It’s been almost three years since we introduced VoIP Over VPN to securely interconnect Asterisk® servers. As LogMeIn® continues to squeeze the free Hamachi® VPN into oblivion, we’ll have a new, Really Free™ matrix VPN solution for you in coming weeks. This will let you interconnect up to 256 PBX in a Flash™ servers in minutes, not months, with no muss, no fuss, no fees, and no licensing worries. But today we want to begin VPN Month by turning our attention to those that need a virtual private network to connect back to a home office network or a home for that matter. This includes the traveling businessman or woman, the physician or lawyer with multiple remote offices, and any hub-and-spoke business such as a bank that has small branch offices that need to transparently link back to the mothership for network and communications services. The hidden beauty of PPTP VPNs is that all data (including phone calls) travels through an encrypted tunnel between the satellite office and home base. If you travel for a living and rely on other people’s WiFi networks for Internet access, a layer of network security will be a welcome addition.
Believe it or not, Microsoft introduced the Point-to-Point-Tunneling-Protocol (PPTP) with Windows 95. Back then we knew it as Dial-Up Networking. Suffice it to say that, in those days, PPTP was anything but secure. Unfortunately, the bad name kinda stuck. For the most part, the security issues have been addressed with the possible exception of man-in-the-middle attacks which are incredibly difficult to pull off unless you are a service provider or have access to the wiring closets of your employer. You can read the long history of PPTP VPNs on Wikipedia for more background. If you’re traveling to China or other democracy-challenged destinations, you probably shouldn’t rely upon PPTP for network security. If these security considerations aren’t applicable in your situation, keep reading because PPTP VPNs are incredibly useful and extremely easy to deploy for an extra layer of VoIP and network security in most countries that have severe wiretapping penalties in place.
PPTP VPNs also provide home-away-from-home transparency to home office network services. Simply stated, with a PPTP VPN, you get a private IP address on the home office LAN that lets you do almost anything you could have done sitting at a desk in the home office. There’s more good news. Fifteen years ago, we paid Cisco thousands of dollars for hardware boxes known as PPTP VPN Concentrators. You can still find some of them on eBay. For history buffs, a little company in California originally built these boxes. I think we paid about $3,000 for them. One year later Cisco bought the company and promptly doubled the price. Today, you can Do It For Free™ using your existing PIAF2 server platform. And, trust me, today’s 2-minute setup runs circles around the hoops we jumped through 15 years ago to install PPTP VPNs. Once deployed, they revolutionized mobile computing.
If you’re already running one or more PIAF2™ servers, then adding a PPTP VPN server to an existing system is a job for a Fifth Grader. Remember, you only need to do this on one server at your home base even if you have a dozen. The other good news is there are PPTP VPN clients for almost any platform you can name. Linux, Windows, Macs, Android, as well as iPhones, iPads, and iPod Touch devices all have free PPTP VPN clients that can be activated in less than a minute giving you instant, secure home base access.
Getting Started. We’re assuming you already have a PBX in a Flash 2 server set up behind a hardware-based firewall. If not, start there. Next, we’ll need to download and run the installer for your PPTP VPN Server. Just log into your server as root and issue the following commands:
chmod +x install-pptp
UPDATE: For those of you still running a PBX in a Flash 1.7.x server under CentOS 5, we have a separate install script for you thanks to the great work of scurry7:
chmod +x install-pptp-centos5
The Server Install: Five Easy Pieces. The installer will walk you through these five installation steps, but we’ll repeat them here so you have a ready reference down the road.
First, on your hardware-based firewall, map TCP port 1723 to the private IP address of your PIAF2 server. This tells the router to send all PPTP VPN traffic to your PIAF2 server when it hits your firewall. If you forget this step, your PPTP VPN will never work!
Second, you’re going to need a dedicated IP address on your private LAN to assign to the PPTP VPN server. Make sure it’s not an IP address from your router’s DHCP pool of addresses, and make sure it’s not one of the addresses from Step #3 below.
Third, you’re going to need two or more sequential IP addresses on your private LAN to assign to PPTP VPN clients that connect to your server. Remember, the PPTP design makes every remote client a node on your local area network so each client needs a private IP address on your LAN. Figure out how many client devices will be simultaneously connecting to your server and add one to it. Make sure the addresses you choose are in sequential order and not part of your router’s DHCP pool of addresses. Don’t use the address reserved for your PPTP server in Step #2 above. The address range should look something like this entry: 192.168.0.41-49. If you get the syntax wrong, guess what happens? If you screw it up, you can edit your localip and remoteip entries in /etc/pptpd.conf.
Fourth, each user is going to need a username to access your PPTP server. We’re going to set up credentials for one user as part of the install. You can add extra ones by adding entries to /etc/ppp/chap-secrets. For an extra layer of security, make the username as obscure as a password. Just don’t use any special characters. Upper and lowercase letters sprinkled with numbers are perfect. We recommend a length of at least 8 alphanumeric characters.
Fifth, make up an equally secure password to access your PPTP server. Same rules apply as in Step #4.
You’re done. Review your entries very carefully. If all is well, press Enter. If you blink, you may miss the completion of the install process. It’s that quick.
Configuring PPTP Client Devices. As we mentioned, there are available PPTP clients for Linux and Windows machines and Macs as well as Android and Apple smartphones and tablets. We’ve documented the steps for the various client setups on the PBX in a Flash Forum. Come visit! You’ll also discover some great tips from our resident gurus. We also would encourage you to post any questions that arise in your use of PPTP VPNs in that thread. You’ll get a quick and courteous response.
Secure VoIP Calling. The collateral benefit of implementing a PPTP VPN on your PIAF server is that all calls between remote extensions and home base can now be transmitted through a secure VPN tunnel. The only adjustment necessary using a SIP client on either an Android or Apple device is to replace the public server IP address with the server’s LAN IP address, and all of the communications traffic will flow through the VPN tunnel. The way we set up our Android phone with the Bria SIP client is to allocate an extension from the home office PIAF server to the SIP client and then enter the private IP address of the PIAF server in the Bria configuration. Then, when you’re at home base with WiFi, the client just works. And, when you’re on the road, just turn on the PPTP VPN, and Bria will register through the VPN tunnel using the exact same settings. It’s that easy, and it works great with WiFi or 3G/4G.
Checking for Connected Clients. If you get curious about who is logged into your PPTP server, here’s the command that’ll let you know: last | grep ppp.
GPL2 License. The install-pptp application is open source software licensed under GPL2. It has been specifically tailored for use on PBX in a Flash 2 (and now PIAF 1.7.x) servers, but it can easily be adjusted to work with virtually any Linux-based Asterisk system. If you make additions or changes, we hope you’ll share them on our forums for the benefit of the entire VoIP community. Enjoy!
What’s Next? For a more traditional client-server VPN which still relies upon a central server but uses a star topology to connect remote nodes, see this new Nerd Vittles article on the NeoRouter VPN.
Originally published: Monday, April 9, 2012
Need help with Asterisk? Visit the NEW PBX in a Flash Forum.
whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.
Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.
Some Recent Nerd Vittles Articles of Interest…