How can I secure phone calls using OpenVPN?

Introduction

Please note that this config guide is for OpenVPN V2.1 RC10.

This Configuration Guide will show you how to:

  1. Download Pre-Requisites
  2. Prepare Certificates and Keys for VPN Security
  3. Configure the 3CX Phone System machine to also be a VPN Server, using OpenVPN
  4. Configure a client PC to be a VPN Client, using OpenVPN
  5. Configure a Snom370 phone to be a VPN Client, using the OpenVPN implemented inside its firmware

Download Pre-Requisites

  1. Download OpenVPN from:
    http://users.skynet.be/ballet/joris/SimpleCA/SimpleCA-1.0.3-win32.zip
  2. Install OpenVPN on the PBX Server using default settings – If you get a warning about installing an unsigned driver, select “Continue Anyway”
  3. Download SimpleCA from:
    http://users.skynet.be/ballet/joris/SimpleCA/SimpleCA-1.0.3-win32.zip
  4. Extract the contents of the SimpleCA ZIP file to “c:\openca”
  5. Download 7-Zip from:
    http://www.7-zip.org
  6. Install 7-Zip. We will be needing it to make the Tarball for the Snom370 Installation
  7. Download the OpenVPN-capable version of the Snom370 firmware. As at time of writing, this is the URL to retrieve the correct file:
    http://provisioning.snom.com/download/fw/snom370-7.3.7-VPN-SIP-f.bin

Preparing Certificates and Keys for security for VPN communications

  1. Extract the contents of the SimpleCA ZIP file to “c:\openca”
  2. Run SimpleCA – Since you are running this the first time, you will need to create a Root Certificate Authority, and SimpleCA will pop up the “Set Up Root CA” dialog

  3. Set up the Root Certificate Authority
    a. Select your country (example: “Cyprus”)
    b. Enter the “State or Province Name” (example: “Nicosia”)
    c. Enter the “Locality Name” (example: “Nicosia”)
    d. Enter the “Organization” (example: “3CX Ltd.”)
    e. You may leave the “Organizational Unit” blank
    f. Enter the “Common Name” (example: “3CX-CA”)
    g. Enter the “Email Address” (example: “someone@3cx.com”)
    h. Set a password – keep it safe
    i. Click on the “Ok” button
  4. Create a Server Certificate Request
    a. Select Menu Item “Server Certificates -> New Certificate Request”

    b. Select your country (example: “Cyprus”)
    c. Enter the “State or Province Name” (example: “Nicosia”)
    d. Enter the “Locality Name” (example: “Nicosia”)
    e. Enter the “Organization” (example: “3CX Ltd.”)
    f. Enter the “Organizational Unit” (example: “Telecommunications”)
    g. Enter the “Common Name” (example: “pbx.3cx.com”)
    h. Enter the “Email Address” (example: “someone@3cx.com”)
    i. Click the “Ok” button – This will display the “Save” dialog
    j. Save the Server Certificate Signing Request into “c:\openca\certificates”
  5. Sign the Server Certificate Request
    a. Select Menu item “Server Certificates -> Sign Certificate Request” – This will display the “Select
        CSR to sign” dialog
    b. Select the Server Certificate Signing Request file which you saved previously in
        “c:\openca\certificates”
    c. Click the “Open” button – This will display a dialog titled “Do you want to sign this request?”
    d. Click the “Ok” button to sign the request
    e. Enter the Root CA password and click the “Ok” button
  6. Create a Client Certificate Request
    a. Select Menu Item “Client Certificates -> New Client Certificate Request” – This will display the
       “New Client Certificate Request” dialog

    b. Enter the “Common Name” (example: “VPN Client 1”)
    c. Enter the “Email Address” (example: “someuser@3cx.com”)
    d. Click the “Ok” button – This will display the “Enter file name to save CSR” dialog
    e. Save the User Certificate Signing Request into “c:\openca\certificates”
  7. Sign the Client Certificate Request
    a. Select Menu Item “Client Certificates -> Sign Client Certificate Request” – This will display the
       “Select CSR to sign” dialog
    b. Select the Client Certificate Request file which you saved previously in “c:\openca\certificates”
    c. Click the “Open” button
    d. Click the “Ok” button to sign the request
    e. Enter the Root CA password and click the “Ok” button
  8. Export the Client Certificate
    a. Select Menu Item “Client Certificates -> Export PKCS12 format” – This will display the
       “Select certificate to export” dialog
    b. Select the Client Certificate file to export
    c. Click the “Open” button
    d. Enter a password for this Certificate in the “PKCS12 Export Password” field and keep it safe,
        and enter it again in the “Repeat Password” field to confirm
    e. Click the “Ok” button
  9. Create a DH (Diffie-Hellman) Parameter file
    a. Launch a command prompt and cd to “c:\openca”
    b. Run the command: “openssl dhparam -out dh1024.pem 1024”
  10. Create another Client Certificate Request – Repeat steps 6 to 8 for “VPN Client 2”

Configure the 3CX Phone System machine to be a VPN Server

  1. Create the Server configuration
    a. Create this file: “c:\program files\openvpn\config\server.ovpn” and open it using Notepad
    b. Enter the following text into the file:

        mode server
        tls-server
        dev tap
        ca ca.crt
        cert server.crt
        key server.key
        dh dh1024.pem
        keepalive 10 120

    c. Save the file
    d. From “c:\openca”, copy file “ca.crt” into “c:\program files\openvpn\config”
    e. From “c:\openca”, copy file “dh1024.pem” into “c:\program files\openvpn\config”
    f. From “c:\openca\certificates”, copy the server .KEY file into “c:\program files\openvpn\config”,
       ensuring that the destination filename becomes “server.key”
    g. From “c:\openca\certificates”, copy the server .CRT file into “c:\program files\openvpn\config”,
       ensuring that the destination filename becomes “server.crt”

  2. Bridging the Network Adaptors
    a. Ensure that you perform this task from the machine’s console – the machine will lose network
        connectivity during this procedure
    b. Launch “Start -> Settings -> Network Connections”
    c. Select the Hardware NIC Card which this machine will be using to listen for VPN connections and
        take a note of all its Statically-assigned IP parameters.

    Please note that DHCP client implementations of the PBX server are not supported, and are therefore considered outside the scope of this config guide.

    d. Now select both the Hardware Network Adaptor AND the new Virtual Network Adaptor
        (installed by OpenVPN). With both selected, right-click on one of the Adaptors and select
        “Bridge Connections”.
    e. When the Network Bridge is created, right-click the Network Bridge and set the TCP/IP
        parameters to be the same as those noted on the Hardware NIC Card noted above.

  3. Set OpenVPN Server to start automatically as a service
    a. Go to “Start -> Control Panel -> Administrative Tools -> Services”
    b. Scroll down and find the service named “OpenVPN”. Right-click on it and select “Properties”
    c. Change the “Startup Type” field to “Automatic”
    d. Click the “Start” button to start the server now

Configuring OpenVPN on the Client PC

  1. Install OpenVPN on the Client machine using default settings
  2. Create the Client configuration
    a. Create this file: “c:\program files\openvpn\config\client.ovpn” and open it using Notepad
    b. Enter the following text into the file:

        client
        tls-client
        dev tap
        ca ca.crt
        cert client.crt
        key client.key
        keepalive 10 120
        remote 10.10.10.10

    c. Replace the IP Address in the last line above with the IP Address applied statically to the
        Network Bridge of the OpenVPN Server.
    d. On the Client Machine, copy into “c:\program files\openvpn\config” the file “c:\openca\ca.crt”
        from the OpenVPN Server machine.
    e. On the Client Machine, copy into “c:\program files\openvpn\config” the client certificate (.crt) file
        from the “c:\openca\certificates” folder on the OpenVPN Server machine.
        Make sure that the destination filename is “client.crt”.
    f. On the Client Machine, copy into “c:\program files\openvpn\config” the client key (.key) file
        from the “c:\openca\certificates” folder on the OpenVPN Server machine.
        Make sure that the destination filename is “client.key”.
  3. Starting up the OpenVPN Client
    a. Launch “Start -> Programs -> OpenVPN -> OpenVPN GUI”
    b. Right-click the OpenVPN icon in the system tray and select “Connect”.
        This will start the OpenVPN Client.
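As an added example (not part of this guide), a small Python check that parses the server.ovpn and client.ovpn shown above and reports the mismatches that would stop the two sides from connecting. The file contents are embedded inline from the guide; the set of directives it checks is an assumption about what matters most for this bridged TAP setup, not an exhaustive OpenVPN validator.

```python
# Added example, not part of the 3CX guide: parse the server.ovpn and
# client.ovpn from this guide and flag mismatches that would block the link.
SERVER_OVPN = """\
mode server
tls-server
dev tap
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
keepalive 10 120
"""
CLIENT_OVPN = """\
client
tls-client
dev tap
ca ca.crt
cert client.crt
key client.key
keepalive 10 120
remote 10.10.10.10
"""


def parse_ovpn(text):
    """Map each directive to its argument list; '#' and ';' start comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            name, *args = line.split()
            conf[name] = args
    return conf


def check_pair(server, client):
    """Return the problems found; an empty list means the pair is consistent."""
    problems = []
    if "tls-server" not in server:
        problems.append("server side must run as tls-server")
    if "tls-client" not in client and "client" not in client:
        problems.append("client side must be tls-client (or use the 'client' shortcut)")
    if server.get("dev") != client.get("dev"):
        problems.append("dev must match on both ends (tap here, because the server is bridged)")
    if "dh" not in server:
        problems.append("server has no dh file; the TLS key exchange cannot complete")
    problems += [f"{n} must be set on both sides" for n in ("ca", "cert", "key")
                 if n not in server or n not in client]
    if not client.get("remote"):
        problems.append("client has no remote (the static IP of the server's bridge)")
    return problems
```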

Configuring OpenVPN on the Snom370

  1. Prepare the OpenVPN configuration file for the Snom370
    a. Create a folder “c:\snomvpn”
    b. Create a file “c:\snomvpn\vpn.cnf” and ensure the contents read as follows:

        client
        tls-client
        dev tap
        ca /openvpn/ca.crt
        cert /openvpn/client.crt
        key /openvpn/client.key
        keepalive 10 120
        remote 10.10.10.10

    c. Replace the IP Address in the last line above with the IP Address applied statically to the
        Network Bridge of the OpenVPN Server.
  2. Prepare the certificate files for the Snom370
    a. Copy into the “c:\snomvpn” folder the file “c:\openca\ca.crt” from the OpenVPN Server machine.
    b. Copy into the “c:\snomvpn” folder the client certificate (.crt) file from the “c:\openca\certificates”
        folder on the OpenVPN Server machine. Make sure that the file you choose is that for the
        Snom370 phone. Make sure that the destination filename is “client.crt”.
    c. Copy into the “c:\snomvpn” folder the client key (.key) file from the “c:\openca\certificates”
        folder on the OpenVPN Server machine. Make sure that the file you choose is that for the
        Snom370 phone.
        Make sure that the destination filename is “client.key”.
  3. Create a Tarball for use with the Snom370
    a. This step requires 7-Zip to be installed, so install it now if necessary. Using Windows Explorer,
        go to the “c:\snomvpn” folder
    b. Select all 4 files, right-click on any one of the 4 files, and select the “7-Zip -> Add to Archive…”
        option
    c. In the “Add to Archive” window, change the “Archive Format” field to “Tar”, and change the
        “Archive” field to “vpnclient.tar”.
    d. Copy the “vpnclient.tar” file into the “c:\program files\3cx phonesystem\data\http\firmwares”
        folder. You may need to create the “firmwares” folder for this purpose.
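An added example, not part of this guide or the Snom firmware: building the vpnclient.tar with Python's tarfile module instead of 7-Zip and checking that every file vpn.cnf refers to is actually inside it before the tarball is published under the firmwares folder. It assumes the phone unpacks tar members into /openvpn/ (which is why vpn.cnf uses those paths) and uses placeholder PEM bodies in place of the real ca.crt, client.crt and client.key.

```python
# Added example, not from the 3CX guide: build and check the vpnclient.tar the
# Snom370 fetches. PEM bodies are constructed placeholders; the phone is assumed
# to unpack members into /openvpn/, matching the paths used in vpn.cnf above.
import io
import tarfile

VPN_CNF = """\
client
tls-client
dev tap
ca /openvpn/ca.crt
cert /openvpn/client.crt
key /openvpn/client.key
keepalive 10 120
remote 10.10.10.10
"""
PEM_CRT = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
PEM_KEY = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
FILES = {"vpn.cnf": VPN_CNF.encode(), "ca.crt": PEM_CRT,
         "client.crt": PEM_CRT, "client.key": PEM_KEY}


def build_tarball(files):
    """Return an uncompressed tar (7-Zip's 'Tar' format) holding the given files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_tarball(data):
    """Return problems found; an empty list means the tarball is deployable."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
    if "vpn.cnf" not in members:
        return ["vpn.cnf missing: the phone has no OpenVPN configuration"]
    conf = {}
    for line in members["vpn.cnf"].decode().splitlines():
        if line.strip():
            name, *args = line.split()
            conf[name] = args
    problems = []
    for directive in ("ca", "cert", "key"):
        path = conf.get(directive, [""])[0]
        if not path.startswith("/openvpn/"):
            problems.append(f"{directive} must point under /openvpn/, got {path!r}")
        elif path[len("/openvpn/"):] not in members:
            problems.append(f"{directive} names {path} but the tar has no such file")
    if "remote" not in conf:
        problems.append("remote (the static IP of the server's bridge) is missing")
    return problems
```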
  4. Update the firmware for the Snom370
    a. On the 3CX PhoneSystem Server, place the downloaded firmware for the Snom370 into folder
        “c:\program files\3cx phonesystem\data\http\firmwares”. You may need to create the
        “firmwares” folder for this purpose.
    b. Log on to the Snom370 web interface, and go to the “Settings -> Software Update” link

    c. Enter the URL where the Snom370 phone can retrieve its new firmware. For example, if the
        IP Address of the PBX Server is 192.168.1.25, you would enter:
        http://192.168.1.25:5481/firmwares/snom370-7.3.7-VPN-SIP-f.bin
    d. Click on the “Load” button. The phone will reboot, and ask you if you want to load new software.
        Press the “OK” button on the phone. The phone will retrieve the firmware, erase its flash, and
        perform the upgrade.
  5. Activate the OpenVPN client on the Snom370
    a. Log on to the Snom370 web interface, and click the “Advanced” link in the left-hand-side menu.
        Click the “QoS/Security” tab.

    b. In the “Unzipped VPN config tarball” field, enter the URL where the Snom370 phone can retrieve
        the tarball file. For example, if the IP Address of the PBX Server is 192.168.1.25, you would
        enter:
        http://192.168.1.25:5481/firmwares/vpnclient.tar
    c. Click the “Save” button. Then click the “Reboot” button at the top of the page to reboot the phone
        – click the “Yes” button if it asks for confirmation. The phone will reboot and display a message:
        “Fetching VPN Tarball config…”. You may need to reboot the phone a second time for this
        procedure to complete successfully.
  6. Ensure that the 3CX PhoneSystem machine and the Snom370 have synchronized time clocks.
    a. You can set an NTP Time Server on the Snom370 by clicking the “Advanced” link in the
        Snom370’s Web Interface.
    b. You can set an NTP Time Server on the 3CX PhoneSystem machine (and any other Windows
        machine which you will use as an OpenVPN client) from the “Internet Time” tab in the
        “Date and Time” Control Panel application.

    This step is necessary because if the two devices attempting to establish a VPN connection have clocks that differ too much, the connection will fail.
