Posts tagged: Networking

Rolling Your Own: Creating a Custom Incredible PBX ISO for Asterisk

We promised to provide the Incredible PBX 13.2 ISO build environment for those of you that wanted to learn how to roll your own ISO. Why would you want to do such thing? Well, we can think of a number of reasons. First, you may just want to learn how sh*t works. Or you may want to impress your boss by building a custom ISO with the corporate logo splattered all over the place. Then there are those that want to add a feature or function that we haven’t included yet so you can share your creation with your friends. For us, the motivation was to provide an Asterisk® aggregation that others could build upon without legal hassles about copyrights and trademarks… you know, a real open source project based upon the GPL license.

Regardless of your motivation, today’s your lucky day. We’re providing an exact duplicate of the build environment that was used to create the Incredible PBX 13.2 ISO. It’s released under the same GPL license that applies to the ISO itself. Copy it, enhance it, give it to your friends, and share your additions so that all of us can learn from you. In addition to the code, we’re actually going to document how to modify it and use it… you know, real instructions.


The Schmoozers were back in full force last week with one accusing us of “stealing” their code and another with this gem:


For the record, we use GPL code of others with full credit to the authors. That’s what the GPL and Asterisk aggregations have always been about. Let’s compare that to our Sangoma® friends who rip the covers off RedHat’s GPL ISO, brand it as their own, and then have the balls to distribute it as closed source code. Repeating a lie over and over doesn’t make it come true!


Getting Started. Before you can use today’s code, you’ll need a suitable platform on which to play. You’ve got a couple of choices. First, you can actually install Incredible PBX 13.2 using last week’s ISO. A second option is to build yourself a virtual machine or a cloud-based server with Scientific Linux 6.7 or even CentOS 6.7 minimal. We recommend 32-bit architecture because the Incredible PBX 3.2 ISO build environment as configured is 32-bit to assure maximum hardware compatibility. The server hardware platform doesn’t really matter. Cheaper means it takes a little longer, but you’ll get the same results.

Installing the Incredible PBX 13.2 ISO Build Environment. Once you have your server up and running, log in as root. This usually isn’t a good idea for a build environment, by the way. We’re doing it because we’re assuming you have a machine dedicated to just building ISOs on which to experiment. Issue these commands to put the ISO build platform in place:

cd /root
setenforce 0
yum -y install wget nano
wget http://incrediblepbx.com/create-ISO-new.tar.gz
tar zxvf create-ISO-new.tar.gz
rm -f create-ISO-new.tar.gz

Creating Your First ISO. Why waste time? Let’s actually build an Incredible PBX ISO to show you how easy it is. Issue the following command to kick off the process: /root/create-ISO-new. Depending upon your server’s specs, the whole build procedure should take a minute or two to complete. When it’s finished, you’ll have a shiny new ISO that can be burned to a DVD or USB thumb drive following the steps documented in our previous tutorial:

ls -all /root/kickstart_build/*.iso

-rw-r--r-- 1 root root 890241024 Nov 24 12:45 /root/kickstart_build/IncrediblePBX13.2.iso

ISO Design Overview. There are lots of ways to design an ISO architecture. We’ve chosen a hybrid approach with a two-phase install. When you first boot from the ISO installer, you get the operating system platform. The server then reboots, and Phase II downloads and then runs the latest Incredible PBX installer. Our main reason for choosing this design is that you don’t have to create a new ISO every time you make changes in the Incredible PBX installer. For those of you that remember the Asterisk@Home and trixbox days, this was a major shortcoming. The ISOs were released about every three to six months, and invariably a major glitch was discovered about a week after the new ISO was introduced. With our two-phase installer, slipstream changes are easy to implement by simply adding a line to the Incredible PBX install script. The ISO itself never has to be updated until a major operating system refresh is necessary.

Adding Packages to Your ISO. With Incredible PBX, RHEL 6.7-compatible packages are added to new servers in a couple of ways. First, there are packages actually included within the ISO itself that are loaded during Phase I of the install, i.e. when Scientific Linux 6.7 platform is installed. These packages must include all necessary dependencies. The kickstart process actually resolves and loads package dependencies as part of the Phase I ISO install procedure. Once the base install is completed, the end-user’s server reboots and then the Phase II install kicks off by downloading and running the Incredible PBX 13-12R installer. Additional RPM packages and a number of other applications in tarball format are downloaded and installed during this Phase II process. Today, we’ll show you how to modify both pieces of the ISO install procedure.

To add RPMs to the ISO itself, keep in mind that the new RPMs must match the architecture of the default build environment. In the case of Incredible PBX, it’s a 32-bit architecture which means you’ll need 32-bit versions of RPMs you wish to add. Otherwise, you will need to replace all of the packages in the build environment with their 64-bit cousins.

There are 3 steps to adding new packages to the ISO build environment.

First, create a temporary directory (/tmp/packages) to use for gathering up the RPMs to be added. This is so you can check your work without screwing up your build environment. To add an RPM, you first need to download it from a repository to your temporary directory. The syntax looks like this where NetworkManager is the name of the RPM you wish to install:

yum -y install --downloadonly --downloaddir=/tmp/packages NetworkManager

Second, move the RPMs from /tmp/packages into your build environment. This must include RPM package dependencies (as was the case when adding NetworkManager):

mv /tmp/packages/*.rpm /root/kickstart_build/isolinux/Packages/.

Third, add the names of your new RPMs to the kickstart config files (ks*.cfg) in /root/kickstart_build/isolinux. The package names go in the section of each kickstart file labeled %packages.

NOTE: You do not have to add the names of RPMs being added because of dependencies in step 3. You DO have to add the actual RPMs and RPM dependencies in step 2. For example, with NetworkManager, only NetworkManager itself needed to be added to the %packages list in the ks*.cfg config files. But the collection of NetworkManager RPMs and its dependencies for step 2 looked like this:

avahi-autoipd-0.6.25-15.el6.i686.rpm
dnsmasq-2.48-14.el6.i686.rpm
libdaemon-0.14-1.el6.i686.rpm
mobile-broadband-provider-info-1.20100122-4.el6.noarch.rpm
ModemManager-0.4.0-5.git20100628.el6.i686.rpm
NetworkManager-0.8.1-99.el6.i686.rpm
NetworkManager-glib-0.8.1-99.el6.i686.rpm
ppp-2.4.5-10.el6.i686.rpm
rp-pppoe-3.10-11.el6.i686.rpm
wpa_supplicant-0.7.3-6.el6.i686.rpm

Changing the ISO Default Boot Menu. Once you have burned the ISO to a DVD-ROM or USB flash drive and booted your server-to-be, a default kickstart menu will be presented: /root/kickstart_build/isolinux/isolinux.cfg. Edit it to customize the splash screen and make any desired changes in the screen title and options displayed to those using your ISO. WARNING: If you modify the ks*.cfg options in the file, you also will need to make similar modifications in the create-ISO-new build script as well as adding new matching ks config files in /root/kickstart_build/isolinux.

Modifying the Phase II ISO Install Procedure. The Phase I install setup already provided in the Incredible PBX ISO will work for any number of ISO requirements you might have because it provides a robust Scientific Linux 6.7 base platform. Now for the fun part. You can modify the Phase II install in any way you like by simply adjusting the download script and hosting it on your own public server.

The Phase II magic is housed in the %post section of the kickstart config files (ks*.cfg). The initial setup in this section will work for almost any setup. It addresses the quirks of getting a working network connection functioning on most server platforms. This got much more complicated with the introduction of UEFI on newer Intel-based servers. But we’ve addressed all of that. To customize the install to run your own Phase II script, you need only modify the last few lines of the %post section:

/bin/echo "cd /root" >> /tmp/firstboot
/bin/echo "/usr/bin/wget http://incrediblepbx.com/incrediblepbx13-12.2-centos.tar.gz" >> /tmp/firstboot
/bin/echo "/bin/tar zxvf incrediblepbx13-12.2-centos.tar.gz" >> /tmp/firstboot
/bin/echo "/bin/rm -f incrediblepbx13-12.2-centos.tar.gz" >> /tmp/firstboot
/bin/echo "./Inc*" >> /tmp/firstboot
/bin/chmod +x /tmp/firstboot
eject
%end

These last few lines tell the ISO installer where to find your Phase II script and manage the procedure for downloading it, untarring it, and then running it. To deploy your own Phase II install script, simply modify lines 2, 3, 4, and 5 above. In line 2, provide the public server location of your script in .tar.gz format. In line 3, untar the script in the /root folder of the new server. In line 4, remove the .tar.gz file after it’s been decompressed. In line 5, run the shell script included in your tarball. The remaining lines shown above should be preserved as shown. Once you finish making changes in ks.cfg, copy the %post section to your other kickstart config files and then rerun /root/create-ISO-new to build your new ISO. Enjoy!

Originally published: Friday, December 11, 2015


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 
Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.


​​3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at www.3cx.com.

  • Run on Premise or in the Cloud, on Windows and soon Linux
  • Softphones for iOS, Android, Win & Mac
  • Easy install, backup & restore, version upgrades
  • Automatically configures IP Phones, SIP Trunks & Gateways

  • Some Recent Nerd Vittles Articles of Interest…

    The 30-Second PBX: Introducing Proxmox 4 for the Intel NUC and Asterisk 13

    With the advent of cloud-based computing and desktop virtual machine platforms like VirtualBox, we haven’t played with dedicated hardware for Asterisk® in a couple of years. WOW! It’s just amazing the quantum leaps in miniaturization, price, and performance that have transpired during our absence. Last week, we introduced a dedicated server platform for under $200 that could serve as a small business PBX for almost any 20-30 person organization. Today, meet Big Brother. You’re looking at all the components that make up the $500 Intel® NUC D54250WYK with a Core i5 dual-core processor, a 250GB mSATA drive, and 16GB of RAM. While you install the RAM and disk drive yourself, if you can unscrew 5 screws and have 5 minutes to spare, you can handle this. With the addition of the just released (free) Proxmox 4 virtualization platform, it can run a half dozen powerful stand-alone applications without ever breaking a sweat. Little wonder that Digital Ocean and CloudAtCost are all but giving away server resources. They almost have to given the developments in stand-alone hardware.

    Buying Your Hardware

    So here’s how we started. Of course, you can adjust the components and the merchant to meet your own requirements. For us, Amazon1 works great, and the prices are competitive. Who else delivers on Sunday? Despite the notice that the computer would be here on Monday, we knew better. And sure enough it was in the box with the other Sunday goodies. Remove the four screws from the bottom feet of the computer, and the case opens easily. Next, unscrew the screw from the bottom of the motherboard that holds the SSD drive in place securely. Snap in the mSATA drive and the two memory sticks, replace the screws, and you’re in business.

    Initial Setup of the Intel NUC Platform

    Our unit actually came with the latest BIOS preinstalled, but you’ll want to always upgrade the BIOS on any Intel motherboard. Everything generally gets better with each new upgrade. The rest of the firmware is fine as is unless you plan to use the computer as a Windows machine. You’ll find all the downloads here. The firmware you want is version 0041, and the file you want is WY0041.BIO. Copy it to the top level directory of a DOS-formatted USB flash drive using any desktop computer. On the Intel NUC, plug in a USB keyboard and mouse as well as the USB flash drive and a USB CD/DVD drive. Then connect a network cable. Finally, connect a monitor using a microHDMI to HDMI cable, and you’re all set. Once we’re finished configuring the Intel NUC, you can stick it on a shelf that has power and a network connection. No other peripherals are necessary as everything can be managed through SSH or a web browser.

    To upgrade the BIOS, boot the computer by plugging it in and pressing the power button on top. Press F7 during the initial POST, choose the USB flash drive, select the .BIO file, and press ENTER. Once the BIOS is loaded, the machine will reboot.

    Introducing Proxmox 4.0 Virtual Environment

    When it comes to virtualization, we’ve been big fans of Proxmox for a very long time. We introduced Proxmox for VoIP virtualization over six years ago. Things have come a long way since then. And Proxmox VE 4.0 is the culmination of years of hard work by a very talented development team. You can read all about the new feature set and support for KVM and Linux Containers here. Our own take on virtualization is that OpenVZ templates were appealing because they installed and loaded quickly. The downside was they shared a single (proprietary) kernel which often led to security issues and made firewall implementation at the virtual machine level difficult. Of course, any applications such as DAHDI that required kernel implementation were extremely complex to implement and use. Now that almost all of Intel’s and AMD’s processors support virtualization extensions (Intel VT or AMD-V), we were not one to shed tears when Proxmox dropped support for OpenVZ and replaced it with Linux Containers. In fact, for our purposes, they could have left out Linux Containers as well. They suffer from some of the same quirks that made OpenVZ implementations problematic. The platform we’ve chosen for VoIP implementation has full support for virtualization extensions which means you can load and run complex applications such as Windows and Incredible PBX just as if you were using standalone hardware. The only real difference is we’re going to provide a template for building KVM-based Incredible PBX virtual machines in under 30 seconds. So you’ll get the best of both worlds, standalone computer functionality coupled with jaw-dropping implementation speed. For those that train or support multiple independent organizations as well as those that love to tinker and experiment, our solution has no equal.

    To begin, download the Proxmox VE 4.0 ISO and burn it to a CD or DVD.

    As we mentioned last week, if you don’t happen to have one, LG’s tiny USB-powered DVD Writer is the best $25 you will ever spend. And they keep getting cheaper!

    Installing Proxmox VE 4.0 on the Intel NUC

    Now we’re ready to get started. Insert the Proxmox VE 4.0 CD into the drive connected to your Intel NUC and boot the machine. Press F10 during POST and choose the CD/DVD drive to start the Proxmox install. Accept the license agreement and fill in the blanks. The important piece is to give your server a hostname. Just be sure it starts with proxmox4, e.g. proxmox4.incrediblepbx.com or use your own domain: proxmox4.yourdomain.com. The actual domain becomes important only if your server will be directly connected to the Internet in which case the FQDN obviously matters. Otherwise, Proxmox needs the hostname to manage things internally. Assign a permanent IP address for your server or use DHCP to obtain an IP address and then reserve that IP address for use by Proxmox in your router’s settings. Either way works fine, but you don’t want the IP address changing down the road.

    BIOS Adjustments to Support Proxmox VE 4.0

    Once the Proxmox install completes, it’s time to reboot. During the POST, press F2 to access Intel’s Visual BIOS. If you followed along last week, you’ll recall that we made some changes to accommodate Legacy booting of the server in lieu of UEFI. This week we need a different approach because of some quirks in the Proxmox server implementation procedure. We pulled our hair out (what little is left) for a couple days wrestling with this because the server wouldn’t automatically boot in either Legacy boot mode OR UEFI mode. The reason is because Proxmox puts a GPT label on the drive signifying that it’s a UEFI-compatible device whether UEFI is disabled in the BIOS or not. This confuses the Intel NUC bootloader. So you end up with a boot failure and the cryptic message “No boot device found.” Proxmox blames Intel for a buggy BIOS even though Intel developed the GPT specification. If you enjoy food fights, break out the popcorn and enjoy the dialog on the Proxmox Forum. Suffice it to say, there’s a difference of opinion about who should fix this. Here’s the easy way to resolve the impasse.

    In Visual BIOS, click Advanced tab. Click Boot tab. Click Boot Priority. Make it look like this:

    If the BuiltIn EFI Shell option doesn’t appear, don’t worry about it. Just press F10 to save your changes anyway. When your server reboots, it will drop into the EFI shell. Type the following commands pressing ENTER after each entry:

    fs0:
    echo "fs0:\EFI\proxmox\grubx64.efi" > fs0:\startup.nsh
    startup.nsh

    At this point, your server should boot into Proxmox. On reboot, the EFI shell will appear momentarily followed by an automatic boot into Proxmox. Solved!

    Using Incredible PBX with Proxmox 4.0

    You now have a functioning Proxmox server. When you reboot and login as root, the server will tell you how to access the Proxmox GUI with your browser. Before we put the necessary pieces in place to support Incredible PBX, we want to provide a very brief technical overview of how best to use Proxmox virtualization based upon our testing. Using a methodology similar to that demonstrated by AVOXI using Docker at this year’s AstriCon meeting, we use a backup image to instantiate “KVM containers.” We hear some of you saying, “There’s no such animal.” And right you are. The nomenclature is different, but the concept is similar. In fact, our simulated KVM Containers work exactly like OpenVZ and Linux Containers with none of the drawbacks of a shared kernel. And the good news is Proxmox 4 implements this perfectly through its backup and restore mechanisms. New kernel-based virtual machines can be created in under 30 seconds. Following initial login to a new KVM as root from the console, we individualize the KVM by randomizing passwords, creating new SSH credentials, and setting up a custom whitelist for the Incredible PBX IPtables firewall. The initialization procedure takes less than a minute and is only run the first time you log into your new KVM as root. The bash init script is here: /etc/profile.d/helloworld.sh.

    Preliminary Setup Steps with Proxmox 4.0

    The most important setup step is to put your Proxmox server behind a hardware-based firewall or configure the built-in firewall to keep out the bad guys. Proxmox has had their share of security vulnerabilities over the years so this is really critical. It’s beyond the scope of this article to walk through the entire firewall setup process, but you’ll find plenty of literature on the Proxmox Wiki and Forum as well as on the Internet. Each of your KVMs will have its own preconfigured whitelist using the IPtables firewall, and any of the Incredible PBX tutorials can walk you through adding and changing entries in those whitelists.

    To use the backup and restore functionality of Proxmox, you’ll need to create a backup storage directory in the Proxmox GUI. After logging in as root, click Datacenter in the Server View, click the Storage tab, click the Add button, and choose Directory from the pulldown list. Fill in the blanks like this using VZDump Backup File for the Content type:

    If you have access to a Cloud-based or local NFS device, it’s just as easy to create an additional backup directory on your NFS server. Follow the same steps and choose NFS from the Storage pulldown. With NFS, you must first set up a storage directory with NFS permissions for the IP address of your Proxmox server.

    Last, but not least, you need to learn your way around in the GUI. proxmox4 is the name of your server if you followed our recommended setup for your hostname. Under the server, you will find entries for each of your KVM, Linux Containers (LXC), and other drives, e.g. local, backup, and synology.

    To add a new LXC image to your server, choose local -> Content -> Templates, pick the desired LXC image, and click Download.

    To add new ISO images to your server for building KVMs, choose local -> Content -> Upload, pick ISO Image as the Content type, choose the ISO from your desktop by pressing Select File, then click Upload button.

    To start up Virtual Machines once you have created them, click on the VM number under proxmox and click Start. To access the virtual machine once it has begun booting, click Console.

    To shutdown a KVM, click on the VM number under proxmox and click Shutdown. Or you can type halt after logging into the KVM as root from the KVM’s Console.

    For a list of all available content, choose proxmox4 -> local -> Content.

    Loading the Incredible PBX 13 Components into Proxmox 4.0

    We need to put two pieces into place to get things rolling with Incredible PBX 13. There are two ways to create Incredible PBX 13 KVMs. You can do it manually from the IncrediblePBX13.iso just as you would on a stand-alone machine. Or you can restore from the IncrediblePBX13 KVM backup image to create a new KVM. The first method takes about 30 minutes. The second method takes less than 30 seconds. The choice is all yours. The results are exactly the same.

    Before you can create KVMs, we need to put the Incredible PBX 13 backup image and the Incredible PBX 13 ISO in their proper places. To save some time and steps, we’re going to load the backup image by logging into the Proxmox server as root. For the ISO image, we’ll use the GUI.

    To install the Incredible PBX 13 backup image, log into your server as root using SSH and issue these commands:

    cd /
    wget 'http://downloads.sourceforge.net/project/pbxinaflash/IncrediblePBX13-12 with Incredible PBX GUI/IncrediblePBX13-KVM.tar.gz'
    tar zxvf IncrediblePBX13-KVM.tar.gz
    rm IncrediblePBX13-KVM.tar.gz
    

    To install the Incredible PBX 13 ISO image, first use a web browser to download IncrediblePBX13.iso to your desktop from SourceForge. Next, login to your Proxmox GUI and choose proxmox4 -> local -> Content -> Upload, pick ISO Image as the Content type, choose IncrediblePBX13.iso from your desktop by pressing Select File, then click the Upload button.

    Your Incredible PBX 13 backup image should now appear under proxmox4 -> backup -> Content.

    Your Incredible PBX 13 ISO image should now appear under proxmox4 -> local -> Content.

    Building Your First Incredible PBX 13 Virtual Machine

    To create a new Incredible PBX Virtual Machine, click the options in the order shown on the image above. Use any VM number desired. In less than 30 seconds, you’ll have your first 10GB Incredible PBX 13 Virtual Machine in place:

    Initializing KVM Network Device MAC Address. If you ever create more than one KVM from the same backup image, you must initialize the network device’s MAC address before starting the KVM. Otherwise, you will get a conflicting network connection and a mess. Best practice: ALWAYS initialize the network device MAC address when you first create a new KVM from a backup. Click on the VM number in the left column under proxmox4. Then click the Hardware tab, click Network Device, and Edit. Erase the existing MAC address and click OK. Now it’s safe to start the KVM. The telltale sign that you forgot to do this will be a flaky network connection on one or more of your KVMs. If it happens, just delete the offending KVM and create a new one. You won’t forget but once. 😉

    To start your new Incredible PBX Virtual Machine, click on the VM number in the left column under proxmox4. Then click the Start button on the right side of the Proxmox GUI header. The Tasks list at the bottom of the GUI will show it loading. Now click on the Console button at the top of the GUI to open a QEMU console session with your virtual machine. At the login prompt, login in as root with the default password: password. The startup script will complete the customization of your server in less than a minute. Then you’re ready to go. Complete the same configuration steps that you would on any new Incredible PBX server:

    Change your root password and make it very secure: passwd
    Create admin PW to access Incredible GUI and FreePBX® GPL modules: /root/admin-pw-change
    Set your correct time zone: /root/timezone-setup
    Create admin PW for web apps: htpasswd /etc/pbx/wwwpasswd admin
    Make a copy of your Knock codes: cat /root/knock.FAQ
    Decipher IP address and other info about your server: status

    Now it’s time to pick up the Incredible PBX 13 tutorial for CentOS and continue on with your adventure if you’ve never done this before. Then take a good look at the Incredible PBX Application User’s Guide to get the most out of your new server.

    Building a second, third, and fourth KVM is just as easy as building the first one.

    Backing Up Incredible PBX 13 Virtual Machines

    The real beauty of virtualization and Proxmox in particular is that you can make instantaneous backups of your virtual machine at any time whether the virtual machine is running or not. Those backups can be copied to off-site storage for safe keeping. The critical component of any server is the reliability of and ease with which you can recover from a catastrophic failure. It doesn’t get any easier than this.

    To make a backup of your virtual machine to your backup directory, click on the VM ID number in the left column. Then click Backup -> Backup Now. Fill in the blanks of the backup template.

    To make a backup of your virtual machine to a local or off-site NFS device, it’s just as easy. Click on the VM ID number in the left column. Then click Backup -> Backup Now. Fill in the blanks of the backup template. Makes you want to run right out and buy a Synology NAS/NFS device, doesn’t it?

    Restoring a virtual machine from a backup is just as easy as it was to create the virtual machine image from our backup above. Just choose your backup image instead of the one we provided.

    Backing up your virtual machines is only half the story, of course. It also is important to get a backup of the whole enchilada, i.e. the entire Proxmox server. Luckily, the latest version of Clonezilla works perfectly after you have applied the UEFI BIOS patch as documented above. Enjoy!

    Originally published: Monday, October 19, 2015






    Need help with Asterisk? Visit the PBX in a Flash Forum.


     
    Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.


    ​​3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at www.3cx.com.

  • Run on Premise or in the Cloud, on Windows and soon Linux
  • Softphones for iOS, Android, Win & Mac
  • Easy install, backup & restore, version upgrades
  • Automatically configures IP Phones, SIP Trunks & Gateways

  • Some Recent Nerd Vittles Articles of Interest…

    1. Some of our purchase links refer users to Amazon and other sites when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from merchants to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support Amazon and other merchants because they support us. []

    Firewalls 101: Why Every Asterisk Server Should Have a Functioning Firewall


    Part of our fundamental disagreement with the FreePBX® design can be summed up in one word: FIREWALL or the lack of a functioning firewall in the FreePBX Distro and in the functionally identical Digium product, AsteriskNOW®.1 Most of the other design choices including the controversial, non-GPL compliant Module Signature Checking mechanism are touted as failsafe ways to detect altered systems even though changes in FreePBX MySQL tables and Asterisk config files can be modified easily without triggering alerts. In short, the Band-Aid® approach to module tampering does nothing to address the fundamental problem, prevention of unauthorized intrusions in the first place.

    Some would contend that the included Fail2Ban product is specifically designed to prevent unauthorized intrusions by locking out the bad guys after a certain number of failed login attempts. Assuming Fail2Ban were functioning properly, which does not appear to be the case, putting all your eggs in the Fail2Ban basket also ignores several critical shortcomings in Fail2Ban. First, it has been documented that powerful servers such as Amazon EC2 and Twitter botnets give hackers almost unlimited intrusion attempts before Fail2Ban ever gets a time slice sufficient to scan logs for intrusion attempts. Second, Fail2Ban provides no protection against stealthy distributed bruteforcing activity. For example, if a botnet with 770,000 PCs attacked your server and each PC executed only two login attempts, Fail2Ban never gets triggered even assuming your server could handle the load and Fail2Ban got sufficient server resources to actually scan your logs. Finally, Fail2Ban provides no protection against Zero Day vulnerabilities where an intruder basically walks right into your server because of an unidentified vulnerability lurking in the existing code. Unfortunately, these are not hypothetical situations but regular occurrences over the past 10 years of Asterisk and FreePBX development. In a nutshell, that’s why you need a real firewall. It completely blocks all access to your server by unauthorized users all of the time.

    Numerous companies have intentionally exposed Asterisk® servers to the public Internet in a continuing effort to identify problems before they affect “real servers.” We know of no similar efforts with a platform that includes FreePBX as an integral component of the server. Why? Because the potential for Zero Day Vulnerabilities in a platform of modular design is enormous. One vulnerable component in FreePBX and the entire house of cards collapses because of the blank check server access that a compromised FreePBX asterisk user account gives to an intruder. It’s the fundamental reason that services such as Apache were engineered to run with different user credentials than a root user in the real world. In essence, the current FreePBX design with Asterisk has elevated asterisk user credentials to allow root-like access to almost every server file and function with the exception of SSH access. And SSH access becomes all but unnecessary given the scope of the GUI functionality provided within FreePBX and the escalated privileges it enjoys.

    On FreePBX-based Asterisk servers, the absence of any user account separation means Asterisk, Apache, and FreePBX services all operate under the single asterisk user account. If any piece collapses due to a vulnerability, the intruder gets the keys to the castle including read/write access to Asterisk and FreePBX manager credentials and config files as well as broad MySQL access. This, in turn, exposes your VoIP account credentials in addition to facilitating SQL injection into any and all FreePBX database tables. Because FreePBX “hides” numerous settings in over a hundred MySQL tables, the Asterisk DB, and dozens of Asterisk config files, once the asterisk user account access is compromised, many of the major components on your server could be cleverly reconfigured without leaving much of a hint that your server had been compromised. In fact, VoIP account credentials could be extracted and used elsewhere with no traceable footprint back to your server. For all you would know, your provider compromised your credentials rather than the other way around. Just another reminder that keeping a credit card on file for automatic replenishment with VoIP providers is a very bad idea!

    Providing the asterisk user with these broad permissions was a (poor) design choice. Why was it done? To make it easy for the developers to alter virtually everything on your Asterisk server using FreePBX’s integrated Module Admin component. Root user permissions are never required to do much of anything other than server platform upgrades once the FreePBX Distro or AsteriskNOW product is installed. That’s exactly the design one would expect to find in a commercial, closed source software platform. But it’s unusual in the open source community to put it charitably. We trust we’ve made the case why a rock-solid firewall with any product that uses FreePBX modules is absolutely essential. FreePBX is a wonderful GUI, but use of the platform without a properly configured, fully functional firewall could be financially catastrophic not to mention the serious damage it could cause to others including the good reputation of Asterisk in the Internet community.

    Our objective next week will be to help you implement a functioning Linux-based software firewall on the FreePBX Distro and AsteriskNOW platforms. It’s FREE! Not only will this improve the security of your server, but it will deny the bad guys a platform from which to launch mischievous acts against the rest of us. Unless you’re running Asterisk on a Cloud-based platform, do all of us a favor NOW! Run, don’t walk, to your nearest electronics store (including WalMart and BestBuy) and purchase one of the dozens of inexpensive NAT-based routers. Install it between the Internet and your server TODAY! This is the one we use, but there are plenty from which to choose including our refurbished one.2


    NEWS FLASH:
    Download the new FUD-Free Firewall for FreePBX Distro and AsteriskNOW.

    Originally published: Monday, August 3, 2015




    Need help with Asterisk? Visit the PBX in a Flash Forum.


     
    Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.


    ​​3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at www.3cx.com.

  • Run on Premise or in the Cloud, on Windows and soon Linux
  • Softphones for iOS, Android, Win & Mac
  • Easy install, backup & restore, version upgrades
  • Automatically configures IP Phones, SIP Trunks & Gateways

  • Some Recent Nerd Vittles Articles of Interest…

    1. Technically, IPtables is running on the FreePBX Distro and AsteriskNOW platforms; however, it’s sole function is to act as the shutdown mechanism for Fail2Ban-detected breaches. It does not independently examine packets. There is no functioning iptables config file. From our vantage point, serving as the Fail2Ban traffic cop doesn’t qualify as a functioning firewall since it lacks any of the traditional IPtables rules that manage PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING of packets. []
    2. Where prices are competitive or availability is a factor, we often recommend Amazon because Amazon provides financial support to Nerd Vittles through our referral links. We encourage everyone to shop independently and purchase products from suppliers that best meet your own requirements. []

    A Firsthand Look at Disaster Recovery: Tethering and IAX with Asterisk

    One of the exciting challenges of building a swimming pool is knowing that it’s just a matter of time until your Internet connection dies. As you might imagine, swimming pools are major construction and involve a lot of digging. And digging usually means some oops moments when cables get cut. In our case, we had watched the folks digging the trenches for all of the pool plumbing to be sure they didn’t accidentally whack one of three coax cables coming into our house. And, when it came time to cover up the trenches, we pointed out the orange cables to the Bobcat driver knowing we were finally home free. Not so fast! Two minutes later, Mario had driven the Bobcat right over the primary Internet cable leaving the shredded remains sticking up through the dirt. Oops. Sorry. Shit happens!

    Looking on the positive side, we chuckled, “What a perfect opportunity to test our backup Asterisk® system!” Our backup system is pretty clever if we do say so. It relies upon a Verizon WiFi HotSpot running on our Galaxy smartphone and a duplicate of our Asterisk-based PBX in a Flash™ server running as a virtual machine under VirtualBox on an iMac desktop. The entire setup takes less than a minute to activate. Well, that was the plan anyway.

    It turns out that Verizon does SIP a little differently with a SIP ALG in the path so Asterisk couldn’t register with all but one of our dozen SIP providers. Congratulations, CallCentric! The workaround is to enable STUN. That is now possible with Asterisk 11. Short of that, you’re left with CallCentric. Unfortunately for us, we don’t do much SIP trunking with CallCentric, and none of our primary DIDs are connected through them. The other option is to add port=5080 to your trunk setup with any SIP trunks you register with VoIP.ms using a username and password. Our attention span was too short to tackle STUN in the middle of this crisis. But there’s good news. Verizon doesn’t mess with IAX network traffic at all. Since a couple of our primary DIDs are registered with VoIP.ms using IAX trunks, restoring these IAX trunks to full functionality took less than a minute. That is step one of a three-step process. You need inbound trunks, phones, and outbound trunks to get your redundant VoIP server back in business.

    Getting phones to function on what is now a purely WiFi network (through the Verizon HotSpot) can be problematic unless you’ve done your homework and sprinkled a few WiFi-capable SIP phones around your home or office. In our case, we still have Grandstream’s GXP2200 Android phones scattered everywhere so it was just a matter of plugging in the WiFI adapters and rebooting. The newer GXV3240 would work just as well.1

    All that remained was enabling several trunks for outbound calls. Since VoIP.ms IAX trunks support both incoming and outgoing calls, we were home free. And, with Google Voice trunks, it was simply a matter of jumping through Google’s security hoops to reenable the connections on a new IP address.

    Lessons Learned. Here’s a quick checklist for those of you that think about disaster recovery for your home or for clients and businesses. Nothing beats some advance planning. If money is no object, then WiFi tethering from a smartphone with one of the major providers whose service works well in your home or office environment is the way to go. 4G is a must!

    In our case, money was an object so we had the foresight to acquire a Verizon SIM card from eBay that included an unlimited data plan. With this setup, it costs only $1 a day extra to add WiFi tethering, and you can turn it off and on as often as you like without any additional fees or surcharges. There also are no additional charges for using boatloads of data! We’re actually writing this column with a tethered connection from a hotel in Washington (results above). To give you some idea of why an unlimited data plan is important, our home operation burned through 4 gigs of data in less than 24 hours once we activated WiFi tethering. Of course, there were people doing things other than making phones calls, but tethering enables 5 connections to function just about like the cable modem service you originally had in place. So expect the data usage to be substantial. Everybody likes 24/7 Internet service.

    Loss of phone calls through a PBX is more of an annoyance than a crisis these days because almost everyone also has a smartphone. Even so, the SIP gotcha with Verizon Wireless was a surprise because we hadn’t really tested our super-duper emergency system in advance. That wasn’t too smart obviously. The old adage applies. Do as we say, not as we do. Unplug your cable modem or DSL connection and actually test your backup system before D-Day arrives.

    On the VoIP provider end, now is the time to set up an account with a provider that offers both SIP and IAX connectivity. Step 2 is to actually configure an IAX trunk (as a subaccount to use VoIP.ms parlance) and test it. IAX trunks actually have fewer headaches with NAT, but there are only a handful of providers that still provide the service. Find one now and make certain that your primary DIDs will roll over to the IAX trunk in case of an outage. I’m always reminded that we have Mark Spencer to thank for IAX. It was his brainchild. Thank you, Mark! With VoIP.ms, you also can spoof your CallerID so that calls will still appear to originate from your primary Asterisk PBX.

    Keep in mind that a VirtualBox-based Asterisk virtual machine and a Desktop computer both need an IP address and will have to be started on WLAN0 rather than ETH0. Remember, your wired connection is now dead.

    You’re also going to want to acquire at least a couple of WiFi-capable SIP phones that can be connected with your Asterisk server using your WiFi HotSpot. Also make certain that you have a preconfigured IPtables firewall on your backup system. Remember, your hardware-based firewall connected to your cable modem won’t provide any protection once you switch to HotSpot operation. Lucky for you, Incredible PBX™ servers come preconfigured with a locked-down IPtables firewall and a WhiteList. Just add the new IP addresses of your server and phones, and you’re secure on the public Internet.

    Finally, let’s do the HotSpot connection math. You’ll need an IP address for your desktop computer running VirtualBox. You’ll need a second IP address for the Asterisk virtual machine. Then you’ll need an IP address for every WiFi-enabled SIP phone. If the maximum number of connections is five on your HotSpot, that means you’ve got the necessary capacity for at most 3 WiFi SIP phones assuming you don’t enable a WiFi printer and if nobody else wants to use a computer during the outage. The other option is to add an inexpensive travel router with bridge mode to your mix of 5 devices. We always keep one handy for extended trips. A properly configured travel router provides an additional WiFi network with some extra WiFi connections. Good luck!



    Security Alerts. Serious SSL and FreePBX security vulnerabilities have been discovered AND patched during the past week. If you have not patched your server and Asterisk, FreePBX, Apache, and/or WebMin are exposed to the public Internet, you have a serious problem on your hands. See this thread for details on the FreePBX vulnerability. And see this thread for the steps necessary to patch SSL in Asterisk, Apache, and Webmin. While Incredible PBX servers were automatically patched for the FreePBX vulnerability, the SSL issues require manual patching and an Asterisk upgrade. A script for upgrading Asterisk 11 servers is included in the message thread linked above. ALWAYS run your VoIP server behind a firewall with no Internet port exposure to Asterisk, FreePBX, SSH, or the Apache and Webmin web servers! And, if you think all of this security stuff is just a silly waste of your time, then read about the latest lucky recipient of a $166,000 phone bill.

    Originally published: Monday, October 20, 2014



    Need help with Asterisk? Visit the PBX in a Flash Forum.


     
    Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.


    ​​3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at www.3cx.com.

  • Run on Premise or in the Cloud, on Windows and soon Linux
  • Softphones for iOS, Android, Win & Mac
  • Easy install, backup & restore, version upgrades
  • Automatically configures IP Phones, SIP Trunks & Gateways

  • Some Recent Nerd Vittles Articles of Interest…

    1. Some of our links refer users to Amazon or other service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. However, when pricing is comparable or availability is favorable, we support these providers because they support us. []

    It’s An Oligopoly, Stupid: What’s Wrong with Comcast Business Class Internet?

    Let’s begin with what sounds like a fairy tale but turns out to be a nightmare. After watching your country invest hundreds of millions of dollars in taxpayer-subsidized infrastructure, you’ve finally decided it’s time to buy your own car. You visit the only car dealer in town and are told that all vehicles are leased, not sold, for a period of three years. Cars come in three models. Would you like a 200, 300, or 400 horsepower engine? You opt for the 400 horsepower model and, just as your new car sputters off the lot, you discover a 14-page list of Terms and Conditions in your glove box. The document reveals that the manufacturer doesn’t make any guarantees regarding the performance or reliability of your new vehicle. And, if you attempt to return the car in a couple months because of the vehicle’s unreliability or lousy performance, you agree to forfeit 75% of the entire cost of the 3-year lease. And, no, you cannot sublease or even give your crappy purple Scion1 to somebody else. Aside from the fact that Scion actually makes great automobiles with excellent warranties, the only real difference in this scenario and The World According to Comcast is the fact that, with a car, the item being leased becomes less valuable every day. With Comcast, prices continue to go up, and up, and up…


    So perhaps you think the cellphone oligopoly is similar. The Bell Sisters could only wish. With a cellphone plan, the carriers actually subsidize the cost of your discounted cellphone by spreading the cost over a period of two years. Thus, their early termination fees which typically run $200 to $300 are closely tied to recovery of the subsidized cost of your discounted phone. With Comcast, the company is not providing any hardware that you don’t actually pay for either up front or on a pay-as-you-go basis. Build out costs are payable in advance. Cable modems are leased by the month. When you discontinue service, the cable modem is returned and handed out to the next poor sucker customer waiting in line.

    GDE Error: Error retrieving file - if necessary turn off error checking (404:Not Found)

    Early Termination Fees. So let’s calculate the fee that Comcast could impose if you decide after a couple months that your business can no longer survive on their “Business Class” level of service and performance. On the Business Internet D50 plan (note that there’s no mention in the contract that this has been touted by the sales rep as a 50Mbit down, 10Mbit up Internet service), the “discounted” cost with one static IP address is $125 per month for 36 months = $4,500. You used the service for two months which reduces the lease balance to $4,250. The 75% Early Termination Fee for the service you never used and for which Comcast made no representation as to performance or reliability works out to a whopping $3,187.50. Makes your $125 monthly cellphone bill sound like a bargain, doesn’t it?

    According to Craig Moffet, an analyst at the Wall Street firm Bernstein Research, Comcast and Time Warner are making a 97 percent margin on their “almost comically profitable” Internet services. So this is clearly not a case of recovering infrastructure costs. After all, most of those were either paid or subsidized by federal, state, and local governments. This is simply an oligopolist doing what they do best in unregulated local markets with almost zero competition by regulatory design. It’s good old-fashioned price gouging! What a coincidence that Comcast also happens to be one of the “top ten” political contributors in the United States.

    Internet Performance. The other glaring problem lies with Comcast selling tiers of service at different price points while providing no assurance that the performance levels will ever be met. We all appreciate that Internet performance can vary; however, the Comcast terms go far beyond that. If Comcast provided a 2400 baud modem level of performance for three years, our reading of the contract terms suggests that Comcast is fully within its rights even though the service was sold as offering 50 megabit download speeds. Comcast’s terms and conditions specifically disclaim any responsibility for achieving any performance measurement ever. In short, the speed designations allow Comcast to charge higher rates without offering anything of contractual value to the customer in return.

    How’s the Service? Let us briefly replay the last 8 days of dealing with Comcast Business Class in our office. This all transpired while a Comcast sales rep was pitching a new 3-year contract as the only way for us to decouple our existing Business Class Internet “service” from our residential cable TV bill. This would allow us to once again get business class support without a 30-minute residential support run-around on every Business Class Internet support call, a highly touted (and necessary!) feature that actually worked during the first two years of our first contract.

    Sunday, Oct. 6, 6 a.m. – Preparing to leave town for AstriCon 10. Internet dead.
    Sunday, Oct. 6, 7 a.m. – Reset cable modem, Comcast tests modem. All fine. Internet still dead.
    Monday, Oct. 7, all day – Repeat of Sunday. Internet still dead.
    Tuesday, Oct. 8, all day – Same story.
    Wednesday, Oct. 9, all day – Same story.
    Thursday, Oct. 10, 4 p.m. – Another hour with Comcast support. Will try to schedule visit for Friday.
    Friday, Oct. 11, 10 a.m. – Tech arrives. Takes one look at modem and declares the unit defective.
    Friday, Oct. 11, rest of day – Internet works.
    Saturday, Oct. 12, 6 a.m. – Internet dead. Comcast reports A-OK. Is the modem in bridge mode? Yes.
    Sunday, Oct. 13, 3 p.m. – Comcast support: In bridge mode? Ooops. No. Internet finally works.
    Monday, Oct. 14, 4 p.m. – Internet dead. Looks like a fiber cut. Offers 1 month Internet credit.
    Monday, Oct. 14, 9 p.m. – Internet works.

    What Can You Do About It? For openers, raise hell with your favorite Congressman. Assuming he or she didn’t receive a “political contribution,” it might actually help. Then write or visit your state and local elected representatives and hand them a copy of this article if you’re too shy to tell your own story. Nearly everybody has a ‘Comcast Story’ to tell. Encourage all of these folks either to open up the marketplace for real competition or to establish local initiatives to bring affordable Internet service to local businesses and communities. Last, but not least, write your local newspaper and encourage them to shine a spotlight on business practices such as these. You might be surprised by the results. If there’s an organization that deserves a lower job approval rating than Congress, we have a tip for you.

    What’s Next? We’ve reached out to @ComcastCares for comment. We’ll let you know if there’s a meaningful response.

    Originally published: Tuesday, October 15, 2013




    Need help with Asterisk? Visit the PBX in a Flash Forum.


     
    Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.


    ​​3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at www.3cx.com.

  • Run on Premise or in the Cloud, on Windows and soon Linux
  • Softphones for iOS, Android, Win & Mac
  • Easy install, backup & restore, version upgrades
  • Automatically configures IP Phones, SIP Trunks & Gateways

  • Some Recent Nerd Vittles Articles of Interest…

    1. With apologies to Scion that actually makes perfectly functional and dependable automobiles! Listen to the song for details. []

    Introducing NeoRouter 1.9 VPN: Still a Shining Star

    In a previous article, we introduced PPTP VPNs for interconnecting remote users and branch offices to a central network hub. Known as a hub-and-spoke VPN, the advantage of this design is it lets remote users participate as peers in an existing home office LAN. It’s simple to set up and easy to maintain. The drawback is vulnerability to man-in-the-middle attacks.

    Today, we want to revisit the more traditional client-server VPN which relies upon a central server but uses a star topology to connect remote nodes. The major difference is that only registered devices participate in the virtual private network so there is no direct access to other machines on the LANs of the registered devices. If you have servers scattered all over the countryside, however, this is an excellent way to manage and interconnect them. All data and communications between the nodes can then be routed through the encrypted VPN tunnel for rock-solid security and NSA avoidance. Well, maybe and maybe not…

    https://twitter.com/chrisVEGGIE16/status/364463018647629824

    With NeoRouter’s latest 1.9 (free) software, you can set up your VPN server using a PC, a Mac, a Linux or FreeBSD machine, OpenWrt Backfire, Tomato, or even a Raspberry Pi. VPN clients are available for PCs, Macs, Linux and FreeBSD machines, Raspberry Pi, OpenWrt, Tomato as well as Android and iOS phones and tablets. There’s even an HTML5 web application in addition to a Chrome browser plug-in. With the OpenWrt and Tomato devices or if you’re an extreme techie, you can broaden your NeoRouter star configuration to include bridging of remote LANs. See pp. 47-50 of the NeoRouter User’s Manual.

    You can interconnect up to 256 devices at no cost. For $999, you can enlarge your VPN to support 1,000 devices. Screen sharing, remote desktop connections, HTTP, and SSH access all work transparently using private IP addresses of the VPN nodes which are automatically assigned in the 10.0.0.0 private network.

    Several years ago, we kissed Hamachi goodbye. Suffice it to say, LogMeIn put the squeeze on the free version to the point that it became next to worthless. In fact, you’d be hard-pressed to find any mention of a free version of Hamachi (other than a trial edition) on LogMeIn’s current web site. Here’s a feature comparison which says it better than we could:

    Today we are introducing the second generation of the NeoRouter VPN solution. We have a simple installation script that works with any current PBX in a Flash™ server. It’s suitable for use on a dedicated server or running as a virtual machine. Whether to run NeoRouter 1.9 server on a dedicated machine is your call. Keep in mind that a dedicated platform isolates your VPN server from your PBX which generally is a better network strategy. Regardless of the installation scenario you choose, remember that neither option requires exposure of your entire server to the Internet. Only a single TCP port needs to be opened in your hardware-based firewall and IPtables Linux firewall.

    NeoRouter Setup with PIAF™. We’re assuming you already have a PBX in a Flash server set up behind a hardware-based firewall. If not, start there. Next, we’ll need to download and run the installer for your new NeoRouter Server. It also installs the client. Just log into your server as root and issue the following commands:

    wget http://incrediblepbx.com/install-neorouter
    chmod +x install-neorouter
    ./install-neorouter

    The installer will walk you through these five installation steps, but we’ll repeat them here so you have a ready reference down the road.

    First, on your hardware-based firewall, map TCP port 32976 to the private IP address of your PIAF server. This tells the router to send all NeoRouter VPN traffic to your PIAF server when it hits your firewall. If you forget this step, your NeoRouter VPN will never work!

    Second, we’re going to use your server’s public IP address as the destination for incoming traffic to your NeoRouter VPN. If this is a dynamic IP address, you’ll need an FQDN that’s kept current by a service such as DynDNS.com.

    Third, each administrator and user is going to need a username to access your NeoRouter VPN. You can use the same credentials to log in from multiple client machines, something you may or may not want to do. We’re going to set up credentials for one administrator as part of the install. You can add extra ones by adding entries with one of the following commands using the keyword admin or user. Don’t use any special characters in the username and password!

    nrserver -adduser username password admin
    nrserver -adduser username password user

    Fourth, make up a very secure password to access your NeoRouter VPN. No special characters.

    You’re done. Review your entries very carefully. If all is well, press Enter. If you blink, you may miss the completion of the install process. It’s that quick.

    Fifth, after your NeoRouter 1.9 VPN is installed, you can optionally go to the NeoRouter web site and register your new VPN by clicking Create Standalone Domain. Make up a name you can easily remember with no periods or spaces. You’ll be prompted for the IP address of your server in the second screen. FQDNs are NOT permitted.

    When a VPN client attempts to login to your server, the server address is always checked against this NeoRouter database first before any attempt is made to resolve an IP address or FQDN using DNS. If no matching entry is found, it will register directly to your server using a DNS lookup of the FQDN. Whether to register your VPN is totally up to you. Logins obviously occur quicker using this registered VPN name, but logins won’t happen at all if your server’s dynamic IP address changes and you’ve hard-coded a different IP address into your registration at neorouter.com.

    Setting Up a NeoRouter Client. As mentioned previously, there are NeoRouter clients available for almost every platform imaginable, including iPhones, iPads, and our beloved Raspberry Pi. So Step #1 is to download whatever clients are appropriate to meet your requirements. Here’s the NeoRouter Download Link. Make sure you choose a client for the Free version of NeoRouter. And make sure it is a version 1.9 client! Obviously, the computing platform needs to match your client device. The clients can be installed in the traditional way with Windows machines, Macs, etc. Older NeoRouter 1.7 clients still work with the new 1.9 server; however, the Android client is much improved and now provides the same functionality as the Mac and Windows clients. In short, you can use your NeoRouter VPN tunnel to connect to another resource using SSH, VoIP clients, and web browsers.

    CentOS NeoRouter Client. As part of the installation above, we have automatically installed the NeoRouter client for your particular flavor of CentOS 6, 32-bit or 64-bit. In order to access resources on your NeoRouter server from other clients, you will need to activate the client on your server as well. This gets the server a private IP address in the 10.0.0.0 network.

    To activate the client, type: nrclientcmd. You’ll be prompted for your Domain, Username, and Password. You can use the registered domain name from neorouter.com if you completed step #5. Or you can use the private IP address of your server. If your router supports hairpin NAT, you can use the public IP address or server’s FQDN, if you have one. After you complete the entries, you’ll get a display that looks something like this:

    To exit from NeoRouter Explorer, type: quit. The NeoRouter client will continue to run so you can use the displayed private IP addresses to connect to any other online devices in your NeoRouter VPN. All traffic from connections to devices in the 10.0.0.0 network will flow through NeoRouter’s encrypted VPN tunnel. This includes inter-office SIP and IAX communications between Asterisk® endpoints.

    Admin Tools for NeoRouter. Here are a few helpful commands for monitoring and managing your NeoRouter VPN.

    Browser access to NeoRouter Configuration Explorer (requires user with Admin privileges)

    Browser access to NeoRouter Network Explorer (user with Admin or User privileges)

    Manage your account on line at this link

    To access your NeoRouter Linux client: nrclientcmd

    To restart NeoRouter Linux client: /etc/rc.d/init.d/nrservice.sh restart

    To restart NeoRouter Linux server: /etc/rc.d/init.d/nrserver.sh restart

    To set domain: nrserver -setdomain YOUR-VPN-NAME domainpassword

    For a list of client devices: nrserver -showcomputers

    For a list of existing user accounts: nrserver -showusers

    For the settings of your NeoRouter VPN: nrserver -showsettings

    To add a user account: nrserver -adduser username password user

    To add admin account: nrserver -adduser username password admin

    Test VPN access: http://www.neorouter.com/checkport.php

    For a complete list of commands: nrserver –help

    To change client name from default pbx.local: rename-server OR…

    • Edit /etc/hosts
    • Edit /etc/sysconfig/network
    • Edit /etc/sysconfig/network-scripts/ifcfg-eth0
    • Edit /etc/asterisk/vm_general.inc
    • reboot

    For the latest NeoRouter happenings, follow the NeoRouter blog on WordPress.com.

    Upgrading NeoRouter 1.7 Server to 1.9. If you followed our previous tutorial to install NeoRouter 1.7 Server, then upgrading to version 1.9 is easy. Log into your NeoRouter 1.7 server as root and download either the 32-bit or 64-bit 1.9 server software for your operating system. Then issue the following commands:


    /etc/rc.d/init.d/nrserver.sh stop
    rpm -Uvh nrserver-1.9*
    /etc/rc.d/init.d/nrserver.sh start
    chkconfig nrserver.sh on

    GPL2 License. The install-neorouter application is open source software licensed under GPL2. The NeoRouter Server and Client software is freeware but not open source. This installer has been specifically tailored for use on PBX in a Flash servers, but it can be adjusted to work with virtually any Linux-based Asterisk system. If you make additions or changes, we hope you’ll share them on the PIAF Forum for the benefit of the entire VoIP community. Enjoy!


    Deals of the Week. There are a few amazing deals still on the street, but you’d better hurry. First, for new customers, Sangoma is offering a board of your choice from a very impressive list at 75% off. For details, see this thread on the PIAF Forum. Second, a new company called Copy.com is offering 20GB of free cloud storage with no restrictions on file size uploads (which are all too common with other free offers). Copy.com has free sync apps for Windows, Macs, and Linux systems. To take advantage of the offer, just click on our referral link here. We get 5GB of extra storage, too, which will help avoid another PIAF Forum disaster. Finally, O’Reilly has over 1,000 Packt Ebooks on sale for 50% off until August 15. Better hurry!

    Originally published: Tuesday, August 6, 2013




    Need help with Asterisk? Visit the PBX in a Flash Forum.


     

    Don’t miss the first-ever FreePBX World on August 27-28 at the Mandalay Bay in Las Vegas. For complete details, see this post on the FreePBX blog.


     

    We are pleased to once again be able to offer Nerd Vittles’ readers a 20% discount on registration to attend this year’s 10th Anniversary AstriCon in Atlanta. Here’s the Nerd Vittles Discount Code: AC13NERD.


     
    Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.


    ​​3CX is a software PBX that’s easy to install & manage. It includes integrated softphones, WebRTC conferencing and essential add-ons out of the box, at no additional cost. Try the free edition at www.3cx.com.

  • Run on Premise or in the Cloud, on Windows and soon Linux
  • Softphones for iOS, Android, Win & Mac
  • Easy install, backup & restore, version upgrades
  • Automatically configures IP Phones, SIP Trunks & Gateways

  • Some Recent Nerd Vittles Articles of Interest…