Posts tagged: vpn

Introducing PPTP VPNs: The Travelin’ Man’s Best Friend

It’s been almost three years since we introduced VoIP Over VPN to securely interconnect Asterisk® servers. As LogMeIn® continues to squeeze the free Hamachi® VPN into oblivion, we’ll have a new, Really Free™ matrix VPN solution for you in coming weeks. This will let you interconnect up to 256 PBX in a Flash™ servers in minutes, not months, with no muss, no fuss, no fees, and no licensing worries. But today we want to begin VPN Month by turning our attention to those that need a virtual private network to connect back to a home office network or a home for that matter. This includes the traveling businessman or woman, the physician or lawyer with multiple remote offices, and any hub-and-spoke business such as a bank that has small branch offices that need to transparently link back to the mothership for network and communications services. The hidden beauty of PPTP VPNs is that all data (including phone calls) travels through an encrypted tunnel between the satellite office and home base. If you travel for a living and rely on other people’s WiFi networks for Internet access, a layer of network security will be a welcome addition.

Believe it or not, Microsoft introduced the Point-to-Point-Tunneling-Protocol (PPTP) with Windows 95. Back then we knew it as Dial-Up Networking. Suffice it to say that, in those days, PPTP was anything but secure. Unfortunately, the bad name kinda stuck. For the most part, the security issues have been addressed with the possible exception of man-in-the-middle attacks which are incredibly difficult to pull off unless you are a service provider or have access to the wiring closets of your employer. You can read the long history of PPTP VPNs on Wikipedia for more background. If you’re traveling to China or other democracy-challenged destinations, you probably shouldn’t rely upon PPTP for network security. If these security considerations aren’t applicable in your situation, keep reading because PPTP VPNs are incredibly useful and extremely easy to deploy for an extra layer of VoIP and network security in most countries that have severe wiretapping penalties in place.

PPTP VPNs also provide home-away-from-home transparency to home office network services. Simply stated, with a PPTP VPN, you get a private IP address on the home office LAN that lets you do almost anything you could have done sitting at a desk in the home office. There’s more good news. Fifteen years ago, we paid Cisco thousands of dollars for hardware boxes known as PPTP VPN Concentrators. You can still find some of them on eBay. For history buffs, a little company in California originally built these boxes. I think we paid about $3,000 for them. One year later Cisco bought the company and promptly doubled the price. Today, you can Do It For Free™ using your existing PIAF2 server platform. And, trust me, today’s 2-minute setup runs circles around the hoops we jumped through 15 years ago to install PPTP VPNs. Once deployed, they revolutionized mobile computing.

If you’re already running one or more PIAF2™ servers, then adding a PPTP VPN server to an existing system is a job for a Fifth Grader. Remember, you only need to do this on one server at your home base even if you have a dozen. The other good news is there are PPTP VPN clients for almost any platform you can name. Linux, Windows, Macs, Android, as well as iPhones, iPads, and iPod Touch devices all have free PPTP VPN clients that can be activated in less than a minute giving you instant, secure home base access.

Getting Started. We’re assuming you already have a PBX in a Flash 2 server set up behind a hardware-based firewall. If not, start there. Next, we’ll need to download and run the installer for your PPTP VPN Server. Just log into your server as root and issue the following commands:

wget http://incrediblepbx.com/install-pptp
chmod +x install-pptp
./install-pptp

UPDATE: For those of you still running a PBX in a Flash 1.7.x server under CentOS 5, we have a separate install script for you thanks to the great work of scurry7:

wget http://incrediblepbx.com/install-pptp-centos5
chmod +x install-pptp-centos5
./install-pptp-centos5

The Server Install: Five Easy Pieces. The installer will walk you through these five installation steps, but we’ll repeat them here so you have a ready reference down the road.

First, on your hardware-based firewall, map TCP port 1723 to the private IP address of your PIAF2 server. This tells the router to send all PPTP VPN traffic to your PIAF2 server when it hits your firewall. If you forget this step, your PPTP VPN will never work!

Second, you’re going to need a dedicated IP address on your private LAN to assign to the PPTP VPN server. Make sure it’s not an IP address from your router’s DHCP pool of addresses, and make sure it’s not one of the addresses from Step #3 below.

Third, you’re going to need two or more sequential IP addresses on your private LAN to assign to PPTP VPN clients that connect to your server. Remember, the PPTP design makes every remote client a node on your local area network so each client needs a private IP address on your LAN. Figure out how many client devices will be simultaneously connecting to your server and add one to it. Make sure the addresses you choose are in sequential order and not part of your router’s DHCP pool of addresses. Don’t use the address reserved for your PPTP server in Step #2 above. The address range should look something like this entry: 192.168.0.41-49. If you get the syntax wrong, guess what happens? If you screw it up, you can edit your localip and remoteip entries in /etc/pptpd.conf.

Fourth, each user is going to need a username to access your PPTP server. We’re going to set up credentials for one user as part of the install. You can add extra ones by adding entries to /etc/ppp/chap-secrets. For an extra layer of security, make the username as obscure as a password. Just don’t use any special characters. Upper and lowercase letters sprinkled with numbers are perfect. We recommend a length of at least 8 alphanumeric characters.

Fifth, make up an equally secure password to access your PPTP server. Same rules apply as in Step #4.

You’re done. Review your entries very carefully. If all is well, press Enter. If you blink, you may miss the completion of the install process. It’s that quick.

Configuring PPTP Client Devices. As we mentioned, there are available PPTP clients for Linux and Windows machines and Macs as well as Android and Apple smartphones and tablets. We’ve documented the steps for the various client setups on the PBX in a Flash Forum. Come visit! You’ll also discover some great tips from our resident gurus. We also would encourage you to post any questions that arise in your use of PPTP VPNs in that thread. You’ll get a quick and courteous response.

Secure VoIP Calling. The collateral benefit of implementing a PPTP VPN on your PIAF server is that all calls between remote extensions and home base can now be transmitted through a secure VPN tunnel. The only adjustment necessary using a SIP client on either an Android or Apple device is to replace the public server IP address with the server’s LAN IP address, and all of the communications traffic will flow through the VPN tunnel. The way we set up our Android phone with the Bria SIP client is to allocate an extension from the home office PIAF server to the SIP client and then enter the private IP address of the PIAF server in the Bria configuration. Then, when you’re at home base with WiFi, the client just works. And, when you’re on the road, just turn on the PPTP VPN, and Bria will register through the VPN tunnel using the exact same settings. It’s that easy, and it works great with WiFi or 3G/4G.

Checking for Connected Clients. If you get curious about who is logged into your PPTP server, here’s the command that’ll let you know: last | grep ppp.

GPL2 License. The install-pptp application is open source software licensed under GPL2. It has been specifically tailored for use on PBX in a Flash 2 (and now PIAF 1.7.x) servers, but it can easily be adjusted to work with virtually any Linux-based Asterisk system. If you make additions or changes, we hope you’ll share them on our forums for the benefit of the entire VoIP community. Enjoy!

What’s Next? For a more traditional client-server VPN which still relies upon a central server but uses a star topology to connect remote nodes, see this new Nerd Vittles article on the NeoRouter VPN.

Originally published: Monday, April 9, 2012




Need help with Asterisk? Visit the NEW PBX in a Flash Forum.


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

VoIP Prioritizing The World’s Best Traveling Phone

photo courtesy of skitch.com image sharing service

We follow a lot of really smart geeks on Twitter. As you might imagine, there’s a good bit of chatter about the world’s best cellphones. About half are die-hard iPhone users, and the rest are all over the map. Our iPhone is now a glorified iPod and, when you finish reading today, you’ll understand why.

What always has set Macs apart from PCs in our humble opinion is flexibility. So why is it that Apple has gone out of its way to strip that feature from the iPhone? Well, we all know the answer. AT&T and the iTunes Store. Or in a word, money. So what’s missing? For openers, there’s no tethering, the ability to connect your PC to your cellphone when the power goes out so you can send an emergency message or check on your servers at work. And then there’s free calling: the ability to place free SIP calls or Google Voice calls using your cellphone from almost anywhere. And then there’s the money thing. If you’ve traveled to foreign countries with an AT&T-powered iPhone, we don’t have to finish this story. For everyone else, let’s just say the cost of using your iPhone in a foreign country or on a cruise ship is stratospheric.

We’ve watched our friends and colleagues purchase all sorts of add-on gizmos to make up for the shortcomings in the iPhone. These have included secondary cellphones and more recently the MiFi devices which let you pay one of the companies in the American cellphone oligopoly another $60++ per month to tether your notebook and netbook to the cellular data network. Let’s get this straight. We pay a cellphone provider for an unlimited data plan as part of our service, but to transmit data to or from our PC through the plan, add another $60 a month for another data plan with a bandwidth cap. Huh? This is for a service that most of us use intermittently and would prefer to never use because of the lousy performance. Here’s our #1 traveling rule. Never stay in a hotel that doesn’t have WiFi, period. Why would you? The one next door has it!

So let’s go about this by the book… with a requirements analysis first! We want a cellphone that makes cellular calls from most locations, and we want the ability to decide which cell provider we use depending upon where we are. We want the option to make phone calls through our own SIP provider, or Asterisk® server, or Google Voice whenever we feel like it with or without a Wi-Fi connection. And, of course, we want VoIP Prioritization. This means we want our cell phone to prioritize incoming and outgoing calls by attempting to use VoIP services first, cellphone carrier second. Good luck with that one! We also want to be able to check our email using POP3 or IMAP servers. And, when we need to send or receive something on our notebook computer and there’s no WiFi around, we want our cellphone to provide data connectivity. We’re not going to be downloading movies and 1,000-page books all day long. We just want to get an important file attachment from the office so we can read it on a normal screen. And, finally, we’d like a QWERTY keyboard for messaging, and we want to be able to change our own battery, add a memory chip, and swap out SIM cards whenever we’d like. And the music, camera, and GPS functionality would be nice-to-haves on a phone.

Is this so hard? Well, if you’re in the United States and you’re planning to purchase a phone through Sprint, T-Mobile, AT&T, or Verizon to get one of those sign-away-your-life phone discounts, the answer is IMPOSSIBLE! And, to those that are chomping at the bit to tell us how they’ve accomplished some of these miracles with their hacked iPhone, let me just remind you that Apple considers it a national security threat to hack your iPhone thus explaining why Apple also considers it honorable to brick your hacked iPhone at any time despite the fact that you paid for it. Ask yourself if you really want to invest your cellphone dollars with a company spewing forth this kind of bullshit stuff.

And the answer is…

The unlocked U.S. version of the Nokia E71 costs $289.99 at NewEgg, and it’s worth every penny. We’ve been using ours all day, every day for the better part of a year. We’re not going to do a full review of the phone when there’s already an excellent one out there. Start with the allaboutsymbian review and then pick up again here. What isn’t covered in that review is the critical component that we believe sets this phone apart from everything else out there: incredibly simple SIP connectivity and VoIP setup with an Asterisk server because of the native SIP stack and SIP client which is built into the E71’s firmware. And, as you will soon discover, this transforms the E71 into the perfect traveling companion because it makes the E71 just another telephone extension on your home office Asterisk PBX. If secure communications matters, there’s VPN support as well.

Implementing Incoming VoIP Prioritization. Here’s how we’ve set up connectivity to our E71. First, create an extension on your Asterisk server that will be dedicated to remote SIP access from your E71. Let’s use extension 371 in this example. Give it a very secure password because the IP address of your E71 will change as you move from place to place so we can’t really lock down the extension with anything other than a secure password, or you won’t be able to connect. Next, create another extension (372) and forward all incoming calls to that extension to the regular phone number of your E71, i.e. the one provided by your cellphone provider. Then create a Ring Group on your Asterisk server (373) and set up 371 as the only number in the ring group extension list. For the destination if no answer, choose extension 372. Finally, set up your Google Voice number with a destination extension that forwards calls to ring group 373. So the way this will work is that incoming calls to your Google Voice number will ring the SIP connection on your E71 (371) if your E71 is registered to your Asterisk server via SIP. And, when it’s not registered, the calls will be forwarded to the regular phone number of your E71 (372) without any delay since extension 371 isn’t registered with your server. If you get in the habit of searching for WiFi wherever you happen to light and connecting back to your Asterisk server, (as you’ll see, this is a one-click operation), then you’ll have dirt-cheap remote cellphone service on your E71 almost all of the time. And, if you travel to foreign countries, it means that any time your E71 is registered with a WiFi HotSpot, all incoming calls will be free instead of costing an arm-and-a-leg in per minute international roaming fees.

SIP Setup for Nokia E71. John Rogers over at geek.com has written an excellent piece with lots of pretty pictures to show you how to configure your E71 with Asterisk. Rather than reinvent the wheel, here’s the link. It only takes a couple of minutes. We do have a few tips to get you started on the right foot. Make certain that the IP address you enter for your Asterisk server is the public IP address or fully-qualified domain name for your server, not the private IP address inside your firewall. As you roam from one WiFi network to the next, the E71 will automatically configure the phone for the new networks as soon as you choose WLAN Scanning, select a WiFi network, and choose to Connect to your Asterisk server. This is performed from the default screen on your phone so there’s no wading through layer upon layer of menus. After linking and unlinking to different networks about a dozen times, we have found it’s a good idea to shut down the phone, remove the battery momentarily, and then restart the phone. It keeps awkward connect problems from ever occurring. To enable VoIP Prioritization for outbound calling, all you have to do is change one default setting on the Nokia E71: Menu, Tools, Settings, Phone, Call, Default Call Type: Internet Call.

Depending upon your choice of router, using the public IP address of your Asterisk server may cause connectivity issues when you attempt to make a connection through the same WiFi network on which your Asterisk server resides. You can solve this by investing in one of dLink’s Gaming Routers which also provide the necessary tools to prioritize VoIP traffic on your network. Second, make sure you load the latest Nokia firmware for the E71 before you begin configuring your phone. You can check which firmware is installed on your phone by pressing *#0000#. If it’s less than 200.21.118, you need to upgrade, and you’ll need a Windows machine to do it. Here’s the link to Nokia’s upgrade site.

Where To Go From Here. Once you have your E71 performing as a remote Asterisk extension, there are some other must-have’s for your phone. First, you’ll want to purchase JoikuSpot Premium for 15.00€ (about $20). It turns your phone into a WiFi HotSpot whenever you need tethering. Next you’ll want to load Nokia’s OVI store which includes a number of free downloads including Internet Radio, Fring, Nimbuzz, and Web Server. With the web server, you can actually create a blog and let visitors share photos and take pictures using your E71. Try ours to get a taste of what’s available. We think you’ll also find Google Latitude to be a fascinating addition. It lets you produce a free, GPS-enabled map with your current location just like Where In the World Is Nerd Uno. In fact, that map is produced from GPS data generated on our Nokia E71.

A Word of Caution. Finally, we’ll close on a cautionary note. Tempting as it may be to buy Nokia’s latest and greatest cellphone, DON’T! Nokia quietly has dropped the native SIP stack and SIP client on almost all of its newest cellphones presumably to win the love and affection of companies like AT&T. These are the same companies that continue to claim in FCC filings that they have nothing against VoIP on cellphones. The list of VoIP-impaired Nokia cellphones includes the N97 as well as the AT&T-branded E71x. Nokia also has been less than clear about the new N900. Historically, this has meant that SIP functionality has disappeared. So beware of shiny new things… that may not work worth a damn. It’s too bad. Nokia was one of our favorite companies, but it looks like they’re ceding the VoIP technology business to Google’s Android which happens to be next on the Nerd Vittles Radar. Here’s a complete list of Nokia’s SIP-compatible phones. Enjoy!


Enhanced Google Maps. In case you haven’t noticed, we’ve added yet another Google Map to Nerd Vittles. Now, in addition to showing our location with Google Latitude, we also are displaying your location based upon your IP address. We’ll show you how to add something similar to any LAMP-based Linux system in coming weeks. It’s a powerful technology that has enormous potential. If you’re unfamiliar with Google Maps, click on the Hybrid and Satellite buttons and then check out the scaling and navigation options. Double-click to zoom. Incredible!


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.



Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Welcome to IP Country: A New Layer of Asterisk Security

image courtesy of fail2ban.org One of the problems with writing a blog like Nerd Vittles is it's more than double the work of your typical blog where a writer pontificates about something and then moves on. What makes Nerd Vittles a little different is that, with help from a number of very gifted developers, we actually create useful applications and then write about how to use them. So you get a bonus for the same low price: free! This obviously imposes some time constraints in order to get fresh material into your hot little hands every week.

This week we turn our attention to Asterisk® Security again and unfortunately the Whole Enchilada is not yet ready. So today you get Chapter I of this topic with a comment that we're still mulling over some enhancements. When those pieces are finished or at least properly evaluated, we'll produce a sequel. Software houses spend years developing applications. And sometimes it takes us more than a week. :-)

Let's start with a few observations which should be quite obvious to those who have wrestled with VoIP or Asterisk for a while. Internet security is a bitch. And Asterisk security is much, much worse. When a few disgruntled people can bring Twitter to its knees because they're mad about some particular tweet or Twitter user, it tells you what we're all up against. Hate to say it but we can all thank Microsoft for years of security neglect that rendered the Windows operating system less than optimum in preventing the spread and deployment of BOTs. And the tools have gotten more dangerous as well. Strangers (our euphemism for these folks) write new software, too.

If you're using PBX in a Flash (and you really should be!), you know that we've devoted enormous resources to Asterisk security. Two years ago when PBX in a Flash was introduced, the majority of people using Asterisk still were using 1234 as the extension password on all or most of their extensions. A couple $100,000 phone bills and lots of public education, and that situation hopefully is behind us. Two years ago, no Asterisk aggregation included a firewall... except PBX in a Flash. Believe it or not, there were individuals running Asterisk servers on the public Internet with a default root password of password. That added more than a few more BOTs to the Internet kettle of fish. Then there were the brute force password hacks that hit Asterisk servers thousands of times per minute guessing passwords. Nothing stood in the way of these attacks until PBX in a Flash introduced Fail2Ban which automatically blacklisted IP addresses after a certain number of failed login attempts. We followed Fail2Ban with our Atomic Flash product which provided a turnkey Hamachi VPN implementation for rock-solid safe remote computing. And, of course, there was a one-minute Hamachi VPN install script for standard PBX in a Flash systems. No other aggregation has it to this day.

The purpose of the history lesson isn't to crow about PBX in a Flash although we're mighty proud of it. Rather we wanted to make you aware that precious little development effort is actually going into security while enormous resources are devoted to things such as Internet faxing, Skype, and Google Voice integration. We'll be the first to admit that we love the latest gee whiz gizmos as much as anybody. But come on. A handful of us who do this purely for fun somehow manage to turn out loads of security enhancements while huge, for-profit companies are devoting virtually zero resources to making Asterisk, SIP, and the VoIP community safer. SIP is about as secure as whispering at a movie theater. Google releases Google Voice with SIP access protected by a 4-digit password. :roll: That approach to security needs to change, or we're all going to wake up sorry one day soon. If this is preaching to the choir, then feel free to pass this article on to one of your brethren who has not yet seen the light! Start by reading our Primer on Asterisk Security.

If you have extremely secure passwords on your Asterisk extensions and trunks, and you have deployed a properly configured firewall with Fail2Ban to protect against brute force attacks, then you're ahead of the curve insofar as Asterisk security is concerned. But what we think is still missing is access restrictions based upon what the military calls a "need to know." Simply stated, it means folks shouldn't get access of any kind to your Asterisk server unless they have a need to be there. And, if we find someone there that doesn't belong, they should be kicked off and banned from further access.

So today we have a new security tool for your Asterisk toolbox: IP Country, country-based network filtering by IP address. In a nutshell, it means configuring your Asterisk server to dramatically reduce the number of IP addresses which can reach your server at all. If you receive anonymous SIP connections from all around the globe that you actually need or if you're attacked from a BOT running on grandma's Windows machine down the block, this may not work for you, but it's another tool in your quiver of arrows. For most servers, it has the potential to reduce the vulnerability from random outside threats substantially. It's taken a lot of research to come up with much of what follows, and we want to express our special thanks to Sandro Gauci and Joe Roper for their assistance. Some of this technology has been around for many years, but unfortunately it was expensive. So we also want to express our special appreciation to MaxMind for releasing their open source GeoLite Country database which is now free for downloading. That is the critical ingredient in much of what follows. So here's a word from our sponsor:

This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.

Scope of Protection. An obvious question is just exactly what are we trying to protect. In our view, it's several things. First, we don't want strangers logging in to extensions on our server and making free calls around the globe using pilfered or hacked passwords. We also don't want strangers using our extensions to masquerade as us for any other purpose. Second, we don't want strangers randomly calling our server using SIP URI's that they've dreamed up. And third, we don't want strangers accessing any other applications on our server including SSH and FTP as well as web and email services.

IP Country Design. As with other security features in Asterisk, FreePBX, and IPtables, our implementation of IP Country uses permit and deny access tables that consist of authorized and unauthorized ranges of IP addresses. There's also a table with the latest GeoLite Country information which is used as the data source for your permit table. When a connection to the server is made, the IP address is checked against the permit table of authorized addresses. If there's no match, we'll consider the connection a stranger. If there is a match, then we'll check the deny table to make certain this particular IP address hasn't been banned. Unless you alter all of our scripts, your system must be using the default MySQL account name of root with a password of passw0rd. As configured in PBX in a Flash, this is NOT a security risk since MySQL access is limited to your server, and your server requires root credentials to log in.

Today's Objective. To get everyone started, we're going to tackle the first two objectives today. The solutions offered should work fine on any FreePBX-based Asterisk system... even those that hide the existence of FreePBX.

For outgoing calls, we'll introduce a new script which runs periodically to examine the IP addresses attached to every SIP and IAX extension and trunk on your Asterisk server. If a stranger's IP address is identified (as explained above), we'll add an IPtables firewall rule to permanently block access to your server from this IP address. These rules are stored in /etc/sysconfig/iptables should you ever need to remove an IP address that has been blocked. You can adjust the script execution frequency based upon the thickness of your wallet. After all, it's your phone bill. This functionality is mutually independent from the incoming call protection outlined below so you can use either or both of the functions to meet your own requirements. For systems that use enormous numbers of SIP URI's for communications around the globe, you might choose to implement just this piece for extension and trunk IP Country protection without altering your incoming dialplan at all. Keep in mind that FreePBX now supports permit and deny IP address filters on extensions, something you really should be using even if you decide against implementing the IP Country security protection layer.

For incoming calls, we're going to modify FreePBX's existing Blacklist functionality to also look up the calling IP address in our IP Country permit and deny tables. If the IP address is authorized, the call will go through. Otherwise, the call will be treated just as if the caller's number were blacklisted. Be aware that incoming calls to one of your commercial DIDs may reflect the IP address of your provider since the caller may be calling from a Plain Old Telephone rather than an IP address. The existing Blacklist functionality can be used to block these unwanted callers. If you live in the United States, you'll probably also want to call 888-382-1222 and place your DIDs in the Do Not Call database. Just call from a phone using the CallerID of the number you wish to block.

Installing GeoLite Country. To get started, log into your server as root and issue the following commands:

cd /
wget http://bestof.nerdvittles.com/applications/ipcountry/ipcountry.tgz
tar zxvf ipcountry.tgz
rm ipcountry.tgz
cd /root/ipcountry
./nv-ipcountry

Once the nv-ipcountry script begins to run, it will download and install the GeoLite Country database into MySQL. You then will be asked whether to add countries to your permit table. Since your permit table is empty at this point, the answer should be yes. You'll then get a list of country codes. Choose the two-character country code desired and type it in UPPERCASE, e.g. US. If you want to add one or more additional countries, just rerun ./nv-ipcountry and do NOT initialize the permit table (which erases all of its contents).

New GeoLite Country databases are released every month or two so get used to the procedure. You'll be using it periodically to keep your list of IP addresses current. We'll cover the update procedure after we get you up and running.

Remember: If no IP addresses for any country are added to the permit table, you will not be able to make calls or register trunks with your providers! The only default entries added to the permit table are the non-routable, private IP address ranges, e.g. 192.168.0, etc. The geolite table is merely a data repository of the latest GeoLite Country database and has no effect on the daily operation of your system! You use it only as a data source for populating your permit table.

Testing IP Country. Before we actually turn anything on, we need to be sure we're not going to blow your Asterisk system out of the water! In short, we want to make sure that every extension that's supposed to be able to make a connection to your PBX still can. And we need to make sure all of your trunk registrations still are working. While you're still in the /root/ipcountry directory, issue the following command: ./test.sh. This script will display all of your SIP and IAX connections and then will tell you whether each connection will pass muster with IP Country security in place. Each IP address should display ok. If any of them show ko, you have a problem. This means that you have an extension or trunk with an IP address that is not included in your permit table. You can scan through the show peers listings in the display to figure out which providers or extensions are associated with any problem IP addresses. Be sure it's not a bad guy first. Then you have a couple of options. You can either manually add the IP address to the permit table as outlined below. Or you can add additional countries which include the missing IP address(es). To decipher the country of any problem IP address, go to this link and plug in the IP address. Once you've made entries in your permit table to cover all of your needed IP addresses, run the test script again just to be sure everything shows ok. Do NOT proceed until you get all ok's, and don't write us if you do.

Manually Adding IP Addresses to IP Country. We've provided a command-line utility which makes it easy to add IP addresses and address ranges to either the permit or deny tables of IP Country. Be very careful using this tool! There's limited error-checking which means it's easy to create a mess. You'll find iputility.php in the /root/ipcountry folder. Since all IP addresses are stored as integers, you can use it to merely discover the integer value of an IP address, or you can actually insert IP addresses into either the permit or deny tables. Here are a few examples to show how the utility works:

./iputility.php 156.130.20.10
Returns the integer value for this IP address; no database update
./iputility.php 156.130.20.10 156.130.20.255
Returns integer values for this IP address range; no database update
./iputility.php 156.130.20.10 deny
Adds this IP address to IP Country deny table
./iputility.php 156.130.20.10 156.130.20.255 permit
Adds this address range to IP Country permit table)

A couple of points worth noting. First, all custom entries in your permit and deny tables using iputility will show a country code of AA. This makes them easy to find using phpMyAdmin if you make a mistake. Second, if you attempt to enter the same IP address range more than once, you'll get a database error since all entries in the tables must be unique. Third, remember that entries in the deny table take precedence over entries in the permit table. So, if the same IP address or address range is in both tables, access will be denied. The reason for this is to make it easy to exclude a few bad apples from a country that you might otherwise find unobjectionable. Finally, keep in mind that manual entries added to the permit table will have to be added again each time you initialize the table and insert new country IP codes after a GeoLite Country refresh. The deny table is unaffected by database refreshes. So make yourself a list of entries you manually insert into the permit table and keep it in a safe place for future reference.

Activating the IP Address Checker. In the /root/ipcountry directory, you'll find the script that we'll use to check your system periodically to be sure all of the extensions and trunks are registered at permitted IP addresses. To run the script manually, log into your server as root and type: /root/ipcountry/ip-checker.sh. When you run it, you shouldn't see any modifications to IPtables, just a string of ok's. So now we want to added the script as a cron job that will be run periodically to watch your system. Edit /etc/crontab and insert the following line at the bottom of the file:

*/1 * * * * /root/ipcountry/ip-checker.sh > /dev/null

*/1 means run the script once a minute, all day and night, every day. */5 means every 5 minutes. You make the call on how safe you'd like your system to be. If you'd like to receive an email or text message every time an IP address is blocked by ip-checker.sh, just edit the filecheck.php script, uncomment the two lines that begin with // and replace yourname@gmail.com with your email or text message address.

WARNING: For ip-checker.sh to work properly with IPtables, there are a couple of prerequisites. First, IPtables must be running on your system with the iptables file located in /etc/sysconfig. Second, your IPtables setup must include an SSH permit rule that looks like this:

-A INPUT -p tcp -m tcp --dport ssh -j ACCEPT

We use this rule as a place finder to determine where to insert new rules to block stranger's IP addresses. If you don't have the above rule, filecheck.php (used by ip-checker.sh) won't be able to insert new rules. So you'll need to manually edit filecheck.php to provide a "hook" that can be used to insert rules into your iptables file. PBX in a Flash systems come preconfigured to support this. With other aggregations, YMMV!

Activating the Incoming Call Checker. To screen incoming calls using your IP Country permit and deny tables, the setup is straight-forward assuming you are running the latest version of FreePBX 2.5. We're going to adjust the Blacklist context to also perform IP address lookups from IP Country when new calls arrive on your PBX. Just log into your server as root and add the following lines to the bottom of the extensions_override_freepbx.conf file in /etc/asterisk:

[app-blacklist-check]
include => app-blacklist-check-custom
exten => s,1,LookupBlacklist()
exten => s,n,GotoIf($["${LOOKUPBLSTATUS}"="FOUND"]?blacklisted)
exten => s,n,Set(TESTAT=${CUT(SIP_HEADER(From),@,2)})
exten => s,n,GotoIf($["${TESTAT}" != ""]?hasat)
exten => s,n,Set(FROM_IP=${CUT(CUT(SIP_HEADER(From),>,1),:,2)})
exten => s,n,Goto(gotip)
exten => s,n(hasat),Set(FROM_IP=${CUT(CUT(CUT(SIP_HEADER(From),@,2),>,1),:,1)})
exten => s,n(gotip),NoOp(Gateway IP is ${FROM_IP})
exten => s,n,NoOp(IP Country Lookup in Progress...)
; put authorized special calls like sipgate's Google Voice ringbacks below
exten => s,n,GotoIf($["${FROM_IP}"="sipgate.com"]?keepon)
exten => s,n,AGI(nv-ipcountry.php|${FROM_IP})
exten => s,n,GotoIf($["${STRANGER}"="true"]?blacklisted)
exten => s,n(keepon),NoOp(** AUTHORIZED CALLER **)
exten => s,n,Return()
exten => s,n(blacklisted),Answer
exten => s,n,Wait(1)
exten => s,n,Zapateller()
exten => s,n,Playback(ss-noservice)
exten => s,n,Hangup

Make sure you remove the line-wrap in the s,n(hasat) line and any others that may have wrapped in the display above! Then save the file and reload your Asterisk dialplan: asterisk -rx "dialplan reload". You're all set! If you'd like email notices when a stranger calls and is blacklisted, edit nv-ipcountry.php in /var/lib/asterisk/agi-bin. Plug in your actual email address in the $email variable and set $emailalerts = 1.

Housekeeping 101. As we mentioned above, the pool and location of IP addresses continues to change so periodic updates are necessary, or you'll end up blocking calls that otherwise should be permitted. MaxMind updates GeoLite Country on the first day of every month so add it to your TO-DO list. We strongly recommend that you perform these steps through an SSH connection from a remote PC. Why? Because, if you forget step 1 while logged directly into your server, you could inadvertently lock yourself out of your own system if the ip-checker script happens to run while your permit table is empty. If you do it from a remote machine, you can simply move to another machine and follow these instructions properly. Otherwise, you've got a serious problem on your main server. If this server provides phones to your business, do the update when the server is idle. So here's the drill:

  1. Comment out the ip-checker.sh /etc/crontab entry
  2. Download new GeoLite Country database from MaxMind
  3. Initialize the ipcountry.permit table
  4. Add authorized countries back into ipcountry.permit table
  5. Add back any custom entries to permit table
  6. Test your IP Country system to make sure you get all ok's
  7. Reactivate ip-checker.sh in /etc/crontab

1. Log into your server as root. To comment out the ip-checker.sh line in /etc/crontab, just add # as the first character on the line and save the file.

2. Change to the /root/ipcountry directory and run ./nv-GeoIPrefresh.

3. While still in the /root/ipcountry directory, run ./nv-ipcountry and choose 1-Yes to initialize your ipcountry.permit table.

4. Continue running or rerun ./nv-ipcountry to add each desired country to your ipcountry.permit table.

5. Run ./iputility.php to add custom IP address entries to your ipcountry.permit table. You do NOT need to reenter addresses in the deny table. It is unaffected by this update procedure.

6. Test your system again to make sure all extensions and trunks get an ok by running ./test.sh.

7. Edit /etc/crontab and remove the # at the beginning of the ip-checker.sh line and save the file.

What's Next. We're still exploring another possibility with IP Country, and that is integrating GeoLite Country directly into IPtables. This would validate every packet coming into your firewall using IP Country-like rules in IPtables. If you want to look at how it could be done, see this excellent writeup. Well, not so fast. Unfortunately, it won't compile under CentOS 5.2. Here's a link to the problem code if there are any Linux gurus in the house. Our reluctance in doing this has to do with performance. Keep in mind that, without stateful packet inspection, every single packet coming into your server would presumably trigger a database lookup. On a busy telephony system generating hundreds of thousands of packets per second, it would take a beast of a server with sufficient memory to cache the entire IP Country database in order to handle the processing load. So now we've got to either learn about or find an expert on the IPtables State Machine. If anyone wants to experiment, please share your expertise with the rest of us. There's a Google Voice invite in it for you, too.


whos.amung.us If you're wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what's happening. It's a terrific resource both for us and for you.



Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you're seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity's DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here's a deal you can't (and shouldn't) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won't get the special pricing! After the free hour of outbound calling, Vitelity's rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest...

VoIP Over VPN: Securely Interconnecting Asterisk Servers

We’ve just returned from a week in the Pacific Northwest teaching an Asterisk® course for an organization that wants to interconnect satellite offices using Asterisk servers. This coincided with a support request from one of America’s premier airlines which wants to do much the same thing for all of its reservation counters in airports situated in feeder cities around the country. Suffice it to say, PBX in a Flash in conjunction with Asterisk and Hamachi VPNs is perfectly suited to let anyone build these interconnected systems in minutes rather than months. In fact, with less than a day’s worth of introduction to Asterisk and PBX in a Flash, a group of 16 network administrators with no previous Asterisk experience did just that in a one-hour lab session during our training seminar last week. At the risk of (further) destroying our ability to earn a living, here’s how we did it.

Proxmox as a Training Tool. Before we get into the nitty gritty of actually interconnecting Asterisk servers with Hamachi VPNs, let us provide the free tip of the week for those of you that want to experiment with interconnecting Asterisk servers or for those that like to test various Asterisk scenarios without rebuilding servers all day long. There is no finer tool for this than the Proxmox Virtual Environment, a free and easy to use Open Source virtualization platform for running Virtual Appliances and Virtual Machines. With a sale-priced Dell T105 with a Quad Core AMD Opteron processor and 8 gigs of RAM, you’ll have a perfect platform to run about 16 simultaneous PBX in a Flash servers. The trick is finding the machines on sale for half price which is about every other week. Our lab system which matches this configuration was less than $600 with RAM purchased from a third party. You can save most of the shipping cost by using our coupon link in the right column to shop at Dell’s small business site.

Proxmox lets you build virtual machines in two ways: OpenVZ templates or Qemu/KVM Templates and ISO images. While we intend to offer an OpenVZ template for PBX in a Flash soon, currently it’s easy to create your own ISO template using the standard PBX in a Flash ISO image. Once you’ve uploaded your ISO image into Proxmox, simply create a new virtual machine by giving it a name, specifying 512MB of RAM and a 30GB partition. In 10 seconds or less, your new VM will be ready to boot. Start your VM and then open the VNC console window within the Proxmox web interface and install PBX in a Flash just as if you were building a stand-alone machine. When the 15-minute install completes, run through the Orgasmatron Installer setup, and you’ll have your turnkey PBX in a Flash system ready for production in less than 30 minutes.

You don’t have to repeat this drill for every virtual machine. Instead, use the built-in Proxmox backup utility to make a backup image of what you built. Shut down the VM, create a /backup directory, and then schedule the compressed backup in the web browser. When the backup completes, you’ll have a backup image in /backup with a file name like this: vzdump-101.tgz.

To create a new virtual machine, you issue the following command while positioned in the /backup directory specifying the number for the new virtual machine:

vzdump --restore vzdump-101.tgz 102

In about 3 minutes, you’ll have a second virtual machine that’s a clone of the first one. Because it’s a true clone, it would obviously have the same MAC address for the virtual NIC. You don’t want that or all of your VMs would boot up using the same IP address. Using the Proxmox web interface, just edit the new VM 102 by switching from the Status tab to the Hardware tab, delete the existing Ethernet device, and then create a new Ethernet device under the hardware address list pulldown. This will create a new virtual NIC with a new MAC address. So, when you boot VM 102, it will be assigned a new IP address by your DHCP server. You can decipher the new IP address by opening the VNC console window for VM 102 after you boot it up. Now you’re an expert. You can create the additional Baker’s Dozen turnkey PBX in a Flash servers in about an hour. Start all of them up, and you’ve got an instant training facility and PBX in a Flash playground.

April, 2012 Update. See our new article for a current state-of-the-art VoIP VPN.

Creating Hamachi VPN. You obviously don’t need a virtual private network in order to interconnect Asterisk servers. But, as easy as the Hamachi VPN is to set up, especially with PBX in a Flash servers, why wouldn’t you want all of your inter-Asterisk communications secured and encrypted? In addition to the capacity limitation of the Proxmox server, there’s another reason we chose to build 16 PBX in a Flash VMs. That happens to be the number of servers you can interconnect with the Hamachi Virtual Private Network without incurring a charge.1 Why use the Hamachi VPN when OpenVPN is free with unlimited network connections and no strings? The short answer is it’s incredibly simple to set up without public and private key hassles, and it supports dynamic IP server addressing with zero configuration. We plan to cover OpenVPN in a subsequent article but, for many implementations, Hamachi VPNs offer a robust, flexible alternative that can be deployed in minutes.

If you’re not using PBX in a Flash, there are a million good Hamachi VPN tutorials available through a quick Google search. If you are using PBX in a Flash, we’ve done the work for you. With the Orgasmatron Installer build, you’ll find the Hamachi VPN installation script in /root/nv. For other PBX in a Flash systems, just download the install-hamachi.x script from here or, after logging into your server as root, issue the following commands:

wget http://pbxinaflash.net/source/hamachi/install-hamachi.x
chmod +x install-hamachi.x
./install-hamachi.x

Before beginning the Hamachi VPN install, it’s a good idea to make yourself a cheat sheet for the servers you plan to interconnect. We’re going to interconnect 3 servers today, but doing 16 is just more of the same. You’ll need a unique name for your virtual private network. Pick a name that distinguishes this VPN from others you may build down the road. For our example, we’re going to use piaf-vpn. Next, you need a very secure password for your VPN. We’re going to use password for demonstration purposes only. Finally, you need a unique nickname for each of your servers, e.g. piaf-server1, piaf-server2, and piaf-server3 for our example setup today.

For the first Hamachi install, we’ll need to create the new network. For the remaining installs, we’ll simply join the existing network. Keep in mind that you can only remove machines from the network using the same server that was used to create the other VPN accounts initially so build out your virtual private network by starting with your main server, piaf-server1 in our example.

To begin the Hamachi VPN install, run the script using the commands shown above. Type Y to agree to the installer license and then press the Enter key to kick off the install. For the piaf-server1 install, type N to create a new Hamachi network. For the remaining installs, you’d type J to join an existing Hamachi network. Enter the network name you chose above. For our sample, we used piaf-vpn. Type it twice when prompted. Now type your network password and then your nickname for this server when prompted to do so. Then standby while the Hamachi software is installed. It takes a few minutes depending upon the speed of your network connection. And remember, do NOT use our sample network name. Make up your own and don’t forget it. When the install completes, you can review the log if you’d like. Unless something has come unglued, Hamachi should now be running on your first server. Repeat the drill on your other servers.

The next step is to grab some of our scripts to make it easier to manage Hamachi on your servers.

cd /usr/local/bin
wget http://pbxinaflash.net/source/hamachi/hampiaf
wget http://pbxinaflash.net/source/hamachi/hamachi-servers
chmod +x ham*
cd /root
wget http://pbxinaflash.net/source/hamachi/hamachi.faq

The hamachi.faq document provides all of the commands you’ll need to manage Hamachi including the steps to start over with a totally new virtual private network. For now, let’s be sure your network is running. Type: hamachi-servers piaf-vpn using the network name you assigned to your own VPN. Then type it again, and it should display all of the servers on your VPN with their private VPN IP addresses:

root@pbx:~ $ hamachi-servers piaf-vpn
This server:
Identity 5.151.123.1
Nickname piaf-server1
AutoLogin yes
OnlineNet piaf-vpn

Going online in piaf-vpn .. failed, already online
Retrieving peers’ nicknames ..
* [piaf-vpn]
5.151.123.2 piaf-server2
5.151.123.3 piaf-server3

Finally, a word of caution about security. One of the drawbacks of the ease with which you can create Hamachi VPNs is the ease with which you can create Hamachi VPNs. Anyone that knows your network name and password can join your network with one simple command. You can kick them off from the main server where the VPN was created (hampiaf evict piaf-vpn 5.249.146.66), but you can’t keep them from joining. So, protect your network by making the password extremely secure. There currently is no way to change your network password. All you can do is create a new network with a new network name and a more secure password.

Interconnecting Asterisk Servers. Once your VPN is established and all of your servers are on line, then we’re ready to interconnect them with Asterisk and FreePBX. There are a number of ways to do this. For smaller networks, we’re going to show you the easy and secure way using IAX and the VPN you just created. As with the VPN setup, a cheat sheet comes in handy to avoid erroneous entries that would cause your calls between servers to fail. What we recommend is assigning and creating a block of extensions on each of your servers with different ranges of numbers. For example, we’re going to use four-digit extensions in the 1xxx range for piaf-server1, 2xxx for piaf-server2, and 3xxx for piaf-server3. The idea here is that the extensions are unique between your servers. This makes it easy to dial between offices without having to resort to dialing prefixes. So the first step in interconnecting your servers is to build the necessary extensions on each of your servers.

Now for the cheat sheet. Using the hamachi-servers tool above, decipher the VPN IP address of each of your servers and make a chart with the server names, the range of extension numbers, and the VPN IP address of each server. You’ll also need to think up a very secure password. We’re going to use the same one for all of the servers although you certainly don’t need to. So long as the password you choose is secure, there’s really no reason not to use the same one.

piaf-server1 1xxx 5.151.123.1 password
piaf-server2 2xxx 5.151.123.2 password
piaf-server3 3xxx 5.151.123.3 password

Creating Trunks. The next step is to create an IAX trunk on each server for each remaining server in your network. In our example, on piaf-server1, we’d want to create trunks for piaf-server2 and piaf-server3. On piaf-server2, we’d want to create trunks for piaf-server1 and piaf-server3. And so on.

NOTE: Because of a change in IAX design to fix a security issue that arose after this article was originally published, be sure to add the following line in the User Details of each trunk below:

requirecalltoken=no


On your first server (piaf-server1 in our example), using a web browser, open FreePBX and choose Admin, Setup, Trunks and then click Add IAX2 Trunk. Create the trunk to piaf-server2 with the following entries. Leave everything blank except the entries shown below:

While still on piaf-server1, repeat the process to create a trunk for piaf-server3:

On your second server (piaf-server2 in our example), using a web browser, open FreePBX and choose Admin, Setup, Trunks and then click Add IAX2 Trunk. Create the trunk to piaf-server1 with the following entries. Leave everything blank except the entries shown below:

While still on piaf-server2, repeat the process to create a trunk for piaf-server3:

On your third server (piaf-server3 in our example), using a web browser, open FreePBX and choose Admin, Setup, Trunks and then click Add IAX2 Trunk. Create the trunk to piaf-server1 with the following entries. Leave everything blank except the entries shown below:

While still on piaf-server3, repeat the process to create a trunk for piaf-server2:

Creating Outbound Routes. Now we need to tell Asterisk how to route the calls between the servers. In a nutshell, we want calls to extensions in the 1xxx range routed to extensions on piaf-server1, calls to 2xxx extensions routed to piaf-server2, and calls to 3xxx extensions routed to piaf-server3. On each server, create an outbound route for each of the remaining servers. Name the routes server1, server2, and server3 as appropriate. The critical pieces of information in each outbound route are the dial string (which should match the extensions on the server we’re connecting to) and the Trunk Sequence (which should be the appropriate IAX trunk for the server we’re connecting to).

On piaf-server1, we’d have a server2 outbound route with a Dial String of 2xxx and a Trunk Sequence of IAX2/piaf-server2. Then we’d have another server3 route with a Dial String of 3xxx and a Trunk Sequence of IAX2/piaf-server3. If you have a catch-all outbound route, be sure to move these routes above the catch-all in the right column. Then reload your dialplan.

On piaf-server2, we’d have a server1 outbound route with a Dial String of 1xxx and a Trunk Sequence of IAX2/piaf-server1. Then we’d have another server3 route with a Dial String of 3xxx and a Trunk Sequence of IAX2/piaf-server3. If you have a catch-all outbound route, be sure to move these routes above the catch-all in the right column. Then reload your dialplan.

On piaf-server3, we’d have a server1 outbound route with a Dial String of 1xxx and a Trunk Sequence of IAX2/piaf-server1. Then we’d have another server2 route with a Dial String of 2xxx and a Trunk Sequence of IAX2/piaf-server2. If you have a catch-all outbound route, be sure to move these routes above the catch-all in the right column. Then reload your dialplan.

If you’re setting this up with PRI or T1 connections between your servers, you might also want to specify at least secondary trunk sequences for each of the outbound routes to provide some redundancy. For example, on piaf-server1, you might want a secondary Trunk Sequence for server2 that specified IAX2/piaf-server3. Then, if the primary connection between server1 and server2 was down, Asterisk would attempt to complete calls to 2xxx extensions by routing them to server3 and then on to server2 from there. To the caller and call recipient, they’d never know that the direct link between server1 and server2 had failed.

Alternate routing might also be appropriate where you have more capacity between certain servers. For example, if you had a single T1 line between server1 and server3 but you had PRI connections between server1 and server2 and between server2 and server3, then it might make more sense to indirectly route 3xxx calls from server1 through server2 and then on to server3 rather than the direct route from server1 to server3. Enjoy!



Free DIDs While They Last. Sipgate is giving away a free U.S. DID with free incoming calls plus 200 free minutes for outbound calls. Better hurry. Here’s the trunk setup for FreePBX-based systems:

Trunk name: sipgate

type=peer
username=ACCTNO
fromuser=ACCTNO
secret=ACCTPW
context=from-trunk
host=sipgate.com
fromdomain=sipgate.com
insecure=very
caninvite=no
canreinvite=no
nat=no
disallow=all
allow=ulaw&alaw

Registration Strong: ACCTNO:ACCTPW@sipgate.com/YOUR-DID-NUMBER

ACCTNO is the account number assigned to your sipgate account. ACCTPW is the password for your account. YOUR-DID-NUMBER is your 10-digit DID.

Finally create an inbound route using your actual 10-digit DID and assign a destination for the inbound calls.



Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.


Twitter Magic. If you haven’t noticed the right margin of Nerd Vittles lately, we’ve added a new link to our Twitter feed. If you explore a little, you’ll discover that the user interface now brings you instant access to every Twitter feed from the convenience of the Nerd Vittles desktop. Enjoy!


whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. See comment #1 below. []

The Ultimate Asterisk Telephony Appliance

gPC miniWe’ve been quietly waiting for Everex to finally get its act together and deliver the Ultimate Asterisk® Telephony Appliance for SOHO users and organizations. Truth be told, it’s the reason we shelved our original VPN in a Flash desktop unit from last August. Thanks to NewEgg, it’s now available and it’s dirt cheap… if you hurry. Would you believe $339 for the gPC mini ET2400. And with this coupon link, you can knock off another $11 and some change. Just sign up for a free eBates account and follow the eBates link to NewEgg to save 2% on your total order plus another $5 for signing up. We, of course, get five dollars wealthier in the process as well.

In addition to a fantastic-looking, small-footprint mini knockoff of your favorite fruit-inspired hardware, here’s what $339 buys you if you act quickly:

  • 2.0GHz Intel® Pentium® Dual-Core Mobile Processor T2450
  • 2MB L2 Cache
  • 160GB SATA Hard Drive
  • 2GB DDR2 667 SDRAM
  • Slot-In DVD-ROM/DVD-RAM/DVD±RW Drive (Double Layer support)
  • Intel® Graphics Media Accelerator GMA950
  • Realtek ALC268 High-Definition Audio
  • 10/100/1000 Ethernet Port
  • 802.11 b/g Wireless LAN
  • Bluetooth Wireless
  • DVI-I Port with DVI to VGA/D-sub Adapter
  • S-Video Port
  • IEEE 1394 Firewire Port
  • (4) USB 2.0 Ports
  • 4-in1 Media Card Reader (SD, MMC, MS, MS Pro)
  • Headphone/Line-Out Port
  • Microphone/Line-In Port
  • Windows Vista Home Premium (for your nearest trash can)

gPC miniYes, you won’t be needing Windows for your new Ultimate Asterisk Telephony Appliance. Very shortly, Nerd Vittles will introduce its turnkey USB flash installer which brings you every Asterisk bell and whistle on the planet in under 15 minutes. We had hoped to introduce the new flash drives this week to celebrate the beginning of Nerd Vittles Fifth Year. But the pricing on 8GB flash drives that provide the compatibility we need to facilitate duplication just weren’t there so we’ll just wait a few weeks until they are. In the meantime, you can order up your new system and enjoy Windows at its very worst for a week or two while realizing a substantial $150 savings on your system. Enjoy!


Want a Bootable PBX in a Flash Drive? Our bootable USB flash installer for PBX in a Flash will provide all of the goodies in the VPN in a Flash system featured last month on Nerd Vittles. You can build a complete turnkey system using almost any current generation PC with a SATA drive and our flash installer in less than 15 minutes!

If you’d like to put your name in the hat for a chance to win a free one delivered to your door, just post a comment below with your best PBX in a Flash story.1

Be sure to include your real email address which will not be posted. The winner will be chosen by drawing an email address out of a hat (the old fashioned way!) from all of the comments posted over the next couple weeks. All of the individuals whose comments were used in today’s story will automatically be included in the drawing as well. Good luck to everyone and Happy New Year!!


New Fonica Special. If you want to communicate with the rest of the telephones in the world, then you’ll need a way to route outbound calls (terminations) to their destination. For outbound calling, we recommend you establish accounts with several providers. We’ve included two of the very best! These include Joe Roper’s new service for PBX in a Flash as well as our old favorite, Vitelity. To get started with the Fonica service, just visit the web site and register. You can choose penny a minute service in the U.S. Or premium service is available for a bit more. Try both. You’ve got nothing to lose! In addition, Fonica offers some of the best international calling rates in the world. And Joe Roper has almost a decade of experience configuring and managing these services. So we have little doubt that you’ll love the service AND the support. To sign up in the USA and be charged in U.S. Dollars, sign up here. To sign up for the European Service and be charged in Euros, sign up here. See the Fonica image which tells you everything you need to know about this terrific new offering. In addition to being first rate service, Fonica is one of the least expensive and most reliable providers on the planet.
 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. This offer does not extend to those in jurisdictions in which our offer or your participation may be regulated or prohibited by statute or regulation. []

Introducing VPN in a Flash: The $499 Mobile Telephony Appliance with Asterisk

Aspire OneWe’ve spent a lot of time designing turnkey Asterisk®-based systems from the early Asterisk at Home days until the latest Orgasmatron Builds1 for PBX in a Flash. So, trust us! Nothing comes close to the new VPN in a Flash Mobile Telephony Appliance. Having endured more than a decade of preparations for national emergencies, we are well aware of the need for well-designed telephony systems which can be deployed on a moment’s notice anywhere. We also appreciate the need for a versatile, portable communications appliance which can be toted from hotel room to hotel room providing secure VoIP communications back to the mothership. And we fully grasp the need of thousands of businesses to transparently deploy remote communications devices at far away places but in a way that they still can be supported from home base. With all that in mind, Tom King and I have spent the last several months designing this VoIP telephony appliance. Now let us introduce you to the new world2 of VPN in a Flash.

Aspire OneUntil six months ago, the hardware simply wasn’t available to provide the GUI performance necessary to create such a portable appliance. But the Intel Atom® processor changed all of that. And now Acer has stepped up with an almost perfect mobile implementation of the Atom motherboard in the Aspire One® Netbook. Weighing in at just over two pounds, it’s totally portable but also a powerhouse. And it’s quiet.

On the software side, the stars all lined up when Fedora® introduced Fedora 10 last week, an almost perfect rendition of the Linux® operating system with every imaginable bell and whistle including a low-overhead KDE® GUI that rivals the very best of Windows® and Mac OS X®. Our challenge was to put all the pieces together and add the very best of the Asterisk® telephony world to the mix. And, of course, we wanted to accomplish all of this while staying true to our open source roots. We think this Fedora Remix3 meets that goal in spades! You certainly could build your own system from the ground up, and we would encourage you to download Fedora 10 and do that when you have a few months of free time on your hands. The new Fedora 10 build is a perfect platform for Asterisk and the latest state-of-the-art hardware. In the meantime, our rendition which configures everything to better support Asterisk in a mobile telephony environment should save you about 500 man-hours. Try it. You’ll see. ;-)

Aspire One Desktop

We also wanted the new system design to include every imaginable communications bell and whistle on the planet including a flexible, turnkey virtual private network implementation, transparent support for wired and wireless networks, a built-in preconfigured softphone which is ready for business, and all of the Nerd Vittles utilities and FreePBX® functionality that has made PBX in a Flash such a hit.

Finally, a new Mondo backup script has been included that lets you clone your entire system to a $20 bootable USB flash drive for incredibly easy system recovery in the event of a hardware catastrophe. And the 2008 introductory price for these built-to-order systems: just $499 plus shipping to US-48 destinations. And there’s loads of documentation, too. With a little luck, a self-installing, bootable flash drive appliance for our friends outside of the United States should be available by early next year.


About the Face Lift. Well, it’s been a painful few days at Nerd Vittles Headquarters. Our former hosting provider, BlueHost, apparently hired a new recruit that deemed our CPU utilization unworthy… in the middle of the night last Thursday. He promptly shut down our site. For any of you considering shared hosting, this is one of the dirty little secrets of the industry. They may promise you unlimited disk storage and unlimited bandwidth, but they don’t really mean it. I’m reminded of Mark Twain’s old adage about bankers: “Bankers are the folks that hand you an umbrella when the sun is shining and want it back the minute it starts to rain.” Internet hosting providers have some of the same gene pool unfortunately.

The sad part of the story is that BlueHost is one of the better providers in the United States, and we, in fact, have recommended them. Hundreds of our readers took us up on our BlueHost recommendation. It gets even worse. We provided free Asterisk support to the BlueHost folks about a year ago when they were attempting to reconfigure their queues. We even brought in a local consultant in their area to assist. Do you think we even got a return call from our fair-weather friends when we were trying to figure out why our site suddenly became a problem? Our site utilization has been fairly steady for more than two years! Suffice it to say, the phone never rang. But that’s all history now. Nerd Vittles has moved to our new high-performance server at WestNIC that also hosts the PBX in a Flash Forum, and we’re happy to be there.

Nothing’s ever simple, of course. WestNIC employs PHP5 while BlueHost still was using PHP4. Even though cPanel made the server transition easy, our particular version of the WordPress blogging software was more than a little long in the tooth. Everything at first appeared to work fine. But it turned out that you could no longer read individual posts. Call us picky but that was a deal breaker. What to do? Suffice it to say that 17 version upgrades later, we’re now current. The only fatality was a few recent comments which got deleted by operator error… mine. :roll:

All good blogs deserve a facelift at least once every five years, don’t you think? Well, we’re about a month shy of our Fifth Anniversary, but it was worth the effort. And the performance boost is nothing short of amazing. We hope you agree. Enjoy!


New Fonica Special. If you want to communicate with the rest of the telephones in the world, then you’ll need a way to route outbound calls (terminations) to their destination. For outbound calling, we recommend you establish accounts with several providers. We’ve included two of the very best! These include Joe Roper’s new service for PBX in a Flash as well as our old favorite, Vitelity. To get started with the Fonica service, just visit the web site and register. You can choose penny a minute service in the U.S. Or premium service is available for a bit more. Try both. You’ve got nothing to lose! In addition, Fonica offers some of the best international calling rates in the world. And Joe Roper has almost a decade of experience configuring and managing these services. So we have little doubt that you’ll love the service AND the support. To sign up in the USA and be charged in U.S. Dollars, sign up here. To sign up for the European Service and be charged in Euros, sign up here. See the Fonica image which tells you everything you need to know about this terrific new offering. In addition to being first rate service, Fonica is one of the least expensive and most reliable providers on the planet.
 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

  1. If you don’t know what an Orgasmatron Build is, use the search function at the top of this page. []
  2. And speaking of new worlds, lawyers love footnotes so you’d better get used to these little numbers. :-) We’ll break you in easy today. There are just a few of them. []
  3. Fedora and the Infinity design logo are trademarks of Red Hat, Inc. Asterisk is a registered trademark of Digium, Inc. All other trademarks and registered trademarks are property of their respective owners. This software aggregation is neither provided nor supported by the Fedora Project and contains non-Fedora and modified Fedora content. Official Fedora software is available through the Fedora Project website. []

Ringbinder theme by Themocracy