Monday, August 24, 2009

Installing SerMyAdmin 1.2.8 With OpenSIPS 1.5.xx ON Ubuntu 9.x.x

WARNING: This tutorial is in progress and not finalized yet, so please contribute if you have an efficient way of doing this...

Why SerMyAdmin?
We need a GUI tool to help users and administrators; OpenSIPS offers a command-line tool (opensipsctl), but it is not easy to use when dealing with thousands of users.

SerMyAdmin 1.2.8 is available for download at https://sourceforge.net/projects/sermyadmin/

Objectives:

  • Installing Dependencies
  • Installing SerMyAdmin 1.2.8
  • Configuring User's/Administrator's Access
  • Add and Remove domains
  • Customize the Portal:
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Changes since the last version:
- New installation tool
- It now uses the opensips database instead of its own.
- Does not delete and recreate any opensips tables
- Five new modules
- Updated to Grails 1.0.5 and Jsecurity 0.4.1
- Database table cdrs was renamed to srm_cdrs to avoid conflicts with opensips-cp


Important Consideration:
The database connection parameters are defined in the file /usr/local/tomcat6/conf/context.xml. The defaults used are "opensips:opensipsrw". Please adjust the parameters to your needs.

If the system does not start, please restart tomcat6 (/etc/init.d/tomcat6 restart); that is often the problem.
SerMyAdmin is best viewed using Firefox.
default user: admin@setup
default password: secret


By Flavio E. Goncalves
http://www.sermyadmin.org/

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***

STOP!!! Before you start, you must edit your /etc/apt/sources.list to include the contrib and non-free repositories, as stated in the INSTALL instructions: Java is not in the standard Debian repositories.

>> Add repositories in file...
$ nano /etc/apt/sources.list

deb http://ftp.us.debian.org/debian/ etch main contrib non-free
deb-src http://ftp.us.debian.org/debian/ etch main contrib non-free
deb http://security.debian.org/ etch/updates main contrib non-free
deb-src http://security.debian.org/ etch/updates main contrib non-free

>> Update the package listings:
$ apt-get update
...
...

Manual Installation:
You can always install by using the provided script "install.sh", but if someone is curious enough to go through it step by step, here it is...

Untar the package using following command:
$ tar xvfz sermyadmin-install-1.2.8.tar.gz

Installing Dependencies:
`````````````````````````
SerMyAdmin uses the Grails framework and thus needs an application server. We will use Apache Tomcat in this tutorial because it's easy to install and free.

>> Install SunJava by executing following command:
$ aptitude install sun-java6-jdk
...
...
Reading package lists... Done
Building dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
The following NEW packages will be installed: gsfonts-x11{a} java-common{a} sun-java6-bin{a} sun-java6-jdk sun-java6-jre{a}
0 packages upgraded, 5 newly installed, 0 to remove and 1 not upgraded.
Need to get 52.6MB of archives. After unpacking 156MB will be used.

Do you want to continue? [Y/n/?] Y
Writing extended state information... Done

Preconfiguring packages ...
Selecting previously deselected package java-common.
(Reading database ... 145032 files and directories currently installed.)
Unpacking java-common (from .../java-common_0.30ubuntu4_all.deb) ...
Selecting previously deselected package sun-java6-jre.
Unpacking sun-java6-jre (from .../sun-java6-jre_6-14-0ubuntu1.9.04_all.deb) ...
Selecting previously deselected package sun-java6-bin.
Unpacking sun-java6-bin (from .../sun-java6-bin_6-14-0ubuntu1.9.04_amd64.deb) ...

Accept license, terms, and conditions:

sun-dlj-v1-1 license has already been accepted
Selecting previously deselected package sun-java6-jdk.
Unpacking sun-java6-jdk (from .../sun-java6-jdk_6-14-0ubuntu1.9.04_amd64.deb) ...
...
...
DoneBuilding dependency tree
Reading state information... Done
Reading extended state information
Initializing package states... Done
Writing extended state information... Done

>> Look up the directory where the Java files and links are stored:
$ ls -l /usr/lib/jvm/

lrwxrwxrwx 1 root root 19 2009-08-25 12:24 java-6-sun -> java-6-sun-1.6.0.14
drwxr-xr-x 8 root root 4096 2009-08-25 12:24 java-6-sun-1.6.0.14

>> Make the Sun Java implementation the default by executing the following command:
$ update-java-alternatives -s java-6-sun
...
...
Using '/usr/lib/jvm/java-6-sun/bin/appletviewer' to provide 'appletviewer'.
Using '/usr/lib/jvm/java-6-sun/bin/apt' to provide 'apt'.

>> If all goes well, the following command should give you similar output:
$ java -version

java version "1.6.0_14"
Java(TM) SE Runtime Environment (build 1.6.0_14-b08)
Java HotSpot(TM) 64-Bit Server VM (build 14.0-b16, mixed mode)


Installing Apache Tomcat 6:
````````````````````````````
- Unpack the Apache Tomcat package from the sermyadmin-install directory...
$ tar xvfz apache-tomcat-6.0.16.tar.gz

- Create a link to the directory
$ ln -s apache-tomcat-6.0.16 tomcat6

>> To see the contents of the package, execute the following commands:
$ cd apache-tomcat-6.0.16
$ ls -l
drwxrwxrwx 2 root root 4096 2009-08-11 20:40 bin
drwxrwxrwx 2 root root 4096 2009-08-11 20:41 conf
-rwxrwxrwx 1 root root 148 2009-03-26 11:18 generate-cdrs.sh
drwxrwxrwx 2 root root 4096 2009-08-11 20:40 lib
-rwxrwxrwx 1 root root 37951 2009-03-26 11:18 LICENSE
drwxrwxrwx 2 root root 4096 2009-08-20 17:57 logs
-rwxrwxrwx 1 root root 556 2009-03-26 11:18 NOTICE
-rwxrwxrwx 1 root root 7508 2009-03-26 11:18 RELEASE-NOTES
-rwxrwxrwx 1 root root 6681 2009-03-26 11:18 RUNNING.txt
drwxrwxrwx 3 root root 4096 2009-08-11 20:40 temp
drwxrwxrwx 7 root root 4096 2009-08-20 17:57 webapps
drwxrwxrwx 3 root root 4096 2009-08-11 20:40 work


- Write a short script to start Tomcat6 at server initialization
- Copy the script to /etc/init.d as "tomcat6"
- Make the script executable and register it to run at boot as follows:

$ cd /etc/init.d
$ chmod 755 tomcat6
$ update-rc.d tomcat6 defaults 99

update-rc.d: warning: /etc/init.d/tomcat6 missing LSB information
update-rc.d: see <http://wiki.debian.org/LSBInitScripts>
Adding system startup for /etc/init.d/tomcat6 ...
/etc/rc0.d/K99tomcat6 -> ../init.d/tomcat6
/etc/rc1.d/K99tomcat6 -> ../init.d/tomcat6
/etc/rc6.d/K99tomcat6 -> ../init.d/tomcat6
/etc/rc2.d/S99tomcat6 -> ../init.d/tomcat6
/etc/rc3.d/S99tomcat6 -> ../init.d/tomcat6
/etc/rc4.d/S99tomcat6 -> ../init.d/tomcat6
/etc/rc5.d/S99tomcat6 -> ../init.d/tomcat6
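Here is an added example of what that init script can look like. It is not the tomcat6 script shipped in sermyadmin-install/script/, and it assumes the Tomcat tree at /usr/local/tomcat6 as in this tutorial, the Sun JDK at /usr/lib/jvm/java-6-sun, and a dedicated unprivileged system account named tomcat (an assumption; create it with `adduser --system --group tomcat` and make it the owner of the Tomcat tree). The directory listing above shows the unpacked tree owned by root with mode 777; this script refuses to start the JVM as root, so a compromised web application does not end up with root on the SIP server.

```shell
#!/bin/sh
# /etc/init.d/tomcat6 -- start/stop Apache Tomcat for SerMyAdmin.
# Added example (not the script shipped in sermyadmin-install/script/tomcat6).
# Assumptions: Tomcat at /usr/local/tomcat6, Sun JDK at /usr/lib/jvm/java-6-sun,
# and a dedicated unprivileged system account "tomcat" that owns the tree.

CATALINA_HOME="${CATALINA_HOME:-/usr/local/tomcat6}"
JAVA_HOME="${JAVA_HOME:-/usr/lib/jvm/java-6-sun}"
TOMCAT_USER="${TOMCAT_USER:-tomcat}"
PIDFILE="${PIDFILE:-/var/run/tomcat6.pid}"

# Return 0 if "$1" is an existing account other than root. Tomcat serves the
# admin portal to the network, so the JVM must never run with root privileges.
check_run_user() {
    [ -n "$1" ] && [ "$1" != "root" ] || return 1
    id "$1" >/dev/null 2>&1
}

# Return 0 if Tomcat's control script ($1/bin/catalina.sh) and the JVM
# ($2/bin/java) are present and executable.
check_layout() {
    [ -x "$1/bin/catalina.sh" ] && [ -x "$2/bin/java" ]
}

# Print the command that runs catalina.sh with the given action as the
# unprivileged user. Building it in one place keeps start and stop consistent
# and lets the line be inspected before anything is executed.
catalina_cmd() {
    printf 'su -s /bin/sh -c "JAVA_HOME=%s CATALINA_PID=%s %s/bin/catalina.sh %s" %s\n' \
        "$JAVA_HOME" "$PIDFILE" "$CATALINA_HOME" "$1" "$TOMCAT_USER"
}

tomcat_start() {
    if ! check_run_user "$TOMCAT_USER"; then
        echo "tomcat6: refusing to start as '$TOMCAT_USER' (must be an existing non-root account)" >&2
        return 1
    fi
    if ! check_layout "$CATALINA_HOME" "$JAVA_HOME"; then
        echo "tomcat6: catalina.sh or java not found under $CATALINA_HOME / $JAVA_HOME" >&2
        return 1
    fi
    echo "Starting Tomcat as $TOMCAT_USER"
    eval "$(catalina_cmd start)"
}

tomcat_stop() {
    echo "Stopping Tomcat"
    eval "$(catalina_cmd stop)"
}

# Dispatch only when called with an action, as init or update-rc.d do.
case "${1:-}" in
    start)   tomcat_start ;;
    stop)    tomcat_stop ;;
    restart) tomcat_stop; sleep 5; tomcat_start ;;
    "")      ;;   # sourced or run without arguments: define functions only
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 2 ;;
esac
```

Once the tree is chowned to the tomcat account, `chmod -R o-w /usr/local/tomcat6` removes the world-writable bits seen in the listing; the webapps and work directories only need to be writable by that account.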

- Now reboot the server, open your browser and type the URL http://mydomain:8080/ in the address bar; if all has gone well you'll see Tomcat's startup page...
- Install the MySQL driver for Tomcat to let SerMyAdmin access your database.
- Download the driver and then execute the following commands:

$ wget http://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.8.tar.gz/from/http://mirror.services.wisc.edu/mysql/
$ tar zxvf mysql-connector-java-5.1.8.tar.gz
$ cp mysql-connector-java-5.1.8/mysql-connector-java-5.1.8-bin.jar /usr/src/tomcat6/lib

Note: Driver can be found at http://dev.mysql.com/downloads/connector/j/5.1.html

- Update the file "context.xml" found in /usr/src/tomcat6/conf as follows:


Make changes in the highlighted tags, based on how you are handling your server. You also need to create the user referenced in the context.xml file (in my case "sermyadmin"); this user should have the required access to the database.

/usr/local/tomcat6/conf# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1489
Server version: 5.0.75-0ubuntu10.2 (Ubuntu)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> grant all privileges on opensips.* to sermyadmin@ identified by 'secret';
Query OK, 0 rows affected (0.00 sec)
mysql> \q

>> Copy necessary files as follows:
$ cp serMyAdmin.war /usr/local/tomcat6/webapps/serMyAdmin.war
$ cp context.xml /usr/local/tomcat6/conf/context.xml


Configure Debian's Message Transfer Agent if you wish SerMyAdmin to send a confirmation email to new users. You can also use your existing MTA for this purpose.

Restart tomcat6 again using the command "tomcat6 start" and you are done with the setup.....
To access SerMyAdmin, point your browser to http://:8080/serMyAdmin and you will see the login page...


Installing SerMyAdmin 1.2.8 using standard script:
```````````````````````````````````````````````````
$ tar xvfz sermyadmin-install-1.2.8.tar.gz
sermyadmin-install/
sermyadmin-install/context.xml
sermyadmin-install/install.sh
sermyadmin-install/stacktrace.log
sermyadmin-install/script/
sermyadmin-install/script/tomcat6
sermyadmin-install/apache-tomcat-6.0.16.tar.gz
sermyadmin-install/INSTALL
sermyadmin-install/sermyadmin.sql
sermyadmin-install/README
sermyadmin-install/serMyAdmin.war

Switch to the directory and read the INSTALL file for details about the package...

/usr/src$ cd sermyadmin-install
/usr/src/sermyadmin-install$ more INSTALL

********************************************************************
* Please, you MUST have the contrib and non-free repositories
* in your /etc/apt/sources.list or you won't be able to install
* Java 6
*
* To install Java 6 you need at least Debian version 5
*
* IMPORTANT: Before running this program, you MUST have
* ran opensipsdbctl to create the OpenSIPS database. serMyAdmin
* do not create a new database, it only updates the opensips
* database.
*
* It's strongly advised that you BACKUP YOUR DATA BEFORE INSTALLING !
***********************************************************************

To install, issue the following command and answer the questions:

$ ./install.sh

NOTE: If you need to install again, you have to recreate opensips database or change sermyadmin.sql. The sql file cannot be applied twice.

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Specifics to my case:

I already have ISPConfig3 running on port 8080, so tomcat6 would conflict on that port. To avoid this conflict I am assigning another port (e.g. 8100).

The following file needs to be updated for this purpose; replace all occurrences of port 8080 with 8100...

/usr/local/tomcat6/conf# nano server.xml

Now my Tomcat6 and ISPConfig running on separate ports :)

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***

Configuring User's/Administrator's Access:
``````````````````````````````````````


Add and Remove domains:
````````````````````````


Customize the Portal:
```````````````````




Credits:
Flavio E. Goncalves http://www.sermyadmin.org/
Michel Spice who is my friend/teacher/supporter.
My family who is very supportive, my wife who lets me work late night :)

Saturday, April 25, 2009

MediaProxy 2.3.x & OpenSIPS 1.5.x Integration

MediaProxy is made up of (at least) two components: a dispatcher and a relay. MediaProxy Server allows specialized processing of clients behind NAT. It has the following characteristics:
  • Use of the DNS SRV records to load balance the requests.
  • Can be executed on a separate server, offloading the SIP Proxy.
  • Allows web monitoring.

A detailed description of features and documentation is available at their official site www.ag-projects.com

The latest version can be downloaded at the following link:
MediaProxy Download

Basic Steps in Installation:
For people running Debian testing or unstable on an i386 architecture there is an official public repository provided by AG Projects. To use it, add these lines to /etc/apt/sources.list:

# AG Projects software
deb http://ag-projects.com/debian unstable main
deb-src http://ag-projects.com/debian unstable main


*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***

The MediaProxy source already includes the necessary files to build Debian packages. They should probably also work without changes for Ubuntu, though they have not been tested with it.

To build Debian/Ubuntu packages, you can do the following (this is known to work with Debian testing and unstable and should work without changes in Ubuntu 8.04 Hardy as well, though they were not tested there):

apt-get update
apt-get install devscripts cdbs debhelper python-all-dev python-support \
libnetfilter-conntrack-dev python-application python-cjson \
python-gnutls python-twisted-core python-twisted-names \
python-zopeinterface python-pyrad python-sqlobject

Then unpack MediaProxy and in the directory where it was unpacked run:

debuild

You can safely ignore the pgp signing error at the end of the build process; that is only because you do not have the pgp key of the person who is listed as maintainer for the package. The packages are built fine even if they are not signed.

After building them, you can find the .deb packages in the parent directory, from where you can install them using dpkg:

cd ../
dpkg -i mediaproxy-*.deb

or you can install just the ones you need on that particular system. Please note that mediaproxy-dispatcher and mediaproxy-relay both depend on mediaproxy-common so you have to install it too along with either of them.

*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***


Install the AG Projects debian software signing key:
wget http://download.ag-projects.com/agp-debian-gpg.key
apt-key add agp-debian-gpg.key

Now run:
aptitude update
aptitude install mediaproxy-dispatcher mediaproxy-relay mediaproxy-web-sessions

Log:
root@:/usr/local/src# wget http://download.ag-projects.com/agp-debian-gpg.key
root@:/usr/local/src# apt-key add agp-debian-gpg.key
root@:/usr/local/src# aptitude update
root@:/usr/local/src# aptitude install mediaproxy-dispatcher mediaproxy-relay mediaproxy-web-sessions

The above process complains about dependencies, so follow the process below...

Manual Installation Process of MediaProxy:
Prerequisites
~~~~~~~~~
In order to build and install, MediaProxy has the following requirements:

- Linux (at least 2.6.18) with the following features compiled in:
- netfilter support
- connection tracking support
- connection tracking netlink interface
- connection tracking event notification API
- netfilter "NOTRACK" target support
- netfilter "CONNMARK" target support
- netfilter "connmark" match support
- IPv4 connection tracking support
- IP tables support
- IP tables Full NAT support

Distribution-provided kernel images should normally provide all of these features as modules. The Debian kernel images have all these features available and can be used out of the box.

- libnetfilter-conntrack (at least version 0.0.89)
Most of the Linux distributions separate a library package into runtime and development packages. To build MediaProxy, the development version is needed (it usually has a -dev suffix in the package name).

- Python (at least 2.4)
http://python.org

- Twisted framework (at least 2.5.0 with epollreactor support)
http://twistedmatrix.com

- python-zopeinterface (this is also a requirement for twisted)
http://zope.org/Products/ZopeInterface

- python-application (at least 1.0.9)
http://pypi.python.org/pypi/python-application

- GNU-TLS
http://www.gnu.org/software/gnutls

- python-gnutls
http://pypi.python.org/pypi/python-gnutls

- python-cjson
http://pypi.python.org/pypi/python-cjson

For the database accounting module:
SQLObject
http://sqlobject.org

For the RADIUS accounting module:
pyrad (at least 1.1)
http://www.wiggy.net/code/pyrad/

You have to install the following software in order to get the conntrack-tools working; make sure that you have installed them correctly before going forward:

  • Linux kernel version >= 2.6.18 (http://www.kernel.org) that, at least, has support for:
- connection tracking system
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m

- nfnetlink
CONFIG_NETFILTER_NETLINK=m

- ctnetlink (nf_conntrack_netlink)
CONFIG_NF_CT_NETLINK=m

- connection tracking event notification API
CONFIG_NF_CONNTRACK_EVENTS=y

(To check that the event API is enabled in the kernel, make sure you have loaded nf_netlink_conntrack module, run conntrack -E and generate traffic, you should see network events)

  • libnfnetlink: the netfilter netlink library available at:
http://www.netfilter.org/projects/libnfnetlink/files/

  • libnetfilter_conntrack: the netfilter conntrack library available at:
http://www.netfilter.org/projects/libnetfilter_conntrack/files/


Now proceed by first checking the kernel version:
$ uname -a

My kernel version meets the requirement, thus I will skip the steps related to the kernel install...
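The version and CONFIG_* checks from the prerequisite list above, scripted so they can run before the build starts. This is an added example, not part of MediaProxy or conntrack-tools; it assumes the running kernel's build configuration is readable at /boot/config-$(uname -r), where the Debian and Ubuntu kernel packages install it (if it is not there, `zcat /proc/config.gz` gives the same file on kernels built with IKCONFIG).

```shell
#!/bin/sh
# Added example: check the conntrack prerequisites listed above before
# building MediaProxy. Not part of MediaProxy or conntrack-tools.
# Assumes the running kernel's build config is at /boot/config-$(uname -r).

# Options the relay needs; "y" (built in) or "m" (module) both satisfy them.
REQUIRED_OPTIONS="CONFIG_NF_CONNTRACK CONFIG_NF_CONNTRACK_IPV4 CONFIG_NETFILTER_NETLINK CONFIG_NF_CT_NETLINK CONFIG_NF_CONNTRACK_EVENTS"
MIN_KERNEL="2.6.18"

# kernel_at_least MIN RUNNING: return 0 if RUNNING (e.g. "2.6.28-11-generic")
# is >= MIN, comparing the leading dotted numeric part field by field.
kernel_at_least() {
    min="$1"
    run=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    i=1
    while :; do
        a=$(printf '%s' "$min" | cut -d. -f"$i")
        b=$(printf '%s' "$run" | cut -d. -f"$i")
        [ -z "$a" ] && return 0          # every field of MIN matched
        [ -z "$b" ] && b=0
        [ "$b" -gt "$a" ] && return 0
        [ "$b" -lt "$a" ] && return 1
        i=$((i + 1))
    done
}

# missing_options CONFIGFILE: print each required option that is not set to
# y or m; return 0 when nothing is missing, 1 otherwise.
missing_options() {
    cfg="$1"
    rc=0
    for opt in $REQUIRED_OPTIONS; do
        if ! grep -q -E "^${opt}=(y|m)$" "$cfg"; then
            echo "$opt"
            rc=1
        fi
    done
    return $rc
}

# check_prereqs: run both checks against the running kernel; non-zero status
# lets a build script stop before ./configure.
check_prereqs() {
    running=$(uname -r)
    cfg="/boot/config-$running"
    if ! kernel_at_least "$MIN_KERNEL" "$running"; then
        echo "kernel $running is older than $MIN_KERNEL" >&2
        return 1
    fi
    if [ ! -r "$cfg" ]; then
        echo "cannot read $cfg; check the CONFIG_* options by hand" >&2
        return 1
    fi
    missing=$(missing_options "$cfg" || true)
    if [ -n "$missing" ]; then
        echo "kernel lacks:" $missing >&2
        return 1
    fi
    echo "kernel $running satisfies the conntrack prerequisites"
}

# Run the live check when executed as "sh check-conntrack.sh check".
if [ "${1:-}" = "check" ]; then
    check_prereqs
fi
```

The event API check suggested above (loading the conntrack netlink module and watching `conntrack -E` while generating traffic) is still worth doing after this passes, since CONFIG_NF_CONNTRACK_EVENTS=y only proves the kernel was built with it, not that the module is loaded.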

Next, download the files from the official site:
http://www.netfilter.org/projects/libnfnetlink/files/
[x] libnfnetlink-0.0.41.tar.bz2 06-Mar-2009 17:31 234K
[x] libnfnetlink-0.0.41.tar.bz2.sig 06-Mar-2009 17:31 65

# tar xvfj libnfnetlink-0.0.41.tar.bz2
# cd libnfnetlink-0.0.41
# ./configure
# make
# make install

Now download:
http://www.netfilter.org/projects/libnetfilter_conntrack/downloads.html#libnetfilter_conntrack-0.0.99

[x] libnetfilter_conntrack-0.0.99.tar.bz2 : GPG signature (key) : md5sum 960c3d347d7f4e3fe7437aa198f36e6e

# tar xvfj libnetfilter_conntrack-0.0.99.tar.bz2
# cd libnetfilter_conntrack-0.0.99

To compile and install conntrack-tools, just follow the classical steps:


# ./configure
# make
# make install

Next check other dependencies:
Download Python 3.0.1 from the link
http://www.python.org/download/ and install as follows:

root:/usr/local/src# tar -xzvf Python-3.0.1.tgz
root:/usr/local/src# cd Python-3.0.1
root:/usr/local/src/Python-3.0.1# ./configure
root:/usr/local/src/Python-3.0.1# make
...
...
Python build finished, but the necessary bits to build these modules were not found:
_curses _curses_panel _sqlite3
_tkinter bz2 readline
To find the necessary bits, look in setup.py in detect_modules() for the module's name.

root:/usr/local/src/Python-3.0.1# make install
...
...
* Note: not installed as 'python'.
* Use 'make fullinstall' to install as 'python'.
* However, 'make fullinstall' is discouraged,
* as it will clobber your Python 2.x installation.

Next, download and install Twisted Framework 8.2.0 from this link: http://twistedmatrix.com/trac/

root:/usr/local/src# tar xvfj Twisted-8.2.0.tar.bz2
root:/usr/local/src# cd Twisted-8.2.0

Download Zope Interface 3.1.0 or above:
http://zope.org/Products/ZopeInterface

Untar file and install as follows:
root:/usr/local/src/Twisted-8.2.0# tar xvfz zope.interface-3.3.0.tar.gz
root:/usr/local/src/Twisted-8.2.0# cd zope.interface-3.3.0
root:/usr/local/src/Twisted-8.2.0/zope.interface-3.3.0# python setup.py build
root:/usr/local/src/Twisted-8.2.0/zope.interface-3.3.0# python setup.py install
root:/usr/local/src/Twisted-8.2.0/zope.interface-3.3.0# cd ..
root:/usr/local/src/Twisted-8.2.0# python setup.py install
...
...
Installed /usr/lib/python2.5/site-packages/Twisted-8.2.0-py2.5-linux-x86_64.egg
Processing dependencies for Twisted==8.2.0
Searching for zope.interface==3.3.1
Best match: zope.interface 3.3.1
Removing zope.interface 3.3.0 from easy-install.pth file
Adding zope.interface 3.3.1 to easy-install.pth file

Using /usr/lib/python2.5/site-packages
Finished processing dependencies for Twisted==8.2.0

The above installations also took care of the python-zopeinterface, python-application, python-cjson, and GNU-TLS (python-gnutls) dependencies...

Next Database Dependencies:
SQLObject is a popular Object Relational Manager for providing an object interface to your database, with tables as classes, rows as instances, and columns as attributes.

SQLObject includes a Python-object-based query language that makes SQL more abstract, and provides substantial database independence for applications.
root:/usr/local/src# easy_install -U SQLObject

Next download and install pyrad:
pyrad is an implementation of a RADIUS client as described in RFC2865. It takes care of all the details like building RADIUS packets, sending them and decoding responses.

root:/usr/local/src/Python-3.0.1# mv /home/wiz/Documents/pyrad-1.1.tar.gz .
root:/usr/local/src/Python-3.0.1# tar xvfz pyrad-1.1.tar.gz
root:/usr/local/src/Python-3.0.1# cd pyrad-1.1
root:/usr/local/src/Python-3.0.1/pyrad-1.1# python setup.py install
...
...


Installing MediaProxy:
Add DNS SRV records for the SIP domains you wish to serve. Put them at the same priority with different weights to allow load balancing of traffic. Put them at different priorities to allow fallback.

Example:

Consider that your domain is mydomain.com and you want to dedicate 3 main servers and 2 fallbacks. The main servers you want to distribute traffic among are two 1GHz machines (named nat1 and nat2) and a 2GHz machine (nat3). You want 25% of the traffic to go to each 1GHz machine and 50% to the 2GHz machine. For the fallbacks (nat4 and nat5) you want to distribute the traffic equally between the 2 machines.

_mediaproxy._tcp.mydomain.com. IN SRV 0 25 25060 nat1.mydomain.com.
_mediaproxy._tcp.mydomain.com. IN SRV 0 25 25060 nat2.mydomain.com.
_mediaproxy._tcp.mydomain.com. IN SRV 0 50 25060 nat3.mydomain.com.
_mediaproxy._tcp.mydomain.com. IN SRV 10 50 25060 nat4.mydomain.com.
_mediaproxy._tcp.mydomain.com. IN SRV 10 50 25060 nat5.mydomain.com.

If your DNS provider does not support SRV records, take a look at Managed DNS http://www.managed-dns.org

In this setup, the traffic will be distributed between the nat1, nat2 and nat3 machines in a proportion of 25%+25%+50%. If one goes offline, the other 2 will take its traffic share, redistributing the load according to their own weights. If all of nat1, nat2 and nat3 stop responding, nat4 and nat5 will be used, distributing the traffic between them equally (50%+50%).
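As an added example (not part of MediaProxy), the following shell function works out the traffic shares described in the paragraph above from the five records, applying the two rules stated there: only the lowest priority that still has a live host is used, and within it load is split in proportion to weight. Hosts can be marked as down to see how the remaining relays and then the fallback priority take over. The five records are embedded as constructed input; the `dig`-based wrapper at the end assumes dnsutils is installed, everything else needs only awk.

```shell
#!/bin/sh
# Added example (not part of MediaProxy): compute each relay's share of the
# media traffic from a set of _mediaproxy._tcp SRV records.

# The five records from the example above, embedded as constructed input.
SRV_RECORDS='_mediaproxy._tcp.mydomain.com. IN SRV 0 25 25060 nat1.mydomain.com.
_mediaproxy._tcp.mydomain.com. IN SRV 0 25 25060 nat2.mydomain.com.
_mediaproxy._tcp.mydomain.com. IN SRV 0 50 25060 nat3.mydomain.com.
_mediaproxy._tcp.mydomain.com. IN SRV 10 50 25060 nat4.mydomain.com.
_mediaproxy._tcp.mydomain.com. IN SRV 10 50 25060 nat5.mydomain.com.'

# srv_shares RECORDS [DOWN...]: print "host share%" for every relay in the
# lowest priority that still has a live host, skipping hosts listed in DOWN
# (full names with the trailing dot, exactly as they appear in the records).
srv_shares() {
    records="$1"; shift
    printf '%s\n' "$records" | awk -v down="$*" '
        BEGIN { n = split(down, d, " "); for (i = 1; i <= n; i++) isdown[d[i]] = 1 }
        # fields: name IN SRV priority weight port target
        $3 == "SRV" && !($7 in isdown) {
            prio = $4 + 0; wt[$7] = $5 + 0; host[++cnt] = $7; p[$7] = prio
            if (!seen || prio < best) { best = prio; seen = 1 }
        }
        END {
            # total weight of the winning priority, then each host share of it
            for (i = 1; i <= cnt; i++) if (p[host[i]] == best) total += wt[host[i]]
            for (i = 1; i <= cnt; i++) if (p[host[i]] == best)
                printf "%s %d%%\n", host[i], (total ? 100 * wt[host[i]] / total : 0)
        }'
}

# srv_shares_for_domain DOMAIN: same calculation against the live zone, by
# turning `dig +short SRV` output ("prio weight port target.") back into the
# zone-file shape srv_shares expects. Requires dig (dnsutils).
srv_shares_for_domain() {
    name="_mediaproxy._tcp.$1."
    recs=$(dig +short SRV "$name" | awk -v n="$name" '{ print n, "IN SRV", $1, $2, $3, $4 }')
    srv_shares "$recs"
}

# Examples:
#   srv_shares "$SRV_RECORDS"                       # 25% / 25% / 50%
#   srv_shares "$SRV_RECORDS" nat1.mydomain.com.    # nat2 33%, nat3 66%
#   srv_shares "$SRV_RECORDS" nat1.mydomain.com. nat2.mydomain.com. nat3.mydomain.com.
```

The third call shows the fallback rule: with every priority-0 host removed, nat4 and nat5 each get 50%, exactly as the text describes. Note that a relay which is reachable but overloaded still counts as live here; the dispatcher's own health view is what decides at run time.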

# mkdir /etc/mediaproxy
# mkdir /etc/mediaproxy/tls
# cd /usr/local/src/mediaproxy

Download the tarball into this directory, then:
# tar xvfz mediaproxy-2.3.4.tar.gz
# cd mediaproxy-2.3.4
# ./setup.py build
# ./setup.py install

running install
running build
running build_py
running build_ext
running build_scripts
running install_lib
running install_scripts
changing mode of /usr/bin/media-dispatcher to 755
changing mode of /usr/bin/media-relay to 755
running install_egg_info
Removing /usr/lib/python2.5/site-packages/mediaproxy-2.3.4.egg-info
Writing /usr/lib/python2.5/site-packages/mediaproxy-2.3.4.egg-info

Enable IP forwarding by making changes in the /etc/sysctl.conf file...
To permanently enable IP forwarding:
# gedit /etc/sysctl.conf &
...

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# echo 1 > /proc/sys/net/ipv4/ip_forward
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1


+ Make the directory, copy the necessary files to the proper directories, and set up ownership:
$ mkdir /var/run/mediaproxy
$ cp config.ini.sample /etc/mediaproxy/config.ini
$ cp tls/* /etc/mediaproxy/tls/

Starting MediaProxy Dispatcher...
# ./media-dispatcher --no-fork
# ./media-dispatcher &


OpenSIPS+MediaProxy Integration:
# mkdir /var/run/mediaproxy
# gedit config.ini &

Make following changes in file...

[Relay]
dispatchers = mydomain.net:5060 _sip._udp.mydomain.net
port_range = 50000:60000
log_level = DEBUG
on_hold_timeout = 1800

[Dispatcher]
listen = 10.1.10.205:50000
management_use_tls = no
log_level = DEBUG
accounting = radius

[Radius]
; This section needs to be configured if radius accounting is enabled
; OpenSIPS RADIUS configuration file. All RADIUS configuration parameters will
; be read from this file, including dictionary files.
;
;config_file = /etc/opensips/radius/client.conf
config_file = /etc/freeradius/clients.conf

; Additional dictionary file with MediaProxy specific attributes.
;additional_dictionary = radius/dictionary
additional_dictionary = /etc/freeradius/dictionary

[OpenSIPS]
socket_path = '/var/run/opensips/socket'


Now edit opensips.cfg file to include MediaProxy...
#
# ----- nat_traversal
#**
loadmodule "nat_traversal.so"
#**
modparam("nat_traversal", "keepalive_interval", 90)
modparam("nat_traversal", "keepalive_method", "OPTIONS")
modparam("nat_traversal", "keepalive_from", "sip:keepalive@mydomain.com")


#
# --> nathelper
#**
loadmodule "nathelper.so"
#**
modparam("nathelper", "natping_interval", 60)
modparam("nathelper", "ping_nated_only", 1)
modparam("nathelper", "sipping_bflag", 7)
modparam("nathelper", "received_avp", "$avp(i:801)")
modparam("nathelper", "sipping_from", "sip:pinger@mydomain.com")

#
#**
loadmodule "mediaproxy.so"
#**
#--------------- Default Values
modparam("mediaproxy", "mediaproxy_socket", "/var/run/mediaproxy/dispatcher.sock")
modparam("mediaproxy", "mediaproxy_timeout", 500)
modparam("mediaproxy", "signaling_ip_avp", "$avp(s:nat_ip)")
modparam("mediaproxy", "media_relay_avp", "$avp(s:media_relay)")

#--------------- Main Routing Logic

#

RTPProxy 1.2.x Installation & Integration with OpenSIPS 1.5x

Before we start anything, we need to know where we stand. By knowing the current status, we can save ourselves a lot of headaches and time. Organization is the key to an efficient solution.

Let's first consider some questions about the server you have in place!!!

If you have a public IP address for your server then don't worry about these comments. If you don't, then you need a way for a dynamic IP (from your ISP) to be resolved. Register with http://www.dyndns.com/, which would allow your dynamic IP to be resolved. OpenSIPS has to be on a static IP so that you are listening on a specific address, but your domain name needs to resolve to your dynamic IP.

Step 01:
We will install the RTP proxy for audio devices, since softphones don't have media plug-ins; also, if you have a dynamic IP (from your ISP), install the DynDNS update client "ddclient" so the DNS entry is updated automatically when the IP address changes.

Link to ddclient installation instructions:
http://mexpolk.wordpress.com/2008/01/29/ubuntu-gutsy-dyndns-client-setup/

$ sudo apt-get install ssh libio-socket-ssl-perl
$ sudo apt-get install ddclient



Step 02:
@@@@ Server install RTPProxy 03/01/2009 @@@@
Configure Router for the Ports to be used by rtpproxy by opening them first (Read Consideration at the end of this article).

-- Use the dpkg command to list installed software: "dpkg --get-selections"

$ mkdir /backup
$ dpkg --get-selections > /backup/installed-software.log


Basic steps...

Code:
$ cd /usr/src
$ wget http://b2bua.org/chrome/site/rtpproxy-1.2.0.tar.gz
$ tar -xzvf rtpproxy-1.2.0.tar.gz

Change to the directory and install the program .
Code:
$ cd rtpproxy-1.2
$ ./configure
$ make
$ make install


Create a system user with no privileges and start the daemon:
Code:
$ adduser rtpproxy -d /home/rtpproxy -s /bin/false
$ rtpproxy -u rtpproxy

Now rtpproxy should be running and if you check in /var/run you should see rtpproxy.sock and rtpproxy.pid

Consideration:
Creating the user rtpproxy was not essential; you can run the daemon under whatever user you are logged in as by simply typing rtpproxy at the command line, but I read that it is safe practice to run the daemon under a non-privileged user. (Maybe someone can comment on the Linux user I added. I am not 100% sure about the security of a user added with no password, but the way I understand it the user cannot access the system until a password is created.)

By default rtpproxy uses UDP ports 35000-65000, and these should be opened on any firewalls in front of rtpproxy.

The Remote Control Mode can be activated by starting RTP Proxy with `-s' command line argument:

$ rtpproxy -s udp:address:port

Arguments: address is either the IPv4 or IPv6 local address at which commands should be accepted, or "*" if rtpproxy should accept commands on all local interfaces; port is the UDP port, and if omitted port 22222 is used.

If RTPproxy is already running, point nathelper at its control socket with the force_socket parameter as shown below:
modparam("nathelper", "force_socket", "udp:localhost:22222")

Running Manually:
$ rtpproxy -F -l your-public-ip -s udp:localhost:port-no

e.g. $ rtpproxy -F -l 127.0.0.1 -s udp:192.168.1.2:9000

If the above command is used to start rtpproxy, then change your opensips.cfg file like this...
modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:port-no")
modparam("nathelper", "force_socket", "udp:localhost:port-no")

The following are examples of starting manually with the user parameter...
$ rtpproxy -l 192.168.1.2 -s udp:127.0.0.1:50000 -u usrname &
OR
$ rtpproxy -s udp:127.0.0.1:50000 -f -u opensips -l 192.168.1.2 &


WARNING: the command protocol contains no security or authentication measures, so you should be using other means to secure RTP Proxy, such as a firewall or, even better, a VPN between the machine running RTP Proxy and the machine which runs the software that controls it.

I had OpenSIPS operating successfully before installing RTPProxy.

Check if the process is running with the following command...

Code:
# ps axw | /bin/egrep rtp
OR
# netstat -axep | grep rtpproxy


Sample config file for RTP proxy Integration with OpenSIPS 1.5.x
#
# $Id: nathelper.cfg 5875 2009-07-15 19:05:20Z bogdan_iancu $
#
# simple quick-start config script including nathelper support
# This default script includes nathelper support. To make it work
# you will also have to install Maxim's RTP proxy. The proxy is enforced
# if one of the parties is behind a NAT.
#
# If you have an endpoint in the public internet which is known to
# support symmetric RTP (Cisco PSTN gateway or voicemail, for example),
# then you don't have to force RTP proxy. If you don't want to enforce
# RTP proxy for some destinations then simply use t_relay() instead of
# route(1)
#
# Sections marked with !! Nathelper contain modifications for nathelper
#
# NOTE !! This config is EXPERIMENTAL !
#
# @@@ There are additional changes made by Rookie which are
# @@@ not functional yet. It's giving only one-way audio because
# @@@ RTP packets are being lost...
#
####
###
##
#
# -- Global Parameters
#
##
###
####
/* uncomment and configure the following line if you want opensips to
bind on a specific interface/port/proto (default bind on all available)
*/

children = 8
debug = 6 # debug level (cmd line: -dddddddddd)
fork = yes

group = "opensips"
user = "opensips"
/* uncomment the next line to disable TCP (default on) */
#disable_tcp=yes
disable_tcp = no

log_facility = LOG_LOCAL0 # LOG_DAEMON
log_stderror = yes # (cmd line: -E)
tcp_children = 6

check_via=no # (cmd. line: -v)
dns=no # (cmd. line: -r)
rev_dns=no # (cmd. line: -R)


/* uncomment the next line to enable the auto temporary blacklisting of
not available destinations (default disabled) */
#disable_dns_blacklist=no

/* uncomment the next line to enable IPv6 lookup after IPv4 dns
lookup failures (default disabled) */
#dns_try_ipv6=yes

/* uncomment the next line to disable the auto discovery of local aliases
based on reverse DNS on IPs (default on) */
#auto_aliases=no

/* uncomment the following lines to enable TLS support (default off) */
#disable_tls = no
#listen = tls:your_IP:5061
#tls_verify_server = 1
#tls_verify_client = 1
#tls_require_client_certificate = 0
#tls_method = TLSv1
#tls_certificate = "/usr/local/etc/opensips/tls/user/user-cert.pem"
#tls_private_key = "/usr/local/etc/opensips/tls/user/user-privkey.pem"
#tls_ca_list = "/usr/local/etc/opensips/tls/user/user-calist.pem"

port=5060

/* uncomment and configure the following line if you want opensips to
bind on a specific interface/port/proto (default bind on all available)
*/
listen=udp:mydomain.com:5060

#*** set module path
mpath="//lib64/opensips/modules/"


####
###
##
# Modules Section
# ```````````````
# Loading modules and
# Setting module-specific parameters
##
###
####


# Uncomment this if you want to use SQL database
loadmodule "db_mysql.so"

loadmodule "signaling.so"
loadmodule "sl.so"
loadmodule "tm.so"
loadmodule "rr.so"
loadmodule "maxfwd.so"
loadmodule "usrloc.so"
loadmodule "registrar.so"
loadmodule "textops.so"
loadmodule "mi_fifo.so"

# !! Nathelper
loadmodule "nathelper.so"

#
#***
#
loadmodule "uri_db.so"
loadmodule "uri.so"
loadmodule "xlog.so"
loadmodule "acc.so"
#
#**
#


# Uncomment this if you want digest authentication
# db_mysql.so must be loaded !
loadmodule "auth.so"
loadmodule "auth_db.so"

/* uncomment next line for aliases support
NOTE: a DB (like db_mysql) module must be also loaded */
loadmodule "alias_db.so"

/* uncomment next line for multi-domain support
NOTE: a DB (like db_mysql) module must be also loaded
NOTE: be sure and enable multi-domain support in all used modules
(see "multi-module params" section ) */
loadmodule "domain.so"

#
#**
#
loadmodule "dialog.so"
loadmodule "avpops.so"

#loadmodule "drouting.so"
#loadmodule "nat_traversal.so"
#loadmodule "mediaproxy.so"
#
#**
#

/* uncomment the next two lines for presence server support
NOTE: a DB (like db_mysql) module must be also loaded */
#loadmodule "presence.so"
#loadmodule "presence_xml.so"


####
###
##
# ----------------- setting module-specific parameters ---------------
##
###
####

# ----- mi_fifo params -----
modparam("mi_fifo", "fifo_name", "/tmp/opensips_fifo")

#**
modparam("mi_fifo", "fifo_mode", 0660)
modparam("mi_fifo", "fifo_group", "opensips")
modparam("mi_fifo", "fifo_user", "opensips")
modparam("mi_fifo", "reply_dir", "/tmp/")
modparam("mi_fifo", "reply_indent", "\t")


# ----- registrar params -----
modparam("registrar", "method_filtering", 1)

/* uncomment the next line to disable parallel forking via location */
# modparam("registrar", "append_branches", 0)
/* uncomment the next line not to allow more than 10 contacts per AOR */
#modparam("registrar", "max_contacts", 10)

# -- usrloc params --
#modparam("usrloc", "db_mode", 0)
# Uncomment this if you want to use SQL database
# for persistent storage and comment the previous line
modparam("usrloc", "db_mode", 2)
modparam("usrloc", "db_url",
"mysql://opensips:opensipsrw@localhost/opensips")

modparam("usrloc", "user_column", "username")
modparam("usrloc", "domain_column", "domain")
modparam("usrloc", "contact_column", "contact")
modparam("usrloc", "expires_column", "expires")
modparam("usrloc", "q_column", "q")
modparam("usrloc", "callid_column", "callid")
modparam("usrloc", "cseq_column", "cseq")
modparam("usrloc", "methods_column", "methods")
modparam("usrloc", "flags_column", "flags")
modparam("usrloc", "user_agent_column", "user_agent")
modparam("usrloc", "received_column", "received")
modparam("usrloc", "socket_column", "socket")
modparam("usrloc", "use_domain", 0)
modparam("usrloc", "desc_time_order", 0)
modparam("usrloc", "timer_interval", 60)
modparam("usrloc", "matching_mode", 0)

# ----- uri_db params -----
/* by default we disable the DB support in the module as we do not need it
in this configuration */
modparam("uri_db", "use_uri_table", 0)
modparam("uri_db", "db_url", "")


# -- auth db params --
# Uncomment if you are using auth module
modparam("auth_db", "calculate_ha1", yes)

#
# If you set "calculate_ha1" parameter to yes (which true in this config),
# uncomment also the following parameter)
modparam("auth_db", "password_column", "password")
modparam("auth_db", "db_url",
"mysql://opensips:opensipsrw@localhost/opensips")
modparam("auth_db", "load_credentials", "")


# ----- rr params -----
# add value to ;lr param to cope with most of the UAs
modparam("rr", "enable_full_lr", 1)
# do not append from tag to the RR (no need for this script)
modparam("rr", "append_fromtag", 0)

#
# !! Nathelper
#
modparam("usrloc", "nat_bflag", 6)
modparam("nathelper", "ping_nated_only", 1) # Ping only clients behind NAT
modparam("nathelper", "sipping_bflag", 8)
modparam("nathelper", "received_avp", "$avp(i:801)")

# RTPProxy setup
modparam("nathelper", "rtpproxy_sock", "udp:127.0.0.1:50100")
modparam("nathelper", "force_socket", "udp:localhost:50100")


# ----- acc params -----
/* what special events should be accounted ? */
modparam("acc", "early_media", 1)
modparam("acc", "report_ack", 1)
modparam("acc", "report_cancels", 1)

/* by default we do not adjust the direction of the sequential requests.
if you enable this parameter, be sure to enable "append_fromtag"
in "rr" module */
modparam("acc", "detect_direction", 0)

/* account triggers (flags) */
modparam("acc", "failed_transaction_flag", 3)
modparam("acc", "log_flag", 1)
modparam("acc", "log_missed_flag", 2)

/* uncomment the following lines to enable DB accounting also */
modparam("acc", "db_flag", 1)
modparam("acc", "db_missed_flag", 2)


#
# ----- multi-module params -----
/* uncomment the following line if you want to enable multi-domain support in the modules (default off) */
#modparam("alias_db|auth_db|usrloc|uri_db", "use_domain", 1)

# ----- alias_db params -----
/* uncomment the following lines if you want to enable the DB based
aliases */
modparam("alias_db", "db_url",
"mysql://opensips:opensipsrw@localhost/opensips")


# ----- domain params -----
/* uncomment the following lines to enable multi-domain detection support */
modparam("domain", "db_url",
"mysql://opensips:opensipsrw@localhost/opensips")
modparam("domain", "db_mode", 1) # Use caching

#**
modparam("domain", "domain_table", "domain")
modparam("domain", "domain_col", "domain")

#
# ------- dialog --------
#**
modparam("dialog", "db_mode", 1)
modparam("dialog", "db_update_period", 30)
modparam("dialog", "dlg_flag", 4)
modparam("dialog", "dlg_match_mode", 1)

#
# --> avpops params -----
#**
modparam("avpops", "avp_table", "usr_preferences")
modparam("avpops", "use_domain", 1)


# ************
# ----- presence params -----
/* uncomment the following lines if you want to enable presence */
#modparam("presence|presence_xml", "db_url",
# "mysql://opensips:opensipsrw@localhost/opensips")
#modparam("presence_xml", "force_active", 1)
#modparam("presence", "server_address", "sip:192.168.1.2:5060")


#*** MySQL DB ***
modparam("dialog|avpops|uri_db", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")


###
##
# -- MAIN request routing logic
##
###


route{
#
# -- 1 -- Request Validation
#
xlog("L_INFO", "New request - Request/failure/branch routes: M=$rm RURI=$ru F=$fu T=$tu IP=$si ID=$ci\n");

# initial sanity checks -- messages with
# max_forwards==0, or excessively long requests
if (!mf_process_maxfwd_header("10")) {
sl_send_reply("483","Too Many Hops...");
exit;
};
if (msg:len >= 2048 ) {
sl_send_reply("513", "Message too big...");
exit;
};

#
# -- 2 -- Routing Preprocessing
#
xlog("L_INFO", "MsgFlag:[$mf] \n");

# Some systems (like Asterisk) use OPTIONS as a kind of "ping", so we
# answer it with 200 OK.
if (method == "OPTIONS") {
sl_send_reply("200", "OK");
return;
};


# !! Nathelper
# Special handling for NATed clients; first, NAT test is
# executed: it looks for via!=received and RFC1918 addresses
# in Contact (may fail if line-folding is used); also,
# the received test should, if completed, check all
# vias for presence of received
if (nat_uac_test("3")) {
# Allow RR-ed requests, as these may indicate that
# a NAT-enabled proxy takes care of it; unless it is
# a REGISTER

if (is_method("REGISTER") || !is_present_hf("Record-Route")) {
log("LOG:Someone trying to register from private IP, rewriting\n");
# This will work only for user agents that support symmetric
# communication. We tested quite many of them and majority is
# smart enough to be symmetric. In some phones it takes a
# configuration option. With Cisco 7960, it is called
# NAT_Enable=Yes, with kphone it is called "symmetric media" and
# "symmetric signalling".

# Rewrite contact with source IP of signalling
fix_nated_contact();
if ( is_method("INVITE") ) {
fix_nated_sdp("1"); # Add direction=active to SDP
};
force_rport(); # Add rport parameter to topmost Via
setbflag(6); # Mark as NATed

# if you want sip nat pinging
setbflag(8);
};
};

# subsequent messages within a dialog should take the
# path determined by record-routing
if (loose_route()) {
# mark routing logic in request
append_hf("P-hint: rr-enforced\r\n");
route(1);
exit;
};

# we record-route all messages -- to make sure that
# subsequent messages will go through our proxy; that's
# particularly good if upstream and downstream entities
# use different transport protocol
if (!is_method("REGISTER"))
record_route();

if (!uri==myself) {
# mark routing logic in request
append_hf("P-hint: outbound\r\n");
route(1);
exit;
};

# if the request is for other domain use UsrLoc
# (in case, it does not work, use the following command
# with proper names and addresses in it)
if (uri==myself) {

if (is_method("REGISTER")) {

# Uncomment this if you want to use digest authentication
#if (!www_authorize("siphub.org", "subscriber")) {
# www_challenge("siphub.org", "0");
# return;
#};

save("location");
exit;
};

lookup("aliases");
if (!uri==myself) {
append_hf("P-hint: outbound alias\r\n");
route(1);
exit;
};

# native SIP destinations are handled using our USRLOC DB
if (!lookup("location")) {
sl_send_reply("404", "Not Found");
exit;
};
};
append_hf("P-hint: usrloc applied\r\n");
route(1);
}

route[1]
{
# !! Nathelper
if (uri=~"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)" && !search("^Route:")){
sl_send_reply("479", "We don't forward to private IP addresses");
exit;
};

# if client or server is known to be behind a NAT, enable relay
if (isbflagset(6)) {
force_rtp_proxy();
};

# NAT processing of replies; apply to all transactions (for example,
# re-INVITEs from public to private UA are hard to identify as
# NATed at the moment of request processing); look at replies
t_on_reply("1");

# send it out now; use stateful forwarding as it works reliably
# even for UDP2TCP
if (!t_relay()) {
sl_reply_error();
};
}

# !! Nathelper
onreply_route[1] {
# NATed transaction ?
if (isbflagset(6) && status =~ "(183)|2[0-9][0-9]") {
fix_nated_contact();
force_rtp_proxy();
# otherwise, is it a transaction behind a NAT and we did not
# know at time of request processing ? (RFC1918 contacts)
} else if (nat_uac_test("1")) {
fix_nated_contact();
};
}
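The NAT decisions in the script above hinge on two tests: nat_uac_test("3") in the main route (RFC1918 address in Contact, or a topmost Via that does not match the packet's source address) and the private-IP Request-URI check in route[1]. The following Python is an added example, not part of the original post or of OpenSIPS, that applies both tests to constructed SIP messages so you can see which flags a given request would raise; the sample addresses and Call-IDs are made up.

```python
import ipaddress
import re

# RFC 1918 ranges: the same networks nathelper's RFC1918 tests look for
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The route[1] pattern from the config, with its '|' alternations restored
PRIVATE_RURI_RE = re.compile(r"[@:](192\.168\.|10\.|172\.(1[6-9]|2[0-9]|3[0-1])\.)")


def is_rfc1918(host):
    """True if host is a literal IPv4 address inside a private range."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:          # a hostname, not an address literal
        return False
    return any(ip in net for net in PRIVATE_NETS)


def parse_sip(raw):
    """Split a SIP request into (request-line, {lowercased header: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def contact_host(contact):
    """Host part of a Contact URI such as <sip:1001@192.168.1.20:5060>."""
    m = re.search(r"sips?:(?:[^@>;]*@)?\[?([^\]:;>]+)", contact)
    return m.group(1) if m else ""


def via_host(via):
    """sent-by host of a Via such as SIP/2.0/UDP 192.168.1.20:5060;branch=..."""
    m = re.match(r"SIP/2\.0/\w+\s+\[?([^\]:;\s]+)", via)
    return m.group(1) if m else ""


def nat_uac_test(raw, src_ip):
    """Bitmask in the spirit of nathelper's nat_uac_test: 1 = Contact holds an
    RFC1918 address, 2 = topmost Via host differs from the packet's source IP.
    nat_uac_test("3") in the config is the OR of these two tests."""
    _, hdrs = parse_sip(raw)
    flags = 0
    if any(is_rfc1918(contact_host(c)) for c in hdrs.get("contact", [])):
        flags |= 1
    vias = hdrs.get("via", [])
    if vias and via_host(vias[0]) != src_ip:
        flags |= 2
    return flags


def would_reject_private_ruri(raw):
    """True when route[1] would answer 479: private IP in the R-URI, no Route header."""
    request_line, hdrs = parse_sip(raw)
    ruri = request_line.split(" ")[1]
    return bool(PRIVATE_RURI_RE.search(ruri)) and "route" not in hdrs


# Constructed sample: a REGISTER from a NATed X-Lite, seen by the proxy from 203.0.113.5
NATED_REGISTER = (
    "REGISTER sip:mydomain.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-example\r\n"
    "From: <sip:1001@mydomain.com>;tag=1\r\nTo: <sip:1001@mydomain.com>\r\n"
    "Call-ID: example-call-1\r\nCSeq: 1 REGISTER\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\nContent-Length: 0\r\n\r\n"
)
# Constructed sample: a public UA whose Via matches the address it sends from
PUBLIC_INVITE = (
    "INVITE sip:1002@mydomain.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK-example2\r\n"
    "From: <sip:1003@mydomain.com>;tag=2\r\nTo: <sip:1002@mydomain.com>\r\n"
    "Call-ID: example-call-2\r\nCSeq: 1 INVITE\r\n"
    "Contact: <sip:1003@198.51.100.7:5060>\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("NATed REGISTER flags:", nat_uac_test(NATED_REGISTER, "203.0.113.5"))
    print("public INVITE flags:", nat_uac_test(PUBLIC_INVITE, "198.51.100.7"))
```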

Wednesday, April 15, 2009

OpenSIPS+MySQL+FreeRADIUS integration and installation/configuration

I'm no expert but a humble student, so please feel free to contribute your expert advice and shortcuts; maybe we all grow in the process!!!

Objectives:

1. Package/Dependencies Installation
2. Database MySQL 5.0.51a Configuration
3. FreeRADIUS 2.1.4 Configuration
4. Radiusclient-ng Installation
5. OpenSIPS 1.5.1 Configuration

Package/Dependencies Installation:

Steps In Building Ubuntu Server 8.04.2 (hardy) packages
Double check dependencies and packages on the following:
official site link

a) Install dependencies:
apt-get install autotools-dev
apt-get install debhelper
apt-get install libgdbm-dev
apt-get install libiodbc2-dev
apt-get install libkrb5-dev
apt-get install libldap2-dev
apt-get install libltdl3-dev
apt-get install libmysqlclient15-dev
apt-get install libpam0g-dev
apt-get install libpcap-dev
apt-get install libperl-dev
apt-get install libpq-dev
apt-get install libsasl2-dev
apt-get install libsnmp-dev
apt-get install libtool
apt-get install python-dev

b) Download the source of latest FreeRADIUS version :
c) Extract files in /usr/src directory.
d) switch to newly extracted directory:

Before running the following commands you must have these files in the directory you issue them from:
freeradius_2.1.4-0.dsc
freeradius_2.1.4-0.tar.gz
freeradius-server-2.1.4.tar.gz
freeradius-server-2.1.4.tar.gz.sig

##... freeradius_2.1.4-0.dsc file's contents as follows:
Format: 1.0
Source: freeradius
Binary: freeradius, freeradius-krb5, freeradius-ldap, freeradius-postgresql, freeradius-mysql, freeradius-iodbc, freeradius-dialupadmin, freeradius-dbg
Architecture: any
Version: 2.1.4-0
Maintainer: Nicolas Baradakis
Standards-Version: 3.7.3.0
Build-Depends: autotools-dev, debhelper (>= 5), dpatch (>= 2), dpkg-dev (>= 1.13.19), libgdbm-dev, libiodbc2-dev, libkrb5-dev, libldap2-dev, libltdl3-dev, libmysqlclient15-dev | libmysqlclient-dev, libpam0g-dev, libpcap-dev, libperl-dev, libpq-dev, libsasl2-dev, libsnmp9-dev | libsnmp-dev, libssl-dev, libtool (>= 1.5), python-dev, snmp
Files:
42c7d892e1f2f0dfe531ed2ba7f64f1d 3762749 freeradius_2.1.4-0.tar.gz
##...

$ dpkg-source -x *.dsc
$ cd freeradius-2.1.4/

There are some changes that must be made in order to successfully build the package. Make the changes in the "debian/rules" file as follows:

$ vi debian/rules

From:
confflags += --without-openssl --without-rlm_eap_peap --without-rlm_eap_tls --without-rlm_eap_ttls --without-rlm_otp

To:
confflags += --with-openssl --with-rlm_eap_peap --with-rlm_eap_tls --with-rlm_eap_ttls --with-rlm_otp

e) Comment out or delete the following lines from the file:

# if dh_shlibdeps -p $$pkg -- -O | grep -q libssl; then \
# echo "$$pkg links to openssl" ; \
# exit 1 ;
# fi ;
# done

Installing the binary packages
It's best to build FreeRADIUS packages using dpkg-buildpackage (installing directly from source confuses dpkg about the files installed on the system, and it's not possible to uninstall the files later). If you don't have the following packages installed, use aptitude to install them!!!

(snmp , dpatch, build-essential)

$ aptitude install dpkg-dev
$ aptitude install libssl-dev
$ aptitude install fakeroot

f) Now execute the following command to build binaries:

# fakeroot dpkg-buildpackage -b -uc

Got too many warnings/errors, the output is at the following link:
ERRORS LOG


OR alternatively type the following on command prompt:
$ dpkg-buildpackage -rfakeroot
$
$ radiusd -X
Exec-Program: returned: 1
rlm_eap: Failed to initialize type tls
/usr/local/etc/raddb/eap.conf[17]: Instantiation failed for module "eap"
/usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.
}
}
Errors initializing modules

g) Last but not least, you will see the .deb files in the extract directory; install them one by one or all together:

$ sudo dpkg -i ../freeradius_*.deb
gpg: skipped "Alan DeKok ": secret key not available
gpg: [stdin]: clearsign failed: secret key not available
dpkg-genchanges >../freeradius_2.1.4-0_amd64.changes
dpkg-genchanges: including full source code in upload
dpkg-buildpackage: full upload; Debian-native package (full source is included)
dpkg-buildpackage: warning: Failed to sign .dsc and .changes file


Critical: create this directory if it doesn't exist:
$ mkdir /var/run/radiusd

Alternative ways of Building Ubuntu packages

- Using synaptic:
$ synaptic

select the following packages:
x freeradius
x freeradius-dbg
x freeradius-dialupadmin
x freeradius-ldap
x freeradius-mysql
(It didn't work, so i moved to plan b)
- Building from source:
bash$ tar zxvf freeradius-[version].tar.gz

bash$ ./configure
bash$ make
bash$ su - root
bash# make install
bash# radiusd -X

/usr/local/etc/raddb/eap.conf[17]: Failed to link to module 'rlm_eap': libfreeradius-eap-2.1.5.so: cannot open shared object file: No such file or directory
/usr/local/etc/raddb/sites-enabled/inner-tunnel[223]: Failed to find module "eap".
/usr/local/etc/raddb/sites-enabled/inner-tunnel[176]: Errors parsing authenticate section.


Database MySQL Configuration:

Configuring the FreeRADIUS with MySQL

First the MySQL bits (creating the db & its admin user).
Do the following from your shell.

On the MySQL shell type the following:
CREATE DATABASE radius;
GRANT ALL ON radius.* TO radius@localhost IDENTIFIED BY "radpass";
exit;

In my case only:
$ mysqladmin -u root -p create radius
$ cd /usr/share/doc/freeradius/examples
$ gunzip mysql.sql.gz
$ mysql -u root -p radius < mysql.sql
$ mysql -u root -p radius
mysql> show databases;

+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| opensips           |
| radius             |
+--------------------+
4 rows in set (0.00 sec)

mysql> use radius;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
+------------------+
| Tables_in_radius |
+------------------+
| nas              |
| radacct          |
| radcheck         |
| radgroupcheck    |
| radgroupreply    |
| radippool        |
| radpostauth      |
| radreply         |
| usergroup        |
+------------------+
9 rows in set (0.00 sec)

mysql> \q
Bye

cp sql.conf /etc/freeradius/
cd /etc/freeradius/

Now edit your /etc/freeradius/sql.conf
#
# Configuration for the Freeradius SQL module using MySQL database and a
# central radacct table. To use monthly tables with auto-rotation see
# radius_accounting.conf and radius_accounting.proc
#
sql {
driver = "rlm_sql_mysql"
server = "127.0.0.1"
login = "root"
password = "secretpwd"
radius_db = "radius"
acct_table = "radacct"
sqltrace = no
sqltracefile = ${logdir}/sqltrace-%Y%m%d.log
num_sql_socks = 25
connect_failure_retry_delay = 60

Reset the user/password/database parameters to reflect the changes (eg. radius/radpass/radius); to turn the NAS management from MySQL, search for the line...


Configuring FreeRADIUS Server:

Configuring FR servers and clients. The OpenSIPS server is the client of the RADIUS server; it uses libradiusclient-ng to connect to the FR server.

i) Add OpenSIPS as FR Client:
First we define the devices (remote access gateways, 802.1x switches, access points) that will send the authentication and accounting packets to the FR server. I am making the SIP proxy server the FR client, which will be sending accounting requests. The files that are going to be updated are as follows:

/etc/freeradius/clients.conf
/etc/freeradius/dictionary.conf
/etc/freeradius/radiusd.conf
/etc/freeradius/sql.conf
/etc/freeradius/sites-available/default.conf

- Edit the /etc/freeradius/clients.conf first.
Make the following changes in this section:
client localhost {
....
# # secret and password are mapped through the "secrets" file.
secret = opensips
shortname = OpenSIPS
# # the following three fields are optional, but may be used by
# # checkrad.pl for simultaneous usage checks
nastype = other
....
....
}

- Enable MySQL accounting in FR by editing the config file
$ vi /etc/freeradius/radiusd.conf
Make the following changes in these sections:

security {
....
....
# PROXY CONFIGURATION
#

##?? $INCLUDE proxy.conf
$INCLUDE ${confdir}/proxy.conf

##?? $INCLUDE clients.conf
$INCLUDE ${confdir}/clients.conf
....
....
}

# MODULE CONFIGURATION
#
# The names and configuration of each module is located in this section.
#
# After the modules are defined here, they may be referred to by name,
# in other sections of this configuration file.
#
modules {
...
$INCLUDE sql.conf
...
}

+ Edit /etc/freeradius/sites-available/default
Uncomment/add the lines for auth_log, digest, sql, and ldap in the accounting section.
accounting {
...
...
#???
acct_unique

#
# If you want to have a log of authentication requests,
# un-comment the following line, and the 'detail auth_log'
# section, above.
auth_log

#
# Create a 'detail'ed log of the packets.
# Note that accounting requests which are proxied
# are also logged in the detail file.
detail

#
# If you have a Cisco SIP server authenticating against
# FreeRADIUS, uncomment the following line, and the 'digest'
# line in the 'authenticate' section.
digest

#
# Look in an SQL database. The schema of the database
# is meant to mirror the "users" file.
#
# See "Authorization Queries" in sql.conf
sql

#
# The ldap module will set Auth-Type to LDAP if it has not
# already been set
ldap
...
...
}

+ Copy the OpenSIPS dictionary to /etc/freeradius
$ cp /usr/local/share/freeradius/dictionary.openser /etc/freeradius

+ Include the OpenSIPS in the RADIUS server configuration file as follows:
vi /etc/freeradius/dictionary

+ Add this line in /etc/freeradius/dictionary ...
$INCLUDE /etc/freeradius/dictionary.openser

+ Make directory and setup ownership:
$ mkdir /var/run/freeradius
$ chown freerad:freerad /var/run/freeradius/*
$ chown freerad:freerad /var/run/freeradius

+ Restart the FR server:
$ /etc/init.d/freeradius stop
$ freeradius -X
...
...

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/freeradius/freeradius.sock
Listening on proxy address * port 1814
Ready to process requests.


Radiusclient-ng
ii) Configure the RADIUS Client (radiusclient-ng):

Download tar file radiusclient-ng-0.5.6.tar.gz from official site
# tar zxvf radiusclient-ng-0.5.6.tar.gz
# cd radiusclient-ng-0.5.6

Above process failed since it couldn't find /debian/changelog

Thus I followed the following steps:

The radiusclient-ng must be compiled manually, as it is not included in the Debian distribution. Here I used the version 0.5.6

1. Checkout from berlios CVS (hit ENTER when asked for the password):

$ cd /usr/local/src
$ mkdir radiusclient-ng
$ cd radiusclient-ng
$ cvs -d:pserver:anonymous@cvs.radiusclient-ng.berlios.de:/cvsroot/radiusclient-ng login
$ cvs -z3 -d:pserver:anonymous@cvs.radiusclient-ng.berlios.de:/cvsroot/radiusclient-ng co -r RELENG_0_5_6 radiusclient-ng
$ mv radiusclient-ng radiusclient-ng-5.6
$ cd radiusclient-ng-5.6

Note: change the RELENG value to the release version you want to check out, and make the appropriate alterations to the following sections

Note: cvs often makes problems when you are behind a firewall which blocks cvs (port 2401). To test if you can reach the CVS server try with telnet: “telnet cvs.radiusclient-ng.berlios.de 2401”

2. correct version labeling

We edit the debian/changelog file to have debian packages with the correct version number: change “radiusclient-ng (0.5.0) unstable; urgency=low” to “radiusclient-ng (0.5.6) unstable; urgency=low”

3. build the Debian packages
$ dpkg-buildpackage -rfakeroot -tc


****** I got stuck at this point when I couldn't go any further, so I
went to the following link and downloaded libradiusclient-ng-dev

http://packages.ubuntu.com/hardy/amd64/libradiusclient-ng-dev/download
Used the pkg installer to install and tried to install again

$ dpkg-buildpackage -rfakeroot -tc

I only got a warning but it didn't complain about .so like before.
Next I followed the following steps:

4. install the packages

$ cd ..
$ su (if you are not super user)
$ dpkg -i libradius-ng-dev_0.5.6_amd64.deb libradius-ng_0.5.6_amd64.deb \
    radiusclient-ng_0.5.6_amd64.deb
$ exit

NOW I got the following errors:
(Reading database ... 118048 files and directories currently installed.)
Unpacking libradius-ng-dev (from libradius-ng-dev_0.5.6_amd64.deb) ...
dpkg: error processing libradius-ng-dev_0.5.6_amd64.deb (--install):
trying to overwrite `/usr/include/radiusclient-ng.h', which is also
in package libradiusclient-ng-dev
Selecting previously deselected package libradius-ng.
Unpacking libradius-ng (from libradius-ng_0.5.6_amd64.deb) ...
dpkg: error processing libradius-ng_0.5.6_amd64.deb (--install):
trying to overwrite `/usr/lib/libradiusclient-ng.so.2.0.0', which is
also in package libradiusclient-ng2
Selecting previously deselected package radiusclient-ng.
Unpacking radiusclient-ng (from radiusclient-ng_0.5.6_amd64.deb) ...
dpkg: dependency problems prevent configuration of radiusclient-ng:
radiusclient-ng depends on libradius-ng; however:
Package libradius-ng is not installed.
dpkg: error processing radiusclient-ng (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
libradius-ng-dev_0.5.6_amd64.deb
libradius-ng_0.5.6_amd64.deb
radiusclient-ng

The following is the list of files that should have been in place, and their datestamps should have been current, but they show older dates; it was bizarre behavior.

/usr/include/radiusclient-ng.h
/usr/lib/libradiusclient-ng.a
/usr/lib/libradiusclient-ng.la
/usr/lib/libradiusclient-ng.so
/usr/share/doc/libradiusclient-ng-dev/BUGS
/usr/share/doc/libradiusclient-ng-dev/CHANGES.gz
/usr/share/doc/libradiusclient-ng-dev/README
/usr/share/doc/libradiusclient-ng-dev/README.Debian
/usr/share/doc/libradiusclient-ng-dev/README.radexample
/usr/share/doc/libradiusclient-ng-dev/changelog.Debian.gz
/usr/share/doc/libradiusclient-ng-dev/changelog.gz
/usr/share/doc/libradiusclient-ng-dev/copyright

*** ***
Somehow I got messed up with an older version of radiusclient-ng, and those older files were causing the conflict, so I had to remove all the .a and .la files and move the .h files. Even all this didn't work: it complains about files that I have moved to the tmp directory, but it says they are there even though they are not grrrrrrrr :#

Mike, my mentor, my teacher, and my colleague, stepped in on my request; fixed the problem magically (trade secret) and finally installed the package manually using ./configure, make, and make install :~{

Thanks a bunch Mike Spice, you are the greatest :)

Let's move on to my objective completion phases ;)

iii) Copy and edit the file
... (/etc/radiusclient-ng/dictionary):

$ cp /home/wiz/Documents/RadiusCDRTool/radiusclient-ng/dictionary.radius /etc/radiusclient-ng/dictionary.radius
$ vi /etc/radiusclient-ng/dictionary

Add the following lines at the end of the file:
#***
# The file name given here should be an absolute path.
#***
$INCLUDE /etc/freeradius/dictionary.openser

iv) Edit the file (/etc/radiusclient-ng/servers):
Add the following line at the end of the file...

127.0.0.1 opensips

Now the file should look like this:
#Server Name or Client/Server pair        Key
#----------------                         ---------------
#portmaster.elemental.net                 hardlyasecret
#portmaster2.elemental.net                donttellanyone
127.0.0.1                                 opensips

v) Edit the file (/etc/radiusclient-ng/radiusclient.conf):
Make the following changes by adding the IP address of the RADIUS server:

# RADIUS server to use for accouting requests. All that I
# said for authserver applies, too.
#
#acctserver localhost
acctserver 127.0.0.1
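The only thing protecting the accounting traffic between OpenSIPS (via radiusclient-ng) and FreeRADIUS is the shared secret configured on both sides: "opensips" in clients.conf above and in the radiusclient-ng servers file. The following Python is an added example, not code from the original post, OpenSIPS or FreeRADIUS, that builds an Accounting-Request the way RFC 2866 defines it and shows how each side checks the other's authenticator with that secret; attribute values and the Call-ID are constructed, and the secret used is the one from the files above.

```python
import hashlib
import hmac
import socket
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)
USER_NAME, NAS_IP_ADDRESS, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 4, 40, 44

# The client/secret pair from clients.conf and the servers file above
SHARED_SECRET = b"opensips"


def encode_attr(atype, value):
    """One attribute as Type(1) Length(1) Value; ints become 32-bit big-endian."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    elif isinstance(value, str):
        value = value.encode()
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return bytes([atype, len(value) + 2]) + value


def decode_attrs(body):
    """Return [(type, raw value)], or raise if a length field does not fit."""
    out, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated attribute header")
        atype, alen = body[i], body[i + 1]
        if alen < 2 or i + alen > len(body):
            raise ValueError("bad attribute length")
        out.append((atype, body[i + 2:i + alen]))
        i += alen
    return out


def build_acct_request(identifier, attrs, secret):
    """Accounting-Request (RFC 2866 s.3): Request Authenticator =
    MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    head = struct.pack(">BBH", ACCT_REQUEST, identifier, HEADER_LEN + len(body))
    auth = hashlib.md5(head + bytes(16) + body + secret).digest()
    return head + auth + body


def verify_acct_request(packet, secret):
    """Server side (FreeRADIUS with the secret from clients.conf): recompute the
    Request Authenticator; a mismatch means wrong secret or a modified packet."""
    if len(packet) < HEADER_LEN:
        return False
    code, _, length = struct.unpack(">BBH", packet[:4])
    if code != ACCT_REQUEST or length != len(packet):
        return False
    try:
        decode_attrs(packet[HEADER_LEN:])
    except ValueError:
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def build_acct_response(request, secret):
    """Accounting-Response: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here."""
    head = struct.pack(">BBH", ACCT_RESPONSE, request[1], HEADER_LEN)
    return head + hashlib.md5(head + request[4:HEADER_LEN] + secret).digest()


def verify_acct_response(request, response, secret):
    """Client side (radiusclient-ng with the key from its servers file)."""
    if len(response) < HEADER_LEN or response[0] != ACCT_RESPONSE:
        return False
    if response[1] != request[1]:            # identifier must echo the request
        return False
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN]
                           + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(response[4:HEADER_LEN], expected)


# Constructed Start record for a SIP call, in the shape OpenSIPS acc would send
SAMPLE_ATTRS = [
    (USER_NAME, "1001"),
    (NAS_IP_ADDRESS, socket.inet_aton("127.0.0.1")),
    (ACCT_STATUS_TYPE, 1),                 # 1 = Start
    (ACCT_SESSION_ID, "example-call-1"),   # the SIP Call-ID
]

if __name__ == "__main__":
    req = build_acct_request(7, SAMPLE_ATTRS, SHARED_SECRET)
    print("server accepts:", verify_acct_request(req, SHARED_SECRET))
    print("wrong secret accepted:", verify_acct_request(req, b"secret"))
```

A secret that mismatches on either side shows up exactly as the second check: the server silently drops the request, and OpenSIPS keeps retrying until radiusclient-ng gives up.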


Configure OpenSIPS:
The "acc" module has support for RADIUS, but it's not enabled, so the opensips.cfg file needs additional script to enable RADIUS support.

a) Re-compile OpenSIPS first to start the integration process:

I figured it's a good time to break my OpenSIPS 1.5.0 and install 1.5.1; it would resolve some of the issues I'm having.

Buckle-up...






Sunday, December 7, 2008

OpenSIPS NAT Traversal Troubleshooting

OpenSIPS, Asterisk, FreeRADIUS, RTPProxy, RTPProxy/Mediaproxy, CDRTools.

Objectives:

I am trying to achieve the following:

  • I have 3 UAC within network and another 20 agents are registered to the OpenSIPS (X-Lite users) outside network.
  • Most of the users are behind NAT.
  • When these X-Lite users dial a SIP ID from their soft phone / ATA / UAC (they should use the user ID as a prefix), it should go to a SIP server supplied by us (SIP INVITE). Later we would like to add a PSTN GW too, so provision has to be in the configuration but commented out for the time being.
  • Calls made through a UA/UAC/ATA configured with a DID go to the SIP server, should go to the user behind NAT configured for that DID, and then it should receive/send calls to a PSTN gw (a registered user is able to make calls to DIDs or registered SIP users, no unauthorized SIP forwarding).
  • Asterisk is used for monitoring and voice mail; the agent's caller ID should be changed to the DID number. If anyone calls, we should be able to see their DID/User ID as the caller's number/name. It should be changed via OpenSIPS, not via Asterisk.
  • I would like to authenticate all users and do load balancing via FreeRADIUS.

Currently I can make successful calls within the network, and UACs register from outside the network, but I'm getting one-way sound...

Problem:

I am having trouble configuring the NAT traversal part; FreeRADIUS is not installed or included in the configuration, and the Asterisk part is not configured or checked either. Since I'm stuck on NAT traversal, the above-mentioned software is not yet added to the configuration, but it still needs to be configured.