Hi all,
I wanted to share with you a solution I successfully put in place to better manage the firewall in the case of frequent changes of IPs (switch between data and wifi) on my mobile.
It has been running great for a few weeks now.
===========================================================================
Short-Story
===========================================================================
I have been using for a while a slightly modified version of Travelin'man 3 and it has been mostly good for my needs, except:
Prob 1: I hate captchas
------------------------
Using a service (noip.com and the like) to handle another dynamic DNS for my phone and having to "confirm" it every few weeks. Plus having to install an app specifically for that.
Prob 2: Not quick enough (cron job every x minutes to reload iptables)
----------------------------------------------------------------------
I'm using the excellent Groundwire app to connect to my PBX server, and especially their push notifications for registration (in a nutshell, they register my account on their SIPS server and they send a push notification to my phone in case of a call so my phone can register with my PBX and take the call).
That way, I save a lot of battery as my phone doesn't have to keep an open connection with the PBX.
The problem is that my phone could not reconnect to my PBX if a call is received between two cron jobs after a network change.
===========================================================================
Solution: OWNTRACKS (https://owntracks.org/) and MQTT (http://mqtt.org/)
===========================================================================
I already had OwnTracks for some home automation and decided to reuse it.
OwnTracks allows you to keep track of your own location. You can build your private location diary or share it with your family and friends (...)
MQTT is a machine-to-machine (M2M)/"Internet of Things" connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport (...)
--------
Easiest
--------
Server
.......
PBX server runs Mosquitto server (MQTT server) (https://mosquitto.org/) over SSL with an open port in iptables.
As for security, you define client IDs, username+password and client certificates.
(more here: http://www.steves-internet-guide.com/mqtt-security-mechanisms/)
Phone
.....
Owntracks on your phone is configured to use your server with the correct credentials
(More here: https://owntracks.org/booklet/features/tls/)
How it works (focused on network)
.................................
1/ (Phone) As soon as the network changes, OwnTracks tries to make an initial connection to your server. (As per their doc: When using MQTT, the broker connection is not maintained permanently. A reconnect will be attempted regularly or when a message is sent.)
2/ (Server) The incoming IP is logged and the Mosquitto server sends a message with details of the connection (amongst them, the origin IP) in a $SYS topic (Mosquitto server health topic).
3/ (Server) A service/script subscribes to that topic and matches a specific username and client ID. If matched, it sends an iptables delete command for the old IP and sends an iptables input command with that new IP.
The result is blazing fast (less than a second), so the phone IP is always allowed to the PBX.
--------------------
Harder (what I have)
--------------------
Server 1 (IOT)
..............
IoT server runs Mosquitto server (MQTT server) (https://mosquitto.org/) over SSL with an open port in iptables.
As for security, you define client IDs, username+password and client certificates.
(more here: http://www.steves-internet-guide.com/mqtt-security-mechanisms/)
Server 2 (PBX)
..............
PBX server SUBSCRIBES to that IoT server (so no hole in iptables).
Phone
.....
Owntracks on your phone is configured to use your server with the correct credentials
(More here: https://owntracks.org/booklet/features/tls/)
How it works (focused on network)
.................................
1/ (Phone) As soon as the network changes, OwnTracks tries to make a connection to your server.
2/ (IoT Server) The incoming IP is logged and the Mosquitto server sends a message with details of the connection (amongst them, the origin IP) in a $SYS topic (Mosquitto server health topic).
3/ (PBX Server) A service/script subscribes to that topic on the IoT server and matches a specific username and client ID. If matched, it sends an iptables delete command for the old IP and sends an iptables input command with that new IP.
4/ (IoT Server) (Icing on the cake) It updates the DNS for that matching username on the free Digital Ocean DNS service (e.g. myphoneuser.dyndns.mydomain.com) (see https://www.digitalocean.com/commun...-with-v2-api-bash-script-using-curl-in-ubuntu)
The result is just as blazing fast (less than a second), so the phone IP is always allowed to the PBX.
I will try to put together and clean up my various bits of code here and there.
In the meantime, what do you think about this approach?
Best,
Raph
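Added example (my own illustration, not Raph's code and not shipped by OwnTracks or Mosquitto) of the step 3 subscriber described above: the script reads Mosquitto connection log lines, keeps only the one authenticated username + client ID that is allowed to move the firewall hole, and moves a single `iptables` ACCEPT rule for the SIP port from the old IP to the new one. It assumes the broker is started with `log_dest topic` so that connection events appear under `$SYS/broker/log/#` in the "New client connected from ... as ... (c1, k60, u'...')" form that Mosquitto 1.x and 2.x emit; the username, client ID and port are placeholders; the log lines in `SAMPLE_LOG` are constructed. Two details a practitioner would want here: the source address is parsed with `ipaddress` before it ever reaches an `iptables` argv, so nothing that is not an IP address can be passed through, and because `$SYS/broker/log` carries the IP of every client, the broker ACL should let only the subscriber account read that topic.

```python
"""Move one iptables allow rule to follow a phone's current IP, driven by
Mosquitto connection log lines (added example; all values below are assumed)."""
import ipaddress
import re
import subprocess
import sys
from typing import Callable, List, Optional, Tuple

# Placeholders (not from the post): which authenticated identity may move the rule.
WATCH_USERNAME = "raph"      # assumed MQTT username of the phone
WATCH_CLIENT_ID = "myphone"  # assumed OwnTracks client id
SIP_PORT = "5061"            # assumed SIP-over-TLS port on the PBX
CHAIN = "INPUT"

# Mosquitto "New client connected" line. 2.x appends ":port" to the address and
# "p<n>, " (protocol) inside the parentheses; 1.x has neither. Both are accepted.
CONNECT_RE = re.compile(
    r"New client connected from (?P<addr>\S+?)(?::\d+)? as (?P<cid>\S+) "
    r"\((?:p\d+, )?c\d+, k\d+, u'(?P<user>[^']*)'\)"
)

# Constructed sample of what `mosquitto_sub -t '$SYS/broker/log/#'` would print.
SAMPLE_LOG = [
    "1700000000: New connection from 203.0.113.5:41234 on port 8883.",
    "1700000000: New client connected from 203.0.113.5:41234 as myphone (p2, c1, k60, u'raph').",
    "1700000010: New client connected from 198.51.100.7 as kitchen-sensor (c1, k60, u'iot').",
    "1700000100: New client connected from 203.0.113.5:41250 as myphone (p2, c1, k60, u'raph').",
    "1700000300: New client connected from 192.0.2.44:55001 as myphone (p2, c1, k60, u'raph').",
    "1700000400: New client connected from 192.0.2.99:55002 as myphone (p2, c1, k60, u'guest').",
]


def parse_connect_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (ip, client_id, username) for a connection line, else None.
    Anything whose address is not a valid IP (unix socket listener, garbage)
    is dropped here so it can never become an iptables argument."""
    m = CONNECT_RE.search(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None
    return str(ip), m.group("cid"), m.group("user")


def rule_args(ip: str, action: str) -> List[str]:
    """argv for one allow rule; action is '-I' (insert at top) or '-D' (delete).
    IPv6 clients need ip6tables, chosen from the parsed address."""
    binary = "ip6tables" if ":" in ip else "iptables"
    return [binary, action, CHAIN, "-s", ip, "-p", "tcp", "--dport", SIP_PORT, "-j", "ACCEPT"]


def plan_update(current_ip: Optional[str], new_ip: str) -> List[List[str]]:
    """Commands that move the allow rule from current_ip to new_ip (none if unchanged)."""
    if current_ip == new_ip:
        return []
    cmds: List[List[str]] = []
    if current_ip is not None:
        cmds.append(rule_args(current_ip, "-D"))
    cmds.append(rule_args(new_ip, "-I"))
    return cmds


def _run_iptables(argv: List[str]) -> None:
    # No shell: argv is passed as a list. Deleting a stale rule may legitimately
    # fail (already gone); inserting the new one must succeed.
    subprocess.run(argv, check=(argv[1] == "-I"))


class PhoneFirewall:
    """Tracks the last seen IP of one (username, client id) and applies rule moves."""

    def __init__(self, username: str, client_id: str,
                 run: Callable[[List[str]], None] = _run_iptables) -> None:
        self.username = username
        self.client_id = client_id
        self.run = run
        self.current_ip: Optional[str] = None

    def handle_line(self, line: str) -> List[List[str]]:
        """Process one log line; return the iptables commands that were issued."""
        parsed = parse_connect_line(line)
        if parsed is None:
            return []
        ip, cid, user = parsed
        if user != self.username or cid != self.client_id:
            return []  # some other client (or same client id under another account): ignore
        cmds = plan_update(self.current_ip, ip)
        for argv in cmds:
            self.run(argv)
        self.current_ip = ip
        return cmds


def dry_run(lines: List[str]) -> List[List[str]]:
    """Replay log lines without touching the firewall; returns the commands it would run."""
    fw = PhoneFirewall(WATCH_USERNAME, WATCH_CLIENT_ID, run=lambda argv: None)
    return [cmd for line in lines for cmd in fw.handle_line(line)]


if __name__ == "__main__":
    fw = PhoneFirewall(WATCH_USERNAME, WATCH_CLIENT_ID)
    for raw in sys.stdin:  # e.g. piped from mosquitto_sub on $SYS/broker/log/#
        fw.handle_line(raw.rstrip("\n"))
```

Run against a live broker by piping the log topic into it, e.g. `mosquitto_sub --cafile ca.crt -h iot.example -p 8883 -u pbx-subscriber -P '...' -t '$SYS/broker/log/#' | python3 phone_fw.py` (hostname and account are placeholders); `dry_run(SAMPLE_LOG)` shows the three commands the constructed sample produces without root. The rule is inserted with `-I` so it lands above any default DROP, and an unchanged IP (same phone reconnecting from the same network) produces no iptables call at all.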