On my previous blog I discussed how to install and set up OpenVPN. Now we will take a look at how we can use the VPN to
connect Asterisk servers via IAX2.
1. Assuming this scenario
The OpenVPN server(Asterisk A) is at 10.8.0.1
The OpenVPN client(Asterisk B) is at 10.8.0.10
(At server B)
Add an entry to iax.conf like this:
[MdPhone2]
type=friend
auth=plaintext
username=MdPhil2
secret=md2004
context=incoming
canreinvite=yes
host=10.8.0.1
disallow=all
allow=ulaw
jitterbuffer=yes
(At server A)
[MdPhil2]
type=friend
auth=plaintext
username=MdPhone2
secret=md2004
context=MDI-Phones
canreinvite=no
host=10.8.0.10
disallow=all
allow=ulaw
qualify=4000
2. Next add this on your dialplan route
(At server B)
exten => _1XX,1,Answer()
exten => _1XX,2,Dial(IAX2/MdPhil2@MdPhone2/${EXTEN}@MDI-Phones)
exten => _1XX,3,Hangup
(At server A)
exten => _1XX,1,Answer()
exten => _1XX,2,Dial(IAX2/MdPhone2@MdPhil2/${EXTEN}@incoming,90,t)
exten => _1XX,3,Hangup
3. Go to the asterisk console
/usr/sbin/asterisk -r
Issue command:
iax2 reload
dialplan reload
And you are done. You now have Asterisk with an IAX2 connection via VPN.
Hope you find this useful. Thanks, Cheers and God Bless!!!
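A quick check for the peer definitions above, as an added example that is not part of the original post: it reports any iax.conf peer whose host is not a fixed address inside the VPN subnet, any section that sets host more than once, and any peer using auth=plaintext. The 10.8.0. prefix comes from the scenario above; the function names and the sample peers are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: the VPN subnet is 10.8.0.0/24 (scenario above), so an address
# inside the tunnel starts with "10.8.0.".

audit_iax_conf() {
    # $1 = path to iax.conf, $2 = VPN address prefix (default 10.8.0.)
    awk -v prefix="${2:-10.8.0.}" '
        function report() {
            if (sect == "" || sect == "general") return
            if (nhost > 1)
                print sect ": host is set " nhost " times (last: " host ")"
            if (host == "dynamic")
                print sect ": host=dynamic, peer is not pinned to a VPN address"
            else if (host != "" && index(host, prefix) != 1)
                print sect ": host " host " is outside the VPN subnet"
            if (auth == "plaintext")
                print sect ": auth=plaintext, consider auth=md5"
        }
        # strip ";" comments and surrounding whitespace
        { sub(/;.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[.*\]$/ {
            report()
            sect = substr($0, 2, length($0) - 2)
            nhost = 0; host = ""; auth = ""
            next
        }
        /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val)
            if (key == "host") { nhost++; host = val }
            if (key == "auth") auth = val
        }
        END { report() }
    ' "$1"
}

sample_iax_conf() {   # constructed sample, not a real configuration
    cat <<'EOF'
[general]
bindaddr=10.8.0.1
[peer-ok]
type=friend
auth=md5
host=10.8.0.10
[peer-bad]
type=friend
auth=plaintext      ; constructed peer with three findings
host=203.0.113.7
host=dynamic
EOF
}

tmp=$(mktemp)
sample_iax_conf > "$tmp"
audit_iax_conf "$tmp"
rm -f "$tmp"
```

Run it against the real file with `audit_iax_conf /etc/asterisk/iax.conf`, assuming that is where your Asterisk installation keeps iax.conf.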
Thursday, May 21, 2009
Securing Your VOIP Connections with VPN (Installation and SetUp of OpenVPN)
In this tutorial I'll discuss how to install and set up OpenVPN.
What is a VPN anyway? VPN stands for Virtual Private Network. It is a network within a network. A VPN allows the creation of a virtual network that can use other networks (e.g. the public internet) for transport. VPNs often encrypt any data they send over the transport network. In other words, data transmitted over the WAN is encrypted and is therefore secured.
For instructions on how to install Asterisk, kindly refer to my other tutorials on this blog (http://consciencespeaks.blogspot.com/2009/01/asterisk-installation.html).
Before going any further, here is a quick start on how to set up OpenVPN. These are the steps:
1. Install the OpenVPN package. You may have it via yum or you can have it from source.
yum install openvpn
2. Copy configuration files.
# cp -r /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
# cp /usr/share/doc/openvpn-2.0.9/sample-config-files/server.conf /etc/openvpn/
3. Make all the files under the easy-rsa directory executable
chmod -R 755 /etc/openvpn/easy-rsa
4. CA configuration
cd /etc/openvpn/easy-rsa/
vi vars
then scroll down to the bottom, edit as you like.
export KEY_COUNTRY=US
export KEY_PROVINCE=CA
export KEY_CITY=CALIFORNIA
export KEY_ORG="LINUX"
export KEY_EMAIL="rowell@mindragon.com"
# . ./vars (note the space between the two dots)
# ./clean-all
5. Build CA
# ./build-ca
Generating a 1024 bit RSA private key
........................++++++
......................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [VIC]:
Locality Name (eg, city) [MELBOURNE]:
Organization Name (eg, company) [THROXVPN]:
Organizational Unit Name (eg, section) []:Throx
Common Name (eg, your name or your server's hostname) []:throx.net
Email Address [name@mail.com]:
Some of the information above was already entered in step 4; just hit Enter and go to the next line.
6. Next we will build the server key and certificate
./build-key-server asteriskus
7. Building Diffie Hellman
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
(Wait until it finishes.)
8. Next edit server.conf so that it points to the proper paths of all the generated files. Take note that the keys and certificates are located in /etc/openvpn/easy-rsa/keys
You should have something like this:
port 1194
proto udp
dev tun
ca easy-rsa/keys/ca.crt
cert easy-rsa/keys/asteriskus.crt
key easy-rsa/keys/asteriskus.key
dh easy-rsa/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
client-config-dir ccd ; note we will need this so as to have a fixed IP address for each connecting VPN client
Save the file.
9. Next we will generate the key and certificate for our connecting clients.
./build-key asteriskph
Here you will be asked questions similar to those in step 5, but assign a different "Common Name" for each client. For instance, I assigned this client the common name asteriskph (we will use this later on).
We will have the following files:
asteriskph.crt, asteriskph.key, asteriskph.csr
10. Now create a directory ccd so as to have
/etc/openvpn/ccd
then under that directory create a file whose name is the Common Name of the connecting client's certificate (which we created in step 9),
so
vi /etc/openvpn/ccd/asteriskph
then add this entry
ifconfig-push 10.8.0.10 10.8.0.11 ; in this case the client will have the IP address 10.8.0.10 every time it connects to the VPN
11. Now you can start OpenVPN by issuing
/sbin/service openvpn start
12. Be sure to open port 1194 on the firewall (UDP, as set by proto udp above) to allow connections
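A consistency check for steps 8 and 10, as an added example that is not part of the original post: it reads the server line from server.conf and reports ccd files whose ifconfig-push addresses fall outside that subnet, repeat an address already given to another client, or do not form one of the /30 pairs (.1/.2, .5/.6, .9/.10, ...) that the OpenVPN HOWTO requires for Windows clients. The function names and the client2 to client4 files are constructed; the asteriskph entry is the one from step 10, which works for the Linux client in this post but is not such a pair.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the fixed-address files
# in client-config-dir against the "server" line in server.conf.

check_ccd() {
    # $1 = server.conf; remaining args = ccd files (name = client cert Common Name)
    conf=$1; shift
    awk '
        function ip2n(ip,   p) {            # dotted quad -> integer
            split(ip, p, ".")
            return ((p[1] * 256 + p[2]) * 256 + p[3]) * 256 + p[4]
        }
        FNR == 1 { cn = FILENAME; sub(/.*\//, "", cn) }
        { sub(/[;#].*/, "") }               # drop trailing comments
        NR == FNR {                         # first file: server.conf
            if ($1 == "server") { net = ip2n($2); size = 4294967296 - ip2n($3) }
            next
        }
        $1 == "ifconfig-push" {
            a = ip2n($2); b = ip2n($3)
            if (a <= net || a >= net + size - 1 || b <= net || b >= net + size - 1)
                print cn ": " $2 " " $3 " is outside the server subnet"
            if ($2 in owner)
                print cn ": " $2 " is already pushed to " owner[$2]
            else
                owner[$2] = cn
            if (a % 4 != 1 || b != a + 1)
                print cn ": " $2 " " $3 " is not a /30 pair (needed by Windows clients)"
        }
    ' "$conf" "$@"
}

make_sample() {   # constructed sample tree; prints the directory it created
    d=$(mktemp -d)
    mkdir "$d/ccd"
    printf 'port 1194\nserver 10.8.0.0 255.255.255.0\nclient-config-dir ccd\n' \
        > "$d/server.conf"
    # entry from step 10 of this post
    printf 'ifconfig-push 10.8.0.10 10.8.0.11 ; fixed address\n' > "$d/ccd/asteriskph"
    # constructed clients: duplicate address, wrong subnet, clean entry
    printf 'ifconfig-push 10.8.0.10 10.8.0.11\n' > "$d/ccd/client2"
    printf 'ifconfig-push 10.8.1.5 10.8.1.6\n'   > "$d/ccd/client3"
    printf 'ifconfig-push 10.8.0.13 10.8.0.14\n' > "$d/ccd/client4"
    echo "$d"
}

d=$(make_sample)
check_ccd "$d/server.conf" "$d"/ccd/*
rm -rf "$d"
```

On the server from this post the call would be `check_ccd /etc/openvpn/server.conf /etc/openvpn/ccd/*`.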
Next we will set up the VPN on the client side.
1. Download and install OpenVPN at the client side
2. Copy the client key, csr and crt and ca.crt from the OpenVPN server to the client server.
3. Copy the client configuration file
cp /usr/share/doc/openvpn-2.0.9/sample-config-files/client.conf /etc/openvpn/
4. Create a keys directory under the openvpn folder so as to have /etc/openvpn/keys
Copy or move the client's key, crt and ca.crt to that folder
5. Edit the client.conf
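You must have something like this:
client
dev tun
proto udp
remote XXX.XXX.XXX.XXX 1194 ; here the IP of the remote (OpenVPN server)
ca keys/ca.crt ; the files copied into /etc/openvpn/keys in step 4
cert keys/asteriskph.crt
key keys/asteriskph.key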
6. Then you may now start the openvpn client
/sbin/service openvpn start
7. In order to verify that your vpn client is running, issue
/sbin/ifconfig
and you should have something like:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.8.0.10 P-t-P:10.8.0.11 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:4774 errors:0 dropped:0 overruns:0 frame:0
TX packets:4759 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:876230 (855.6 KiB) TX bytes:884454 (863.7 KiB)
If you also want to verify the server, you can issue the same command there and something like the above should show up.
Of course, to verify further, ping the other server using its assigned VPN IP address (e.g. ping 10.8.0.1; it should reply):
[rowell@MDPHAsterisk openvpn]$ ping 10.8.0.1
PING 10.8.0.1 (10.8.0.1) 56(84) bytes of data.
64 bytes from 10.8.0.1: icmp_seq=1 ttl=64 time=202 ms
64 bytes from 10.8.0.1: icmp_seq=2 ttl=64 time=203 ms
64 bytes from 10.8.0.1: icmp_seq=3 ttl=64 time=204 ms
Now you have a running OpenVPN. Hope you find this useful. Thanks, Cheers and God Bless!!!
Tuesday, May 19, 2009
The Return of the OpenSER (OpenSIPs)
It has been a long while since I last did anything about OpenSER, ahm, I mean OpenSIPs. Since a lot of changes and progress have happened in this project and I was not able to keep an eye on them, let us start from the very beginning, from the point where we are supposed to start: yes, the installation.
Alright, to begin with,
1. Install all the Linux packages/dependencies needed (please refer to my old blog on this http://consciencespeaks.blogspot.com/2008/06/getting-started-with-openser.html).
2. Get the latest source package of OpenSIPs (currently it's 1.5.x series)
wget http://opensips.org/pub/opensips/1.5.0/src/opensips-1.5.0-tls_src.tar.gz
3. Unzip and extract the files
tar xvzf opensips-1.5.0-tls_src.tar.gz
4. cd to the source directory
cd opensips-1.5.0-tls
5. Do the following for compilation and installation
make clean
make all
make install ; it seems to be simplified ah ;-) by default everything will be installed at /usr/local
6. Now first edit opensipsctlrc
vi /usr/local/etc/opensips/opensipsctlrc
uncomment the line that says
DBENGINE=MYSQL
7. Now we can create the database for the OpenSIPs
/usr/local/sbin/opensipsdbctl create
; this will prompt for mysql root password
*Note that upon execution of this command it will create 2 users for OpenSIPs
; by default the mysql database user created is:
username: opensips
password: opensipsrw
8. Now edit opensips.cfg
vi /usr/local/etc/opensips/opensips.cfg
uncomment all lines in configuration file opensips.cfg which are related to
authentication:
- loadmodule "/usr/lib/opensips/modules/db_mysql.so"
- loadmodule "/usr/lib/opensips/modules/auth.so"
- loadmodule "/usr/lib/opensips/modules/auth_db.so"
- modparam("usrloc", "db_mode", 2)
- modparam("auth", "calculate_ha1", yes)
- modparam("auth_db", "password_column", "password")
- if (!www_authorize("sip.org", "subscriber")) {
      www_challenge("sip.org", "0");
      break;
  }
Make sure you change the two sip.org instances in the above config, to your
domain, or realm. In my case, I changed this to 192.168.2.235 which was the
IP address of this box.
Also, be sure to comment out the following line:
modparam("usrloc", "db_mode", 0)
9. Now let us copy the init script so that OpenSIPs can be started as a service (for example at boot). Copy opensips.init, which can be found under packaging/rpm in the OpenSIPs source directory. In my case the source is in /usr/src
cp /usr/src/opensips-1.5.0-tls/packaging/rpm/opensips.init /etc/init.d/opensips
chmod 755 /etc/init.d/opensips
/sbin/chkconfig --add opensips
Also, before you start OpenSIPs, correct the path of the binary in the init script
vi /etc/init.d/opensips
change the following line
osips=/usr/sbin/opensips
with this one since we installed the binaries on path /usr/local
osips=/usr/local/sbin/opensips
10. Now you can start OpenSIPs service
/sbin/service opensips start
To check if it is running issue
ps aux|grep opensips
you should see something like this
root 4210 0.3 0.6 43048 3548 ? S 21:21 0:00 /usr/local/sbin/opensips -P /var/run/opensips.pid
root 4214 0.0 0.2 43048 1216 ? S 21:21 0:00 /usr/local/sbin/opensips -P /var/run/opensips.pid
root 4217 0.0 0.2 43048 1140 ? S 21:21 0:00 /usr/local/sbin/opensips -P /var/run/opensips.pid
11. To test our setup we will create a user / SIP account. We can do this with the opensipsctl tool
/usr/local/sbin/opensipsctl add mytest 'abc123!@#'
*Note: you might encounter a problem once you issue the command above, with it complaining about SIP_DOMAIN. To fix that,
issue the command as follows:
export SIP_DOMAIN=192.168.2.235
Now reissue the command for adding a new user / SIP account
12. Test it by registering a softphone and filling in the phone's registration info. You should be able to register now.
Here are some more helpful links:
http://opensips.svn.sourceforge.net/viewvc/opensips/trunk/INSTALL
Hope you find this useful. Thanks, Cheers and God Bless!!!!
Thursday, May 14, 2009
Wake Up to the Truth
I have to admit to myself that this person feels nothing for me
It's all illusion that I am trying to portray
Everything is a false belief
Everything is just a dream and fantasy
Enough of the illusion, I have to face the truth
I need to live with the truth that this person is not meant for me
And there will be no chance for us to be together
How foolish I am, letting myself be fooled by my own illusion
As if everything may come into reality
But no, it isn't so
Enough is enough for all these insanity
For making myself to believe in the story telling I have in mind
I am just hurting myself to realize that everything is just form of my imagination
A madness that has to stop
It is too much ... the pain is too much...
I no longer want to hope in a story that has no meaning anyway
I no longer want to live in a world made only of dreams
Let's stop this craziness, it's all worthless and futile
Close the curtain on the pretending
Bury the feelings that have nowhere to go anyway
Enough of the illusion
Wake up......
Tuesday, May 12, 2009
Ngiti (Smile)
I watch you
Without you knowing
I dream that you are mine
Red lips
And your bright smile
Reaching all the way to the sky
Just don't look at me
Or my eager heart might melt
I am captivated by your smile
And every time you move
My world stands still
Only for you
Is the song of my heart
I hope you notice too
My secret affection
I love you without you knowing
I hope you won't be angry
My heart seems to have truly been struck
Which I once thought was numb
I still cannot come near
The nervousness in my chest gets there first
I am captivated by your smile
And every time you come near
My world stands still
My heart shouts your name
I hope you feel too
My secret affection
I am captivated by your smile
(By your smile)
Every time you move
My world stands still
Only for you...
(Only for you is the song of my heart)
I hope you notice too...
My secret affection
By your smile...
Secret Affection
I am too shy to admit what I feel for you
I don't know whether I should confess it to you
Or just keep it hidden for the rest of my life
A part of my heart already wants to speak
But my mouth stays shut and I can hardly say anything
Forcing myself to hide what I truly feel
A feeling that has long been waiting for its chance
A feeling that hopes to love and be loved in return
I am happy watching you every day
But it also hurts, because watching from afar is all I can do
Hoping the day will come when I find the courage
Hoping I will have the bravery someday
But every time I wanted to take a step
I could not even move or speak
As if ice had been poured over me
As if the Adarna bird had sung to me and I turned to stone
Silent, able to utter nothing but jokes
I don't know why, it is as if a fear holds me back
A fear that the moment you find out
Is when everything will change
A fear that the moment my lips utter
The things they truly hold
That will be the signal of the end
Dreams that will suddenly vanish like a bubble
Dreams in my sleep where I often lay my hopes to rest
Hopes that once dreamed we might at least be together