Making our conference phones secure using Raspberry Pi

We’ve been experimenting with Raspberry Pi computers since they were released. They’re small, fun and powerful enough to fit those little gaps in systems where you might otherwise have to shell out for a proprietary solution.

Raspberry Pi image courtesy of Switched On Tech Design (www.sotechdesign.com.au)

Recently we moved offices in York, which gave us space for a dedicated meeting and conference room, so we decided to start using proper conference “spiderphones” to communicate with our Manchester office. Swanky!

Unfortunately, we ran into a problem. We use OpenVPN to securely connect our SIP phones together. Our standard desk phones – Snom 370s – support OpenVPN but the conference phones, Polycom SoundStation IP 6000s, do not. Initially, we experimented with using Blinkpipe cameras to act as gateways, but they were an expensive option and not totally reliable in this instance.

We started exploring other options and, specifically, whether the Raspberry Pi could plug the gap between our conference phones and allow them to connect securely via OpenVPN to our SIP phone network.

The idea:

Build a single-purpose OpenVPN gateway using a Raspberry Pi with a second USB network connection. It should read its network configuration and OpenVPN configuration from its /boot partition, connect on startup, reconnect on errors and – crucially! – not require any maintenance. It should present the OpenVPN-secured network connection over its ethernet interface.

The results:

After some experimentation, I created a custom image based on Raspbian, but it needs some basic setup before you can flash it to a blank SD card. All of the configuration options can be found in the vpn folder of the boot partition:

1. Download the image (3.7 GB).

2. Run the following to mount the boot partition:

nathan@desk:~$ cp vpnapp.piimg myvpnapp.piimg
nathan@desk:~$ mkdir mnt
nathan@desk:~$ sudo kpartx -av myvpnapp.piimg
add map loop1p1 (254:25): 0 114688 linear /dev/loop1 8192
add map loop1p2 (254:26): 0 3665920 linear /dev/loop1 122880
nathan@desk:~$ sudo mount /dev/mapper/loop1p1 mnt
nathan@desk:~$ cd mnt/vpn/
nathan@desk:~/mnt/vpn$

3. Now edit the etc.network.interfaces file. The Pi has two interfaces, which we refer to as green (client/phone side) and red (external/internet side).

In the image, eth0 (the onboard ethernet) is used as the green interface and is given the static IP of 169.254.1.10/24 by default. This means you can change the red interface at will with minimal configuration changes, from wifi to USB ethernet for example. A different interface should be set up on the red side and configured as necessary. In our image, wlan0 is configured to pick up an address by DHCP.

4. Next, put the ca.crt, client.crt, client.key and vpn.cnf (note the spelling!) files in the directory. Ensure that vpn.cnf refers to the certificates and key by their absolute paths, /boot/vpn/{ca.crt,client.crt,client.key}. vpn.cnf is simply an OpenVPN configuration file.

5. All done! Now run:

nathan@desk:~/mnt/vpn$ cd ../..
nathan@desk:~$ sync
nathan@desk:~$ sudo umount mnt
nathan@desk:~$ rmdir mnt
nathan@desk:~$ sudo kpartx -d /dev/loop1

And then, assuming there is a blank SD card at /dev/sdx:

nathan@desk:~$ sudo dd if=myvpnapp.piimg of=/dev/sdx

Now, when the Pi boots, it will attempt to get an IP on the red interface and start the VPN over it. It will then statelessly NAT traffic between the green and red interfaces. Easy!

Useful things to know (if you need to change anything):

  • There are no network services running for simplicity and security. This includes SSH.
  • There is a single user: username root, password vpnappliance
  • The Pi should not need to be touched. All config is in the boot partition under vpn/
    • /etc/network/interfaces is a link to /boot/vpn/etc.network.interfaces
    • /etc/openvpn/vpnappliance.conf is a link to /boot/vpn/vpn.cnf
    • /boot/vpn/iptables.conf is a script to set up the NAT, and must be called by post-up on the red interface
  • The line net.ipv4.ip_forward=1 exists in /etc/sysctl.conf
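A hardened take on the /boot/vpn/iptables.conf script described above, added here as an example and not the script shipped in Bytemark's image: it forwards phone traffic from the green interface only into the OpenVPN tunnel and drops direct green-to-red forwarding, and it uses stateful connection tracking rather than the stateless NAT the post mentions. eth0, wlan0 and the 169.254.1.0/24 phone subnet match the image as described; the tunnel interface name tun0 is an assumption.

```shell
#!/bin/sh
# /boot/vpn/iptables.conf, example version (not the one shipped in the image).
# Run by ifupdown as "post-up /boot/vpn/iptables.conf" on the red interface.
# Interface names are assumptions; keep them in step with etc.network.interfaces.
GREEN=${GREEN:-eth0}   # onboard ethernet, phone side (169.254.1.10/24)
RED=${RED:-wlan0}      # external side, gets its address by DHCP
TUN=${TUN:-tun0}       # interface OpenVPN creates when the VPN is up (assumed name)

# Print a complete iptables-restore ruleset for the given interfaces.
# Pure function: the policy can be inspected or tested without root.
nat_rules() {
    green=$1; red=$2; tun=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# replies to the Pi's own traffic (OpenVPN on the red side) and DHCP offers
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $red -p udp --sport 67 --dport 68 -j ACCEPT
# phones may only talk through the tunnel; never straight out of the red side
-A FORWARD -i $green -o $tun -j ACCEPT
-A FORWARD -i $tun -o $green -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $green -o $red -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 169.254.1.0/24 -o $tun -j MASQUERADE
COMMIT
EOF
}

# Load the ruleset atomically; needs root. ip_forward is already set in
# /etc/sysctl.conf on the image, re-applied here so the script stands alone.
apply_nat() {
    nat_rules "$GREEN" "$RED" "$TUN" | iptables-restore
    sysctl -q -w net.ipv4.ip_forward=1
}

# ifupdown exports PHASE=post-up while running a post-up command, so the
# rules are only applied in that context, never when the file is merely sourced.
if [ "${PHASE:-}" = "post-up" ]; then
    apply_nat
fi
```

Because the ruleset is generated by a plain function, `sh -c '. /boot/vpn/iptables.conf; nat_rules eth0 wlan0 tun0'` shows exactly what would be loaded before it is applied.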

So with two similarly configured Raspberry Pis in Manchester and York, we’ve got two working conference phones which happily connect to our OpenVPN-secured phone network!

Found this useful or got a better way of doing it? Drop us a comment below!

Nathan @ Bytemark
