Yealink T20P
Firmware version 9.73.0.40
Hardware version 7.0.0.54
There is a bug: if you enter the DNS name of the destination OpenVPN server, the phone does not work. You have to disable the VPN from the phone's front panel and then change the client config file to use the server's IP address instead of the name.
[root@ipbx ~]# openvpn --version
OpenVPN 2.4.4 x86_64-redhat-linux-gnu [Fedora EPEL patched] [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Sep 26 2017
[root@ipbx ~]# uname -a
Linux ipbx.localdomain 3.10.0-693.5.2.el7.x86_64 #1 SMP Fri Oct 20 20:32:50 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
CentOS 7
Step 1 — Installing OpenVPN
yum install openvpn easy-rsa -y
cp /usr/share/doc/openvpn-*/sample/sample-config-files/server.conf /etc/openvpn
mkdir /var/log/openvpn
touch /var/log/openvpn/openvpn.log
Let’s create a directory for the keys to go in.
mkdir -p /etc/openvpn/easy-rsa/keys
# We also need to copy the key and certificate generation scripts into the directory.
cp -rf /usr/share/easy-rsa/2.0/* /etc/openvpn/easy-rsa
# Or download easy-rsa from git; I installed version 2.2.
To make life easier for ourselves we’re going to edit the default values the script
uses so we don’t have to type our information in each time. This information is stored
in the vars file so let’s open this for editing.
vi /etc/openvpn/easy-rsa/vars
We’re going to be changing the values that start with KEY_. Update the following values to be accurate for your organization.
The ones that matter the most are:
KEY_NAME: You should enter server here; you could enter something else, but then you would also have to update the configuration files that reference server.key and server.crt
KEY_CN: Enter the domain or subdomain that resolves to your server
For the other values, you can enter information for your organization based on the variable name.
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="BR"
export KEY_PROVINCE="RJ"
export KEY_CITY="RiodeJaneiro"
export KEY_ORG="Abratel"
export KEY_EMAIL="sammy@abratel.com"
export KEY_OU="AbratelTelecom"
Here I put the same name as the server.
We’re also going to remove the chance of our OpenSSL configuration not loading due to the version being undetectable. We’re going to do this by copying the required configuration file and removing the version number.
Certificate:
openssl-1.0.0.cnf
easy-rsa release 2.2
I needed to change the digest to SHA1 (because of the Yealink and Mikrotik clients).
[root@ipbx easy-rsa]# cat /etc/openvpn/easy-rsa/openssl.cnf
default_days = 3650 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = SHA1 # use public key default MD
preserve = no
[ req ]
default_bits = $ENV::KEY_SIZE
default_keyfile = privkey.pem
default_md = SHA1
cp /etc/openvpn/easy-rsa/openssl-1.0.0.cnf /etc/openvpn/easy-rsa/openssl.cnf
To start generating our keys and certificates we need to move into our easy-rsa directory and source in our new variables.
cd /etc/openvpn/easy-rsa
source ./vars
Then we will clean up any keys and certificates which may already be in this folder and generate our certificate authority.
./clean-all
When you build the certificate authority, you will be asked to enter all the information we put into the vars file, but you will see that your options are already set as the defaults. So, you can just press ENTER for each one.
./build-ca
The next things we need to generate are the key and certificate for the server. Again you can just go through the questions and press ENTER for each one to use your defaults. At the end, answer Y (yes) to commit the changes.
./build-key-server server
We also need to generate a Diffie-Hellman key exchange file. This command will take a minute or two to complete:
./build-dh
That’s it for our server keys and certificates. Copy them all into our OpenVPN directory.
cd /etc/openvpn/easy-rsa/keys
cp dh2048.pem ca.crt server.crt server.key /etc/openvpn
All of our clients will also need certificates to be able to authenticate. These keys and certificates will be shared with your clients, and it’s best to generate separate keys and certificates for each client you intend on connecting.
Make sure that if you do this you give them descriptive names, but for now we’re going to have one client so we’ll just call it client.
cd /etc/openvpn/easy-rsa
./build-key client
That’s it for keys and certificates.
YEALINK CLIENT:
vpn.cnf:
client
remote A.B.C.D
nobind
persist-key
persist-tun
port 1195
proto tcp
dev tun
verb 4
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/client4.crt
key /yealink/config/openvpn/keys/client4.key
All of the files ca.crt, client4.crt and client4.key must be inside the keys directory.
On Windows you can use the 7-Zip archiver to create the tar.
vpn.cnf
|–> keys/ca.crt
|–> keys/client4.crt
|–> keys/client4.key
tar -cf openvpn.tar vpn.cnf keys/
These names must be kept exactly (openvpn.tar, vpn.cnf).
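The bundle layout above, as an added shell example that is not part of the original notes: it writes a vpn.cnf with the same directives as the phone config shown earlier, adds the keys/ directory, builds openvpn.tar from inside the working directory so the member names come out exactly as the phone expects, and checks the archive before upload. The certificate and key contents are constructed placeholders, the 203.0.113.10 address and the client4 name are assumed values, and the check also rejects a DNS name in the remote line, which this firmware does not handle.

```shell
#!/bin/sh
# Added example (not from the original notes): build and verify the Yealink
# OpenVPN bundle. Key material below is placeholder text; on a real system
# copy the files produced by easy-rsa into keys/ instead.

# make_yealink_bundle WORKDIR SERVER_IP CLIENT_NAME
# Writes vpn.cnf and keys/ into WORKDIR and produces WORKDIR/openvpn.tar.
make_yealink_bundle() {
    workdir=$1; server=$2; client=$3
    mkdir -p "$workdir/keys"
    # Same directives as the page's vpn.cnf; the phone needs a numeric address.
    cat > "$workdir/vpn.cnf" <<EOF
client
remote $server
nobind
persist-key
persist-tun
port 1195
proto tcp
dev tun
verb 4
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/$client.crt
key /yealink/config/openvpn/keys/$client.key
EOF
    # Constructed placeholders standing in for the easy-rsa output.
    printf '%s\n' "PLACEHOLDER CA CERTIFICATE" > "$workdir/keys/ca.crt"
    printf '%s\n' "PLACEHOLDER CLIENT CERTIFICATE" > "$workdir/keys/$client.crt"
    printf '%s\n' "PLACEHOLDER CLIENT PRIVATE KEY" > "$workdir/keys/$client.key"
    chmod 600 "$workdir/keys/$client.key"
    # Archive from inside WORKDIR so members are exactly vpn.cnf and keys/...
    ( cd "$workdir" && tar -cf openvpn.tar vpn.cnf keys/ )
}

# check_yealink_bundle TARFILE CLIENT_NAME
# Returns 0 when the archive is named openvpn.tar, holds the members the phone
# looks for with no leading directory, and vpn.cnf points at them with an
# IPv4 literal as the remote; returns 1 otherwise.
check_yealink_bundle() {
    tarfile=$1; client=$2
    [ "$(basename "$tarfile")" = "openvpn.tar" ] || return 1
    for member in vpn.cnf keys/ca.crt "keys/$client.crt" "keys/$client.key"; do
        tar -tf "$tarfile" | grep -qxF "$member" || return 1
    done
    conf=$(tar -xOf "$tarfile" vpn.cnf)
    printf '%s\n' "$conf" | grep -qxF "cert /yealink/config/openvpn/keys/$client.crt" || return 1
    printf '%s\n' "$conf" | grep -qxF "key /yealink/config/openvpn/keys/$client.key" || return 1
    # remote must be a dotted IPv4 address, not a DNS name
    printf '%s\n' "$conf" | grep -Eq '^remote +[0-9]+(\.[0-9]+){3}$' || return 1
}

work=$(mktemp -d)
make_yealink_bundle "$work" 203.0.113.10 client4
if check_yealink_bundle "$work/openvpn.tar" client4; then
    echo "bundle OK, upload $work/openvpn.tar to the phone:"
    tar -tf "$work/openvpn.tar"
else
    echo "bundle does not match the layout the phone expects" >&2
fi
```

Run it as-is to see the member list; point the copy steps at your easy-rsa keys directory for a real bundle. The check is deliberately strict about names because the phone silently ignores an archive whose members are nested under an extra directory.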
[root@ipbx easy-rsa]# tail -f /var/log/openvpn/openvpn.log
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
GLOBAL STATS
Max bcast/mcast queue length,1
END
Sat Jan 27 21:25:13 2018 TCP connection established with [AF_INET]C.C.C.C:2864
Sat Jan 27 21:25:14 2018 C.C.C.C:2864 TLS: Initial packet from [AF_INET]C.C.C.C:2864, sid=0777373e dc508015
tail: /var/log/openvpn/openvpn.log: file truncated
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 VERIFY OK: depth=1, C=BR, ST=RJ, L=RiodeJaneiro, O=Abratel, OU=ipbx, CN=ipbx.intranet, name=EasyRSA, emailAddress=xxxx@xxxx.com
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 VERIFY OK: depth=0, C=BR, ST=RJ, L=RiodeJaneiro, O=Abratel, OU=ipbx, CN=client4, name=EasyRSA, emailAddress=xxxxx@xxxxx.com
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 [client4] Peer Connection Initiated with [AF_INET]C.C.C.C:2864
Sat Jan 27 21:25:26 2018 MULTI: new connection by client 'client4' will cause previous active sessions by this client to be dropped. Remember to use the --duplicate-cn option if you want multiple clients using the same certificate or username to concurrently connect.
Sat Jan 27 21:25:26 2018 MULTI_sva: pool returned IPv4=10.8.0.14, IPv6=(Not enabled)
Sat Jan 27 21:25:26 2018 MULTI: Learn: 10.8.0.14 -> client4/C.C.C.C:2864
Sat Jan 27 21:25:26 2018 MULTI: primary virtual IP for client4/C.C.C.C:2864: 10.8.0.14
Sat Jan 27 21:25:29 2018 client4/C.C.C.C:2864 PUSH: Received control message: 'PUSH_REQUEST'
Sat Jan 27 21:25:29 2018 client4/C.C.C.C:2864 SENT CONTROL [client4]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 10.8.0.1,topology net30,ifconfig 10.8.0.14 10.8.0.13' (status=1)
tail: /var/log/openvpn/openvpn.log: file truncated
YEALINK device log
Jan 27 00:00:17 openvpn[299]: OpenVPN 2.1.3 mipsel-unknown-linux-uclibc [SSL] [LZO2] [EPOLL] built on Sep 30 2013
Jan 27 00:00:17 openvpn[299]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 27 00:00:17 openvpn[299]: NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Jan 27 00:00:17 openvpn[299]: WARNING: file '/yealink/config/openvpn/keys/client4.key' is group or others accessible
Jan 27 00:00:17 openvpn[299]: Control Channel MTU parms [ L:1543 D:140 EF:40 EB:0 ET:0 EL:0 ]
Jan 27 00:00:17 openvpn[299]: Socket Buffers: R=[43689->131072] S=[16384->131072]
Jan 27 00:00:18 openvpn[299]: Data Channel MTU parms [ L:1543 D:1450 EF:43 EB:4 ET:0 EL:0 ]
Jan 27 00:00:18 openvpn[299]: Local Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_CLIENT,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Jan 27 00:00:18 openvpn[299]: Expected Remote Options String: 'V4,dev-type tun,link-mtu 1543,tun-mtu 1500,proto TCPv4_SERVER,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Jan 27 00:00:18 openvpn[299]: Local Options hash (VER=V4): 'db02a8f8'
Jan 27 00:00:18 openvpn[299]: Expected Remote Options hash (VER=V4): '7e068940'
Jan 27 00:00:18 openvpn[301]: Attempting to establish TCP connection with A.B.C.D:1195 [nonblock]
Jan 27 00:00:18 netS[262]: SRV <3+error > sendto v6 ntp socket err
Jan 27 23:25:14 openvpn[301]: TCP connection established with A.B.C.D:1195
Jan 27 23:25:14 openvpn[301]: TCPv4_CLIENT link local: [undef]
Jan 27 23:25:14 openvpn[301]: TCPv4_CLIENT link remote: A.B.C.D:1195
Jan 27 23:25:14 openvpn[301]: TLS: Initial packet from A.B.C.D:1195, sid=4aba1b0f 2963060c
Jan 27 23:25:14 openvpn[301]: VERIFY OK: depth=1, /C=BR/ST=RJ/L=RiodeJaneiro/O=Abratel/OU=ipbx/CN=ipbx/name=EasyRSA/emailAddress=uxxxx@xxxx.com
Jan 27 23:25:14 openvpn[301]: VERIFY OK: depth=0, /C=BR/ST=RJ/L=RiodeJaneiro/O=Abratel/OU=AbratelTelecom/CN=server/name=EasyRSA/emailAddress=xxxx@xxxx.com
Jan 27 23:25:26 openvpn[301]: Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 23:25:26 openvpn[301]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 23:25:26 openvpn[301]: Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 27 23:25:26 openvpn[301]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 27 23:25:26 openvpn[301]: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan 27 23:25:26 openvpn[301]: [server] Peer Connection Initiated with A.B.C.D:1195
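The server log and the phone log above both carry warnings a practitioner would want to track: BF-CBC with its 64-bit block (the SWEET32 warning), TLSv1 on the control channel, a client that does not verify the server certificate's role, and a key file readable by other users. The following added shell example, which is not part of the original notes, runs an awk audit over constructed log lines copied from those excerpts (addresses replaced with placeholders) and over a second constructed log of a hardened AES-256-GCM session, so the difference is visible at a glance. The finding codes, file names and the remediation hints in the messages are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an OpenVPN log for the
# warnings seen in the server and Yealink excerpts. Both sample logs below are
# constructed; weak.log mirrors the page's sessions, good.log shows what a
# hardened AES-256-GCM / TLSv1.2 session logs instead.

# write_sample_logs DIR: creates DIR/weak.log and DIR/good.log.
write_sample_logs() {
    cat > "$1/weak.log" <<'EOF'
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan 27 00:00:17 openvpn[299]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Jan 27 00:00:17 openvpn[299]: WARNING: file '/yealink/config/openvpn/keys/client4.key' is group or others accessible
EOF
    cat > "$1/good.log" <<'EOF'
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Sat Jan 27 21:25:26 2018 C.C.C.C:2864 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
EOF
}

# audit_openvpn_log FILE: prints one finding per line as CODE<TAB>detail.
# Each weakness code is reported once; INFO lines record the negotiated
# data-channel cipher and HMAC (the first occurrence of each).
audit_openvpn_log() {
    awk -v q="'" '
        /WARNING: INSECURE cipher/ && !seen_sweet32++ {
            print "WEAK-CIPHER\t64-bit block cipher on the data channel (SWEET32); configure cipher AES-256-CBC or AES-256-GCM on server and clients"
        }
        /Control Channel: TLSv1(\.1)?,/ && !seen_tls++ {
            print "OLD-TLS\tcontrol channel negotiated TLS below 1.2; set tls-version-min 1.2 where the clients support it"
        }
        /No server certificate verification method/ && !seen_mitm++ {
            print "NO-SERVER-VERIFY\tclient accepts any CA-signed certificate as the server; add remote-cert-tls server to the client config"
        }
        /is group or others accessible/ && !seen_perm++ {
            print "KEY-PERMS\tprivate key file readable by other users; restrict it to the OpenVPN user (mode 600)"
        }
        /Data Channel.*Cipher / && !seen_cipher++ {
            split($0, f, q)          # the cipher name sits between single quotes
            print "INFO\tdata channel cipher " f[2]
        }
        /Data Channel.*message hash/ && !seen_hmac++ {
            split($0, f, q)
            print "INFO\tdata channel HMAC " f[2]
        }
    ' "$1"
}

# openvpn_log_has_weakness FILE: exit 0 when any non-INFO finding exists,
# 1 when the log is clean.
openvpn_log_has_weakness() {
    audit_openvpn_log "$1" | grep -qv '^INFO'
}

dir=$(mktemp -d)
write_sample_logs "$dir"
for name in weak good; do
    echo "== $name.log"
    audit_openvpn_log "$dir/$name.log"
done
rm -rf "$dir"
```

Point audit_openvpn_log at /var/log/openvpn/openvpn.log on the server to get the same report for live sessions; the phone's syslog lines use the same wording, so the function works on both. Whether the stronger settings can actually be applied depends on what the OpenVPN 2.1.3 build on the phone and the Mikrotik client accept, which is why the page settled on BF-CBC and SHA1.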
MIKROTIK
For it to work with the Mikrotik, the OpenVPN server must not have:
— LZO compression
— A UDP port
Some adjustments are needed. Still on Linux, convert the keys to RSA format:
openssl rsa -in ca.key -text > ca.rsa
openssl rsa -in client2.key -text > client2.rsa
ON THE MIKROTIK
Import the 4 files below from Linux by dragging them into the Mikrotik.
Then run the following in its terminal:
/certificate import file-name=ca.crt (press Enter until it finishes)
/certificate import file-name=ca.rsa (press Enter until it finishes)
/certificate import file-name=client4.crt (press Enter until it finishes)
/certificate import file-name=client4.rsa (press Enter until it finishes)
On the MIKROTIK:
INTERFACES –> ADD –> OPENVPN CLIENT
Connect To: A.B.C.D (OpenVPN server IP)
Port: 1195
Mode: ip
User: client4 (the key name)
Password: empty
Profile: default-encryption
Certificate: client4.crt_0
Auth: sha1
Cipher: blowfish 128
After connecting, under IP –> ROUTES I could see that it automatically created my route to the 192.168.1.0/24 network going out through the OpenVPN client.
I created a masquerade rule in the firewall with:
Src. Address: the Mikrotik LAN network
Out Interface: the OpenVPN client interface created above
Action tab: Masquerade
Step 4 — Routing – ONLY IF YOU NEED TO REACH THE INTERNAL LAN WHERE THE ASTERISK / VPN SERVER IS LOCATED
To keep things simple we’re going to do our routing directly with iptables rather than the new firewalld.
First, make sure the iptables service is installed and enabled.
yum install iptables-services -y
systemctl mask firewalld
systemctl enable iptables
systemctl stop firewalld
systemctl start iptables
iptables --flush
Next we’ll add a rule to iptables to forward our routing to our OpenVPN subnet, and save this rule.
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
iptables-save > /etc/sysconfig/iptables
Then we must enable IP forwarding in sysctl. Open sysctl.conf for editing.
vi /etc/sysctl.conf
Add the following line at the top of the file:
net.ipv4.ip_forward = 1
Then restart the network service so the IP forwarding will take effect.
systemctl restart network.service
Step 5 — Starting OpenVPN
Now we’re ready to run our OpenVPN service. So lets add it to systemctl:
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
A masquerading rule was created:
NAT –> ADD
Chain: srcnat
Src. Address: LAN network (example: 192.168.88.0/24)
Dst. Address: the VPN LAN network on the other side (192.168.218.0/24)
Out Interface: name-of-the-openvpn-interface
Action: Masquerade
In MANGLE:
ADD
Chain: Prerouting
Src. Address: LAN network (example: 192.168.88.0/24)
Dst. Address: the VPN LAN network on the other side (192.168.218.0/24)
Action: Mark routing
New Routing Mark: OpenVpn-NOME
Uncheck Passthrough
IP –> ROUTES
ADD
Dst. Address: 192.168.218.0/24 (the LAN on the other side)
Gateway: the openvpn gateway created automatically
Routing Mark: OpenVpn-NOME (from the Mangle rule above)
Final note: I could not authenticate over UDP with Asterisk, so everything had to be switched to TCP. Not ideal, but Mikrotik has not yet released UDP support for OpenVPN.
To get the Yealink phones working I had to redo all the Mikrotik routes using the OpenVPN server IP 10.8.0.1 instead of 192.168.218.0/24 … Otherwise voice did not pass in both directions.