The Incredible PBX: Remote Phone Meets the Travelin’ Man
Ever wrestled with one of those thorny problems for weeks only to wake up in the middle of the night with the answer? Thus was born Travelin’ Man, a web- based, one-click Asterisk application that automatically reconfigures your Asterisk PBX to enable remote SIP phone access from your cellphone, iPad, remote PC, NetBook, or desktop telephone.
If you’ve read the Incredible PBX series of articles on Nerd Vittles, you already know what a thorny problem remote phone access is if you want to preserve the overall security of your server. Indeed, our recommendation has been to leave SIP access closed on your hardware-based firewall because of the dangers inherent in activating remote SIP access. Now we have a better idea!
Today’s new approach works like this. First, we’ll run a little script that secures all of your extensions with permit entries locking down all these connections to the IP address range within your private network. Then we’ll open the SIP and RTP ports on your hardware and software firewalls and map these ports to your Asterisk server’s private IP address. With this setup, no one can attempt remote SIP logins to your server because Asterisk blocks all SIP extension connection attempts except those originating inside your LAN. To manage external phone connections to your server, the install script creates a new virtual Apache web server on your Incredible PBX using port 83. We’ll enable and map TCP port 83 on your hardware and software firewalls to your server as well. Web access with port 83 is limited to running the Travelin’ Man app to activate external phones.
Now we’re ready to set up access to your server for remote devices. For each extension you wish to enable for remote access, we’ll create a special web directory using an obscure, random file name which will serve as the web link for the Travelin’ Man web app. For example, in the diagram above, directory 184778 manages extension 501, directory 2389957h manages extension 701, and directory 6993h5j manages extension 702. This is accomplished by simply changing the extension number in the index.php script stored in each directory.
When one of these web links is accessed remotely, the PHP script will automatically reconfigure Asterisk to enable access to the designated SIP extension on your server using the remote IP address from which the web page was accessed. And, of course, there’s an additional layer of SIP security as well. You still need your extension credentials to actually log in to your server with a softphone to place and receive calls. The Travelin’ Man installation process takes only a couple minutes, and the remote SIP activation procedure takes just a couple seconds each time you want remote access from a different location. Here’s a quick example of how it actually works.
Let’s assume we want to use the new $3.95 Bria SIP softphone on an iPad to connect as extension 501 on our Incredible PBX back at home. The problem is that the dynamic IP address of your iPad changes at each new site on your itinerary. Some locations have WiFi while others only have 3G connections.
First, we’ll generate an icon to run Travelin’ Man from your iPad desktop. Use the same procedure with an iPhone or iPod Touch, and there’s a similar procedure for Android devices.1 You only have to do this once. Start up Safari on the iPad to access the new port 83 web server at the random web address the installer created to support extension 501. That web address is something like this using your own FQDN2: http://myserver.dyndns.org:83/184778. After establishing the link once, we’ll hit the + button in Safari and choose Add to Home Screen. This creates the TravelMan icon on the iPad. See the screenshot below of our demo iPad setup which used extension 221 instead of 501.
Once configured, it’s just two clicks to enable your remote phone anywhere: click once on the TravelMan icon. When your IP address is confirmed, return to your Home Screen and click the Bria softphone icon to establish a SIP connection back to your server. Behind the scenes, the Travelin’ Man application will generate the required permit entry for your remote IP address mapping it to the designated extension on your server, and then it will reload your SIP settings to make your Asterisk server accessible to the Bria softphone in your hotel room. The entire process takes only a couple seconds.
If your company happens to have a dozen traveling salesmen, then you’d simply assign a dedicated extension to each employee and create secure directory names for each person (e.g. 2389957h and 6993h5j in diagram above) with a copy of the Travelin’ Man app configured for that employee’s extension number. Now your entire mobile workforce has connectivity back to the home office from any location on the globe. And, when an employee leaves the company and another arrives, just create a new name for the old employee’s web directory to preserve the security of your system (e.g. 184778 in our example becomes 78hd773). Keep in mind that each time the Travelin’ Man app is run for any extension, it wipes out any previously authorized IP address entry for that extension. Thus, the security of your Incredible PBX is always preserved.
Prerequisites. Before proceeding with today’s install, you must be running a stock install of Incredible PBX with PBX in a Flash behind a properly-secured, hardware-based firewall3. We recommend the latest version of Asterisk 1.4 because it addresses a SIP vulnerability that might cause you problems if malformed SIP packets are targeted at your server. The current release of PBX in a Flash (1.7.5.5 Silver) is ideal, but any version of PBX in a Flash can be brought current with Asterisk using the update-source and update-fixes tools. Travelin’ Man assumes that you have the Incredible PBX base install of extensions: 501 plus 701-715. You can obviously add more or remove some, but you’ll need to manually adjust sip_custom_post.conf to reflect your actual extension list after the install completes.
The installer has been encrypted for your/our own protection. In source form, the script would allow anyone to defeat the Incredible PBX requirement. Doing so would mean the required IPtables security component would not be in place and properly configured to protect the underlying system from attack. So we’ve opted to play Big Brother to avoid potential security problems for all of us down the road. This article clearly explains all the necessary components if some folks want to roll their own version. We just don’t want the responsibility if something goes horribly wrong. As Forrest Gump would say, “Shit Happens.” 
If you don’t believe it, check out the latest security scramble in the trixbox forums.
Installation. Now we’re ready to get started. So log into your Incredible PBX as root and issue the following commands:
cd /root
wget http://incrediblepbx.com/travelinman.tar.gz
tar zxvf travelinman.tar.gz
./travelinman.x
The first step in the install procedure is to lock down access to all of your extensions to your private LAN subnet. In case you ever want to do this on another server not running the Incredible PBX, here’s a link to our privip.sh shell script that shows how to do it. This should work on most FreePBX-based Asterisk systems.
Once the extensions are locked down, the script will modify your IPtables and Apache configurations to permit web access on port 83. Next, it will adjust your Asterisk setup to support the Travelin’ Man permit scheme. This involves reworking of sip_custom_post.conf so that permit settings for individual extensions can be stored in files named 501.inc, 701.inc, etc. Finally, the installation procedure will set up a single web site to support extension 501 with a randomized directory name for remote access.4 This setup will be stored in /var/www/travelman. To activate support for additional extensions, you would simply copy the subdirectory giving it a new random name: cp -r dir1 dir2. Then edit config.php in the new subdirectory and change the $extension entry.
To complete the install, you must reconfigure your hardware-based firewall and map the following ports to the private IP address of your server:
TCP 83
UDP 5060
UDP 10000-20000
When the installation is completed, it will show you how to access the new web site for extension 501 using either a fully-qualified domain name or a public or private IP address. Now just follow the steps at the beginning of this article to set up your Android or iDevice, and test things out. Enjoy!
Reminders: Be sure to review the comments to this article and the related support forum thread for a week or two for late-breaking enhancements and issues. Also, Incredible PBX comes preconfigured with call forwarding activated for extension 501. Don’t forget to either disable it or set up a real call forwarding number for extension 501 if you want your cellphone to ring. From any extension on your server, just dial *72501 to set up call forwarding. To cancel call forwarding and pass calls directly to the registered 501 softphone, dial *74 and enter 501. Also be aware that the default RingAll ring group (700) configuration on Incredible PBX systems does not include extension 501. So add 501 if you want your remote extension to ring for incoming calls.
The Incredible PBX: Basic Installation Guide
Adding Skype to The Incredible PBX
Adding Incredible Backup… and Restore to The Incredible PBX
Adding Multiple Google Voice Trunks to The Incredible PBX
Adding Remotes, Preserving Security with Incredible PBX
Continue reading Basic Installation Guide, Part II.
Continue reading Basic Installation Guide, Part III.
Continue reading Basic Installation Guide, Part IV.
Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won’t have to wait long for an answer to your questions.
Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.
whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID and 60 free minutes from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month and you get a free hour of outbound calling to test out their call quality. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! After the free hour of outbound calling, Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.Some Recent Nerd Vittles Articles of Interest…
- To create a desktop icon for Travelin’ Man on Android devices, navigate to the link with your browser. Then save the link as a Bookmark by clicking the Star icon in your browser then click Add. Return to the Home Screen and, from the screen on which you wish to add the icon, touch and hold your finger on the screen. When the Add to Home Screen menu appears, choose Shortcuts then Bookmarks and select the link you previously saved. As with iDevices, you only have to do this once. [↩]
- FQDN = Fully-qualified domain name [↩]
- We recommend the dLink Router/Firewall. Low Cost: $35 WBR-2310 Best: DGL-4500 [↩]
- If you’d like to download the web site code independently from the Travelin’ Man install procedure, here’s the link. [↩]
Tags: asterisk, Cellular, IncrediblePBX, piaf, sip, sip phone, softphone
Internet/Web, Smartphones, Technology, Telephony | ward | Monday, June 28, 2010 | 
Comments (8)
Unlike most Asterisk-based PBXs which are insecure as installed and leave it to you to implement sufficient safeguards to preserve the integrity of your system, the Incredible PBX is delivered with rock-solid, air-tight security already in place. Because it is designed to operate behind a hardware- based firewall, what you'll be doing when you want to add functionality with the Incredible PBX is loosening security rather than tightening it. The trick, of course, is to do it in a way that doesn't compromise the overall integrity of your system. As delivered, the Incredible PBX relies upon four layers of network security: a hardware-based firewall of your choice
Are we going to secure them anyway? Absolutely. But instead of the constant worry over new security vulnerabilities, Orgasmatron 5.2 lets you enjoy exploring the world of Asterisk and VoIP telephony with an incredibly rich feature set that you won’t find anywhere else, period! We’ll resist making any other device analogies, but the idea here is to protect the good guy (you!) while keeping the bad guys out. No penetration. No worries. Simple as that.
New Asterisk Security Model. Orgasmatron 5.2 maintains our design goal of running an absolutely secure Asterisk PBX from behind a hardware-based firewall with either NO INBOUND PORTS exposed to the Internet with SIPgate or an IP-address-restricted IAX port for IPkall. Don’t defeat this security mechanism by exposing additional ports on your PBX in a Flash server to Internet access. And choose your NAT-based firewall/router carefully. All of these devices are not created equally. Not only do some perform better than others, but certain models are notoriously bad at handling NAT-based routing tasks, a critical requirement in the Asterisk VoIP environment. In almost every case of problems with one-way audio, the real culprit can be traced back to a crappy router. For $35, you really can’t go wrong with the 
Swiss Army Knife Inventory. There’s no need for a Swiss Army Knife if you don’t know what all the blades are for. So, for those that are wondering what’s included in the Orgasmatron 5.2 build, here’s a feature list of the components you get in addition to the base PBX in a Flash build with CentOS 5.4, Asterisk 1.4, FreePBX 2.6, and Apache, SendMail, MySQL, PHP, phpMyAdmin, IPtables Linux firewall, Fail2Ban, and WebMin. Please note that A2Billing, Cepstral TTS, Hamachi VPN, and Mondo Backups are optional and may be installed using the scripts that are provided.
Installing PBX in a Flash. Here’s a quick tutorial to get PBX in a Flash installed. We recommend you install the latest PIAF 1.6 beta on a new Atom-based PC. This beta is virtually identical to version 1.4 except it uses CentOS 5.4 instead of CentOS 5.2. This means it works better with newer hardware including Atom-based computers and newer network cards. Unlike other Asterisk aggregations, PBX in a Flash utilizes a two-step install process. The ISO only installs the CentOS operating system. Once installed, the server reboots and downloads a payload file that includes Asterisk, FreePBX, and many other VoIP and Linux utilities. We use the identical payload for versions 1.3, 1.4, 1.5, and 1.6 of PBX in a Flash. The beta label simply means we haven’t had time to sufficiently test CentOS. But this is not a Microsoft-style beta so fear not! 
Configuring a SIP Phone. There are hundreds of terrific SIP telephones and softphones for Asterisk-based systems. Once you get things humming along, you’ll want a real SIP telephone, and you’ll find lots of recommendations on Nerd Vittles. For today, let’s download a terrific (free) softphone to get you started. We recommend X-Lite because there are versions for Windows, Mac, and Linux. So download your favorite from 
Configuring SIPgate. If you live in the U.S. and have a cellphone, we’d recommend the SIPgate option since no adjustment of your hardware-based firewall is required. Otherwise, skip to the IPkall setup below. Step #1 is to request a SIPgate invite at 
Configuring Google Voice. Google Voice still is by invitation only so the first thing you’ll need is an 
Adding Your Credentials to PBX in a Flash. We’re ready to insert your Google Voice credentials and SIPgate/IPkall number into PBX in a Flash. You’ll need four pieces of information: your 10-digit Google Voice phone number, your Google Voice account name (which is the email address you used to set up your GV account), your GV password (no spaces!), and your 11-digit SIPgate or IPkall RingBack DID (beginning with a 1). Don’t get the 10-digit GV number mixed up with the 11-digit SIPgate/IPkall RingBack DID, or nothing will work. 
Configuring FreePBX. Now shift back to your Desktop and, using a web browser, log in to FreePBX 2.6 at the following link substituting your actual IP address for ipaddress: http://ipaddress/admin. You’ll be prompted for a user name (maint) and password (the one you just created with passwd-master). Depending upon which intermediate provider you’re using, do the following:
Orgasmatron Test Flight. The proof is in the pudding as they say. So let’s try two simple tests. First, from another phone, call your Google Voice number. Your softphone should begin ringing shortly. Answer the call and make sure you can send and receive voice on both phones. Hang up. Now let’s place an outbound call. Using the softphone, dial your cellphone number. Google Voice should transparently connect you. Answer the call and make sure you can send and receive voice on both phones. If everything is working, congratulations! 
Solving One-Way Audio Problems. If you experience one-way audio on some of your phone calls, you may need to adjust the settings in /etc/asterisk/sip_custom.conf. Just uncomment the first two lines by removing the semicolons. Then replace 173.15.238.123 with your public IP address, and replace 192.168.0.0 with the subnet address of your private network. Save the file and restart Asterisk with the command: amportal restart.
Choosing a VoIP Provider. For this week, we’ll point you to some things to play with on your new server. Then, in the subsequent articles below, we’ll cover in detail how to customize every application that’s been loaded. Nothing beats free when it comes to long distance calls. But nothing lasts forever. So we’d recommend you set up another account with Vitelity using our special link below. This gives your PBX a secondary way to communicate with every telephone in the world, and it also gets you a second real phone number for your new system… so that people can call you. Here’s how it works. You pay Vitelity a deposit for phone service. They then will bill you $3.99 a month for your new phone number. This $3.99 also covers the cost of unlimited inbound calls (two at a time) delivered to your PBX for the month. For outbound calls, you pay by the minute and the cost is determined by where you’re calling. If you’re in the U.S., outbound calls to anywhere in the U.S. are a little over a penny a minute. If you change your mind about Vitelity and want a refund of the balance in your account, all you have to do is ask.
Homework. Your homework for this week is to do some exploring. FreePBX is a treasure trove of functionality, and the Orgasmatron build adds a bunch of additional options. See if you can find all of them. For starters, you’ll want to activate CallerID Lookups in FreePBX. Choose Setup, CID Superfecta, Default and enter the maint password you created with passwd-master. Then choose Tools, Module Administration, CallerID Lookup, Enable, Process and Save the Settings. Then edit each of the Inbound Routes and choose CallerID Superfecta as the CID Lookup Source. Save your changes. Finally, choose Setup, CallerID Lookup Sources, CallerID Superfecta and be sure your maint password created with passwd-master is correct here, too. If not, update it. For additional tips, 
Be sure to log into your server as root and look through the scripts added in the /root/nv folder. You’ll find all sorts of goodies to keep you busy. s3cmd.faq tells you how to quickly activate the 
Twitter
