Tag Archives: cloud computing

Incredible PBX in the Cloud: A $10/Year VoIP Cloud Platform

We’ve been inching toward a new low-cost plateau for VoIP cloud providers, and today we have a new milestone that finally makes running VoIP servers out of your home or office look like the horse-and-buggy days. $10 a year now buys you a cloud platform that is less expensive than the cost of electricity to run a server on premise. You get 2GB of RAM, 20GB of SSD storage, two virtual core processors, and 2TB of monthly bandwidth. If you prepay for 3 years, you can double either the RAM or SSD storage by simply opening a ticket after you sign up. It’s a near perfect platform for Incredible PBX 13-13 with CentOS 6.9. Add a Google Voice trunk and you get unlimited calling in the U.S. and Canada combined with a feature set that you’ll be hard-pressed to find on any PBX at any price. Putting all the pieces in place is about as simple as preparing slice-and-bake cookies, and you’ll be up and running before the cookies come out of the oven. Skip that hamburger lunch and come join the VoIP revolution!



So what’s the catch? Well, there’s no catch with Incredible PBX 13-13 and CentOS 6.9. But this HiFormance platform uses OpenVZ with SolusVM, and SolusVM has some serious bugs with their CentOS 7 and Debian 9 implementations. That rules out using VitalPBX, Issabel, or Wazo. Someone always asks, "If the platform is so great, why aren’t you using it?" And our answer is we are. We have deployed HiFormance cloud-based VoIP servers running Incredible PBX 13-13 in Atlanta, Buffalo, Chicago, and Los Angeles without any hiccups in service. Performance is excellent. Support is excellent. So run, don’t walk, to sign up for one of these before they’re all gone. You won’t be disappointed. Just fill out the entries as shown above once you log into the HiFormance site. Nerd Vittles receives no commissions from signups.

Getting Started with Incredible PBX 13-13

Once your virtual machine is up and running with CentOS 6.9, log into your server as root and issue the following commands to get started. Use the first command to immediately change your root password. Then you’ll be ready to begin the Incredible PBX install. It’s a two-step process. First, the installer will bring your version of CentOS up to current specs and load the necessary packages to support Asterisk® and FreePBX®. The first stage takes 22 minutes.

passwd
cd /root
yum -y update
yum -y install net-tools nano wget tar
wget http://incrediblepbx.com/incrediblepbx-13-13-LEAN.tar.gz
tar zxvf incrediblepbx-13-13-LEAN.tar.gz
rm -f incrediblepbx-13-13-LEAN.tar.gz
./IncrediblePBX-13-13.sh

When the base install finishes, your server will reboot. Simply log back in as root and run the installer a second time. Be sure your console window is at least 80 x 28, or the install will fail. If in doubt, expand it to full screen. You’ll be prompted whether to implement Google Voice plain text or OAuth 2 passwords.[1] OAuth is strongly recommended. In fact, OAuth is required if you wish to install the Whole Enchilada upgrade which gets you several dozen preconfigured applications for Asterisk. Make your selection, and the installer will work its magic. Return in 12 minutes.

./IncrediblePBX-13-13.sh

Reboot one final time when the installer finishes the setup, and Incredible PBX LEAN will be ready to go. Log back in as root. This will kick off the Automatic Update Utility to load any last minute additions, bug fixes, and security patches. After the status menu displays, run the following apps to set a very secure admin password for web access to the GUI and to choose your default time zone:

/root/admin-pw-change
/root/timezone-setup

One of the unique features of Incredible PBX 13-13 is that most of the major components of the aggregation including Asterisk are compiled from source code on the fly. This has several advantages. First, you always get the latest version of the source code. And, second, the source code is available on your server so that you can make any future modifications desired to meet your own unique requirements. You won’t find this in any other VoIP implementation. It’s one of the reasons Incredible PBX takes a bit longer to install than many of the canned offerings that rely upon precompiled packages that are difficult to modify.

WebMin is also installed and configured as part of the base install. The root password for access is the same as your Linux root password. We strongly recommend that you not use WebMin to make configuration changes to your server. You may inadvertently damage the operation of your PBX beyond repair. WebMin is an excellent tool to LOOK at how your server is configured. When used for that purpose, we highly recommend WebMin as a way to become familiar with your Linux configuration.

Using the Incredible PBX 13-13 Web GUI

Most of the configuration of your PBX will be performed using the web-based Incredible PBX GUI with its FreePBX 13 GPL modules. Use a browser pointed to the IP address of your server and choose Incredible PBX Admin. Log in as admin with the password you configured in the previous step. HINT: You can always change it if you happen to forget it. You can safely ignore the warning about a missing swap file. You have plenty of RAM, and OpenVZ platforms don’t permit swap files. If you’re worried about it, choose the 3-year prepayment option and double your RAM from 2GB to 4GB which is more than ample for even the busiest PBXs.

NOTE: If you plan to upgrade to the Whole Enchilada, you can skip the rest of this section. It’s for those that wish to roll their own PBX from the ground up.

To get a basic system set up so that you can make and receive calls, you’ll need to add a VoIP trunk, create one or more extensions, set up an inbound route to send incoming calls to an extension, and set up an outbound route to send calls placed from your extension to a VoIP trunk that connects to telephones in the real world. You’ll also need a SIP phone or softphone to use as an extension on your PBX. Our previous tutorial will walk you through this setup procedure. Over the years, we’ve built a number of command line utilities including a script to preconfigure SIP trunks for more than a dozen providers in seconds. You’ll find links to all of them here.

Continue Reading: Configuring Extensions, Trunks & Routes

Reconfiguring PortKnocker for OpenVZ

By default, PortKnocker monitors activity on eth0. Most OpenVZ platforms including HiFormance use venet0:0 as the default Ethernet port. Issue the following commands to get PortKnocker up and running. Then pbxstatus should show PortKnocker working.

echo 'OPTIONS="-i venet0:0"' >> /etc/sysconfig/knockd
service knockd restart
pbxstatus

Reconfiguring NeoRouter VPN for OpenVZ

On OpenVZ platforms including HiFormance, you’ll need to enable TUN/TAP in the Control Panel for your VPS. After adjusting the setting, reboot your server. Then the NeoRouter VPN client will function properly.

Upgrading to Incredible PBX Whole Enchilada

There now are two more pieces to put in place. The sequence matters! Be sure to upgrade to the Whole Enchilada before you install Incredible Fax. If you perform the steps backwards, you may irreparably damage your fax setup by overwriting parts of it.

The Whole Enchilada upgrade script now is included in the Incredible PBX LEAN tarball. Upgrading to the Whole Enchilada is simple. Log into your server as root and issue the following commands. Be advised that this upgrade will overwrite all of your existing Incredible PBX setup including any extensions, trunks, and routes you may have created previously. You also will be prompted to reset all of your passwords as part of the upgrade. Install time: 2 minutes.

cd /root
./Enchilada*

If you accidentally installed Incredible Fax before upgrading to the Whole Enchilada, you may be able to recover your Incredible Fax setup by executing the following commands. It’s worth a try anyway.

amportal a ma install avantfax
amportal a r

Installing Incredible Fax with HylaFax/AvantFax

You don’t need to upgrade to the Whole Enchilada in order to use Incredible Fax; however, you may forfeit the opportunity to later upgrade to the Whole Enchilada if you install Incredible Fax first. But the choice is completely up to you. To install Incredible Fax, log into your server as root and issue the following commands. Install time: 2 minutes.

cd /root
./incrediblefax13.sh

After entering your email address to receive incoming faxes, you’ll be prompted about two dozen times to choose options as part of the install. Simply press the ENTER key at each prompt and accept all of the defaults. When the install finishes, make certain that you reboot your server to bring Incredible Fax online. There will be a new AvantFax option in the Incredible PBX GUI. The default credentials for AvantFax GUI are admin:password; however, you first will be prompted for your Apache admin credentials which were set when you installed Incredible PBX 13-13 LEAN or the Whole Enchilada. Then you’ll be asked to change your AvantFax password.




Upgrading to IBM Speech Engines

NOV. 1 UPDATE: IBM has moved the goal posts effective December 1, 2018:

If you’ve endured Google’s Death by a Thousand Cuts with text-to-speech (TTS) and voice recognition (STT) over the years, then we don’t have to tell you what a welcome addition IBM’s new speech utilities are. We can’t say enough good things about the new IBM Watson TTS and STT offerings. While IBM’s services are not free, that’s really theoretical for most of our readers. Your first month on the platform is entirely free. And, after that, you get 1,000 minutes a month of free STT voice recognition services. And the first million characters of text-to-speech synthesis are FREE every month as well. So let’s put the pieces in place so you’ll be ready to play with the Whole Enchilada. Here’s our tutorial that will walk you through the one-time IBM setup.

Next, log in to your Incredible PBX server and issue these commands to update your Asterisk dialplan and edit ibmtts.php:

cd /var/lib/asterisk/agi-bin
./install-ibmtts-dialplan.sh
nano -w ibmtts.php

Insert your credentials in $IBM_username and $IBM_password. Verify that $IBM_url matches the entry provided when you registered with IBM. Then save the file: Ctrl-X, Y, then ENTER. Now reload the Asterisk dialplan: asterisk -rx "dialplan reload". Try things out by dialing 951 (news) or 947 (Weather) from an extension registered on your PBX.

To get IBM’s Speech to Text service configured, while still logged in to your Incredible PBX server, issue these commands to edit getnumber.sh:

cd /var/lib/asterisk/agi-bin
nano -w getnumber.sh

Insert your API_USERNAME and API_PASSWORD in the fields provided. Then save the file: Ctrl-X, Y, then ENTER. Update your Voice Dialer (411) to use the new IBM STT service:

sed -i '\:// BEGIN Call by Name:,\:// END Call by Name:d' /etc/asterisk/extensions_custom.conf
sed -i '/\[from-internal-custom\]/r ibm-411.txt' /etc/asterisk/extensions_custom.conf
asterisk -rx "dialplan reload"

Now try out the Incredible PBX Voice Dialer with AsteriDex by dialing 411 and saying "Delta Airlines." Check back next week for the Whole Enchilada apps tutorial.

Configuring Google Voice with Incredible PBX

The advantage of Google Voice trunks for those of you in the United States is that all of your calls within the U.S. and Canada are free. You can’t beat the price, and it has worked reliably for many, many years. There are three different ways to set up Google Voice trunks with Incredible PBX. For a one-time fee of $4.99 with this coupon, you can use the Simonics GV/SIP gateway to configure a Google Voice account using OAuth 2 authentication. Then just set up the Simonics SIP trunk on your PBX to point to the Simonics gateway. A second option is to choose the (recommended) OAuth 2 authentication method for Google Voice when you initially install Incredible PBX 13-13. Finally, you can choose plain-text passwords for Google Voice when you set up Incredible PBX. The drawback of this last option is Google has hinted that they may discontinue support of plain-text passwords.

Here are the initial setup steps on the Google side:

1. Set up a dedicated Gmail and Google Voice account to use exclusively for this Google Voice setup on your PBX. Head over to the Google Voice site and register. You’ll need to provide a U.S. phone number to verify your account by either text message or phone call.



2. Once you have verified your account by entering your verification code, you’ll get a welcome message from Mr. Google. Click Continue to Google Voice.



3. Provide an existing U.S. phone number for verification. It can be the same one you used to set up your Google account in step #1.



4. Once your phone number has been verified, choose a DID in the area code of your choice.



Special Note: Google continues to tighten up on obtaining more than one Google Voice number from the same computer or the same IP address. If this is a problem for you, here’s a workaround. From your smartphone, install the Google Voice app from the iPhone App Store or Google’s Play Store. Then open the app and log in to your new Google account. Choose your new Google Voice number when prompted and provide a cell number with SMS as your callback number for verification. Once the number is verified, log out of Google Voice. Do NOT make any calls. Now head back to your PC’s browser and log in to https://voice.google.com. You will be presented with the new Google Voice interface which does not include the Google Chat option. But fear not. At least for now there’s still a way to get there. After you have set up your new phone number and opened the Google Voice interface, click on the 3 vertical dots in the left sidebar (it’s labeled More). When it opens, click Legacy Google Voice in the sidebar. That will return you to the old UI. Now click on the Gear icon (upper right) and choose Settings. Make sure the Google Chat option is selected and disable forwarding calls to whatever default phone number you set up.

5. When your DID has been assigned, click the More icon at the bottom of the left column of the Google Voice desktop. Click Legacy Google Voice. Now click the Settings icon on your legacy Google Voice desktop. Make certain that Forward Calls to Google chat is checked and disable calls to your forwarding number. Click on the Calls tab and select Call Screening:OFF, CallerID (Incoming):Display Caller’s Number, and Global Spam Filtering:checked. The remaining entries should be blank.

6. Google Voice configuration is now complete. Sign out of your Google Voice account.


The Simonics GV-SIP Gateway Solution. Here’s the quick thumbnail of the steps to put all the pieces in place. First, we set up a Google Voice account at Google as documented above. Next, we’ll set up an account at the Simonics site to link our Google Voice account to the Simonics SIP Gateway. Then we’ll plug our Simonics SIP credentials into the preconfigured Simonics trunk on Incredible PBX. Finally, we’ll add Incoming and Outgoing Routes to tell Incredible PBX how to process Google Voice calls.

Now you’re ready to set up an account on the Simonics site. With this Nerd Vittles link, there’s a one-time fee of $4.99.

1. Start by registering your new Google account.

2. After paying the $4.99 registration fee via PayPal, proceed through the setup process to link your Google Voice account and 11-digit Google Voice phone number to the Simonics SIP Gateway.

3. You then will be provided your SIP username and password as well as the gateway address, gvgw.simonics.com, to use in building your SIP trunk on your PBX.



4. If your SIP credentials ever get compromised, regenerate your password by logging back into the Simonics GW site.

Now it’s time to configure your Simonics trunk in Incredible PBX. Start by logging into the web interface as admin with your admin password from above. Click Connectivity:Trunks and choose the Simonics trunk in the PBX Configuration menu. The Simonics trunk template will display:

1. Untick the Disable Trunk check box.

2. In Outbound CallerID, insert your 10-digit Google Voice number.

3. In username, insert GV1 followed by your 10-digit Google Voice number.

4. In secret, insert your Simonics SIP password.

5. In the Registration String, insert GV1 followed by your 10-digit Google Voice number followed by a colon (:)

6. In the Registration String after the colon, insert your Simonics SIP password.

7. In the tail of the Registration String after the slash (/), insert your 10-digit Google Voice number.

8. Click Submit Changes and then Reload the Dialplan when prompted.


Configuring GV Trunk with Motif in the GUI. If you elect to configure your Google Voice trunk natively using the Incredible PBX GUI, you first will need to obtain a Refresh_Token if you elected to use OAuth 2 authentication.

1. Be sure you are still logged into your Google Voice account. If not, log back in at https://voice.google.com.

2. In a separate browser tab, go to the Google OAUTH Playground using your browser while still logged into your Google Voice account.

3. Once logged in to Google OAUTH Playground, click on the Gear icon in upper right corner (as shown below).

  3a. Check the box: Use your own OAuth credentials
  3b. Enter Incredible PBX OAuth Client ID:

466295438629-prpknsovs0b8gjfcrs0sn04s9hgn8j3d.apps.googleusercontent.com

  3c. Enter Incredible PBX OAuth Client secret: 4ewzJaCx275clcT4i4Hfxqo2
  3d. Click Close

4. Click Step 1: Select and Authorize APIs (as shown below)

  4a. In OAUTH Scope field, enter: https://www.googleapis.com/auth/googletalk
  4b. Click Authorize APIs (blue) button.

5. Click Step 2: Exchange authorization code for tokens

  5a. Click Exchange authorization code for tokens (blue) button

  5b. When the tokens have been generated, Step 2 will close.

6. Reopen Step 2 and copy your Refresh_Token. This is the "password" you will need to enter (together with your Gmail account name and 10-digit GV phone number) when you add your GV trunk in the Incredible PBX GUI. Store this refresh_token in a safe place. Google doesn’t permanently store it!

7. Authorization tokens NEVER expire! If you ever need to remove your authorization tokens, go here and delete Incredible PBX Google Voice OAUTH entry by clicking on it and choosing DELETE option.

Switch back to your Gmail account and click on the Phone icon at the bottom of the window to place one test call. Once you successfully place a call, you can log out of Google Voice and Gmail.

Yes, this is a convoluted process. Setting up a secure computing environment often is. Just follow the steps and don’t skip any. It’s easy once you get the hang of it. And you’ll sleep better.

Now you’re ready to configure your Google Voice account in Incredible PBX. You do it from within the Incredible PBX GUI by choosing Connectivity:Google Voice. Just plug in your Google Voice Username, enter your refresh_token from Step #6 above as your Google Voice Password, enter your 10-digit Google Voice Phone Number, and check the first two boxes: Add Trunk and Add Outbound Routes. Then click Submit and Apply Settings to save your new entries.

If you elected to use plain-text passwords for Google Voice, simply skip obtaining OAuth 2 credentials and substitute your plain-text password for the refresh_token when you create the Google Voice trunk above. If you have trouble getting Google Voice to work using a plain-text password, try this Google Voice Reset Procedure. It usually fixes connectivity problems. If it still doesn’t work, enable Less Secure Apps using this Google tool.

IMPORTANT: Once you’ve entered your credentials, you MUST restart Asterisk from the Linux command line, or Google Voice calls will fail: amportal restart

Incredible PBX Wholesale Providers Access

Nerd Vittles has negotiated a special offer that gives you instant access to 300+ wholesale carriers around the globe. In lieu of paying the $650 annual fee for the service, a 13% wholesale surcharge is assessed to cover operational costs of TelecomsXchange. In addition, TelecomsXchange has generously offered to contribute a portion of the surcharge to support the Incredible PBX open source project. See this Nerd Vittles tutorial for installation instructions and signup details.

Don’t Miss: Incredible PBX Application User’s Guide covering the 31 Whole Enchilada apps

Originally published: Monday, April 16, 2018


Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a difficult place to address support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forum. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, the PIAF Forum is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.


NEW YEAR’S TREAT: If you could use one or more free DIDs in the U.S. with unlimited inbound calls and unlimited simultaneous channels, then today’s your lucky day. TelecomsXChange and Bluebird Communications have a few hundred thousand DIDs to give away so you better hurry. You have your choice of DID locations including New York, New Jersey, California, Texas, and Iowa. The DIDs support Voice, Fax, Video, and even Text Messaging (by request). The only requirement at your end is a dedicated IP address for your VoIP server. Once you receive your welcome email with your number, be sure to whitelist the provider’s IP address in your firewall. For Incredible PBX servers, use add-ip to whitelist the UDP SIP port, 5060, using the IP address provided in your welcoming email.

Here’s the link to order your DIDs.

Your DID Trunk Setup in your favorite GUI should look like this:

Trunk Name: IPC
Peer Details:
type=friend
qualify=yes
host={IP address provided in welcome email}
context=from-trunk

Your Inbound Route should specify the 11-digit DID beginning with a 1. Enjoy!




  1. Complete Google Voice setup tutorial is available here.

VitalPBX in the Cloud: Providers, Backups, & Airtight Security

Last month we introduced VitalPBX, a terrific new (free) VoIP platform that’s about as intuitive as software can get. We followed up with a dozen Incredible PBX applications that really showed off the flexibility of this new Asterisk® platform. And today we’re pleased to introduce two new cloud solutions that offer our whitelist firewall design for security plus automatic backups. Both Digital Ocean and Vultr offer terrific performance coupled with a $5/month price point that is easy on your wallet. Our tip of the hat goes to Digital Ocean this month because they are again offering a $10 credit on new accounts while also generously supporting Nerd Vittles. That translates into two free months of VitalPBX in the Cloud service for you to kick the tires. If you like what you see, you can spring for the extra $1 a month and add automatic backups to your $5/mo. bill going forward. With a $10 credit, what’s to lose?

To get started, set up an account with one of these cloud providers and create a $5 a month server with 64-bit CentOS 7 in your choice of cities. Once you have your root password, log into your new server as root using SSH or PuTTY. On Digital Ocean, you will be prompted to change your password the first time you log in. On Vultr, you have to manually do it by issuing the command: passwd. Then you’re ready to begin the VitalPBX install. Just issue the following commands and then grab a cup of coffee.

cd /root
yum -y install wget nano tar
wget https://raw.githubusercontent.com/wardmundy/VPS/master/vps.sh
chmod +x vps.sh
./vps.sh

The base install takes less than 15 minutes to complete. When it’s finished, use a web browser from your desktop PC and log into the IP address of your new VitalPBX server. You’ll be prompted to set up an admin password for GUI access and then you register your server with Telesoft. Should you ever forget your admin password, here’s how to force a reset on your next login from a browser:

mysql ombutel -e 'update ombu_settings set value = "yes" where name = "reset_pwd"'

After logging in, you’ll be presented with the VitalPBX Dashboard:



From here, the drill is pretty much the same as what was outlined in our original VitalPBX tutorial. So jump over there to complete your set up and configure extensions, trunks, routes, and a few other settings for your new PBX. Then pick back up here to secure your server!

Security Methodology. What is different on the cloud platform is you don’t have a hardware-based firewall to protect your server. So we’ll need to configure VitalPBX using its built-in firewalld and Fail2Ban applications. Our preference is to use a whitelist of IP addresses to access your server and its resources. In that way, the Bad Guys never even see your server on the Internet. Our security philosophy is simple. If you can’t see it, you can’t hack it.

In addition to a WhiteList of public IP addresses, we also will enable a secure NeoRouter VPN front door to your server as well as a PortKnocker backdoor thereby providing three separate and secure ways to gain server access without publicly exposing VitalPBX to the Internet. If you have a better way, by all means go for it. After all, it’s your phone bill.

Firewall and Fail2Ban Setup. To begin, log in to the VitalPBX GUI with a browser using your admin credentials. Then do the following:

(1.) Add NeoRouter VPN Protocol TCP Port 32976 in Admin:Security:Firewall:Services.

(2.) Add NeoRouter VPN Action ACCEPT rule in Admin:Security:Firewall:Rules.

(3.a.) WhiteList your client and server IP addresses in Admin:Security:Firewall:WhiteList.
(3.b.) WhiteList 127.0.0.1 (for localhost) and 10.0.0.0/24 (for NeoRouter VPN).
(3.c.) WhiteList the IP addresses of any potential unregistered trunk providers.
(3.d.) WhiteList the public IP addresses of any extensions you plan to install.

(4.) Enable Fail2Ban in Admin:Security:Intrusion Detection.

(5.a.) WhiteList your client IP address(es) in Admin:Security:Intrusion Detection:Whitelist.
(5.b.) WhiteList the NeoRouter VPN subnet, 10.0.0.0/24, as well.

(6.) Remove the following rules from Admin:Security:Firewall:Rules

SIP
HTTP
HTTPS
SSH
IAX2
PJSIP

(7.) Reload the VitalPBX dialplan by clicking the Red indicator (upper right of the GUI).

(8.) Verify IPtables WhiteList: iptables -nL | grep ACCEPT

(9.) Verify Fail2Ban WhiteList: grep -r ignoreip /etc/fail2ban/jail.d/*
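
Added example, not part of the original tutorial or of VitalPBX: the ACCEPT listing from step 8 is easy to misread, so this sketch reads iptables -nL output and reports every ACCEPT rule that is still open to any source address on a named port. The function names, the constructed sample listing, and the assumption that only the NeoRouter port 32976 from step 1 is meant to stay public are ours.

```shell
#!/bin/sh
# Added example (not VitalPBX code). Reads `iptables -nL` output on stdin and
# prints "CHAIN PROTO PORT" for each ACCEPT rule whose source is 0.0.0.0/0
# and which names a destination port that is not on the allow-list.

# $1: comma-separated ports meant to stay public (assumption: only the
#     NeoRouter VPN port added in step 1).
audit_public_accepts() {
    awk -v allowed="${1:-32976}" '
        BEGIN {
            n = split(allowed, a, ",")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $1 == "Chain" { chain = $2; next }
        # Columns of -nL: target prot opt source destination [match options]
        $1 == "ACCEPT" && $4 == "0.0.0.0/0" {
            spec = ""
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpts?:/) {                  # dpt:22 or dpts:10000:20000
                    spec = $i
                    sub(/^dpts?:/, "", spec)
                } else if ($i == "dports" && i < NF) { # multiport dports 5060,4569
                    spec = $(i + 1)
                }
            }
            if (spec == "") next                       # no port named (e.g. ESTABLISHED)
            m = split(spec, p, ",")
            for (j = 1; j <= m; j++)
                if (!(p[j] in ok)) print chain, $2, p[j]
        }
    '
}

# Constructed sample listing: loopback, the VPN subnet and one whitelisted
# client are restricted by source; SSH, SIP and IAX2 were left open.
sample_listing() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
ACCEPT     all  --  127.0.0.1            0.0.0.0/0
ACCEPT     all  --  10.0.0.0/24          0.0.0.0/0
ACCEPT     all  --  203.0.113.25         0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:32976
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 5060,4569
DROP       all  --  0.0.0.0/0            0.0.0.0/0
EOF
}

# Demo on the constructed listing. On a server: iptables -nL | audit_public_accepts
sample_listing | audit_public_accepts
```

An empty result means every remaining ACCEPT rule is either tied to a whitelisted source or is the VPN port.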

Travelin’ Man 3 Addition. One of the major shortcomings in the firewalld implementation of IPtables is the lack of any support for fully-qualified domain names in their WhiteList. For those that want to use dynamic DNS updating services with custom FQDNs to manage remote user access to your server, this is a serious limitation even though PortKnocker alleviates some of the misery. So here’s our solution. We have reworked the Travelin’ Man 3 toolkit for VitalPBX so that you can use command line scripts to add (add-ip and add-fqdn), remove (del-acct), and manage (ipchecker) your WhiteList using either IP addresses (add-ip) or FQDNs (add-fqdn). The automatic update utility (ipchecker) will keep your FQDNs synchronized with your dynamic IP address service by updating the WhiteList every 10 minutes between 5 a.m. and 10 p.m. daily. Keep in mind that this is a supplement to the existing VitalPBX firewall setup documented above. And we only recommend that you add it if you plan to implement automatic management of dynamic IP addresses with FQDNs for your extensions and remote users.

If you plan to use the TM3 addition, you are strongly urged to not make further firewall changes using the VitalPBX GUI unless (1) you can also remember to keep your desktop PC’s IP address whitelisted in VitalPBX and (2) you remember to restart IPtables (iptables-restart) in the CLI after having made firewall changes in the VitalPBX GUI. Otherwise, you will lose your Travelin’ Man 3 WhiteList entries which means folks will get locked out of your server until the TM3 WhiteList is updated by running iptables-restart. All TM3 WhiteListed entries are stored and managed in individual text files in /root with a file extension of .iptables. Do not manually delete them!

To install the TM3 addition, issue the following commands:

cd /
wget http://incrediblepbx.com/tm3-vitalpbx.tar.gz
tar zxvf tm3-vitalpbx.tar.gz
rm -f tm3-vitalpbx.tar.gz
echo "/usr/local/sbin/iptables-boot" >> /etc/rc.d/rc.local
chmod +x /etc/rc.d/rc.local
systemctl enable rc-local
echo "*/10 5-22 * * * root /usr/local/sbin/ipchecker > /dev/null 2>&1" >> /etc/crontab

Using DynDNS to Manage FQDNs. The key ingredient with Travelin’ Man 3 is automatic management of dynamic IP addresses. When a user or even the administrator moves to a different location or IP address, we don’t want to have to manually adjust anything. So what you’ll first need is a DynDNS account. Other free providers are available but are less flexible. For $40 a year, DynDNS lets you set up 30 FQDNs and keep the IP addresses for those hostnames current. That’s more than ample for almost any small business but, if you need more horsepower, DynDNS.com can handle it. What we recommend is setting up a separate FQDN for each phone on your system that uses a dynamic IP address. This can include the administrator account if desired because it works in exactly the same way. When the administrator extension drops off the radar, a refresh of IPtables will bring all FQDNs back to life including the administrator’s account. Sounds simple? It is.

Getting Started with Travelin’ Man 3. Here are the 5 tools that are included in the TM3 suite for VitalPBX:

  • add-ip some-label ip-address – Allows you to add an IP address to the WhiteList
  • add-fqdn some-label FQDN – Allows you to add an FQDN to the WhiteList
  • del-acct some-label.iptables – Deletes an IP address or FQDN from WhiteList
  • ipchecker – Runs every 10 minutes to synchronize FQDNs; do NOT run manually
  • iptables-restart – Restarts IPtables and adds TM3 WhiteListed IPs and FQDNs
  • iptables-boot – Loads TM3 WhiteListed IPs and FQDNs on boot only
  • show-whitelist – Displays contents of both VitalPBX and TM3 WhiteLists

Using Email to Manage Your WhiteList. We have one new addition to Travelin’ Man 3 for the VitalPBX platform. Now your authorized users can send an email to the VitalPBX server to whitelist an IP address and gain access. Two different passwords are supported and can be handed out to different classes of PBX users, e.g. administrators and ordinary users. Using the "permanent" password lets someone add an IP address to the VitalPBX whitelist permanently. Using the "temporary" password lets a user add an IP address to the whitelist until the next reboot or firewall restart. In both cases, the administrator gets an immediate email showing the whitelisted IP address, who requested it, and the type of whitelist entry that was requested. The syntax for the email request is straight-forward. Just send an email to the special email account set up to handle these requests and include a Subject for the message that looks exactly like this where 8.8.8.8 is the IP address to be whitelisted and some-password is one of the two passwords: WhiteList 8.8.8.8 PW some-password

As most of you know, we’re sticklers for security, and there’s plenty of it here. First, we recommend you use an obscure FQDN for your server so that it is not easily guessed by someone wanting to do harm. Second, we assume your IP address also won’t be published. Third, the email account name also should be obscure. Think of it as another password. For example, martin432 would be a good choice while whitelist would be pretty lousy. Keep in mind that the only people sending mail to this account will be folks that need immediate access to your PBX. Finally, BOTH of the passwords to use the email feature need to be long and difficult to decipher. A mix of alphanumeric characters and upper and lowercase letters is strongly recommended because it makes successful penetration nearly impossible.
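The Subject line is the only input an email whitelisting handler receives from outside, so each field should be checked strictly before any value goes near a firewall command. The following is an added example, not the TM3 mailcheck script; the function names, the public-address policy, and both passwords are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not the TM3 mailcheck script. It shows strict validation of a
# "WhiteList <ip> PW <password>" subject. All names here are hypothetical.

TEMP_PW='constructed-Temp-9f3kQ2x'   # constructed sample value
PERM_PW='constructed-Perm-7Lm4Zp8'   # constructed sample value

# is_ipv4 ADDR: true only for four decimal octets 0-255 with no leading
# zeros, no CIDR suffix, no whitespace and no shell metacharacters.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.
    set -- $1                 # safe to split: only digits and dots remain
    IFS=$_ifs
    [ "$#" -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in
            ????*|0?*) return 1 ;;
        esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# is_whitelistable ADDR: policy assumed for this example. A request arriving
# by Internet mail should name a public unicast address.
is_whitelistable() {
    is_ipv4 "$1" || return 1
    case "$1" in
        0.*|10.*|127.*|169.254.*|192.168.*) return 1 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 1 ;;
        22[4-9].*|2[3-5][0-9].*) return 1 ;;   # multicast and reserved
    esac
    return 0
}

# classify_request SUBJECT
# Prints "perm <ip>" or "temp <ip>" and returns 0, or prints
# "reject <reason>" and returns 1.
classify_request() {
    _subject=$1
    set -f                    # no filename expansion while splitting
    set -- $_subject
    set +f
    # Rebuilding the line from its fields must reproduce it exactly, which
    # rejects extra fields, tabs, and doubled, leading or trailing spaces.
    if [ "$#" -ne 4 ] || [ "$1 $2 $3 $4" != "$_subject" ]; then
        echo "reject malformed-subject"; return 1
    fi
    if [ "$1" != "WhiteList" ] || [ "$3" != "PW" ]; then
        echo "reject bad-keyword"; return 1
    fi
    if ! is_whitelistable "$2"; then
        echo "reject bad-address"; return 1
    fi
    case "$4" in
        "$PERM_PW") echo "perm $2" ;;
        "$TEMP_PW") echo "temp $2" ;;
        *) echo "reject bad-password"; return 1 ;;
    esac
}

# Constructed sample subjects; only the first two are well formed.
demo() {
    for s in \
        "WhiteList 8.8.8.8 PW $PERM_PW" \
        "WhiteList 8.8.4.4 PW $TEMP_PW" \
        "WhiteList 8.8.8.8/0 PW $PERM_PW" \
        "WhiteList 8.8.8.8;x PW $PERM_PW" \
        "WhiteList 010.1.1.1 PW $PERM_PW" \
        "whitelist 8.8.8.8 PW $PERM_PW" \
        "WhiteList 8.8.8.8 PW wrong-guess"
    do
        # Log the request without the password field.
        printf '%-28s -> %s\n' "${s%% PW *}" "$(classify_request "$s")"
    done
}
demo
```

Only the validated dotted quad printed by classify_request should ever be handed to a whitelist command, never the raw Subject text.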

To begin, we need to reconfigure your VitalPBX Firewall to accept incoming email on TCP port 25. In Admin:Security:Firewall:Services, Add a new service that looks like the following: Name: SMTP    Protocol: TCP    Port: 25. Then SAVE your entry.

Next, we need to add a VitalPBX Firewall Rule that allows incoming SMTP traffic. In Admin:Security:Firewall:Rules, Add a new rule: Service: SMTP    Action: Accept. Then SAVE.

Next, we need to log into the Linux CLI as root to do a couple of things. First, we need to reconfigure Postfix to accept emails from outside our server. Replace 8.8.8.8 with the actual IP address of your server. Replace smtp.myserver.com with the actual FQDN of your server. If you don’t have one, simply remove the FQDN from the command.

yum -y install mailx
postconf -e "mynetworks = 127.0.0.0/8, 8.8.8.8"
postconf -e "mydestination = smtp.myserver.com, localhost.localdomain, localhost"
postconf -e "inet_interfaces = all"
postconf -e "recipient_delimiter = +"
service postfix restart

Second, we need to add an email account to process the incoming emails. Replace someuser on each line with that obscure account name you plan to use for incoming emails. Then send yourself a test email and be sure it arrives. The last command cleans out the mail account.

adduser someuser --shell=/bin/false --no-create-home --system -U 
echo "test" | mail -s "Hello World" someuser
mail -u someuser
> /var/mail/someuser

Finally, we need to set up your passwords and admin email address in /root/mailcheck. To begin, insert your actual mail account name in the following command by replacing realuser and then execute the command:

sed -i 's|someuser|realuser|' /root/mailcheck

Now edit /root/mailcheck with nano or your favorite editor and change the TempPW, PermPW, and MyEMail entries. Then save the file and add the following entry to /etc/crontab:

*/3 5-22 * * * root /root/mailcheck > /dev/null 2>&1
 

CAUTION: Because of the bifurcated nature of the integration of TM3’s WhiteList into the VitalPBX firewall setup, be advised that you never want to make a change in the VitalPBX GUI’s firewall configuration without assuring that the desktop machine from which you are making that change is already included in the VitalPBX Whitelist (see #3.a., above). The same applies to issuing an iptables-restart from the Linux CLI. The reason is there are two separate whitelists and either of these actions would temporarily disable the TM3 WhiteList until the iptables-restart procedure was executed AND completed. In both situations, you most probably would be locked out of web and SSH access to your own server. A VitalPBX firewall reload only restarts firewalld with the VitalPBX WhiteList, and an iptables-restart from the CLI first restarts firewalld without the TM3 WhiteList rules and then adds the TM3 WhiteList rules after the firewalld reload is completed. We have added safeguards to some of the TM3 utilities to keep you from shooting yourself in the foot by requiring the VitalPBX WhiteList addition before you can use the TM3 iptables-restart and del-acct utilities; however, this is not the case with ipchecker which typically runs as a cron job from localhost. Because there is no safeguard mechanism, do NOT run it manually unless you’re sure you first have whitelisted your desktop PC’s IP address in the VitalPBX GUI (see #3.a., above). Without getting down in the weeds, we also have no ability to control the internal workings of the VitalPBX firewall. Should you get locked out of your server, there are three remedies. The first is the email solution documented above. The second is to use PortKnocker to regain access. The third is to use the localhost console in the Digital Ocean or Vultr control panel to issue the iptables-restart command. You might want to print this out for a rainy day. 🙂

PortKnocker Installation. You may not know the remote IP addresses of everyone using your PBX, and some of your users may travel to different sites and need a temporary IP address whitelisted while using a WiFi hotspot. And, not that it would happen to you, but once in a while an administrator locks himself out of his own server by changing IP addresses without first whitelisting the new address. The solution to all of these problems is easy with PortKnocker. The user simply sends three sequential pings to ports known only by you and your users using the machine or smartphone that needs access. You can read our original tutorial for more detail. For today, let’s get PortKnocker installed and configured with your three random ports. You can review the assignment at any time by displaying /root/knock.FAQ which also explains how to send the knocks using a desktop machine or a smartphone.

cd /root
wget http://incrediblepbx.com/knock-vitalpbx.sh
chmod +x knock-vitalpbx.sh
./knock-vitalpbx.sh

As with other Incredible PBX Travelin’ Man 3 implementations, IP addresses whitelisted using PortKnocker only last until the next reboot, or until you issue the following command firewall-cmd --reload (does not reload TM3 WhiteList), or until you execute a firewall update from within the VitalPBX GUI (does not reload TM3 WhiteList), or until you issue the command iptables-restart which restarts the firewall AND loads the TM3 WhiteList entries. To permanently WhiteList IP addresses, follow the procedure in Step #3 above or add the entries using the TM3 utilities documented in the previous section.

NeoRouter Installation. A virtual private network (VPN) is perhaps the safest way to access any server including VitalPBX. All of your communications are securely encrypted, and you connect to the server through a network tunnel using a non-routable, private IP address. There are many VPNs from which to choose. Our personal favorite is NeoRouter because up to 256 devices can be interconnected at zero cost, and you can set the whole thing up in minutes with virtually no networking expertise. If you want all of the background on NeoRouter, see our latest tutorial.

NeoRouter uses a star topology which means you must run the NeoRouter Server application on a computer platform that is accessible over the Internet all the time. Then each of the remote devices or servers runs the NeoRouter Client application, connects to the server to obtain a private IP address, and then can communicate with all of the other devices connected to the VPN. If you already have a NeoRouter Server in place, then you can skip the server installation step and skip down to installing the NeoRouter Client on your VitalPBX server.

NeoRouter Server Setup. If you’re just getting started with NeoRouter, the first step is setting up the NeoRouter Server on a platform of your choice. If you’re using the Automatic Backup feature of Digital Ocean or Vultr, then your VitalPBX server is probably as good a site as any. NeoRouter Server uses minimal resources, and outages shouldn’t be a problem except for hurricanes, tornados, and bombs. But, just so you know, if the NeoRouter Server is down, none of the NeoRouter Clients can access the VPN or any other clients so you’d have to resort to public IP addresses for network access.

To install NeoRouter Server on your VitalPBX platform, log into your server as root and issue the following commands:

cd /root
wget http://download.neorouter.com/Downloads/NRFree/Update_2.3.1.4360/Linux/CentOS/nrserver-2.3.1.4360-free-centos-x86_64.rpm
rpm -Uvh nrserver-2.3.1.4360-free-centos-x86_64.rpm

Next, create at least one account with administrator privileges and one account with user privileges to your NeoRouter VPN:

nrserver -adduser admin-name admin-password admin
nrserver -adduser user-name user-password user

The commands to manage NeoRouter Server are a little different on the CentOS 7 platform. Here’s what you’ll need:

Start on boot: systemctl enable nrserver.service
Check status: systemctl status nrserver.service
Restart server: systemctl restart nrserver.service
Change settings: nrserver -help

NeoRouter Client Setup. Whether you’re running NeoRouter Server on your VitalPBX platform or not, you’ll still need to install and configure the NeoRouter Client software in order to access the server through the VPN using a remote computer, smartphone, or tablet. NeoRouter Clients for Linux, Windows, Macs, FreeBSD, Mobile, OpenWRT, Tomato, and HTML5 are available here. Be sure to choose the NRFree V2 platform tab before downloading a client, or you’ll get the wrong client software and nothing will work! Ask us how we know.

To install NeoRouter Client on your VitalPBX platform, log into your server as root and issue the following commands:

cd /root
wget http://download.neorouter.com/Downloads/NRFree/Update_2.3.1.4360/Linux/CentOS/nrclient-2.3.1.4360-free-centos-x86_64.rpm
rpm -Uvh nrclient-2.3.1.4360-free-centos-x86_64.rpm

As with NeoRouter Server, the commands to manage NeoRouter Client are a little different on the CentOS 7 platform. Here’s what you’ll need:

Start on boot: systemctl enable nrservice.service
Check status: systemctl status nrservice.service
Restart client: systemctl restart nrservice.service
Login to VPN: nrclientcmd

The main requirement after installing the software is to login to your VPN: nrclientcmd. You’ll be prompted for the FQDN or IP address of your NeoRouter Server and then the admin or user credentials. If successful, you’ll get a display of all the machines logged into the VPN, including the VitalPBX server.

NeoRouter Network Explorer – somebody@vultr.guest

> My Computers
10.0.0.2 vultr.guest

Available Commands: changeview, wakeonlan, setproxy, changepassword, quit
Enter command:

The next step is to download and install NeoRouter Client software on your desktop computer and smartphone. Then you can remotely connect to your VitalPBX server from those platforms. In our example above, you could login to 10.0.0.2 with either SSH or your web browser and never have to worry about whitelisting your remote machines with VitalPBX.

Checking VitalPBX Status. As with other Incredible PBX platforms, we have reworked the pbxstatus utility to support VitalPBX. Running it from the command prompt will display the status of all of the key services on your PBX. Note the addition of the VPN’s IP address which tells you that NeoRouter Client is alive and well:



Configuring Automatic Backups. When you’re ready to enable backups for a Digital Ocean droplet, navigate to the list of droplets for your account. Click the Droplet name for which you’d like to enable backups, and then click the Backups menu item. This will display the cost of backups for the given droplet. Click the Enable Backups button to enable backups.

The Vultr setup is similar. Automatic backup settings are managed through the Vultr control panel. Once you log into your account, visit the server’s management area, click on your server in the dialog, and then click on the "Backups" tab for your VPS. Click Enable Backups. On either platform, the backup option adds $1 a month to the cost of the $5 server. That’s pretty cheap insurance.

Originally published: Monday, April 2, 2018





Need help with VitalPBX? Visit the VitalPBX Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Revolutionary VoIP: The Best (free) PBX Ever from 3CX

There are evolutions, and then there are revolutions. Today is another revolutionary day for free VoIP. The new 3CX v15.5 Update 3 is revolutionary on so many levels: price, feature set, flexibility, stability, and security for openers. For Nerd Vittles readers that want a free PBX for your home or business, here’s the latest and greatest. You get the 3CX Standard License features listed here with up to 16 simultaneous calls for one year. That setup easily supports about 50 extensions. At the expiration of the year, you can purchase the standard annual license OR your free license will automatically convert to a 4-simultaneous-call perpetual license with unlimited trunks for the duration of the installation, including DNS, email, SSL certs, webmeeting, etc. Nothing else to buy ever! [1] This perpetual license includes unlimited SIP trunks and gateways, 25-participant conferencing, G.722 and G.729 support with HD Voice, custom FQDNs, BLF support, Call Parking, Call Queueing, Call Pickup, Call Recordings and Management, Call Reporting, Intercom/Paging, Integrated Fax Server and Office 365 Address Book/Microsoft Outlook integration plus all of the 3CX client software. Better hurry. This offer won’t last forever! Here’s the signup link. [2]

Unlimited Trunks, 50 Extensions, 16 Simultaneous Calls… Free!

The 3CX development team not only heard but also heeded our suggestion to expand the number of trunks in the free edition by removing the limitation entirely. With small businesses and home users, the number of times you ever will need to make more than 16 simultaneous calls is probably NEVER. Based upon industry standards, this 16-call, 50-extension PBX with unlimited trunks can easily support several dozen people so it’s perfect for home use and small to medium-sized businesses. And, when your business grows, upgrading to a larger PBX is inexpensive and a one-minute key swap.

Cost savings, of course, are only part of the VoIP story. There’s a reason 3CX’s business is growing geometrically while others struggle. 3CX provides an unmatched feature set that’s easy to use and deploy. Version 15.5 Update 3 brings the Linux platform to full parity with 3CX’s previous Windows editions plus all-new 3CX clients for every desktop and mobile device. There’s also an awesome new web client providing users easy access to all key 3CX features without installing any software. Desktop call control including Click2Call now is based on uaCSTA technology. Snom, Yealink, and Grandstream phones as well as 3CX clients can be controlled from any desktop client even if your phone system is running in the cloud. And we’ve got a whopper deal for you there as well today.

With 3CX’s powerful client software, your office and your PBX can literally be anywhere. Your desktop is always as close as your smartphone or the nearest WiFi hotspot. That’s what unified communications is all about. And, should you ever need support, 3CX has offices in the U.S., U.K., Germany, Hong Kong, South Africa, Russia and Australia. Review the 3CX feature comparison chart and you can judge the feature set for yourself. Whether you’re a homebody or world traveler, we think you’ll agree that 3CX’s new free edition for Nerd Vittles readers offers everything that a home or SOHO user will ever need in a PBX.

Getting Started with 3CX on Dedicated Hardware or a Virtual Machine. If your platform supports ISO installs, here are the simple steps to get 3CX up and running. Just follow this 3CX tutorial to download the ISO and begin your adventure. Boot your server from the ISO image and walk through the Debian 9 setup process. We recommend 2GB of RAM and a 20GB drive for 3CX. When the install is finished, make note of the IP address to access with a web browser to complete the setup. Enter your 3CX license key when prompted. Set up one or more SIP trunks with inbound and outbound call routes. Once you have the ISO and your license key in hand, the installation procedure takes less than 10 minutes.

Getting Started with 3CX in the Cloud. Begin by setting up a 64-bit Debian 9 platform. Obtain a free Nerd Vittles license key for 3CX. Once your Debian install is finished, log in as root using SSH or PuTTY and issue these commands. NOTE: The second command, which begins with echo and ends with 3cxpbx.list, must be entered as a single line!

wget -O- http://downloads.3cx.com/downloads/3cxpbx/public.key | apt-key add -
echo "deb http://downloads.3cx.com/downloads/debian stretch main" | tee /etc/apt/sources.list.d/3cxpbx.list
apt-get update
apt-get install libcurl3=7.38.0-4+deb8u5
apt-get install net-tools
apt-get install 3cxpbx

When the initial setup finishes, choose the Web Interface Wizard and complete the install using your favorite web browser. Enter your 3CX license key when prompted. Set up one or more SIP trunks with inbound and outbound call routes. Done.

Beginning with this release, you have your choice of using a Google Cloud-hosted 3CX server at no cost for a year or many other cloud providers of your choice. The problem with the Google Cloud offering is what to do after the first year. Our personal preference is to set up your own cloud server where things stay the same as you move forward from year to year. At this time, 3CX does not support OpenVZ containers. However, Vultr offers a $2.50/month 512MB RAM plan that works just fine. 50 cents more buys you automatic backups that we highly recommend. And OVH offers quadruple the RAM for $4.49/month on a 12-month plan.

Configuring Gmail as SMTP RelayHost for 3CX. 3CX has a detailed tutorial explaining how to set up your Gmail account as the SMTP relay host for 3CX. Be advised that there is one additional step before Google will authorize access from an IP address it doesn’t already have for your Gmail account. In addition to Enabling Less Secure Apps (as covered in the 3CX tutorial), you also will need to activate the Google Reset Procedure while logged into your Gmail account. Otherwise, Google will block access. Once you have configured Gmail as your relay host and performed the two enabling steps above, immediately test email delivery within the 3CX GUI while Google security is relaxed: Settings → Email → TEST.

Free Calling in the U.S. and Canada with 3CX. We know our more frugal U.S. residents are wondering if there’s a way to make free calls even with 3CX. You didn’t really think there would be a release of PBX in a Flash without Google Voice support, did you? It’s easy using the Simonics SIP to Google Voice gateway service. Setup time is about a minute, and the one-time cost is $4.99 using this Nerd Vittles link. Setup instructions for the 3CX side are straight-forward as well, and we’ve documented the procedure on the PIAF Forum.

Free Calling Worldwide with SIP URIs. There’s another free calling option as well. 3CX supports worldwide SIP URI calling at no cost. As part of the 3CX install procedure, 3CX registers an FQDN for you with one of the 3CX domains if you indicate that your server has a dynamic IP address. Unless you really know what you’re doing with DNS, it’s a good idea to tell 3CX you have a dynamic IP address whether you do or not. Here’s why. Once you have an assigned FQDN in the 3CX universe, one very slick feature is the ease with which you can publish a SIP URI address for any or all of your 3CX extensions thereby allowing 3CX users to receive calls from any SIP client worldwide at no cost. Setup takes less than a minute. It’s as easy as 1-2-3. Here’s how:

1. Login to the 3CX GUI and go to Settings → Network → FQDN. Tick "Allow calls from/to external SIP URIs" and make note of your FQDN, e.g. mypiaf5server.3cx.us. Click OK.

2. For an extension to enable (e.g. 001), go to Extensions → Edit 001 → Options → SIP ID and create any desired SIP URI alias for this extension, e.g. billybob. Click OK.

3. If your PBX is sitting behind a router/firewall, be sure the following UDP ports are forwarded to the local IP address of your PBX: 5001, 5060, 5090, and 9000-9255.

4. Anyone with a SIP client anywhere worldwide can now call extension 001 using SIP URI: billybob@mypiaf5server.3cx.us.

Originally published: Wednesday, June 7, 2017  Updated: Thursday, February 8, 2018



Need help with 3CX or VoIP? Visit the PBX in a Flash Forum.


 

  1. This offering applies to 3CX V15.5 Update 3 released on February 8, 2018.
  2. Don’t confuse 3CX’s free PBX with Sangoma’s FreePBX® GUI. The former is a truly free PBX provided by a well-respected developer of commercial PBXs and used by many of the world’s largest companies including Boeing, McDonalds, Hugo Boss, Ramada Plaza Antwerp, Harley Davidson, Wilson Sporting Goods, and Pepsi. The latter is a code generator for Asterisk® that commingles free components with commercial NagWare, each of which requires payment of separate licensing and maintenance fees before and during subsequent use.

Incredible PBX Backup & Restore for Cloud-Based Servers

One of the perplexing realities with VoIP-based servers is how few people actually back up their systems. For anyone who has ventured into the IT world over the past 40 years, there’s one maxim worth remembering: "It’s not a question of whether your server will fail. It’s only a question of when." Incredible PBX® always has provided a backup mechanism in standalone servers to recover from disasters. But then cloud-based computing came along. Two of our favorite providers, Digital Ocean and Vultr, offer a backup snapshot option for 20% of the monthly cost of your platform. But many others do not. And snapshots in the same facility only insulate you from catastrophic failures that don’t take down the entire facility. Think: DNS, bombs, floods, earthquakes, hurricanes, and disgruntled employees.

We obviously can’t solve all of the world’s problems. But what we can do is provide a generic backup mechanism that will work with most cloud implementations of Incredible PBX. It allows you to make a complete backup of your server, copy the image off site, and restore it at another cloud location or by deploying a virtual machine in your home or office with VirtualBox®. Today we’ll show you how.

Methodology. We’re assuming you are using the latest Incredible PBX 13-13 platform with either CentOS® or Scientific Linux™ 6 or 7 running Asterisk® 13. We’re also assuming your primary server is cloud-based. Your backup server can be cloud-based or a virtual machine running under VirtualBox on a desktop PC. The trick is to build the backup platform at or near the creation time of your primary server so that both are using nearly identical Linux components, the same version of Asterisk, the same version of Incredible PBX, and the same versions of the 1,000+ packages that comprise an Incredible PBX VoIP platform. This is easy at the time you create your primary server. It’s much more difficult 5 or 10 years down the road. So don’t be a procrastinator. Build your backup platform. And do it now! In the case of VirtualBox, you can create the virtual machine and turn it off until that rainy day occurs. It won’t cost you a dime other than a little disk storage space.

Overview. Here are the 5 Steps to put your backup implementation plan into place:

  1. Build & Configure Incredible PBX 13-13 Primary Server in the Cloud
  2. Build Barebones Incredible PBX 13-13 Server at Secondary Site
  3. Make a Backup of Your Primary Server Every Week
  4. Copy Weekly Backup Image to One or More Off-Site Locations
  5. Periodically Test Restoring Backup to Secondary Server

1. Build & Configure Primary Server

We’ve covered the procedure for building an Incredible PBX 13-13 server starting from a CentOS platform or from the Incredible PBX 13-13 ISO. We continue to recommend the CentOS or Scientific Linux 6.9 platform. Whether to create a Lean, Mean implementation or the Whole Enchilada is your call to make. Configure your Extensions, Trunks, and Routes, and you’re ready for business.

2. Build a Barebones Secondary Server

The hardest part of Step #2 is deciding where to build your secondary Incredible PBX 13-13 server. It doesn’t need to be in the cloud unless you prefer that option. Part of this decision may turn on how many servers you actually support. If you have a dozen primary servers, then it probably makes sense to add #13 as your backup server. Then it will be available in case of a failure of any of the other servers. Just make sure it’s in a location 1,000+ miles away from the primary server which should provide ample protection from North Korea’s Rocket Man. You can install the Lean, Mean version of Incredible PBX 13-13 with no additional configuration. Make sure the version of CentOS or Scientific Linux matches your primary server. As noted, VirtualBox is a perfectly adequate backup platform.

3. Make a Weekly Backup of Primary Server

We’re offering the following script for your use pursuant to the GPL2 license. By using the script at no cost, you agree to assume all risks and absolve us from any liability regarding bugs, performance, or any other failure in the code. If that’s acceptable to you, copy the commands below and create a backup-full script in the /root folder of your primary server. After saving the script, make it executable: chmod +x backup-full.

#!/bin/bash
# backup-full for Incredible PBX, Copyright (c) 2008-2018, Ward Mundy & Associates, LLC
# Licensed pursuant to GPL2. See /root/COPYING on any Incredible PBX server for details
# Stop Asterisk and its supporting services so files are not changing during the backup
amportal stop
service mysqld stop
service httpd stop
service sendmail stop
cd /
# Archive the system tree (GNU tar stores member names without the leading /)
tar -cf /tmp/backup.tar /bin /etc /home /lib /lib64 /media /mnt /opt /root /sbin /usr /var
# Bring the services back up before the slower post-processing steps
service sendmail start
service httpd start
service mysqld start
amportal start
# Drop host-specific network and disk settings so a restore keeps the target server's own
tar --delete -f /tmp/backup.tar etc/udev/rules.d
tar --delete -f /tmp/backup.tar etc/sysconfig/network-scripts
tar --delete -f /tmp/backup.tar var/lib/dhclient
tar --delete -f /tmp/backup.tar etc/fstab
tar --delete -f /tmp/backup.tar etc/resolv.conf
tar --delete -f /tmp/backup.tar etc/hosts
tar --delete -f /tmp/backup.tar etc/hostname
# Compress the finished archive to /tmp/backup.tar.gz
gzip /tmp/backup.tar
echo "Your backup is available: /tmp/backup.tar.gz"
echo "Copy it and test it in a safe place OFF SITE"
echo " "


To run the script, execute the following command: /root/backup-full

We recommend running the backup-full script during hours when your PBX is not in active use since Asterisk and other services typically are shut down for 5-10 minutes. Depending upon the size and performance of your server, the backup typically takes 15-20 minutes. Once the backup script finishes, copy /tmp/backup.tar.gz to a safe place away from the primary server every week. You can automate the backup and the copying procedure with a cron job if desired. If your primary PBX doesn’t change regularly, alter the backup schedule.

UPDATE: As many of you appreciate, VMware platforms are a very different beast. The same is true of some cloud platforms which don’t play nicely with full backups from other environments. The telltale sign is abrupt reboots when you attempt to login to the web GUI using a browser. If you will be backing up FROM or restoring TO a VMware virtual machine or some other incompatible platform, here’s a workaround. The backup methodology needs to be adjusted to collect all of your PBX configuration data without messing with the underlying operating system configuration. This is similar to the original Incredible Backup methodology. You may also find it handy whenever you have a backup cloud server that is similarly configured to your main cloud server.

First, you need to assure that your versions of the major components are the same on both your primary and backup server. As noted before, the easiest way to do this is to build the two platforms simultaneously. If you plan to use either the Full Enchilada or Incredible Fax add-ons on your primary server, then they also need to be installed and configured on your backup server. Once the two servers are operational, you can shut down the backup server for the time being. Then make your customizations on the primary server and make a backup. The backup script above will work with the exception of the tar command line which should be replaced with the following (as a single line command):

tar -cf /tmp/backup.tar /var/www /var/lib/mysql /var/lib/asterisk /root /etc/asterisk /etc/crontab /etc/pbx /var/spool/asterisk /etc/freepbx.conf /etc/amportal.conf

The restore scenario outlined below will be the same for VMware-style backups except your passwords on the restored platform will be your original backup server passwords with the exception of your FreePBX® GUI and Apache web passwords which will be inherited from the primary server at the time of the backup image.

4. Copy Backup Image to Off-Site Location(s)

Once the backup script finishes, copy /tmp/backup.tar.gz to a safe place away from the primary server every week. You can automate the backup and the copying procedure with a cron job if desired. If your primary PBX doesn’t change regularly, alter the backup schedule.

5. How to Restore Backup to Secondary Server

Before patting yourself on the back from having made a successful backup, let’s try restoring it to your secondary server to be sure everything still works. Here are a couple of tips before we get started. First, in the event of an actual emergency, you will find recovery is simplified if you use fully-qualified domain names in registering extensions to your primary server. In this way, you can simply alter the IP address of the FQDN in your DNS server to point to the backup server without having to reconfigure every extension on your PBX. Second, trunks that are registered from your primary PBX will automatically be registered from your secondary PBX when you bring it on line. For that reason, test your secondary server during non-working hours and always be sure to shut down Asterisk on the primary server (amportal stop) before bringing up your secondary server. Finally, trunks that are supported by IP address configuration rather than registration will need to be manually reconfigured with the secondary IP address before they will be available for use.

We’re offering the following script for your use pursuant to the GPL2 license. By using the script at no cost, you agree to assume all risks and absolve us from any liability regarding bugs, performance, or any other failure in the code. If that’s acceptable to you, copy the commands below and create a restore-full script in the /root folder of your backup server(s). After saving the script, make it executable: chmod +x restore-full.

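#!/bin/bash
# restore-full for Incredible PBX, Copyright (c) 2008-2018, Ward Mundy & Associates, LLC
# Licensed pursuant to GPL2. See /root/COPYING on any Incredible PBX server for details
# Stop the PBX, database, web and mail services before their files are replaced
amportal stop
service mysqld stop
service httpd stop
service sendmail stop
# Make resolv.conf immutable so the restore cannot change this server's DNS settings
chattr +i /etc/resolv.conf
cd /
# Unpack the primary server's files over this server's filesystem
tar zxvf /tmp/backup.tar.gz
echo "Shut off Asterisk on primary server now."
# -n 1 returns on a single keypress; a plain read would wait for ENTER
read -n 1 -s -r -p "Press any key to continue with reboot..."
reboot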

To restore the backup, begin by copying the backup.tar.gz file to /tmp on your backup server. Then run the script you created above: /root/restore-full.

Once the restore is completed, your server will reboot. Log back in using the credentials from your primary server and make sure everything is working.
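Because restore-full unpacks the archive as root from /, it pays to check the copy that arrived on the secondary server before running it. The following is an added example, not part of the original scripts: check_backup and the sample archives are constructed here, and the list of host-specific paths is taken from the tar --delete lines in backup-full.

```bash
#!/bin/bash
# Added example: pre-restore checks for a backup-full archive.

# Entries backup-full strips with "tar --delete". If one is still present, the
# restore would replace the secondary server's own network or disk settings.
HOST_SPECIFIC="etc/udev/rules.d etc/sysconfig/network-scripts var/lib/dhclient
etc/fstab etc/resolv.conf etc/hosts etc/hostname"

# Content that both backup variants on this page include.
REQUIRED="etc/asterisk var/lib/mysql"

# has_member LISTING PATH: true if PATH, or anything below it, is in the listing.
has_member() {
    printf '%s\n' "$1" | awk -v p="$2" '
        { n = $0; sub(/^\.\//, "", n); sub(/^\//, "", n) }
        n == p || index(n, p "/") == 1 { found = 1 }
        END { exit !found }'
}

# check_backup ARCHIVE: print findings, return 0 only if nothing was found.
check_backup() {
    archive=$1
    status=0
    # A copy cut short or damaged in transit fails the gzip CRC/length check.
    if ! gzip -t "$archive" 2>/dev/null; then
        echo "FAIL: $archive is truncated or not gzip data"
        return 1
    fi
    if ! listing=$(tar -tzf "$archive" 2>/dev/null); then
        echo "FAIL: $archive is not a readable tar archive"
        return 1
    fi
    # Extraction happens from /, so no member name may climb out with "..".
    if printf '%s\n' "$listing" | grep -Eq '(^|/)\.\.(/|$)'; then
        echo "FAIL: a member path contains '..'"
        status=1
    fi
    for path in $HOST_SPECIFIC; do
        if has_member "$listing" "$path"; then
            echo "FAIL: host-specific entry still present: $path"
            status=1
        fi
    done
    for path in $REQUIRED; do
        if ! has_member "$listing" "$path"; then
            echo "FAIL: expected PBX content missing: $path"
            status=1
        fi
    done
    return $status
}

# make_samples: build three small constructed archives in a temp dir, print its path.
make_samples() {
    dir=$(mktemp -d)
    mkdir -p "$dir/src/etc/asterisk" "$dir/src/var/lib/mysql" "$dir/src/root"
    echo "[general]" > "$dir/src/etc/asterisk/sip.conf"
    echo "constructed" > "$dir/src/var/lib/mysql/ibdata1"
    tar -czf "$dir/good.tar.gz" -C "$dir/src" etc var root
    # Same tree, but etc/hosts was never deleted from the archive.
    echo "127.0.0.1 localhost" > "$dir/src/etc/hosts"
    tar -czf "$dir/bad.tar.gz" -C "$dir/src" etc var root
    # A copy cut short in transit.
    head -c 40 "$dir/good.tar.gz" > "$dir/truncated.tar.gz"
    echo "$dir"
}

samples=$(make_samples)
for name in good bad truncated; do
    if check_backup "$samples/$name.tar.gz"; then
        echo "$name: passes, safe to hand to restore-full"
    else
        echo "$name: do not restore"
    fi
done
rm -rf "$samples"
```

On a real secondary server the call is check_backup /tmp/backup.tar.gz, run before /root/restore-full.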

NOTE: If your primary server is using eth0 for its Ethernet connection and your backup server is using venet0, then you’ll need to modify /etc/sysconfig/knockd and then restart PortKnocker on the backup platform: service knockd restart. The command to add looks like this:

OPTIONS="-i venet0:0"

If you’re backing up from a venet0 platform and restoring to an eth0 platform, then you’d need to reverse the process by removing the above entry from /etc/sysconfig/knockd and restarting PortKnocker. Enjoy!

Published: Tuesday, January 23, 2018



NEW YEAR’S TREAT: If you could use one or more free DIDs in the U.S. with unlimited inbound calls and unlimited simultaneous channels, then today’s your lucky day. TelecomsXChange and Bluebird Communications have a few hundred thousand DIDs to give away so you better hurry. You have your choice of DID locations including New York, New Jersey, California, Texas, and Iowa. The DIDs support Voice, Fax, Video, and even Text Messaging (by request). The only requirement at your end is a dedicated IP address for your VoIP server. Once you receive your welcome email with your number, be sure to whitelist the provider’s IP address in your firewall. For Incredible PBX servers, use add-ip to whitelist the UDP SIP port, 5060, using the IP address provided in your welcoming email.

Here’s the link to order your DIDs.

Your DID Trunk Setup in your favorite GUI should look like this:

Trunk Name: IPC
Peer Details:
type=friend
qualify=yes
host={IP address provided in welcome email}
context=from-trunk

Your Inbound Route should specify the 10-digit DID. Enjoy!



Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 



Some Recent Nerd Vittles Articles of Interest…

Twofer Tuesday: $1.50 Cloud Bargains for VoIP Deployments

We’ve been big fans of $5/month VPS offerings of Digital Ocean and Vultr for many years. When Vultr reduced their lowest tier to $2.50/month, we were ecstatic. These weren’t ideal VoIP platforms because of their 512MB memory constraint, but they were perfectly suitable as a sandbox for experimentation. And then along came OVH with a 2GB VPS that was nearly perfect for VoIP at $3.49/month. As we all know, the Earth does not stand still, and WootHosting now has once again changed the landscape with two different $1.50/month offerings that include 2GB of RAM. That’s cheaper than the cost of electricity to run a server in your home or office. Never mind that you also have to purchase a server.

As most of you know, we eat our own dog food before recommending products, and we’ve deployed both the Wazo and Issabel PBXs on the WootHosting platform being reviewed today. In addition, we’ve deployed a multi-purpose web server to host more than a dozen of our personal sites using an even better second offering that we also will cover today.

The first offering (pictured above) actually provides a platform for two separate VoIP servers. For each of the servers, you have a choice of sites: New York, Miami, or Los Angeles. Why would you want two servers? The most obvious answer is redundancy. Wazo already offers High Availability (HA) redundant servers with the click of a button. Our deployment tutorial is available here. By deploying identical servers in two cities, you have a failsafe VoIP platform that can survive almost any natural or man-made disaster. And the total cost for both cloud servers is just $3 a month. A similar implementation for other Incredible PBX platforms is now under development on the PIAF Forum. Compare these free options to HA solutions from other VoIP providers costing $3,000 plus maintenance.

If a New York-based cloud offering will meet your needs, the second WootHosting offer is even more impressive with 4 CPU core allocations, 2GB RAM and swap space, a whopping 150GB of storage, 3TB of monthly bandwidth, and advanced DDOS protection for $1.50/mo.:



As we mentioned, we actually use this second VPS offering to host more than a dozen of our personal web sites without a hiccup. But it is sufficiently robust to host very large VoIP implementations with support for dozens of simultaneous calls. A deployment guide for Wazo is available here. As with all cloud-based servers, we strongly recommend redundant system deployments in separate locations. Additional WootHosting specials in their various locations are documented on the New York ordering page. Enjoy!

Published: Tuesday, August 15, 2017  




3CX in the Cloud: 8 Great Ways to Secure Your Server




Now that many of you have taken advantage of the opportunity to deploy a free 3CX server, it seemed like an opportune time to share what we’ve learned while deploying 3CX on hosted platforms in the cloud. If you’ve followed our Nerd Vittles adventures over the years, you already know that our number one consideration with any PBX deployment is security. Without that, you’re just paying somebody else’s phone bill. While 3CX is extremely secure as delivered, once you choose a cloud-based platform, it’s a new ballgame. There is no 3CX firewall sitting between your PBX and the Internet.

We hear some of you saying, "I love Asterisk. Why would I want to move to 3CX?" The short answer is don’t move, add a new 3CX server to supplement your existing Asterisk® infrastructure. Why? Because the 3CX Clients for Windows, Macs, iOS, and Android are incredibly compelling. You can make a connection from anywhere using WiFi or cellular infrastructure and make crystal clear calls with zero hassles. Better yet, folks can reach you on your mobile phone from anywhere in the world at zero cost by dialing your SIP URI using any SIP device including SIP softphones and other 3CX Clients. And the 3CX Client is literally plug-and-play. Send the welcome email for the extension you wish to activate on the 3CX Client, and in one-click your 3CX Client is automatically configured and on line. By interconnecting your 3CX server with your existing Asterisk infrastructure, you get the best of both worlds without the messy NAT and firewall problems that were daily fare using Asterisk alone. But we’re getting ahead of ourselves, let’s get your 3CX server in the Cloud properly secured before moving on to the fun stuff.

Five years ago, we first introduced our Failsafe PBX Security Tips to Sleep Like a Baby. That’s well worth a careful read before we begin. For today, we’ll be implementing most of the Travelin’ Man 3 Security Model with a few tweaks to take advantage of existing 3CX security features. We’ll walk you through (1) choosing a cloud platform, (2) deploying the IPtables Linux firewall, (3) implementing a WhiteList to hide your server from those that don’t need access, (4) installing PortKnocker to make it easy for end-users to give themselves access to your PBX, (5) configuring FQDNs and implementing dynamic DNS updates for remote users, (6) setting up a BlackList to complement 3CX’s existing Anti-Hacking mechanisms, (7) deploying IPset to facilitate blocking entire countries from accessing your server, and (8) protecting SSH by setting up Fail2Ban and changing ports.

Let’s spend a moment considering the best security methodology for your cloud-based server. The short answer is IT DEPENDS. If all of your users are situated in the same location and never travel and you don’t care to enable SIP URI calling from anywhere in the world to save on phone costs, then the solution is pretty easy. We can lock your server down to the public IP address of your private LAN, and nobody else will ever see your server. Once you add users outside your home office, things get more complicated. If they are all sitting behind local routers with public IP addresses that are static, things are still fairly straightforward. We can whitelist all of the static IP addresses, and again nobody else will see your 3CX server. If you have users that travel for a living or need 3CX Client connectivity from their smartphones or from PCs at various locations that only have dynamic IP addresses, then things get more complicated. You can take your chances and expose SIP communications ports while locking down other access, or you can lock down everything, assign FQDNs to each user, and use dynamic DNS clients running on Android or iOS devices or local PCs to regularly update IP addresses of users in the firewall whitelist.

Another option that we use when traveling is PortKnocker which will be installed as part of our Travelin’ Man 3 security suite. The way this works is you send a single packet to three different TCP ports on your server using a predefined sequence of 3 port numbers. When there is a match, the server will automatically whitelist your IP address. Then you can log into SSH or the Web portal or use a 3CX Client in the usual way. There are PortKnocker clients for smartphones (Android’s DroidKnocker and iOS PortKnock), or you can use the command line from a Linux server to immediately authorize remote access from any IP address. No firewall modification is required. By default, Travelin’ Man 3 temporarily authorizes IP address access until the next server reboot. But you can elect to permanently whitelist the IP addresses if desired. Again, all of this can be performed remotely by end-users without ever touching your server or calling upon assistance from an administrator.

Finally, we’ve provided utilities in /root to assist an administrator in whitelisting IP addresses (add-ip) or FQDNs (add-fqdn) as well as removing whitelisted entries (del-acct). In addition, if you prefer to leave your server exposed, we’ve included tools to blacklist IP addresses (add-blacklist), and our discussion below will provide some alternatives to secure SSH access. Whichever path you choose, just be aware that server security is totally your responsibility, not ours and not 3CX’s. We strongly recommend that you regularly monitor the Event Log in the 3CX Dashboard for security issues and attempted breaches. You then can make firewall adjustments to address the problems or to further lock down your server.

LEGAL DISCLAIMER: ALL OF THE SECURITY CODE WHICH FOLLOWS IS DISTRIBUTED AS IS AND PURSUANT TO THE GPL2 LICENSE. YOU AGREE TO ASSUME ALL RISKS BY USING THIS SOFTWARE. YOU ARE FREE TO MODIFY IT TO MEET YOUR REQUIREMENTS SO LONG AS YOU COMPLY WITH THE GPL LICENSE TERMS AVAILABLE HERE.

For today’s tutorial, we will cover both the WhiteList 3CX firewall methodology and the less secure BlackList alternative. We’ll walk you through exposing the necessary ports if you elect to use this relaxed security configuration for your server. Just be aware that it’s your phone bill at stake particularly if you have authorized calls to countries outside the location of your server as part of your 3CX setup.

1. Choosing a 3CX Cloud Platform

Here are a few things to consider when choosing a cloud platform for your 3CX server. Keep in mind that the cloud giants like Amazon charge for data bandwidth usage AND data storage AND processing cycles. Even though Amazon uses what are traditionally considered non-routable IP addresses internally, be advised that Amazon internally routes these private LAN addresses. What that means is that, if you have whitelisted private LAN addresses in the 172.16.0.0/12 range, you will expose your server to hacking attempts from anyone with an Amazon S3 account. For that reason coupled with the pricing structure, we recommend against using Amazon as your 3CX cloud platform.

We also recommend you stick with VPS hosting plans using the KVM architecture and avoid OpenVZ unless it’s hosted with Virtuozzo 7. The traditional shared kernel architecture of OpenVZ means you will forfeit the ability to use powerful tools such as IPset to blacklist country-wide IP addresses from countries such as China and Russia. Over 90% of the attacks we see on our web sites originate from IP addresses in just those two countries. Fortunately, the new Virtuozzo 7 implementations of OpenVZ support ipset. SSDnodes in Montreal is the provider we use.

The rest of the cloud platform equation comes down to balancing the feature set and performance against the cost. At the bottom of the barrel is CloudAtCost which offers lifetime cloud services for a one-time charge PLUS an annual maintenance charge. Performance and reliability range from awful to tolerable. As an experimental platform, it’s worth considering. For anything beyond that, don’t waste your time or money.

Our preferences in low-cost, moderate performance cloud platforms include OVH virtual private servers ($3.49/mo. for 2GB RAM, 10GB SSD, 100Mbps unlimited bandwidth, and DDoS protection), Vultr VPS ($5/mo. for 1GB RAM, 25GB SSD, 1TB bandwidth), and Digital Ocean ($5/mo. for 512MB RAM, 20GB SSD, 1TB bandwidth plus $10 usage credit). For high performance, long-term use, nobody beats our corporate sponsor, RentPBX.com, at $15/mo. with referral code: NOGOTCHAS.1

2. Deploying the IPtables Linux Firewall

We’ve taken the pain out of deploying IPtables as a 3CX firewall. Our Travelin’ Man 3 script for 3CX does the heavy lifting for you by installing and preconfiguring IPtables and a collection of other security components. There are two alternatives when running the installer. You can completely lock down your server and use a firewall whitelist to enable access from specified IP addresses or FQDNs. There are utilities to allow administrators and end-users to add their own addresses to the whitelist. The other option is to run 3CX without the whitelist functionality and employ blacklisting to reduce the exposure of your server. This obviously increases the security risks but reduces the administrative burden on administrators and end-users. And, as you probably know, 3CX includes some security mechanisms to block or reduce attacks on your server. A third option using 3CX Clients or SBCs in networks that prevent VoIP calls is to deploy 3CX’s VPN-like Tunnel. This is well documented in this server tutorial and this client tutorial. It’s worth a careful look if you’re in a country that blocks VoIP calls, and it works with either TM3 firewall configuration. A fourth option which we will save for another day is to employ virtual private networks such as OpenVPN and NeoRouter. With VPNs, there’s more work on the front end but less day-to-day administration once properly configured.

If you don’t have widely scattered users and traveling users that need to employ 3CX Clients, the WhiteList option is far preferable. It sets up a WhiteList of devices that are authorized to access your PBX. Nobody else can even see the server on the Internet. To get started, log into your server as root using SSH or Putty. Be sure to login from a computer that will be used to manage your server so that this computer’s IP address gets whitelisted. You don’t want to lock yourself out of your own server! Then issue the following commands at the Linux prompt to run the TM3 installer, accept the license agreement, and choose either the WhiteList or BlackList option when prompted:

cd /
wget http://incrediblepbx.com/tm3-3cx.tar.gz
tar zxvf tm3-3cx.tar.gz
rm -f tm3-3cx.tar.gz
cd /root
./tm3-3cx.sh

When the installer finishes, press ENTER. You now have a functioning 3CX firewall with IPtables and Fail2Ban functionality to protect SSH logins from hacking attempts, IPset to block server access from certain countries, PortKnocker to facilitate remote user access to servers employing a WhiteList, and a collection of utilities in /root to facilitate WhiteListing and BlackListing of IP addresses and FQDNs by administrators.

3. Implementing the 3CX Firewall WhiteList

For the more technical types, here’s an overview of how the IPtables firewall is configured and functions. Currently, only IPv4 is protected. The basic setup is handled in /etc/iptables/rules.v4 by making a copy of rules.v4.tm3 and whitelisting 3 IP addresses: your server, your user PC from which you logged into SSH, and your public IP address. Additional whitelist entries are added using add-ip or add-fqdn in /root. Or end users can whitelist themselves using the PortKnocker credentials stored in /root/knock.FAQ. IPtables ALWAYS must be restarted/reloaded using the command: iptables-restart. This assures that all necessary components are reloaded including the base rules.v4 IPtables config plus the custom config in /usr/local/sbin/iptables-custom plus Fail2Ban. An administrator can remove whitelisted entries using /root/del-acct using the *.iptables filename associated with the entry to be removed. PortKnocker whitelist entries are stored by creation date.

Two templates for the TM3 custom configuration are stored in /usr/local/sbin. The WhiteList is iptables-custom.secure. The BlackList is iptables-custom.insecure. As part of the install, one or the other is copied into iptables-custom for use with your IPtables firewall. The code is well documented so that administrators can easily make modifications to support your own requirements. Simply rerun the tm3-3cx.sh installer once you have made changes, and your server will be reconfigured. Be advised that any previously added whitelist entries should be removed (/root/*.iptables) BEFORE rerunning the installer as these entries will not be replicated.

4. Using PortKnocker with the TM3 Firewall

There are two ways to use PortKnocker for end user management of the WhiteList. The default methodology is to temporarily WhiteList qualifying IP addresses whenever a successful port knock is performed from any remote site. This WhiteList addition to the firewall lasts only until the firewall is restarted with iptables-restart or the server is rebooted. For a mobile workforce, this is probably the preferable alternative with frequently updated remote IP addresses. The other alternative is to permanently add successful PortKnock IP addresses to the iptables-custom whitelist. The administrator can activate this by running the following command: iptables-knock activate. As with other WhiteList additions, these are stored in /root as *.iptables. To use PortKnocker, remote users will need the secret knock credentials stored in /root/knock.FAQ. Should you ever need to modify these codes when an employee is fired, simply edit /etc/knockd.conf and change the codes. Remember to revise /root/knock.FAQ with the new codes. Then restart PortKnocker: /root/knock-tester.sh.

5. Configuring Dynamic DNS for End Users

Here’s an easier way to set up remote users whose IP addresses regularly change either because of an ISP’s dynamic IP addressing scheme or because the user travels or frequently uses 3CX Clients from a smartphone. The trick here is to assign a fully-qualified domain name (FQDN) to each remote user’s device and then deploy a dynamic DNS update application on their device to keep the user’s current IP address in sync with their FQDN. As part of the TM3 implementation on 3CX, we included the /root/ipchecker script which checks for IP address changes every 10 minutes and updates the firewall whitelist accordingly. All that is required from the administrator is running /root/add-fqdn once for each remote user. Everything else is automatic on the 3CX server and the end user device.

There are a number of Dynamic DNS providers. Some are free and others have a modest annual fee. When it comes to DNS service, you get what you pay for. And our favorite remains dyndns.com. There are hundreds of domain names from which to choose, and there are update clients for most client platforms: Windows, Mac, Linux, iOS, and Android.

The setup procedure is straightforward. (1) Choose a FQDN for each of your users on the dynamic DNS provider site. (2) Install and configure the DNS updater on each client device. (3) Run /root/add-fqdn on your 3CX server to add the FQDNs of each user to the TM3 WhiteList. (4) Restart IPtables: iptables-restart.

6. Implementing BlackLists with the TM3 Firewall

If an administrator elects NOT to deploy the 3CX firewall with a WhiteList and opts for the open 3CX firewall, then there are some additional steps to assure that your server remains secure. First, you’ll want to carefully monitor the 3CX Event Log in the 3CX web dashboard. When you spot hacking attempts that are being temporarily blocked by your 3CX server, immediately add them to your IPtables BlackList: /root/add-blacklist ipaddress. Thereafter, those users will no longer be able to access your server. After adding less than a handful of entries, our exposed server has not seen any further hacking attempts. YMMV!

7. Configuring Country Blocking with IPtables

The primary reason individual blacklist entries are unnecessary is because the TM3 installer automatically configures IPset to block access from a number of problematic countries. You can review these in /etc/block-china.sh and make modifications based upon your own requirements. Keep in mind that, if you add or remove countries from the script, you will need to add/remove the same entries in /usr/local/sbin/iptables-custom to assure that all of the countries you intend to block are assimilated into your firewall’s blacklist. Then reload the IPset tables and restart IPtables with this command: /etc/block-china.sh. To begin, you’ll need to decipher the country code for additional countries you wish to block. The country listing with codes is available here. The IPset country zones are available here.

The syntax for a new country addition in /etc/block-china.sh looks like this with the country name inserted in lines 1 & 4 and the country code inserted in lines 2 & 3 and in the zone file name that line 4 reads:

/sbin/ipset -N china hash:net
rm -f cn.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone
for i in $(cat cn.zone); do /sbin/ipset -A china $i; done

The blacklist entries in /usr/local/sbin/iptables-custom look like this using the country name from above:

/sbin/iptables -A INPUT -p tcp -m set --match-set china src -j DROP
/sbin/iptables -A INPUT -p udp -m set --match-set china src -j DROP

None of the country modifications take effect until you reload the IPset tables and restart IPtables. Both are accomplished by running /etc/block-china.sh.
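Because the two files have to stay in step, a cross-check before running /etc/block-china.sh catches a set that is loaded but never referenced, or a rule naming a set that is never created (iptables rejects a --match-set rule whose set does not exist). This is an added example, not part of TM3: the function names and the sample file contents, including the set name oldset, are constructed.

```bash
#!/bin/bash
# Added example: cross-check the IPset script against the firewall rules.

# sets_created FILE: names passed to "ipset -N" (or its synonym "ipset create").
sets_created() {
    awk '
        /^[ \t]*#/ { next }
        { for (i = 1; i < NF - 1; i++)
              if ($i ~ /(^|\/)ipset$/ && ($(i+1) == "-N" || $(i+1) == "create"))
                  print $(i+2) }' "$1" | sort -u
}

# sets_dropped PROTO FILE: set names that have a DROP rule for that protocol.
sets_dropped() {
    awk -v proto="$1" '
        /^[ \t]*#/ { next }
        /iptables/ && /-j DROP/ {
            p = ""; s = ""
            for (i = 1; i < NF; i++) {
                if ($i == "-p") p = $(i+1)
                if ($i == "--match-set") s = $(i+1)
            }
            if (p == proto && s != "") print s
        }' "$2" | sort -u
}

# in_list NAME LIST: true if NAME is one of the newline-separated entries.
in_list() { printf '%s\n' "$2" | grep -qxF -e "$1"; }

# check_country_blocks BLOCK_SCRIPT CUSTOM_RULES: print mismatches, return 0 if none.
check_country_blocks() {
    created=$(sets_created "$1")
    status=0
    for proto in tcp udp; do
        dropped=$(sets_dropped "$proto" "$2")
        for s in $created; do
            in_list "$s" "$dropped" ||
                { echo "MISSING: set $s is loaded but has no $proto DROP rule"; status=1; }
        done
        for s in $dropped; do
            in_list "$s" "$created" ||
                { echo "DANGLING: $proto rule matches set $s, which is never created"; status=1; }
        done
    done
    return $status
}

# make_samples: write constructed copies of both files to a temp dir, print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/block-china.sh" <<'EOF'
/sbin/ipset -N china hash:net
rm -f cn.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/cn.zone
for i in $(cat cn.zone); do /sbin/ipset -A china $i; done
/sbin/ipset -N russia hash:net
rm -f ru.zone
/usr/bin/wget -P . http://www.ipdeny.com/ipblocks/data/countries/ru.zone
for i in $(cat ru.zone); do /sbin/ipset -A russia $i; done
#/sbin/ipset -N oldset hash:net
EOF
    cat > "$dir/iptables-custom.broken" <<'EOF'
/sbin/iptables -A INPUT -p tcp -m set --match-set china src -j DROP
/sbin/iptables -A INPUT -p udp -m set --match-set china src -j DROP
/sbin/iptables -A INPUT -p tcp -m set --match-set russia src -j DROP
/sbin/iptables -A INPUT -p tcp -m set --match-set oldset src -j DROP
EOF
    cat > "$dir/iptables-custom.fixed" <<'EOF'
/sbin/iptables -A INPUT -p tcp -m set --match-set china src -j DROP
/sbin/iptables -A INPUT -p udp -m set --match-set china src -j DROP
/sbin/iptables -A INPUT -p tcp -m set --match-set russia src -j DROP
/sbin/iptables -A INPUT -p udp -m set --match-set russia src -j DROP
EOF
    echo "$dir"
}

samples=$(make_samples)
check_country_blocks "$samples/block-china.sh" "$samples/iptables-custom.broken" ||
    echo "-> fix iptables-custom before reloading"
check_country_blocks "$samples/block-china.sh" "$samples/iptables-custom.fixed" &&
    echo "fixed copy: sets and rules agree"
rm -rf "$samples"
```

Against the live files the call is check_country_blocks /etc/block-china.sh /usr/local/sbin/iptables-custom.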

8. Hardening SSH with 3CX in the Cloud

If you chose to implement the TM3 WhiteList option, SSH on your 3CX server is insulated from SSH attacks because the bad guys can’t see or access port 22 on your server. However, if you’re using the non-WhiteList approach with IPtables, then some additional safeguards to secure SSH are appropriate. As part of the TM3 security suite, Fail2Ban was installed to block repeated attempts to log in to SSH. While this offers some protection, be advised that Fail2Ban scans logs and, as such, requires a sufficient time slice of processing power to complete the task regularly. Some of the more vicious hacking attempts originate from extremely powerful server platforms that can monopolize processor resources thereby depriving Fail2Ban of the necessary horsepower to adequately protect your server from brute force SSH attacks. The most important thing you can do to protect SSH on your server is to regularly review /var/log/auth.log for hacking attempts and block those IP addresses using the add-blacklist script.
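To make the auth.log review repeatable, the added example below (not part of the TM3 suite) tallies failed SSH password attempts per source address and lists the sources worth passing to /root/add-blacklist after a look. The log lines, the threshold and the function names are constructed; the parser assumes the stock OpenSSH "Failed password" message format.

```shell
#!/bin/sh
# Added example, not part of the TM3 suite. The log lines are constructed.

# Print "<failures> <ip>" for each source with at least $2 failed SSH
# password attempts in log file $1, busiest first.
failed_ssh_sources() {
    awk -v min="$2" '
    / sshd\[[0-9]+\]: Failed password for / {
        # OpenSSH ends this message with "from <ip> port <n> ssh2".
        # Reading the address from the tail means a username crafted to
        # contain " from 1.2.3.4 " cannot shift blame to another host.
        if ($NF == "ssh2" && $(NF-2) == "port" && $(NF-4) == "from" &&
            $(NF-3) ~ /^[0-9A-Fa-f:.]+$/)
            failed[$(NF-3)]++
    }
    / sshd\[[0-9]+\]: Accepted / {
        # A source that also logged in successfully is probably an admin
        # who mistyped a password; never list it for blocking.
        for (i = 1; i < NF; i++) if ($i == "from") ok[$(i+1)] = 1
    }
    END {
        for (ip in failed)
            if (failed[ip] >= min && !(ip in ok)) print failed[ip], ip
    }' "$1" | sort -k1,1nr -k2,2
}

# Constructed auth.log excerpt using documentation-only address ranges.
write_sample_log() {
    cat > "$1" <<'EOF'
Jun 23 04:12:01 pbx sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 23 04:12:03 pbx sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 23 04:12:05 pbx sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jun 23 04:12:09 pbx sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 51290 ssh2
Jun 23 04:12:11 pbx sshd[1207]: Failed password for invalid user admin from 203.0.113.5 port 51290 ssh2
Jun 23 04:12:13 pbx sshd[1209]: Failed password for invalid user pi from 203.0.113.5 port 51301 ssh2
Jun 23 08:30:10 pbx sshd[2210]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun 23 08:30:13 pbx sshd[2210]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun 23 08:30:15 pbx sshd[2210]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jun 23 08:30:21 pbx sshd[2210]: Accepted password for root from 198.51.100.7 port 40022 ssh2
Jun 23 09:01:00 pbx sshd[2301]: Failed password for invalid user test from 192.0.2.9 port 33100 ssh2
Jun 23 09:01:02 pbx sshd[2301]: Failed password for invalid user test from 192.0.2.9 port 33100 ssh2
Jun 23 09:01:04 pbx sshd[2303]: Failed password for invalid user x from 198.51.100.200 port 1 ssh2 from 192.0.2.9 port 33104 ssh2
Jun 23 09:05:00 pbx CRON[2400]: pam_unix(cron:session): session opened for user root by (uid=0)
EOF
}

# Demo on the constructed log; on a real server use /var/log/auth.log.
sample=$(mktemp)
write_sample_log "$sample"
echo "Sources with 3 or more failed logins (review, then /root/add-blacklist <ip>):"
failed_ssh_sources "$sample" 3
rm -f "$sample"
```

The script only reports; it leaves the decision to run add-blacklist with you, so a mistyped password from your own address never ends up in the firewall.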

The most effective way to configure SSH access is to deploy key-based authentication using cryptographically secure keys. Once enabled and tested, be sure to remove the ability to log in using your root password. But be aware that removing root password access will mean that you cannot log in to your server from multiple devices without copying your private key to every device from which you wish to obtain access. An excellent tutorial that will walk you through the basic implementation procedure is available from Digital Ocean.

The other effective way to minimize SSH attacks is to change the default access port on your server from port 22 to some other TCP port above 1024. While there are arguments against this approach, if you have a dedicated IP address assigned to your server, the likelihood of a bad guy hijacking your IP address and setting up a script to fake SSH behavior and surreptitiously collect your passwords is extremely remote. Most of the bad guys use toolkits that target port 22 for brute force SSH attacks. By changing the port, you cut your vulnerability by about 99 per cent. Here’s how. First, edit /etc/ssh/sshd_config. Change the line near the top of the file from Port 22 to some port number above 1024. If the line is commented out with #, remove the #. Second, edit /etc/iptables/rules.v4. On or about line 27, change 22 to the port number you assigned in the first step. Third, edit /etc/fail2ban/jail.conf. Scroll down to the [ssh] section of the file and change the port entry to: port = ssh,1234 where 1234 is the port number you assigned in step one. Save the file. Fourth, restart SSH: /etc/init.d/ssh restart. Finally, restart IPtables: iptables-restart.

When using an SSH client to log in to your server, the new syntax should look something like this: ssh -p 1234 root@ipaddress where 1234 is the port you assigned for SSH access to your server and ipaddress is the IP address or FQDN of your server. When using PuTTY, be sure to change the port to match the SSH port you assigned for SSH access to your server.
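The port change touches three files, and restarting with only some of them edited is the classic way to lock yourself out. The added example below (not part of the TM3 suite) checks that the port in sshd_config is also opened in rules.v4 and listed in the [ssh] jail before you restart anything. The sample file contents, port 2222 and the function names are constructed, and the firewall check assumes an iptables-save style rule with a single --dport for SSH.

```shell
#!/bin/sh
# Added example, not part of the TM3 suite. File contents are constructed
# and assume an iptables-save style rules.v4 with one --dport rule for SSH.

# Ports sshd will listen on: every uncommented "Port" line, else the default 22.
sshd_ports() {
    p=$(awk 'tolower($1) == "port" { print $2 }' "$1")
    echo "${p:-22}"
}

# True if the [ssh] jail's comma-separated port list contains port $2.
jail_has_port() {
    awk -v want="$2" '
    /^\[/ { in_ssh = ($0 ~ /^\[ssh\]/) }
    in_ssh && /^[ \t]*port[ \t]*=/ {
        sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
        n = split($0, item, /[ \t]*,[ \t]*/)
        for (i = 1; i <= n; i++)
            if (item[i] == want || (want == 22 && item[i] == "ssh")) found = 1
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# Print each inconsistency; return 0 only if all three files agree.
check_ssh_port() {
    cfg=$1; rules=$2; jail=$3; rc=0
    for port in $(sshd_ports "$cfg"); do
        case $port in
            ''|*[!0-9]*) echo "sshd_config: invalid Port value '$port'"; rc=1; continue ;;
        esac
        if ! grep -Eq -- "^-A INPUT .*-p tcp .*--dport $port .*-j ACCEPT" "$rules"; then
            echo "rules.v4: no tcp ACCEPT rule for port $port; the firewall would block SSH on the new port"
            rc=1
        fi
        if ! jail_has_port "$jail" "$port"; then
            echo "jail.conf: [ssh] port list lacks $port; Fail2Ban bans would miss the new port"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files in directory $1; $2 is the port in the firewall rule.
write_ssh_samples() {
    printf '#Port 22\nPort 2222\n' > "$1/sshd_config"
    cat > "$1/rules.v4" <<EOF
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport $2 -j ACCEPT
COMMIT
EOF
    cat > "$1/jail.conf" <<'EOF'
[DEFAULT]
bantime = 600

[ssh]
enabled = true
port = ssh,2222
filter = sshd
logpath = /var/log/auth.log

[apache]
port = http,https
EOF
}

# Demo: sshd moved to 2222 but the firewall rule was left at 22.
demo=$(mktemp -d)
write_ssh_samples "$demo" 22
check_ssh_port "$demo/sshd_config" "$demo/rules.v4" "$demo/jail.conf" ||
    echo "Do not restart SSH or IPtables until the files agree."
rm -rf "$demo"
```

On the server itself, the three arguments would be /etc/ssh/sshd_config, /etc/iptables/rules.v4 and /etc/fail2ban/jail.conf; keep your current SSH session open until a second login on the new port succeeds.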

Nerd Vittles Exclusive: Grab your new (free) 3CX perpetual license with unlimited SIP trunks, 10 extensions, 4 simultaneous calls, and 10-user conferencing here.

Originally published: Friday, June 23, 2017



Need help with 3CX or VoIP? Visit the PBX in a Flash Forum.


 

Special Thanks to Our Generous Sponsors


FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 




  1. Some of our links refer users to providers that support Nerd Vittles through referral fees or advertising. These funds help cover the costs of our blog. We never recommend particular products solely to generate revenue. However, when pricing is comparable or particular features warrant our recommendation, we support these vendors and deeply appreciate their financial support of our software development efforts.

The World Traveler and 3CX: A Match Made in Heaven

Last week we introduced the new (free) version of PIAF5 powered by 3CX v15.5 supporting four simultaneous calls, unlimited trunks, 10 extensions, and 10-user conference calls. And today we’re torture-testing our new 3CX server in the Bahamas aboard one of Carnival’s 3,000-passenger floating cities. Somebody’s gotta do it, right? What makes this such a challenging test for any PBX are several things. First, we’re using a free Google Voice trunk on a free 3CX PBX that we configured in under 10 minutes at CloudAtCost for a one-time cloud server charge of $17.50. Second, we’re sharing a satellite Internet connection with 3,000 other people in the middle of the Caribbean. The weekly charge is about $100 so every Internet junkie subscribes. Third, we’re using a 3CX Client on an iPhone in Airplane Mode. And, finally, we’re sitting behind the most Draconian firewall you can imagine because Carnival assumes everyone is a bad guy trying to bring their Internet service to its knees.

For those coming from the Asterisk® world, I don’t have to remind you how challenging this NAT-based setup would be even assuming you had a flawless Internet connection. Believe me. We don’t. And the secret sauce that makes all of this seem like child’s play is the latest collection of 3CX Clients for PCs, Macs, Android devices, and iPhones/iPads. Simply download the client for your platform, log into your 3CX portal and send the welcome email from a configured extension to your phone, open the email on your phone and double-click on the attachment, and boom. Your 3CX Client is automatically configured in seconds and ready to make your first call. A monkey could do it. It’s that easy!

So our torture-test for today looks more like a final exam in VoIP telephony. We’ll be using Carnival’s WiFi connection from our iPhone with its iOS 3CX Client. We’ll dial into the Incredible PBX™ at our office in Charleston. The office number is configured with a Stealth AutoAttendant which we’ll use to make an outbound call to our Demo IVR in Marbella, Spain using DISA and a FreeVoipDeal trunk. For the techies, it’s the NAT Trifecta with DTMF hurdles that are virtually impossible to traverse using Asterisk and any SIP client.

Guess what? It not only works, but it sounds like you’re sitting in the adjoining office. No echo, no DTMF problems, no missing audio, and no detectable problems in voice quality with either the Charleston IVR or the Marbella IVR. If cost matters and traveling is a key component in your telephony requirements, you owe it to yourself to set up a free 3CX PBX and take it for a spin. Whether you use it to supplement an existing Asterisk setup or as a standalone PBX, we think you’ll be thrilled with the results.

Continue reading about the new, free PIAF5 server powered by 3CX v.15.5

Originally published: Monday, June 12, 2017




Best of Both Worlds: Marrying Asterisk to 3CX’s Free PBX with a $35 Raspberry Pi


One of the real beauties of Asterisk® has always been its flexibility in talking to other PBXs, both commercial and open source. There are numerous reasons why you might want to try this. First, it makes it easy to migrate to a commercial platform where you can get support for mission critical telephony requirements. Second, you may want a hybrid setup where servers with on-site support personnel can run Asterisk while remote satellite offices can take advantage of a commercial PBX and the support options it offers. Third, you may want to take advantage of specific features that are only available by relying upon multiple PBX solutions. In the case of 3CX, their integrated softphone clients with one-click setup simplicity, conferencing and WebRTC apps, and Call Center offerings are the best in the business while providing unmatched VoIP security. Asterisk on the other hand is light-years ahead of almost everybody in the text-to-speech and voice recognition fields while offering the most powerful VoIP toolkit to build any custom VoIP application imaginable.

Today we thought it would be fun to walk you through the easy way to tie an Incredible PBX server with all its features to a powerful (free) 3CX platform with its virtually flawless softphone clients.[1] When we’re finished, you’ll have a free 3CX server in the Cloud at a one-time total cost of $17.50. And you’ll be able to place and receive free U.S./Canada calls from any iPhone, Android phone, or PC using the 3CX client from anywhere in the world with nothing more than a WiFi connection. The Google Voice trunk supporting the calls will reside on Incredible PBX for the Raspberry Pi. When you’re sold on the power of the 3CX platform, you can upgrade to the 3CX 4-simultaneous call commercial offering with unlimited users and trunks at an annual cost of just $149. Maintenance and upgrades are included. Large organizations have relied upon back office servers for custom applications forever. And now you can take advantage of the same flexibility using a tiny $35 Raspberry Pi and our free (as in really free) Incredible PBX software. No Gotchas!

Initial Raspberry Pi Platform Setup

Before we can interconnect 3CX’s Free PBX with a Raspberry Pi, you obviously have to set up both PBX platforms. For the Raspberry Pi, our recent Nerd Vittles tutorial will walk you through the setup process. In lieu of a Raspberry Pi, you can use any legacy FreePBX®-based Asterisk platform including Incredible PBX 13, PIAF3, Elastix®, AsteriskNOW®, or FreePBX Distro®. The setup procedure is exactly the same.

Building a 3CX Server in the Cloud

Building a 3CX server in the Cloud is equally easy. Let’s go through the process once again. If you’re just experimenting, a lifetime Cloud-based server at CloudAtCost for a one-time charge of $17.50 cannot be beat. We would hasten to add that we don’t recommend this platform for production use, but it’s a terrific proof-of-concept option. When you’re actually ready to deploy 3CX for production use, the least costly Cloud solution is the $3.49 per month OVH RAID offering with 2GB of RAM and 10GB storage. The $5 per month offerings from Digital Ocean and Vultr are other alternatives worth a look. Both of these platforms come with free credits ($10 and $20, respectively) to let you try things out.

To get started, sign up for a $17.50 server at Cloud at Cost. They will send you credentials to log into the Cloud at Cost Management Portal. Change your password IMMEDIATELY after logging in. Just go to SETTINGS and follow your nose.

To build your free 3CX PBX, create a virtual machine by clicking on the CLOUDPRO button in the CloudAtCost control panel. Then click Add New Server. Choose 1 CPU, 512MB RAM, and 10GB storage for your server. Choose Debian 8 64bit as the OS Type and click Complete.

While CloudAtCost is building your server platform, obtain a free license key for 3CX.

Once the Debian 8 server appears in your Control Panel, it will look something like what’s shown above, not CentOS obviously. The red arrow points to the i button you’ll need to click to decipher the password for your new virtual machine. You’ll need both the IP address and the password for your new virtual machine in order to log into the server which is now up and running with a barebones Debian 8 operating system. Note the yellow caution flag. That’s telling you that Cloud at Cost will automatically shut down your server in a week to save (them) computing resources. You can change the setting to keep your server running 24/7. Click Modify, Change Run Mode, and select Normal – Leave Powered On. Click Continue and OK to save your new settings.

Finally, you’ll want to change the Host Name for your server to something more descriptive than c7…cloudpro.92… Click the Modify button again and click Rename Server to make the change. Your management portal then will show the new server name as shown above.

Next, log in to your new Debian server as root using SSH or Putty and issue the commands below. Step #1 is to change your root password. What appears as the fourth line below is actually part of the third line and needs to be run as a single command. The last line to install SendMail will actually be run after you elect to use the Web Interface Wizard to configure 3CX. Just run it from the SSH command line before you switch to a browser to complete the 3CX setup.

passwd
wget -O- http://downloads.3cx.com/downloads/3cxpbx/public.key | apt-key add -
echo "deb http://downloads.3cx.com/downloads/3cxpbx/ /" | tee /etc/apt/sources.list.d/3cxpbx.list
apt-get update
rm -f /zang-debian.sh
apt-get -y install 3cxpbx
apt-get -y install sendmail sendmail-bin

When the initial setup finishes, choose the Web Interface Wizard and complete the install using your favorite web browser. Enter your 3CX license key when prompted. Make up a very secure Username and Password to access your 3CX portal. Specify that your IP address is Dynamic when prompted (even though it isn’t). This tells 3CX to generate an FQDN for your server. Accept the default ports for HTTP (5000) and HTTPS (5001) access to your server. We recommend choosing 4-digit extension numbers which will make it easy to distinguish 3CX extension numbers from 3-digit extension numbers of the RasPi platform. While logged into the 3CX management portal, adjust Settings → Email to Mail Server → 127.0.0.1 and Reply to → noreply@YourActual3CX-FQDN. Leave the other settings blank and click TEST then OK. Now download your favorite 3CX smartphone client, send yourself the Welcome Email for your default extension, and your 3CX initial setup is complete.

Server Interconnection Overview

Now we’re ready to interconnect the two servers. What we’ll be doing is creating Trunks on both the Raspberry Pi and the 3CX server and tying them together. We’ll use this trunk to handle the call traffic between the two PBXs. Then we’ll add incoming and outgoing call routes on both servers to specify how the individual calls should be routed. Because the free version of 3CX limits the administrator to a single trunk, we’ll offload all of the provider trunks to the Raspberry Pi and reserve the one available 3CX trunk as the interconnect path to the Raspberry Pi. For today’s setup, we’ll use 3CX’s free softphone clients as the actual phone devices for end-users. Of course, you could also use your favorite SIP phones, and 3CX provides automatic configuration for dozens of devices. But we want to introduce the 3CX smartphone clients because they provide an incredibly easy way to get users connected without having to worry about punching holes in firewalls.

To place outbound calls on the 3CX side, 3CX provides enormous flexibility in call routing. Because we chose 4-digit local extensions when we set up the 3CX server, it will make it easy to route other calls through the outbound trunk to the Raspberry Pi using nothing more than the length of the dial string. For example, 3-digit calls line up perfectly with extension numbers on the Incredible PBX for RasPi platform. So 3CX users can easily reach extensions connected directly to the Raspberry Pi. And 10-digit 3CX calls will be forwarded to the Raspberry Pi as traditional outbound calls. They will be processed just as if you had dialed a 10-digit call from a Raspberry Pi extension. For example, if you have a registered Google Voice trunk to handle 10-digit calls on the Raspberry Pi, then the same call path would be used for calls originating from 3CX extensions. And, yes, calls to the U.S. and Canada would still be free and would display the CallerID associated with the Raspberry Pi’s Google Voice trunk. You could get more creative and add an additional dialing prefix on the 3CX side to route specific types of calls to a designated outbound trunk on the Raspberry Pi side based upon the dialing prefix, but we’ll leave that as a homework project for you.

For incoming calls on the 3CX side, in addition to 4-digit local extension-to-extension calling, we can define the destination for incoming calls that originate from either a Raspberry Pi extension or from outside calls coming in from one of the Raspberry Pi’s provider trunks. These are managed by assigning one or more DIDs in the 3CX trunk configuration and then creating 3CX Inbound DID Rules that tell 3CX where to route calls to each defined DID. For 3CX softphone clients registered to extensions, it means your cellphone will ring whenever a call is routed to that particular extension. On the Raspberry Pi side, we create Incoming Call Routes for each DID to be routed to 3CX and specify our defined 3CX trunk as the destination for incoming calls from those DIDs. Not all DIDs on the Raspberry Pi have to be routed to the 3CX server obviously. That is merely one of many call destination options available to the administrator on the Raspberry Pi server.

Here’s a typical call path for an outside call that is placed to a Google Voice number registered with your Raspberry Pi. The Asterisk server running on the Raspberry Pi would answer the call placed to the Google Voice Trunk. Asterisk then would check for an Incoming Route on the Raspberry Pi with a DID matching the number of your Google Voice trunk. Finding a match, Asterisk would check for the desired destination of the call and would note that it is listed as the registered 3CX trunk. Asterisk would pass the call through this trunk to the 3CX server including its associated DID and CallerID info. The 3CX server would answer the incoming call and would check for an Incoming Route matching the DID passed from Asterisk. Finding a match, it would pass the call to the Extension specified in the Incoming Route. When 3CX rings the extension, it would also detect that a softphone was registered to that extension and would also ring the 3CX client on the user’s smartphone. The user answers the call on the 3CX client of their smartphone and begins a conversation. The free version of the 3CX server supports 8 simultaneous calls so you are unlikely to ever run out of call paths for calls in the home and small office environment.

Firewall Setup for Server Interconnection

Because the 3CX server is sitting in the Cloud, its firewall is configured automatically as part of the setup process. If your Raspberry Pi is sitting behind a NAT-based firewall, then you would need to map port UDP 5060 from the router on your public IP address to the private IP address of your Raspberry Pi. In addition, log in to your Raspberry Pi as root using SSH and run /root/add-ip to whitelist the public IP address of your 3CX server in the cloud. Otherwise, the 3CX server cannot establish a connection to your Raspberry Pi.

Raspberry Pi Trunk Configuration

Using a browser, log in to the web interface for FreePBX on your Raspberry Pi and choose Connectivity → Trunks → Add SIP (chan_sip) Trunk. Name the trunk remote. In the Outgoing Settings, make the entries shown below naming the trunk remote and using a secure secret that will be used to interconnect the two servers. The Register String looks like the following: main:secret@3CX-IP-Address where main is the 3CX server trunk name, secret is your secure secret, and 3CX-IP-Address is the 3CX public IP address.

3CX Trunk Configuration

Using a browser, log in to your 3CX server: https://3CX-IP-Address:5001 or http://3CX-IP-Address:5000. From your Dashboard, choose SIP Trunks → Add SIP Trunk. Create a Generic SIP Trunk and then fill in the blanks as shown below. For Registrar/Server/Gateway Hostname or IP, use the public IP address or FQDN of your Raspberry Pi. For Type of Authentication choose Outbound. The authentication credentials should be remote and the secure secret you chose, and the Main Trunk No should match the DID of the Google Voice trunk you set up on your Raspberry Pi. Then pick a default Destination for incoming calls.

3CX Outbound Rules Configuration

Next, we need to tell 3CX which outgoing calls to send out through the Raspberry Pi trunk we just set up. In our example today, we’re going to send all 10-digit calls and 3-digit calls. The 10-digit calls will be routed out the Google Voice trunk on the Raspberry Pi side. And the 3-digit calls will be sent directly to Raspberry Pi extensions. So we’ll need two Outbound Rules.

For the first rule, choose Outbound Rules → Add. For the Rule Name, specify StandardOut. Apply the rule to Calls to Numbers with a length: 10. For Route 1, choose Generic SIP Trunk as the Destination. Click OK to save the new rule.

For the second rule, choose Outbound Rules → Add. For Rule Name, specify StandardInt. Apply the rule to Calls to Numbers with a length: 3. For Route 1, choose Generic SIP Trunk as the Destination. Click OK to save the new rule.

If you already have configured a 3CX smartphone client for one of your 3CX extensions, you now should be able to dial any 3-digit or 10-digit number and have the call processed through your new 3CX→RasPi trunk without any further setup assuming you’ve created a Google Voice trunk on the Raspberry Pi side. That wasn’t too hard, was it?

Routing Incoming Google Voice Calls to 3CX

Depending upon your own requirements, you may want to route incoming Google Voice calls or other trunks directly to an extension and/or softphone on your 3CX server. You obviously could set up multiple trunks of any type on the Raspberry Pi side and have the calls to each trunk routed to a different extension or softphone on the 3CX side. To enable this on the 3CX side, edit your Generic SIP Trunk and click the DIDs tab. Then Add each of the 10-digit DIDs of the Raspberry Pi trunks you wish to redirect. Next, create an Inbound Rule for every DID and tell 3CX where to route the calls.

On the Raspberry Pi side, add each of your Google Voice Trunks. Then create an Inbound Route for each DID and specify the Destination as Trunks → Remote (sip). The 3CX server will take care of routing the various incoming calls to each of the Google Voice trunks to its predefined extension and/or softphone. Enjoy!

Originally published: Monday, March 6, 2017






  1. A simpler Bridge setup is available in the paid versions of 3CX.