Ever wrestled with one of those thorny problems for weeks only to wake up in the middle of the night with the answer? Thus was born Travelin’ Man, a web- based, one-click Asterisk® application that automatically reconfigures your Asterisk PBX to enable remote SIP phone access from your cellphone, iPad, remote PC, NetBook, or desktop telephone.
News Flash: Be sure to read our latest article introducing Travelin’ Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that’s lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.
If you’ve read the Incredible PBX series of articles on Nerd Vittles, you already know what a thorny problem remote phone access is if you want to preserve the overall security of your server. Indeed, our recommendation has been to leave SIP access closed on your hardware-based firewall because of the dangers inherent in activating remote SIP access. Now we have a better idea!
Today’s new approach works like this. First, we’ll run a little script that secures all of your extensions with permit entries locking down all these connections to the IP address range within your private network. Then we’ll open the SIP and RTP ports on your hardware and software firewalls and map these ports to your Asterisk server’s private IP address. With this setup, no one can attempt remote SIP logins to your server because Asterisk blocks all SIP extension connection attempts except those originating inside your LAN. To manage external phone connections to your server, the install script creates a new virtual Apache web server on your Incredible PBX using port 83. We’ll enable and map TCP port 83 on your hardware and software firewalls to your server as well. Web access with port 83 is limited to running the Travelin’ Man app to activate external phones.
Now we’re ready to set up access to your server for remote devices. For each extension you wish to enable for remote access, we’ll create a special web directory using an obscure, random file name which will serve as the web link for the Travelin’ Man web app. For example, in the diagram above, directory 184778 manages extension 501, directory 2389957h manages extension 701, and directory 6993h5j manages extension 702. This is accomplished by simply changing the extension number in the index.php script stored in each directory.
When one of these web links is accessed remotely, the PHP script will automatically reconfigure Asterisk to enable access to the designated SIP extension on your server using the remote IP address from which the web page was accessed. And, of course, there’s an additional layer of SIP security as well. You still need your extension credentials to actually log in to your server with a softphone to place and receive calls. The Travelin’ Man installation process takes only a couple minutes, and the remote SIP activation procedure takes just a couple seconds each time you want remote access from a different location. Here’s a quick example of how it actually works.
Let’s assume we want to use the new $3.95 Bria SIP softphone on an iPad to connect as extension 501 on our Incredible PBX back at home. The problem is that the dynamic IP address of your iPad changes at each new site on your itinerary. Some locations have WiFi while others only have 3G connections.
First, we’ll generate an icon to run Travelin’ Man from your iPad desktop. Use the same procedure with an iPhone or iPod Touch, and there’s a similar procedure for Android devices.1 You only have to do this once. Start up Safari on the iPad to access the new port 83 web server at the random web address the installer created to support extension 501. That web address is something like this using your own FQDN2: http://myserver.dyndns.org:83/184778. After establishing the link once, we’ll hit the + button in Safari and choose Add to Home Screen. This creates the TravelMan icon on the iPad. See the screenshot below of our demo iPad setup which used extension 221 instead of 501.
Once configured, it’s just two clicks to enable your remote phone anywhere: click once on the TravelMan icon. When your IP address is confirmed, return to your Home Screen and click the Bria softphone icon to establish a SIP connection back to your server. Behind the scenes, the Travelin’ Man application will generate the required permit entry for your remote IP address mapping it to the designated extension on your server, and then it will reload your SIP settings to make your Asterisk server accessible to the Bria softphone in your hotel room. The entire process takes only a couple seconds.
If your company happens to have a dozen traveling salesmen, then you’d simply assign a dedicated extension to each employee and create secure directory names for each person (e.g. 2389957h and 6993h5j in diagram above) with a copy of the Travelin’ Man app configured for that employee’s extension number. Now your entire mobile workforce has connectivity back to the home office from any location on the globe. And, when an employee leaves the company and another arrives, just create a new name for the old employee’s web directory to preserve the security of your system (e.g. 184778 in our example becomes 78hd773). Keep in mind that each time the Travelin’ Man app is run for any extension, it wipes out any previously authorized IP address entry for that extension. Thus, the security of your Incredible PBX is always preserved.
Prerequisites. Before proceeding with today’s install, you must be running a stock install of Incredible PBX with PBX in a Flash behind a properly-secured, hardware-based firewall3. We recommend the latest version of Asterisk 1.4 because it addresses a SIP vulnerability that might cause you problems if malformed SIP packets are targeted at your server. The current release of PBX in a Flash (220.127.116.11 Silver) is ideal, but any version of PBX in a Flash can be brought current with Asterisk using the update-source and update-fixes tools. Travelin’ Man assumes that you have the Incredible PBX base install of extensions: 501 plus 701-715. You can obviously add more or remove some, but you’ll need to manually adjust sip_custom_post.conf to reflect your actual extension list after the install completes.
The installer has been encrypted for your/our own protection. In source form, the script would allow anyone to defeat the Incredible PBX requirement. Doing so would mean the required IPtables security component would not be in place and properly configured to protect the underlying system from attack. So we’ve opted to play Big Brother to avoid potential security problems for all of us down the road. This article clearly explains all the necessary components if some folks want to roll their own version. We just don’t want the responsibility if something goes horribly wrong. As Forrest Gump would say, “Shit Happens.” If you don’t believe it, check out the latest security scramble in the trixbox forums.
Installation. Now we’re ready to get started. So log into your Incredible PBX as root and issue the following commands:
tar zxvf travelinman.tar.gz
NOTE: If you’re using PIAF2 with CentOS 6.2, you’ll need to use the updated version of Travelin’ Man because of a syntax change in the Apache config file:
tar zxvf travelinman2.tar.gz
The first step in the install procedure is to lock down access to all of your extensions to your private LAN subnet. In case you ever want to do this on another server not running the Incredible PBX, here’s a link to our privip.sh shell script that shows how to do it. This should work on most FreePBX-based Asterisk systems.
Once the extensions are locked down, the script will modify your IPtables and Apache configurations to permit web access on port 83. Next, it will adjust your Asterisk setup to support the Travelin’ Man permit scheme. This involves reworking of sip_custom_post.conf so that permit settings for individual extensions can be stored in files named 501.inc, 701.inc, etc. Finally, the installation procedure will set up a single web site to support extension 501 with a randomized directory name for remote access.4 This setup will be stored in /var/www/travelman. To activate support for additional extensions, you would simply copy the subdirectory giving it a new random name: cp -r dir1 dir2. Then edit config.php in the new subdirectory and change the $extension entry.
To complete the install, you must reconfigure your hardware-based firewall and map the following ports to the private IP address of your server:
When the installation is completed, it will show you how to access the new web site for extension 501 using either a fully-qualified domain name or a public or private IP address. Now just follow the steps at the beginning of this article to set up your Android or iDevice, and test things out. Enjoy!
Reminders: Be sure to review the comments to this article and the related support forum thread for a week or two for late-breaking enhancements and issues. Also, Incredible PBX comes preconfigured with call forwarding activated for extension 501. Don’t forget to either disable it or set up a real call forwarding number for extension 501 if you want your cellphone to ring. From any extension on your server, just dial *72501 to set up call forwarding. To cancel call forwarding and pass calls directly to the registered 501 softphone, dial *74 and enter 501. Also be aware that the default RingAll ring group (700) configuration on Incredible PBX systems does not include extension 501. So add 501 if you want your remote extension to ring for incoming calls.
Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won’t have to wait long for an answer to your questions.
Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.
whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
Some Recent Nerd Vittles Articles of Interest…
- To create a desktop icon for Travelin’ Man on Android devices, navigate to the link with your browser. Then save the link as a Bookmark by clicking the Star icon in your browser then click Add. Return to the Home Screen and, from the screen on which you wish to add the icon, touch and hold your finger on the screen. When the Add to Home Screen menu appears, choose Shortcuts then Bookmarks and select the link you previously saved. As with iDevices, you only have to do this once. [↩]
- FQDN = Fully-qualified domain name [↩]
- We recommend the dLink Router/Firewall. Low Cost: $35 WBR-2310 Best: DGL-4500 [↩]
- If you’d like to download the web site code independently from the Travelin’ Man install procedure, here’s the link. [↩]