- December 3, 2019 at 9:53 pm
I have spent a lot of time on this.
OpenVPN will work; however, all of the phones will show the single remote Mikrotik address, which makes it so you can't easily do a tunnel back through to the phone, since the Vital server is also the OpenVPN server and the Mikrotik is only a client.
A better solution for me was to use an IPsec point-to-point.
Install OpenSwan VPN to your server

    yum install openswan lsof

Setup firewall rules

    4500 UDP/TCP
    500 UDP

Setup your IPsec config; the files are here: /etc/

ipsec.secrets

    0.0.0.0 %any: PSK "YourIPSecPassword"

(change 0.0.0.0 to the mikrotik ip for security)

ipsec.conf

    config setup
        # nat_traversal=yes
        protostack=netkey
        fragicmp=no

    conn mikrotik
        # This is where you define your connection to the router NAME.
        left=XXX.XXX.XXX.XXX #your Vital Wan address
        leftsourceip=10.5.0.1 #Vital pbx local, you may need to add this as an interface
        leftsubnet=10.5.0.0/24
        leftid=XXX.XXX.XXX.XXX #your Vital Wan Address
        right=XXX.XXX.XXX.XXX ##mikrotikwanip or %any if the server is dynamic
        rightid=XXX.XXX.XXX.XXX ##mikrotikwanip
        rightsubnet=192.168.0.0/24 ##mikrotik local ips or multiple ranges using a comma ","
        keyingtries=0
        pfs=yes
        aggrmode=no
        ike=3des-sha1;modp1024 ## Or what you want just so it matches the other router
        esp=3des-sha1;modp1024
        authby=secret
        keyexchange=ike
        # This allows the VPN to come up automatically when openswan starts
        auto=start
        ikelifetime=86400s
        keylife=3600s

Enable and start the service like this:

    systemctl enable ipsec.service
    systemctl status ipsec.service

Mikrotik special settings if the wan is dhcp:
Policy behind a NAT
Change SA Src Address to 0.0.0.0

I have also used this with pfsense ipsec vpns or other.
The advantage is each phone will have a unique ip address of 1.05.0.X
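An added example, not part of the original post: a small shell lint for the two files shown above. It flags the 3des/sha1/modp1024 proposals and the wildcard PSK selector that the post itself says to tighten. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): lint Openswan files for weak settings.

# Reads an ipsec.conf on stdin or from file arguments; prints one finding per line.
audit_ipsec_conf() {
    awk '
        /^[ \t]*#/            { next }               # full-line comment
        /^(conn|config)[ \t]/ { section = $2; next } # remember current section
        /^[ \t]*aggrmode[ \t]*=[ \t]*yes/ {
            print section " aggrmode: PSK hash is exposed to offline guessing"
        }
        /^[ \t]*(ike|esp)[ \t]*=/ {
            line = $0
            sub(/[ \t]*#.*/, "", line)               # strip trailing comment
            gsub(/[ \t]/, "", line)
            split(line, kv, "=")
            v = tolower(kv[2])
            if (v ~ /des/)                 print section " " kv[1] ": DES/3DES cipher"
            if (v ~ /md5|sha1/)            print section " " kv[1] ": MD5/SHA-1 integrity"
            if (v ~ /modp(768|1024|1536)/) print section " " kv[1] ": DH group below modp2048"
        }
    ' "$@"
}

# Reads an ipsec.secrets; flags PSK entries whose peer selector is a wildcard.
audit_ipsec_secrets() {
    awk '
        /^[ \t]*#/ { next }
        /PSK/ {
            ids = $0
            sub(/[ \t]*:[ \t]*PSK.*/, "", ids)       # keep only the peer selectors
            if (ids ~ /%any|0\.0\.0\.0/)
                print "line " NR ": PSK accepted from any peer (" ids ")"
        }
    ' "$@"
}

# Constructed sample input, using the values shown in the post above.
sample_conf() {
    cat <<'EOF'
conn mikrotik
    aggrmode=no
    ike=3des-sha1;modp1024 ## Or what you want
    esp=3des-sha1;modp1024
    authby=secret
EOF
}
sample_secrets() { printf '%s\n' '0.0.0.0 %any: PSK "YourIPSecPassword"'; }

sample_conf | audit_ipsec_conf
sample_secrets | audit_ipsec_secrets
```

Run it against the real files with `audit_ipsec_conf /etc/ipsec.conf` and `audit_ipsec_secrets /etc/ipsec.secrets`; no output means none of these checks fired.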