Home » Posts tagged 'Internet/Web'

Tag Archives: Internet/Web

The Most Versatile VoIP Provider: FREE PORTING

Introducing OpenVPN for Incredible PBX

We’ve been wrestling with virtual private networks for more than 22 years now. Here’s a quick walk down memory lane. Our adventure began with the Altiga 3000 series VPN concentrators which we introduced in the federal courts in 1999. It was a near perfect plug-and-play hardware solution for secure communications between remote sites using less than secure Windows PCs. Cisco quickly saw the potential, gobbled up the company, and promptly doubled the price of the rebranded concentrators. Over a decade ago, we introduced Hamachi® VPNs to interconnect Asterisk® and PBX in a Flash servers. At the time, Hamachi was free, but that was short-lived when they were subsequently acquired by LogMeIn®. What followed was a short stint with PPTP VPNs which worked great with Macs, Windows PCs, and many phones but suffered from an endless stream of security vulnerabilities. Finally, in April 2012, we introduced the free NeoRouter® VPN. Version 2 still is an integral component in every Incredible PBX® platform today, and PPTP still is available as well. While easy to set up and integrate into multi-site Asterisk deployments, the Achilles’ Heel of NeoRouter remains its inability to directly interconnect many smartphones and stand-alone SIP phones, many of which now support the OpenVPN platform.

The main reason we avoided OpenVPN® over the years was its complexity to configure and deploy.1 In addition, it was difficult to use with clients whose IP addresses were frequently changing. Thanks to the terrific work of Nyr, Stanislas Angristan, and more than a dozen contributors, OpenVPN now has been tamed. And the new server-based, star topology design makes it easy to deploy for those with changing or dynamic IP addresses. Today we’ll walk you through building an OpenVPN server as well as the one-minute client setup for almost any Asterisk deployment and most PCs, routers, smartphones, and VPN-compatible soft phones and SIP phones including Yealink, Grandstream, Snom, and many more. And the really great news is that OpenVPN clients can coexist with your current NeoRouter VPN.

Finally, a word about the OpenVPN Client installations below. We’ve tested all of these with current versions of Incredible PBX 13-13 and 16-15 as well as Incredible PBX 2020 and Incredible PBX 2021. They should work equally well with other server platforms which have been properly configured. However, missing dependencies on other platforms are, of course, your responsibility.

Building an OpenVPN Server Platform

There are many ways to create an OpenVPN server platform. The major prerequisites are a supported operating system, a static IP address for your server, and a platform that is extremely reliable and always available. If the server is off line, all client connections will also fail. While we obviously have not tested all the permutations and combinations, we have identified a platform that just works™. It’s the CentOS 7, 64-bit cloud offering from Vultr. If you use our referral link at Vultr, you not only will be supporting Nerd Vittles through referral revenue, but you also will be able to take advantage of their $100 free credit for new customers. For home and small business deployments, we have found the $5/month platform more than adequate, and you can add automatic backups for an additional $1 a month. Cheap insurance!

A more recent and less costly hosting alternative is the $25/year Crown Cloud offering that we introduced several weeks ago. It includes a free snapshot backup in the $25 annual price.

To get started, create your CentOS 7 instance and login as root using SSH or Putty. Immediately change your password and update and install the necessary CentOS 7 packages. Be sure to turn off SELinux if it is installed by default.

passwd
setenforce 0
# edit /etc/selinux/config
# insert: SELINUX=disabled
# save the SELinux config file
yum -y update
yum -y install net-tools nano wget tar iptables-services
systemctl stop firewalld
systemctl disable firewalld
systemctl enable iptables

We recommend keeping your OpenVPN server platform as barebones as possible to reduce the vulnerability risk. By default, this installer routes all client traffic through the VPN server which wastes considerable bandwidth. The sed commands below modify this design to only route client VPN traffic through the OpenVPN server.


#!/bin/bash
##filename # openvpn-install-mod
echo "      Fix script /root/openvpn-install.sh to ensure internet traffic doesn't use vpn-tunnel."
echo " "
read -p "     Press 'Enter' to continue at your own risk,  or Ctrl+c to abort."
##trap user non root
if [ "$(id -u)" -ne 0 ]; then
echo ""
echo "Must be run as root user: sudo $0" echo ""
exit 1
fi
# cd /root
echo "     Fetching latest copy of install script  /root/openvpn-install.sh from github.com/Angristan"
curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
echo "        running  3 sed commands to ensure only local traffic uses vpn-tunnel :-"
echo '        1st commenting-out line 857'
#### fails to complete with \\"redirect-gateway ## sed -i "s|\\techo 'push \\"redirect-gateway|#\\techo 'push \\"redirect-gateway|" openvpn-install.sh
sed -e '/redirect-gateway d/s/^/#/' -i openvpn-install.sh

echo '2nd commenting-out line 865'
###sed -i "s|push \\"redirect-gateway|#push \\"redirect-gateway|" openvpn-install.sh
sed -e '/redirect-gateway ipv6/s/^/#/' -i openvpn-install.sh

echo '3rd after line 1042 ;  newline 1043   pull-filter ignore redirect-gateway'
###sed -i 's|tls-client|tls-client\\npull-filter ignore "redirect-gateway"|' openvpn-install.sh
sed -i 's|tls-client|tls-client\npull-filter ignore "redirect-gateway"|' openvpn-install.sh

Here are the recommended entries in running the OpenVPN installer:

  • Server IP Address: using FQDN strongly recommended to ease migration issues
  • Enabled IPv6 (no): accept default
  • Port (1194): accept default
  • Protocol (UDP): accept default
  • DNS (3): change to 9 (Google)
  • Compression (no): accept default
  • Custom encrypt(no): accept default
  • Generate Server
  • Client name: firstclient
  • Passwordless (1): accept default

NOTE: On CentOS 7 platforms, edit /usr/lib/systemd/system/openvpn@.service. Scroll down to the ExecStart= line and change %i.conf to %I.conf. Then save the file. Special thanks to @mattburris for catching the error.

In the following steps, we will use IPtables to block all server access except via SSH or the VPN tunnel. Then we’ll start your OpenVPN server:

cd /etc/sysconfig
wget http://incrediblepbx.com/iptables-openvpn.tar.gz
tar zxvf iptables-openvpn.tar.gz
rm -f iptables-openvpn.tar.gz
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service
systemctl enable openvpn@server.service
systemctl restart iptables

Once OpenVPN is enabled, the server can be reached through the VPN at 10.8.0.1. OpenVPN clients will be assigned by DHCP in the range of 10.8.0.2 through 10.8.0.254. You can list your VPN clients like this: cat /etc/openvpn/ipp.txt. You can list active VPN clients like this: cat /var/log/openvpn/status.log | grep 10.8. And you can add new clients or delete old ones by rerunning /root/openvpn-install.sh.

For better security, change the SSH access port replacing 1234 with desired port number:

PORT=1234
sed -i "s|#Port 22|Port $PORT|" /etc/ssh/sshd_config
systemctl restart sshd
sed -i "s|dport 22|dport $PORT|" /etc/sysconfig/iptables
systemctl restart iptables

We’ve made changes in the Angristan script to adjust client routing. By default, all packets from every client flowed through the OpenVPN server which wasted considerable bandwidth. Our preference is to route client packets destined for the Internet directly to their destination rather than through the OpenVPN server. The sed commands added to the base install above do this; however, if you’ve already installed and run the original Angristan script, your existing clients will be configured differently. Our recommendation is to remove the existing clients, make the change below, and then recreate the clients again by rerunning the script. In the alternative, you can execute the command below to correct future client creations and then run it again on each existing client platform substituting the name of the /root/.ovpn client file for client-template.txt and then restart each OpenVPN client.


cd /etc/openvpn
sed -i 's|tls-client|tls-client\\npull-filter ignore "redirect-gateway"|' client-template.txt

Creating OpenVPN Client Templates

In order to assign different private IP addresses to each of your OpenVPN client machines, you’ll need to create a separate client template for each computer. You do this by running /root/openvpn-install.sh again on the OpenVPN server. Choose option 1 to create a new .ovpn template. Give each client machine template a unique name and do NOT require a password for the template. Unless the client machine is running Windows, edit the new .ovpn template and comment out the setenv line: #setenv. Save the file and copy it to the /root folder of the client machine. Follow the instructions below to set up OpenVPN on the client machine and before starting up OpenVPN replace firstclient.ovpn in the command line with the name of .ovpn you created for the individual machine.



Renewing OpenVPN Server’s Expired Certificate

The server certificate will expire after 1080 days, and clients will no longer be able to connect. Here’s what to do next:

systemctl stop openvpn@server.service
cd /etc/openvpn/easy-rsa
./easyrsa gen-crl
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
systemctl start openvpn@server.service


Installing an OpenVPN Client on CentOS/RHEL

cd /root
yum -y install epel-release
yum --enablerepo=epel install openvpn -y
# copy /root/firstclient.ovpn from server to client /root
# and then start up the VPN client
openvpn --config /root/firstclient.ovpn --daemon
# adjust Incredible PBX firewall below
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
cd /usr/local/sbin
echo "iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT" >> iptables-custom

Running ifconfig should now show the VPN client in the list of network ports:

tun0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
     inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
     UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
     RX packets:9 errors:0 dropped:0 overruns:0 frame:0
     TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100 
     RX bytes:855 (855.0 b)  TX bytes:17254 (16.8 KiB)

And you should be able to login to the VPN server using its VPN IP address:

# enter actual SSH port replacing 1234
PORT=1234
ssh -p $PORT root@10.8.0.1

Installing an OpenVPN Client on Debian and Ubuntu

cd /root
apt-get update
apt-get install openvpn unzip
dpkg-reconfigure tzdata
# copy /root/firstclient.ovpn from server to client /root
# and then start up the VPN client
openvpn --config /root/firstclient.ovpn --daemon
# adjust Incredible PBX firewall below
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
cd /usr/local/sbin
echo "iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT" >> iptables-custom

Running ifconfig should now show the VPN client in the list of network ports:

tun0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
     inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
     UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
     RX packets:9 errors:0 dropped:0 overruns:0 frame:0
     TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100 
     RX bytes:855 (855.0 b)  TX bytes:17254 (16.8 KiB)

And you should be able to login to the VPN server using its VPN IP address:

# enter actual SSH port replacing 1234
PORT=1234
ssh -p $PORT root@10.8.0.1

Installing an OpenVPN Client on Raspbian

The OpenVPN client now is easy to install on the latest Incredible PBX builds for the Raspberry Pi. Log into your server as root and issue the following commands to set your time zone and install the OpenVPN client. pbxstatus should then show the 10.8.0.x VPN address in the Private IP listing.

dpkg-reconfigure tzdata
apt-get install openvpn unzip
# copy your .ovpn template into /root
# edit template and comment out setenv line
# start up the client using actual .ovpn filename
openvpn --config /root/raspi.ovpn --daemon
# adjust Incredible PBX firewall
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
cd /usr/local/sbin
echo "iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT" >> iptables-custom
iptables-restart
pbxstatus


Installing an OpenVPN Client on a Mac

While there are numerous OpenVPN clients for Mac OS X, none hold a candle to Tunnelblick in terms of ease of installation and use. First, create a new client config on your server and copy it (/root/*.ovpn) to a folder on your Mac where you can find it. Download Tunnelblick and install it. Run Tunnelblick and then open Finder. Click and drag your client config file to the Tunnelblick icon in the top toolbar. Choose Connect when prompted. Done.

Installing an OpenVPN Client for Windows 10

The installation procedure for Windows is similar to the Mac procedure above. Download the OpenVPN Client for Windows. Double-click on the downloaded file to install it. Create a new client config on your server and copy it (/root/*.ovpn) to a folder on your PC where you can find it. Start up the OpenVPN client and click on the OpenVPN client in the activity tray. Choose Import File and select the config file you downloaded from your OpenVPN Server. Right-click on the OpenVPN icon again and choose Connect. Done.

Installing an OpenVPN Client for Android

Our favorite OpenVPN client for Android is called OpenVPN for Android and is available in the Google Play Store. Download and install it as you would any other Android app. Upload a client config file from your OpenVPN server to your Google Drive. Run the app and click + to install a new profile. Navigate to your Google Drive and select the config file you uploaded.

Installing an OpenVPN Client for iOS Devices

The OpenVPN Connect client for iOS is available in the App Store. Download and install it as you would any other iOS app. Before uploading a client config file, open the OpenVPN Connect app and click the 4-bar Settings icon in the upper left corner of the screen. Click Settings and change the VPN Protocol to UDP and IPv6 to IPV4-ONLY Tunnel. Accept remaining defaults.

To upload a client config file, the easiest way is to use Gmail to send yourself an email with the config file as an attachment. Open the message with the Gmail app on your iPhone or iPad and click on the attachment. Then choose the Upload icon in the upper right corner of the dialog. Next, choose Copy to OpenVPN in the list of apps displayed. When the import listing displays in OpenVPN Connect, click Add to import the new profile. Click ADD again when the Profile has been successfully imported. You’ll be prompted for permission to Add VPN Configurations. Click Allow. Enter your iOS passcode when prompted. To connect, tap once on the OpenVPN Profile. To disconnect, tap on the Connected slider. When you reopen the OpenVPN Connect app, the OVPN Profiles menu will display by default. Simply tap once on your profile to connect thereafter.

Installing a Web Interface to Display Available Clients

One advantage of NeoRouter is a simple way for any VPN client to display a listing of all VPN clients that are online at any given time. While that’s not possible with OpenVPN, we can do the next best thing and create a simple web page that can be accessed using a browser but only from a connected OpenVPN client pointing to http://10.8.0.1.

To set this up, log in to your OpenVPN server as root and issue the following commands:


yum --enablerepo=epel install lighttpd -y
systemctl start lighttpd.service
systemctl enable lighttpd.service
chown root:lighttpd /var/log/openvpn/status.log
chmod 640 /var/log/openvpn/status.log
cd /var/www
rm -rf lighttpd
wget http://incrediblepbx.com/lighttpd.tar.gz
tar zxvf lighttpd.tar.gz
ln -s /var/log/openvpn/status.log /var/www/lighttpd/status.log
sed -i 's|#server.bind = "localhost"|server.bind = "10.8.0.1"|' /etc/lighttpd/lighttpd.conf
systemctl restart lighttpd.service

 
UPDATE: On some cell phones and on Windows PCs, you may observe that you can no longer reach your favorite web sites after enabling the OpenVPN client. Luckily there’s a simple fix that allows 10.8.0.x traffic to be sent through the OpenVPN tunnel while all other traffic is routed out of your standard network connection. Here’s the fix. Make sure the .ovpn client config file includes the following lines:

pull-filter ignore redirect-gateway
route-nopull
route 10.8.0.0 255.255.255.0

Originally published: Monday, July 20, 2020  Updated: Saturday, June 25, 2022



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



  1. Our discussion today is focused on the free, MIT-licensed version of OpenVPN. For details on their commercial offerings, follow this link. []

Interconnecting a Mobile PBX to the Asterisk Mothership

The Holy Grail for a mobile VoIP solution is a simple way to connect back to your primary Asterisk® PBX via Wi-Fi from anywhere in the world to make and receive calls as if you never left. Let’s tick off the potential problems. First, many home-based PBXs are sitting behind NAT-based routers. Second, almost all remote Wi-Fi connections are made through a NAT-based router. Third, chances are the remote hosting platform blocks outgoing email from downstream servers such as a mobile PBX. Fourth, deciphering the IP address of your remote connection can be problematic. Fifth, the chances of experiencing one-way audio or no audio on your VoIP calls is high because of NAT-based routers at both ends of your connection.

Last week we introduced OpenVPN as a solution for those with multiple VoIP sites to interconnect. But there’s a much simpler solution for those that travel regularly and want to avoid the complexity of configuring OpenVPN. Here is a quick thumbnail of the setup we recommend as your mobile companion, and you’ll never have a one-way audio problem again. In terms of hardware, you’ll need a Raspberry Pi 3B+ with its native WiFi support and a Windows or Mac notebook computer for traveling. You’ll also need a NeoRouter VPN server to make this process seamless. If you’ve already set up an OpenVPN server platform, it will work equally well. One advantage of NeoRouter is that clients can be added from the client side without having to create a config file on the VPN server. All you need is a username and password. But the choice of VPN platform is totally a matter of preference. The objective using either OpenVPN or NeoRouter is secure communications to your home base. We don’t want to have to reconfigure either your home PBX or your traveling PBX or your notebook PC based upon changes in your public and private IP addresses.

Today we’ll walk you through the easiest way to set up a (free) NeoRouter server on the Internet. It can be used to connect up to 254 devices on an encrypted private LAN. We’re delighted to have finally found a perfect use for the (free) Google Cloud instance.

Using a RaspberryPi 3B+, build an Incredible PBX 13-13.10 platform by following our previous tutorial. We’ll set this up on your home WiFi network so that you only have to throw the Raspberry Pi and its power supply in your suitcase when you travel. As part of the setup, we’ll download NeoRouter and activate private IP addresses for your notebook computer as well as both of your PBXs (using nrclientcmd). Next, we’ll interconnect the two PBXs using SIP trunks and the NeoRouter private LAN IP addresses. We’ll take advantage of a neat little Raspberry Pi trick by storing a wpa_supplicant.conf template on your PC for the remote WiFi setup even though we don’t yet know anything about the remote LAN. Once we know the SSID and password at the remote destination, we’ll use your notebook computer to edit the template and transfer the file to the /boot folder of your RasPi’s microSD card. When the card then is inserted and the RasPi is booted, it will automatically move the template to the proper /etc/wpa_supplicant folder to successfully activate your WiFi connection. We’ll also load links, a fast text-based browser, just in case you encounter a hotel that requires some sort of acknowledgement or password before establishing your WiFi connection to the Internet.

Setting Up a (free) NeoRouter Server in the Cloud

Because NeoRouter uses a star-based VPN architecture, that means the NeoRouter Server must always be available at the same IP address for all of the NeoRouter Clients (aka Nodes) to talk to. If you already have a cloud-based server that has a static IP address and can handle the traffic cop duties of NeoRouter Server, then that’s an ideal place to install NeoRouter Server. Simply download the Free flavor of NeoRouter Server that matches your existing platform and install it. Add an FQDN for your server’s IP address, and you’re all set. A detailed summary of available management options is included in our previous NeoRouter v2 article.

We devoted a couple weeks to Google Cloud instances last month, and it turned out to be a pretty awful platform for hosting Asterisk. But the free offering looks to be a perfect fit as a hosting platform for NeoRouter Server. You also won’t have to worry about Google going out of business anytime soon. So let us walk you through an abbreviated setup process on the Google Cloud platform. If you’re just getting started with Google Cloud, read our previous article to take advantage of Google’s generous $300 offer to get you started and to generally familiarize yourself with the mechanics of setting up an instance in the Google Cloud.

For NeoRouter Server, navigate to https://console.cloud.google.com. Click the 3-bar image in the upper left corner of your Dashboard. This exposes the Navigation Menu. In the COMPUTE section of the Dashboard, click Compute Engine -> VM Instances. Then click CREATE PROJECT and name it. Now click CREATE INSTANCE and Name it nrserver. The instance name becomes the hostname for your virtual machine. If you want to remain in the Free Tier, choose f1-micro instance as the Machine Type and choose a U.S. Region (us-central1, us-east1 or us-west1). For the Boot Disk, choose CentOS 6 and expand the disk storage to at least 20GB (30GB is available with the Free Tier). For the Firewall setting, leave HTTP and HTTPS disabled. Check your entries carefully and then click the Create button.

When your virtual machine instance comes on line, jot down the assigned public IP address. We’ll need it in a minute. Now click on the SSH pull-down tab and choose Open in a Browser Window. Now we need to set a root password and adjust the SSH settings so that you can login from your desktop computer using SSH or Putty:

sudo passwd root
su root
nano -w /etc/ssh/sshd_config

When the editor opens the SSH config file, add the following entries. Then save the file and restart SSH: service sshd restart

PermitRootLogin yes
PasswordAuthentication yes

You now should be able to log in to your instance as root from your desktop computer using SSH or Putty. Test it to be sure: ssh root@server-IP-address

Before we leave the Google Cloud Dashboard, let’s make the assigned public IP address permanent so that it doesn’t get changed down the road. Keep in mind that, if you ever delete your instance, you also need to remove the assigned static IP address so you don’t continue to get billed for it. From Home on the Dashboard, scroll down to the NETWORKING section and choose VPS Network -> External IP Addresses. Change the Type of your existing address to Static and Name it staticip. Next, choose Firewall Rules in the VPS Network section and click CREATE FIREWALL RULE. Fill in the template like the following leaving the other fields with their default entries. Then click CREATE.

  1. Name: neorouter
  2. Target Tags: neorouter
  3. Source IP Range: 0.0.0.0/0
  4. Protocols/Ports: check tcp: 32976

CAUTION: Before this firewall rule will be activated for your instance, it also must be specified in the Network Tags section for your instance. Shut down your instance and add the neorouter tag by editing your instance. Then restart your instance.

Now we’re ready to install NeoRouter Free v2 Server on your instance. Be sure to choose the Free v2 variety. Log back into your server as root using SSH/Putty and issue these commands:

yum -y update
yum -y install nano
wget http://download.neorouter.com/Downloads/NRFree/Update_2.3.1.4360/Linux/CentOS/nrserver-2.3.1.4360-free-centos-x86_64.rpm
rpm -Uvh nrserver-2.3.1.4360-free-centos-x86_64.rpm
/etc/rc.d/init.d/nrserver.sh restart
nrserver -setdomain <DOMAINNAME> <DOMAINPASSWORD>
nrserver -adduser <USERNAME> <PASSWORD> admin
nrserver -enableuser <USERNAME>
nrserver -showsettings

Finally, add the following command to /etc/rc.local so that NeoRouter Server gets started whenever your instance is rebooted:

echo "/etc/rc.d/init.d/nrserver.sh start" >> /etc/rc.local

Installing Incredible PBX 13-13.10 on a Raspberry Pi

We won’t regurgitate our Raspberry Pi tutorial. Simply follow the steps outlined there to acquire the necessary components and to get Incredible PBX 13-13.10 installed. We do want to stress the importance of getting WiFi working, configuring SendMail to use your Gmail credentials as a smarthost, and making sure you added the email addition to /etc/rc.local so that you receive IP address information about your PBX whenever it is rebooted. If you skipped any of these steps, stop here and revisit the RasPi tutorial to complete those items.

Configuring NeoRouter Client on Your Computers

All flavors of Incredible PBX come with the NeoRouter client preinstalled. If your Asterisk-based home PBX is of another variety, you can install the NeoRouter Client matching the architecture of your server from here. Be sure to click on the NeoRouter Free v2 tab before making your selection. The other varieties are incompatible with the Free NeoRouter v2 Server installed above and are not free. Also be sure you match both the operating system and architecture of your server platform. Finally, make certain that TCP 32976 is whitelisted in your firewalls.

On Linux-based (non-GUI) platforms, setting up the NeoRouter Client is done by issuing the command: nrclientcmd. You’ll be prompted for your NeoRouter Server FQDN as well as your username and password credentials. Perform this procedure on both your home PBX and the Raspberry Pi.

To add your Windows or Mac notebook to the NeoRouter VPN, download the appropriate client and run the application which will prompt for your NeoRouter Server FQDN as well as your NeoRouter credentials. Once completed, you should see all three machines in your NeoRouter Free Client Dashboard: your PC as well as your home PBX and Raspberry Pi-based Incredible PBX. Make note of the private VPN addresses (10.0.0.X) of both your home PBX and your Raspberry Pi. These VPN addresses never change, and we’ll need them to interconnect your PBXs and to set up a softphone on your notebook computer.

Admininistrative Tools to Manage NeoRouter

Here are a few helpful commands for monitoring and managing your NeoRouter VPN.

To access your NeoRouter Linux client: nrclientcmd

To restart NeoRouter Linux client: /etc/rc.d/init.d/nrservice.sh restart

To restart NeoRouter Linux server: /etc/rc.d/init.d/nrserver.sh restart

To set domain: nrserver -setdomain YOUR-VPN-NAME domainpassword

For a list of client devices: nrserver -showcomputers

For a list of existing user accounts: nrserver -showusers

For the settings of your NeoRouter VPN: nrserver -showsettings

To add a user account: nrserver -adduser username password user

To add admin account: nrserver -adduser username password admin

For a complete list of commands: nrserver –help


Interconnecting Your Raspberry Pi and Home PBX

To keep things simple, our setup examples below assume the following NeoRouter VPN addresses: Home PBX (10.0.0.1) and Raspberry Pi (10.0.0.2). Using a browser, you’ll need to login to the GUI of your Home PBX and Raspberry Pi and add a Trunk to each PBX. Be sure to use the same secret on BOTH trunk setups. We don’t recommend forwarding incoming calls from your Home PBX to your Raspberry Pi because most folks won’t be sitting in their hotel room all day to answer incoming calls. Instead, add the number of your smartphone to a Ring Group on the Home PBX and don’t forget the # symbol at the end of the number. On the Raspberry Pi side, we are assuming that whenever a call is dialed from a registered softphone with the 9 prefix, the call will be sent to the Home PBX for call processing (without the 9). For example, 98005551212 would send 800-555-1212 to the Home PBX for outbound routing and 9701 would send 701 to the Home PBX for routing to the 701 extension. You can obviously adjust your dialplan to meet your own local requirements.

On the Home PBX, the chan_sip trunk entries should look like this:

Trunk Name: raspi-remote

PEER DETAILS

host=10.0.0.2
type=friend
context=from-internal
username=home-pbx
fromuser=home-pbx
secret=some-password
canreinvite=no
insecure=port,invite
qualify=yes
nat=yes

On the Raspberry Pi, the chan_sip trunk entries should look like this:

Trunk Name: home-pbx

PEER DETAILS

host=10.0.0.1
type=friend
context=from-internal
username=raspi-remote
fromuser=raspi-remote
secret=some-password
canreinvite=no
insecure=port,invite
qualify=yes
nat=yes

On the Raspberry Pi, add an Outbound Route named Out9-home-pbx pointed to home-pbx Trunk with the following Dial Patterns. For each Dial Pattern, prepend=blank and prefix=9:

dial string: 1NXXNXXXXXX  
dial string: NXXNXXXXXX  
dial string: *98X.
dial string: XXX
dial string: XXXX
dial string: XXXXX
  

Tweaking Your Raspberry Pi for WiFi Mobility

Typically, you don’t know the WiFi SSID or password of your destination location before you travel. Because you won’t be traveling with a monitor and keyboard for your Raspberry Pi, we needed some way to adjust the WiFi credentials on the microSD card to accommodate the destination WiFi network when you arrive. Luckily, the Raspberry Pi folks thought of a clever way to handle this. You can simply plug your microSD card into your notebook PC (Mac ALERT: Don’t forget your SD card dongle!) and add a wpa_supplicant.conf config file to the /boot directory on the card once you arrive at your destination and know the SSID and password of the local WiFi network. When the Raspberry Pi is subsequently booted, the operating system will move the config file to the /etc/wpa_supplicant directory so that your WiFi network will come on line. Here’s what a typical wpa_supplicant.conf file should look like using your actual credentials. The last network section handles open WiFi network connections (think: McDonald’s) if you want to enable them:

country=US
update_config=1

network={
 ssid="your-SSID"
 psk="your-SSID-password"
 key_mgmt=WPA-PSK
 scan_ssid=1
 priority=5
}

network={
 key_mgmt=NONE
 priority=1
}

The other gotcha is that some public WiFi networks require some type of web login procedure before you can actually access the Internet even though an IP address may have been assigned to your Raspberry Pi. To handle this situation, you’ll need a text-based web browser on the Raspberry Pi that can be accessed through your notebook PC using SSH and your Raspberry Pi’s VPN address. Our favorite is links which can be installed on your Raspberry Pi before you pack up.

apt-get install links -y

Once you arrive at your destination, connect both your notebook PC and Raspberry Pi to the same WiFi network, login to the RasPi with SSH at the VPN address assigned to your RasPi, and run links to start the browser. Press <esc> to access the links menu options. If you can’t access your RasPi at the VPN IP address, try its WiFi-assigned local IP address.

Adding a Softphone to Your Notebook PC

Last, but not least, you obviously need a way to make and receive calls once your Raspberry Pi is up and running at the remote site. We recommend installing a softphone on your Mac or PC notebook that connects to an extension on your Raspberry Pi using the VPN IP address of the Raspberry Pi. Using the VPN address assures that the connection will always be available regardless of the WiFi network’s local IP addresses. Everyone has their own favorite softphone, but here are some suggestions.

We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for an extension on your Raspberry Pi. Then enter the VPN IP address of your server plus your extension’s password. Click OK to save your entries.

If you are a Mac user, another great no-frills softphone is Telephone. Just download and install it from the Mac App Store.

Adding a Softphone to Your Smartphone

We actually prefer adding a free softphone app to our smartphone. There are a number of alternatives on both the iOS and Android platforms. With iPhones and iPads, we’ve had great success with Acrobits Softphone, Grandstream Wave, Linphone, and Zoiper Lite. All are available in the App Store. For Android devices, Acrobits Groundwire is our favorite. But Grandstream Wave, Linphone, and Zoiper Lite also are available. Keep in mind that Zoiper also supports IAX connections to simplify NAT connections. And, on both platforms, don’t forget that Google now lets you make and receive calls using the new Google Voice app using your old Google Voice numbers that no longer work directly with Asterisk.

Enjoy your pain-free traveling!

Originally published: Monday, April 22, 2019



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



A New VPN for All Seasons: Introducing OpenVPN for Asterisk


This month marks our twentieth anniversary wrestling with virtual private networks. Here’s a quick walk down memory lane. Our adventure began with the Altiga 3000 series VPN concentrators which we introduced in the federal courts in 1999. It was a near perfect plug-and-play hardware solution for secure communications between remote sites using less than secure Windows PCs. Cisco quickly saw the potential, gobbled up the company, and promptly doubled the price of the rebranded concentrators. About 10 years ago, we introduced Hamachi® VPNs to interconnect Asterisk® and PBX in a Flash servers. At the time, Hamachi was free, but that was short-lived when they were subsequently acquired by LogMeIn®. What followed was a short stint with PPTP VPNs which worked great with Macs, Windows PCs, and many phones but suffered from an endless stream of security vulnerabilities. Finally, in April 2012, we introduced the free NeoRouter® VPN. Version 2 still is an integral component in every Incredible PBX® platform today, and PPTP still is available as well. While easy to set up and integrate into multi-site Asterisk deployments, the Achilles’ Heel of NeoRouter remains its inability to directly interconnect many smartphones and stand-alone SIP phones, some of which support the OpenVPN platform and nothing else.

The main reason we avoided OpenVPN® over the years was its complexity to configure and deploy.1 In addition, it was difficult to use with clients whose IP addresses were frequently changing. Thanks to the terrific work of Nyr, Stanislas Angristan, and more than a dozen contributors, OpenVPN now has been tamed. And the new server-based, star topology design makes it easy to deploy for those with changing or dynamic IP addresses. Today we’ll walk you through building an OpenVPN server as well as the one-minute client setup for almost any Asterisk deployment and most PCs, routers, smartphones, and VPN-compatible soft phones and SIP phones including Yealink, Grandstream, Snom, and many more. And the really great news is that OpenVPN clients can coexist with your current NeoRouter VPN.

Finally, a word about the OpenVPN Client installations below. We’ve tested all of these with current versions of Incredible PBX 13-13, 16-15, and Incredible PBX 2020. They should work equally well with other server platforms which have been properly configured. However, missing dependencies on other platforms are, of course, your responsibility.

Building an OpenVPN Server Platform

There are many ways to create an OpenVPN server platform. The major prerequisites are a supported operating system, a static IP address for your server, and a platform that is extremely reliable and always available. If the server is off line, all client connections will also fail. While we obviously have not tested all the permutations and combinations, we have identified a platform that just works™. It’s the CentOS 7, 64-bit cloud offering from Vultr. If you use our referral link at Vultr, you not only will be supporting Nerd Vittles through referral revenue, but you also will be able to take advantage of their $50 free credit for new customers. For home and small business deployments, we have found the $5/month platform more than adequate, and you can add automatic backups for an additional $1 a month. Cheap insurance!

To get started, create your CentOS 7 Vultr instance and login as root using SSH or Putty. Immediately change your password and update and install the necessary CentOS 7 packages:

passwd
yum -y update
yum -y install net-tools nano wget tar iptables-services
systemctl stop firewalld
systemctl disable firewalld
systemctl enable iptables

We recommend keeping your OpenVPN server platform as barebones as possible to reduce the vulnerability risk. By default, this installer routes all client traffic through the VPN server which wastes considerable bandwidth. The sed commands below modify this design to only route client VPN traffic through the OpenVPN server.


cd /root
curl -O https://raw.githubusercontent.com/Angristan/openvpn-install/master/openvpn-install.sh
chmod +x openvpn-install.sh
sed -i "s|\\techo 'push \\"redirect-gateway|#\\techo 'push \\"redirect-gateway|" openvpn-install.sh
sed -i "s|push \\"redirect-gateway|#push \\"redirect-gateway|" openvpn-install.sh
sed -i 's|tls-client|tls-client\\npull-filter ignore "redirect-gateway"|' openvpn-install.sh
./openvpn-install.sh

Here are the recommended entries in running the OpenVPN installer:

  • Server IP Address: using FQDN strongly recommended to ease migration issues
  • Enabled IPv6 (no): accept default
  • Port (1194): accept default
  • Protocol (UDP): accept default
  • DNS (3): change to 9 (Google)
  • Compression (no): accept default
  • Custom encrypt(no): accept default
  • Generate Server
  • Client name: firstclient
  • Passwordless (1): accept default

In the following steps, we will use IPtables to block all server access except via SSH or the VPN tunnel. Then we’ll start your OpenVPN server:

cd /etc/sysconfig
wget http://incrediblepbx.com/iptables-openvpn.tar.gz
tar zxvf iptables-openvpn.tar.gz
rm -f iptables-openvpn.tar.gz
echo "net.ipv4.ip_forward = 1" >> /etc/sysctl.conf
sysctl -p
systemctl -f enable openvpn@server.service
systemctl start openvpn@server.service
systemctl status openvpn@server.service
systemctl enable openvpn@server.service
systemctl restart iptables

Once OpenVPN is enabled, the server can be reached through the VPN at 10.8.0.1. OpenVPN clients will be assigned by DHCP in the range of 10.8.0.2 through 10.8.0.254. You can list your VPN clients like this: cat /etc/openvpn/ipp.txt. You can list active VPN clients like this: cat /var/log/openvpn/status.log | grep 10.8. And you can add new clients or delete old ones by rerunning /root/openvpn-install.sh.

For better security, change the SSH access port replacing 1234 with desired port number:

PORT=1234
sed -i "s|#Port 22|Port $PORT|" /etc/ssh/sshd_config
systemctl restart sshd
sed -i "s|dport 22|dport $PORT|" /etc/sysconfig/iptables
systemctl restart iptables

04/16 UPDATE: We’ve made changes in the Angristan script to adjust client routing. By default, all packets from every client flowed through the OpenVPN server which wasted considerable bandwidth. Our preference is to route client packets destined for the Internet directly to their destination rather than through the OpenVPN server. The sed commands added to the base install above do this; however, if you’ve already installed and run the original Angristan script, your existing clients will be configured differently. Our recommendation is to remove the existing clients, make the change below, and then recreate the clients again by rerunning the script. In the alternative, you can execute the command below to correct future client creations and then run it again on each existing client platform substituting the name of the /root/.ovpn client file for client-template.txt and then restart each OpenVPN client.


cd /etc/openvpn
sed -i 's|tls-client|tls-client\\npull-filter ignore "redirect-gateway"|' client-template.txt

Creating OpenVPN Client Templates

In order to assign different private IP addresses to each of your OpenVPN client machines, you’ll need to create a separate client template for each computer. You do this by running /root/openvpn-install.sh again on the OpenVPN server. Choose option 1 to create a new .ovpn template. Give each client machine template a unique name and do NOT require a password for the template. Unless the client machine is running Windows, edit the new .ovpn template and comment out the setenv line: #setenv. Save the file and copy it to the /root folder of the client machine. Follow the instructions below to set up OpenVPN on the client machine and before starting up OpenVPN replace firstclient.ovpn in the command line with the name of .ovpn you created for the individual machine.



Renewing OpenVPN Server’s Expired Certificate

The server certificate will expire after 1080 days, and clients will no longer be able to connect. Here’s what to do next:

systemctl stop openvpn@server.service
cd /etc/openvpn/easy-rsa
./easyrsa gen-crl
cp /etc/openvpn/easy-rsa/pki/crl.pem /etc/openvpn/crl.pem
systemctl start openvpn@server.service


Installing an OpenVPN Client on CentOS/RHEL

cd /root
yum -y install epel-release
yum --enablerepo=epel install openvpn -y
# copy /root/firstclient.ovpn from server to client /root
# and then start up the VPN client
openvpn --config /root/firstclient.ovpn --daemon
# adjust Incredible PBX 13-13 firewall below
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
cd /usr/local/sbin
echo "iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT" >> iptables-custom

Running ifconfig should now show the VPN client in the list of network ports:

tun0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
     inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
     UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
     RX packets:9 errors:0 dropped:0 overruns:0 frame:0
     TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100 
     RX bytes:855 (855.0 b)  TX bytes:17254 (16.8 KiB)

And you should be able to login to the VPN server using its VPN IP address:

# enter actual SSH port replacing 1234
PORT=1234
ssh -p $PORT root@10.8.0.1

Installing an OpenVPN Client on Ubuntu 18.04.2

cd /root
apt-get update
apt-get install openvpn unzip
dpkg-reconfigure tzdata
# copy /root/firstclient.ovpn from server to client /root
# and then start up the VPN client
openvpn --config /root/firstclient.ovpn --daemon
# adjust Incredible PBX 13-13 firewall below
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
cd /usr/local/sbin
echo "iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT" >> iptables-custom

Running ifconfig should now show the VPN client in the list of network ports:

tun0 Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
     inet addr:10.8.0.2  P-t-P:10.8.0.2  Mask:255.255.255.0
     UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
     RX packets:9 errors:0 dropped:0 overruns:0 frame:0
     TX packets:39 errors:0 dropped:0 overruns:0 carrier:0
     collisions:0 txqueuelen:100 
     RX bytes:855 (855.0 b)  TX bytes:17254 (16.8 KiB)

And you should be able to login to the VPN server using its VPN IP address:

# enter actual SSH port replacing 1234
PORT=1234
ssh -p $PORT root@10.8.0.1

Installing an OpenVPN Client on Raspbian

Good news and bad news. First the bad news. Today’s OpenVPN server won’t work because of numerous unavailable encryption modules on the Raspberry Pi side. The good news is that NeoRouter is a perfect fit with Raspbian, and our upcoming article will show you how to securely interconnect a Raspberry Pi with any Asterisk server in the world… at no cost.

04/16 Update: We now have OpenVPN working with Incredible PBX for the Raspberry Pi. The trick is that you’ll need to build the latest version of OpenVPN from source before beginning the client install. Here’s how. Login to your Raspberry Pi as root and issue these commands:

apt-get remove openvpn
apt-get update
apt-get install libssl-dev liblzo2-dev libpam0g-dev build-essential -y
cd /usr/src
wget https://swupdate.openvpn.org/community/releases/openvpn-2.4.7.tar.gz
tar zxvf openvpn-2.4.7.tar.gz
cd openvpn-2.4.7
./configure --prefix=/usr
make
make install
openvpn --version

Now you should be ready to install a client config file, start up OpenVPN, and adjust firewall:

cd /root
dpkg-reconfigure tzdata
# copy /root/firstclient.ovpn from server to client /root
# and then start up the VPN client
openvpn --config /root/firstclient.ovpn --daemon
# adjust Incredible PBX 13-13 firewall below
iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT
cd /usr/local/sbin
echo "iptables -A INPUT -s 10.8.0.0/24 -j ACCEPT" >> iptables-custom

Installing an OpenVPN Client on a Mac

While there are numerous OpenVPN clients for Mac OS X, none hold a candle to Tunnelblick in terms of ease of installation and use. First, create a new client config on your server and copy it (/root/*.ovpn) to a folder on your Mac where you can find it. Download Tunnelblick and install it. Run Tunnelblick and then open Finder. Click and drag your client config file to the Tunnelblick icon in the top toolbar. Choose Connect when prompted. Done.

Installing an OpenVPN Client for Windows 10

The installation procedure for Windows is similar to the Mac procedure above. Download the OpenVPN Client for Windows. Double-click on the downloaded file to install it. Create a new client config on your server and copy it (/root/*.ovpn) to a folder on your PC where you can find it. Start up the OpenVPN client and click on the OpenVPN client in the activity tray. Choose Import File and select the config file you downloaded from your OpenVPN Server. Right-click on the OpenVPN icon again and choose Connect. Done.

Installing an OpenVPN Client for Android

Our favorite OpenVPN client for Android is called OpenVPN for Android and is available in the Google Play Store. Download and install it as you would any other Android app. Upload a client config file from your OpenVPN server to your Google Drive. Run the app and click + to install a new profile. Navigate to your Google Drive and select the config file you uploaded.

Installing an OpenVPN Client for iOS Devices

The OpenVPN Connect client for iOS is available in the App Store. Download and install it as you would any other iOS app. Before uploading a client config file, open the OpenVPN Connect app and click the 4-bar Settings icon in the upper left corner of the screen. Click Settings and change the VPN Protocol to UDP and IPv6 to IPV4-ONLY Tunnel. Accept remaining defaults.

To upload a client config file, the easiest way is to use Gmail to send yourself an email with the config file as an attachment. Open the message with the Gmail app on your iPhone or iPad and click on the attachment. Then choose the Upload icon in the upper right corner of the dialog. Next, choose Copy to OpenVPN in the list of apps displayed. When the import listing displays in OpenVPN Connect, click Add to import the new profile. Click ADD again when the Profile has been successfully imported. You’ll be prompted for permission to Add VPN Configurations. Click Allow. Enter your iOS passcode when prompted. To connect, tap once on the OpenVPN Profile. To disconnect, tap on the Connected slider. When you reopen the OpenVPN Connect app, the OVPN Profiles menu will display by default. Simply tap once on your profile to connect thereafter.

Installing a Web Interface to Display Available Clients

One advantage of NeoRouter is a simple way for any VPN client to display a listing of all VPN clients that are online at any given time. While that’s not possible with OpenVPN, we can do the next best thing and create a simple web page that can be accessed using a browser but only from a connected OpenVPN client pointing to http://10.8.0.1.

To set this up, log in to your OpenVPN server as root and issue the following commands:


yum --enablerepo=epel install lighttpd -y
systemctl start lighttpd.service
systemctl enable lighttpd.service
chown root:lighttpd /var/log/openvpn/status.log
chmod 640 /var/log/openvpn/status.log
cd /var/www
rm -rf lighttpd
wget http://incrediblepbx.com/lighttpd.tar.gz
tar zxvf lighttpd.tar.gz
ln -s /var/log/openvpn/status.log /var/www/lighttpd/status.log
sed -i 's|#server.bind = "localhost"|server.bind = "10.8.0.1"|' /etc/lighttpd/lighttpd.conf
systemctl restart lighttpd.service

Latest VPN Security Alerts

Security weakness in popular VPN clients

Originally published: Monday, April 15, 2019  Updated: Saturday, February 29, 2020



Need help with Asterisk? Visit the VoIP-info Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




 

  1. Our discussion today is focused on the free, MIT-licensed version of OpenVPN. For details on their commercial offerings, follow this link. []

Best of the Internet: American Road Warrior’s Fall Roundup

The Internet is all about sharing the best finds and once a year we like to take a fresh look at what’s new and exciting whether you travel frequently or not. While the primary focus of Nerd Vittles is VoIP technology, you can’t provide the best VoIP solutions without also exploring network and cellular technology. And, as the old saying goes, all work and no play makes Jack a dull boy. When we travel for more than a day or two, we like to have a music and video source other than an iPhone. So let’s start there. And there’s plenty to love here even if you never leave the comfort of your living room.

For movies and TV shows, nothing holds a candle to a $10 subscription to Netflix. You can watch on your phone, or tablet, or PC, and someone else in your family can do the same thing at the same time. For $2 more, you can watch on four devices at a time. If you happen to have a rental unit, your renters will always remember you for the free Netflix subscription. Our second place alternative is primarily for cord cutters. DirecTV Now is just $10/month if you happen to have an AT&T Unlimited Data Plan (regularly $35). That gets you 60+ live channels and 20,000 on demand titles. For an extra $5, you can add HBO. With a two-month prepayment, you can snag a free Roku Premier until September 22, 2017. DirecTV Now also aupports streaming to two simultaneous devices, and a 100-hour DVR is just around the corner.

For cellular service, we’ve never been big fans of corporate tying. Believe it or not, there was a time when most thought it was illegal. But there’s a loophole. So long as you’re not forced to buy the unrelated product, it’s not technically a tying violation. And that’s where we find ourselves today with American oligopolies. You’d be crazy not to take advantage of the opportunities especially since AT&T bought DirecTV. An AT&T unlimited data plan for your cellular service unlocks all sorts of goodies with DirecTV. We’ve mentioned the $25 monthly credit with DirecTV Now. But it’s also available with standard DirecTV subscriptions. And you get HBO and NFL Sunday Ticket at no charge as well. With four devices including a Wi-Fi HotSpot, our cellular plan with AT&T costs under $50/month per device including taxes and fees. It provides unlimited talk, text, and data in the U.S., Canada, Mexico, Puerto Rico, and the U.S. Virgin Islands. The 22GB data throttling gotcha doesn’t apply in many locations including our hometown of Charleston, SC. We racked up 90GB of data usage on the hotspot during our last 8-day vacation. Never a hiccup! Whether you’re in a car, a hotel room, or on a cruise ship, the $59 AT&T Velocity 4G LTE HotSpot is a perfect traveling companion supporting 10 device connections for up to 10 hours.

For international cellular data service, there’s a terrific new option that provides unlimited 4G data service in 100+ countries for $9 per day. This compares favorably with AT&T’s outrageous cruise ship offering of $8.19 per megabyte of data traffic. You can purchase the Skyroam Solis device for $150 on Amazon, or you can rent one in major airports. It supports 5 devices at a time. We can’t give you a first-hand report on the Solis because it was just released this week. But we have ordered one and will provide a Grand Turk update soon. ↙

For music services, Spotify Premium remains the gold standard. $10 a month buys you unlimited streaming of almost every song ever published. $5 more gets you a family plan to support 5 people. For qualifying college students, Spotify Premium is just $5 a month. You can even download the songs to your smartphone or tablet and play them when you don’t have Internet connectivity. For extended vacations, we discovered a new boom box this summer that is worth a careful look. It combines an Android tablet with some terrific speakers to provide 12 hours of non-stop music from your favorite sources including Spotify. It also can access the best radio stations throughout the United States using the iHeartRadio app. And it even includes 8GB of internal storage as well as microSD and USB flash drive support. The Sonicgrace will set you back $190 on Amazon (MSRP: $299.99).

For music junkies, it’s worth noting that the only application that routinely crashed Android unfortunately was TuneIn Radio. For neophytes, TuneIn is the must-have app that provides streaming of virtually every commercial radio station in the world. Here’s the quick fix. We suspected that the problem involved the latest release of TuneIn which you would automatically receive using Google’s Play Store as the download source as Sonicgrace does. So the solution would be to install a prior release. Here’s how. On a desktop PC, download an earlier TuneIn APK from here. We chose 13.7 which happened to work. Next, use Gmail to send yourself a message with this 13.7.apk file as an attachment. Then, on the Sonicgrace, first install Gmail from the Play Store tapping My +:App:PlayStore. Open the Gmail app once the install finishes and then open the email message you sent yourself. Tap on the attachment, and TuneIn will automatically be installed.

For VoIP telephony, here’s another nice surprise. Google’s Amazon Echo Killer, aka Google Home, has a new feature. It can make free calls in the United States and Canada to anyone in your Google Contacts as well as any business you can find with a Google Search. Here’s the best deal we could find if you don’t already own Google Home. It’s also available at Target and WalMart for about $25 more plus tax. And here’s how to start making calls.

Published: Friday, September 1, 2017  



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

A VPN for All Seasons: Introducing NeoRouter v2

Today, we want to revisit our favorite client-server VPN, NeoRouter. It’s included with all versions of Incredible PBX® and eases the pain of setting up air-tight firewalls as well as High Availability (HA) redundant servers with VoIP. NeoRouter relies upon a central server and uses a star topology to connect remote nodes. The major difference between NeoRouter and PPTP VPNs is that only registered devices participate in the virtual private network so there is no direct access to other machines on the LANs of the registered devices. If you have servers or users scattered all over the countryside, NeoRouter is an excellent (and free) way to manage and interconnect them. All data and communications between the nodes can then be routed through the encrypted VPN tunnel for rock-solid security.

With NeoRouter’s latest 2.3 (free) software, you can set up your VPN server using a PC, a Mac, a Linux or FreeBSD machine, OpenWrt Backfire, Tomato, or even a Raspberry Pi. With all versions of Incredible PBX, the NeoRouter Free Client is automatically installed. To bring up NeoRouter, all you need to do is install the NeoRouter Free Server on one of your machines and then login to the server from each NeoRouter Client using your server credentials. VPN clients also are available for PCs, Macs, Linux and FreeBSD machines, Raspberry Pi, OpenWrt, Tomato as well as Android and iOS phones and tablets. There’s even an HTML5 web application in addition to a Chrome browser plug-in. With the OpenWrt and Tomato devices or if you’re an extreme techie, you can broaden your NeoRouter star configuration and bridge remote LANs. See pp. 58-63 of the NeoRouter User’s Manual.



You can interconnect up to 256 devices to the NeoRouter Free Server at no cost. For $999, you can enlarge your VPN to support 1,000 devices. Screen sharing, remote desktop connections, HTTP, and SSH access all work transparently using private IP addresses of the VPN nodes which are automatically assigned in the 10.0.0.0 private network.

Today we are introducing the second generation of the NeoRouter VPN solution. It’s suitable for use on a dedicated server or running as a virtual machine. Whether to run NeoRouter Free server on a dedicated machine is your call. We never do. And NeoRouter never requires exposure of your entire server to the Internet. Only a single TCP port needs to be opened in your hardware-based firewall or IPtables Linux firewall. The only real requirement is a dedicated IP address for your server so that the client nodes can always find the mothership. We typically run the NeoRouter server component on our failover VoIP server with Wazo HA. We’ll finish up today by showing you how to back up the critical components of NeoRouter Server so that, if your server platform ever should fail, it only takes a few minutes to get back in business on a new server platform. Let’s get started.

Creating Your NeoRouter Server Platform

We’re assuming you already have an Incredible PBX server of some flavor running on a dedicated IP address with the IPtables firewall. If not, start there.

First, on your IPtables firewall, make certain that TCP port 32976 has been whitelisted for public access. On Incredible PBX platforms, this is automatic. You can double-check by running iptables -nL and searching for an entry that looks like this:

ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:32976

Second, we need to download and install the NeoRouter Free Server for your platform. Be sure you choose the version that matches your operating system, CPU architecture, and type. Debian and Ubuntu servers use the same code. We do not recommend Raspberry Pi as a suitable platform for your NeoRouter server!

For RedHat/CentOS 64-bit platforms, here’s the download link. While logged into your server as root, issue the following command using the downloaded 64-bit RPM:

rpm -Uvh nrserver-2.3.1.4360-free-centos-x86_64.rpm

For Ubuntu/Debian 64-bit platforms, use this link. While logged into your server as root, issue the following command using the downloaded 64-bit .deb image:

dpkg -i nrserver-2.3.1.4360-free-ubuntu-amd64.deb

Third, each administrator (admin) and user is going to need a username to access your NeoRouter VPN. You can use the same credentials to log in from multiple client machines, something you may or may not want to do. Here are the commands to create admin and user accounts. Don’t use any special characters in the username and password!

nrserver -adduser username password admin
nrserver -adduser username password user

You’re done. Now let’s register your NeoRouter server with the mothership.

After your NeoRouter Free Server is installed, you can optionally go to the NeoRouter web site and register your new VPN by clicking Create Standalone Domain. Make up a name you can easily remember with no periods or spaces. You’ll be prompted for the IP address of your server in the second screen. FQDNs are NOT permitted.

When a VPN client attempts to login to your server, the server address is always checked against this NeoRouter database first before any attempt is made to resolve an IP address or FQDN using DNS. If no matching entry is found, it will register directly to your server using a DNS lookup of the FQDN. Whether to register your VPN is totally up to you. Logins obviously occur quicker using this registered VPN name, but logins won’t happen at all if your server’s dynamic IP address changes and you’ve hard-coded a different IP address into your registration at neorouter.com.

Configuring and Connecting Your NeoRouter Client

As mentioned previously, there are NeoRouter clients available for almost every platform imaginable, including iPhones, iPads, and our beloved Raspberry Pi. NeoRouter Client software is included in all Incredible PBX builds. If you’re using some other platform, Step #1 is to download whatever client is appropriate to meet your requirements. Here’s the NeoRouter Download Link. Make sure you choose a client for the Free version of NeoRouter. Obviously, the computing platform needs to match your client device. The clients can be installed in the traditional way with Windows machines, Macs, etc. Once enabled, you can use your NeoRouter Client to create a VPN tunnel to connect to any other resource in your virtual private network using SSH, VoIP clients, and web browsers.

To activate the NeoRouter client while logged in as root, type: nrclientcmd. You’ll be prompted for your Domain, Username, and Password. You can use the registered domain name from neorouter.com if you completed that step above. Otherwise, be sure to use the FQDN assigned to your NeoRouter Server. Once you’re logged in, you will be presented with the names and private IP addresses of all of your connected nodes.

To exit from NeoRouter Explorer, type: quit. The NeoRouter client will continue to run so you can use the displayed private IP addresses to connect to any other online devices in your NeoRouter VPN. All traffic from connections to devices in the 10.0.0.0 network will flow through NeoRouter’s encrypted VPN tunnel. This includes inter-office SIP and IAX communications between Asterisk® endpoints. These private IP addresses can also be used to create a High Availability (HA) platform with Wazo even if the servers are not colocated.

Admininistrative Tools to Manage NeoRouter

Here are a few helpful commands for monitoring and managing your NeoRouter VPN.

Browser access to NeoRouter Configuration Explorer (requires user with Admin privileges)

Browser access to NeoRouter Remote Access Client (user with Admin or User privileges)

Manage your account on line at this link

To access your NeoRouter Linux client: nrclientcmd

To restart NeoRouter Linux client: /etc/rc.d/init.d/nrservice.sh restart

To restart NeoRouter Linux server: /etc/rc.d/init.d/nrserver.sh restart

To set domain: nrserver -setdomain YOUR-VPN-NAME domainpassword

For a list of client devices: nrserver -showcomputers

For a list of existing user accounts: nrserver -showusers

For the settings of your NeoRouter VPN: nrserver -showsettings

To add a user account: nrserver -adduser username password user

To add admin account: nrserver -adduser username password admin

Test VPN access: http://www.neorouter.com/checkport.php

For a complete list of commands: nrserver –help

To change client name from default pbx.local: rename-server OR…

  • Edit /etc/hosts
  • Edit /etc/sysconfig/network
  • Edit /etc/sysconfig/network-scripts/ifcfg-eth0
  • Edit /etc/asterisk/vm_general.inc
  • reboot

For the latest NeoRouter happenings, visit the NeoRouter blog and forum.

Backing Up NeoRouter Server for That Rainy Day

Yes, servers fail sooner or later. So it’s best to plan ahead and avoid having to recreate your NeoRouter VPN from scratch. Backing up your server is easy. Log into your server as root and issue the following command:

tar cvzf nr-server-db.tar.gz /usr/local/ZebraNetworkSystems/NeoRouter/NeoRouter_0_0_1.db /usr/local/ZebraNetworkSystems/NeoRouter/Feature.ini

Copy nr-server-db.tar.gz and your NeoRouter Server installer to a safe place!

When that sad day arrives, be sure that your original NeoRouter Server is off line. Then reinstall NeoRouter Server on a new server platform using your original NeoRouter Server installer. If necessary, change the DNS entry for your original NeoRouter server to the new IP address. Then shut down new NeoRouter Server, load your backup, and restart server:

/etc/rc.d/init.d/nrserver.sh stop
cd /
tar zxvf nr-server-db.tar.gz
/etc/rc.d/init.d/nrserver.sh start

Published: Monday, August 21, 2017  



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

Rolling Your Own: Creating a Custom Incredible PBX ISO for Asterisk

We promised to provide the Incredible PBX 13.2 ISO build environment for those of you that wanted to learn how to roll your own ISO. Why would you want to do such thing? Well, we can think of a number of reasons. First, you may just want to learn how sh*t works. Or you may want to impress your boss by building a custom ISO with the corporate logo splattered all over the place. Then there are those that want to add a feature or function that we haven’t included yet so you can share your creation with your friends. For us, the motivation was to provide an Asterisk® aggregation that others could build upon without legal hassles about copyrights and trademarks… you know, a real open source project based upon the GPL license.

Regardless of your motivation, today’s your lucky day. We’re providing an exact duplicate of the build environment that was used to create the Incredible PBX 13.2 ISO. It’s released under the same GPL license that applies to the ISO itself. Copy it, enhance it, give it to your friends, and share your additions so that all of us can learn from you. In addition to the code, we’re actually going to document how to modify it and use it… you know, real instructions.


The Schmoozers were back in full force last week with one accusing us of "stealing" their code and another with this gem:


For the record, we use GPL code of others with full credit to the authors. That’s what the GPL and Asterisk aggregations have always been about. Let’s compare that to our Sangoma® friends who rip the covers off RedHat’s GPL ISO, brand it as their own, and then have the balls to distribute it as closed source code. Repeating a lie over and over doesn’t make it come true!


Getting Started. Before you can use today’s code, you’ll need a suitable platform on which to play. You’ve got a couple of choices. First, you can actually install Incredible PBX 13.2 using last week’s ISO. A second option is to build yourself a virtual machine or a cloud-based server with Scientific Linux 6.7 or even CentOS 6.7 minimal. We recommend 32-bit architecture because the Incredible PBX 3.2 ISO build environment as configured is 32-bit to assure maximum hardware compatibility. The server hardware platform doesn’t really matter. Cheaper means it takes a little longer, but you’ll get the same results.

Installing the Incredible PBX 13.2 ISO Build Environment. Once you have your server up and running, log in as root. This usually isn’t a good idea for a build environment, by the way. We’re doing it because we’re assuming you have a machine dedicated to just building ISOs on which to experiment. Issue these commands to put the ISO build platform in place:

cd /root
setenforce 0
yum -y install wget nano
wget http://incrediblepbx.com/create-ISO-new.tar.gz
tar zxvf create-ISO-new.tar.gz
rm -f create-ISO-new.tar.gz

Creating Your First ISO. Why waste time? Let’s actually build an Incredible PBX ISO to show you how easy it is. Issue the following command to kick off the process: /root/create-ISO-new. Depending upon your server’s specs, the whole build procedure should take a minute or two to complete. When it’s finished, you’ll have a shiny new ISO that can be burned to a DVD or USB thumb drive following the steps documented in our previous tutorial:

ls -all /root/kickstart_build/*.iso

-rw-r--r-- 1 root root 890241024 Nov 24 12:45 /root/kickstart_build/IncrediblePBX13.2.iso

ISO Design Overview. There are lots of ways to design an ISO architecture. We’ve chosen a hybrid approach with a two-phase install. When you first boot from the ISO installer, you get the operating system platform. The server then reboots, and Phase II downloads and then runs the latest Incredible PBX installer. Our main reason for choosing this design is that you don’t have to create a new ISO every time you make changes in the Incredible PBX installer. For those of you that remember the Asterisk@Home and trixbox days, this was a major shortcoming. The ISOs were released about every three to six months, and invariably a major glitch was discovered about a week after the new ISO was introduced. With our two-phase installer, slipstream changes are easy to implement by simply adding a line to the Incredible PBX install script. The ISO itself never has to be updated until a major operating system refresh is necessary.

Adding Packages to Your ISO. With Incredible PBX, RHEL 6.7-compatible packages are added to new servers in a couple of ways. First, there are packages actually included within the ISO itself that are loaded during Phase I of the install, i.e. when Scientific Linux 6.7 platform is installed. These packages must include all necessary dependencies. The kickstart process actually resolves and loads package dependencies as part of the Phase I ISO install procedure. Once the base install is completed, the end-user’s server reboots and then the Phase II install kicks off by downloading and running the Incredible PBX 13-12R installer. Additional RPM packages and a number of other applications in tarball format are downloaded and installed during this Phase II process. Today, we’ll show you how to modify both pieces of the ISO install procedure.

To add RPMs to the ISO itself, keep in mind that the new RPMs must match the architecture of the default build environment. In the case of Incredible PBX, it’s a 32-bit architecture which means you’ll need 32-bit versions of RPMs you wish to add. Otherwise, you will need to replace all of the packages in the build environment with their 64-bit cousins.

There are 3 steps to adding new packages to the ISO build environment.

First, create a temporary directory (/tmp/packages) to use for gathering up the RPMs to be added. This is so you can check your work without screwing up your build environment. To add an RPM, you first need to download it from a repository to your temporary directory. The syntax looks like this where NetworkManager is the name of the RPM you wish to install:

yum -y install --downloadonly --downloaddir=/tmp/packages NetworkManager

Second, move the RPMs from /tmp/packages into your build environment. This must include RPM package dependencies (as was the case when adding NetworkManager):

mv /tmp/packages/*.rpm /root/kickstart_build/isolinux/Packages/.

Third, add the names of your new RPMs to the kickstart config files (ks*.cfg) in /root/kickstart_build/isolinux. The package names go in the section of each kickstart file labeled %packages.

NOTE: You do not have to add the names of RPMs being added because of dependencies in step 3. You DO have to add the actual RPMs and RPM dependencies in step 2. For example, with NetworkManager, only NetworkManager itself needed to be added to the %packages list in the ks*.cfg config files. But the collection of NetworkManager RPMs and its dependencies for step 2 looked like this:

avahi-autoipd-0.6.25-15.el6.i686.rpm
dnsmasq-2.48-14.el6.i686.rpm
libdaemon-0.14-1.el6.i686.rpm
mobile-broadband-provider-info-1.20100122-4.el6.noarch.rpm
ModemManager-0.4.0-5.git20100628.el6.i686.rpm
NetworkManager-0.8.1-99.el6.i686.rpm
NetworkManager-glib-0.8.1-99.el6.i686.rpm
ppp-2.4.5-10.el6.i686.rpm
rp-pppoe-3.10-11.el6.i686.rpm
wpa_supplicant-0.7.3-6.el6.i686.rpm

Changing the ISO Default Boot Menu. Once you have burned the ISO to a DVD-ROM or USB flash drive and booted your server-to-be, a default kickstart menu will be presented: /root/kickstart_build/isolinux/isolinux.cfg. Edit it to customize the splash screen and make any desired changes in the screen title and options displayed to those using your ISO. WARNING: If you modify the ks*.cfg options in the file, you also will need to make similar modifications in the create-ISO-new build script as well as adding new matching ks config files in /root/kickstart_build/isolinux.

Modifying the Phase II ISO Install Procedure. The Phase I install setup already provided in the Incredible PBX ISO will work for any number of ISO requirements you might have because it provides a robust Scientific Linux 6.7 base platform. Now for the fun part. You can modify the Phase II install in any way you like by simply adjusting the download script and hosting it on your own public server.

The Phase II magic is housed in the %post section of the kickstart config files (ks*.cfg). The initial setup in this section will work for almost any setup. It addresses the quirks of getting a working network connection functioning on most server platforms. This got much more complicated with the introduction of UEFI on newer Intel-based servers. But we’ve addressed all of that. To customize the install to run your own Phase II script, you need only modify the last few lines of the %post section:

/bin/echo "cd /root" >> /tmp/firstboot
/bin/echo "/usr/bin/wget http://incrediblepbx.com/incrediblepbx13-12.2-centos.tar.gz" >> /tmp/firstboot
/bin/echo "/bin/tar zxvf incrediblepbx13-12.2-centos.tar.gz" >> /tmp/firstboot
/bin/echo "/bin/rm -f incrediblepbx13-12.2-centos.tar.gz" >> /tmp/firstboot
/bin/echo "./Inc*" >> /tmp/firstboot
/bin/chmod +x /tmp/firstboot
eject
%end

These last few lines tell the ISO installer where to find your Phase II script and manage the procedure for downloading it, untarring it, and then running it. To deploy your own Phase II install script, simply modify lines 2, 3, 4, and 5 above. In line 2, provide the public server location of your script in .tar.gz format. In line 3, untar the script in the /root folder of the new server. In line 4, remove the .tar.gz file after it’s been decompressed. In line 5, run the shell script included in your tarball. The remaining lines shown above should be preserved as shown. Once you finish making changes in ks.cfg, copy the %post section to your other kickstart config files and then rerun /root/create-ISO-new to build your new ISO. Enjoy!

Originally published: Friday, December 11, 2015


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

The Voice Recognition Revolution: Move Over Siri and Meet the New Kids

The automobile manufacturers had the right idea years ago. Make it easy to change the temperature in your vehicle. Just say "cooler" or "warmer." That project went about as well as their GPS interfaces are progressing today. So let’s give credit where credit is due. Apple’s Siri revolutionized voice recognition by making it something really useful on the smartphone. If you’ve wondered who Siri actually is, wonder no more. You’re in for a pleasant surprise. Meet Siri from Australia. And Siri U.S.A.:

Google, of course, is not one to be left behind. There was a reason they were offering to transcribe your voicemails for free all those years. They were putting in place the building blocks for a similar system on Android-based phones. Hey, Siri. Meet "OK, Google." And the competition has transformed both products into incredibly useful additions to every smartphone.

Then the latest Silicon Valley Wannabe got into the picture. Let me introduce Alexa for your kitchen or living room masquerading as Amazon’s Echo, a fascinating new half-baked product. If the Echo weren’t so transfixed with selling you music and other stuff from Amazon, it could be a terrific product. Not to be outdone, Google wasted little time introducing their look-alike, OnHub, which makes half-baked look really useful. OnHub does absolutely nothing but serve as a home router with more antennas than the Mars Rover. And now both Apple and Google are circling back to the automobile promising to revolutionize the way in which you talk to or even drive your car. Stay tuned. It’s going to get interesting. And, on the living room front, you’re probably going to need to buy another round of hardware. Even though many building blocks were in place with OnHub, Google left out a microphone… unless they use the one on your smartphone or watch. 😉

So what does all of this have to do with Asterisk® and VoIP telephony? Well, nothing actually… until today. Most of the cool things you can do with your smartphone or sitting in your living room simply weren’t available using a Plain Old telephone. We decided to fix that.

For the tinkerers and experimenters of the world, Google has generously offered free access to their voice recognition software. And today we’ll show you how to put it to good use. In the time it takes to drink your morning coffee, you’ll have a platform on your PBX that’s every bit as capable as Siri. And it’s all free!

Meet Star! When we’re finished today, you’ll be able to pick up any telephone and dial * to obtain the latest weather, news, stock prices, sports scores, time of day, and anything else that an almanac at your fingertips provides. In addition, you’ll be able to call anyone by saying their name or phone number. Not bad for free, huh? Down the road, we’ll work on adding text messaging, email, and scheduling reminders. But today’s release should whet your appetite for what’s possible.

Putting in Place the Star Platform

We don’t own or control most of the components that actually make Star work! That means you’ll need to sign up (for free) for a couple key pieces before the puzzle actually takes shape. Here’s the three-step process.

First, install one of the Certified Incredible PBX builds on either a dedicated server, a virtual machine, or in the Cloud. This tutorial will walk you through the easiest 20-minute installation procedure.

Second, you’ll need to obtain and set up the credentials for two of the third-party components that will bring Star to life. You’ll need a Google Speech Recognition key and a Wolfram Alpha App-ID. Then add an AsteriDex entry to tell Star the zip code of your hometown, and you’re ready to go.

Third, you’ll spend less than a minute installing the Star software on your server.

1. Adding Speech Recognition Support to Incredible PBX

To support many of the Star features, we rely upon Google’s speech recognition service and Lefteris Zafiris’ terrific speech-recog AGI script. Unfortunately (for some), Google now has tightened up the terms of use for their free speech recognition service. Now you can only use it for "personal and development use." If you meet those criteria, keep reading. Here’s how to activate speech recognition on Incredible PBX. Don’t skip any steps!

Finally, let’s be sure you have all the necessary packages in place to support text-to-speech and speech recognition:

yum -y install perl-XML-Simple libesd.so.0 sox perl-libwww-perl

If you’re not on the Incredible PBX platform: yum -y install mpg123

2. Adding Wolfram Alpha Support to Incredible PBX

To use Wolfram Alpha by phone, you first must obtain a free Wolfram Alpha APP-ID. Then issue the following command replacing APP-ID with your actual ID. Do NOT change the yourID portion of the command:

sed -i "s|yourID|APP-ID|" /var/lib/asterisk/agi-bin/4747

3. Adding Your Hometown ZIP Code to AsteriDex

1. Using a browser, visit the IP address of your server.

2. Click on the Nerd Vittles AsteriDex button in the Kennonsoft GUI.

3. Click on the Admin tab in AsteriDex.

4. In the Add Entry column, enter the following data using your hometown ZIP code:

Contact Name: Weather
Contact Phone: 947
Dial Code: your local 5-digit ZIP code

5. Click the Add New Record button to save your entry.

Installing or Upgrading Star

We’ve designed the Star install so that you also can easily update the application by simply running the install-star command again. After logging into your server as root, here are the commands to install or upgrade your Star application:

cd /root
wget http://incrediblepbx.com/install-star.tar.gz
tar zxvf install-star.tar.gz
rm -f install-star.tar.gz
./install-star

10/10 UPDATE: Star apparently was too popular for Google to absorb, and they’ve imposed new limits on TTS playback. So, for the time being, we’ve switched Star back to FLITE for text-to-speech. To update your server, just run the installer again: /root/install-star

Taking Star for a Spin

Here’s a quick summary of the available commands that Star currently supports:

And here are some sample Wolfram Alpha queries to get you started:

Weather in Charleston South Carolina
Weather forecast for Washington D.C.
Next solar eclipse
Otis Redding
Define politician
Who won the 1969 Superbowl? (Broadway Joe)
What planes are overhead? (flying over your server’s location)
Ham and cheese sandwich (nutritional information)
Holidays 2015 (summary of all holidays for 2015 with dates and DOW)
Medical University of South Carolina (history of MUSC)
Star Trek (show history, air dates, number of episodes, and more)
Apollo 11 (everything you ever wanted to know)
Cheapest Toaster (brand and price)
Battle of Gettysburg (sad day 🙂 )
Daylight Savings Time 2015 (date ranges and how to set your clocks)
Tablets by Samsung (pricing, models, and specs)
Doughnut (you don’t wanna know)
Snickers bar (ditto)
Weather (local weather at your server’s location)

For late-breaking updates and news about the Star platform, visit this thread on the PIAF Forum. Enjoy!

Originally published: Tuesday, October 6, 2015



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

Firewalls 101: Why Every Asterisk Server Should Have a Functioning Firewall


Part of our fundamental disagreement with the FreePBX® design can be summed up in one word: FIREWALL or the lack of a functioning firewall in the FreePBX Distro and in the functionally identical Digium product, AsteriskNOW®.1 Most of the other design choices including the controversial, non-GPL compliant Module Signature Checking mechanism are touted as failsafe ways to detect altered systems even though changes in FreePBX MySQL tables and Asterisk config files can be modified easily without triggering alerts. In short, the Band-Aid® approach to module tampering does nothing to address the fundamental problem, prevention of unauthorized intrusions in the first place.

Some would contend that the included Fail2Ban product is specifically designed to prevent unauthorized intrusions by locking out the bad guys after a certain number of failed login attempts. Assuming Fail2Ban were functioning properly, which does not appear to be the case, putting all your eggs in the Fail2Ban basket also ignores several critical shortcomings in Fail2Ban. First, it has been documented that powerful servers such as Amazon EC2 and Twitter botnets give hackers almost unlimited intrusion attempts before Fail2Ban ever gets a time slice sufficient to scan logs for intrusion attempts. Second, Fail2Ban provides no protection against stealthy distributed bruteforcing activity. For example, if a botnet with 770,000 PCs attacked your server and each PC executed only two login attempts, Fail2Ban never gets triggered even assuming your server could handle the load and Fail2Ban got sufficient server resources to actually scan your logs. Finally, Fail2Ban provides no protection against Zero Day vulnerabilities where an intruder basically walks right into your server because of an unidentified vulnerability lurking in the existing code. Unfortunately, these are not hypothetical situations but regular occurrences over the past 10 years of Asterisk and FreePBX development. In a nutshell, that’s why you need a real firewall. It completely blocks all access to your server by unauthorized users all of the time.

Numerous companies have intentionally exposed Asterisk® servers to the public Internet in a continuing effort to identify problems before they affect "real servers." We know of no similar efforts with a platform that includes FreePBX as an integral component of the server. Why? Because the potential for Zero Day Vulnerabilities in a platform of modular design is enormous. One vulnerable component in FreePBX and the entire house of cards collapses because of the blank check server access that a compromised FreePBX asterisk user account gives to an intruder. It’s the fundamental reason that services such as Apache were engineered to run with different user credentials than a root user in the real world. In essence, the current FreePBX design with Asterisk has elevated asterisk user credentials to allow root-like access to almost every server file and function with the exception of SSH access. And SSH access becomes all but unnecessary given the scope of the GUI functionality provided within FreePBX and the escalated privileges it enjoys.

On FreePBX-based Asterisk servers, the absence of any user account separation means Asterisk, Apache, and FreePBX services all operate under the single asterisk user account. If any piece collapses due to a vulnerability, the intruder gets the keys to the castle including read/write access to Asterisk and FreePBX manager credentials and config files as well as broad MySQL access. This, in turn, exposes your VoIP account credentials in addition to facilitating SQL injection into any and all FreePBX database tables. Because FreePBX "hides" numerous settings in over a hundred MySQL tables, the Asterisk DB, and dozens of Asterisk config files, once the asterisk user account access is compromised, many of the major components on your server could be cleverly reconfigured without leaving much of a hint that your server had been compromised. In fact, VoIP account credentials could be extracted and used elsewhere with no traceable footprint back to your server. For all you would know, your provider compromised your credentials rather than the other way around. Just another reminder that keeping a credit card on file for automatic replenishment with VoIP providers is a very bad idea!

Providing the asterisk user with these broad permissions was a (poor) design choice. Why was it done? To make it easy for the developers to alter virtually everything on your Asterisk server using FreePBX’s integrated Module Admin component. Root user permissions are never required to do much of anything other than server platform upgrades once the FreePBX Distro or AsteriskNOW product is installed. That’s exactly the design one would expect to find in a commercial, closed source software platform. But it’s unusual in the open source community to put it charitably. We trust we’ve made the case why a rock-solid firewall with any product that uses FreePBX modules is absolutely essential. FreePBX is a wonderful GUI, but use of the platform without a properly configured, fully functional firewall could be financially catastrophic not to mention the serious damage it could cause to others including the good reputation of Asterisk in the Internet community.

Our objective next week will be to help you implement a functioning Linux-based software firewall on the FreePBX Distro and AsteriskNOW platforms. It’s FREE! Not only will this improve the security of your server, but it will deny the bad guys a platform from which to launch mischievous acts against the rest of us. Unless you’re running Asterisk on a Cloud-based platform, do all of us a favor NOW! Run, don’t walk, to your nearest electronics store (including WalMart and BestBuy) and purchase one of the dozens of inexpensive NAT-based routers. Install it between the Internet and your server TODAY! This is the one we use, but there are plenty from which to choose including our refurbished one.2


NEWS FLASH:
Download the new FUD-Free Firewall for FreePBX Distro and AsteriskNOW.

Originally published: Monday, August 3, 2015



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

  1. Technically, IPtables is running on the FreePBX Distro and AsteriskNOW platforms; however, it’s sole function is to act as the shutdown mechanism for Fail2Ban-detected breaches. It does not independently examine packets. There is no functioning iptables config file. From our vantage point, serving as the Fail2Ban traffic cop doesn’t qualify as a functioning firewall since it lacks any of the traditional IPtables rules that manage PREROUTING, INPUT, FORWARD, OUTPUT, and POSTROUTING of packets. []
  2. Where prices are competitive or availability is a factor, we often recommend Amazon because Amazon provides financial support to Nerd Vittles through our referral links. We encourage everyone to shop independently and purchase products from suppliers that best meet your own requirements. []