OpenVPN with router
- This topic has 4 replies, 4 voices, and was last updated 1 year, 1 month ago by
DannyLarsen.
- November 27, 2019 at 2:25 pm
- December 1, 2019 at 9:24 pm
Posted by: @linkat
Hi,
Is it possible to use the OpenVPN add-on with a router client?
I use a MikroTik router and I would like to create a VPN VitalPBX (Cloud) <–> Router (MikroTik) and then register all extensions to the PBX over the VPN.
Is it possible?
Thanks
Yes, this is possible with the right configuration of the MikroTik router.
You can use the MikroTik OpenVPN client to connect to VitalPBX.
- December 3, 2019 at 8:25 am
- December 3, 2019 at 9:53 pm
I have spent a lot of time on this.
OpenVPN will work; however, all of the phones will show the single remote MikroTik address, which makes it so you can't easily do a tunnel back through to the phone, since the Vital server is also the OpenVPN server and the MikroTik is only a client.
A better solution for me was to use an IPsec point to point.
Install OpenSwan VPN on your server:
yum install openswan lsof
Set up firewall rules:
4500 UDP/TCP
500 UDP
Set up your IPsec config. The files are here: /etc/
ipsec.secrets
0.0.0.0 %any : PSK "YourIPSecPassword"
(change 0.0.0.0 to the MikroTik IP for security)
ipsec.conf
config setup
    # nat_traversal=yes
    protostack=netkey
    fragicmp=no
conn mikrotik
    # This is where you define your connection to the router NAME.
    left=XXX.XXX.XXX.XXX #your Vital Wan address
    leftsourceip=10.5.0.1 #Vital pbx local, you may need to add this as an interface
    leftsubnet=10.5.0.0/24
    leftid=XXX.XXX.XXX.XXX #your Vital Wan Address
    right=XXX.XXX.XXX.XXX ##mikrotikwanip or %any if the server is dynamic
    rightid=XXX.XXX.XXX.XXX ##mikrotikwanip
    rightsubnet=192.168.0.0/24 ##mikrotik local ips or multiple ranges using a comma ","
    keyingtries=0
    pfs=yes
    aggrmode=no
    ike=3des-sha1;modp1024 ## Or what you want just so it matches the other router
    esp=3des-sha1;modp1024
    authby=secret
    keyexchange=ike
    # This allows the VPN to come up automatically when openswan starts
    auto=start
    ikelifetime=86400s
    keylife=3600s
Enable and start the service like this:
systemctl enable ipsec.service
systemctl status ipsec.service
MikroTik special settings if the WAN is DHCP:
Policy behind a NAT
Change SA Src Address to 0.0.0.0
I have also used this with pfSense IPsec VPNs or others.
The advantage is each phone will have a unique IP address of 1.05.0.X
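A small audit of the two files posted above, added here as an example and not part of the original thread: it flags the 3des-sha1;modp1024 proposal and a PSK indexed by 0.0.0.0 or %any, the two settings the post itself says can be changed. The function names and the set of algorithms treated as weak are assumptions of this example.

```python
import re

# Assumption of this example: 3DES/DES, MD5/SHA-1 and DH groups below 2048 bits count as weak.
WEAK = {"3des", "des", "md5", "sha1", "modp768", "modp1024", "modp1536"}

def audit_conf(text):
    """Return (conn, key, token) for each weak token on an ike= or esp= line."""
    findings, section = [], None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()      # drop comments
        head = re.match(r"(conn|config)\s+(\S+)$", line)
        if head:
            section = head.group(2)                        # name of the current section
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() in ("ike", "esp"):
            for token in re.split(r"[-;,+\s]+", value.lower()):
                if token in WEAK:
                    findings.append((section, key.strip(), token))
    return findings

def audit_secrets(text):
    """Return the index part of each PSK entry that matches any peer address."""
    hits = []
    for raw in text.splitlines():
        m = re.match(r"(.*?)\s*:\s*PSK\b", raw.split("#", 1)[0].strip())
        if m and any(i in ("%any", "0.0.0.0") for i in m.group(1).split()):
            hits.append(m.group(1))
    return hits

# Sample input constructed from the values posted in this thread.
SAMPLE_CONF = """\
config setup
    protostack=netkey
conn mikrotik
    ike=3des-sha1;modp1024 ## must match the other router
    esp=3des-sha1;modp1024
    authby=secret
"""
SAMPLE_SECRETS = '0.0.0.0 %any : PSK "YourIPSecPassword"\n'

if __name__ == "__main__":
    for conn, key, token in audit_conf(SAMPLE_CONF):
        print(f"conn {conn}: {key}= uses weak algorithm {token}")
    for index in audit_secrets(SAMPLE_SECRETS):
        print(f"PSK entry '{index}' is not pinned to a peer address")
```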