Nortel IP 1535 Development

OpenVPN 2.1.4 on the Nortel IP 1535 - HOWTO

Instructions for setting up OpenVPN-2.1.4 on the Nortel IP 1535 Videophone:

1) Grab the tarball at http://dave.tycho.ws/n1535/ovpn.tar.bz2

2) Extract this into two files - the tun module (tun.o) and the openvpn binary (openvpn).

3) Put tun.o in /usr/local/drivers and openvpn in /usr/local/bin. You also need to make the openvpn binary executable:
Code:
chmod +x /usr/local/bin/openvpn
4) Execute the following commands to make the tun device:
Code:
insmod /usr/local/drivers/tun.o
mkdir /dev/net
mknod /dev/net/tun c 10 200
5) Make a directory /usr/etc/openvpn and put your config file and keys into this directory.

6) I like to make a soft link for the config to the standard location:
Code:
ln -s /usr/etc/openvpn /etc/openvpn
7) Start OpenVPN:
Code:
/usr/local/bin/openvpn --config /etc/openvpn/client.conf
(or whatever your config file is named)
That's all there is to it. You will have to repeat all the steps above except number 5 each time the phone reboots. My recommendation is to put all of those in a shell script that is called by /usr/etc/rc.local. Be careful - if you screw up /usr/etc/rc.local, you can render your phone inoperable. I would definitely add the daemon switch to your config file, so the openvpn process forks to the background and doesn't halt the execution of your /usr/etc/rc.local script. Alternatively, you can call openvpn with the --daemon command-line switch to put it into daemon mode:
Code:
/usr/local/bin/openvpn --daemon --config /etc/openvpn/client.conf
For those who are interested in how to configure OpenVPN, I've written some notes about my configuration, together with a set of config files. You can find this material here.

The OpenVPN binary linked above is compiled using the -mcpu=xscale switch and arm-xscale-linux-gnu target in my toolchain. Instructions for building that toolchain can be found here. The crosstool configuration files have been updated since I originally posted the toolchain tutorial, so if you downloaded the configs previously, be sure to grab an updated copy. The binary will also work if you use the -mcpu=iwmmxt switch and arm-iwmmxt-linux-gnu target (edit the crosstool arm.dat config file to change these). For this latter case, the instruction set generated by the cross-compiler is a bit more PXA270-specific and may make a slightly more efficient binary. Try them both and see. I'd be interested in hearing your results.

Dave
 
MAGIC !

Works Perfectly for me. Thanks again, Dave.

Here are my ping times on the local network, not super fast, but usable, I think.

Code:
root@pbx2:/etc/openvpn $ ping 192.168.211.6
PING 192.168.211.6 (192.168.211.6) 56(84) bytes of data.
64 bytes from 192.168.211.6: icmp_seq=1 ttl=64 time=23.6 ms
64 bytes from 192.168.211.6: icmp_seq=2 ttl=64 time=84.2 ms
64 bytes from 192.168.211.6: icmp_seq=3 ttl=64 time=26.5 ms
64 bytes from 192.168.211.6: icmp_seq=4 ttl=64 time=35.0 ms
64 bytes from 192.168.211.6: icmp_seq=5 ttl=64 time=16.7 ms
64 bytes from 192.168.211.6: icmp_seq=6 ttl=64 time=39.8 ms
64 bytes from 192.168.211.6: icmp_seq=7 ttl=64 time=31.1 ms
64 bytes from 192.168.211.6: icmp_seq=8 ttl=64 time=26.6 ms
64 bytes from 192.168.211.6: icmp_seq=9 ttl=64 time=30.8 ms
64 bytes from 192.168.211.6: icmp_seq=10 ttl=64 time=62.0 ms
64 bytes from 192.168.211.6: icmp_seq=11 ttl=64 time=29.8 ms
64 bytes from 192.168.211.6: icmp_seq=12 ttl=64 time=30.9 ms
64 bytes from 192.168.211.6: icmp_seq=13 ttl=64 time=20.2 ms
64 bytes from 192.168.211.6: icmp_seq=14 ttl=64 time=36.5 ms
64 bytes from 192.168.211.6: icmp_seq=15 ttl=64 time=36.6 ms
64 bytes from 192.168.211.6: icmp_seq=16 ttl=64 time=29.1 ms
64 bytes from 192.168.211.6: icmp_seq=17 ttl=64 time=37.0 ms
64 bytes from 192.168.211.6: icmp_seq=18 ttl=64 time=36.7 ms
64 bytes from 192.168.211.6: icmp_seq=19 ttl=64 time=28.6 ms
64 bytes from 192.168.211.6: icmp_seq=20 ttl=64 time=35.1 ms

--- 192.168.211.6 ping statistics ---
20 packets transmitted, 20 received, 0% packet loss, time 19007ms
rtt min/avg/max/mdev = 16.723/34.878/84.241/14.426 ms
root@pbx2:/etc/openvpn $
 
For those wondering ... openvpn is only taking 3.0% of memory and 2.5% of the CPU under some small load. I haven't tested a video call yet.

Code:
  PID USER     STATUS   RSS  PPID %CPU %MEM COMMAND
  624 root     S       1936     1  2.5  3.0 openvpn
 
Rock On!

Wow!

So much has happened since my original post just a month or so ago!

Thanks for this great work.... I'm installing a 1535 at my Mom's, who is 600 miles away and she's 80. Therefore, I want a flawless network... the VPN will help a bunch!
 
OpenVPN PIAF Server Config?

I did the Google and did not find exactly what I needed for my Windoze-based brain...

I need help setting up OpenVPN on the server side...

I have it installed on PIAF. I need some help with the server.conf.... and how do I create certificates?

I'm really a noob with Linux VPNs...

Basically, want a 192.168.5.x VPN subnet with 5 nortel 1535s as
clients.

TIA,

Gerry
 
I did the Google and did not find exactly what I needed for my Windoze-based brain...

I need help setting up OpenVPN on the server side...

I have it installed on PIAF. I need some help with the server.conf.... and how do I create certificates?

I'm really a noob with Linux VPNs...

I'm waiting for this also.

Also, I'm circling like a buzzard trying to figure out if the step by step for OpenVPN 2.1.4 on the Nortel IP 1535 - HOWTO is in small enough steps for me to do it - so far I'm not ready. I really want to - but I would rather not brick the guinea pig phone. I'm worried there may be assumptions I should be drawing from the procedure that I'm not experienced enough to know about.
 
I have it installed on PIAF. I need some help with the server.conf.... and how do I create certificates

Many moons ago I did a series of articles that MIGHT or MIGHT NOT help you out. The first one probably won't help that much, since it's for setting up a router-based client, though you might want to glance over it:

http://michigantelephone.wordpress....ed-with-tomato-firmware-as-the-client-part-1/

If there is a part of this you would find helpful, it would likely start with Part 2:

http://michigantelephone.wordpress....ed-with-tomato-firmware-as-the-client-part-2/

And include Part 3:

http://michigantelephone.wordpress....ed-with-tomato-firmware-as-the-client-part-3/

And maybe Part 4:

http://michigantelephone.wordpress....ed-with-tomato-firmware-as-the-client-part-4/

If they help you, great. If they don't, please be aware that getting that to work was one of the most challenging things I've ever done, and once I got everything working I haven't really touched it since those articles were written. So I guess what I'm trying to say is that if something you read there doesn't make sense to you, by this point in time it might not make sense to me either. And, please understand that those were written for a different purpose than what you guys are doing here, but since it's OpenVPN I'd think at least parts of it should still be applicable.

If nothing else, my list of references in Part 4 might be of some use to you.

I hope that this doesn't confuse you more than help you (if it does, you have my apology in advance!). And also, I do not have one of the phones discussed in this thread, so I absolutely can't help you with any specifics related to that.
 
OpenVPN configuration

Here's a quick way to configure OpenVPN using TUN mode (point-to-point). You will be able to access any node on the VPN from any other node.

To generate the certificate and keys, follow this (the OpenVPN documentation really is pretty good):

http://openvpn.net/index.php/open-source/documentation/howto.html#pki

A couple of points about PKI creation:

1) It doesn't really matter what you put in the ./vars file. OpenSSL is used for lots of things, and for some it makes a difference. For OpenVPN, it doesn't.

2) Don't password-protect your keys.

3) When generating the keys, be sure to sign with the certificate you generated - you will be prompted whether or not to do this - answer yes.

4) Generate more client keys than you think you will use (twice as many - you always end up adding more clients and it's a pain to go back and generate keys again).

5) Protect your ca.key file with your life. The integrity of your VPN depends on the security of this file.

6) If you screw up during the key-generation process, just delete the keys as explained in the openvpn.net documentation and start over.

To configure a network for a single OpenVPN client (telephone) connecting to a single OpenVPN server (pbx), grab config files here:

http://dave.tycho.ws/n1535/ovpn.config.tar.bz2

Edit the client.conf file line 3 to point to your OpenVPN server. Change the <...> stuff to your server's fqdn or ip address. That line should look like:

remote pbx.domain.com

(no <> brackets).

On the server, create a directory tree with config and keys as follows:

/etc/openvpn
/etc/openvpn/server.conf
/etc/openvpn/keys
/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/server.crt
/etc/openvpn/keys/server.key
/etc/openvpn/keys/dh2048.pem

If you used a 1024 bit key, the Diffie-Hellman parameters file will be dh1024.pem. On the client, it should look like:

/etc/openvpn
/etc/openvpn/client.conf
/etc/openvpn/keys
/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/client.crt
/etc/openvpn/keys/client.key

On a Nortel 1535 you have to make the client config in /usr/etc/openvpn and then softlink it to /etc/openvpn via:

ln -s /usr/etc/openvpn /etc/openvpn

Make sure the times on your server and client are reasonably close to the real time. If they are not, you will get a bunch of errors in /var/log/openvpn.log. Determine the system time on linux with:

date

Set the time on linux with:

date MMDDHHMM2010

where MMDDHHMM is the month/day/hour/minute of time in UTC. For example, if it is 8:02 am on Nov. 17 in Central Time (UTC - 6 hours) you would type:

date 111714022010

Start the server:
openvpn --config /etc/openvpn/server.conf

Start the client:
openvpn --config /etc/openvpn/client1.conf

And they should link up and run. Logs can be found in /var/log/openvpn.log and /var/log/openvpn-status.log if troubleshooting is required. Also, if you want to set up more clients (telephones), just replicate the client side with client2, client3 etc. You must have the server OpenVPN version >=2.1 for this to work. The client OpenVPN version just has to be >= 2.0 (the Nortel version is 2.1.4).

The VPN will be established on the 10.8.0.0/24 subnet with my configs from above. You can change that in the server.conf file.

Dave
 
Has anyone tried modifying the firmware payload and uploading it to the phone? I'm wondering if there is an MD5 hash or something to determine if it's been tampered with. We could possibly gain access to the read-only portions this way.
 
I haven't tried, but I doubt there is any MD5 hash test done on the payload.

Here are the first few lines of the boot sequence from the console:
Code:
 2007.4.19: LVP2890 Boot From G4-M-DOC one-nand. MAC set free
 2007.7.23: LVP2890 Boot From G4-M-DOC. serialno digit change
 In mdoc_load_parameterSerial No : NNTMMB49000E13
 Loading blob from flash  done
 load K1 kernel
 Loading kernel from MDOC one-nand flash  done
 Loading ramdisk from flash  done
 

 Starting kernel ...
 

 Uncompressing Linux................................................................. done, booting the kernel.
 Linux version 2.4.25-vrs2-pxa1 ([email protected]) (gcc version 3.3.2) #4 Mon Aug 20 16:47:35 KST 2007
 CPU: Bulverde revision 7
 Machine: LG Video Phone
 Run Mode clock: 208.00MHz (*16)
 Turbo Mode clock: 416.00MHz (*2.0, active)
 Memory clock: 208.00MHz (Alt=1, SDCLK[0]=/4, SDCLK[1]=/2)
 System bus clock: 208.00MHz
 Bulverde MMX enabled.
 LGVP-2800: PXA270 processor.
 On node 0 totalpages: 16384
 zone(0): 16384 pages.
 zone(1): 0 pages.
 zone(2): 0 pages.
 Kernel command line: console=ttyS2,19200 mem=64m root=/dev/ram panic=2
Although I have to confess I don't know what the mdoc_load_parameterSerial No: is. Maybe the serial number for the part - a different part from the development system?

Dave
 
Dave,

I'm all up and running with the VPN (tap), I can ssh into the phone via the VPN IP and ping, traceroute, etc. All networking works as expected.

However, when I attempt to register the phone to asterisk, the IP address of the eth0 device (or wlan0, if that profile is enabled) is sent in the registration packet to the server, rather than the IP address of the tun0 device. So the server has no route back to this host.

I'm not sure what's going on here. It seems that implementation of the registration software must have the eth0 or wlan0 device hardcoded into the code so that it uses the eth0 or wlan0 as the source address...

any thoughts? are you having the same problem?

Fixed. Just had to add a route to the remote network's local network, where the phone's eth0 or wlan0 lived, in my default router and on my VPN box.

It is a bummer, however, that the traffic originates from the eth0 or wlan0 IP address. It makes administration a bit more difficult.
 
eth0 isn't hardcoded in, but the phone app gets it from /usr/etc/ethernet.cfg. It does make things a bit more tricky to get going. You have to change ethernet.cfg and restart the phone app after the vpn tunnel is up. Should be do-able in the rc.local script...

Dave
 
Booting the Nortel IP 1535 with an OpenVPN network connection

I put together a set of instructions for how to set up the Nortel IP 1535 with an OpenVPN network in TUN mode at boot time using the rc.local script. You can find the instructions and required files here.

Make sure you back up your original rc.local script before you start. Also, it would be an extremely good idea to make sure you have console access to the phone before you try this in case something goes wrong. Be careful - misconfiguring something while following these instructions could render your phone inoperable.

I'm currently using this technique and it works well. It's probably not optimal, however. If you find a better way, please post it!

Dave
 
Simpler implementation

I came up with a much simpler and cleaner way to boot OpenVPN on these phones. Same basic idea, but the scripts aren't so spaghetti-ish. Also, this new way will determine the OpenVPN network parameters for you (from the "ifconfig tun0" results), so you don't have to enter that for each phone. OpenVPN can be turned on/off by creating/deleting the file /usr/etc/.ovpn on the phone. Haven't figured out how to do that from the GUI yet, but who knows... This should also work with wireless connections, but I haven't tested that yet. Feedback would be good!

The link in the previous post will get you a revised tarball. I also added a copy of the phone application's boot log (/var/log/mmi.log) for this method.

Same caveats apply...

Judging by the differences in latency reported by Asterisk between with OpenVPN and without OpenVPN registrations, it looks like using OpenVPN doesn't add more than 5-6 ms to the link latency time.

Question for the day - What is "NTP ADJUSTION"??? ;)

I'm done for a while. Have a good holiday!
Dave
 
I'm pretty sure it's talking about the difference between the hardware clock and the NTP time, and the small adjustment to the hardware clock to have the two remain in sync. See this posting.
 
Haven't figured out how to do that from the GUI yet, but who knows... This should also work with wireless connections, but I haven't tested that yet. Feedback would be good!


Dave

You might try the type of idea that was used to open the firewall from outside for remote extensions. Checking for a specific Display Name or characters in the display name. Something like... Check if 'vpn' is part of the display name then run, skip if not. This would allow you to see at a glance the mode. Or maybe some other setting that can be changed to a benign value.
 
Question for the day - What is "NTP ADJUSTION"???
The ntp on the phone seems to work in a very weird way. The automatic time setting seems to be pretty unreliable when my phones are connected by cable, but it syncs fine over wifi. Another thing is that the sync actually does not happen on the system level, but in the UI only. After every restart my phone is at 01.01.1970 and even after it syncs time, when I use "date" in the terminal, the system clock is wrong. The msntp utility (source is on the nortel site) does not work correctly either. It loads the time from the ntp server, but setting the system time and date with it is not possible, it will complain about insufficient rights. But you can pipe the output to date.

Petr

P.S. sorry about not being active very much lately, I have been partying since last Wednesday.
 
Hi Petr. The version of ntp on the phone only sets the phone application's clock. The hardware clock is not set. There is an OpenNTP binary (ontpd) in my tarball above that will correctly set the hardware clock for you. Very screwy, I agree!

BTW - thanks for your decompiled python - it helped greatly getting OpenVPN integrated in this cleaner way!

Dave
 
OpenVPN can be turned on/off by creating/deleting the file /usr/etc/.ovpn on the phone. Haven't figured out how to do that from the GUI yet, but who knows...
Dave

I am not a linux or pbx guru ... yet ... done some programming in the windows environment.... so I am not yet comfortable trying this.

To turn on openvpn from the phone maybe something like this can be done. Line 9 of /usr/local/lgvp/vdci.cfg stores the Display Name (DISPLAY_NAME=). If you set the Display Name from the phone or from your provisioning interface to something like this 703vpn, you could check for the special characters... with maybe grep

This line in your rc.local where you check if the file exists
if [ -e /usr/etc/.ovpn ]; then

would become something like this (not sure of syntax)
if grep -q 'vpn' /usr/local/lgvp/vdci.cfg; then

Just an idea, there are probably better ways to do it plus I don't know if it works
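Pulling together the HOWTO steps at the top of the thread, Dave's notes on the key directory tree and the clock, and the .ovpn / display-name toggle ideas in the last posts, here is an added example of an rc.local helper; it is not a script from the thread or from Dave's tarball. It assumes a POSIX sh/busybox environment on the phone; the function names, the DISPLAY_NAME grep, the key-permission rule and the 2010 clock floor are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread or Dave's tarball): boot-time helper that
# performs the HOWTO steps (tun module, device node, symlink, openvpn --daemon)
# only after checks a practitioner would want. Paths come from the thread;
# function names, the DISPLAY_NAME toggle and clock floor are assumptions.
OVPN_BIN=/usr/local/bin/openvpn
TUN_MOD=/usr/local/drivers/tun.o
OVPN_DIR=/usr/etc/openvpn
ENABLE_FILE=/usr/etc/.ovpn
VDCI_CFG=/usr/local/lgvp/vdci.cfg

# 0 when the VPN should come up: the toggle file exists, or the phone's
# DISPLAY_NAME= line in vdci.cfg contains "vpn" (idea from the last post).
ovpn_enabled() {
    [ -e "$1" ] && return 0
    grep '^DISPLAY_NAME=.*vpn' "$2" >/dev/null 2>&1
}

# 0 when config and key material exist and client.key is not readable by
# group/other (a readable key lets any local process impersonate the phone).
# Parses ls -l so it also works on an old busybox without stat -c.
ovpn_preflight() {
    dir=$1
    for f in client.conf keys/ca.crt keys/client.crt keys/client.key; do
        [ -r "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done
    case "$(ls -ld "$dir/keys/client.key")" in
        ????------*) return 0 ;;
        *) echo "client.key is group/world readable; chmod 600 it" >&2; return 1 ;;
    esac
}

# Certificate validity checks need a sane clock; a phone stuck at 01.01.1970
# fails the TLS handshake. 1262304000 is 2010-01-01 UTC, a constructed floor.
clock_sane() {
    [ "$1" -ge 1262304000 ]
}

# Load the tun module and create the device node once per boot (HOWTO step 4).
tun_setup() {
    [ -c /dev/net/tun ] && return 0
    insmod "$TUN_MOD" || return 1
    mkdir -p /dev/net && mknod /dev/net/tun c 10 200
}

ovpn_boot() {
    ovpn_enabled "$ENABLE_FILE" "$VDCI_CFG" || { echo "openvpn disabled"; return 0; }
    ovpn_preflight "$OVPN_DIR" || return 1
    clock_sane "$(date +%s)" || { echo "clock not set; not starting openvpn" >&2; return 1; }
    tun_setup || return 1
    [ -e /etc/openvpn ] || ln -s "$OVPN_DIR" /etc/openvpn
    # --daemon so /usr/etc/rc.local is not blocked (HOWTO step 7)
    "$OVPN_BIN" --daemon --config /etc/openvpn/client.conf
}
# Run the boot sequence only when invoked as "sh ovpn-boot.sh boot" from rc.local.
if [ "${1:-}" = boot ]; then ovpn_boot; fi
```

Call it from /usr/etc/rc.local as `sh /usr/etc/ovpn-boot.sh boot` so a failed preflight only skips OpenVPN instead of aborting the phone's boot script.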
 