Note: The following guide has been deprecated in our configuration as we have switched to using OpenVPN. OpenVPN is supported natively by our ATAs, so in some installations, we may not even need a router installed
To allow each of our phones to access the PhilTel network, we set up a Virtual Private Network (VPN) to allow a secure connection between each of our sites and our server running Asterisk.
We use WireGuard to facilitate connection between our main C&C server and each client site. Using this VPN, we can also easily administer the hardware at each site as we need.
WireGuard was chosen over OpenVPN due to its reliability, low latency, and ease of use. WireGuard is also considerably faster than OpenVPN but that doesn’t matter much for our purposes because each site uses a low amount of data.
Assuming a Debian system, we will update and install WireGuard using a non-root, sudo user:
$ sudo apt update $ sudo apt install wireguard
We will perform the following commands to create our public/private keypair:
$ wg genkey | sudo tee /etc/wireguard/private.key $ sudo chmod go= /etc/wireguard/private.key $ sudo cat /etc/wireguard/private.key | wg pubkey | sudo tee /etc/wireguard/public.key
Now we will create our config file:
$ sudo nano /etc/wireguard/wg0.conf
Our IP range will be
10.11.12.0/24 and we will listen on the port
[Interface] Address = 10.11.12.1/24 ListenPort = 52934 PrivateKey = private_key_from_cat_command_above_goes_here SaveConfig = false PostUp = iptables -A FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE PostDown = iptables -D FORWARD -i eth0 -o wg0 -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
Note: we set
SaveConfig as false as to not cache endpoint info from our peers. This could be problematic when their public IPs change.
Now, we must enable IPv4 forwarding on the server by modifying
/etc/sysctl.conf and uncommenting
net.ipv4.ip_forward=1. This will make sure that traffic can flow from our WireGuard peers through the server:
$ sudo cat /etc/sysctl.conf | grep 'net.ipv4.ip_forward=1' net.ipv4.ip_forward=1
Then reload for changes to take effect:
$ sudo sysctl -p
Now, we can enable and start the
wg0 service via
$ sudo systemctl enable firstname.lastname@example.org $ sudo systemctl start email@example.com
This will make sure that the service will run on reboot.
Check the status of the service with the following:
$ sudo systemctl status firstname.lastname@example.org
Check the WireGuard connection with:
$ sudo wg show
Also, remember to create a firewall rule to open up the connection port, and a rule to accept all UDP traffic from our peers (ATAs can communicate with Asterisk on random UDP ports):
$ sudo cat /etc/iptables/rules.v4 | grep '52934' -A INPUT -p udp --dport 52934 -j ACCEPT