Setting up a client
January 1, 2009
Adding a client
In Part 1 we discussed the "plumbing": getting OpenVPN server and client installed, getting a SIP desktop phone to talk to Asterisk, and getting Asterisk to talk to our SIP trunk provider. In Part 2 we went into detail on building a dial plan for Asterisk so it can provide us the "bread and butter" of a PBX: extensions and voicemail. In this article we will provide a detailed checklist for adding more clients. This means installing OpenVPN on the client, enabling the client's OpenVPN access on the server, enabling a SIP extension for the client in Asterisk, and installing a softphone on the client. Our client system will be Ubuntu 8.10 "Intrepid Ibex". Our SIP softphone will be KPhone. The basic steps and information will be easily applicable to other operating systems.
Step 1: install the software on the client
OpenVPN:
sudo apt-get install openvpn
There's also a package called kvpnc
which provides a graphical interface to configure
OpenVPN. We're not using it, to keep these instructions
as universal as possible.
KPhone:
Note, January 2011: We're no longer using KPhone. Ekiga is a more suitable open-source desktop SIP client. It runs on both Linux and Windows, operates well with Asterisk, and has full video support.
sudo apt-get install kphone
Generate the OpenVPN key pair on the server
We use the easy-rsa directory that comes
with the OpenVPN server to make it easy to generate keys.
Go into that directory and adjust the vars
file as necessary.
Start a root shell:
sudo bash
Source the vars script to set the environment
correctly:
source vars
Make the key:
./build-key newclient
Enter the information as needed. It's not necessary to sign the certificate, so answer NO for that.
The common name is very important. The common name
must match the name of the file stored in the clients
directory, or OpenVPN won't be able to find it. When the
connection comes in to the OpenVPN server, all it knows
is the key's common name field. From that, it locates
the appropriate config file in the clients
directory.
Enable the connection on the server
Pick a subnet that will be the client's VPNed subnet. Let's say 192.168.5.0. We modify two files on the server.
First, add a route to that net to the server's main config
file, normally /etc/openvpn/server.conf:
route 192.168.5.0 255.255.255.0
Next, add a client file in the /etc/openvpn/clients
directory. This file has the same name as the key's common
name. In this example, the file is named
newclient.
This file simply binds a route between the subnet
and the common name:
iroute 192.168.5.0 255.255.255.0
We're done with OpenVPN config on the server.
Configuring OpenVPN on the client
Make a key directory on the client:
sudo mkdir /etc/openvpn/keys
Now copy the necessary keys to the client. In
this case these would be
ca.crt, newclient.crt
and newclient.key. They will go into the client's
/etc/openvpn/keys directory.
Create a configuration file in /etc/openvpn
on the client. The OpenVPN startup script runs any file
with the .conf extension in that directory,
so it could be anything. We'll use /etc/openvpn/client.conf.
This is it:
client
dev tun
remote openvpn.chiralsoftware.com
resolv-retry infinite
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/newclient.crt
key /etc/openvpn/keys/newclient.key
port 1194
Turn on IP forwarding in the client
Edit /etc/sysctl.conf and add a line:
net.ipv4.ip_forward = 1
If you would like the client to serve as a gateway
for other machines on its LAN, add this to
/etc/network/interfaces:
auto eth0 eth0:1
iface eth0:1 inet static
address 192.168.4.1
netmask 255.255.255.0
This is recommended. If you take the laptop with you and want to use a desktop SIP phone with the laptop, it's great to have the client acting as a VPN gateway.
Make sure the firewalls allow the traffic, restart OpenVPN (both client and server), and you should have an OpenVPN connection. Test it out. If it doesn't work, check for firewall problems first, then check that OpenVPN is running (started properly) on both client and server.
If it doesn't work
If it still doesn't work, check on the server:
- The keys are in the keys directory
- The key file has the same name as the common name of the key
- The key was signed when it was generated
- There is a route entry, with the correct network, in /etc/openvpn/server.conf
- There is a file in the clients directory with the same name as the key common name
- The client file contains an iroute entry with the correct network
If it still doesn't work, check on the client:
- IP forwarding is turned on. cat /proc/sys/net/ipv4/ip_forward should return 1
- The keys are installed
- The config file, with correct network information and key file names, is installed, as above
It should be working at this point.
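The server-side and key checks from the two lists above, written as a script. This is an added example, not part of the original article: the function names are hypothetical, the directories are passed in as parameters, and the test that the private key is unreadable by group and other is an extra check that the article's list does not include.

```shell
#!/bin/sh
# Added example (not from the original article): automates the checklist above.
# Paths are parameters so it can be pointed at /etc/openvpn or at a test copy.

# Succeeds if FILE has an uncommented line "<directive> <network> <netmask>".
has_directive() {   # $1=file $2=directive $3=network $4=netmask
    awk -v d="$2" -v n="$3" -v m="$4" '
        $1 ~ /^[#;]/ { next }                     # skip comment lines
        $1 == d && $2 == n && $3 == m { found = 1 }
        END { exit !found }' "$1" 2>/dev/null
}

# Server side: route in server.conf, a client file named after the common
# name, and a matching iroute inside it. Returns the number of failures.
check_server() {    # $1=openvpn dir $2=common name $3=network $4=netmask
    fails=0
    if ! has_directive "$1/server.conf" route "$3" "$4"; then
        echo "FAIL: no 'route $3 $4' in $1/server.conf"; fails=$((fails + 1))
    fi
    if [ ! -f "$1/clients/$2" ]; then
        echo "FAIL: no file named '$2' in $1/clients"; fails=$((fails + 1))
    elif ! has_directive "$1/clients/$2" iroute "$3" "$4"; then
        echo "FAIL: no 'iroute $3 $4' in $1/clients/$2"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Client side: the three key files exist, and the private key is accessible
# to its owner only (the permission test is an addition to the article's list).
check_client_keys() {   # $1=keys dir $2=common name
    fails=0
    for f in ca.crt "$2.crt" "$2.key"; do
        [ -f "$1/$f" ] || { echo "FAIL: missing $1/$f"; fails=$((fails + 1)); }
    done
    if [ -f "$1/$2.key" ]; then
        perms=$(ls -ld "$1/$2.key" | cut -c5-10)   # group and other bits
        [ "$perms" = "------" ] || {
            echo "FAIL: $1/$2.key is accessible to group/other"; fails=$((fails + 1)); }
    fi
    return "$fails"
}

# On the server: check_server /etc/openvpn newclient 192.168.5.0 255.255.255.0
# On the client: check_client_keys /etc/openvpn/keys newclient
```

Each function prints one line per failed check and returns the failure count, so an exit status of 0 means every check passed.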
Add the extension in the Asterisk sip.conf file
Before we can do anything with the Asterisk dial plan,
we need to enable the extension in sip.conf.
The exact details depend on which SIP client you're using.
We're using KPhone in this example, but there are many others.
Edit /etc/asterisk/sip.conf on the server.
Add a block like this:
[newclient]
type=friend
host=dynamic
authname=newclient
secret=seekrit
dtmfmode=inband ; unfortunately required for kphone
; we need to specify a codec other than GSM
; otherwise we get an error in kphone:
; Inband DTMF is not supported on codec gsm. Use RFC2833
disallow=all ; First disallow all codecs
allow=ulaw ; Allow codecs in order of preference
allow=ilbc ; see doc/rtp-packetization for framing options
mailbox=1000
context=staff
callerid=MyCallerId
canreinvite=no
bindaddr = 10.8.0.1
nat=no
Now that extension can be used in your dial plan as any other. After making the changes in the dial plan, reload the Asterisk configuration.
Configuring Kphone
The server is 10.8.0.1. The name and password are as above. Connect and start making calls. It works, with both incoming and outgoing calls. You now have a softphone extension, routing securely over OpenVPN.
Conclusion
This is a great system. You have a secure, reliable extension
that works on your laptop, whether it's in your home office,
or your hotel on the other side of the world. You don't need to
worry about insecure hotel networks or wireless networks.
OpenVPN has you covered. And remember, in your Asterisk dial plan,
you can use the Dial() application to dial more than
one extension. For example:
exten => 101,1,Dial(${JOEDESKTOP}&${JOELAPTOP},22,m)
where JOEDESKTOP and JOELAPTOP are variables
for the relevant extensions. If you set it up this way,
both will attempt to ring, so Joe will get his calls at the office
or on his laptop, depending on which is active.
A benefit of all this is cost savings and better interaction with customers. Many companies today are cutting costs by not giving their employees extensions and desk phones. A conventional high-quality office phone can be over $200, and a conventional PBX port also has costs. With softphones, those costs can be cut to zero. Doing so makes it easy to give all employees an extension, which works both at the office and the home office, to facilitate better and more professional interaction with customers. At the end of the day, that's the biggest benefit of this configuration.
If you need help designing and implementing a voice application or PBX based on Asterisk and SIP, contact us at 310 356 7869 to discuss.