I generated a small presentation on how to connect an iPhone to an Asterisk server through a PPTP VPN.
Watch this short presentation: Secure iPhone
or see the complete story with tutorial videos:
More details
Getting the VPN tunnel working
The iPhone supports three different VPN variants:
- L2TP
- PPTP
- IPSec
I chose PPTP because it was easy to set up. Unfortunately the iPhone does not support OpenVPN, which I would prefer.
Setting up pptpd
Installing MPPE Support
Most people want their tunnels encrypted. Check the version of your kernel; if it is below 2.6.15-rc1 then you do not have MPPE support. To check further, test like this:
# modprobe ppp-compress-18 && echo success
If this fails, follow the Debian MPPE HOWTO, then return here.
Installing the Server Program
Install the pptpd package from the Debian Project:
# apt-get install pptpd
Configure IP Address Range
Edit the file /etc/pptpd.conf for the IP address range, for example:
localip 192.168.0.1 remoteip 192.168.0.234-238,192.168.0.245
Note: see pptpd.conf(5) for more details on the other options.
Note: you will need to restart pptpd to make changes to /etc/pptpd.conf effective:
# /etc/init.d/pptpd restart
Adding Users
Configure /etc/ppp/chap-secrets for the accounts, for example:
# echo "username pptpd password *" >> /etc/ppp/chap-secrets
Note: this method keeps all the usernames and passwords in one file. There are other ways, including authentication using RADIUS, or using Samba. Check the mailing list (subscribe, archives).
Note: you do not need to restart pptpd; a change to chap-secrets is effective for the next connection.
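As an added example (not from the original post), here is a small POSIX shell helper that appends accounts to a chap-secrets style file in the four-field format shown above, validates the username and password so that a stray space cannot produce a malformed line, refuses duplicate entries, and keeps the file at mode 0600 because chap-secrets stores the passwords in plaintext. The target file is passed as a parameter (an assumption made for this example; on a real server it is /etc/ppp/chap-secrets), so it can be tried on a temporary file first.

```shell
#!/bin/sh
# Added example, not from the original post: manage pptpd accounts in a
# chap-secrets style file. Each line has four whitespace-separated fields:
#   client  server  secret  allowed-ip
# The file path is a parameter (assumption for this example); on a real
# server it is /etc/ppp/chap-secrets.

# add_pptp_user FILE USERNAME PASSWORD
# Appends a "USERNAME pptpd PASSWORD *" line after validating both values.
add_pptp_user() {
    file=$1; user=$2; pass=$3
    # Username: letters, digits, dot, dash and underscore only.
    case $user in
        ""|*[!A-Za-z0-9._-]*) echo "add_pptp_user: invalid username" >&2; return 1 ;;
    esac
    # Password: no whitespace or double quotes, since the fields are
    # whitespace separated and the secret is written in double quotes.
    case $pass in
        ""|*[[:space:]]*|*\"*) echo "add_pptp_user: invalid password" >&2; return 1 ;;
    esac
    # Refuse a second entry for the same user on the pptpd server.
    if [ -f "$file" ] && awk -v u="$user" '$1 == u && $2 == "pptpd" { f = 1 } END { exit !f }' "$file"; then
        echo "add_pptp_user: user already exists: $user" >&2; return 2
    fi
    # chap-secrets holds plaintext passwords: create it with mode 0600.
    ( umask 077; : >> "$file" ) && chmod 600 "$file"
    printf '%s\tpptpd\t"%s"\t*\n' "$user" "$pass" >> "$file"
}

# list_pptp_users FILE
# Prints the usernames that have a pptpd entry, one per line.
list_pptp_users() {
    [ -f "$1" ] || return 0
    awk '$2 == "pptpd" { print $1 }' "$1"
}
```

Usage: source the file and call `add_pptp_user /etc/ppp/chap-secrets username password`; because pptpd re-reads chap-secrets for every new connection, no restart is needed, as the note above says.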
NAT for the VPN network
We need to add NAT for the VPN network and enable IP forwarding:
/sbin/iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
echo "1" >/proc/sys/net/ipv4/ip_forward
We also need to edit /etc/sysctl.conf and enable the following line, so that forwarding is still enabled after the next reboot:
# Uncomment the next line to enable packet forwarding for IPv4
net/ipv4/ip_forward=1
Setting up Asterisk
We need to add a user in /etc/asterisk/sip.conf:
[general]
port=5060
bindaddr=0.0.0.0
context=fromLOCAL
realm=atorg.vpn
tos_sip=cs3 ; for SIP packets (call setup)
tos_audio=ef ; for RTP audio packets
tos_video=af41 ; for RTP video packets
language=de
disallow=all
allow=alaw
allow=ulaw
allow=ilbc
;allow=gsm
allow=h261
dtmfmode=inband
srvlookup=yes
videosupport=yes
canreinvite=nonat
maxexpiry=7200
defaultexpiry=3600
musiconhold=default
nat=yes

[30] ; SipPhone
nat=yes
type=friend
context=trunk
secret=***
host=dynamic
callerid="IPhone via SIP through PPTP" <30>
Set up the IAX2 trunking to the Asterisk server that has the PSTN connection:
[general]
port=5036
bandwidth=low
disallow=all
allow=gsm
jitterbuffer=yes
tos=lowdelay
register => trunk2thestar:***@thestar.vpn

[trunk2atorg]
type=friend
host=dynamic
trunk=yes
auth=md5,plaintext,rsa
secret=***
username=trunk2atorg
qualify=yes
context=trunk
And now we need to add this to our small /etc/asterisk/extensions.conf:
[globals]

[trunk]
; calls from local SIP users
exten => _X.,1,Dial,IAX2/trunk2thestar:***@thestar.vpn/${EXTEN}
exten => _X.,2,Congestion(5)
exten => _X.,3,Hangup()
exten => _X.,102,Playback(tt-allbusy)
exten => _X.,103,Hangup()
What it looks like on the iPhone
Just watch this short movie: VPN on iPhone
Testing
Example of a pptpd login and logoff, when you move the VPN slider on the iPhone:
Jun 6 21:02:46 atorg pptpd[7290]: CTRL: Client 62.216.217.17 control connection started
Jun 6 21:02:46 atorg pptpd[7290]: CTRL: Starting call (launching pppd, opening GRE)
Jun 6 21:02:46 atorg pppd[7291]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jun 6 21:02:46 atorg pppd[7291]: pppd 2.4.4b1 started by root, uid 0
Jun 6 21:02:46 atorg pppd[7291]: Using interface ppp0
Jun 6 21:02:46 atorg pppd[7291]: Connect: ppp0 <--> /dev/pts/0
Jun 6 21:02:46 atorg pptpd[7290]: GRE: Bad checksum from pppd.
Jun 6 21:02:49 atorg pppd[7291]: MPPE 128-bit stateless compression enabled
Jun 6 21:02:49 atorg pppd[7291]: Cannot determine ethernet address for proxy ARP
Jun 6 21:02:49 atorg pppd[7291]: local IP address 192.168.42.1
Jun 6 21:02:49 atorg pppd[7291]: remote IP address 192.168.42.10
Jun 6 21:05:50 atorg pppd[7291]: LCP terminated by peer (MPPE disabled)
Jun 6 21:05:50 atorg pppd[7291]: Connect time 3.1 minutes.
Jun 6 21:05:50 atorg pppd[7291]: Sent 9127 bytes, received 7660 bytes.
Example of a SIP login, a SIP call over the IAX2 trunk, and a SIP logout:
atorg*CLI>
-- Registered SIP '30' at 192.168.42.10 port 5060 expires 10
-- Executing Dial("SIP/30-066d", "IAX2/trunk2thestar:***@thestar.vpn/6666") in new stack
-- Called trunk2thestar:***@thestar.vpn/6666
-- Call accepted by 10.23.0.10 (format gsm)
-- Format for call is gsm
-- IAX2/10.23.0.10:4569-1 answered SIP/30-066d
-- Hungup 'IAX2/10.23.0.10:4569-1'
-- Unregistered SIP '30'
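The pptpd log above is the natural place to check that each tunnel actually negotiated MPPE, since a session that never logs "MPPE ... enabled" is carrying SIP signalling and RTP audio in the clear. As an added example (not from the original post), the following POSIX shell script summarises the sessions in a syslog excerpt with awk and lists the ones without MPPE. The SAMPLE_LOG lines are constructed for this example, modelled on the post's log output, with client addresses from the 203.0.113.0/24 documentation range.

```shell
#!/bin/sh
# Added example, not from the original post: summarise PPTP sessions from
# pptpd/pppd syslog lines and flag tunnels that came up without MPPE.
# SAMPLE_LOG is constructed for this example, modelled on the post's log.

SAMPLE_LOG='Jun  6 21:02:46 atorg pptpd[7290]: CTRL: Client 203.0.113.17 control connection started
Jun  6 21:02:46 atorg pppd[7291]: Using interface ppp0
Jun  6 21:02:49 atorg pppd[7291]: MPPE 128-bit stateless compression enabled
Jun  6 21:02:49 atorg pppd[7291]: local IP address 192.168.42.1
Jun  6 21:02:49 atorg pppd[7291]: remote IP address 192.168.42.10
Jun  6 21:05:50 atorg pppd[7291]: Connect time 3.1 minutes.
Jun  6 21:10:00 atorg pptpd[7300]: CTRL: Client 203.0.113.44 control connection started
Jun  6 21:10:00 atorg pppd[7301]: Using interface ppp1
Jun  6 21:10:03 atorg pppd[7301]: remote IP address 192.168.42.11
Jun  6 21:12:00 atorg pppd[7301]: Connect time 2.0 minutes.'

# pptpd_sessions < syslog-excerpt
# Prints one line per session: client=... remote=... mppe=yes|no minutes=...
# A session starts at each "control connection started" line; the pppd
# lines that follow are attributed to it until the next session starts.
pptpd_sessions() {
    awk '
    function emit() {
        if (client != "")
            printf "client=%s remote=%s mppe=%s minutes=%s\n", client, remote, mppe, minutes
        client = ""
    }
    /pptpd\[[0-9]+\]: CTRL: Client .* control connection started/ {
        emit(); client = $8; remote = "-"; mppe = "no"; minutes = "-"
    }
    /pppd\[[0-9]+\]: MPPE .* enabled/   { mppe = "yes" }
    /pppd\[[0-9]+\]: remote IP address/ { remote = $NF }
    /pppd\[[0-9]+\]: Connect time/      { minutes = $(NF - 1) }
    END { emit() }'
}

# unencrypted_sessions < syslog-excerpt
# Only the sessions that never negotiated MPPE, i.e. whose traffic was
# not encrypted by the tunnel.
unencrypted_sessions() {
    pptpd_sessions | grep 'mppe=no' || true
}

# Stand-alone run: summarise the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | pptpd_sessions
```

On a real server the same functions can be fed with `grep -E 'pptpd|pppd' /var/log/syslog | unencrypted_sessions`; an empty result means every tunnel in the log had MPPE, which is what the "require-mppe-128" style of pppd options is meant to guarantee.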
I updated this post with an architectural overview. See /?p=473