[plug] VOIP suggestions please

Brad Campbell brad at wasp.net.au
Fri Apr 7 22:10:17 WST 2006


Brad Campbell wrote:
> W.Kenworthy wrote:
>> yeah, openvpn should be *easier*.  I am also in the throes of
>> reorganising my 'tunnels'.  Seems like they are starting to breed in the
>> dark!

Ok, it's sorted.. the issue was I'm using openvpn in routing mode.. and it won't pass any traffic with
anything other than its local addresses..

So, my quick and ugly solution is to rewrite the envelopes..
Packet comes in from 192.168.0.5 and is redirected with a dnat to 10.8.0.10 (my laptop). As it passes the
openvpn interface it still has a source address of 192.168.0.5 so openvpn drops it. So we mangle
that also and rewrite the source address as 10.8.0.6 (the vpn box in perth) and we are all sweet..

Mangling 1720/tcp is enough to establish an h323 connection, and all udp ports from 2000:56000 seem
to cover the RTP streams.. so I can now SJPhone over the vpn.. w00t!
I'm *sure* there is an easier way to do this.. and I'll lay $20 that someone will pop up in the next 
week and say.. "well there is this simple little proxy you can use at ww.blah.rabbit".. but in a 
pinch this works..

It's also a gross misuse of infrastructure.. but I like doing that..

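#!/bin/sh

IPTABLES=/sbin/iptables
# Start from an empty nat table
$IPTABLES -t nat -F

# tcp 5900:5905 arriving over the vpn is redirected to 192.168.0.2
$IPTABLES -t nat -A PREROUTING -i tun0 -p tcp --dport 5900:5905 -j DNAT --to 192.168.0.2

# h323 setup (1720/tcp) and RTP (udp 2000:56000) arriving on eth0 go to the laptop (10.8.0.10)
$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2000:56000 -j DNAT --to 10.8.0.10
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 1720 -j DNAT --to 10.8.0.10
# Rewrite the source to the vpn box's own address (10.8.0.6) so openvpn will pass the packet
$IPTABLES -t nat -A POSTROUTING -o tun0 -p udp --dport 2000:56000 -j SNAT --to 10.8.0.6
$IPTABLES -t nat -A POSTROUTING -o tun0 -p tcp --dport 1720 -j SNAT --to 10.8.0.6

# Let the kernel forward packets between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward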

Brad
-- 
"Human beings, who are almost unique in having the ability
to learn from the experience of others, are also remarkable
for their apparent disinclination to do so." -- Douglas Adams
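
Added example (not part of Brad's post or his script): a small audit that reads nat rules in iptables-save form and reports how many ports each DNAT rule forwards, which makes the size of the udp 2000:56000 redirect on eth0 visible. The function name audit_dnat, the 100-port threshold and the sample rule text (the post's rules rewritten as iptables-save would print them) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Reports how many ports each DNAT rule forwards and flags wide ranges.
# Assumes iptables-save syntax without negated ("!") matches or multiport.

# The post's nat rules as `iptables-save -t nat` would print them
# (constructed sample; on a live box pipe in the real output instead).
SAMPLE_RULES='-A PREROUTING -i tun0 -p tcp -m tcp --dport 5900:5905 -j DNAT --to-destination 192.168.0.2
-A PREROUTING -i eth0 -p udp -m udp --dport 2000:56000 -j DNAT --to-destination 10.8.0.10
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1720 -j DNAT --to-destination 10.8.0.10
-A POSTROUTING -o tun0 -p udp -m udp --dport 2000:56000 -j SNAT --to-source 10.8.0.6
-A POSTROUTING -o tun0 -p tcp -m tcp --dport 1720 -j SNAT --to-source 10.8.0.6'

# audit_dnat MAX_PORTS
# Reads rules on stdin; prints one line per DNAT rule:
#   <WIDE|ok> <in-iface> <proto> <dport> <port-count> <new-destination>
audit_dnat() {
    awk -v max="$1" '
    $1 == "-A" {
        iface = "any"; proto = "all"; dport = ""; jump = ""; to = ""
        for (i = 2; i < NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") dport = $(i + 1)
            else if ($i == "-j") jump = $(i + 1)
            else if ($i == "--to-destination") to = $(i + 1)
        }
        if (jump != "DNAT") next
        if (dport == "") {
            # No --dport: every port of the protocol is forwarded.
            lo = 0; hi = 65535; dport = "any"
        } else {
            # "N" is a single port; "A:B" a range; open ends default to 0/65535.
            n = split(dport, r, ":")
            lo = (r[1] == "") ? 0 : r[1] + 0
            hi = (n == 1) ? lo : ((r[2] == "") ? 65535 : r[2] + 0)
        }
        count = hi - lo + 1
        printf "%s %s %s %s %d %s\n", (count > max ? "WIDE" : "ok"),
            iface, proto, dport, count, to
    }'
}

# Flag any DNAT rule that forwards more than 100 ports.
printf '%s\n' "$SAMPLE_RULES" | audit_dnat 100
```

On a live box the same function can be fed with `iptables-save -t nat | audit_dnat 100`.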


