VoIP encryption options

Colin Anderson has posted details of how his network is set up and how he encrypts network traffic (vtun):

"I'm looking for solutions that work when one end of the call is connected to the pstn, and the entire media stream needs to be encrypted."

In my scenario, I have Snoms in a remote LAN and they get dialtone to the PSTN through my Asterisk server here via the VPN. I also use something you might want to consider, something like this:

SIP phone ---SIP---> Asterisk server NIC #1
                         |
                         |
Asterisk server NIC #2 <---IAX---VTUND---INTERNET---VTUND---IAX---> Asterisk server
                                                                        |
                                                                        |
                                                                       PSTN

The Asterisk server NIC #1 is on a non-routable subnet, so you don't have to worry about snooping for the SIP part, and the IAX data is encrypted by the time it hits the Internet. I have this running in several locations as well, with the remote Asterisk server running the Locustworld Meshbox distribution:

www.locustworld.com

We use a single Meshbox with a second NIC added to the Meshbox WiFi bridge using brctl. The single Meshbox acts as firewall, DHCP server, WiFi access point, and Asterisk server all in one. I use Compaq Deskpro EN P-II 400s with 64 MB of RAM and an SMC EliteConnect 2512W PCI card and everything runs nicely. The Meshbox assigns DHCP IPs to the Snoms, and an instance of Asterisk is run on the Meshbox to provide registration for the Snom. When the Snom dials out, iax.conf on the Meshbox is set to dial into the dialplan on our primary Asterisk server connected to the PSTN. Traffic is encrypted using VTUND. It works well; my salespeople are pleased with it because they can do fancy stuff like call forward, juggle multiple lines, MeetMe, IVR menus, and blind call transfer to the PSTN. Coming from a single POTS line with basic calling features to these remote locations, it's like a different world for them.

The encryption part, though, I'm not too worried about; that's just a bonus. It's not as if we have state secrets or anything.

If you want to use a bolt-on in your own distro from server to server, without using the Meshbox distro, you can just run vtund by itself:

http://vtun.sourceforge.net/
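As an added example (not Colin's configuration, which the post does not show), here is a script that writes the two mirrored vtund.conf files for the primary server and the Meshbox plus the Meshbox iax.conf that matches the diagram above: IAX is bound to the tunnel address so it can only reach the primary server through the encrypted tunnel, and a firewall rule fails closed if the tunnel drops. The 10.99.0.x addresses, hostname, passwords and the assumption that eth0 is the public NIC are placeholders.

```shell
#!/bin/sh
# Write a vtund.conf for one end of the tunnel.
# $1 = output file, $2 = this end's tunnel IP, $3 = the far end's tunnel IP
write_vtund_conf() {
    cat > "$1" <<EOF
options {
    port 5000;              # vtund control/data port on both ends
    ifconfig /sbin/ifconfig;
}
default {
    proto udp;              # UDP: no head-of-line blocking for voice
    type tun;               # IP-level tunnel is enough for IAX
    encrypt yes;            # encrypt everything crossing the Internet
    compress no;            # codec output will not compress further
    keepalive yes;          # notice a dead peer and tear the tunnel down
}
voip {
    passwd CHANGE_ME_SESSION_PASSWORD;   # placeholder, same on both ends
    up   { ifconfig "%% $2 pointopoint $3 mtu 1450"; };
    down { ifconfig "%% down"; };
}
EOF
}

# Write all three files into $1 (a config directory, e.g. /etc).
write_configs() {
    write_vtund_conf "$1/vtund-primary.conf" 10.99.0.1 10.99.0.2
    write_vtund_conf "$1/vtund-meshbox.conf" 10.99.0.2 10.99.0.1
    cat > "$1/iax.conf" <<'EOF'
[general]
bindaddr=10.99.0.2        ; Meshbox end of the tunnel, never the public NIC
[primary]
type=peer
host=10.99.0.1            ; primary Asterisk, reachable only via the tunnel
username=meshbox
secret=CHANGE_ME_IAX_SECRET
EOF
}

# Run by hand on the Meshbox after copying vtund-meshbox.conf to /etc/vtund.conf:
#   primary:  vtund -s -f /etc/vtund.conf
#   meshbox:  vtund -f /etc/vtund.conf voip primary.example.com   (placeholder host)
# Fail closed: IAX (UDP 4569) may never leave the public NIC unencrypted.
fail_closed_iax() {
    iptables -A OUTPUT -o eth0 -p udp --dport 4569 -j DROP
}
```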
