I seem to be experiencing some unexpected behavior when attempting to route an
IAX2 trunk via OpenVPN. In my lab environment, I have two Astlinux boxes: pbx1
(net4801) and pbx2 (alix). I've configured pbx1 as an OpenVPN client, and pbx2
is configured as the server. When I bring up a site-site tunnel, I can ping
from pbx1 to pbx2 and vice versa via the LAN i/f addresses. I can also ping
devices on the private LANs of each pbx from the other PBX. However, for some
reason, when I set up my IAX trunk using the LAN IPs of each pbx, it won't
connect. If I use the IPs of the tun i/f on each pbx for the IAX trunk,
everything is fine. I am "restarting" (as opposed to "reloading") asterisk
between my tests. My config files are below:

PBX1/iax.conf:
===========
[general]
bindport = 4569
bindaddr = 0.0.0.0
disallow=all
allow=ulaw
mailboxdetail=yes

[pbx2]
type=friend
username=pbx1
secret=guess
auth=plaintext
;host=192.168.1.216  ; pbx2 WAN i/f
;host=192.168.102.1  ; pbx2 LAN i/f
host=10.10.2.1       ; pbx2 VPN i/f
context=LocalSets
peercontext=LocalSets
qualify=yes
trunk=yes


PBX2/iax.conf:
===========
[general]
bindport = 4569
bindaddr = 0.0.0.0
disallow=all
allow=ulaw
mailboxdetail=yes

[pbx1]
type=friend
username=pbx2
secret=guess
auth=plaintext
;host=192.168.1.206  ; pbx1 WAN i/f
;host=192.168.101.1  ; pbx1 LAN i/f
host=10.10.1.1       ; pbx1 VPN i/f
context=LocalSets
peercontext=LocalSets
qualify=yes
trunk=yes


PBX1/openvpnclient.conf:
====================
dev tun2
remote 192.168.1.216 1194
proto udp
ca /mnt/kd/openvpn/webinterface/client_keys/ca.crt
cert /mnt/kd/openvpn/webinterface/client_keys/client.crt
key /mnt/kd/openvpn/webinterface/client_keys/client.key
verb 1
comp-lzo
ns-cert-type server
...


PBX2/openvpn.conf:
================
dev tun0
port 1194
proto udp
ca /mnt/kd/openvpn/webinterface/keys/ca.crt
cert /mnt/kd/openvpn/webinterface/keys/server.crt
key /mnt/kd/openvpn/webinterface/keys/server.key
dh /mnt/kd/openvpn/webinterface/dh1024.pem
server 10.10.2.0 255.255.255.0
verb 1
push "route 192.168.102.0 255.255.255.0"
client-config-dir /mnt/kd/openvpn/ccd
client-to-client
route 192.168.101.0 255.255.255.0
route 10.10.1.0 255.255.255.0
comp-lzo


PBX2/ccd/pbx1
================
ifconfig-push 10.10.1.1 10.10.1.2  # statically define IP's of client & server
iroute 192.168.101.0 255.255.255.0 # allow vpn server to contact client's LAN


PBX1/custom-rules:
================
#-- INBOUND RULES FOR SITE-SITE VPN --#
#######################################

# Pass anything from the tunnel to the LAN side of pbx1
iptables -A FORWARD_CHAIN -i tun2 -s 10.10.1.0/30     -d 192.168.101.0/24 -j ACCEPT
iptables -A FORWARD_CHAIN -i tun2 -s 10.10.2.0/24     -d 192.168.101.0/24 -j ACCEPT

# Pass anything from the LAN side of pbx2 to the LAN side of pbx1
iptables -A FORWARD_CHAIN -i tun2 -s 192.168.102.0/24 -d 192.168.101.0/24 -j ACCEPT


#-- OUTBOUND RULES FOR SITE-SITE VPN --#
########################################

# Pass anything from the LAN into the tunnel
iptables -A FORWARD_CHAIN -i br0 -s 192.168.101.0/24 -d 10.10.1.0/30     -j ACCEPT
iptables -A FORWARD_CHAIN -i br0 -s 192.168.101.0/24 -d 10.10.2.0/24     -j ACCEPT

# Pass anything from the LAN to the LAN side of pbx2
iptables -A FORWARD_CHAIN -i br0 -s 192.168.101.0/24 -d 192.168.102.0/24 -j ACCEPT


PBX2/custom-rules:
================
#-- INBOUND RULES FOR SITE-SITE VPN --#
#######################################
# Pass anything from the tunnel to the LAN side of pbx2
iptables -A FORWARD_CHAIN -i tun0 -s 10.10.1.0/30     -d 192.168.102.0/24 -j ACCEPT
iptables -A FORWARD_CHAIN -i tun0 -s 10.10.2.0/24     -d 192.168.102.0/24 -j ACCEPT

# Pass anything from the LAN side of pbx1 to the LAN side of pbx2
iptables -A FORWARD_CHAIN -i tun0 -s 192.168.101.0/24 -d 192.168.102.0/24 -j ACCEPT


#-- OUTBOUND RULES FOR SITE-SITE VPN --#
########################################
# Pass anything from the LAN into the tunnel
iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 10.10.1.0/30     -j ACCEPT
iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 10.10.2.0/24     -j ACCEPT

# Pass anything from the LAN to the LAN side of pbx1
iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 192.168.101.0/24 -j ACCEPT

-----------------------------------------------
Some other things that I have noticed:

1. If on the OpenVPN config GUI page I delete the network field, it is
automatically replaced with "10.8.0.0 255.255.255.0"; however, there is no
network statement written to the openvpn.conf file.
2. If I remove the network statement as stated above, I can't ping the LAN i/f
from one pbx to another; however, I can ping 10.10.1.1 from pbx2 (ping from
server to client using the tun i/f). Perhaps this is a misunderstanding on my
part, but it seems like using "ifconfig-push" IPs without having a "network"
statement defined on the server is virtually useless.


Any suggestions as to why I'm seeing this behavior? Also, is there a different 
approach to setting up a site-site config that makes more sense?

Thanks!!

_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to 
pay...@krisk.org.
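The symptom in the post (trunk up when host= points at the tun addresses, down when it points at the LAN addresses) is consistent with a UDP service bound to 0.0.0.0 replying from whichever source address the route back to the requester prefers. The following Python is an added example, not code from the post, from AstLinux or from Asterisk: it models one IAX2 request/reply round between the two boxes using routing tables constructed from the addresses in the post (an assumption, not captured output), and shows which combinations of destination address and bindaddr produce a reply that arrives from the address the caller recorded as its peer.

```python
"""Why an IAX2 trunk bound to 0.0.0.0 can work over the tun addresses but not
over the LAN addresses: a model of one request/reply round.

Added example; not code from the post, from AstLinux or from Asterisk.

IAX2 uses one UDP socket.  Bound to 0.0.0.0, that socket has no fixed source
address: the kernel picks the source of each datagram from the route it uses
to reach the destination.  A reply is therefore sent from the address that
route prefers, not necessarily from the address the request was sent to.
chan_iax2 matches incoming frames (call traffic and qualify POKE/PONG) against
the remote address it recorded, so a reply arriving from a different address
is not matched to the call or peer.

The routing tables are constructed from the addresses in the post and are an
assumption, not output captured from either box.
"""
import ipaddress

# (destination prefix, preferred source address), constructed per the post:
# LAN on br0, WAN on eth0, tunnel routes over tun2 (pbx1) / tun0 (pbx2).
PBX1_ROUTES = [
    ("192.168.101.0/24", "192.168.101.1"),  # br0, pbx1 LAN
    ("192.168.1.0/24",   "192.168.1.206"),  # eth0, pbx1 WAN
    ("10.10.1.0/30",     "10.10.1.1"),      # tun2, ifconfig-push 10.10.1.1 10.10.1.2
    ("10.10.2.0/24",     "10.10.1.1"),      # tun2, server subnet
    ("192.168.102.0/24", "10.10.1.1"),      # tun2, pushed "route 192.168.102.0"
]
PBX2_ROUTES = [
    ("192.168.102.0/24", "192.168.102.1"),  # br0, pbx2 LAN
    ("192.168.1.0/24",   "192.168.1.216"),  # eth0, pbx2 WAN
    ("10.10.2.0/24",     "10.10.2.1"),      # tun0, server 10.10.2.0/24
    ("10.10.1.0/24",     "10.10.2.1"),      # tun0, "route 10.10.1.0"
    ("192.168.101.0/24", "10.10.2.1"),      # tun0, "route 192.168.101.0" + iroute
]


def pick_source(routes, dst, bindaddr="0.0.0.0"):
    """Return the source address a datagram to dst leaves with.

    A socket bound to a specific address always sends from that address.  A
    socket bound to 0.0.0.0 sends from the preferred source of the longest
    matching route (longest-prefix match, as the kernel does).
    """
    if bindaddr != "0.0.0.0":
        return bindaddr
    target = ipaddress.ip_address(dst)
    best = None
    for prefix, src in routes:
        net = ipaddress.ip_network(prefix)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, src)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def iax_exchange(a_routes, b_routes, dst, a_bind="0.0.0.0", b_bind="0.0.0.0"):
    """Simulate one request from box A to dst and the reply from box B.

    A records dst as the remote end.  B records the remote end as the source
    address of the frame it received and replies to it.  A matches the reply
    only if it arrives from the address A recorded.
    """
    a_src = pick_source(a_routes, dst, a_bind)
    b_remote = a_src                        # what B sees as its peer
    b_src = pick_source(b_routes, b_remote, b_bind)
    return {
        "request": (a_src, dst),            # (source, destination) of A's frame
        "reply": (b_src, b_remote),         # (source, destination) of B's frame
        "matched": b_src == dst,            # does A recognise the reply?
    }


def run_scenarios():
    """The post's two cases plus the effect of pinning bindaddr on one or both sides."""
    return {
        "pbx1->pbx2 LAN, both 0.0.0.0":
            iax_exchange(PBX1_ROUTES, PBX2_ROUTES, "192.168.102.1"),
        "pbx1->pbx2 tun, both 0.0.0.0":
            iax_exchange(PBX1_ROUTES, PBX2_ROUTES, "10.10.2.1"),
        "pbx1->pbx2 LAN, only pbx1 pinned":
            iax_exchange(PBX1_ROUTES, PBX2_ROUTES, "192.168.102.1",
                         a_bind="192.168.101.1"),
        "pbx1->pbx2 LAN, both pinned":
            iax_exchange(PBX1_ROUTES, PBX2_ROUTES, "192.168.102.1",
                         a_bind="192.168.101.1", b_bind="192.168.102.1"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        status = "matched" if result["matched"] else "DROPPED"
        print(f"{name:34s} request {result['request']}  reply {result['reply']}  {status}")
```

In the model, a request to the LAN address leaves pbx1 from 10.10.1.1 and pbx2's reply leaves from 10.10.2.1, so neither side ever sees the LAN address it was configured to expect; a request to the tun address is symmetric and matches, which is what the post observes. Pinning bindaddr on only one side is not enough, because the other side still replies from its tun address; pinning both sides to their LAN addresses (or keeping host= on the tun addresses) keeps request and reply addresses symmetric. Two caveats the post's material does not settle: traffic addressed to the PBX itself passes through the INPUT chain, not FORWARD, so the FORWARD_CHAIN rules shown do not govern the IAX frames; and if bindaddr is pinned to the LAN address, the OpenVPN server still has to route that address back over the tunnel, which is what the route/iroute pair for 192.168.101.0/24 is for.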
