Darrick,

Thanks for the reply. FYI, there are two reasons why I'm trying to do this with OpenVPN:

[1] Ultimately I would like to configure a site-site VPN among several boxes (i.e., 3 or more). It's my understanding that this is problematic when using IPsec (please correct me if I'm wrong here), also,
[2] I'm working with Snom phones which come built-in with the OpenVPN client, which I would like to be able to integrate into the solution.

With that said, ...

- The version of Astlinux on both of my test boxes is 1.0.4/1.8.14.1. Is there some other type of version mismatch that you were referring to?
- Early on (before configuring the VPN) I had some trouble getting a SIP trunk working correctly between the boxes, so I went with IAX. This is something I could re-evaluate if it makes more sense.
- I'd be interested in seeing an example of the use of "TRUSTEDIF". I'm no iptables expert, and I could not find anything meaningful after a quick online search.

Thanks again!
-tm

-----Original Message-----
From: Darrick Hartman [mailto:[email protected]]
Sent: Saturday, September 22, 2012 7:45 PM
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] IAX2 and OpenVPN

Just use SIP (unless you are really bandwidth starved, the conversion from SIP to IAX2 back to SIP is usually not worth the headache. You might be experiencing something with a version mismatch).

Oh wait, you are likely experiencing an issue with the openvpn routing, not specific to IAX2. Two ways around this.

1). Get rid of everything "custom" that you have in the firewall and add the tun address to the "TRUSTEDIF" (I don't recall the exact variable off hand).
2). Use IPSEC instead of openvpn. I've found that the IPSEC stuff "just works" while the openvpn config for doing what you're trying requires some additional configuration to work.

Darrick

-----Original Message-----
From: Tom Mazzotta [mailto:[email protected]]
Sent: Saturday, September 22, 2012 6:22 PM
To: AstLinux Users Mailing List
Subject: [Astlinux-users] IAX2 and OpenVPN

I seem to be experiencing some unexpected behavior when attempting to route an IAX2 trunk via OpenVPN.

In my lab environment, I have two Astlinux boxes: pbx1 (net 4801) and pbx2 (alix). I've configured pbx1 as an OpenVPN client, and pbx2 is configured as the server. When I bring up a site-site tunnel, I can ping from pbx1 to pbx2 and vice versa, via the LAN i/f addresses. I can also ping devices on the private LANs of each pbx, from the other PBX.

However, for some reason, when I set up my IAX trunk using the LAN IPs of each pbx, it won't connect. If I use the IPs of the tun i/f on each pbx for the IAX trunk, everything is fine. I am "restarting" (as opposed to "reloading") asterisk between my tests.

My config files are below:

PBX1/iax.conf:
===========
[general]
bindport = 4569
bindaddr = 0.0.0.0
disallow=all
allow=ulaw
mailboxdetail=yes

[pbx2]
type=friend
username=pbx1
secret=guess
auth=plaintext
;host=192.168.1.216    ; pbx2 WAN i/f
;host=192.168.102.1    ; pbx2 LAN i/f
host=10.10.2.1         ; pbx2 VPN i/f
context=LocalSets
peercontext=LocalSets
qualify=yes
trunk=yes

PBX2/iax.conf:
===========
[general]
bindport = 4569
bindaddr = 0.0.0.0
disallow=all
allow=ulaw
mailboxdetail=yes

[pbx1]
type=friend
username=pbx2
secret=guess
auth=plaintext
;host=192.168.1.206    ; pbx1 WAN i/f
;host=192.168.101.1    ; pbx1 LAN i/f
host=10.10.1.1         ; pbx1 VPN i/f
context=LocalSets
peercontext=LocalSets
qualify=yes
trunk=yes

PBX1/openvpnclient.conf:
====================
dev tun2
remote 192.168.1.216 1194
proto udp
ca /mnt/kd/openvpn/webinterface/client_keys/ca.crt
cert /mnt/kd/openvpn/webinterface/client_keys/client.crt
key /mnt/kd/openvpn/webinterface/client_keys/client.key
verb 1
comp-lzo
ns-cert-type server
...

PBX2/openvpn.conf:
================
dev tun0
port 1194
proto udp
ca /mnt/kd/openvpn/webinterface/keys/ca.crt
cert /mnt/kd/openvpn/webinterface/keys/server.crt
key /mnt/kd/openvpn/webinterface/keys/server.key
dh /mnt/kd/openvpn/webinterface/dh1024.pem
server 10.10.2.0 255.255.255.0
verb 1
push "route 192.168.102.0 255.255.255.0"
client-config-dir /mnt/kd/openvpn/ccd
client-to-client
route 192.168.101.0 255.255.255.0
route 10.10.1.0 255.255.255.0
comp-lzo

PBX2/ccd/pbx1
================
ifconfig-push 10.10.1.1 10.10.1.2    # statically define IP's of client & server
iroute 192.168.101.0 255.255.255.0   # allow vpn server to contact client's LAN

PBX1/custom-rules:
================
#-- INBOUND RULES FOR SITE-SITE VPN --#
#######################################
# Pass anything from the tunnel to the LAN side of pbx1
iptables -A FORWARD_CHAIN -i tun2 -s 10.10.1.0/30 -d 192.168.101.0/24 -j ACCEPT
iptables -A FORWARD_CHAIN -i tun2 -s 10.10.2.0/24 -d 192.168.101.0/24 -j ACCEPT
# Pass anything from the LAN side of pbx2 to the LAN side of pbx1
iptables -A FORWARD_CHAIN -i tun2 -s 192.168.102.0/24 -d 192.168.101.0/24 -j ACCEPT

#-- OUTBOUND RULES FOR SITE-SITE VPN --#
########################################
# Pass anything from the LAN into the tunnel
iptables -A FORWARD_CHAIN -i br0 -s 192.168.101.0/24 -d 10.10.1.0/30 -j ACCEPT
iptables -A FORWARD_CHAIN -i br0 -s 192.168.101.0/24 -d 10.10.2.0/24 -j ACCEPT
# Pass anything from the LAN to the LAN side of pbx2
iptables -A FORWARD_CHAIN -i br0 -s 192.168.101.0/24 -d 192.168.102.0/24 -j ACCEPT

PBX2/custom-rules:
================
#-- INBOUND RULES FOR SITE-SITE VPN --#
#######################################
# Pass anything from the tunnel to the LAN side of pbx2
iptables -A FORWARD_CHAIN -i tun0 -s 10.10.1.0/30 -d 192.168.102.0/24 -j ACCEPT
iptables -A FORWARD_CHAIN -i tun0 -s 10.10.2.0/24 -d 192.168.102.0/24 -j ACCEPT
# Pass anything from the LAN side of pbx1 to the LAN side of pbx2
iptables -A FORWARD_CHAIN -i tun0 -s 192.168.101.0/24 -d 192.168.102.0/24 -j ACCEPT

#-- OUTBOUND RULES FOR SITE-SITE VPN --#
########################################
# Pass anything from the LAN into the tunnel
iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 10.10.1.0/30 -j ACCEPT
iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 10.10.2.0/24 -j ACCEPT
# Pass anything from the LAN to the LAN side of pbx1
iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 192.168.101.0/24 -j ACCEPT
-----------------------------------------------

Some other things that I have noticed:

1. If on the OpenVPN config GUI page I delete the network field, it is automatically replaced with "10.8.0.0 255.255.255.0"; however, there is no network statement written to the openvpn.conf file.
2. If I remove the network statement as stated above, I can't ping the LAN i/f from one pbx to another; however, I can ping 10.10.1.1 from pbx2 (ping from server to client using tun i/f). Perhaps this is a misunderstanding on my part, but it seems like using "ifconfig-push" IPs w/o having a "network" statement defined on the server is virtually useless.

Any suggestions as to why I'm seeing this behavior? Also, is there a different approach to setting up a site-site config that makes more sense?

Thanks!!

_______________________________________________
Astlinux-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/astlinux-users

Donations to support AstLinux are graciously accepted via PayPal to [email protected].
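The thread turns on two things a site-to-site OpenVPN setup has to get right: the server needs both a kernel `route` and a per-client `iroute` for each remote LAN, and custom iptables rules only ever see the traffic that reaches the chain they are attached to. The script below is an added example (it is not code from the thread, from Darrick, or from AstLinux) that parses the server config, the ccd file and the pbx2 custom rules as posted above and reports (a) any server `route` that no client claims with an `iroute`, and (b) for a few constructed flows arriving on pbx2's tun0, which netfilter chain will see the packet and whether a posted rule in that chain accepts it. It is a consistency check, not a diagnosis of the trunk failure: `PBX2_OWN_ADDRS`, the sample flows and the assumption that `FORWARD_CHAIN` is reached from the FORWARD hook are mine, and whether AstLinux's generated rules already accept traffic to the box's own addresses is not visible in the thread.

```python
"""Consistency checks for the OpenVPN site-to-site pieces from the thread.

Added example, not code from the thread or from AstLinux. Two general facts:
  1. A LAN behind an OpenVPN client needs a kernel `route` on the server AND
     an `iroute` in that client's ccd file (OpenVPN's internal routing table).
  2. Netfilter delivers a packet addressed to one of the box's own IPs through
     INPUT; rules attached only under FORWARD never see it.
Config text is copied from Tom's post; PBX2_OWN_ADDRS, the sample flows and the
"FORWARD_CHAIN hangs off FORWARD" assumption are constructed for the demo.
"""
import ipaddress
import re

SERVER_CONF = """
server 10.10.2.0 255.255.255.0
push "route 192.168.102.0 255.255.255.0"
route 192.168.101.0 255.255.255.0
route 10.10.1.0 255.255.255.0
"""
CCD_FILES = {"pbx1": """
ifconfig-push 10.10.1.1 10.10.1.2   # statically define IP's of client & server
iroute 192.168.101.0 255.255.255.0  # allow vpn server to contact client's LAN
"""}
PBX2_RULES = """
iptables -A FORWARD_CHAIN -i tun0 -s 10.10.1.0/30 -d 192.168.102.0/24 -j ACCEPT
iptables -A FORWARD_CHAIN -i tun0 -s 10.10.2.0/24 -d 192.168.102.0/24 -j ACCEPT
iptables -A FORWARD_CHAIN -i tun0 -s 192.168.101.0/24 -d 192.168.102.0/24 -j ACCEPT
iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 10.10.1.0/30 -j ACCEPT
iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 10.10.2.0/24 -j ACCEPT
iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 192.168.101.0/24 -j ACCEPT
"""
# Constructed: pbx2's own LAN i/f and tunnel i/f addresses as used in the thread.
PBX2_OWN_ADDRS = {"192.168.102.1", "10.10.2.1"}
RULE_RE = re.compile(r"-A\s+(\S+).*?-i\s+(\S+).*?-s\s+(\S+).*?-d\s+(\S+).*?-j\s+(\S+)")


def parse_openvpn(text):
    """Map each directive to the list of argument lists it appears with."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop trailing comments
        if line:
            words = line.replace('"', "").split()
            conf.setdefault(words[0], []).append(words[1:])
    return conf


def net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def missing_iroutes(server_conf, ccd_files):
    """Server `route` networks (as strings) that no client claims via `iroute`
    and that do not merely cover a client's ifconfig-push tunnel address."""
    claimed, pushed = set(), set()
    for text in ccd_files.values():
        ccd = parse_openvpn(text)
        claimed |= {net(*a) for a in ccd.get("iroute", [])}
        pushed |= {ipaddress.ip_address(a[0]) for a in ccd.get("ifconfig-push", [])}
    gaps = []
    for a in parse_openvpn(server_conf).get("route", []):
        r = net(*a)
        if r not in claimed and not any(ip in r for ip in pushed):
            gaps.append(str(r))
    return gaps


def parse_rules(text):
    """(chain, in_if, src_net, dst_net, target) for every `-A` rule line."""
    out = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if m:
            chain, iface, src, dst, target = m.groups()
            out.append((chain, iface, ipaddress.ip_network(src),
                        ipaddress.ip_network(dst), target))
    return out


def delivery_chain(dst, own_addrs):
    """Locally addressed packets traverse INPUT; everything else FORWARD."""
    return "INPUT" if dst in own_addrs else "FORWARD"


def accepted_by(rules, in_if, src, dst, own_addrs):
    """True if a rule in the chain that will actually see this packet accepts it.
    Assumption: a chain whose name contains FORWARD/INPUT hangs off that hook."""
    wanted = delivery_chain(dst, own_addrs)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for chain, iface, snet, dnet, target in rules:
        hook = "FORWARD" if "FORWARD" in chain else "INPUT" if "INPUT" in chain else chain
        if hook == wanted and iface == in_if and s in snet and d in dnet and target == "ACCEPT":
            return True
    return False


def report(rules_text=PBX2_RULES, own_addrs=PBX2_OWN_ADDRS):
    """Constructed flows arriving on pbx2's tun0 -> {name: (chain, accepted)}."""
    rules = parse_rules(rules_text)
    flows = {"LAN host -> LAN host": ("tun0", "192.168.101.50", "192.168.102.50"),
             "pbx1 tun i/f -> pbx2 LAN i/f": ("tun0", "10.10.1.1", "192.168.102.1"),
             "pbx1 LAN i/f -> pbx2 LAN i/f": ("tun0", "192.168.101.1", "192.168.102.1")}
    return {name: (delivery_chain(dst, own_addrs), accepted_by(rules, i, s, dst, own_addrs))
            for name, (i, s, dst) in flows.items()}


if __name__ == "__main__":
    print("routes lacking an iroute:", missing_iroutes(SERVER_CONF, CCD_FILES) or "none")
    for name, (chain, ok) in report().items():
        print(f"{name:30s} chain={chain:8s} accepted by custom rules={ok}")
```

Run as-is, the route/iroute check passes for the posted config (the `route 10.10.1.0/24` line is accounted for by the `ifconfig-push` address), while the flow report shows that only the LAN-host-to-LAN-host flow is matched by the posted `FORWARD_CHAIN` rules; anything addressed to pbx2's own LAN or tunnel address is handled by INPUT, where the posted custom rules add nothing. That is the distinction behind the "add the tun interface to the trusted interfaces" suggestion: the trusted-interface treatment covers traffic to the box itself, which per-subnet FORWARD rules cannot.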
