Yealink Forums

Full Version: T20P: VPN/OpenVPN - Just SIP or also RTP?
Hi,

I have configured my T20P to use my DD-WRT OpenVPN server. The server indicates that the phone is logged in, however the traffic is small, a few kBytes, despite some calls that I'm sure took some megabytes of data!

So my question is, does the RTP stream pass through the VPN, or only the SIP information?

Thanks,
Rui

Code:
Firmware Version           9.71.0.140
Hardware Version           7.0.1.61
Hi,

Now I realize that the phone isn't using the VPN even for the registration, so, despite having successfully established the OpenVPN connection, the phone isn't using it!

I tried 2 configuration files, the first according to the Yealink documentation, and the second one that fully works on my PC, redirecting all the traffic as expected!

Code:
# Specify that this is a client configuration:
client
# Check whether the server is using a TUN or TAP interface, use the same dev tun
dev tun0
# Check whether the server is using TCP or UDP protocol, use the same here:
proto udp
;proto tcp
# Specify the host name and OpenVPN port of the server:
remote [My Server Address] 1194
# Specify the file names of your certificates and key - these should not
# The path names must be exactly as detailed below:
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key

# The rest of these settings should be unchanged:
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
comp-lzo
verb 3
mute 10


Code:
##############################################
# Sample client-side OpenVPN 2.0 config file #
# for connecting to multi-client server.     #
#                                            #
# This configuration can be used by multiple #
# clients, however each client should have   #
# its own cert and key files.                #
#                                            #
# On Windows, you might want to rename this  #
# file so it has a .ovpn extension           #
##############################################

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client

# Use the same setting as you are using on
# the server.
# On most systems, the VPN will not function
# unless you partially or fully disable
# the firewall for the TUN/TAP interface.
;dev tap0
dev tun0

# Windows needs the TAP-Win32 adapter name
# from the Network Connections panel
# if you have more than one.  On XP SP2,
# you may need to disable the firewall
# for the TAP adapter.
;dev-node MyTap

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
proto udp

# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote [My Server Address] 1194
;remote my-server-2 1194

# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random

# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite

# Most clients don't need to bind to
# a specific local port number.
nobind

# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key

# Verify server certificate by checking
# that the certicate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server

# If a tls-auth key is used on the server
# then every client must also have the key.
;tls-auth ta.key 1

# Select a cryptographic cipher.
# If the cipher option is used on the server
# then you must also specify it here.
;cipher x

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
;comp-lzo

# Set log file verbosity.
verb 3

# Silence repeating messages
mute 20

# Extra Fields
;fast-io
;pull
route-delay 2
redirect-gateway

The only difference here is the device, which here is 'tun0' while in the documentation it is referred to as just 'tun'!

Does anyone know why the phone doesn't redirect the traffic despite a successful VPN connection?

Ok, the second version works as intended after all.

I think the main difference is the 'redirect-gateway' attribute...

Thanks anyway,
Rui
Hi ruiseixas,

I think the difference is the ";comp-lzo".
This relates to data compression, which needs to be supported by the server.

# Don't enable this unless it is also
# enabled in the server config file.

Some Linux servers need to run plugins to support comp-lzo.
Hope the above can help you and others.
Yes, my server doesn't have 'comp-lzo' enabled, as you can see below:

Code:
push "route 192.168.11.0 255.255.255.0"
server 10.8.0.0 255.255.255.0
dev tun0
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
# Only use crl-verify if you are using the revoke list - otherwise leave it commented out
# crl-verify /tmp/openvpn/ca.crl

It is possible to enable it, however because I only use it for voice there is no advantage to extra compression, because voice is already extremely compressed.
You've done a good job of posting all your OpenVPN configs... and it looks like you have it right for what you are trying to do. Typically on the Yealink phones you'll see the little VPN icon come up on the LCD screen once the link is established. That's a good sign that it's working.

From there it generally comes down to standard networking rules.

We generally have our voice server included in the OpenVPN environment... then we just need to specify the voice server's VPN IP address (typically 172.16.0.1) in the phone's SIP configuration. By using the VPN IP as the only server address you will force both SIP and RTP traffic across the VPN link, as they have no other choice. A common mistake our technicians make is putting the actual public address of the server in the SIP config of the phone... at that point the phone establishes the VPN link, but then uses its internet connection to find the voice server.

With the OpenVPN config files it may be possible to force a range of traffic out across the VPN link... but the server on the other end would need the same rules in place to send the traffic back... and that is generally the tricky part if it's not really part of the VPN.

One question I had with your setup... where is all your equipment located? You mention you have the T20P connecting to your DD-WRT OpenVPN server... is the phone on the internet and your server is behind the firewall on the protected LAN? or vice-versa? Makes a difference whether your DD-WRT should really be in client or server mode.
Hi, thanks for the reply,

I'm in Algeria using the phone, and the VPN router is in Portugal. The VPN router is behind the ADSL router's firewall with all the respective ports for OpenVPN redirected to the VPN router. The phone is also behind a firewall in another WRT54GL working as gateway!

I'm using OpenVPN mainly because here the ISP blocks my local SIP ports after a while, and I always need to change them! I think it's because here they don't like VoIP, and this way the ISP prevents it from being used as an alternative to standard voice communications!

By the way, the VPN string appears on the LCD, however, when I didn't put the 'redirect-gateway' attribute the local SIP port remained blocked; only when I added that attribute did the problem disappear, so I think it is better to add it! In the end the config was this:

Code:
# Specify that this is a client configuration:
client
# Check whether the server is using a TUN or TAP interface, use the same dev tun
dev tun0
# Check whether the server is using TCP or UDP protocol, use the same here:
proto udp
;proto tcp
# Specify the host name and OpenVPN port of the server:
remote ******.dyndns.org 1194
# Specify the file names of your certificates and key - these should not
# The path names must be exactly as detailed below:
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client.crt
key /yealink/config/openvpn/keys/client.key

# The rest of these settings should be unchanged:
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
;comp-lzo
verb 3
mute 10
route-delay 2
redirect-gateway

One problem that remains is that if I call a number in the same LAN, the RTP traffic leaves that LAN because the SIP server works as an RTP proxy, making the RTP traffic available on the Internet, despite being private between Algeria and Portugal! More explained here:
Regards,
Rui
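The point made earlier in the thread (put the voice server's VPN IP, not its public IP, in the phone's SIP config) and the finding that 'redirect-gateway' was what finally moved the traffic both come down to routing table lookups. The following is an added example, not code from the thread or from Yealink: it models the phone's routing table with and without redirect-gateway and shows which interface a given SIP server address would leave on. The LAN prefix, the SIP addresses and the tun0 endpoint are constructed assumptions; 10.8.0.0/24 and the pushed 192.168.11.0/24 route come from the server config posted above.

```python
import ipaddress

# Constructed routing table for the phone without "redirect-gateway":
# only the VPN subnet and the route pushed by the server use tun0.
# The phone's own LAN prefix is assumed, not taken from the thread.
ROUTES_WITHOUT_REDIRECT = [
    ("0.0.0.0/0", "eth0"),        # default route via the local ISP gateway
    ("192.168.1.0/24", "eth0"),   # phone's LAN behind the WRT54GL (assumed)
    ("10.8.0.0/24", "tun0"),      # "server 10.8.0.0 255.255.255.0" on the DD-WRT box
    ("192.168.11.0/24", "tun0"),  # push "route 192.168.11.0 255.255.255.0"
]

# "redirect-gateway" adds two /1 routes that together cover all of IPv4 and
# beat the /0 default on prefix length. (OpenVPN also adds a host route to
# the VPN server itself via the old gateway; omitted here for brevity.)
ROUTES_WITH_REDIRECT = ROUTES_WITHOUT_REDIRECT + [
    ("0.0.0.0/1", "tun0"),
    ("128.0.0.0/1", "tun0"),
]


def egress_interface(dst, routes):
    """Interface chosen for dst by longest-prefix match over routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def sip_and_rtp_in_tunnel(sip_server, routes):
    """True when signalling and media both enter tun0. In this thread the SIP
    server also proxies RTP, so one lookup answers for both."""
    return egress_interface(sip_server, routes) == "tun0"


if __name__ == "__main__":
    public_sip = "203.0.113.10"  # constructed public address of a SIP provider
    vpn_sip = "10.8.0.1"         # SIP server reached at its tunnel address (assumed)
    for label, routes in (("no redirect-gateway", ROUTES_WITHOUT_REDIRECT),
                          ("redirect-gateway", ROUTES_WITH_REDIRECT)):
        for host in (public_sip, vpn_sip):
            print(f"{label}: {host} -> {egress_interface(host, routes)}")
```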
(11-09-2013 06:55 AM)ruiseixas Wrote: [ -> ]One problem that remains is that if I call a number in the same LAN, the RTP traffic leaves that LAN because the SIP server works as a RTP Proxy, making the RTP traffic available in the Internet, despite being private between Algeria and Portugal!

same LAN as what ?

Your OpenVPN server endpoint should be running a SIP ALG (thus rewriting the media IPs to that of the OpenVPN server endpoint inside the tunnel), causing all SIP (port 5060) and RTP data to always be inside the tunnel no matter what IPs are given out by the upstream SIP server or upstream media proxy server.

On Linux (on which OpenWRT is based) a pair of kernel modules, nf_conntrack_sip and nf_nat_sip, ensure the stream in and out is symmetric. For example, one common problem for Asterisk is that it does not examine the inbound packet's local IP to ensure it reuses it in the reply, and ends up using the default IP provided by the kernel in the reply. This can be fixed up using Linux netfilter DNAT and SNAT rules (on the Asterisk box or on the OpenVPN server endpoint box) to help it be symmetric, allowing the SIP ALG kernel modules to work.
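To make the SIP ALG point above concrete, here is an added example (not code from the thread, nor the real nf_nat_sip module): it pulls the media address and port out of an SDP body, checks whether RTP sent there would stay inside the 10.8.0.0/24 tunnel, and performs the c=/o= rewrite an ALG does so that the phone sends media to the tunnel endpoint instead. The SDP body, the public IP and the endpoint address 10.8.0.1 are constructed assumptions.

```python
import ipaddress
import re

VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # from the DD-WRT server config
VPN_ENDPOINT = "10.8.0.1"                       # assumed tunnel-side address of the server

# Constructed SDP as an upstream media proxy might answer: the c= line points
# at a public IP, so the phone would send RTP out via its ISP, not the tunnel.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=- 12345 12345 IN IP4 203.0.113.10\r\n"
    "s=call\r\n"
    "c=IN IP4 203.0.113.10\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 8 0\r\n"
    "a=rtpmap:8 PCMA/8000\r\n"
)

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
C_LINE = re.compile(r"^(c=IN IP4 )" + IPV4, re.M)              # connection address
O_LINE = re.compile(r"^(o=\S+ \S+ \S+ IN IP4 )" + IPV4, re.M)  # origin address
M_LINE = re.compile(r"^m=audio (\d+) ", re.M)                   # audio port


def media_endpoint(sdp):
    """(ip, port) the far side asks us to send RTP to, or None if absent."""
    c, m = C_LINE.search(sdp), M_LINE.search(sdp)
    if not c or not m:
        return None
    return c.group(2), int(m.group(1))


def rtp_stays_in_tunnel(sdp):
    """True only if the media address lies inside the VPN subnet."""
    ep = media_endpoint(sdp)
    return ep is not None and ipaddress.ip_address(ep[0]) in VPN_NET


def alg_rewrite(sdp, inside_addr=VPN_ENDPOINT):
    """What a SIP ALG on the endpoint does: rewrite the c= and o= addresses to
    its tunnel-side IP; the endpoint then NATs the media onward itself."""
    for pat in (C_LINE, O_LINE):
        sdp = pat.sub(lambda m: m.group(1) + inside_addr, sdp)
    return sdp


if __name__ == "__main__":
    print("before:", media_endpoint(SAMPLE_SDP), rtp_stays_in_tunnel(SAMPLE_SDP))
    fixed = alg_rewrite(SAMPLE_SDP)
    print("after: ", media_endpoint(fixed), rtp_stays_in_tunnel(fixed))
```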
(12-02-2013 06:05 PM)dlmc Wrote: [ -> ]same LAN as what ?

Same LAN in the sense that I'm using Getonsip.com through the same gateway, and they force the use of a proxy in that case, so if two phones are in the same LAN, the proxy of Getonsip is used, as shown in the next picture:

[Image: image070.png]

For more details see the next page:
One field to consider adding to the Client's VPN config file is this:
Code:
# Uncomment this section for a more reliable detection when a system
# loses its connection.  For example, dial-ups or laptops that
# travel to other locations.
ping 30
ping-restart 300
persist-key
;persist-tun

This allows the connection to be restarted, in case you use Dyndns, when your dynamic IP changes, and this way you stay connected to the same LAN via VPN!