Home » Search results for 'sip uri' (Page 3)

Search Results for: sip uri

The Most Versatile VoIP Provider: FREE PORTING

Meet Linphone: Free Worldwide Calling to Anybody with SIP

Earlier this year we demonstrated how to set up a publicly-accessible Asterisk® server to enable free worldwide calling using SIP URIs which are email-like addresses for VoIP and video calls. But not everyone has an Asterisk server so today’s tutorial extends free calling to everyone with a Windows or Linux PC, a Mac, or any smartphone or tablet. All you need is a desktop computer with wired or wireless Internet access or, on a smartphone or tablet, a cell data plan or WiFi connection will suffice. When friends sign up, their calls also will be free.

The secret sauce on all of these platforms is the Linphone app (shown above) which can be downloaded and used at no cost. Source code is available for those that want it. Use it as often and for as long as you like. Here are the Linphone download links for each of the platforms:

The only other piece you’ll need to get started is a free Linphone SIP account. Sign up here. Once you’ve signed up, simply respond to the confirmation email to activate your account. Your registration gets you credentials to plug into your Linphone app that you downloaded above. In addition, it gets you a free Linphone SIP URI which looks something like this: yourname@sip.linphone.org. This is the SIP URI address that anyone in the world can use to contact you. Here are the pieces you’ll need to plug into your desktop or smartphone app:

  • Account Name
  • Account Password
  • Domain: sip.linphone.org

Be very careful not to lose your password. You can’t retrieve it, and you can’t change it without knowing the original password. All you can do is delete your account and start over.

The Linphone feature set is downright impressive. Here’s what you and your friends will be using at zero cost:

IMPORTANT TIP: Missing audio or one-way audio is a common problem on SIP calls. For best results, configure your account in the Linphone app to use UDP for the Transport, disable the Outbound Proxy, configure stun.linphone.org as the Stun Server, and enable ICE. In Network settings, turn off IPv6 and Media Encryption. In Audio settings, enable Opus, G.722, PCMU, and PCMA only. In Video settings, enable both VP8 and H.264. Then close the app and reopen it.

Once you have your Linphone credentials, another option in addition to using one of the SIP clients above is to acquire a stand-alone SIP telephone which can easily be connected to your Linphone SIP account. While there are literally hundreds of SIP telephones from which to choose, here’s a $35 offering from Grandstream that we use. It’s available from Amazon.1

Unlike other proprietary communications apps, the beauty of using Linphone with its native SIP URI support is you can call any SIP phone in the world for free whether the recipient uses Linphone or not. For example, to annoy your friends and spammers, you can transfer their calls to Lenny: 2233435945@sip2sip.info or 883510001198938@sip.inum.net. And here are some other SIP URI calls you might want to try. Store them in your Linphone Phonebook.

Yahoo News Headlines - news@demo.nerdvittles.com
Yahoo News Headlines - 951@demo.nerdvittles.com
Weather by Zip Code  - weather@demo.nerdvittles.com
Weather by Zip Code  - 947@demo.nerdvittles.com
Directory Assistance - information@demo.nerdvittles.com
Directory Assistance - 411@demo.nerdvittles.com
Lenny for Spammers   - 53669@demo.nerdvittles.com
Technical Support    - 0@sip.incrediblepbx.com
Call Any TollFree #  - **1800XXXXXXX@tollfree.future-nine.com

There are now more than 2,000 VoIP networks worldwide that support SIP URI access. Any person or organization with an account on any of these networks can be reached at no cost via SIP URI or via several hundred PSTN numbers. Using a SIP URI dialing prefix, you can call any referenced network@sipbroker.com. For example, *656news@sipbroker.com would reach the Nerd Vittles News Headlines from Yahoo. Or choose a local access number from the SipBroker worldwide directory, e.g. 702-789-0530 and then dial *656951 at the prompt.

Of course, every 3CX platform provides dedicated SIP URIs for every extension on the PBX. Our recent article covers adding SIP URI access to any Asterisk PBX.

If you want to associate a phone number with your Linphone SIP URI, you can do it in a couple of ways. First, using a smartphone, you can link your cell number to Linphone within the Linphone app itself. If you have a free DID from IPComms, you can point it to your Linphone SIP URI. If you have a $1/month CallCentric DID, it can also be pointed to your Linphone SIP URI. A 25¢/month iNum DID from LocalPhone.com also can be pointed to your SIP URI. LocalPhone supports Nerd Vittles through referral revenue from your 25¢ investment. 🙂

Speaking of iNUMs, you can reach anyone with an iNUM DID by dialing the iNUM number in SIP URI format: 8835100xxxxxxxx@sip.inum.net. One of the real beauties of signing up for an iNUM number as well is that it can be reached in most places around the globe by dialing a local number from any telephone. As part of the iNum initiative, local access numbers have been established in more than 50 countries around the globe. By placing a local call from any telephone to one of these local access numbers, any individual with an iNum phone number anywhere in the world can be reached without further cost. Here is a current list of the local access numbers. If the link is down (frequently), try here or here or the iNUM listing here. Once your call is answered, simply enter the 15-digit iNum phone number you wish to reach, and you will be connected. It’s worth pointing out that iNUMs aren’t as unwieldy as they may appear. The numbers always begin with 8835100 followed by 8 digits starting with a zero.



And another iNUM listing from DSL Reports:

Country             City                     Access Number
------------------- ------------------------ ---------------
Argentina           Buenos Aires             +54 1159839500
Australia           Sydney                   +61 280148200
Austria                                      +43 720880500
Bahrain                                      +973 16199200
Belgium             Brussels                 +32 28081771
Brazil              Brasilia                 +556135500791
Brazil              Florianopolis            +554840420809
Brazil              Rio De Janeiro           +552135006959
Brazil              Sao Paulo                +551146803621
Bulgaria            Sofia                    +359 24917555
Canada              Calgary                  (403) 775-1446
Canada              Edmonton                 (780) 669-9257
Canada              Halifax                  (902) 982-6937
Canada              London                   (519) 488-9336
Canada              Montreal                 (514) 907-7500
Canada              Ottawa                   (613) 686-4519
Canada              Quebec City              (418) 800-0384
Canada              St. Johns, Newfoundland  (709) 757-0060
Canada              Regina                   (306) 988-1600
Canada              Toronto                  (416) 800-4303
Canada              Toronto                  (647) 724-8777
Canada              Vancouver                (778) 786-3497
Canada              Winnipeg                 (204) 272-8182
Chile               Santiago                 +56 25813444
Croatia             Zagreb                   +385 17776363
Cyprus              Nicosia                  +357 22030500
Czech Republic      Prague                   +420 246019777
Denmark                                      +45 69918686
Dominican Republic  Santiago                 (829) 947-9610
El Salvador                                  +503 21131899
Estonia                                      +372 6681881
Finland             Helsinki                 +358 942419200
France              Paris                    +33 170619800
Germany             Frankfurt                +4969257385876
Germany             Frankfurt                +4969257380439
Greece              Athens                   +30 2111768444
Hungary             Budapest                 +36 14088951
Ireland             Dublin                   +353 15262600
Israel              Tel Aviv                 +972 37219555
Italy               Rome                     +39 0662207777
Japan               Tokyo                    +81 345209777
Latvia              Vilnius                  +370 52059090
Lithuania                                    +371 67652500
Luxembourg                                   +352 20880108
Malta                                        +35627780107
Mexico              Guadalajara              +52 3346242977
Mexico              Mexico City              +52 5511678222
Mexico              Monterrey                +52 8141703540
Netherlands         Amsterdam                +31 208080808
New Zealand         Auckland                 +64 99250499
Norway              Oslo                     +47 21031306
Panama                                       +507 8322488
Peru                Lima                     +51 17085500
Poland              Warsaw                   +48 223982688
Portugal            Lisbon                   +351 308803219
Puerto Rico         Bayamon Norte            (787) 395-7140
Romania                                      +40 318103500
Singapore                                    +65 31581212
Slovakia            Bratislava               +421 233002555
Slovenia            Ljubljana                +386 16001422
South Africa        Johannesburg             +27105002854
South Africa        Pretoria                 +27120042701
Spain               Barcelona                +34 931815653
Spain               Madrid                   +34 911883777
Sweden              Stockholm                +46 852500111
Switzerland         Zurich                   +41 435006262
United Kingdom      London                   +44 2033556363
United States       Albuquerque              (505) 225-8243
United States       Charlotte                (980) 202-0283
United States       Charlotte                (980) 236-0398
United States       Kansas City              (913) 951-0932
United States       Chicago                  (312) 253-4880
United States       Houston                  (713) 474-2323
United States       Los Angeles              (213) 221-3799
United States       New York                 (646) 843-6969
United States       Phoenix                  (602) 354-9444
United States       San Diego                (619) 330-9640
United States       San Francisco            (650) 360-0999
United States       Santa Barbara            (805) 308-9649
United States       Seattle                  (206) 420-5904
United States       Spokane, WA              (509) 931-0459
United States       Tacoma, WA               (253) 343-1529

More iNUM details are available here. If sip.inum.net is down, try 81.201.82.50.

Let’s tie all the pieces together now. Linphone gives you and your friends a free SIP URI as well as a SIP client for any platform to make and receive SIP voice and video calls. You can associate this SIP URI with your cellphone number as well as a free or almost free phone number (DID) that’s available from IPComms, CallCentric, and other providers. If you sign up for a LocalPhone iNUM number, you also can associate it with your Linphone SIP URI. So you can be reached on your Linphone client by SIP URI, by iNUM, and by regular phone numbers. You can place unlimited calls to any SIP URI or iNUM worldwide at no cost. What’s not to like?

Deploying Linphone as an Asterisk Trunk

If you don’t have an Asterisk PBX, you can stop reading here. The good news is you can also use a Linphone SIP account as a SIP trunk on your Asterisk PBX. Once configured, you can add an Incoming Route and send the incoming Linphone SIP URI calls to any destination desired: an extension, a ring group, an IVR, or even a Conference Room. Using the FreePBX® or Incredible PBX® GUI, create a chan_SIP Trunk and name it linphone. In the PEER DETAILS, enter the following using your actual Linphone username and password:

type=friend
qualify=yes
insecure=port,invite
host=sip.linphone.org
disallow=all
context=from-trunk
dtmfmode=rfc2833
allow=g722&ulaw
fromuser=your-username
defaultuser=your-username
secret=your-password

For the Registration String: your-username:your-password@sip.linphone.org/99999

Next, create an Inbound Route using 99999 as the DID entry. Route the call to your desired destination, SAVE your settings, and you’re in business.

There’s one more nice surprise. Linphone accounts work much like the old key telephones and Google Voice setup that we all knew and loved. What that means is you can register the same Linphone account in multiple places, e.g. as an Asterisk trunk and elsewhere using one of the Linphone softphone apps. When incoming calls to your SIP URI arrive, they will ring on both your Asterisk PBX and your Linphone softphone as long as you haven’t routed the Linphone trunk to a destination that automatically answers the calls such as an IVR.

HINT: If you’re using dual registrations and routing the Linphone trunk to an extension, we recommend disabling voicemail on that extension so that Asterisk doesn’t automatically answer the call and send it to voicemail when the extension is not registered or answered.

To make outbound calls from extensions on your PBX using the Linphone trunk, the easiest way is to create custom extensions in the [from-internal-custom] context in /etc/asterisk/ extensions_custom.conf. Make up an unused extension number (90210 in this example), enter the Linphone account name you wish to call (acctname in this example), save the file, and reload your dialplan: exten => 90210,1,Dial(SIP/acctname@linphone).

Another way to create a Custom Extension is using the FreePBX or Incredible PBX GUI. Under Applications -> Extensions -> Add Custom Extension, assign an extension number for the extension. Click on the Advanced tab and enter SIP/acctname@linphone in the Dial field. Click Submit button and reload the dialplan at the prompt. Enjoy your worldwide free calling.

Originally published: Monday, April 29, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. This phone requires a wired network connection. Some of our purchase links refer users to Amazon when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from Amazon to help cover the costs of our blog. We never recommend particular products solely to generate Amazon commissions. However, when pricing is comparable or availability is favorable, we support Amazon because Amazon supports us. []

SIP Happens! Deploying a Publicly-Accessible Asterisk PBX – replaced

We’ve previously documented the benefits of SIP URI calling. Because the calls are free from and to anywhere in the world, the use case is compelling. The drawbacks, particularly with Asterisk® servers, have primarily centered around the security implications of exposing SIP on a publicly-accessible server. Today we want to take a fresh look at a possible SIP implementation for Asterisk based upon the pioneering work of Dr. Lin Song back in the PBX in a Flash heyday. We’ve embellished Lin’s original IPtables creation with additional security mechanisms now available with Fail2Ban, Asterisk, FreePBX®, and Travelin’ Man 3 as well as a terrific tutorial from JavaPipe. All of Lin’s work and ours is open source GPL3 code which you are more than welcome to use or improve pursuant to the terms of the GPL3 license.

Consider this. If everyone in the world had an accessible SIP address instead of a phone number, every call to every person in the world via the Internet would be free. That pretty much sums up why SIP URIs are important. The syntax for SIP URIs depends upon your platform. With Asterisk they look like this: SIP/somebody@FQDN.yourdomain.com. On SIP phones, SIP URIs look like this: sip:somenameORnumber@FQDN.yourdomain.com. Others use somenameORnumber@FQDN.yourdomain.com. Assuming you have a reliable Internet connection, once you have “dialed” a SIP URI, the destination SIP device will ring just as if the called party had a POTS phone. Asterisk® processes SIP URIs in much the same way as calls originating from commercial trunk providers, but anonymous SIP calls are blocked.

Before we get too deep in the weeds, let us take a moment to stress that we don’t recommend this SIP design for mission-critical PBXs because there still are some security risks with denial of service attacks and other vulnerabilities. For these deployments, Incredible PBX® coupled with the Travelin’ Man 3 firewall which blocks SIP access except from whitelisted IP addresses and FQDNs has no equal. When properly deployed, the bad guys cannot even see your server much less attack it. A typical use case for today’s new SIP design would be a public Asterisk server that provides anonymous SIP access to the general public without any exposure to corporate jewels. For example, we’ve put up a demonstration server that provides news and weather reports. In the corporate world, an equivalent deployment might provide access to a product database with pricing and availability details. Our rule of thumb before deploying today’s platform would be to ask yourself what damage could be inflicted if your server were totally compromised. If the answer is zero, then proceed. Otherwise, stick with Incredible PBX and the Travelin’ Man 3 firewall. The ideal platform for deployment using the same rule of thumb as above is one of these $7 to $15/year OpenVZ cloud platforms.

Overview. There are a number of moving parts in today’s implementation. So let’s briefly go through the steps. Begin with a cloud-based installation of Incredible PBX. Next, we’ll upgrade the Fail2Ban setup to better secure a publicly-accessible Asterisk server. We’ll also customize the port for SSH access to reduce the attack rate on the SSH port. You’ll need a fully-qualified domain name (FQDN) for your server because we’ll be blocking all access to your server by IP address. If you want to allow SIP URI calls to your server, you’ll need this FQDN. If you want to also allow SIP registrations from this same FQDN, then a single FQDN will suffice; however, with OpenVZ platforms, we recommend using a different (and preferably more obscure) FQDN for SIP registrations since registered users have an actual extension on your PBX that is capable of making outbound calls which usually cost money. In this case, the obscure FQDN performs double-duty as the equivalent of a password to your PBX. For example, an FQDN such as hk76dl34z.yourdomain.com would rarely be guessed by an anonymous person while sip.yourdomain.com would be fairly obvious to attempted intruders. But that’s your call.

Using whatever FQDN you’ve chosen for SIP registrations, we’ll add an entry to /etc/asterisk/sip_custom.conf that looks like this: domain=hk76dl34z.yourdomain.com. That will block all SIP registration attempts except from that domain. It will not block SIP invitations! The next step will be to add a new [from-sip-external] context to extensions_override_freepbx.conf. Inside that context, we’ll specify the FQDN used for public SIP URI connections to your server, e.g. sip.yourdomain.com. This will block SIP invitations except SIP URIs containing that domain name. We’ll also define all of the extensions on your Asterisk server which can be reached with SIP URI invitations. These could be actual extensions, or ring groups, or IVRs, or Asterisk applications. The choice is yours. These SIP URI authorizations can be either numeric (701@sip.yourdomain.com) or alpha (weather@sip.yourdomain.com) or alphanumeric (channel7@sip.abc.com). Finally, we’ll put the new IPtables firewall rules in place and adjust your existing iptables-custom setup to support the new publicly-accessible PBX. For example, we’ll still use whitelist entries for web access to your server since anonymous users would cause nothing but mischief if TCP ports 80 and 443 were exposed. It’s worth noting that KVM platforms provide a more robust implementation of IPtables that can block more types of nefarious traffic. We’ve supplemented the original article with a KVM update below. With OpenVZ platforms, we have to rely upon Asterisk to achieve IP address blocking and some types of packet filtering. So why not choose a KVM platform? It’s simple. These platforms typically cost twice as much as equivalent OpenVZ offerings. With this type of deployment, KVM is worth it.

Installing Incredible PBX Base Platform

Today’s design requires an Incredible PBX platform on a cloud-based server. Start by following this tutorial to put the pieces in place. We recommend you also install the Whole Enchilada addition once the base install is finished. Make sure everything is functioning reliably before continuing.

Upgrading the Fail2Ban Platform

Because this will be a publicly-accessible server, we’re going to tighten up the Asterisk configuration in Fail2Ban and lengthen the bantime and findtime associated with Fail2Ban’s Asterisk log monitoring. We also recommend that you whitelist the IP addresses associated with your server and PCs from which you plan to access your server so that you don’t inadvertently block yourself.

Log into your server as root and issue the following commands. When the jail.conf file opens in the nano editor, scroll down to line 34 and add the IP addresses you’d like to whitelist to the existing ignoreip settings separating each IP address with a space. Then press Ctrl-X, Y, then Enter to save your changes. Verify that Fail2Ban restarts successfully.

cd /etc/fail2ban
wget http://incrediblepbx.com/fail2ban-public.tar.gz
tar zxvf fail2ban-public.tar.gz
rm -f fail2ban-public.tar.gz
nano -w jail.conf
service fail2ban restart

If you ever get locked out of your own server, you can use the Serial Console in your VPS Control Panel to log into your server. Then verify that your IP address has been blocked by issuing the command: iptables -nL. If your IP is shown as blocked, issue this command with your address to unblock it: fail2ban-client set asterisk unbanip 12.34.56.78

Obtaining an FQDN for Your Server

Because we’ll be blocking IP address SIP access to your server, you’ll need to obtain one or perhaps two FQDNs for your server. If you manage DNS for a domain that you own, this is easy. If not, you can obtain a free FQDN from ChangeIP here. Thanks, @mbellot.

For the FQDN that you’ll be using for SIP registrations on your server, configure Asterisk to use it by logging into your server as root and issuing the following command using your new FQDN, e.g. xyz.yourdomain.com. Thanks, @ou812.

echo "domain=xyz.yourdomain.com" >> /etc/asterisk/sip_custom.conf

SECURITY ALERT: Never use the SIP URI MOD on a server such as this one with a publicly-exposed SIP port as it is possible for some nefarious individual to spoof your FQDN in the headers of a SIP packet and easily gain outbound calling access using your server’s trunk credentials.

Customizing the [sip-external-custom] Context

All FreePBX-based servers include a sip-external-custom context as part of the default installation; however, we need a customized version to use for a publicly-accessible PBX. You can’t simply update the context in /etc/asterisk/extensions.conf because FreePBX will overwrite the changes the next time you reload your dialplan. Instead we have to copy the context into extensions_override_freepbx.conf and make the changes there. So let’s start by copying the new template there with the following commands:

cd /tmp
wget http://incrediblepbx.com/from-sip-external.txt
cd /etc/asterisk
cat /tmp/from-sip-external.txt >> extensions_override_freepbx.conf
rm -f /tmp/from-sip-external.txt
nano -w extensions_override_freepbx.conf

When the nano editor opens the override file, navigate to line #10 of the [from-sip-external] context and replace xyz.domain.com with the FQDN you want to use for SIP invites to your server. These are the connections that are used to actually connect to an extension on your server (NOT to register). As noted previously, this can be a different FQDN than the one used to actually register to an extension on your server. Next, scroll down below line #24, and you will see a series of lines that actually authorize anonymous SIP connections with your server. There are two numeric entries and also two alpha entries to access the News and Weather apps on your server. The 13th position in the dialplan is required for all authorized calls.

exten => 947,13,Dial(local/947@from-internal)
exten => 951,13,Dial(local/951@from-internal)
exten => news,13,Dial(local/951@from-internal)
exten => weather,13,Dial(local/947@from-internal)

You can leave these in place, remove them, or add new entries depending upon which extensions you want to make publicly accessible on your server. Here are some syntax examples for other types of server access that may be of interest.

; Call VoIP Users Conference
exten => 882,13,Dial(SIP/vuc@vuc.me)
exten => vuc,13,Dial(SIP/vuc@vuc.me)
; Call Default CONF app
exten => 2663,13,Dial(local/${EXTEN}@from-internal)
exten => conf,13,Dial(local/2663@from-internal)
; Call Bob at Local Extension 701
exten => 701,13,Dial(local/${EXTEN}@from-internal)
exten => bob,13,Dial(local/701@from-internal)
; Call Default Inbound Route thru Time Condition
exten => home,13,Goto(timeconditions,1,1)
; Call Inbound Trunk 8005551212
exten => 8005551212,13,Goto(from-trunk,${DID},1)
; Call Lenny
exten => 53669,13,Dial(local/${EXTEN}@from-internal)
exten => lenny,13,Dial(SIP/2233435945@sip2sip.info)
; Call any toll-free number (AT&T Directory Assistance in example)
exten => information,13,Dial(SIP/18005551212@switch.starcompartners.com)

Once you’ve added your FQDN and authorized SIP URI extensions, save the file: Ctrl-X, Y, then Enter.

One final piece is required to enabled anonymous SIP URI connections to your server:

echo "allowguest=yes" >> /etc/asterisk/sip_general_custom.conf

Now restart Asterisk: amportal restart

UPDATE for DialPlan Junkies: We received a few inquiries following publication inquiring about the dialplan design. We’ve taken advantage of a terrific feature of Asterisk which lets calls fall through to the next line of a dialplan if there is no match on a Goto(${EXTEN},13) command. For example, if a caller dials ward@sip.domain.com and there is a line 12 in the dialplan directing the call to ward,13 which exists, call processing will continue there. However, if the extension does not exist, the call will not be terminated. Instead, if there exists a more generic line 13 in the dialplan, e.g. exten => _X.,13,Goto(s,1), call processing will continue there. We use this trick to then redirect the call to an ‘s’ extension sequence to announce that the called extension could not be reached. It’s the reason all of the whitelisted extensions have to have the same line 13 designation so that call processing can continue with the generic line 13 when a specific extension match fails.

Configuring IPtables for Public SIP Access

You may recall that, with Incredible PBX, we bring up the basic IPtables firewall using the /etc/sysconfig/iptables rules. Then we add a number of whitelist entries using /usr/local/sbin/iptables-custom. We’re going to do much the same thing with today’s setup except the rule sets are a bit different. Let’s start by putting the default iptables-custom file in place:

cd /usr/local/sbin
wget http://incrediblepbx.com/iptables-custom-public.tar.gz
tar zxvf iptables-custom-public.tar.gz
rm -f iptables-custom-public.tar.gz
nano -w iptables-custom

When the nano editor opens, scroll to the bottom of the file. You’ll note that we’ve started a little list of notorious bad guys to get you started. Fail2Ban will actually do a pretty good job of managing these, but for the serious recidivists, blocking them permanently is probably a good idea. In addition to the bad guys, you’ll want to whitelist your own IP addresses and domains so that you don’t get blocked from FreePBX web access to your server. The syntax looks like the following two examples:

/usr/sbin/iptables -I INPUT -s pbxinaflash.dynamo.org -j ACCEPT
/usr/sbin/iptables -I INPUT -s 8.8.8.8                -j ACCEPT

Whenever you make changes to your IPtables configuration, remember to restart IPtables using the following command ONLY: iptables-restart

Now let’s put the final IPtables piece in place with the default IPtables config file:

cd /etc/sysconfig
wget http://incrediblepbx.com/iptables-public.tar.gz
tar zxvf iptables-public.tar.gz
rm -f iptables-public.tar.gz
nano -w iptables

When the nano editor opens the file, scroll down to line 51 which controls the TCP port for SSH access to your server. We strongly recommend you change this from 22 to something in the 1000-2000 range. HINT: Your birth year is easy to remember. In the next step, we’ll make the change in your SSH configuration as well.

Next, scroll down to lines 143 and 144. Replace YOUR_HOSTNAME.no-ip.com on both lines with the FQDN of your server that will be used to accept SIP invitations (connections) on your server. These entries have no effect on SIP registrations which we covered above!

Once you’ve made these changes, save the file BUT DO NOT RESTART IPTABLES JUST YET.

Securing the SSH Access Port

TCP port 22 is probably one of the most abused ports on the Internet because it controls access to SSH and the crown jewels by default. Assuming you changed this port in the IPtables firewall setup above, we now need to change it in your SSH config file as well. Edit /etc/ssh/sshd_config and scroll down to line 12. Change the entry to: Port 1999 assuming 1999 is the port you’ve chosen. Be sure to remove the comment symbol (#) at the beginning of the line if it exists. Then save the file. Now reboot your server, and you should be all set.

Dealing with the Bad Guys

You’ll be amazed how quickly and how many new friends you’ll make on the public Internet within the first few hours. You can watch the excitement from the Asterisk CLI by logging into your server as root and issuing the command: asterisk -rvvvvvvvvvv. Another helpful tool is to monitor your IPtables status which will show IP addresses that have been temporarily blocked by Fail2Ban: iptables -nL. This will catch most of the bad guys and block them. But some are smarter than others, and many know how to spoof IP addresses in SIP packets as you will quickly see. Unlike on KVM platforms, IPtables on most OpenVZ platforms cannot search packets for text strings which is a simple way to block many of these attackers. HINT: You get what you pay for. And, in some cases, attackers disguise their address or use yours. We’ve now found that ${SIPURI} holds the caller’s true identity so we’ve updated the code accordingly. Whether to permanently block these guys is completely up to you. A typical SIP INVITE before such a call is dropped only consumes about 100 bytes so it’s usually not a big deal. You also can manually block callers using the Fail2Ban client with the desired IP address: fail2ban-client set asterisk banip 12.34.56.78.

Additional Security on KVM Platforms

As we mentioned above, a KVM platform provides considerably more security for your public-facing server because you can block entire countries using the ipset extension to IPtables. You can read all about it here. After considerable discussion and suggestions on the PIAF Forum, we would offer the following code which blocks the countries we have identified as causing the majority of problems. First, modify your /etc/sysconfig/iptables configuration and insert the following code in the IPSPF section of the script around line 93. You can change the list of blocked countries to meet your own needs. Just be sure to make the same country-code changes in the blockem.sh script which we will cover in step 2. A list of available country codes can be found here. Save your changes, but do NOT restart IPtables just yet.

-A IPSPF -m set --match-set cn src -j DROP
-A IPSPF -m set --match-set ru src -j DROP
-A IPSPF -m set --match-set ps src -j DROP
-A IPSPF -m set --match-set kp src -j DROP
-A IPSPF -m set --match-set ua src -j DROP
-A IPSPF -m set --match-set md src -j DROP
-A IPSPF -m set --match-set nl src -j DROP
-A IPSPF -m set --match-set fr src -j DROP

Second, we want to add a new /etc/blockem.sh script and make it executable (chmod +x /etc/blockem.sh). Make sure the country list in line #5 matches the dropped countries list you added to IPtables in step #1 above.

#!/bin/bash
cd /etc
wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz| tar zxvf -
for i in \\
cn ru ps kp ua md nl fr
do
/usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do /usr/sbin/ipset add -exist $i $j; done
done
wait
sleep 5
service iptables restart
wait
service fail2ban restart
exit 0

Third, try things out by running the script: /etc/blockem.sh. Verify that IPtables is, in fact, blocking the listed countries: iptables -nL.

BUG: Some early releases had a missing line which caused the IPSPF section of code in the IPtables script not to be executed. You can test whether you’re missing the necessary line by issuing the following command:

 grep "INPUT -j IPSPF" /etc/sysconfig/iptables

If the result is a blank line, then issue the following command to fix the problem:

sed -i 's|-A INPUT -j ASIP|-A INPUT -j IPSPF\\n-A INPUT -j ASIP|' /etc/sysconfig/iptables

Finally, we recommend adding the script to /etc/rc.d/rc.local so that it gets run whenever you reboot your server.

In choosing a KVM platform, we’ve had good luck with the $5/month Digital Ocean platform where you still can get a $100 credit to kick the tires for 60 days, Vultr (similar pricing to D.O. without the 60-day credit). With either of these providers, you can add automatic backups for an extra dollar a month. In the bargain basement (may not be here tomorrow) category, we like (and use) both the SnowVPS KVM $15/year and AlphaRacks KVM $22/year offerings. Many other low-cost options are documented on the LowEndBox site. Just don’t invest more than you can afford to lose… and make a backup.1

Connecting a SIP Phone to Kamailio or LinPhone

If you followed along in our initial Kamailio adventure, then it’s easy to test some SIP URI calls to your new server. You can connect virtually any kind of SIP telephone or endpoint to Kamailio. Another easy way to try out SIP calling is to first set up a free LinPhone SIP Account.

You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we’ll get you started with one of our favorite (free) softphones, YateClient. It’s available for almost all desktop platforms. Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for your Kamailio or LinPhone account you’ve previously created. You’ll need the IP address of your Kamailio server or LinPhone’s FQDN (sip.linphone.org) plus your account’s password. Fill in the Yate Client template using the IP address or FQDN as well as your Username and whatever Password you assigned to the account when you created it. Click OK to save your entries.

Once the Yate softphone shows that it is registered, try a test call to one of the SIP URIs you authorized on your new Asterisk server: sip:947@sip.yourdomain.com.

If you don’t happen to have a Kamailio server or a LinPhone SIP account to play with but you have another Asterisk server, then the simple way to enable SIP URI extensions is by editing /etc/asterisk/extensions_custom.conf. In the [from-internal-custom] context, add an extension that can be used to contact any desired SIP URI. Then reload your dialplan: asterisk -rx "dialplan reload". Now dial that extension (2468 in the following example) from any phone connected to your Asterisk server. The entry would look something like this to call the SIP URI on your new server for the latest weather forecast:

exten => 2468,1,Dial(SIP/weather@sip.yourdomain.com)

Originally published: Monday, January 28, 2019  Updated: Wednesday, February 6, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Digital Ocean and Vultr provide modest referral credits to Nerd Vittles for those that use our referral code. It in no way colors our recommendations regarding these two providers, both of whom we use extensively. []

SIP Happens! And Kamailio Makes It Easy, Part I




If ever there was a Swiss Army Knife for SIP, Kamailio (a.k.a. OpenSER) is the hands-down winner. The flexibility of this open source SIP server is legendary. Whether it’s secure communications, insulation from brute force attacks, load balancing, failover, WebRTC, or the return of shared line appearances on your office phone system, Kamailio can handle it while processing thousands of call setups per second on minimal hardware platforms.

Our plan for today is to walk you through setting up a Debian-based Kamailio server on an inexpensive cloud platform that is suitable for making thousands of free SIP phone calls worldwide. Down the road, we’ll walk you through using Kamailio as a frontend for one or more Asterisk® servers to insulate your communications workhorses without sacrificing network security. If, like us, you managed an office which migrated from key telephones to a platform like Asterisk, then you will most certainly appreciate the ability to once again let your managers and secretaries share phone lines without the aggravation of call parking and pickup. Other than removing a free office coffee machine, I can’t think of any single event that ever prompted a staff and management revolt quite like the one we experienced with the removal of key telephones. Little wonder that it’s part of all Cisco and Avaya phone systems as well as cloud offerings from Vonage, 8X8, Jive, and probably others.

Before we begin our adventure, let me caution everyone that this is an experimental platform with a tutorial prepared by a Kamailio novice. While we’ve done our homework, digging out information on Kamailio is a challenge because many of the experts depend upon Kamailio consulting for their livelihood. It’s quite similar to the early Asterisk years. We also don’t vouch for the longevity of any of these VPS providers. Reread our article for details.

SIP URI (Free) Calling Opportunities

We mentioned free SIP phones in our introduction of Kamailio. But let that sink in for a moment. As we have stressed for many years, SIP calls to anyone with a public SIP URI (somebody@somewhere.com) are entirely free to anyone worldwide. And you can talk as long as you like. All that’s required is an Internet connection, a SIP phone or softphone, and a SIP URI. As part of the Kamailio implementation, we’ll show you how easy it is to create SIP URIs for all your friends and business acquaintances securely… in seconds. First, let’s take a moment to consider what SIP URI (free) calling opportunities are available. There literally are millions of SIP URI resources that await. But, unless you want to be one of the "don’t call us, we’ll call you" folks, you also will need one or more SIP URIs for yourself. YOU DON’T NEED A KAMAILIO SERVER TO OBTAIN A SIP URI. Here are just a few of the possibilities. Using SIP Broker, you can call anyone on more than 2,000 VoIP networks around the globe. Using a softphone and a free or almost free registration with VoIP.ms, CallCentric, or LocalPhone, you not only get a SIP URI, but you also can request an iNUM number which also doubles as a SIP URI by coupling it with @81.201.82.50. 3CX and pbxes.org also offer SIP URIs to complement their free offerings. All of these companies will let you connect a softphone or SIP endpoint directly to their service without the need for an Asterisk PBX in the middle.1 You can even refer your favorite spam callers to Lenny via SIP URI: 2233435945@sip2sip.info.

Deploying a Cloud-Based Debian Server

We hope you took advantage of one of the special VPS offerings we highlighted to start the New Year. Some are still available with annual pricing that’s less than the cost of most lunches these days. We recommend a cloud platform because (1) it’s cheap, (2) it’s easy to set up a Debian platform, and (3) it provides a static IP4 address for your server. When you sign up or if you wish to reconfigure an existing VPS that you may have gathering dust, just choose the Debian 8/64 operating system and assign an FQDN to your server. Once you get your credentials, log into the server as root with the password that was provided. Immediately change your root password and issue the following commands to bring Debian up to date. We also strongly recommend changing the SSH port to deter would-be attackers. A TCP port in the 1000-2000 range works wonders. Simply edit /etc/ssh/sshd_config and change the Port 22 entry before rebooting. HINT: Birth years make the SSH port easy to remember.

passwd
apt-get update
apt-key update
apt-get dist-upgrade
apt-get -y install gcc flex bison libmysqlclient-dev make libssl-dev nano
apt-get -y install libcurl4-openssl-dev libxml2-dev libpcre3-dev ntp ntpdate
reboot

Once the reboot is complete, log back into your server’s new SSH port using this syntax where 1234 is the port number you chose.

ssh -p 1234 root@server-ip-address

Now we’re ready to install the necessary packages to support Kamailio:

apt -y install mysql-server
mysql_secure_installation
apt -y install kamailio kamailio-mysql-modules
apt -y install kamailio-dbg
apt -y install kamailio-extra-modules
apt -y install kamailio-outbound-modules
apt -y install kamailio-presence-modules
apt -y install kamailio-tls-modules
apt -y install kamailio-utils-modules
apt -y install kamailio-websocket-modules

Configuring Kamailio’s kamctlrc File

For today, we’ll be configuring Kamailio to allow user logins from SIP endpoints including SIP phones and softphones. Down the road, we’ll change things up to let Kamailio serve as the front-end to one or more Asterisk PBXs. But let’s learn to walk before we start running. We’ll be editing three configuration files and then adding a SIP account to support logging in from a SIP phone. Let’s begin with kamctlrc.

(1) Edit kamctlrc: nano -w /etc/kamailio/kamctlrc

(2) Start by uncommenting SIP_DOMAIN and insert the FQDN you associated with your VPS.

(3) Uncomment DBENGINE line and make certain it points to MYSQL.

(4) Uncomment the following line: DBRWUSER="kamailio".

(5) Uncomment the DBRWPW line and insert your own password between the quotes.

(6) Uncomment the following line: DBROUSER="kamailioro".

(7) Uncomment the DBROPW line and insert a different password between the quotes.

(8) Uncomment the DBACCESSHOST line and insert the IP address of your server.

(9) Drop down near the bottom of the file and uncomment the PID_FILE line.

(10) Save the file.

Configuring Kamailio’s kamailio.cfg Startup File

(1) Edit kamailio.cfg: nano -w /etc/kamailio/kamailio.cfg

(2) Make the top of the startup file look like the following:

#!KAMAILIO
#!define WITH_MYSQL
#!define WITH_AUTH
#!define WITH_USRLOCDB
#!define WITH_ANTIFLOOD
#!define WITH_PRESENCE
# change next line to comment to disable logging
#!define WITH_ACCDB
#
# Kamailio (OpenSER) SIP Server v4.2 - default configuration script

(3) Find the line: #!define DBURL "mysql://kamailio:kamailiorw@localhost/kamailio"

(4) Change the kamailiorw entry to the password you entered in step #5 above.

(5) Tighten up security a bit by searching for the line containing friendly-scanner.

(6) Immediately above that line, cut-and-paste this addition from Fred Posner at AstriCon:

### Posner additions
        if ($ua =~ "(friendly-scanner|sipvicious|sipcli)") {
                xlog("L_INFO","script kiddies from IP:$si:$sp - $ua \n");
$sht(ipban=>$si) = 1;
                sl_send_reply("200", "OK");
                exit;
        }
        if($au =~ "(\=)|(\-\-)|(')|(\#)|(\%27)|(\%24)" and $au != $null) {
                xlog("L_INFO","[R-REQINIT:$ci] sql injection from IP:$si:$sp - $au \n");
$sht(ipban=>$si) = 1;
                exit;
        }
###

(7) Save the file.

(8) Generate the MySQL database and tables to support Kamailio: kamdbctl create

(9) At every prompt, type Y to add the feature.

(10) Open MySQL as root using the actual MySQL password you assigned when adding the MySQL package:

mysql -u root -ppassw0rd kamailio

(11) At the MySQL prompt, cut-and-paste the following commands:

ALTER TABLE acc ADD COLUMN src_user VARCHAR(64) NOT NULL DEFAULT '';
ALTER TABLE acc ADD COLUMN src_domain VARCHAR(128) NOT NULL DEFAULT '';
ALTER TABLE acc ADD COLUMN src_ip varchar(64) NOT NULL default '';
ALTER TABLE acc ADD COLUMN dst_ouser VARCHAR(64) NOT NULL DEFAULT '';
ALTER TABLE acc ADD COLUMN dst_user VARCHAR(64) NOT NULL DEFAULT '';
ALTER TABLE acc ADD COLUMN dst_domain VARCHAR(128) NOT NULL DEFAULT '';
ALTER TABLE missed_calls ADD COLUMN src_user VARCHAR(64) NOT NULL DEFAULT '';
ALTER TABLE missed_calls ADD COLUMN src_domain VARCHAR(128) NOT NULL DEFAULT '';
ALTER TABLE missed_calls ADD COLUMN src_ip varchar(64) NOT NULL default '';
ALTER TABLE missed_calls ADD COLUMN dst_ouser VARCHAR(64) NOT NULL DEFAULT '';
ALTER TABLE missed_calls ADD COLUMN dst_user VARCHAR(64) NOT NULL DEFAULT '';
ALTER TABLE missed_calls ADD COLUMN dst_domain VARCHAR(128) NOT NULL DEFAULT '';
quit

Configuring Kamailio Defaults in /etc/default/kamailio

(1) Edit Kamailio defaults: nano -w /etc/default/kamailio

(2) Make the startup defaults look like the following:

#
# Kamailio startup options
#

# Set to yes to enable kamailio, once configured properly.
RUN_KAMAILIO=yes

# User to run as
USER=kamailio

# Group to run as
GROUP=kamailio

# Amount of shared and private memory to allocate
# for the running Kamailio server (in Mb)
SHM_MEMORY=128
PKG_MEMORY=4

# Config file
CFGFILE=/etc/kamailio/kamailio.cfg

(3) Save the file.

Managing Kamailio Startups & Shutdowns

With all the pieces in place, here’s how to start, restart, stop, and check status of Kamailio:

systemctl start kamailio
systemctl restart kamailio
systemctl stop kamailio
systemctl status kamailio

Adding Users/Accounts to Kamailio

Now we’re ready to add accounts to Kamailio. These can be numeric, alphanumeric, or purely alpha entries. They become the user’s respective SIP URIs when coupled with @FQDN where FQDN is the fully-qualified domain name assigned to your server:

kamctl add username userpw

As you probably have guessed, kamctl is the main management tool for Kamailio. Issuing the command by itself will list all of the possible options that are available.

Monitoring Kamailio Access

There are a number of ways to monitor access (both legitimate and otherwise) to your Kamailio server. Here are a few of our favorites:

systemctl status kamailio
cat /var/log/syslog | grep kamailio
mysql -u root -ppassw0rd kamailio -e "select * from acc"
mysql -u root -ppassw0rd kamailio -e "select * from missed_calls"

Connecting a SIP Phone to Kamailio

You can connect virtually any kind of SIP telephone or endpoint to Kamailio. You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we’ll get you started with one of our favorite (free) softphones, YateClient. It’s available for almost all desktop platforms.

Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for the account you created above. You’ll need the IP address of your server plus your account’s password. Fill in the Yate Client template using the IP address or FQDN of your Server as well as your Username and whatever Password you assigned to the account when you created it. Click OK to save your entries.

Once the Yate softphone shows that it has registered with Kamailio, try a test call to Lenny by dialing sip:2233435945@sip2sip.info.

Next week, we’ll tackle security. If you run systemctl status kamailio for a few days, you’ll understand why. We’ll also get your Kamailio server interconnected with Asterisk so that inbound calls to your new SIP URI pass through to Asterisk transparently. Enjoy!

Originally published: Monday, January 14, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Some of our links refer users to sites or service providers when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from these providers to help cover the costs of our blog. We never recommend particular products solely to generate commissions. []

R.I.P. GVSIP: A Final Farewell to Google Voice



It’s been a death by a thousand cuts, but today marks the end of the Google Voice era with Asterisk®. Since Google removed XMPP support and transitioned to their new GVSIP platform, many have held out hope that Google hadn’t moved to a purely commercial platform with their ObiHai deal. Yesterday, the head of the Google Voice project requested that all Asterisk GVSIP implementations be discontinued citing Google’s Terms of Service. We hinted this was coming back in July and have reproduced our tweet below. We have since removed all of our articles pertaining to GVSIP, and we would encourage all of our readers to honor Google’s wishes and move on. We’ve made it easy with a $50 gift certificate from Skyetel (expires March 31, 2019). It will buy you many months of free VoIP service.



You still have several options with your Google Voice trunks. First, you can forward all incoming calls to Google Voice to another phone or DID of your choosing. This costs you nothing other than a minute to set it up. Second, you can port out your Google Voice number to another provider. Skyetel will cover your porting expense at their end during your first 60 days of service. Google charges $3 to port out your number unless you originally ported it into Google in which case it is free. Here’s how. Although we’re not big fans, a third option is to purchase an OBi200 device and continue to use your Google Voice trunk with Asterisk. Our tutorial from last May will show you how. Effective 10/1/2023, $25/month minimum spend at Skyetel is required.

As we’ve mentioned often, the beauty of VoIP is not having to put all of your telephony eggs in a single basket. Google’s latest move reinforces how important it actually is to configure several VoIP trunks on your server. While Skyetel and Vitelity are both excellent primary trunks and rarely experience an outage, it’s still a good idea to have a backup. VoIP.ms (free iNUM), CircleNet, CallCentric ($1/mo. DID and iNUM), LocalPhone (25¢/mo. iNUM), Future-Nine, AnveoDirect, and V1VoIP are excellent options. Most don’t cost you anything unless you make calls. Review our complete SIP tutorial here: Developing a Cost-Effective SIP Strategy.

Dale Carnegie Award: ObiHai Man of the Year

Originally published: Friday, November 16, 2018



Need help with Asterisk? Join our new MeWe Support Site.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



VoIP 101: Developing a Cost-Effective SIP Strategy

In the lead up to the demise of Google Voice XMPP service next week, we wanted to offer what we have found to be a cost-effective SIP strategy which takes advantage of the best of all worlds. We would divide SIP offerings into five broad categories: business-class unlimited SIP trunks, Old Faithful SIP providers, Mom-and-Pop SIP services, dirt-cheap termination services, and Gee Whiz SIP providers. As we have said many times, the beauty of setting up an Asterisk® PBX such as Incredible PBX® is you don’t have to put all your VoIP eggs in one basket. In our particular case, that has included a mix of Google Voice trunks plus all five of the SIP categories above. Today we want to document why we’ve personally made the selections we’ve made and hope that it provides a roadmap for your own VoIP setup while encouraging you to venture out of your safe zone and try some new VoIP options.

The all-you-can-eat business plans, which we previously have covered, make little sense for most home and small business users. Then there are the rock-solid, long term pay-as-you-go providers such as Vitelity and CallCentric that make perfect sense as your primary DID and SIP provider. While they may not always be the cheapest VoIP providers, the tradeoff is dependability and long-term reliability for your VoIP platform. In the case of Vitelity, it turns out the Nerd Vittles DID special (detailed below) from our Platinum Sponsor is perhaps one of the best VoIP deals on the planet.

The third category of SIP providers and our personal favorite is what we would call the mom-and-pop providers. These are typically one or two-person operations that offer incredible deals on all-you-can-eat VoIP plans for home users. Included in this category are Vestalink (available to existing customers only), Future-Nine and CircleNet. VestaLink originally began as OBiVoice and morphed over trademark issues. While the service is no longer available to new customers, it remains the best bargain at $72 for two years of unlimited inbound and outbound residential calling services. A close second goes to Future-Nine and their "Future 5 Grey" plan which provides 1,500 inbound and 1,500 outbound minutes a month for only $5. You can sign up here. Be sure to read the Terms of Services carefully, especially item #18. The New Kid on the Block is CircleNet. In addition to very attractive pay-by-the-minute offerings of $.005 per minute to most of the U.S. and Canada, they also have an $8 a month all-you-can-eat plan for residential customers that includes a very reasonable 5,000 minutes a month for calls to the following countries: United States, Canada, Australia, Bangladesh, Belgium, Brazil, Chile, Cyprus, Denmark, Finland, France, Germany, Greece , Guam, Hungary, India,Ireland, Italy, Japan, Latvia, Mexico, Netherlands, New Zealand, Norway, Poland, Puerto Rico, Singapore, Spain, Sweden, Taiwan, Thailand, United Kingdom, and Vatican City. Just let them know that you plan to use it with an Asterisk-based PBX. CircleNet also is offering Nerd Vittles readers a free month of the $8/month service to kick the tires. Simply send an email to sales@circlenet.us with your valid email address to take advantage of the offer. One free trial per customer/email address. CircleNet also offers a $15 a month business plan with even more minutes.

A fourth class of VoIP providers is the dirt-cheap termination services including Anveo Direct, TelecomsXchange, V1VoIP and the Betamax companies for low-cost international calling. These providers make terrific additions for supplementing your other VoIP services. TelecomsXchange is our personal favorite because of the special deal they have extended to Incredible PBX users. You get access to 300 VoIP wholesalers and can read about their services in this Nerd Vittles article. V1VoIP also has some terrific deals with 15¢/mo. DIDs from 13,000 Rate Centers and incoming and outgoing U.S. call pricing as low as $.003 per minute (not a typo!). Anveo Direct was perhaps the first provider to offer wholesale pricing to consumers, and they remain a terrific service both for DID and origination services with T.38 fax support as well as many of the lowest cost SIP terminations worldwide featuring user-configurable least-cost routing. Check out their pricing and rates here.

Finally, there are the SIP providers such as VoIP.ms that offer a rich collection of special features that you won’t find in many places and certainly not under the same roof. These features include SMS messaging, SIP URI proxying and iNUM for free worldwide calling, and fax support. Every one of these features is free when you sign up for an account at VoIP.ms. We encourage you to take advantage of these little known free services to enhance your PBX.

Putting It All Together. Now that we’ve covered the options, let’s go over how we would actually implement this. For the inbound trunk and primary DID, we’d recommend a SIP trunk from either Vitelity, VoIP.ms, or CallCentric. If you have multiple, simultaneous inbound calls, then the Nerd Vittles Vitelity special below can’t be beat because it provides four call paths. In addition, you get SMS support on the same trunk. Many people now assume your primary number supports SMS. We actually get dozens of unsolicited SMS messages on our home number from schools, churches, and political groups. If incoming call volume isn’t an issue, then VoIP.ms and CallCentric also offer a free iNUM number for your account. And VoIP.ms throws in a SIP URI as well.

For outbound calling for home and SOHO deployments, we recommend at least one of the mom-and-pop, all-you-can-eat providers: Future-Nine or CircleNet. If international calling is a requirement, you can’t beat the CircleNet offering. In addition to using your primary incoming provider, we also recommend you set up SIP accounts with a couple of the dirt-cheap termination providers. These don’t cost you anything other than a modest deposit unless you actually use them to place calls. And, when your primary outbound service has an outage, your PBX will never miss a beat.

The icing on the cake always has been several Google Voice trunks which work well for IVRs, Stealth AutoAttendants with DISA support, and faxing. While this may change with the demise of XMPP support, it appears that Bill Simon’s SIP Gateway to Google Voice will live on. With the Nerd Vittles sign-up link, you can migrate your existing Google Voice XMPP connections to the Simonics gateway for $4.99 each should the need arise. Enjoy!

Originally published: Monday, June 11, 2018


CircleNet SIP Setup for FreePBX/IncrediblePBX/VitalPBX/Issabel:

username=acct-id
type=friend
trustrpid=yes
sendrpid=yes
secret=acct-pword
qualify=yes
nat=yes
insecure=port,invite
host=sip.circlenet.biz
fromuser=acct-id
context=from-trunk
disallow=all
allow=ulaw

Registration String: acct-id:acct-pword@sip.circlenet.biz:5060/did-num

Future-Nine SIP Setup for FreePBX/IncrediblePBX/VitalPBX/Issabel:

username=acct-num
type=friend
trustrpid=yes
sendrpid=yes
secret=acct-pword
qualify=yes
nat=yes
insecure=port,invite
host=incoming.future-nine.com
fromuser=acct-num
context=from-trunk
canreinvite=no
disallow=all
allow=ulaw

Registration String: acct-num:acct-pword@incoming.future-nine.com/acct-num


Need help with Asterisk? Visit the PIAF Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

Introducing Digium’s Awesome SIP Phones for Asterisk



If you’ve been waiting for a low-cost, feature-rich SIP phone that meshes perfectly with your Asterisk® PBX, your prayers have been answered. Digium has just released not one, but four, new SIP phones with prices starting at $59. No, that’s not a typo. Digium gave us a couple of early models to play with, and today we’ll walk you through the incredibly simple setup. We would begin by noting that, despite the pricing, these phones are configured with nothing resembling a bargain basement feature set. All four models have color displays, HD Voice, POE for use without the $15 power adapter, and at least two lines. The phones can be configured using the phones themselves, or through a slick web interface, or with auto-provisioning by MAC address. Beginning with the $89 A22, the top three models support gigabit Ethernet. With the $119 A25, you get four line registrations as well as a second LCD supporting six Rapid Dial keys or up to 30 BLF entries. The top-of-the-line $169 A30 supports six line registrations and an LED setup that closely matches our previous VoIP Phone of the Year, Yealink’s T46G. While the phones were not designed for use with Switchvox®, we found them to be plug-and-play with 3CX® which is probably also true with Switchvox even though we have not tested them on that platform. We have been using our A22 phone with one line connected to Incredible PBX® for the Raspberry Pi and the second connected to VitalBox. We’ve had zero issues with the phone, and sound quality is excellent.



Connecting Digium’s A-Series IP Phone

To get started, you’ll need a power source for the phone which can be either a POE network connection or a power adapter. You’ll also need to connect to a network that can provide DHCP or VLAN configuration data. Once the phone boots up, press the checkmark button (✓) twice to display the IP address assigned to the phone. Using a desktop browser, navigate to that IP address and enter admin:789 as the default login credentials.

Configuring a SIP Extension on Your IP Phone

Once you’re logged in, click on the Line tab and fill in the blanks for the SIP1 account using the desired extension number, extension password, and IP address of your Asterisk server. Be sure Activate is checked. It should look something like the following. Then click Apply.

This one-minute setup is all that’s required to put your new phone into production with Asterisk. You’re ready to make and receive calls. The L1 button on the A20 or A22 phone (pictured above) should now be lit. To light up the L2 button, add a second SIP connection by repeating the drill after choosing the SIP2 Line from the pull-down menu. If you have redundant PBXs, fill in the IP address of the Backup server, and the phone will automatically failover when the primary PBX goes down. It doesn’t get any easier than that.

With 3CX extensions, the setup is virtually identical except the phone’s Authentication Name field should reflect the Authentication Name chosen when setting up the 3CX extension.

Customizing Your SIP Phone Settings

VoiceMail Setup. The voicemail button can be activated for one or both SIP lines in the Advanced Settings tab under each of the SIP connections. Check the Subscribe to Voice Message box and enter the Voice Message Number to retrieve your voicemails, e.g. *98701 for extension 701 on an Asterisk PBX or 999 for a 3CX extension’s voicemail.

Customizing Phone Display. If you’d like to customize the branding and background image on your phone, navigate to Phone Settings and click the Advanced tab. Here’s a link to download one of our favorite beach scenes (pictured above), or you can use your own 320×240 BMP image on the A20 and A22. The high end phones use a 480×272 BMP image. The Asterisk label at the top of the phone’s display can also be adjusted in the Greeting Words field. We’re Enchilada fans personally. 🙂

Changing Passwords and PINs. You also can adjust the passwords and PINs for the phone device itself under the Phone Settings:Advanced tab. The default is 789. To modify the admin credentials for the browser interface or to add new accounts, go to System and click on the Account tab. Because the phone can be configured using either the phone itself or the browser interface, you’ll need to change both sets of passwords to secure your phone.

Adjusting Codecs. Depending upon your PBX setup, you may need to adjust or reorder the codecs for one or both of your SIP lines. Simply navigate to Line:SIP1:Codec Settings and make any necessary changes. HINT: You’ll rarely have a problem if you make G.711U (U.S.) or G.711A (elsewhere) your primary codec although G.722 is what you’ll want for HD Voice. This is especially important if you’re using Google Voice trunks or 3CX client software.

Auto-Provisioning Your A20, A22, and A25 Phones

Let’s get to the fun stuff now. Everything we’ve covered (and much more) can be scripted with these new phones. You can read all about it here. For today, let’s get your Phonebook Contacts populated using your AsteriDex database entries. And then you can press the Down button on the phone to retrieve your Contacts.

Setting Up Phone Provisioning. Before you can auto-provision your phone, both your phone and your Asterisk server need a little navigation information. Let’s start with the phone so login as admin:789 to get started. Click on the System option and then the Auto Provision tab. Write down the last 12 digits of your phone’s MAC address (CPE Serial Number highlighted above). Check the DownloadDeviceConfig option (as shown). Disable the DHCP Option and the SIP Plug and Play options by clicking on the respective tabs. Then open the Static Provisioning Server option (as shown). Enter the local IP address of your server assuming your phone and server are both behind a firewall. For the Protocol Type, choose HTTP. For the Update Mode, choose Update After Reboot. Then click the Apply button.

Next, let’s configure the phone so that you can press the Down arrow button to access your Phonebook Contacts. Click on the Function Key option in the left margin. Then look in the Programmable Keys section and locate the row with the settings for the Down button. Change the entry in the Desktop column to Phonebook. Then click the Apply button.

Configuring Asterisk for Phone Provisioning. Now we need to get your server set up to support phone provisioning. The way provisioning works is we will set up a provisioning profile for each phone which will be processed by your web server whenever a phone is rebooted. This profile will also tell the phone where to find your Phonebook Contacts XML file. To get started, navigate to /var/www/html and create a new .cfg file for each of your phones using the 12-character MAC address of the phone, e.g. 000123456789.cfg. The file should look like the following with the exception of the Auto Pbook Url entry which should reflect the local IP address of your server:

<<VOIP CONFIG FILE>>Version:2.0.0.0

<PHONE CONFIG MODULE>
LCD Title          :IncredblePBX

<AUTOUPDATE CONFIG MODULE>
Download CommonConf:0
Download DeviceConf:1
Check FailTimes    :5
update PB Interval :720
Clr PB B4 Import   :1
Trust Certification:0
Enable Auto Upgrade:0
Upgrade Server 1   :
Upgrade Server 2   :
Auto Upgrade intval:24
Auto Pbook Url     :http://192.168.0.108/phonebook.xml

<<END OF FILE>>

Populating Phonebook Contacts with AsteriDex. Now we’re ready to build the Phonebook Contacts file (phonebook.xml) using the AsteriDex 4 database. Just issue the following commands and then reboot each of your phones (Menu+8+Yes):

cd /var/www/html/asteridex4
wget http://incrediblepbx.com/asterisk-phonebook.tar.gz
tar zxvf asterisk-phonebook.tar.gz
rm -f asterisk-phonebook.tar.gz
php asterisk-phonebook.php

Digium A-Series IP Phone User Guide

Last but not least, take a look at Digium’s A-Series IP Phone User Guide (PDF) for more tips.

Final Thoughts on A-Series IP Phones

If you couldn’t already tell, we’re quite impressed with the new A-Series phones from Digium. If you’re on a budget, the $59 model is one terrific bargain for home or SOHO use. The only thing you’re really forfeiting with this phone is the gigabit Ethernet port which will have zero impact on small and medium-sized network implementations of a VoIP server. Rather than buying power adapters for your phones, drop by your favorite WalMart and purchase a network switch that includes POE support. They start at about $30. Then pick one of these phones up from your favorite provider and let us know what you think. You’ll also be helping to fund Digium’s open source Asterisk project. Enjoy!

Originally published: Friday, April 13, 2018





Need help with VitalPBX? Visit the VitalPBX Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



VitalPBX in the Cloud: Providers, Backups, & Airtight Security

Last month we introduced VitalPBX, a terrific new (free) VoIP platform that’s about as intuitive as software can get. We followed up with a dozen Incredible PBX applications that really showed off the flexibility of this new Asterisk® platform. And today we’re pleased to introduce two new cloud solutions that offer our whitelist firewall design for security plus automatic backups. Both Digital Ocean and Vultr offer terrific performance coupled with a $5/month price point that is easy on your wallet. Our tip of the hat goes to Digital Ocean this month because they are again offering a $10 credit on new accounts while also generously supporting Nerd Vittles. That translates into two free months of VitalPBX in the Cloud service for you to kick the tires. If you like what you see, you can spring for the extra $1 a month and add automatic backups to your $5/mo. bill going forward. With a $10 credit, what’s to lose?

To get started, set up an account with one of these cloud providers and create a $5 a month server with 64-bit CentOS 7 in your choice of cities. Once you have your root password, log into your new server as root using SSH or Putty. On Digital Ocean, you will be prompted to change your password the first time you login. On Vultr, you have to manually do it by issuing the command: passwd. Then you’re ready to begin the VitalPBX install. Just issue the following commands and then grab a cup of coffee.

cd /root
yum -y install wget nano tar
wget https://raw.githubusercontent.com/wardmundy/VPS/master/vps.sh
chmod +x vps.sh
./vps.sh

The base install takes less than 15 minutes to complete. When it’s finished, use a web browser from your desktop PC and log into the IP address of your new VitalPBX server. You’ll be prompted to set up an admin password for GUI access and then you register your server with Telesoft. Should you ever forget your admin password, here’s how to force a reset on your next login from a browser:

mysql ombutel -e 'update ombu_settings set value = "yes" where name = "reset_pwd"'

After logging in, you’ll be presented with the VitalPBX Dashboard:



From here, the drill is pretty much the same as what was outlined in our original VitalPBX tutorial. So jump over there to complete your set up and configure extensions, trunks, routes, and a few other settings for your new PBX. Then pick back up here to secure your server!

Security Methodology. What is different on the cloud platform is you don’t have a hardware-based firewall to protect your server. So we’ll need to configure VitalPBX using its built-in firewalld and Fail2Ban applications. Our preference is to use a whitelist of IP addresses to access your server and its resources. In that way, the Bad Guys never even see your server on the Internet. Our security philosophy is simple. If you can’t see it, you can’t hack it.

In addition to a WhiteList of public IP addresses, we also will enable a secure NeoRouter VPN front door to your server as well as a PortKnocker backdoor thereby providing three separate and secure ways to gain server access without publicly exposing VitalPBX to the Internet. If you have a better way, by all means go for it. After all, it’s your phone bill.

Firewall and Fail2Ban Setup. To begin, login to the VitalPBX GUI with a browser using your admin credentials. Then do the following:

(1.) Add NeoRouter VPN Protocol TCP Port 32976 in Admin:Security:Firewall:Services.

(2.) Add NeoRouter VPN Action ACCEPT rule in Admin:Security:Firewall:Rules.

(3.a.) WhiteList your client and server IP addresses in Admin:Security:Firewall:WhiteList.
(3.b.) WhiteList 127.0.0.1 (for localhost) and 10.0.0.0/24 (for NeoRouter VPN).
(3.c.) WhiteList the IP addresses of any potential unregistered trunk providers.
(3.d.) WhiteList the public IP addresses of any extensions you plan to install.

(4.) Enable Fail2Ban in Admin:Security:Intrusion Detection.

(5.a.) WhiteList your client IP address(es) in Admin:Security:Intrusion Detection:Whitelist.
(5.b.) WhiteList the NeoRouter VPN subnet, 10.0.0.0/24, as well.

(6.) Remove the following rules from Admin:Security:Firewall:Rules

SIP
HTTP
HTTPS
SSH
IAX2
PJSIP

(7.) Reload the VitalPBX dialplan by clicking the Red indicator (upper right of the GUI).

(8.) Verify IPtables WhiteList: iptables -nL | grep ACCEPT

(9.) Verify Fail2Ban WhiteList: grep -r ignoreip /etc/fail2ban/jail.d/*

Travelin’ Man 3 Addition. One of the major shortcomings in the firewalld implementation of IPtables is the lack of any support for fully-qualified domain names in their WhiteList. For those that want to use dynamic DNS updating services with custom FQDNs to manage remote user access to your server, this is a serious limitation even though PortKnocker alleviates some of the misery. So here’s our solution. We have reworked the Travelin’ Man 3 toolkit for VitalPBX so that you can use command line scripts to add (add-ip and add-fqdn), remove (del-acct), and manage (ipchecker) your WhiteList using either IP addresses (add-ip) or FQDNs (add-fqdn). The automatic update utility (ipchecker) will keep your FQDNs synchronized with your dynamic IP address service by updating the WhiteList every 10 minutes between 5 a.m. and 10 p.m. daily. Keep in mind that this is a supplement to the existing VitalPBX firewall setup documented above. And we only recommend that you add it if you plan to implement automatic management of dynamic IP addresses with FQDNs for your extensions and remote users.

If you plan to use the TM3 addition, you are strongly urged to not make further firewall changes using the VitalPBX GUI unless (1) you can also remember to keep your desktop PC’s IP address whitelisted in VitalPBX and (2) you remember to restart IPtables (iptables-restart) in the CLI after having made firewall changes in the VitalPBX GUI. Otherwise, you will lose your Travelin’ Man 3 WhiteList entries which means folks will get locked out of your server until the TM3 WhiteList is updated by running iptables-restart. All TM3 WhiteListed entries are stored and managed in individual text files in /root with a file extension of .iptables. Do not manually delete them!

To install the TM3 addition, issue the following commands:

cd /
wget http://incrediblepbx.com/tm3-vitalpbx.tar.gz
tar zxvf tm3-vitalpbx.tar.gz
rm -f tm3-vitalpbx.tar.gz
echo "/usr/local/sbin/iptables-boot" >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
systemctl enable rc-local
echo "*/10 5-22 * * * root /usr/local/sbin/ipchecker > /dev/null 2>&1" >> /etc/crontab

Using DynDNS to Manage FQDNs. The key ingredient with Travelin’ Man 3 is automatic management of dynamic IP addresses. When a user or even the administrator moves to a different location or IP address, we don’t want to have to manually adjust anything. So what you’ll first need is a DynDNS account. Other free providers are available but are less flexible. For $40 a year, DynDNS lets you set up 30 FQDNs and keep the IP addresses for those hostnames current. That’s more than ample for almost any small business but, if you need more horsepower, DynDNS.com can handle it. What we recommend is setting up a separate FQDN for each phone on your system that uses a dynamic IP address. This can include the administrator account if desired because it works in exactly the same way. When the administrator extension drops off the radar, a refresh of IPtables will bring all FQDNs back to life including the administrator’s account. Sounds simple? It is.

Getting Started with Travelin’ Man 3. Here are the 5 tools that are included in the TM3 suite for VitalPBX:

  • add-ip some-label ip-address – Allows you to add an IP address to the WhiteList
  • add-fqdn some-label FQDN – Allows you to add an FQDN to the WhiteList
  • del-acct some-label.iptables – Deletes an IP address or FQDN from WhiteList
  • ipchecker – Runs every 10 minutes to synchronize FQDNs; do NOT run manually
  • iptables-restart – Restarts IPtables and adds TM3 WhiteListed IPs and FQDNs
  • iptables-boot – Loads TM3 WhiteListed IPs and FQDNs on boot only
  • show-whitelist – Displays contents of both VitalPBX and TM3 WhiteLists

Using Email to Manage Your WhiteList. We have one new addition to Travelin’ Man 3 for the VitalPBX platform. Now your authorized users can send an email to the VitalPBX server to whitelist an IP address and gain access. Two different passwords are supported and can be handed out to different classes of PBX users, e.g. administrators and ordinary users. Using the "permanent" password lets someone add an IP address to the VitalPBX whitelist permanently. Using the "temporary" password lets a user add an IP address to the whitelist until the next reboot or firewall restart. In both cases, the administrator gets an immediate email showing the whitelisted IP address, who requested it, and the type of whitelist entry that was requested. The syntax for the email request is straight-forward. Just send an email to the special email account set up to handle these requests and include a Subject for the message that looks exactly like this where 8.8.8.8 is the IP address to be whitelisted and some-password is one of the two passwords: WhiteList 8.8.8.8 PW some-password

As most of you know, we’re sticklers for security, and there’s plenty of it here. First, we recommend you use an obscure FQDN for your server so that it is not easily guessed by someone wanting to do harm. Second, we assume your IP address also won’t be published. Third, the email account name also should be obscure. Think of it as another password. For example, martin432 would be a good choice while whitelist would be pretty lousy. Keep in mind that the only people sending mail to this account will be folks that need immediate access to your PBX. Finally, BOTH of the passwords to use the email feature need to be long and difficult to decipher. A mix of alphanumeric characters and upper and lowercase letters is strongly recommended because it makes successful penetration nearly impossible.

To begin, we need to reconfigure your VitalPBX Firewall to accept incoming email on TCP port 25. In Admin:Security:Firewall:Services, Add a new service that looks like the following: Name: SMTP    Protocol: TCP    Port: 25. Then SAVE your entry.

Next, we need to add a VitalPBX Firewall Rule that allows incoming SMTP traffic. In Admin:Security:Firewall:Rules, Add a new rule: Service: SMTP    Action: Accept. Then SAVE.

Next, we need to log into the Linux CLI as root to do a couple of things. First, we need to reconfigure Postfix to accept emails from outside our server. Replace 8.8.8.8 with the actual IP address of your server. Replace smtp.myserver.com with the actual FQDN of your server. If you don’t have one, simply remove the FQDN from the command.

yum -y install mailx
postconf -e "mynetworks = 127.0.0.0/8, 8.8.8.8"
postconf -e "mydestination = smtp.myserver.com, localhost.localdomain, localhost"
postconf -e "inet_interfaces = all"
postconf -e "recipient_delimiter = +"
service postfix restart

Second, we need to add an email account to process the incoming emails. Replace someuser on each line with that obscure account name you plan to use for incoming emails. Then send yourself a test email and be sure it arrives. The last command cleans out the mail account.

adduser someuser --shell=/bin/false --no-create-home --system -U 
echo "test" | mail -s "Hello World" someuser
mail -u someuser
> /var/mail/someuser

Finally, we need to set up your passwords and admin email address in /root/mailcheck. To begin, insert your actual mail account name in the following command by replacing realuser and then execute the command:

sed -i 's|someuser|realuser|' /root/mailcheck

Now edit /root/mailcheck with nano or your favorite editor and change the TempPW, PermPW, and MyEMail entries. Then save the file and add the following entry to /etc/crontab:

*/3 5-22 * * * root /root/mailcheck > /dev/null 2>&1
 

CAUTION: Because of the bifurcated nature of the integration of TM3’s WhiteList into the VitalPBX firewall setup, be advised that you never want to make a change in the VitalPBX GUI’s firewall configuration without assuring that the desktop machine from which you are making that change is already included in the VitalPBX Whitelist (see #3.a., above). The same applies to issuing an iptables-restart from the Linux CLI. The reason is there are two separate whitelists and either of these actions would temporarily disable the TM3 WhiteList until the iptables-restart procedure was executed AND completed. In both situations, you most probably would be locked out of web and SSH access to your own server. A VitalPBX firewall reload only restarts firewalld with the VitalPBX WhiteList, and an iptables-restart from the CLI first restarts firewalld without the TM3 WhiteList rules and then adds the TM3 WhiteList rules after the firewalld reload is completed. We have added safeguards to some of the TM3 utilities to keep you from shooting yourself in the foot by requiring the VitalPBX WhiteList addition before you can use the TM3 iptables-restart and del-acct utilities; however, this is not the case with ipchecker which typically runs as a cron job from localhost. Because there is no safeguard mechanism, do NOT run it manually unless you’re sure you first have whitelisted your desktop PC’s IP address in the VitalPBX GUI (see #3.a., above). Without getting down in the weeds, we also have no ability to control the internal workings of the VitalPBX firewall. Should you get locked out of your server, there are three remedies. The first is the email solution documented above. The second is to use PortKnocker to regain access. The third is to use the localhost console in the Digital Ocean or Vultr control panel to issue the iptables-restart command. You might want to print this out for a rainy day. 🙂

PortKnocker Installation. You may not know the remote IP addresses of everyone using your PBX, and some of your users may travel to different sites and need a temporary IP address whitelisted while using a WiFi hotspot. And, not that it would happen to you, but once in a while an administrator locks himself out of his own server by changing IP addresses without first whitelisting the new address. The solution to all of these problems is easy with PortKnocker. The user simply sends three sequential pings to ports known only by you and your users using the machine or smartphone that needs access. You can read our original tutorial for more detail. For today, let’s get PortKnocker installed and configured with your three random ports. You can review the assignment at any time by displaying /root/knock.FAQ which also explains how to send the knocks using a desktop machine or a smartphone.

cd /root
wget http://incrediblepbx.com/knock-vitalpbx.sh
chmod +x knock-vitalpbx.sh
./knock-vitalpbx.sh

As with other Incredible PBX Travelin’ Man 3 implementations, IP addresses whitelisted using PortKnocker only last until the next reboot, or until you issue the following command firewall-cmd --reload (does not reload TM3 WhiteList), or until you execute a firewall update from within the VitalPBX GUI (does not reload TM3 WhiteList), or until you issue the command iptables-restart which restarts the firewall AND loads the TM3 WhiteList entries. To permanently WhiteList IP addresses, follow the procedure in Step #3 above or add the entries using the TM3 utilities documented in the previous section.

NeoRouter Installation. A virtual private network (VPN) is perhaps the safest way to access any server including VitalPBX. All of your communications is securely encrypted and you connect to the server through a network tunnel using a non-routable, private IP address. There are many VPNs from which to choose. Our personal favorite is NeoRouter because up to 256 devices can be interconnected at zero cost, and you can set the whole thing up in minutes with virtually no networking expertise. If you want all of the background on NeoRouter, see our latest tutorial.

NeoRouter uses a star topology which means you must run the NeoRouter Server application on a computer platform that is accessible over the Internet all the time. Then each of the remote devices or servers runs the NeoRouter Client application, connects to the server to obtain a private IP address, and then can communicate with all of the other devices connected to the VPN. If you already have a NeoRouter Server in place, then you can skip the server installation step and skip down to installing the NeoRouter Client on your VitalPBX server.

NeoRouter Server Setup. If you’re just getting started with NeoRouter, the first step is setting up the NeoRouter Server on a platform of your choice. If you’re using the Automatic Backup feature of Digital Ocean or Vultr, then your VitalPBX server is probably as good a site as any. NeoRouter Server uses minimal resources, and outages shouldn’t be a problem except for hurricanes, tornados, and bombs. But, just so you know, if the NeoRouter Server is down, none of the NeoRouter Clients can access the VPN or any other clients so you’d have to resort to public IP addresses for network access.

To install NeoRouter Server on your VitalPBX platform, log into your server as root and issue the following commands:

cd /root
wget http://download.neorouter.com/Downloads/NRFree/Update_2.3.1.4360/Linux/CentOS/nrserver-2.3.1.4360-free-centos-x86_64.rpm
rpm -Uvh nrserver-2.3.1.4360-free-centos-x86_64.rpm

Next, create at least one account with administrator privileges and one account with user privileges to your NeoRouter VPN:

nrserver -adduser admin-name admin-password admin
nrserver -adduser user-name user-password user

The commands to manage NeoRouter Server are a little different on the CentOS 7 platform. Here’s what you’ll need:

Start on boot: systemctl enable nrserver.service
Check status: systemctl status nrserver.service
Restart server: systemctl restart nrserver.service
Change settings: nrserver -help

NeoRouter Client Setup. Whether you’re running NeoRouter Server on your VitalPBX platform or not, you’ll still need to install and configure the NeoRouter Client software in order to access the server through the VPN using a remote computer, smartphone, or tablet. NeoRouter Clients for Linux, Windows, Macs, FreeBSD, Mobile, OpenWRT, Tomato, and HTML5 are available here. Be sure to choose the NRFree V2 platform tab before downloading a client, or you’ll get the wrong client software and nothing will work! Ask us how we know.

To install NeoRouter Client on your VitalPBX platform, log into your server as root and issue the following commands:

cd /root
wget http://download.neorouter.com/Downloads/NRFree/Update_2.3.1.4360/Linux/CentOS/nrclient-2.3.1.4360-free-centos-x86_64.rpm
rpm -Uvh nrclient-2.3.1.4360-free-centos-x86_64.rpm

As with NeoRouter Server, the commands to manage NeoRouter Client are a little different on the CentOS 7 platform. Here’s what you’ll need:

Start on boot: systemctl enable nrservice.service
Check status: systemctl status nrservice.service
Restart client: systemctl restart nrservice.service
Login to VPN: nrclientcmd

The main requirement after installing the software is to login to your VPN: nrclientcmd. You’ll be prompted for the FQDN or IP address of your NeoRouter Server and then the admin or user credentials. If successful, you’ll get a display of all the machines logged into the VPN, including the VitalPBX server.

NeoRouter Network Explorer – somebody@vultr.guest

> My Computers
10.0.0.2 vultr.guest

Available Commands: changeview, wakeonlan, setproxy, changepassword, quit
Enter command:

The next step is to download and install NeoRouter Client software on your desktop computer and smartphone. Then you can remotely connect to your VitalPBX server from those platforms. In our example above, you could login to 10.0.0.2 with either SSH or your web browser and never have to worry about whitelisting your remote machines with VitalPBX.

Checking VitalPBX Status. As with other Incredible PBX platforms, we have reworked the pbxstatus utility to support VitalPBX. Running it from the command prompt will display the status of all of the key services on your PBX. Note the addition of the VPN’s IP address which tells you that NeoRouter Client is alive and well:



Configuring Automatic Backups. When you’re ready to enable backups for a Digital Ocean droplet, navigate to the list of droplets for your account. Click the Droplet name for which you’d like to enable backups, and then click the Backups menu item. This will display the cost of backups for the given droplet. Click the Enable Backups button to enable backups.

The Vultr setup is similar. Automatic backup settings are managed through the Vultr control panel. Once you log into your account, visit the server’s management area, click on your server in the dialog, and then click on the "Backups" tab for your VPS. Click Enable Backups. On either platform, the backup option adds a $1 a month to the cost of the $5 server. That’s pretty cheap insurance.

Originally published: Monday, April 2, 2018





Need help with VitalPBX? Visit the VitalPBX Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Back to Basics: Configuring Extensions, Trunks & Routes

With last week’s release of Incredible PBX 13-13 Lean with Asterisk® 13 and FreePBX® 13 GPL modules, it seemed like an opportune time to revisit the initial setup process of an Asterisk-based PBX. Configuring extensions, trunks, and routes are the fundamental steps in successfully interconnecting your PBX to the telecommunications network. So today we’ll walk through the initial setup process in some detail for those that are just getting started. And we think old-timers may find some hidden nuggets in the exercise as well.

Overview of the Initial Asterisk Setup Process

For those new to PBXs, here’s a two paragraph summary of how Voice over IP (VoIP) works. Phones connected to your PBX are registered with Extensions so that they can make and receive calls. When a PBX user picks up a phone and dials a number, an Outbound Route tells the PBX which Trunk to use to place the call based upon established dialing rules. Unless the dialed number is a local extension, a Trunk registered with some service provider accepts the call, and the PBX sends the call to that provider. The provider then routes the call to its destination where the recipient’s phone rings to announce the incoming call. When the recipient picks up the phone, the conversation begins.

Looking at things from the other end, when a caller somewhere in the world wishes to reach you, the caller picks up a telephone and dials a number known as a DID that is assigned to you by a provider with whom you have established service. When the provider receives the call to your DID, it routes the call to your PBX based upon destination information you established with the provider. Your PBX receives the call with information identifying the DID of the call as well as the CallerID name and number of the caller. An Inbound Route on your PBX then determines where to send the call based upon that DID and CallerID information. Typically, a call is routed to an Extension, a group of Extensions known as a Ring Group, or an IVR or AutoAttendant giving the caller choices on routing the call to the desired destination. Once the call is routed to an Extension, the PBX rings the phone registered to that Extension. When you pick up the phone, the conversation begins.

Configuring Asterisk to Support NAT-Based Routing

With a VoIP server, many PBXs and Extensions are housed behind a NAT-based router that is found in most homes and businesses. These routers assign private IP addresses that are not accessible from the Internet. This causes SIP routing headaches because there are actually two legs to every call, one on the private IP address of your server or extension and another on the public Internet with an entirely different IP address. Routers supposedly handle this handoff of the call using Network Address Translation (NAT) and SIP ALG. With Asterisk-based PBXs, we want the PBX itself to handle the NAT chores so it is critically important to do three things when setting up your PBX. First, turn off SIP ALG on every router used by your PBX and every extension connected to your PBX. Second, tell your PBX about your public and private IP address setup. Step #2 is done in the Incredible PBX GUI with a browser. Login as admin and choose Settings:Asterisk SIP Settings. In the NAT Settings section of the form, click Detect Network Settings. Make sure your public and private IP addresses are correctly listed. Then click Submit and reload your dialplan when prompted. Failure to perform BOTH of these steps typically results in calls with one-way audio, i.e. where either you or the called party can’t hear the other party in the conversation. The third rule to remember is to always configure SIP Extensions on your PBX with NAT Mode=YES. This is rarely harmful and failure to configure SIP extensions in this way typically causes one-way audio in calls as well. IAX extensions avoid NAT issues.

Configuring Extensions with Incredible PBX GUI

Extensions are created using the Incredible PBX GUI: Applications:Extensions. Many SIP phones expect extensions to communicate on UDP port 5060. If this is the case with your SIP phone or softphone, then always create Chan_SIP extensions which communicate on UDP 5060. If your SIP phone or softphone provide port flexibility, then you have a choice in the type of SIP extension to create: Chan_SIP or the more versatile PJSIP. Just remember to always configure SIP extensions with NAT Mode=YES in the Advanced tab. If your VoIP phones or softphones support IAX connectivity, you may wish to consider IAX extensions which avoid NAT problems.

When you create a new Extension, a new entry is automatically created in the PBX Internal Directory. If you wish to allow individual users to manage their extensions or use the WebRTC softphone, then you will also have to create a (very) secure password for User Control Panel (UCP) access. Choose Admin:User Management and click on the key icon of the desired extension to assign a password for UCP and WebRTC access.

Configuring SIP Phones with Incredible PBX GUI

SIP phones and softphones typically require three pieces of information: the IP address of your server, the extension number, and the extension password. If you’re using a PJSIP extension, you also will need to change the port to UDP 5061. If your server is behind a NAT-based router, SIP phones also behind the same router need to use the private LAN address rather than the public IP address. If the SIP phones are outside the router protecting the PBX, then use the public IP address and make certain that you also map ports 5060 and 5061 from your router to the private LAN address of your PBX.

The PIAF Forum can provide you with helpful information in choosing high quality SIP phones. Yealink phones are highly recommended with minimal issues. Cisco phones are the most difficult to configure. Insofar as free softphones, we recommend the Zoiper 3 offerings for Windows, Mac, iOS, and Android. Zoiper 5 still is experiencing some growing pains. A key advantage of the Zoiper softphone is it supports IAX extensions which eliminate the NAT issues entirely. On the Mac platform, we also recommend the Telephone app which is available in the App Store. For SRTP communications, use Grandstream Wave.

Configuring Trunks with Incredible PBX GUI

Perhaps the most difficult component to configure in the PBX is the Trunk. Almost every provider has a different way of doing things. We’ve taken some of the torture out of the exercise by providing a script which will configure settings for dozens of providers in seconds. Once installed, all you need to do is edit the desired Trunk (Connectivity:Trunks), change the Disable Trunk entry to No, and insert your credentials in both the PEER Details and Registration string of the SIP Settings Outgoing and Incoming tabs.

To install the Trunk setups on your PBX, log into your server as root and issue the following commands only once:

cd /root
wget http://incrediblepbx.com/create-sample-trunks.tar.gz
tar zxvf create-sample-trunks.tar.gz
rm create-sample-trunks.tar.gz
./create-sample-trunks

Incredible PBX Wholesale Providers Access

Nerd Vittles has negotiated a special offer that gives you instant access to 300+ wholesale carriers around the globe. In lieu of paying the $650 annual fee for the service, a 13% wholesale surcharge is assessed to cover operational costs of TelecomsXchange. In addition, TelecomsXchange has generously offered to contribute a portion of the surcharge to support the Incredible PBX open source project. See this Nerd Vittles tutorial for installation instructions and signup details.

Configuring Google Voice with Incredible PBX GUI

The advantage of Google Voice trunks for those of you in the United States is that all of your calls within the U.S. and Canada are free. You can’t beat the price, and it has worked reliably for many, many years. There are three different ways to set up Google Voice trunks with Incredible PBX. For a one-time fee of $4.99 with this coupon, you can use the Simonics GV/SIP gateway to configure a Google Voice account using OAuth 2 authentication. Then just set up the Simonics SIP trunk on your PBX to point to the Simonics gateway. A second option is to choose the (recommended) OAuth 2 authentication method for Google Voice when you initially install Incredible PBX 13-13. Finally, you can choose plain-text passwords for Google Voice when you set up Incredible PBX. The drawback of this last option is Google has hinted that they may discontinue support of plain-text passwords.


Here are the initial setup steps on the Google side:

1. Set up a dedicated Gmail and Google Voice account to use exclusively for this Google Voice setup on your PBX. Head over to the Google Voice site and register. You’ll need to provide a U.S. phone number to verify your account by either text message or phone call.



2. Once you have verified your account by entering your verification code, you’ll get a welcome message from Mr. Google. Click Continue to Google Voice.



3. Provide an existing U.S. phone number for verification. It can be the same one you used to set up your Google account in step #1.



4. Once your phone number has been verified, choose a DID in the area code of your choice.



Special Note: Google continues to tighten up on obtaining more than one Google Voice number from the same computer or the same IP address. If this is a problem for you, here’s a workaround. From your smartphone, install the Google Voice app from iPhone App Store or Google’s Play Store. Then open the app and login to your new Google account. Choose your new Google Voice number when prompted and provide a cell number with SMS as your callback number for verification. Once the number is verified, log out of Google Voice. Do NOT make any calls. Now head back to your PC’s browser and login to https://voice.google.com. You will be presented with the new Google Voice interface which does not include the Google Chat option. But fear not. At least for now there’s still a way to get there. After you have set up your new phone number and opened the Google Voice interface, click on the 3 vertical dots in the left sidebar (it’s labeled More). When it opens, click Legacy Google Voice in the sidebar. That will return you to the old UI. Now click on the Gear icon (upper right) and choose Settings. Make sure the Google Chat option is selected and disable forwarding calls to whatever default phone number you set up.

5. When your DID has been assigned, click the More icon at the bottom of the left column of the Google Voice desktop. Click Legacy Google Voice. Now click the Settings icon on your legacy Google Voice desktop. Make certain that Forward Calls to Google chat is checked and disable calls to your forwarding number. Click on the Calls tab and select Call Screening:OFF, CallerID (Incoming):Display Caller’s Number, and Global Spam Filtering:checked. The remaining entries should be blank.

6. Google Voice configuration is now complete. Sign out of your Google Voice account.


The Simonics GV-SIP Gateway Solution. Here’s the quick thumbnail of the steps to put all the pieces in place. First, we set up a Google Voice account at Google as documented above. Next, we’ll set up an account at the Simonics site to link our Google Voice account to the Simonics SIP Gateway. Then we’ll plug our Simonics SIP credentials into the preconfigured Simonics trunk on Incredible PBX. Finally, we’ll add Incoming and Outgoing Routes to tell Incredible PBX how to process Google Voice calls.

Now you’re ready to set up an account on the Simonics site. With this Nerd Vittles link, there’s a one-time fee of $4.99.

1. Start by registering your new Google account.

2. After paying the $4.99 registration fee via PayPal, proceed through the setup process to link your Google Voice account and 11-digit Google Voice phone number to the Simonics SIP Gateway.

3. You then will be provided your SIP username and password as well as the gateway address, gvgw.simonics.com, to use in building your SIP trunk on your PBX.



4. If your SIP credentials ever get compromised, regenerate your password by logging back into the Simonics GW site.

Now it’s time to configure your Simonics trunk in Incredible PBX. Start by logging into the web interface as admin with your admin password from above. Click Connectivity:Trunks and choose the Simonics trunk in the PBX Configuration menu. The Simonics trunk template will display:

1. Untick the Disable Trunk check box.

2. In Outbound CallerID, insert your 10-digit Google Voice number.

3. In username, insert GV1 followed by your 10-digit Google Voice number.

4. In secret, insert your Simonics SIP password.

5. In the Registration String, insert GV1 followed by your 10-digit Google Voice number followed by a colon (:)

6. In the Registration String after the colon, insert your Simonics SIP password.

7. In the tail of the Registration String after the slash (/), insert your 10-digit Google Voice number.

8. Click Submit Changes and then Reload the Dialplan when prompted.


Configuring GV Trunk with Motif in the GUI. If you elect to configure your Google Voice trunk natively using the Incredible PBX GUI, you first will need to obtain a Refresh_Token if you elected to use OAuth 2 authentication.

1. Be sure you are still logged into your Google Voice account. If not, log back in at https://voice.google.com.

2. In a separate browser tab, go to the Google OAUTH Playground using your browser while still logged into your Google Voice account.

3. Once logged in to Google OAUTH Playground, click on the Gear icon in upper right corner (as shown below).

  3a. Check the box: Use your own OAuth credentials
  3b. Enter Incredible PBX OAuth Client ID:

466295438629-prpknsovs0b8gjfcrs0sn04s9hgn8j3d.apps.googleusercontent.com

  3c. Enter Incredible PBX OAuth Client secret: 4ewzJaCx275clcT4i4Hfxqo2
  3d. Click Close

4. Click Step 1: Select and Authorize APIs (as shown below)

  4a. In OAUTH Scope field, enter: https://www.googleapis.com/auth/googletalk
  4b. Click Authorize APIs (blue) button.

5. Click Step 2: Exchange authorization code for tokens

  5a. Click Exchange authorization code for tokens (blue) button

  5b. When the tokens have been generated, Step 2 will close.

6. Reopen Step 2 and copy your Refresh_Token. This is the "password" you will need to enter (together with your Gmail account name and 10-digit GV phone number) when you add your GV trunk in the Incredible PBX GUI. Store this refresh_token in a safe place. Google doesn’t permanently store it!

7. Authorization tokens NEVER expire! If you ever need to remove your authorization tokens, go here and delete Incredible PBX Google Voice OAUTH entry by clicking on it and choosing DELETE option.

Switch back to your Gmail account and click on the Phone icon at the bottom of the window to place one test call. Once you successfully place a call, you can log out of Google Voice and Gmail.

Yes, this is a convoluted process. Setting up a secure computing environment often is. Just follow the steps and don’t skip any. It’s easy once you get the hang of it. And you’ll sleep better.

Now you’re ready to configure your Google Voice account in Incredible PBX. You do it from within the Incredible PBX GUI by choosing Connectivity:Google Voice. Just plug in your Google Voice Username, enter your refresh_token from Step #6 above as your Google Voice Password, enter your 10-digit Google Voice Phone Number, and check the first two boxes: Add Trunk and Add Outbound Routes. Then click Submit and Apply Settings to save your new entries.

If you elected to use plain-text passwords for Google Voice, simply skip obtaining OAuth 2 credentials and substitute your plain-text password for the refresh_token when you create the Google Voice trunk above. If you have trouble getting Google Voice to work using a plain-text password, try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

IMPORTANT: Once you’ve entered your credentials, you MUST restart Asterisk from the Linux command line, or Google Voice calls will fail: amportal restart

Configuring Outbound Routes in Incredible PBX GUI

Outbound Routes serve a couple of purposes. First, they assure that calls placed by users of your PBX are routed out through an appropriate trunk to reach their destination in the least costly manner. Second, they serve as a security mechanism by either blocking or restricting certain calls by requiring a PIN to complete the calls. For example, if you only permit 10-digit calls and route all of those calls out through a Google Voice trunk, there is zero risk of running up an exorbitant phone bill because of unauthorized calls unless you’ve deposited a lot of money in your Google Voice account. This raises another important security tip. Never authorize recurring charges on credit cards registered with your VoIP providers and, if possible, place pricing limits on calls with your providers. If a bad guy were to break into your PBX, you don’t want to give the intruder a blank check to make unauthorized calls. And you certainly don’t want to join the $100,000 Phone Bill Club.

To create outbound routes in the Incredible PBX GUI, navigate to Connectivity:Outbound Routes and click Add Outbound Route. In the Route Settings tab, give the Outbound Route a name and choose one or more trunks to use for the outbound calls. In the Dial Patterns tab, specify the dial strings that must be matched to use this Outbound Route. NXXNXXXXXX would require only 10-digit numbers with the first and fourth digits being a number between 2 and 9. Note that Outbound Routes are searched from the top entry to the bottom until there is a match. Make certain that you order your routes correctly and then place test calls watching the Asterisk CLI to make sure the calls are routed as you intended.

Configuring Inbound Routes in Incredible PBX GUI

Inbound Routes, as the name implies, are used to direct incoming calls to a specific destination. That destination could be an extension, a ring group, an IVR or AutoAttendant, or even a conference or DISA extension to place outbound calls (hopefully with a very secure password). Inbound Routes can be identified by DID, CallerID number, or both. To create Inbound Routes, choose Connectivity:Inbound Routes and then click Add Inbound Route. Provide at least a Description for the route, a DID to be matched, and the Destination for the incoming calls that match. If you only want certain callers to be able to reach certain extensions, add a CallerID number to your matching criteria. You can add Call Recording and CallerID CNAM Lookups under the Other tab.

Bug Fix for Incredible Fax Installer

If you installed Incredible PBX 13-13 during the past week, be advised that removal of a GitHub repo will prevent the Incredible Fax installer in /root from completing successfully. Here’s the fix:

sed -i 's|joshnorth|wardmundy|' /root/incrediblefax11.sh

Also note that, with the Incredible PBX 13-13 Lean install, you must manually create a Custom Destination using the GUI. This is the destination to use for receipt of incoming faxes. The settings for the new Custom Destination should look like this:

target -> custom-fax-iaxmodem,s,1
label  -> Fax (HylaFax)
return -> no

You now have a functioning PBX. Down the road, we’ll tackle some of the more esoteric features of Asterisk so… Stay Tuned!

Published: Monday, October 30, 2017  


NEW YEAR’S TREAT: If you could use one or more free DIDs in the U.S. with unlimited inbound calls and unlimited simultaneous channels, then today’s your lucky day. TelecomsXChange and Bluebird Communications have a few hundred thousand DIDs to give away so you better hurry. You have your choice of DID locations including New York, New Jersey, California, Texas, and Iowa. The DIDs support Voice, Fax, Video, and even Text Messaging (by request). The only requirement at your end is a dedicated IP address for your VoIP server. Once you receive your welcome email with your number, be sure to whitelist the provider’s IP address in your firewall. For Incredible PBX servers, use add-ip to whitelist the UDP SIP port, 5060, using the IP address provided in your welcoming email.

Here’s the link to order your DIDs.

Your DID Trunk Setup in your favorite GUI should look like this:

Trunk Name: IPC
Peer Details:
type=friend
qualify=yes
host={IP address provided in welcome email}
context=from-trunk

Your Inbound Route should specify the 11-digit DID beginning with a 1. Enjoy!



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…