Reply To: RE: OpenVPN with router

    DannyLarsen
    Participant

    I have spent a lot of time on this.

    OpenVPN will work; however, all of the phones will show the single remote MikroTik address, which makes it so you can’t easily do a tunnel back through to the phone, since the Vital server is also the OpenVPN server and the MikroTik is only a client.

    A better solution for me was to use an IPsec point-to-point.

    Install Openswan VPN on your server:

    yum install openswan lsof

    Set up firewall rules:

    4500 UDP/TCP
    500 UDP

    Set up your IPsec config. The files are in /etc/

    ipsec.secrets

    # Change 0.0.0.0 to the MikroTik IP for security.
    0.0.0.0 %any : PSK "YourIPSecPassword"

    ipsec.conf

    config setup
        # nat_traversal=yes
        protostack=netkey
        fragicmp=no

    conn mikrotik
        # This is where you define your connection to the router NAME.
        left=XXX.XXX.XXX.XXX          # your Vital WAN address
        leftsourceip=10.5.0.1         # Vital PBX local; you may need to add this as an interface
        leftsubnet=10.5.0.0/24
        leftid=XXX.XXX.XXX.XXX        # your Vital WAN address
        right=XXX.XXX.XXX.XXX         ## MikroTik WAN IP, or %any if the server is dynamic
        rightid=XXX.XXX.XXX.XXX       ## MikroTik WAN IP
        rightsubnet=192.168.0.0/24    ## MikroTik local IPs, or multiple ranges using a comma ","
        keyingtries=0
        pfs=yes
        aggrmode=no
        ike=3des-sha1;modp1024        ## Or what you want, just so it matches the other router
        esp=3des-sha1;modp1024
        authby=secret
        keyexchange=ike
        # This allows the VPN to come up automatically when openswan starts
        auto=start
        ikelifetime=86400s
        keylife=3600s

     

    Enable and start the service like this:
    systemctl enable ipsec.service
    systemctl status ipsec.service

    MikroTik special settings if the WAN is DHCP:

    Policy behind a NAT
    Change SA Src Address to 0.0.0.0

     

    I have also used this with pfSense IPsec VPNs or others.

    The advantage is each phone will have a unique IP address of 1.05.0.X.
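The post's note on ipsec.secrets (narrow the 0.0.0.0 index to the MikroTik IP) and its 3des-sha1;modp1024 proposals are settings that can be checked mechanically before a tunnel goes live. The following is an added example, not part of the post above and not Openswan's own tooling: a small Python audit of the two files. The sample input is constructed, the addresses are documentation placeholders, and the LEGACY list and the names parse_conns and audit are assumptions chosen for illustration.

```python
import re

# Constructed sample input shaped like the post's files; the address is an RFC 5737 placeholder.
SAMPLE_CONF = """\
conn mikrotik
    left=203.0.113.10
    aggrmode=no
    ike=3des-sha1;modp1024   ## matches the other router
    esp=3des-sha1;modp1024
    authby=secret
"""
SAMPLE_SECRETS = '0.0.0.0 %any : PSK "YourIPSecPassword"\n'

LEGACY = ("3des", "sha1", "md5", "modp1024", "modp768")  # assumption: local review policy
WILDCARDS = {"0.0.0.0", "%any"}

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf text, ignoring comments."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header such as "conn mikrotik"
            kind, _, name = line.partition(" ")
            current = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns

def audit(conf_text, secrets_text):
    """Return sorted (location, issue) findings for one config and secrets file."""
    findings = []
    for name, opts in parse_conns(conf_text).items():
        for key in ("ike", "esp"):
            for tok in re.split(r"[-;,]", opts.get(key, "").lower()):
                if tok in LEGACY:
                    findings.append((f"conn {name}", f"{key} uses legacy {tok}"))
        if opts.get("aggrmode") == "yes" and opts.get("authby") == "secret":
            findings.append((f"conn {name}", "aggressive mode with PSK"))
    for n, line in enumerate(secrets_text.splitlines(), 1):
        index, sep, secret = line.partition(":")
        wild = sorted(WILDCARDS & set(index.split()))
        if sep and secret.split()[:1] == ["PSK"] and wild:
            findings.append((f"ipsec.secrets:{n}", "PSK index is a wildcard: " + " ".join(wild)))
    return sorted(findings)
```

Calling audit(SAMPLE_CONF, SAMPLE_SECRETS) returns seven findings: three each for the ike and esp lines and one for the wildcard PSK index. The secrets parser splits on the first colon, so it does not handle IPv6 indices.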