Networking/Virtual Private Network (VPN)

From Snom User Wiki

Revision as of 09:49, 24 January 2017 by Berterp (Talk | contribs)

Overview

Author: Hirosh Dabui

Starting with firmware version 8.4.27, all snom firmware versions for the snom 370, 8xx and 7x0 include the ability to build secure VoIP infrastructures with OpenVPN. Snom decided to use OpenVPN because it is compatible with SSL/TLS, RSA certificates and X.509 PKI, NAT, DHCP, and TUN/TAP virtual devices.

NOTE: Starting with 8.7.5.17 the VPN feature is no longer enabled by default; to enable it you have to download the VPN patch from this page.

OpenVPN is Open Source and is licensed under the GPL.

With OpenVPN you can:

  1. tunnel every packet of your phone over a single UDP or TCP port
  2. avoid secure SIP, SRTP and STUN, which make life harder in the SIP world
  3. use any cipher and key size supported by the OpenSSL library
  4. choose between static-key and certificate-based public key encryption
  5. use static, pre-shared keys or dynamic key exchange via TLS or username/password
  6. tunnel phones over NAT
  7. tunnel phones through firewalls
  8. run OpenVPN on many platforms: Linux, Windows 2000/XP and higher, OpenBSD, FreeBSD, NetBSD, Mac OS X, PocketPC and Solaris
  9. and much more ...

Authentication can be done with a pre-shared secret key, certificates, or a username/password (auth-retry nointeract).

Authentication via username/password is supported by default by the Debian OpenVPN package until version 2.0beta20. [1]

Install procedure

1. If you are using a firmware version older than 8.4.27, you will need a special VPN version (see the Download Instructions). Otherwise there is no need to install anything else on your phone.

2. Enable the VPN parameter and press Save:

3. Next, the Unzipped VPN config tarball parameter becomes available. Enter the HTTPS URL of your tarball, e.g. https://username:password@host:port, containing the OpenVPN configuration.

4. The details for building this tarball are described below.



The source code of components licensed under GPL used in snom VoIP phones can be downloaded from here.

The original GPL license text can be downloaded from here.

Setting up an X509 PKI or a Pre-Shared Key

Configuring a client/server VPN infrastructure using an X.509 PKI (public key infrastructure using certificates and private keys) is explained in this section. The best way to configure your phone is to build and test your client configuration on a Linux system first. Once it works, make a tarball of the directory where the config files are stored. Note that all file paths in your test config files have to be changed to /openvpn/filename for the phone, and the config file has to be renamed to vpn.cnf.

Instructions for configuring a Certificate Authority (CA) and creating certificates and keys for a server and clients can be found here. A tutorial on setting up Debian (4.0 Etch) with an OpenVPN server can be found here; it also describes the creation of the necessary certificates.

Available TLS Ciphers

DHE-RSA-AES256-SHA
DHE-DSS-AES256-SHA
AES256-SHA
EDH-RSA-DES-CBC3-SHA
EDH-DSS-DES-CBC3-SHA
DES-CBC3-SHA
DHE-RSA-AES128-SHA
DHE-DSS-AES128-SHA
AES128-SHA
RC4-SHA
RC4-MD5
EDH-RSA-DES-CBC-SHA
EDH-DSS-DES-CBC-SHA
DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA
EXP-EDH-DSS-DES-CBC-SHA
EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5
EXP-RC4-MD5
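The list above mixes suites that are still acceptable with export-grade, RC4, single-DES and MD5-based ones. As an added example that is not from the snom wiki, the following POSIX shell script classifies each suite the phone offers and derives a tls-cipher line for server.cnf that admits only the AES suites, listing the ephemeral Diffie-Hellman (DHE/EDH) variants first because they provide forward secrecy. The classification rules and the function names are my own; tls-cipher is a standard OpenVPN option that takes a colon-separated list of OpenSSL cipher names, and the server's certificate type must match the suites kept (RSA for the -RSA- suites).

```shell
#!/bin/sh
# Added example, not part of the snom wiki page.
# Classify the TLS suites the phone firmware advertises (list copied from the
# page) and derive a "tls-cipher" line for server.cnf that only admits the
# AES suites. Classification rules are generic TLS hygiene, not snom guidance.

PHONE_CIPHERS="DHE-RSA-AES256-SHA DHE-DSS-AES256-SHA AES256-SHA
EDH-RSA-DES-CBC3-SHA EDH-DSS-DES-CBC3-SHA DES-CBC3-SHA
DHE-RSA-AES128-SHA DHE-DSS-AES128-SHA AES128-SHA
RC4-SHA RC4-MD5 EDH-RSA-DES-CBC-SHA EDH-DSS-DES-CBC-SHA DES-CBC-SHA
EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA
EXP-RC2-CBC-MD5 EXP-RC4-MD5"

# cipher_class NAME -> prints ok | legacy | weak
cipher_class() {
    case "$1" in
        EXP-*|*RC4*|*-MD5|*DES-CBC-SHA) echo weak ;;   # export-grade, RC4, MD5 MAC, single DES
        *DES-CBC3-SHA)                  echo legacy ;; # 3DES: 64-bit block, avoid for new setups
        *AES*)                          echo ok ;;
        *)                              echo weak ;;   # anything unrecognised is not offered
    esac
}

# strong_ciphers -> space-separated "ok" suites, forward-secret (DHE/EDH) ones first
strong_ciphers() {
    fs="" nofs=""
    for c in $PHONE_CIPHERS; do
        [ "$(cipher_class "$c")" = ok ] || continue
        case "$c" in
            DHE-*|EDH-*) fs="$fs $c" ;;
            *)           nofs="$nofs $c" ;;
        esac
    done
    all="$fs$nofs"
    printf '%s\n' "${all# }"
}

# tls_cipher_directive -> the line to paste into server.cnf
tls_cipher_directive() {
    printf 'tls-cipher %s\n' "$(strong_ciphers | tr ' ' ':')"
}

# Report every suite with its class, then the resulting directive.
for c in $PHONE_CIPHERS; do
    printf '%-26s %s\n' "$c" "$(cipher_class "$c")"
done
tls_cipher_directive
```

The server and the phone must share at least one suite, so the restriction is applied on the server side only; the phone's list is fixed by its firmware.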

Example for X509 PKI

vpn.cnf for the phone

client
dev tun

# Are we connecting to a TCP or
# UDP server?  Use the same setting as
# on the server.
;proto tcp
# With tcp the NAT problems disappear, but RTP then
# travels as TCP(UDP(RTP)), which hurts audio quality.
proto udp
 
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
# or insert an ip here
remote openvpn.snom.com 1194
 
# Choose a random host from the remote
# list for load-balancing.  Otherwise
# try hosts in the order specified.
;remote-random
 
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server.  Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
 
#  Most clients don't need to bind to
# a specific local port number.
nobind

# Try to preserve some state across restarts.
persist-key
persist-tun

# If you are connecting through an
# HTTP proxy to reach the actual OpenVPN
# server, put the proxy server/IP and
# port number here.  See the man page
# if your proxy server requires
# authentication.
;http-proxy-retry # retry on connection failures
;http-proxy [proxy server] [proxy port #]

# Wireless networks often produce a lot
# of duplicate packets.  Set this flag
# to silence duplicate packet warnings.
;mute-replay-warnings

# SSL/TLS parms.
# See the server config file for more
# description.  It's best to use
# a separate .crt/.key file pair
# for each client.  A single ca
# file can be used for all clients.
ca /openvpn/ca.crt
cert /openvpn/phone1.crt
key /openvpn/phone1.key
 
# Verify the server certificate by checking
# that the certificate has the nsCertType
# field set to "server".  This is an
# important precaution to protect against
# a potential attack discussed here:
#  http://openvpn.net/howto.html#mitm
#
# To use this feature, you will need to generate
# your server certificates with the nsCertType
# field set to "server".  The build-key-server
# script in the easy-rsa folder will do this.
# (Newer OpenVPN releases deprecate ns-cert-type in
# favour of "remote-cert-tls server"; keep ns-cert-type
# here unless the phone firmware is known to accept
# the newer directive.)
ns-cert-type server
 

# Enable compression on the VPN link.
# Don't enable this unless it is also
# enabled in the server config file.
#comp-lzo

# Set log file verbosity.
verb 0

# Silence repeating messages
;mute 20
ping 10
ping-restart 60


server.cnf on the server side

# Which local IP address should OpenVPN
# listen on? (optional)
;local a.b.c.d

# Which TCP/UDP port should OpenVPN listen on?
# If you want to run multiple OpenVPN instances
# on the same machine, use a different port
# number for each one.  You will need to
# open up this port on your firewall.
port 1194

# TCP or UDP server?
;proto tcp
proto udp

# "dev tun" will create a routed IP tunnel,
# "dev tap" will create an ethernet tunnel.

;dev tap
dev tun


# SSL/TLS root certificate (ca), certificate
# (cert), and private key (key).  Each client
# and the server must have their own cert and
# key file.  The server and all clients will
# use the same ca file.
#
# See the "easy-rsa" directory for a series
# of scripts for generating RSA certificates
# and private keys.  Remember to use
# a unique Common Name for the server
# and each of the client certificates.
#
# Any X509 key management system can be used.
# OpenVPN can also use a PKCS #12 formatted key file
# (see "pkcs12" directive in man page).
ca keys/ca.crt
cert keys/openvpn.snom.com.crt 
key keys/openvpn.snom.com.key  # This file should be kept secret

# Diffie hellman parameters.
# Generate your own with:
#   openssl dhparam -out dh1024.pem 1024
# Substitute 2048 for 1024 if you are using
# 2048 bit keys. 
dh dh1024.pem

# Configure server mode and supply a VPN subnet
# for OpenVPN to draw client addresses from.
# The server will take 10.30.0.1 for itself,
# the rest will be made available to clients.
# Each client will be able to reach the server
# on 10.30.0.1. Comment this line out if you are
# ethernet bridging. See the man page for more info.
server 10.30.0.0 255.255.255.0

# Maintain a record of client <-> virtual IP address
# associations in this file.  If OpenVPN goes down or
# is restarted, reconnecting clients can be assigned
# the same virtual IP address from the pool that was
# previously assigned.
ifconfig-pool-persist ipp.txt



# Uncomment this directive to allow different
# clients to be able to "see" each other.
# By default, clients will only see the server.
# To force clients to only see the server, you
# will also need to appropriately firewall the
# server's TUN/TAP interface.
# Very important: if the phones only talk to a proxy or
# B2BUA, comment this out so they cannot reach each other
# directly; that is the more secure setting.
client-to-client


# The keepalive directive causes ping-like
# messages to be sent back and forth over
# the link so that each side knows when
# the other side has gone down.
# Ping every 10 seconds, assume that remote
# peer is down if no ping received during
# a 120 second time period.
keepalive 10 120


# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES

# Enable compression on the VPN link.
# If you enable it here, you must also
# enable it in the client config file.
# snom phones do not support this
;comp-lzo

# The maximum number of concurrently connected
# clients we want to allow.
;max-clients 100

# The persist options will try to avoid
# accessing certain resources on restart
# that may no longer be accessible because
# of the privilege downgrade.
persist-key
persist-tun
 
# Output a short status file showing
# current connections, truncated
# and rewritten every minute.
status openvpn-status.log

# By default, log messages will go to the syslog (or
# on Windows, if running as a service, they will go to
# the "\Program Files\OpenVPN\log" directory).
# Use log or log-append to override this default.
# "log" will truncate the log file on OpenVPN startup,
# while "log-append" will append to it.  Use one
# or the other (but not both).
;log         openvpn.log
;log-append  openvpn.log

# Set the appropriate level of log
# file verbosity.
#
# 0 is silent, except for fatal errors
# 4 is reasonable for general usage
# 5 and 6 can help to debug connection problems
# 9 is extremely verbose
verb 0

# Silence repeating messages.  At most 20
# sequential messages of the same message
# category will be output to the log.
;mute 20

Example Pre-Shared Key

An encrypted link between 10.5.0.1 and 10.5.0.2 is established with a pre-shared key (static.key).

server side

mode p2p
port 1194
dev tun
proto udp

ifconfig 10.5.0.1 10.5.0.2

# static.key is generated once with "openvpn --genkey --secret static.key"
# and copied to the phone as /openvpn/static.key
secret static.key

ping 10
ping-restart 180
ping-timer-rem

verb 0

phone (vpn.cnf)

mode p2p
remote 192.168.0.188 1194
proto udp
dev tun

ifconfig 10.5.0.2 10.5.0.1

secret /openvpn/static.key

ping 10
ping-restart 180
ping-timer-rem

verb 0

Example of a VPN snom tarball

Generating a tarball:

cd /etc/openvpn
chown -Rf root:root *
chmod -R 700 *
tar cvpf vpnclient.tar *

Upload it to an HTTPS or HTTP server!

vpnclient.tar

Please note: the file paths must point to /openvpn and the config file must be named vpn.cnf.

When a VPN session is established, you will see the VPN icon in the phone's taskbar.
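The packaging commands above do not verify the two constraints the page states for the phone (a config file named vpn.cnf, and every referenced file under /openvpn/). The following POSIX shell script is an added example, not the wiki's or snom's own tooling: it checks those constraints against the actual directory contents before building the tar archive. The function names, the list of directives it inspects (ca, cert, key, secret, pkcs12, tls-auth) and the chmod step are my choices; the chown to root from the page is left out so the script need not run as root.

```shell
#!/bin/sh
# Added example, not part of the snom wiki page or snom's own tooling.
# Check a client config directory against the two constraints the page states
# (config named vpn.cnf, every referenced file under /openvpn/) and then build
# the tar archive the phone fetches. Function names and the directive list
# are my own; the chown to root from the page is left out.

# check_vpn_config DIR -> 0 if DIR/vpn.cnf is phone-ready, 1 with messages on stderr otherwise
check_vpn_config() {
    dir=$1
    cfg="$dir/vpn.cnf"
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "missing $cfg (the phone only reads a config file named vpn.cnf)" >&2
        return 1
    fi
    # "|| [ -n ... ]" still handles a last line without a trailing newline
    while read -r directive path _rest || [ -n "$directive" ]; do
        case "$directive" in
            '#'*|';'*|'') continue ;;                 # comments and blank lines
            ca|cert|key|secret|pkcs12|tls-auth) ;;     # directives that name a file
            *) continue ;;
        esac
        case "$path" in
            /openvpn/*) ;;
            *) echo "$directive: '$path' must be rewritten to /openvpn/<file> for the phone" >&2
               rc=1; continue ;;
        esac
        if [ ! -f "$dir/${path#/openvpn/}" ]; then
            echo "$directive: ${path#/openvpn/} is not in $dir, the phone will not find it" >&2
            rc=1
        fi
    done < "$cfg"
    return $rc
}

# build_vpn_tarball DIR OUT -> runs the check, tightens permissions, writes OUT
build_vpn_tarball() {
    dir=$1
    out=$2
    case "$out" in /*) ;; *) out="$PWD/$out" ;; esac   # tar runs inside DIR
    check_vpn_config "$dir" || return 1
    chmod -R go-rwx "$dir"                              # keys must not be world-readable
    # Same shape as the page's "cd /etc/openvpn; tar cvpf vpnclient.tar *":
    # files sit at the top level of the archive, not under a subdirectory.
    ( cd "$dir" && tar cpf "$out" * )
}

# Usage when run directly: sh build_vpn_tarball.sh /etc/openvpn /tmp/vpnclient.tar
if [ -n "${2:-}" ]; then
    build_vpn_tarball "$1" "$2"
fi
```

Run it against the directory that holds vpn.cnf and the key material; a non-zero exit with a message on stderr means the phone would have failed to find a file or the config, which is the same symptom the FAQ below attributes to certificate problems.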

FAQ - most common issues

Everything works as described, but the phone seems to reject my server certificate. What's wrong?

You must configure an NTP server that the phone can reach on its native network (not via the VPN). Otherwise the phone will have a wrong date and assume that all certificates are not valid (yet).

See also...

Available Turn Key Solution

Together with our technology partner Ciphron, we created an easy-to-use appliance for VoIP VPN configuration: SecurePhoneNetwork. You should use it; it works out of the box without any hassles.

It does the following for you:

  • certificate handling
  • certificate revocation
  • phone provisioning
  • three click installer for windows vpn clients

It is compatible with any IP PBX, has no licensing fees, and runs the fantastic OpenBSD operating system.

3CX

http://www.3cx.com/support/secure-calls-openvpn.html

VPN and Debian

How To for Debian
