VPN in a Flash

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
http://nerdvittles.com/index.php?p=225

PiaF-Atom.jpg
 

thunderheart

New Member
Joined
Oct 30, 2007
Messages
255
Reaction score
0
Way Kewl

What do you need on the office end. Obviously you need a VPN peer of some description. Are you using Hamachi?

Dallas
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
Yep. Thus far it's Hamachi, but we're still experimenting.
 
Joined
Nov 2, 2007
Messages
498
Reaction score
0
OK, so....

Sounds like you guys are going with Hamachi now and working towards OpenVPN?

I have made a few runs on OpenVPN without much success. Probably won't try again until Winter.

I like the idea of a small solid state device. The Astralink and Digium appliances are $1K and up. Under $600 sounds good.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
The trouble with many VPN implementations is the amount of configuration that is necessary every time you change the IP address of the server. Hamachi kinda manages all of that for you.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
You Can Run But You Can't Hide

Rumor has it that some of our competitors already are shakin' in their boots...

cisco.jpg
 

thunderheart

New Member
Joined
Oct 30, 2007
Messages
255
Reaction score
0
Kewl Idle screen

Ward,

Can I package a version of that logo with the setup-grandstream script I've been working on?

Dallas
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
Sure. And here's the .bmp as well. Special thanks to Damon Hoxworth for the terrific artwork!

piaf.bmp
 

dad311

Guru
Joined
Jan 13, 2008
Messages
604
Reaction score
2
Most of the hotels I stay at (I travel A LOT) require you to enter an Internet pass key or log into a home page and accept an agreement. This would cause issues with VPN in a flash (No presto). Do you have a work around for this?
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
yum install lynx (which actually will be included in the VPN in a Flash distribution) provides a text-mode browser that's adequate with most sites requiring a login. So then you'd ssh to the IP address of the box using your WiFi notebook or java-powered WiFi cellphone (there's an SSH client in FreePBX) and lynx fleebaghotel.com and go through the login routine from the VPN in a Flash box.

And the Road Warrior's Best Friend...

DWL-G730AP_main.jpg
 

edisoninfo

Guru
Joined
Nov 19, 2007
Messages
505
Reaction score
4
Can this be used as the stand-alone main office pbx? Or is this only for remote use? I would love a solid state box like this for my SMB installs.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
It's a good bit more robust than a WalMart Special. So long as the number of simultaneous calls is below 10 or so, it'll work like a champ. Depending upon the number of voicemails, you might want an 8GB SSD instead of a 4GB... for a few cents more. :wink5: Of course, once the dual core, dual processor Intel Atom is released, The Sky's the Limit!
 
Joined
Feb 22, 2008
Messages
152
Reaction score
0
Another work-around for the "login page" issue

Ward,
Another good way to allow people to log in to "fleabagmotel.com" to authorize themselves would be to install the squid proxy on the vpn-in-a-flash box.

With the right iptables rules configured, all outgoing web traffic through the box would appear to come from the box itself. Possibly just setting up NAT correctly would do the trick as well, if the wireless and wired interfaces are not set up as bridged.

Now your wifi laptop or cellphone can connect to the Wifi on the box, and handle the authorization procedure, then every client connected through the box would appear to be the same machine.

On a related note:
I have set up my home network and used iptables on my linux-enabled router (dd-wrt.com) to force all outgoing web traffic through squid on my pbxinaflash box. It works great, and you can optionally configure dansguardian for web filtering (makes me less nervous when my kids are online). It's a transparent proxy (for http, not https, however) so no configuration is necessary on the clients (nor is there a way to bypass the proxy on the clients =-).

I may be able to help out with this part of the project, as I've done quite a bit with OpenVPN for my home and office as well.

For anyone else out there running dd-wrt firmware in their router and using a pbxinaflash server, here are the firewall rules I'm using:

# Leave web requests for the router's own admin page (10.0.1.1) untouched
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d 10.0.1.1 -j ACCEPT
# Send every other LAN port-80 request to dansguardian on the pbxinaflash box; the box itself is excluded so its upstream fetches are not looped back (iptables 1.4.3+ spells the negation "! -s 10.0.1.50")
iptables -t nat -A PREROUTING -i br0 -s ! 10.0.1.50 -p tcp --dport 80 -j DNAT --to 10.0.1.50:8080
# Clients and proxy share one subnet: rewrite the source to the router so replies return through it and the DNAT is undone, instead of going straight back to the client
iptables -t nat -A POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.50 -j SNAT --to 10.0.1.1
# Allow the redirected connections through the FORWARD chain
iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.50 -i br0 -p tcp --dport 8080 -j ACCEPT
The router's internal IP is 10.0.1.1.
The pbxinaflash server is 10.0.1.50
The dansguardian process listens on port 8080 (change this above if you go directly to squid on port 3128)

For squid and dansguardian configuration, do some googling.

All my web traffic goes through this box (it's a Wal-Mart special) and I haven't seen any performance hit on my phone traffic. The squid proxy is really nice for accelerating your web browsing, too.
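As an added example (not from this thread, and not part of the dd-wrt or PBX in a Flash projects), here is a parameterised version of the transparent-proxy redirect described above, written so the rules can be reviewed with IPT=echo before they touch a router. The defaults match the post (br0, 10.0.1.1, 10.0.1.50, port 8080, 10.0.1.0/24); the interface, address and port names are arguments you supply, and the function itself is an assumption of this example.

```shell
#!/bin/sh
# Added example: transparent HTTP proxy redirect for a Linux router whose LAN
# clients and proxy box sit on the same subnet. Run with IPT=echo to dry-run.

IPT="${IPT:-iptables}"

proxy_rules() {
  # $1 LAN interface, $2 router IP, $3 proxy IP, $4 proxy TCP port, $5 LAN network
  lan_if="$1"; router_ip="$2"; proxy_ip="$3"; proxy_port="$4"; lan_net="$5"

  # Refuse a non-numeric port rather than emitting a broken DNAT target.
  case "$proxy_port" in
    ''|*[!0-9]*) echo "proxy port must be numeric, got '$proxy_port'" >&2; return 1 ;;
  esac

  # 1. Web requests for the router's own admin page are left alone.
  $IPT -t nat -A PREROUTING -i "$lan_if" -p tcp --dport 80 -d "$router_ip" -j ACCEPT

  # 2. Every other LAN port-80 request is rewritten to the proxy. The proxy is
  #    excluded, otherwise its own upstream fetches would loop back into it.
  $IPT -t nat -A PREROUTING -i "$lan_if" ! -s "$proxy_ip" -p tcp --dport 80 \
       -j DNAT --to-destination "$proxy_ip:$proxy_port"

  # 3. Hairpin: clients and proxy share a subnet, so the proxy's replies would go
  #    straight to the client and bypass the router, where the DNAT must be
  #    undone. Rewriting the source to the router forces replies back through it.
  $IPT -t nat -A POSTROUTING -o "$lan_if" -s "$lan_net" -d "$proxy_ip" \
       -j SNAT --to-source "$router_ip"

  # 4. Permit the redirected flow through the FORWARD chain.
  $IPT -I FORWARD -i "$lan_if" -s "$lan_net" -d "$proxy_ip" -p tcp \
       --dport "$proxy_port" -j ACCEPT
}

# Only TCP/80 is intercepted. HTTPS (TCP/443) passes through untouched, so the
# filtering the post describes does not apply to it; that is the limitation the
# post itself notes.
if [ "${PROXY_RULES_DEMO:-0}" = 1 ]; then
  proxy_rules br0 10.0.1.1 10.0.1.50 8080 10.0.1.0/24
fi
```

Run it as `IPT=echo PROXY_RULES_DEMO=1 sh proxy_rules.sh` to print the four rules; drop `IPT=echo` on the router to apply them. Rules 1 and 2 are appended to PREROUTING in that order on purpose: the ACCEPT for the router's own address has to be matched before the catch-all DNAT.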
 
Joined
Feb 22, 2008
Messages
152
Reaction score
0
I've got OpenVPN servers set up with dyndns.org names. Even when the IP changes, it works pretty well. You can set up the client config files to look for the name instead of the IP, and you only have to open one port on the server firewall to allow the UDP (or TCP) traffic to the server. It can even masquerade as HTTPS traffic for best portability. I'd be happy to share what I've learned with the project, Ward. Feel free to drop me a line.
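As an added example (not jeremywillden's configuration and not part of the project), the following script writes a matching OpenVPN server and client configuration built the way the post describes: the server is reached by a dynamic DNS name rather than an IP, it listens on a single TCP port (443, so the tunnel looks like ordinary HTTPS to a hotel firewall), and the client always initiates the connection, so nothing has to be opened on the remote side. The hostname, tunnel network, certificate file names and the check function are assumptions of this example.

```shell
#!/bin/sh
# Added example: generate a server.conf / client.conf pair for OpenVPN 2.x that
# uses a DNS name and one TCP port. All names and paths here are assumed.

write_server_conf() {
  # $1 output path, $2 tunnel network (e.g. 10.8.0.0)
  cat > "$1" <<EOF
# Single TCP listener; 443 so the tunnel blends in with HTTPS
port 443
proto tcp-server
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
server $2 255.255.255.0
# Route all client traffic through the tunnel so office-side policy applies
push "redirect-gateway def1"
keepalive 10 120
persist-key
persist-tun
EOF
}

write_client_conf() {
  # $1 output path, $2 dynamic DNS name of the server
  cat > "$1" <<EOF
client
dev tun
proto tcp-client
# Name, not IP: the client re-resolves when the server's address changes
remote $2 443
resolv-retry infinite
# Outbound only: no listening port is needed where the client sits
nobind
ca ca.crt
cert client.crt
key client.key
# Refuse to talk to a peer whose certificate is not marked as a server
remote-cert-tls server
keepalive 10 120
persist-key
persist-tun
EOF
}

# Check that a client config points at a hostname (not a literal IP) on port 443.
client_uses_hostname() {
  grep -E '^remote [A-Za-z][A-Za-z0-9.-]* 443$' "$1" >/dev/null
}

if [ "${OPENVPN_CONF_DEMO:-0}" = 1 ]; then
  write_server_conf server.conf 10.8.0.0
  write_client_conf client.conf vpn.example.dyndns.org
  client_uses_hostname client.conf && echo "client.conf uses a hostname on 443"
fi
```

The office firewall forwards TCP/443 to the server; the hotel-side PBX or laptop only ever makes an outbound connection, which is why stateful firewalls on untrusted networks let the replies back in. `resolv-retry infinite` is what makes the dynamic DNS name keep working across IP changes, and `remote-cert-tls server` stops a client from completing the handshake with anything that is not the real server.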
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
Thanks. We'd love to have a look. The response and advance orders have been A-M-A-Z-I-N-G. Thanks. As we near a release date and initial production run, we are putting the finishing touches on the documentation and initial setup for VPN in a Flash. Comments, suggestions, questions, and identification of missing pieces are, of course, welcomed!! Just be aware that this still is a work in progress.
 

TomS

Guru
Joined
Oct 18, 2007
Messages
240
Reaction score
6
Can you post the OpenVPN how-to info

Jeremywillden,
can you post the OpenVPN setup you are using for all of us?
Thanks
TomS
[email protected]
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
I've got OpenVPN servers set up with dyndns.org names... and you only have to open one port on the server firewall to allow the UDP (or TCP) traffic to the server.

This port opening would obviously be a deal breaker for those that wish to use a server in a network over which they have no control, e.g. public places, hotels, convention centers, cruise ships, office complexes with shared office space, etc.

Have I misunderstood the firewall port requirement with OpenVPN?
 

mp3geek

Guru
Joined
Nov 1, 2007
Messages
106
Reaction score
11
It should work......

Ward,
I have a couple customers I set up with OpenVPN for them to use when they travel, and while I haven't tried it with a PBXiaF box yet I see no reason why it wouldn't work. The firewall at the mothership running the OpenVPN server has the port for OpenVPN open, and the remote user (typically a laptop, but a PBXiaF server should work too), runs the OpenVPN client which initiates the connection from the remote end. Since it's an outbound connection most firewalls let it out, and let the replies to it back in. I have had a connection open for hours on end and it has been very reliable, even NetBIOS network browsing on Windows clients starts working after 20-30 minutes :)
I have my clients set so that all their traffic is routed through the VPN once it is established so that any filters, policies etc. at the main end are enforced on the remote client.

Cheers,
Mike
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,206
Reaction score
5,227
Mike,
Send us a little HOW-TO and we'll get Tom to work his magic. We'd love to use it. Thanks.
 
