Tuesday, November 29, 2011

Snom, pfSense, OpenVPN, and Asterisk: Cheaper than Cisco

VOIP and SIP have made calling cheaper than ever, but security is only just catching up. The idea of a secure, transportable (hard) phone has been around for a while. Just look at the STU-III or the KY-3. Cisco is moving away from the phone proxy on its ASA devices and towards an IPSec client in the phone with its associated licensing. Snom, OpenVPN, and Asterisk can do the same for less. The Snom 370, 800-series, and 7x0 series phones have the OpenVPN client in the firmware.

Asterisk's built-in encryption is only just starting to work in 1.8, and it would require you to open ports to your Asterisk server from the Internet. Enter OpenVPN, an open-source user-space VPN that's lighter weight than IPSec. Better yet, no per-client licensing fees like Cisco. (Unless you want commercially supported OpenVPN @ $10/client.) Asterisk itself isn't quite ready for the enterprise, but we're all hoping Asterisk 10 is ready for prime time.

Using the built-in OpenVPN server in pfSense 2.0, you can connect your Snom phone securely across the internet to your internal network and to Asterisk. (This is not end-to-end encryption, though, even if you run OpenVPN on the Asterisk server itself: the media is only protected inside the tunnel.)

Part 1: pfSense OpenVPN config


In the pfSense OpenVPN server page, choose the following parameters: (DISCLAIMER: this is certainly not the only way to do this, nor the most secure.) I'm also going to assume you've already used the pfSense Cert Manager to create a CA and issue a client certificate for the your Snom phone.

OpenVPN | Server

General
Disabled: Not checked.
Server Mode: Remote Access (SSL/TLS).
Protocol: UDP
Device Mode: tun
Interface: WAN
Local Port: 1194 (default)
Description: SnomPhoneVPN

Crypto Settings:
TLS Authentication: Checked (pfSense should populate the box with an OpenVPN Static Key.)
Peer Certificate Authority: InternalCA (What you set up in pfSense's CA Page.)
Peer Certificate Revocation List: (leave default for now.)
Server Certificate: OpenVPNServer (CA: InternalCA)
DH Params Length: 1024
Encryption Algorithm: AES-256-CBC (256-bit)
Hardware Crypto: No Hardware Crypto (Unless you've got a card...)

Tunnel Settings:
Tunnel Network: Choose a private IP space that's not 192.168.x.x, so it doesn't conflict with every NAT home network. 10.1.0.0/24 should work most places.
Redirect gateway: Checked if you want it to be more secure, but you'll lose local access to the phone.
Local Network: Enter your local LAN IP space here, e.g. the one your Asterisk server is on.
Concurrent connections: 1 or more.
Compression: unchecked.
Inter-client Communications: not checked.
Duplicate connections: leave this checked for testing only.

Client Settings: The only one that needs to be checked is "Provide a virtual adapter IP address to clients."

Advanced: Nothing is required here.

Part 2: Client OpenVPN config

Use the OpenVPN client export utility (0.9.6). Export the Configuration Archive. Unzip the files. Rename the x.ovpn file to vpn.cnf and edit it to add /openvpn/ in front of the cert and key file names. Then place it in a folder called openvpn and tar it from within the folder, per SNOM.

Keep in mind that the two other files in there, the personal certificate (x-.p12) and the OpenVPN TLS key (x-tls.key), are the keys to your network, so protect them. (If your certificate file is compromised, you'll need to create a certificate revocation list pronto.) Selecting Remote Access (SSL/TLS) in Part 1 means certificate-only authentication, on top of which we added the TLS static key, so no username and password are required. (You can try adding them, but you'll need to hard-code them in another file in the config tarball, so it won't make much difference.)

vpn.cnf after editing:
#----------
dev tun
persist-tun
persist-key
proto udp
cipher AES-256-CBC
tls-client
client
resolv-retry infinite
remote x.x.x.x 1194
tls-remote OpenVPNServer
pkcs12 /openvpn/pfsense-udp-1194.p12
tls-auth /openvpn/pfsense-udp-1194-tls.key 1
#----------
where x.x.x.x is your WAN IP address, or preferably your dynamically updated DNS name if your IP is subject to change.

There should be three files for you to place in the tarball: vpn.cnf, the .p12 certificate (with key), and the x-tls.key. Once you have the tarball, follow SNOM's instructions to get it onto the phone. (Hint: you'll need to place it on a webserver, but preferably not one that's publicly available or unauthenticated.)
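The edit-rename-copy-tar steps above are easy to get subtly wrong (a path left un-prefixed, a key file forgotten, and the phone simply never connects). Here is an added example, not from the original post and not Snom's or pfSense's own tooling, that does the steps as a small POSIX shell script. It assumes the unzipped export holds one x.ovpn plus the .p12 and -tls.key it references, that the phone wants the config as openvpn/vpn.cnf with file paths rewritten to /openvpn/<name>, and that a plain tar run from the staging directory matches Snom's archive layout; check that last point against Snom's own tar instructions before trusting it.

```shell
#!/bin/sh
# Added example (not from the original post, Snom or pfSense): build the
# Snom OpenVPN tarball from an unzipped pfSense client-export archive.
# Assumed layout inside the tarball: openvpn/vpn.cnf plus the referenced
# .p12 and -tls.key files, all paths inside vpn.cnf rewritten to /openvpn/.

# Rewrite every file-bearing directive (ca/cert/key/pkcs12/tls-auth) so its
# operand becomes /openvpn/<basename>. Directives without a file operand
# (dev, proto, remote, ...) pass through untouched. Only the basename is
# kept, so running it over an already-rewritten config changes nothing.
snom_rewrite_ovpn() {
    awk '
        $1 == "ca" || $1 == "cert" || $1 == "key" ||
        $1 == "pkcs12" || $1 == "tls-auth" {
            n = split($2, parts, "/")
            $2 = "/openvpn/" parts[n]
        }
        { print }
    '
}

# Print the basename of every file a vpn.cnf refers to, one per line.
snom_referenced_files() {
    awk '$1 == "ca" || $1 == "cert" || $1 == "key" ||
         $1 == "pkcs12" || $1 == "tls-auth" {
             n = split($2, p, "/"); print p[n]
         }' "$1"
}

# Build the tarball. $1 = directory holding the unzipped export,
# $2 = output tarball path. Returns non-zero if the config names a file
# that is not in $1: a tarball missing a key just leaves the phone offline,
# so it is better to stop here than to ship a half-built archive.
snom_build_tarball() {
    src=$1
    out=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ovpn=$(ls "$src"/*.ovpn 2>/dev/null | head -n 1)
    [ -n "$ovpn" ] || { echo "no .ovpn found in $src" >&2; return 1; }
    # The post's point about username/password: they would have to live in
    # a second file inside the tarball, so flag the directive if present.
    if grep -q '^auth-user-pass' "$ovpn"; then
        echo "warning: auth-user-pass means credentials inside the tarball" >&2
    fi
    stage=$(mktemp -d) || return 1
    mkdir "$stage/openvpn"
    snom_rewrite_ovpn < "$ovpn" > "$stage/openvpn/vpn.cnf"
    for base in $(snom_referenced_files "$stage/openvpn/vpn.cnf"); do
        if [ ! -f "$src/$base" ]; then
            echo "missing $base (referenced by $ovpn)" >&2
            rm -rf "$stage"
            return 1
        fi
        cp "$src/$base" "$stage/openvpn/$base"
        chmod 600 "$stage/openvpn/$base"   # certificate and TLS key: owner-only
    done
    # Archive from the staging directory so members are named openvpn/...
    (cd "$stage" && tar cf "$out" openvpn)
    status=$?
    rm -rf "$stage"
    return $status
}

# Usage: snom_build_tarball ./unzipped-export ./vpn.tar
```

The resulting vpn.tar still contains the private key material, so it belongs on the same kind of non-public, authenticated webserver the post recommends, and it should be deleted from the export machine once the phone has fetched it.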

Gotchas:

  1. This client config leaves you vulnerable to man-in-the-middle attacks where someone says they're your server. I'm still working on server authentication that works with the pfsense openvpn config.

  2. The phone's NTP server needs to be available on whatever network you plug in to.

  3. You need to follow Snom's instructions on how to create the tar file, which may be different than what you're used to.

  4. You need netcat running to see OpenVPN logs. They don't go to the phone's syslog server.

  5. If you blow up your Snom phone (can't connect to it any more), be sure to have the firmware image available on a local tftp server so you can start all over.

  6. Don't forget to add your OpenVPN network to Asterisk's sip_nat.conf or you'll drop calls.

  7. Be aware that the Snom phones can also route packets from devices behind it via the PC port. You'll need to consider how to secure your internal network from the vpn phones.

  8. If your Snom phone doesn't grab the tarball after boot, you'll need to put a dummy file on the webserver that's referenced on the advanced | update | Setting URL: parameter called "snom370.htm". Then the phone should start grabbing the tarball again. This may be a bug in snom370-SIP 8.4.32, the version tested.

  9. You'll need to test on a subnet that doesn't have access to your Asterisk box without the VPN, i.e. not on your internal network.