Networking/Virtual Private Network (VPN)
From Snom User Wiki
Author: Hirosh Dabui
Starting with firmware version 8.4.27, all snom firmware versions for the snom 370, 8xx and 7x0 include the ability to build secure VoIP infrastructures using OpenVPN technology. Snom decided to use OpenVPN because it is compatible with SSL/TLS, RSA certificates and X509 PKI, NAT, DHCP, and TUN/TAP virtual devices.
NOTE: Starting from 220.127.116.11, the VPN feature is no longer enabled by default; to enable it, you have to download the VPN patch from this page.
OpenVPN is open source and is licensed under the GPL.
With OpenVPN you can:
- tunnel any packet of your phone over a single UDP or TCP port
- avoid secure SIP, SRTP and STUN, which make life harder in the SIP world
- use any cipher and key size supported by the OpenSSL library
- choose between static-key or certificate-based public key encryption
- use static, pre-shared keys or dynamic key exchange via TLS or username/password
- tunnel phones over NAT
- tunnel phones through firewalls
- benefit from OpenVPN's cross-platform portability: it runs on Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, PocketPC and Solaris
- and much more ...
Authentication can be done with a pre-shared secret key, with certificates, or with username/password (auth-retry nointeract).
Authentication via username/password is supported by default by the Debian OpenVPN package until version 2.0beta20.
1. If you are using a firmware version older than 8.4.27, you will need a special VPN version (see Download Instructions). Otherwise there is no need to install anything else on your phone.
2. Enable the VPN parameter and press Save.
3. Next, the Unzipped VPN config tarball parameter becomes available. Enter the HTTPS URL of your tarball with the OpenVPN configuration, e.g. https://username:password@host:port
4. Read below for the details of building this tarball.
The source code of components licensed under GPL used in snom VoIP phones can be downloaded from here.
The original GPL license text can be downloaded from here.
Setting up X509 PKI or pre-shared keys
This section explains how to configure a client/server VPN infrastructure using an X509 PKI (public key infrastructure using certificates and private keys). The best way to configure your phone is to build your client configs on a Linux system for test purposes. Once that works, make a tarball of the directory where the config files are stored. Please note that all file paths in your test config files have to be changed for the phone to /openvpn/filename, and the config file has to be renamed to vpn.cnf.
Instructions for setting up a Certificate Authority (CA) and creating certificates and keys for a server and clients can be found here. A tutorial on setting up Debian (4.0 Etch) with an OpenVPN server can be found here. It also describes the creation of the necessary certificates.
Available TLS Ciphers
DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5
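The list above is everything the phone firmware can negotiate, and more than half of it is export-grade, RC4 or single DES. The following script is an added example, not part of the snom wiki or of the phone firmware: it sorts the page's cipher names into tiers and prints an OpenVPN tls-cipher line restricted to the forward-secret AES suites. AVAILABLE_TLS_CIPHERS is simply the page's list as a string; the tiering rules are this example's own judgement.

```shell
#!/bin/sh
# Added example (not from the snom wiki): classify the TLS cipher suites the
# phone offers and emit a "tls-cipher" directive that pins the handshake to
# the strongest tier. Cipher names are the page's; the tiers are ours.

# The page's "Available TLS Ciphers" list, verbatim, space separated.
AVAILABLE_TLS_CIPHERS="DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5"

# cipher_tier NAME: prints "weak", "legacy" or "strong".
#   weak   - export-grade (EXP-), RC4, RC2, single DES, or an MD5 MAC
#   legacy - 3DES, or AES without an ephemeral DH exchange (no forward secrecy)
#   strong - AES with ephemeral DH (DHE-RSA-* / DHE-DSS-*)
# Note the pattern *DES-CBC-SHA matches single DES only; 3DES is DES-CBC3-SHA.
cipher_tier() {
    case $1 in
        EXP-*|*RC4*|*RC2*|*-MD5|*DES-CBC-SHA) echo weak ;;
        DHE-*-AES*) echo strong ;;
        *) echo legacy ;;
    esac
}

# tls_cipher_directive [LIST]: prints an OpenVPN "tls-cipher" line that keeps
# only the strong tier, in the order the firmware lists the suites.
# OpenVPN expects the OpenSSL cipher-list syntax, i.e. names joined by ":".
tls_cipher_directive() {
    list=${1:-$AVAILABLE_TLS_CIPHERS}
    out=""
    for c in $list; do
        if [ "$(cipher_tier "$c")" = strong ]; then
            out="${out:+$out:}$c"
        fi
    done
    echo "tls-cipher $out"
}

# cipher_report [LIST]: one line per suite with its tier, for review.
cipher_report() {
    for c in ${1:-$AVAILABLE_TLS_CIPHERS}; do
        printf '%-8s %s\n' "$(cipher_tier "$c")" "$c"
    done
}

# Run directly to see the report and the resulting directive.
if [ "$#" -eq 1 ] && [ "$1" = report ]; then
    cipher_report
    tls_cipher_directive
fi
```

tls-cipher is a standard OpenVPN directive and the list must be acceptable to both ends, so the same line belongs in server.cnf and in vpn.cnf. The DHE-DSS suites are only selectable with DSA certificates; with the RSA certificates used in the examples on this page the effective choice is DHE-RSA-AES256-SHA and DHE-RSA-AES128-SHA.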
Example for X509 PKI
vpn.cnf for phone
client
dev tun
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
;proto tcp
# or tcp and no more nat problems, it is a hit to RTP
# (TCP(UDP(RTP))) :)
proto udp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# or insert an ip here
remote openvpn.snom.com 1194
# Choose a random host from the remote
# list for load-balancing. Otherwise
# try hosts in the order specified.
;remote-random
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here. See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]
# Wireless networks often produce a lot
# of duplicate packets. Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca /openvpn/ca.crt
cert /openvpn/phone1.crt
key /openvpn/phone1.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server". The build-key-server
# script in the easy-rsa folder will do this.
ns-cert-type server
# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo
# Set log file verbosity.
verb 0
# Silence repeating messages
;mute 20
ping 10
ping-restart 60
server.cnf on server side
# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d
# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one. You will need to
# open up this port on your firewall.
port 1194
# TCP or UDP server?
;proto tcp
proto udp
# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.
;dev tap
dev tun
# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key). Each client
# and the server must have their own cert and
# key file. The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys. Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/openvpn.snom.com.crt
key keys/openvpn.snom.com.key # This file should be kept secret
# Diffie hellman parameters.
# Generate your own with:
# openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys.
dh dh1024.pem
# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.8.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.8.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.30.0.0 255.255.255.0
# Maintain a record of client <-> virtual IP address
# associations in this file. If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt
# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
# very important for proxies, b2bua comment it out, more secure
client-to-client
# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC # Blowfish (default)
;cipher AES-128-CBC # AES
;cipher DES-EDE3-CBC # Triple-DES
# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# snom phones don't support this
;comp-lzo
# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100
# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log
# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it. Use one
# or the other (but not both).
;log openvpn.log
;log-append openvpn.log
# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 0
# Silence repeating messages. At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20
An encrypted point-to-point link between 10.5.0.1 (server) and 10.5.0.2 (phone) is established with a pre-shared key (static.key).
server.cnf on server side
mode p2p
port 1194
dev tun
proto udp
ifconfig 10.5.0.1 10.5.0.2
secret static.key
ping 10
ping-restart 180
ping-timer-rem
verb 0
vpn.cnf for phone
mode p2p
remote 192.168.0.188 1194
proto udp
dev tun
ifconfig 10.5.0.2 10.5.0.1
secret /openvpn/static.key
ping 10
ping-restart 180
ping-timer-rem
verb 0
Example of a VPN snom tarball
Generating a tarball:
cd /etc/openvpn
chown -Rf root:root *
chmod -R 700 *
tar cvpf vpnclient.tar *
Upload it to an HTTPS or HTTP server.
Please note that the file paths must point to /openvpn and the config file must be named vpn.cnf.
When a VPN session is established, you will see the VPN icon in the phone's taskbar!
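The two rules above (every file path rewritten to /openvpn/..., config named vpn.cnf) and the ns-cert-type precaution from the X509 client config are easy to get wrong when moving a config from the Linux test box to the phone. The following script is an added example, not the snom wiki's own commands: it validates a staging directory against those rules and then packs it the way the page does. The sample config text, the placeholder cert/key files, the hostname vpn.example.invalid and the function names are all constructed for this example; remote-cert-tls is the newer OpenVPN equivalent of ns-cert-type and is accepted as an alternative.

```shell
#!/bin/sh
# Added example (not from the snom wiki): check an OpenVPN staging directory
# against the page's rules for the phone, then build the tarball.
set -eu

# check_vpn_config DIR: prints each problem found and returns 1 if there are
# any; returns 0 when DIR/vpn.cnf passes. Checks: the config is named vpn.cnf,
# every file directive points to /openvpn/<file>, that file is present in DIR,
# and a certificate-based client pins the server certificate role.
check_vpn_config() {
    dir=$1
    if [ ! -f "$dir/vpn.cnf" ]; then
        echo "missing $dir/vpn.cnf (the phone only reads vpn.cnf)"
        return 1
    fi
    errors=$(
        # file-carrying directives; lines starting with # or ; are comments
        grep -E '^[[:space:]]*(ca|cert|key|secret|pkcs12|tls-auth)[[:space:]]' "$dir/vpn.cnf" |
        while read -r directive path _; do
            case $path in
                /openvpn/*)
                    [ -f "$dir/${path#/openvpn/}" ] ||
                        echo "$directive: ${path#/openvpn/} is not in $dir" ;;
                *) echo "$directive: $path must be /openvpn/<file>" ;;
            esac
        done
        # the page calls ns-cert-type server an important precaution (MITM)
        if grep -qE '^[[:space:]]*client([[:space:]]|$)' "$dir/vpn.cnf" &&
           ! grep -qE '^[[:space:]]*(ns-cert-type|remote-cert-tls)[[:space:]]+server' "$dir/vpn.cnf"; then
            echo "client config lacks 'ns-cert-type server' (or 'remote-cert-tls server')"
        fi
    )
    if [ -n "$errors" ]; then
        printf '%s\n' "$errors"
        return 1
    fi
}

# make_vpn_tarball DIR OUT: validates DIR, tightens permissions as the page
# does (chmod -R 700; chown root:root is left to the caller since it needs
# root), and packs the files flat so they extract straight into /openvpn.
make_vpn_tarball() {
    dir=$1
    out=$2
    check_vpn_config "$dir" || return 1
    case $out in /*) ;; *) out=$PWD/$out ;; esac
    chmod -R 700 "$dir"
    ( cd "$dir" && tar cf "$out" * )
}

# Constructed sample: a minimal phone-side client config that follows the
# page's path rule (the hostname is a placeholder).
GOOD_CNF='client
dev tun
proto udp
remote vpn.example.invalid 1194
ca /openvpn/ca.crt
cert /openvpn/phone1.crt
key /openvpn/phone1.key
ns-cert-type server
verb 0'

# Constructed sample with the mistakes the page warns about: one path left at
# the Linux test-box location, one file not in the tarball, no ns-cert-type.
BAD_CNF='client
dev tun
proto udp
remote vpn.example.invalid 1194
ca /etc/openvpn/ca.crt
cert /openvpn/phone1.crt
key /openvpn/missing.key
verb 0'

# make_staging DIR CNF: writes DIR/vpn.cnf plus empty placeholder files
# (ca.crt, phone1.crt, phone1.key) so the checks can run offline.
make_staging() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/vpn.cnf"
    : > "$1/ca.crt"
    : > "$1/phone1.crt"
    : > "$1/phone1.key"
}

# Run directly: sh build_vpn_tarball.sh /etc/openvpn vpnclient.tar
if [ "$#" -eq 2 ]; then
    make_vpn_tarball "$1" "$2"
fi
```

Run it against the real staging directory before uploading; a non-zero exit with a list of offending directives is cheaper than a phone that silently fails to bring the tunnel up.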
FAQ - most common issues
Everything works as described, but the phone seems to reject my server certificate. What's wrong?
You must configure an NTP server that the phone can reach on its native network (not via the VPN). Otherwise the phone has the wrong date and treats all certificates as not valid (yet)...
Available Turn Key Solution
It does the following for you:
- certificate handling
- certificate revocation
- phone provisioning
- three click installer for windows vpn clients
It is compatible with any IP PBX, has no licensing fees and runs on the fantastic OpenBSD operating system.