I HAVE A DREAM Remote extensions on PBX behind NAT firewall (neither with fixed external IPs)

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Following, I am trying essentially the same thing - but I DO have access to the firewall.
I want to register a SIP phone (Linphone or similar) on an iPhone to my PBX, behind NAT firewall.
Since the iPhone will always have a dynamic IP - I am struggling to see how to do that.

For remote extensions, I setup an openVPN on the remote phone itself (Yealink T-48S) with an Untangle firewall.
Options:
  1. Forward all SIP to the PBX, and use Ward's "wide open internet" rules.
  2. Forward SIP from the carrier's network like @dicko mentioned (but that potentially fails if the phone is on wifi).
  3. Forward all SIP to the PBX, load a dynamic dns client on the phone and use Ward's Travelin' Man to whitelist the dns name.
  4. Load a VPN client on the phone.
Option 3 is probably the least open/least battery draining option. Option 4 is what you are already doing. I tend to favor Option 1 or 3 but with my own rules (nothing against Ward's rules - I stole a couple of things from him - but already had my own iptables "environment" developed over the years).
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
I accept that and I have been more explicit. Having SIP on 34254 or only accepting TLS or TCP connections would further limit any risk.
I use TCP on mobiles anyway; it seems easier on the battery.

If he only forwards TCP it would eliminate most scans, even if TCP SIP is on 5060.
 

GerryGerry

Member
Joined
Dec 26, 2015
Messages
57
Reaction score
9
VPN is easiest if you have no control over your office firewall.

Assuming no control over her router/firewall:
  • Set up an openvpn server on the cloud instance.
  • Set up an openvpn client on the PBX.
I have the openvpn server on cloud instance working ✅
I've also configured the 'mini smart router' to connect as a client to the openvpn server✅.

I'd really appreciate some directions on how to configure the PBX openvpn client as I think if I just set it up normally, it'll route all traffic through the VPN and all the local phones will be unable to connect. How do I make the vpn client be just the 'destination' for traffic originating from the remote extension but not affect any other network routes?
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
I have the openvpn server on cloud instance working ✅
I've also configured the 'mini smart router' to connect as a client to the openvpn server✅.

I'd really appreciate some directions on how to configure the PBX openvpn client as I think if I just set it up normally, it'll route all traffic through the VPN and all the local phones will be unable to connect. How do I make the vpn client be just the 'destination' for traffic originating from the remote extension but not affect any other network routes?
Post your server config and client profiles, OK to remove any cert/key info. If obfuscating IPs/hostnames, just be consistent.
 

GerryGerry

Member
Joined
Dec 26, 2015
Messages
57
Reaction score
9
Post your server config and client profiles, OK to remove any cert/key info. If obfuscating IPs/hostnames, just be consistent.

server.conf
Code:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# "param -out dh2048.pem 2048" is not an OpenVPN directive (it looks like the tail of the
# "openssl dhparam -out dh2048.pem 2048" command that generated the file), so it is dropped
# here; the dh line below is all the server needs
dh dh2048.pem
topology subnet
remote-cert-eku "TLS Web Client Authentication"
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
tls-crypt myvpn.tlsauth
cipher AES-256-CBC
max-clients 10
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log-append  openvpn.log
verb 3
explicit-exit-notify 1

client.ovpn
Code:
client
tls-client
ca ca.crt
cert aquevo.crt
key aquevo.key
tls-crypt myvpn.tlsauth
remote-cert-eku "TLS Web Server Authentication"
proto udp
remote xxx.xxx.xxx.xxx 1194 udp
dev tun
topology subnet
pull
user nobody
group nobody
# needed alongside user/group nobody: once privileges are dropped the client can no longer
# re-read its key files or re-open the tun device on a restart, so without these two lines
# an automatic reconnect after ping-restart would fail
persist-key
persist-tun

In case it's helpful, the PBX has an IP address of 192.168.4.117 and all the current phones have IP addresses on the 192.168.4.0 subnet.

Thanks in advance for any assistance
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Remove the "push" lines from the server config and restart the service. Only traffic destined for the 10.8.0.0 net will go out the vpn. On the phone you will need to connect to the openvpn ip address of the pbx.

I think Ward's default rules should allow for the entire 10.* address block to connect, but check iptables on the pbx to be sure and whitelist if necessary.

This should be sufficient for a handful of phones. You can get more involved and start pushing your internal dns and routes for the internal network, but it's probably overkill for now.
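What jerrm's advice looks like applied to the posted server config, as an added example (it is not code from the thread or from OpenVPN): a POSIX shell script that drops the full-tunnel `push` lines and checks that the result no longer pushes a default route, so only 10.8.0.0/24 goes over the tunnel. The sample config is constructed from the directives posted above, and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN itself.
# Turns a full-tunnel OpenVPN server config into a split-tunnel one by dropping
# the "push" lines jerrm says to remove, and checks the result. Function names
# and the sample config are constructed for this example; the sample reuses the
# directives posted earlier in the thread.

SAMPLE_SERVER_CONF='port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120'

# True (exit 0) when the config on stdin pushes a default route to clients,
# i.e. every client would send all of its traffic through the VPN.
has_full_tunnel() {
  grep -Eq '^[[:space:]]*push[[:space:]]+"?redirect-gateway'
}

# Copy the config on stdin to stdout without the redirect-gateway and DNS
# pushes. With "server 10.8.0.0 255.255.255.0" alone, the client only routes
# 10.8.0.0/24 over the tunnel; everything else keeps using its normal gateway.
strip_full_tunnel() {
  grep -Ev '^[[:space:]]*push[[:space:]]+"?(redirect-gateway|dhcp-option[[:space:]]+DNS)'
}

# Wrappers over the sample so the transformation can be checked without files.
sample_is_full_tunnel()   { printf '%s\n' "$SAMPLE_SERVER_CONF" | has_full_tunnel; }
stripped_is_full_tunnel() { printf '%s\n' "$SAMPLE_SERVER_CONF" | strip_full_tunnel | has_full_tunnel; }
stripped_line_count()     { printf '%s\n' "$SAMPLE_SERVER_CONF" | strip_full_tunnel | wc -l | tr -d ' '; }

# To convert a real file:  sh split_tunnel.sh --convert < server.conf > server.split.conf
# then restart the service. On the PBX, confirm 10.8.0.0/24 is actually accepted
# before relying on "10.* is allowed", e.g. (generic iptables, not Ward's scripts):
#   iptables -S INPUT | grep 10.8.0.0
if [ "${1:-}" = "--convert" ]; then
  strip_full_tunnel
fi
```

The DNS pushes are removed along with the redirect because they only make sense when the client's whole internet path goes through the VPN; with split tunnelling the phone keeps the DNS servers of whatever network it is on.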
 

dhoppy

Active Member
Joined
Mar 9, 2009
Messages
439
Reaction score
179
If you have access to the end user's router, I would set up dynamic dns on the end user router, and then whitelist the dynamic hostname you create on the PBX: add-fqdn instead of add-ip. The ipchecker script updates every 10 minutes I think (you could change that).
 

GerryGerry

Member
Joined
Dec 26, 2015
Messages
57
Reaction score
9
Remove the "push" lines from the server config and restart the service. Only traffic destined for the 10.8.0.0 net will go out the vpn. On the phone you will need to connect to the openvpn ip address of the pbx.

I think Ward's default rules should allow for the entire 10.* address block to connect, but check iptables on the pbx to be sure and whitelist if necessary.

This should be sufficient for a handful of phones. You can get more involved and start pushing your internal dns and routes for the internal network, but it's probably overkill for now.
Thanks a million, it's all working. I just need to work out how to set up the openvpn client on the PBX to automatically run on startup AND to automatically reconnect in case of failure/disconnection.
 

GerryGerry

Member
Joined
Dec 26, 2015
Messages
57
Reaction score
9
If you have access to the end user's router, I would set up dynamic dns on the end user router, and then whitelist the dynamic hostname you create on the PBX: add-fqdn instead of add-ip. The ipchecker script updates every 10 minutes I think (you could change that).
The default rule (set by Ward) is to allow the entire 10.X.X.X subnet. Seeing as the only way to get a 10. address would be to 'be on' the LAN or to have gotten hold of the VPN certificates and keys, the flexibility (the client can take the mini VPN router and her phone anywhere and just plug N' play) of just leaving the 10 subnet exposed, I think, outweighs the (what I feel to be minuscule) security risk posed. If I've gotten this wrong, please explain the risk so that I (and others reading this thread) can make an informed decision.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Thanks a million, it's all working. I just need to work out how to set up the openvpn client on the PBX to automatically run on startup AND to automatically reconnect in case of failure/disconnection.
Great!

The client is usually pretty good about reconnecting.
 

GerryGerry

Member
Joined
Dec 26, 2015
Messages
57
Reaction score
9
Great!

The client is usually pretty good about reconnecting.
OK, I've set it to run as a service on the PBX by renaming (copying) the client.ovpn to /etc/openvpn/server.conf and then executing chkconfig --level 35 openvpn

On the cloud instance config, I've got :
keepalive 10 120
In the event of a disconnect, how long will the client keep on trying to reconnect, is it indefinitely?
 

tbrummell

Guru
Joined
Jan 8, 2011
Messages
1,275
Reaction score
339
It will retry infinitely by default, with a 5-second pause between attempts. After 5 unsuccessful attempts it will double that wait to 10 seconds and attempt 5 more, then double to 20 seconds, and so on, until the wait time is 300 seconds.

Your keepalive line means ping every 10 seconds, and restart connection if it fails for 2 minutes.
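The reconnect schedule tbrummell describes, worked through as an added example (not code from the thread or from OpenVPN): a POSIX shell script that computes the wait before each attempt and the cumulative time spent waiting, plus what the server's `keepalive 10 120` line expands to on each side. The 5 s base and 300 s cap are the defaults of OpenVPN's `--connect-retry n [max]` directive, which is where to change them; the doubling cadence implemented here is the one given in the post above, and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenVPN. It works out the
# client reconnect schedule tbrummell describes (5 s between attempts, doubled
# after every 5 failed attempts, capped at 300 s; 5 and 300 are the defaults of
# --connect-retry n [max]) and what "keepalive 10 120" on the server means for
# each side. Function names are constructed for this example.

# Seconds the client waits before attempt number $1 (counting from 1).
# $2 and $3 override the base wait and cap (the two --connect-retry values).
backoff_wait() {
  attempt=$1
  base=${2:-5}
  cap=${3:-300}
  wait_s=$base
  doublings=$(( (attempt - 1) / 5 ))   # one doubling per 5 failed attempts
  i=0
  while [ "$i" -lt "$doublings" ]; do
    wait_s=$(( wait_s * 2 ))
    i=$(( i + 1 ))
  done
  if [ "$wait_s" -gt "$cap" ]; then
    wait_s=$cap
  fi
  echo "$wait_s"
}

# Total seconds spent waiting across the first $1 attempts.
total_backoff() {
  limit=$1
  sum=0
  k=1
  while [ "$k" -le "$limit" ]; do
    sum=$(( sum + $(backoff_wait "$k") ))
    k=$(( k + 1 ))
  done
  echo "$sum"
}

# "keepalive I T" in a server config expands to "ping I" plus "ping-restart T"
# pushed to clients, while the server itself uses a ping-restart of 2*T so the
# client notices a dead link and restarts before the server drops it (OpenVPN manual).
keepalive_client_restart() { echo "$2"; }
keepalive_server_restart() { echo "$(( $2 * 2 ))"; }

# Print the schedule for the first N attempts, e.g.:  sh backoff.sh 35
if [ -n "${1:-}" ]; then
  a=1
  while [ "$a" -le "$1" ]; do
    printf 'attempt %2d: wait %3d s (cumulative %4d s)\n' \
      "$a" "$(backoff_wait "$a")" "$(total_backoff "$a")"
    a=$(( a + 1 ))
  done
fi
```

Run with a number to see how quickly the waits grow: by attempt 31 the wait has hit the 300 s cap, so a PBX that has been offline for a long outage will come back within about five minutes of the link returning, and the `keepalive` values decide how long a silently dead tunnel sits before the client even starts that retry loop.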
 
