPN rpm:
rpmbuild -tb openvpn-2.0.9.tar.gz

After building it you'll find it in the following location:
/usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm

Now try to install it. It should run successfully:
rpm -ivh /usr/src/redhat/RPMS/i386/openvpn-2.0.9-1.i386.rpm

That's it.

This was installed on a 32-bit system, so if you do install it on a 64-bit machine please make sure to download all of the correct rpms and tarballs.

Linksys RTP300 unlocked and setup with Asterisk

This information is already floating around the internet, due to the fact that there are so many curious people that got rid of Vonage and wanted to use their routers for other reasons and/or with other providers.

So here’s our take on it.

We dug up an old RTP300 with the Vonage firmware. As we attempted to "hack" away at the unit we found that all the username combinations we found scattered across the good ole' internet didn't work, so we used the (probably by now) infamous cyt tool. What does the cyt tool do, you ask? It simply resets the "admin" and "user" accounts with default passwords. This basically allows you to clear all of the pre-configured SIP settings and upgrade to the latest firmware. It does this by creating a socket session on port 2400 to reconfigure the XML settings on the box.

So how do you get it? Well, we provide it right here for you. All the instructions you'll need to run the tool are in the readme file.


Now that you have the passwords changed, you can log into the http://192.168.15.1/upgrade.html interface with the new username and password combination. The username and password should be "user". (Don't forget you'll have to log in to the router first with the username and password "admin".)

Next go to the Linksys website and download firmware release 3.1.24. You'll find that if you attempt to upgrade the router with this file you'll run into some trouble. No worries, there are a couple more steps before you are up and running. All you have to do is download a hex editor, open the .img file in it and make a couple of changes.

The following changes will need to be made.

On the second line, the eighth value (byte pair) will say 4d; change it to 4c. So to the far right you should see "....CYLL@0.....".

On the very last line you need to change the 5th, 6th, 7th and 8th values. Change them from 85 da 20 bb to 3b a5 4d da. Save it and now upgrade the firmware on your router.

At this point your router should be upgraded and you should be running the latest firmware. Cool, huh?

If you click on the Voice link and then on the admin login, you'll see Line 1, Line 2, etc. All you have to do is enter the Asterisk extension and password. Simply register the RTP300 like any other SIP device, plug in any regular phone and you're good to go.
