
OpenWRT + OpenVPN for Asterisk. Budget way to organize a VPN network

This is another article about the MR3020 router, OpenWRT and OpenVPN. As a bonus, I am posting a ready-made firmware image for this router with OpenVPN, the Nano text editor and wget installed. Everything unnecessary is disabled in this firmware, including the web interface, IPv6 and WiFi.

The router can be managed only through telnet and SSH. I will not describe how to set up the OpenVPN server; there are plenty of articles about that, and this article helped me personally.

Background


To build the telephone network I needed a VPN, and OpenVPN was chosen for this purpose.
Since the budget was limited, it was decided to install the cheapest routers with OpenWRT support at the remote points (there were three of them, by the way).

TP-Link MR3020 was purchased for the test, and after successful testing, a couple more of these babies were purchased.
Although the router has only one LAN port, it turned out to be very convenient to install at the points: there is no need to place the VoIP gateway and the router right next to each other. The prepared router is plugged into any free network port at the remote point, and the VoIP gateway can also be plugged into any free network port, with the IP address of our router specified as the gateway's default gateway. Naturally, both of them must be on the same network as the Internet gateway.

Configure the router


If the MR3020 is fresh, go to its web interface and upload the firmware through the appropriate menu. If the router already has OpenWRT, proceed as follows:

Log in to the router via telnet or SSH and execute:

cd /tmp/ && wget http://alians-it.pro/images/files/openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin && mtd -r write openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin firmware 

If there is no Internet access, upload the firmware to the router by any other means, for example via SSH (scp) or, as I do, install a web server on your computer, put the firmware in its www directory and again fetch it with wget, but from your computer.

If you have done something wrong or forgotten the router's address, you can put it into "emergency mode": turn the router off and on; wait until the LED under the WPS/RESET button flashes roughly once per second (on for 3 seconds, then off for 3 seconds), immediately press this button and hold it until the LED starts blinking very quickly, then release it. That's it: the router is available via telnet at 192.168.1.1. Configure the network and reflash.

After a successful flash, log in to the router via telnet at 192.168.1.1 and set the root password:

 passwd 

Enter the password twice, and reboot the router:

 reboot 

After the reboot the router will be available only via SSH; log in as root with the password you set.

Network configuration:


 nano /etc/config/network 

Bring the file to the following form:

 config interface 'loopback'
     option ifname 'lo'
     option proto 'static'
     option ipaddr '127.0.0.1'
     option netmask '255.0.0.0'

 config globals 'globals'
     option ula_prefix 'fd69:9e94:7464::/48'

 config interface 'lan'
     option ifname 'eth0'
     option force_link '1'
     option type 'bridge'
     option proto 'static'
     option netmask '255.255.255.0'
     option ip6assign '60'
     option ipaddr '192.168.1.11'
     option gateway '192.168.1.10'
     option dns '8.8.8.8'
     option delegate '0'


You need to edit the section:

 config interface 'lan' 

Here 192.168.1.10 is the address of the Internet gateway on the remote point's network, and 192.168.1.11 is any free address that our router will take. If 192.168.1.1 is free at that site, you only need to add:

 option gateway '192.168.1.10'
 option dns '8.8.8.8'

The dns option is optional.

OpenVPN setup:


Copy the keys and certificates to the /etc/openvpn/ folder. For convenience, I pack everything into an archive and download it in one go:

 cd /etc/openvpn/ && wget http://192.168.1.5/client_Sushi_Terra.tar.gz && tar xzvf client_Sushi_Terra.tar.gz 

As you have guessed, 192.168.1.5 is the address of my work computer with the web server installed, and client_Sushi_Terra is the name of the remote point that was created when the certificates and keys were generated on the OpenVPN server.

Edit the client configuration:

 nano /etc/openvpn/client.conf 

Before:
client
port port
remote ip-address
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client_Sushi_Terra.crt
key /etc/openvpn/client_Sushi_Terra.key
#cipher BF-CBC
#auth MD5
pull
comp-lzo
persist-key
persist-tun
verb 3

After:
client
port 7193
remote 37.193.254.254
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client_Sushi_Terra.crt
key /etc/openvpn/client_Sushi_Terra.key
#cipher BF-CBC
#auth MD5
pull
comp-lzo
persist-key
persist-tun
verb 3

Here 7193 is the port and 37.193.254.254 the address of the OpenVPN server.
We also configure masquerading on the tun0 interface once OpenVPN has started successfully:

 echo 'iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE' >> /etc/init.d/openvpn 

Restart the router again:

 reboot 

Now the router will be available at 192.168.1.11.

If everything is correct, a new tun0 interface will appear.

Setting up the firewall:


Open the /etc/config/firewall file for editing:

 nano /etc/config/firewall

 config defaults
     option syn_flood '1'
     option output 'ACCEPT'
     option forward 'ACCEPT'
     option input 'ACCEPT' #'DROP'

 config include
     option path '/etc/firewall.user'

 config rule
     option target 'ACCEPT'
     option name 'ssh'
     option proto 'tcp'
     option src '*'
     option src_port '22'
     option dest_port '22'


Then replace:

 option input 'ACCEPT' #'DROP' 

with:

 option input 'DROP' 

Now the router will be reachable only on port 22; on any other port nothing will be able to get through to it. You can specify an IP address instead of "*", and that will then be the only address from which you can log in to the router via SSH.
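An added audit helper for the two files edited in this and the OpenVPN section (POSIX sh, not code from the article): it checks that the firewall defaults drop input, that the ssh rule is limited to one source address via the UCI src_ip option, and that client.conf pins the server role with remote-cert-tls server, which assumes the server certificate was issued as a server certificate (as easy-rsa does). The sample files are constructed to mirror the article's configs.

```shell
#!/bin/sh
# Added audit helper, not the article's code. Sample files are constructed;
# on the router they are /etc/config/firewall and /etc/openvpn/client.conf.
FW=$(mktemp); OVPN=$(mktemp)
trap 'rm -f "$FW" "$OVPN"' EXIT
cat >"$FW" <<'EOF'
config defaults
	option input 'DROP'
config rule
	option target 'ACCEPT'
	option name 'ssh'
	option proto 'tcp'
	option src '*'
	option dest_port '22'
EOF
cat >"$OVPN" <<'EOF'
client
remote 37.193.254.254
port 7193
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client_Sushi_Terra.crt
key /etc/openvpn/client_Sushi_Terra.key
EOF

# 0 when the 'defaults' section drops unsolicited input, as the article sets.
fw_input_dropped() {
    sed -n '/^config defaults/,/^config /p' "$1" | grep -q "option input 'DROP'"
}

# 0 when the rule named 'ssh' carries a src_ip restriction, i.e. SSH is not
# open to every host that can reach the router.
fw_ssh_restricted() {
    awk '/^config /{ if (name=="\047ssh\047" && ip) hit=1; name=""; ip=0 }
         $1=="option" && $2=="name"   { name=$3 }
         $1=="option" && $2=="src_ip" { ip=1 }
         END { if (name=="\047ssh\047" && ip) hit=1; exit hit ? 0 : 1 }' "$1"
}

# 0 when client.conf pins the server role; without it a certificate issued by
# the same CA to another point could be used to pose as the OpenVPN server.
ovpn_verifies_server() {
    grep -Eq '^[[:space:]]*remote-cert-tls[[:space:]]+server' "$1"
}

# Report each missing hardening item (the article's fixes plus the server pin).
fw_input_dropped "$FW"       || echo "firewall: input is not DROP"
fw_ssh_restricted "$FW"      || echo "firewall: ssh rule has no src_ip"
ovpn_verifies_server "$OVPN" || echo "openvpn: add 'remote-cert-tls server'"
```

Run it with the real paths in place of the samples; the constructed samples above report the two missing items, which matches the state of the configs as written in the article.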

Setting up a VoIP gateway


Network configuration: specify the IP address of our router as the Internet gateway.

I have OpenVPN running on the same server as Asterisk, so I specify the address of the OpenVPN server as the SIP proxy.

If Asterisk is installed on a separate server, then the OpenVPN server configuration must allow clients to see each other and push the routes to each remote point to the clients.

SIP configuration: specify the address of the Asterisk server as the SIP proxy.

If you set our router as the gateway on any other device, the entire OpenVPN network and all subnets of the remote points will also be reachable from it, provided of course that this is allowed and configured on the OpenVPN server itself.

I would also add that I recommend setting up a firewall on both the Asterisk server and the OpenVPN server, treating the internal network, including the VPN, as being just as hostile as the public Internet.

Source: https://habr.com/ru/post/253331/
