Asterisk with OpenVPN

Hi all,

I hope you can help me with this. I’ve searched the forums but so far cannot find what I’m looking for…

Here is my setup:

I have Asterisk running on a hosted server here in the UK. It all works fine and I have 2 SIP clients talking perfectly well over NAT most of the time and I can carry my SIP phones around and use various open networks to connect to the server.

The problem I have is that some networks (with a particularly annoying ISP) seem to block the RTP ports for their own use. This means that although my phones register with the server correctly, the RTP cannot travel anywhere and no calls can be generated. It’s obviously impossible for me to disable this behaviour on routers that I don’t administer so I’m looking at ways to circumvent the router.

There are three methods that are viable:

  1. Install Asterisk on my laptop and use IAX2 to talk to the server with phones registering to the laptop.
  2. Setup siproxd on my laptop.
  3. Use OpenVPN and fire all traffic down an encrypted tunnel.

Option 1 seems a little bit of overkill for simply setting up relay link (but the use of IAX2 would definitely solve the problem). I’d rather not go down this route unless I have to.

Option 2 I don’t think will make any difference. I would only shift the problem from the phone to the laptop and the RTP ports would still be blocked by the annoying router.

Option 3 is the best solution I can think of. The OpenVPN tunnel is working perfectly (well, most of the time) and I can talk to the server quite happily through it. This option also means that I don’t need to worry about a firewall on the server (the main IP is firewalled but the VPN tunnel is secured enough that it doesn’t need firewalling).

Now, whilst it’s not a problem for me to carry my laptop around and use it as a router and end-point for the VPN tunnel when I need it, the SIP phones cannot be configured to use my laptop as a router (they pick up the routes from the DSL routers that I use and there’s no way of configuring each one to add my laptop as another route) so what I ultimately want to do is configure IPTables to throw all traffic on ports 5060 and 10000-11000 straight down the tunnel silently and relay the replies as they come back through. Essentially, this would mean that all I would need to do is point the SIP registration details on the phone to my laptop’s IP and it will talk directly to the server through the tunnel (note: tunnel is UDP) but it simply doesn’t seem to work.

Could anyone give me some advice here on what I need to configure or if there is another option that I haven’t considered?

Many thanks in advance.

Have you considered buying IAX2-compatible hardphones? You should make sure this works with Zoiper.

OK, after hammering away at OpenVPN and Asterisk, I’ve managed to get SIP traffic flowing down the VPN. I’ll post the complete details here in case anyone else wants to do something similar.

First of all, using OpenVPN to the server achieves the following:

  1. SIP registration can be completely encrypted and isolated from the Internet to stop hackers attacking port 5060.
  2. No need to use STUN or NAT-aware routers for SIP traffic.
  3. RTP traffic is completely encrypted as it travels over the Internet to the server.

The problem that needed this (rather elaborate) solution is that my SIP hard phones (Linksys WIP-300 and Nokia N95) cannot be told to use my laptop as a router and the router itself cannot be configured to give out additional routes. Also, my laptop is on a dynamic IP (cannot do fixed IPs on this particular router).

Right, here’s the configuration for anyone who’s interested:

First off, set up OpenVPN and create the certificates and ensure that you can connect. As long as you can ping the server then you’re fine. There’re plenty of HowTos on OpenVPN on the Internet and I’m not going to repost them here.

The most essential settings in server.conf are the following lines for this to work:

proto udp # VoIP traffic won’t play nicely with TCP.
dev tun # You cannot use dev tap for bridging for this to work.
ifconfig-pool-persist ipp.txt # Keep a consistent IP for the tunnel.
client-config-dir /etc/openvpn/ccd # We will need a specific configuration…
route 192.168.2.0 255.255.255.0 # This is the internal IP address of my LAN.

Now, create the directory /etc/openvpn/ccd and create a file in there with the EXACT same name as you used for the “common name” when creating the certificate. Note that the name is case-sensitive.

In this file, using my example of 192.168.2.0, insert the following:

iroute 192.168.2.0 255.255.255.0

Change it as required. That’s all that’s needed and when you restart OpenVPN on the client, it should make the server aware that it (the server) now has access to a whole LAN.

That’s all for OpenVPN. Now onto Asterisk.

There’s really not much you need to do to make Asterisk work over a VPN. All I had to edit was /etc/asterisk/sip.conf and set the bindaddr to 0.0.0.0 to make it bind to all addresses rather than just its Internet routeable IP. I don’t think it’s possible to specify individual IPs so it’s one or all of them. Anyway, it’ll listen on the OpenVPN IP that you set up as long as Asterisk is started after OpenVPN.

Lastly, some IPTables magic is required on the client:

[code]#!/bin/bash

# This script sets up NAT for sending VoIP traffic down the VPN.

# Global variables

IPT=/sbin/iptables

# Clear ALL existing rules and user-defined chains (filter and nat tables)
$IPT -F
$IPT -X
$IPT -t nat -F

# Default policies: accept everything
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# Turn the laptop into a router
echo 1 > /proc/sys/net/ipv4/ip_forward

# Let replies to forwarded traffic through on the LAN interface
$IPT -A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Redirect SIP (UDP 5060) sent to the laptop's LAN IP to the Asterisk server at the VPN end
$IPT -A PREROUTING -t nat -i eth1 -d 192.168.2.11 -p udp --dport 5060 -j DNAT --to-destination 172.17.0.1[/code]

This script will clear out all of the IPTables policies and set up forwarding. Note that the IP address of my laptop is 192.168.2.11 and the IP address of the VPN server (with Asterisk on it) is 172.17.0.1. If you use this script then you will have to edit it to your needs and be aware that it clears ALL rules and chains and sets the default policies to ACCEPT!

Now, once that’s done, you can point your SIP hardphone (or softphone, if you prefer) to the IP address of the new “router” (in my case, my laptop) and the SIP registration details will be silently thrown down the tunnel and the server should respond. I use ports 10000:11000 for RTP traffic but these ports do not need to be forwarded. Since we’re not doing masquerading, the server is aware of the client phone’s true internal IP address and will talk directly back to the device. It will send RTP traffic direct to the device.

One thing that is interesting, though, is that the clients don’t seem to care where the response for SIP registration comes from. Whilst my phone talks to 192.168.2.11, the response comes back from the server at the end of the VPN tunnel on 172.17.0.1. I thought that it would confuse the hell out of the phone but apparently not.

I’ve run a few tests on calls to BT lines and the quality is excellent - you wouldn’t notice that the call is routed through the VPN instead of the Internet (well, you know what I mean).

Finally, if you don’t set “redirect-gateway” in the server.conf OpenVPN file then all non-SIP traffic will be routed normally.

I hope that this solution benefits someone else who needs SIP traffic through a VPN.

Comments welcome.
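A tighter version of the relay script from the post above, added here as an example and not the poster's own script: it keeps the same SIP DNAT to the PBX, but sets FORWARD to DROP and relays only SIP and the 10000:11000 RTP range between the LAN and the PBX, logging anything else it drops. The interface names (eth1, tun0) and the addresses are assumptions taken from the thread; run it with `apply` to load the rules, or with no argument to just print them for review.

```shell
#!/bin/sh
# Tighter replacement for the forum script (added example, not the poster's
# code): same DNAT of SIP to the PBX on the VPN, but FORWARD defaults to DROP
# and only SIP/RTP between the LAN and the PBX is relayed through the tunnel.
# Interface names and addresses below are assumptions based on the thread.
LAN_IF=eth1            # interface the SIP phones reach the laptop on
TUN_IF=tun0            # OpenVPN "dev tun" interface on the laptop
LAN_NET=192.168.2.0/24 # laptop's LAN, matching the server's route/iroute
LAPTOP_IP=192.168.2.11 # address the phones register against
PBX_IP=172.17.0.1      # Asterisk's address at the server end of the tunnel
RTP_PORTS=10000:11000  # RTP range used in the thread
IPT=${IPT:-/sbin/iptables}

# Print the rule set, one iptables argument list per line.
voip_rules() {
  cat <<EOF
-P FORWARD DROP
-F FORWARD
-t nat -F PREROUTING
-t nat -A PREROUTING -i $LAN_IF -d $LAPTOP_IP -p udp --dport 5060 -j DNAT --to-destination $PBX_IP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_NET -d $PBX_IP -p udp --dport 5060 -j ACCEPT
-A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_NET -d $PBX_IP -p udp --dport $RTP_PORTS -j ACCEPT
-A FORWARD -i $TUN_IF -o $LAN_IF -s $PBX_IP -d $LAN_NET -p udp --dport 5060 -j ACCEPT
-A FORWARD -i $TUN_IF -o $LAN_IF -s $PBX_IP -d $LAN_NET -p udp --dport $RTP_PORTS -j ACCEPT
-A FORWARD -j LOG --log-prefix "voip-fwd-drop: "
EOF
}

# Load the rules into the kernel (needs root) and enable forwarding.
apply_rules() {
  echo 1 > /proc/sys/net/ipv4/ip_forward
  voip_rules | while IFS= read -r rule; do eval "$IPT $rule"; done
}

# Number of FORWARD rules that let the PBX talk back to the LAN via the tunnel
# (one for SIP, one for RTP).
count_tun_to_lan() { voip_rules | grep -c -- "-i $TUN_IF -o $LAN_IF"; }

case "${1:-show}" in
  apply) apply_rules ;;
  *) voip_rules ;;
esac
```

The two tun-to-LAN rules are what allow the server to send INVITEs and RTP straight to the phone's real LAN address, which is why the thread's RTP ports never need forwarding.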

I’ve never come across an IAX2 compatible hardphone but I haven’t really looked lately. Also, my SIP phones are mobile rather than desk phones, but yes, IAX2 would be a much better solution.

Don’t know if you are still keeping an eye on this thread - but it might come in handy for others at least.

Here are a few more ideas:

  1. I have recently heard of a SIP hardphone which has OpenVPN support built in. I can’t remember which one it was - but I think it was from one of the big manufacturers - Aastra or such. This would save all the hassle with routing and needing the laptop as well.
  2. Your setup assumes that you know not only the subnet of your client LAN, but also the precise IP address of the laptop. Otherwise you have to log-in remotely into the OpenVPN server and keep on changing these settings, and change them in the hardphone as well.
  3. If you are already carrying a laptop - why not use it as a phone? There is a variety of headset styles out there, it can already run OpenVPN, a softphone client, it has LAN, WAN, 3G (possibly). To me it is the ideal phone. I’ve been using my laptop as my SIP phone (through OpenVPN) for about two years now - with a small discreet mono headset with microphone built into the cord. I use it over various wifi networks, depending on where I am, and even over 3G, with a dongle. Next I’m planning on setting it up to be used with a mobile phone hands-free style headset over Bluetooth for extra mobility.
  4. If you want to keep the laptop just for work - why not buy a cheap, small, sturdy netbook and use it as your phone. It will be the same price (if not cheaper) than a good, full featured dedicated SIP hard-phone - but it can have SIP, IAX2, a battery, wireless, 3G (if needed), even a webcam - and can be taught “new tricks” easily - unlike a hard-phone.
  5. One more suggestion - OpenVPN and SIP are available for Android. Get an Android smartphone with 3G and wifi (I believe LG does some really cheap ones) - install OpenVPN and a SIP client - and you have a very portable, wifi SIP phone with support for OpenVPN. If you are lucky - you might even be able to call over 3G - as even with provider restrictions - they won’t be able to inspect your OpenVPN packets - to find out you are running a VoIP protocol through 3G.

Sebastian