Remote phones without expensive, complex or closed VPN solutions

! This post hasn't been updated in over 2 years.

Do you have a remote user or office? Need to give them a phone on your IP PBX? Lots of phone solutions offer a VPN-type option, but it normally costs a lot of money and can only be used for the phones, not the computers.

Recently I was faced with this problem and needed to set up a remote phone for a customer. The remote site was in Italy; they only had home-type broadband and no one on site with any technical ability. The ideal solution is a site-to-site VPN, but with home-style broadband they would need to set up DDNS, port forwarding and so on. After lots of googling and online tutorials I found that OpenVPN can do a site-to-site VPN while one end is fully behind NAT with no port forwarding. Perfect.

After some more research I found that with dd-wrt you can turn most home routers into an OpenVPN client or server. DD-WRT is an open-source firmware you can load onto a home router, giving it far more advanced options than intended. More information can be found here: http://www.dd-wrt.com. I found the supported models and installation procedure on the site very confusing. I ended up with the Asus RT-N16 as it was cheap, supported and had quite a bit of memory. The firmware installation steps follow below; first, details of the solution and how the routers play a part in it.

I used two routers: one acting as the server at the office (which does need UDP port 1194 forwarded to it) and a second acting as the client, which needs no special network requirements (and because it needs no special network requirements, it can be a mobile solution). This is the network diagram of the VPN solution.

So we have the router's WAN port in the office connected to the data or DMZ network (depending on your setup) and one of its LAN ports in the office voice VLAN. The remote office will have an IP subnet of 192.168.3.0/24. A static route will need to be added to the default gateway on the voice VLAN to point traffic for the 192.168.3.0 subnet to the IP address of the LAN port on the Asus router. (If you are going to run data over this connection you will also need to set up a route to the remote network on the data VLAN as well.) No additional routing is required at the remote end. The firewall will also require port forwarding: UDP port 1194 needs to be forwarded to the WAN port of the router. All IP addresses in the diagram above are used within the guide below.

Installing DD-WRT onto the Asus RT-N16 router

  1. Download all required files from dd-wrt.com (dd-wrt.v24-19342_NEWD-2_K2.6_mini_RT-N16.trx and dd-wrt.v24-18024_NEWD-2_K2.6_mega.bin).
  2. Install the router utility software which came with the router.
  3. Give your computer a static IP address of 192.168.1.2 with a subnet mask of 255.255.255.0 (no other IP settings are required) and plug your computer into any LAN port.
  4. Turn on the router and leave it for one minute (a full 60 seconds). Before moving to the next step you should have 3 lights on the router: Power (PWR), wireless (2.4GHz) and LAN.
  5. Unplug the router, then set the router in recovery mode by holding in the restore button while plugging in the power. The power light should now be blinking slowly, meaning the router is in restore/recovery mode and ready for the new firmware.
  6. Open the recently installed Firmware Restoration program, select the file "dd-wrt.v24-19342_NEWD-2_K2.6_mini_RT-N16.trx" and click upload. It is possible for the recovery mode on the router to time out. If step 6 fails, check to see if the light is still blinking; if not, go back to step 5 and do steps 5 and 6 quicker!
  7. Once finished and rebooted (3 lights on the router: Power (PWR) solid, not blinking, and wireless (2.4GHz)), browse to http://192.168.1.1 and enter the username root and password 'password'.
  8. Telnet to 192.168.1.1 (if you are using Windows 7 you might need to use PuTTY to telnet). Log on with the credentials from step 7 and enter the command "erase nvram" followed by "reboot".
  9. Once rebooted, open a browser to http://192.168.1.1 and go to Administration -> Firmware Upgrade. If asked to log in or to change the password, use the credentials from step 7.
  10. Select the file "dd-wrt.v24-18024_NEWD-2_K2.6_mega.bin" and then click upgrade. IMPORTANT: this takes a while. Leave the router for 5 minutes before touching it again. During this step it is recommended that you disconnect your wireless network as well, so the only network connection you have is to the router.
  11. Once finished and rebooted, browse to http://192.168.1.1 and enter the username root and password 'password'.
  12. Telnet to 192.168.1.1 (if you are using Windows 7 you might need to use PuTTY to telnet). Log on with the credentials from step 11 and enter the command "erase nvram" followed by "reboot".
  13. Once finished and rebooted, browse to http://192.168.1.1 and enter the username root and password 'password'.

Do the above for both routers.

Setting up the new dd-wrt routers

Using the diagram as our solution plan, give one router a LAN IP address of 192.168.3.1 / 255.255.255.0, set its WAN port to use DHCP, and treat this router as the client.

Give the other router a WAN address of 192.168.1.20 / 255.255.255.0, a gateway of 192.168.1.1, DNS of 8.8.8.8 and a LAN IP address of 192.168.2.20 / 255.255.255.0, and treat this router as the server.

Before we start the configuration we need to create a static key, as this is what secures the VPN tunnel. To create the static key, install OpenVPN for Windows. At the time of writing the version is openvpn-2.2.2-install.exe; the download page can be found here: http://openvpn.net/index.php/download/58-open-source/downloads.html

Install openvpn and run this command:

openvpn --genkey --secret static.key

This will create a file called static.key with the static key inside. (Please do not use the static key shown in this tutorial: it has been altered and will not work.)

Next browse to the server router's web frontend and select Administration > Commands.

Paste the following into the startup box:

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
# Config for Site-to-Site SiteA-SiteB
echo "
proto udp
port 1194
dev tun0
secret /tmp/static.key
verb 3
#log /tmp/vpn.log
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf
# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
1a91dba6ff15e8548c4a3518c161cfeb
9504349b1fb65c1d1a8285b65a9abfdf
c10974b3886e32fdc686b7199bc6362a
62c204088276797883421eb7d8c0e64f
23fa223a3fc1711e6dde1143fbeb7c6a
ee71c9e7714d18d4e8970118d4a6b9ee
-----END OpenVPN Static key V1-----
" > static.key
# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.1 netmask 255.255.255.0 promisc up
# Create routes
route add -net 192.168.3.0 netmask 255.255.255.0 gw 10.0.0.2
# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

The green bit (the "#log /tmp/vpn.log" line): if you remove the hash, it will create a log file at /tmp/vpn.log. Keep this hashed out while not required, as the router has limited space.

The blue bit (the block between the BEGIN and END lines): this is the static key; paste it from the key file you created. Yours will be much longer than the one above.

The red bit (192.168.3.0 in the "route add" line): the IP address of the remote network.
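Two checks worth running on the PC that holds static.key before anything is pasted into the Commands page. This is an added example, not code from the original post or the dd-wrt wiki; it assumes a POSIX sh with grep, sed and tr, and the file names are placeholders.

```sh
#!/bin/sh
# Added example, not part of the original post. A key from
# "openvpn --genkey --secret static.key" is 2048 bits: exactly 16 lines of
# 32 hex characters between the BEGIN/END markers, so the six-line
# (deliberately altered) key shown in the post fails the first check.

# check_static_key FILE -> 0 if FILE is a complete V1 static key, else 1 with a reason
check_static_key() {
    t=/tmp/keycheck.$$
    [ -f "$1" ] || { echo "no such file: $1"; return 1; }
    tr -d '\r' < "$1" > "$t"   # accept CRLF endings from a key generated on Windows
    has_begin=$(grep -c '^-----BEGIN OpenVPN Static key V1-----$' "$t" || true)
    has_end=$(grep -c '^-----END OpenVPN Static key V1-----$' "$t" || true)
    hexlines=$(sed -n '/^-----BEGIN/,/^-----END/p' "$t" | grep -c '^[0-9a-f]\{32\}$' || true)
    rm -f "$t"
    [ "$has_begin" -eq 1 ] || { echo "BEGIN marker missing (long dashes from a web paste?)"; return 1; }
    [ "$has_end" -eq 1 ] || { echo "END marker missing"; return 1; }
    [ "$hexlines" -eq 16 ] || { echo "expected 16 hex lines, found $hexlines"; return 1; }
    return 0
}

# check_ascii FILE -> 0 if FILE is pure 7-bit ASCII, else 1. Copying from a web
# page turns "--dport" into an en-dash and '"' into curly quotes, which silently
# breaks the startup script on the router.
check_ascii() {
    bad=$(LC_ALL=C tr -d '\000-\177' < "$1" | wc -c | tr -d ' ')
    [ "$bad" -eq 0 ] || { echo "$bad non-ASCII byte(s) in $1: retype dashes and quotes"; return 1; }
    return 0
}

# make_sample_key LINES FILE -> writes a constructed dummy key with LINES hex lines.
# It is NOT a usable key (every line is identical); it only exercises the checks.
make_sample_key() {
    {
        echo '-----BEGIN OpenVPN Static key V1-----'
        i=0
        while [ "$i" -lt "$1" ]; do
            echo '0123456789abcdef0123456789abcdef'
            i=$((i + 1))
        done
        echo '-----END OpenVPN Static key V1-----'
    } > "$2"
}

# demo: a full-length dummy key passes, a six-line one like the post's is rejected
make_sample_key 16 /tmp/demo-full.key
make_sample_key 6 /tmp/demo-short.key
check_static_key /tmp/demo-full.key && echo "demo-full.key: OK"
check_static_key /tmp/demo-short.key || echo "demo-short.key: rejected, as expected"
```

Treat static.key as a shared secret: whoever holds it can bring up the tunnel, so copy it to the two routers over a trusted channel only.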

In the firewall box paste the following:

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Save this and move to the client router, then navigate to Administration > Commands. In the startup section paste:

# Move to writable directory and create scripts
cd /tmp
ln -s /usr/sbin/openvpn /tmp/myvpn
# Config for Site-to-Site SiteA-SiteB
echo "
remote <internet IP address>
proto udp
port 1194
dev tun0
secret /tmp/static.key
verb 3
#log /tmp/vpn.log
comp-lzo
keepalive 15 60
daemon
" > SiteA-SiteB.conf
# Config for Static Key
echo "
-----BEGIN OpenVPN Static key V1-----
1a91dba6ff15e8548c4a3518c161cfeb
9504349b1fb65c1d1a8285b65a9abfdf
c10974b3886e32fdc686b7199bc6362a
62c204088276797883421eb7d8c0e64f
23fa223a3fc1711e6dde1143fbeb7c6a
ee71c9e7714d18d4e8970118d4a6b9ee
-----END OpenVPN Static key V1-----
" > static.key
# Create interfaces
/tmp/myvpn --mktun --dev tun0
ifconfig tun0 10.0.0.2 netmask 255.255.255.0 promisc up
# Create routes
route add -net 192.168.2.0 netmask 255.255.255.0 gw 10.0.0.1
# Initiate the tunnel
sleep 5
/tmp/myvpn --config SiteA-SiteB.conf

The pink bit (the "remote <internet IP address>" line): this is the internet IP address of the office which has the port forwarding set up.

The green bit (the "#log /tmp/vpn.log" line): if you remove the hash, it will create a log file at /tmp/vpn.log. Keep this hashed out while not required, as the router has limited space.

The blue bit (the block between the BEGIN and END lines): this is the static key; paste it from the key file you created (the same one as on the server). Yours will be much longer than the one above.

The red bit (192.168.2.0 in the "route add" line): the IP address of the remote network.

In the firewall box paste the following:

# Open firewall holes
iptables -I INPUT 2 -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i br0 -o tun0 -j ACCEPT
iptables -I FORWARD -i tun0 -o br0 -j ACCEPT

Click Save.

That is it; the server/client pair is now complete. Un-hash the green bits as described above to enable logging if you have any issues (you will need to restart the router for this to take effect). A useful way to view the logs is to telnet to the router and run the following command:

tail -f -n 100 /tmp/vpn.log

This will open the log file and keep the screen updated with its contents as it is being written to. To exit, press Ctrl+C.

I would like to thank the dd-wrt wiki, as it was a great source of knowledge on this topic.

About the author

Peter Doyle I will pretty much do anything UC! My Google+ Page My Linkedin Page
