Lonnie,

I commented out all of the custom rules on both boxes and checked the "Allow 
OpenVPN Client tunnel to the 1st LAN i/f" on the client (pbx1) and "Allow 
OpenVPN Server..." on the server. After restarting OpenVPN and the f/w on both 
machines, now I can no longer ping the LAN i/f of the other box.

I'm OK going back to setting up a SIP trunk between both systems, but I would 
like to figure out the best way to operate a site-site VPN first.

I also tried adding TRUSTED_IF="tunx" (where "x" is the device #) to user.conf, 
then rebooted both boxes, but it still couldn't ping the other LAN.

Any other suggestions?

-----Original Message-----
From: Lonnie Abelbeck [mailto:[email protected]] 
Sent: Saturday, September 22, 2012 8:48 PM
To: AstLinux Users Mailing List
Subject: Re: [Astlinux-users] IAX2 and OpenVPN


Tom,

I'd rather see you use (Firewall sub-tab)...

_x_ Allow OpenVPN Client tunnel to the [ ... LAN Interface ]

and

_x_ Allow OpenVPN Server tunnel to the [ ... LAN Interface ]

respectively

Rather than setting TRUSTED_IF="tun+" in user.conf (as Darrick is suggesting, 
maybe ??).

Like Darrick suggested, I'd try to use SIP rather than IAX2.

Lonnie



On Sep 22, 2012, at 7:34 PM, Tom Mazzotta wrote:

> Darrick,
> 
> Thanks for the reply. FYI, there are two reasons why I'm trying to do this 
> with OpenVPN: [1] Ultimately I would like to configure a site-site VPN among 
> several boxes (i.e., 3 or more). It's my understanding that this is 
> problematic when using IPsec (please correct me if I'm wrong here), also, [2] 
> I'm working with Snom phones which come built-in with the OpenVPN client, 
> which I would like to be able to integrate into the solution. With that said, 
> ...
> 
> - the version of Astlinux on both of my test boxes is 1.0.4/1.8.14.1. Is 
> there some other type of version mismatch that you were referring to?
> - early on, (before configuring the VPN) I had some trouble getting a SIP 
> trunk working correctly between the boxes, so I went with IAX. This is 
> something I could re-evaluate if it makes more sense.
> - I'd be interested in seeing an example of the use of "TRUSTEDIF". I'm no 
> IPtables expert, and I could not find anything meaningful after a quick 
> online search.
> 
> Thanks again!
> 
> -tm
> 
> -----Original Message-----
> From: Darrick Hartman [mailto:[email protected]]
> Sent: Saturday, September 22, 2012 7:45 PM
> To: AstLinux Users Mailing List
> Subject: Re: [Astlinux-users] IAX2 and OpenVPN
> 
> Just use SIP (unless you are really bandwidth starved, the conversion from 
> SIP to IAX2 back to SIP is usually not worth the headache.  You might be 
> experiencing something with a version mismatch).
> 
> Oh wait, you are likely experiencing an issue with the openvpn routing, not 
> specific to IAX2.
> 
> Two ways around this.  
> 
> 1). Get rid of everything "custom" that you have in the firewall and add the 
> tun address to the "TRUSTEDIF" (I don't recall the exact variable off hand).  
> 
> 2). Use IPSEC instead of openvpn.  I've found that the IPSEC stuff "just 
> works" while the openvpn config for doing what you're trying, requires some 
> additional configuration to work.
> 
> Darrick
> 
> -----Original Message-----
> From: Tom Mazzotta [mailto:[email protected]]
> Sent: Saturday, September 22, 2012 6:22 PM
> To: AstLinux Users Mailing List
> Subject: [Astlinux-users] IAX2 and OpenVPN
> 
> I seem to be experiencing some unexpected behavior when attempting to route 
> an IAX2 trunk via OpenVPN.  In my lab environment, I have two Astlinux boxes: 
> pbx1 (net 4801) and pbx2 (alix). I've configured pbx1 as an OpenVPN client, 
> and pbx2 is configured as the server. When I bring up a site-site tunnel, I 
> can ping from pbx1 to pbx2 and vice versa, via the LAN i/f addresses. I can 
> also ping devices on the private LAN's of each pbx, from the other PBX. 
> However, for some reason, when I set up my IAX trunk using the LAN IP's of 
> each pbx, it won't connect. If I use the IP's of the tun i/f on each pbx 
> for the IAX trunk, everything is fine. I am "restarting" (as opposed to 
> "reloading") asterisk between my tests. My config files are below:
> 
> PBX1/iax.conf:
> ===========
> [general]
> bindport = 4569           
> bindaddr = 0.0.0.0
> disallow=all
> allow=ulaw
> mailboxdetail=yes
> 
> [pbx2]
> type=friend
> username=pbx1
> secret=guess
> auth=plaintext
> ;host=192.168.1.216  ; pbx2 WAN i/f
> ;host=192.168.102.1  ; pbx2 LAN i/f
> host=10.10.2.1       ; pbx2 VPN i/f
> context=LocalSets
> peercontext=LocalSets
> qualify=yes
> trunk=yes
> 
> 
> PBX2/iax.conf:
> ===========
> [general]
> bindport = 4569           
> bindaddr = 0.0.0.0
> disallow=all
> allow=ulaw
> mailboxdetail=yes
> 
> [pbx1]
> type=friend
> username=pbx2
> secret=guess
> auth=plaintext
> ;host=192.168.1.206  ; pbx1 WAN i/f
> ;host=192.168.101.1  ; pbx1 LAN i/f
> host=10.10.1.1       ; pbx1 VPN i/f
> context=LocalSets
> peercontext=LocalSets
> qualify=yes
> trunk=yes
> 
> 
> PBX1/openvpnclient.conf:
> ====================
> dev tun2
> remote 192.168.1.216 1194
> proto udp
> ca /mnt/kd/openvpn/webinterface/client_keys/ca.crt
> cert /mnt/kd/openvpn/webinterface/client_keys/client.crt
> key /mnt/kd/openvpn/webinterface/client_keys/client.key
> verb 1
> comp-lzo
> ns-cert-type server
> ...
> 
> 
> PBX2/openvpn.conf:
> ================
> dev tun0
> port 1194
> proto udp
> ca /mnt/kd/openvpn/webinterface/keys/ca.crt
> cert /mnt/kd/openvpn/webinterface/keys/server.crt
> key /mnt/kd/openvpn/webinterface/keys/server.key
> dh /mnt/kd/openvpn/webinterface/dh1024.pem
> server 10.10.2.0 255.255.255.0
> verb 1
> push "route 192.168.102.0 255.255.255.0"
> client-config-dir /mnt/kd/openvpn/ccd
> client-to-client
> route 192.168.101.0 255.255.255.0
> route 10.10.1.0 255.255.255.0
> comp-lzo
> 
> 
> PBX2/ccd/pbx1
> ================
> ifconfig-push 10.10.1.1 10.10.1.2   # statically define IP's of client & server
> iroute 192.168.101.0 255.255.255.0  # allow vpn server to contact client's LAN
> 
> 
> PBX1/custom-rules:
> ================
> #-- INBOUND RULES FOR SITE-SITE VPN --#
> #######################################
> 
> # Pass anything from the tunnel to the LAN side of pbx1
> iptables -A FORWARD_CHAIN -i tun2 -s 10.10.1.0/30     -d 192.168.101.0/24 -j ACCEPT
> iptables -A FORWARD_CHAIN -i tun2 -s 10.10.2.0/24     -d 192.168.101.0/24 -j ACCEPT
> 
> # Pass anything from the LAN side of pbx2 to the LAN side of pbx1
> iptables -A FORWARD_CHAIN -i tun2 -s 192.168.102.0/24 -d 192.168.101.0/24 -j ACCEPT
> 
> 
> #-- OUTBOUND RULES FOR SITE-SITE VPN --#
> ########################################
> 
> # Pass anything from the LAN into the tunnel
> iptables -A FORWARD_CHAIN -i br0 -s 192.168.101.0/24 -d 10.10.1.0/30     -j ACCEPT
> iptables -A FORWARD_CHAIN -i br0 -s 192.168.101.0/24 -d 10.10.2.0/24     -j ACCEPT
> 
> # Pass anything from the LAN to the LAN side of pbx2
> iptables -A FORWARD_CHAIN -i br0 -s 192.168.101.0/24 -d 192.168.102.0/24 -j ACCEPT
> 
> 
> PBX2/custom-rules:
> ================
> #-- INBOUND RULES FOR SITE-SITE VPN --#
> #######################################
> # Pass anything from the tunnel to the LAN side of pbx2
> iptables -A FORWARD_CHAIN -i tun0 -s 10.10.1.0/30     -d 192.168.102.0/24 -j ACCEPT
> iptables -A FORWARD_CHAIN -i tun0 -s 10.10.2.0/24     -d 192.168.102.0/24 -j ACCEPT
> 
> # Pass anything from the LAN side of pbx1 to the LAN side of pbx2
> iptables -A FORWARD_CHAIN -i tun0 -s 192.168.101.0/24 -d 192.168.102.0/24 -j ACCEPT
> 
> 
> #-- OUTBOUND RULES FOR SITE-SITE VPN --#
> ########################################
> # Pass anything from the LAN into the tunnel
> iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 10.10.1.0/30     -j ACCEPT
> iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 10.10.2.0/24     -j ACCEPT
> 
> # Pass anything from the LAN to the LAN side of pbx1
> iptables -A FORWARD_CHAIN -i br0 -s 192.168.102.0/24 -d 192.168.101.0/24 -j ACCEPT
> 
> -----------------------------------------------
> Some other things that I have noticed:
> 
> 1. If on the OpenVPN config GUI page, I delete the network field, it is 
> automatically replaced with "10.8.0.0 255.255.255.0", however there is no 
> network statement written to the openvpn.conf file.
> 2. If I remove the network statement as stated above, I can't ping the LAN i/f 
> from one pbx to another, however I can ping 10.10.1.1 from pbx2 (ping from 
> server to client using tun i/f). Perhaps this is a misunderstanding on my part, 
> but it seems like using "ifconfig-push" IP's w/o having a "network" statement 
> defined on the server is virtually useless.
> 
> 
> Any suggestions as to why I'm seeing this behavior? Also, is there a 
> different approach to setting up a site-site config that makes more sense?
> 
> Thanks!!
> 
> ------------------------------------------------------------------------------
> How fast is your code?
> 3 out of 4 devs don't know how their code performs in production.
> Find out how slow your code is with AppDynamics Lite.
> http://ad.doubleclick.net/clk;262219672;13503038;z?
> http://info.appdynamics.com/FreeJavaPerformanceDownload.html
> _______________________________________________
> Astlinux-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> [email protected].
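As an added illustration, not code from the thread or from AstLinux: a small Python checker for the pairing that a site-to-site server setup like pbx2's depends on, namely that every ccd `iroute` has a matching kernel `route` in the server config and that any `ifconfig-push` address outside the `server` pool is covered by a `route`. The config text below is constructed to mirror the quoted pbx2 openvpn.conf and ccd/pbx1; the parsing and checks are my own.

```python
import ipaddress

SERVER_CONF = """
server 10.10.2.0 255.255.255.0
push "route 192.168.102.0 255.255.255.0"
client-config-dir /mnt/kd/openvpn/ccd
route 192.168.101.0 255.255.255.0
route 10.10.1.0 255.255.255.0
"""
# Constructed sample text mirroring pbx2's openvpn.conf (above) and ccd/pbx1 (below).
CCD_PBX1 = """
ifconfig-push 10.10.1.1 10.10.1.2   # client / server ends of the point-to-point link
iroute 192.168.101.0 255.255.255.0  # pbx1's LAN sits behind this client
"""

def parse(text):
    """Return (keyword, args) per directive; '#' and ';' begin comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            kw, *args = line.split()
            out.append((kw, args))
    return out

def nets(directives, keyword):
    """Networks named by every '<keyword> <network> <netmask>' directive."""
    return {ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False)
            for k, a in directives if k == keyword and len(a) >= 2}

def check_site_to_site(server_text, ccd_text):
    """List the mismatches; an empty list means route, iroute and ifconfig-push agree."""
    srv, ccd = parse(server_text), parse(ccd_text)
    routes, covered = nets(srv, "route"), nets(srv, "route") | nets(srv, "server")
    problems = []
    # Every iroute in the ccd needs a kernel route on the server for the same subnet.
    for net in nets(ccd, "iroute"):
        if net not in routes:
            problems.append(f"iroute {net}: no matching 'route' in the server config")
    # A pushed client address outside the 'server' pool needs its own route.
    for kw, args in ccd:
        if kw == "ifconfig-push":
            for ip in map(ipaddress.ip_address, args[:2]):
                if not any(ip in n for n in covered):
                    problems.append(f"ifconfig-push {ip}: outside the 'server' pool and not covered by any 'route'")
    return problems

if __name__ == "__main__":
    print("\n".join(check_site_to_site(SERVER_CONF, CCD_PBX1)) or "route/iroute/ifconfig-push consistent")
```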

