Practicing Safe SIP: Adding SIP URI Connectivity with a Zero Internet Footprint
PBX in a Flash™ has a long (safe) history in the VoIP community, and the major reason is that we constantly preach never directly exposing any ports on your Asterisk® server to the Internet without implementing a WhiteList of safe IP addresses. This Zero Internet Footprint™ design keeps everybody out except a trusted, defined group on your WhiteList. Everyone else never sees your server. So how do you receive calls? You do it with phone numbers (DIDs) tied to registered Google Voice, SIP, and IAX trunks from reputable providers. Because these trunks have constant registrations with safe service providers on the Internet, calls to these DIDs can flow in and out of your server without exposing your server directly to the Internet.
The drawback of this design is that it rules out inbound SIP URI calls to your server, and these calls typically are free. If you do a lot of international business or have family in far away places, that matters. Using a SIP proxy with Asterisk means anybody with a SIP telephone or a SIP-enabled web app anywhere in the world can punch in a SIP URI such as 1234567@nerdvittles.com, and your phones start ringing.
Practice Safe SIP! Today we’ll show you how easy it is to set up a hybrid SIP URI facility for your server while totally preserving your server’s Zero Internet Footprint. It’s not quite free, but it’s close. If paying 6¢ an hour for incoming calls is too rich for your blood, then stop reading now. For us, it’s a small price to pay to sleep well and avoid a $100,000 phone bill because someone hacked your server through an anonymous SIP attack in the middle of the night. There’s more good news. You may not even be charged the 6¢ an hour tariff.
How It Works. Today’s design works like this. We’ll set up an account with VoIP.ms and then create a standard SIP subaccount. As part of that setup, you can create a random extension on their server and tie that extension to a SIP URI for your subaccount. On our server, we’ll create a new SIP trunk and register to the voip.ms SIP subaccount we just created. This gets us a safe tunnel to make and receive calls using this trunk OR the SIP URI we just created. With this 2-layer SIP design, we’re basically using voip.ms as our anonymous SIP firewall. They get to worry about anonymous SIP attacks, and we pay them 6¢ an hour for inbound SIP URI calls that they pass along and we choose to answer.
There are also some collateral benefits using the hybrid SIP URI approach. First, it means that, instead of paying $1 a month and a penny a minute for calls using an actual DID from voip.ms, you now can take advantage of IPkall’s free DIDs in Washington state. By signing up for one of these, you now have a regular phone number that people can call to reach your server without your having to pay a monthly fee for the DID. In this cellphone era, it doesn’t much matter what the area code of your number happens to be since nationwide cellphone calls are all priced the same. The only cost to you is 6¢ an hour for the inbound calls. Oddly enough, VoIP.ms hasn’t been charging for the calls at least during the last couple weeks of our testing. Don’t count on it forever, but it is good to see they are at least considering a different pricing structure for SIP URI calls.
There’s a security advantage with hybrid SIP URIs as well. By never activating auto-replenishment on a VoIP provider account, your maximum financial exposure if something goes horribly wrong is limited to the prepay balance in your account. Finally, for those that want multiple SIP URIs and multiple DIDs, nothing precludes your repeating this drill. Just add another subaccount to your voip.ms account. So let’s get started.
VoIP.ms Setup. Register for a new account at VoIP.ms if you don’t already have one. This gets you an account with an account number such as 1234567. Don’t ever use your main account. Instead, create a subaccount:
Create a username for this subaccount. It will be your account number, an underscore, and a name of your choosing (up to 12 characters). Make up a very secure password. These are the two pieces you will need to create a SIP trunk on your server so write them down. Leave CallerID Number blank. We can handle that on your Asterisk server. Be sure to select Asterisk for the Device Type. The remaining entries at the top of the form are self-explanatory. Just make your settings match ours.
The bottom section of the form needs to be filled out to create a SIP URI. Make up an extension number for this subaccount, 1010 in our example. Ignore the leading 10 which is only used to make calls between voip.ms subaccounts. This would mean your SIP URI for this subaccount is 12345671010@atlanta.voip.ms where 1234567 is your account number, 1010 is your extension, and atlanta.voip.ms is one of the voip.ms POPs. For the list of available POPs, go to Main Menu -> Account Settings -> Default DID Routing in your Customer Portal. Click Create Account when you’re finished and wait a minute for your settings to propagate to all of the voip.ms servers.
FreePBX 2.10 Setup. Using a web browser, log into FreePBX® on your server. We’ll need to create three items to get everything working. First, we’ll add a new SIP trunk with your voip.ms credentials. Second, we’ll add an Inbound Route to process incoming calls. Third, we’ll add an Outbound Route so that you can make calls using your voip.ms trunk.
- Connectivity -> Trunks -> Add SIP Trunk
- Connectivity -> Inbound Routes -> Add Incoming Route
- Connectivity -> Outbound Routes -> Add Route
Adding VoIP.ms SIP Trunk. While logged into FreePBX 2.10, choose Connectivity -> Trunks -> Add SIP Trunk. Fill out the form like this using your correct subacctname, subacctpassword, desired VoIP.ms host, and whatever 10-digit number you’d like your server to use to identify inbound calls from this VoIP.ms subaccount (12345671010 in the example below). If you plan to use this trunk for outbound calls, enter a CallerID number. Legally, it must be a number that you own, i.e. don’t use the White House number or you may get a call you don’t want. Also be aware that for outbound calls, VoIP.ms rejects 10-digit numbers so you must prepend a 1 to 10-digit calls destined for the U.S. and Canada.
- Trunk Name: VoIPms
- Outbound Caller ID: any number you own
- Dial Pattern: Prepend: 1 Match Pattern: NXXNXXXXXX
- Trunk Name: voipms
- Trunk Details:
  - canreinvite=nonat
  - nat=yes
  - context=from-trunk
  - host=atlanta.voip.ms
  - secret=yourpassword
  - type=friend
  - username=1234567_subacctname
  - disallow=all
  - allow=ulaw
  - fromuser=1234567_subacctname
  - trustrpid=yes
  - sendrpid=yes
  - insecure=port,invite
  - qualify=yes
- Register String: 1234567_subacctname:yourpassword@atlanta.voip.ms/12345671010
Finally, in Settings:SIP Settings, add the following entry at the bottom in the Other SIP Settings field: match_auth_username=yes. Save your changes and reload your dialplan when prompted.
Adding VoIP.ms Inbound Route. While logged into FreePBX 2.10, choose Connectivity -> Inbound Routes -> Add Incoming Route. The only trick to this is the DID Number you enter must match the 10-digit number you chose for the end of the SIP registration string in the last step. The numbers really don’t matter, but they must match because this is what FreePBX uses to identify calls as originating from this SIP Trunk. You use the Inbound Route to tell FreePBX how to route the incoming calls once they hit your PBX. For example, you could ring an extension, a ring group, or route the call to an IVR where the caller was given a list of choices from which to pick their own call routing option. Don’t put your CallerID Number in here or only calls from your number would be accepted! Here’s a typical setup to route the calls to an IVR. Leave the other options at their defaults.
- Description: VoIPms
- DID Number: 12345671010
- CallerID Number: leave blank
- CID Source: Caller ID Superfecta
- Destination:
  - IVR: nv-ivr
Adding VoIP.ms Outbound Route. How you set up the Outbound Route to handle outgoing calls depends upon what you already have in place. If you already have outbound trunks on your PBX, our recommendation is to add a prefix to force certain calls to go out through your VoIP.ms trunk. For example, a caller might dial 9-1-404-555-1212 or 9-404-555-1212 to force the call out through VoIP.ms. We’ll strip off the 9 before passing the number to VoIP.ms, and our Trunk setup will take care of adding the 1 if only 10 digits are dialed. Here’s how to set that up. While logged into FreePBX 2.10, choose Connectivity -> Outbound Routes -> Add Route.
- Route Name: VoIPms
- Dial Pattern: Prefix: 9 Match Pattern: NXXNXXXXXX
- Trunk Sequence: 0 VoIPms
If you have a default Outbound Route that already uses another Trunk such as Google Voice or Vitelity, then you can add a little redundancy to your system by adding VoIPms as an additional option at the end of the Default Trunk Sequence. Then, if the primary outbound route is out of service, the calls will automatically be routed out through VoIP.ms.
Adding an IPkall DID for Your SIP URI. We’ve now completed all the steps necessary to receive incoming SIP URI calls using our example VoIP.ms SIP URI: 12345671010@atlanta.voip.ms. Anyone in the world can dial that SIP URI from a SIP phone, and the calls will be answered by our sample IVR, nv-ivr. But suppose we’d also like folks to be able to pick up a Plain Old Telephone and call us using VoIP.ms to route the incoming call through our SIP URI at the 6¢ per hour calling rate. Here’s the easy way to do it. Just sign up for a free DID at www.ipkall.com. After choosing an area code for your free number, you’ll be prompted for the following information. Here’s what you’d enter using today’s example:
- SIP Phone Number: 12345671010
- SIP Proxy: atlanta.voip.ms
- Email Address: your-email-address
- Password: some-password-to-get-back-into-your-account
Once you’ve completed the form, submit it and wait for your new phone number to be delivered in your email. You should get it within a couple minutes so check your spam folder if you don’t see it. Congratulations! You’ve done everything you need to do for anyone to call you using either your SIP URI or your new DID number from IPkall.
It’s worth noting that IPkall recycles DIDs that aren’t used for 30 days. If you use Incredible PBX, the easiest way to assure that you don’t lose your number is to set up a recurring Telephone Reminder that calls your own number once a week.
Free iNum DID. There’s another important benefit from signing up for a VoIP.ms account. You’re also eligible for a free iNum DID. This lets people around the world call you by dialing a local number in most countries. And iNum calls are always free with Google Voice. You can read all about how it works and how to set up your free iNum DID in this Nerd Vittles article.
Test Drive. The proof is in the pudding, as they say. So we invite you to take our SIP URI, iNum DID, and IPkall DID for a test drive. They’re all running on a $35 Raspberry Pi with Incredible PBX 3.3 with its Applications AutoAttendant. You can try a news, weather, or stock report as well as checking the current East Coast time. Or you can try a text-to-speech call from the AsteriDex phone book by choosing option 5 and saying one of the airlines in the default install, e.g. American Airlines. Enjoy!
- SIP URI: 10159521010@raspi.mundy.org
- iNum DID: 883510009901997
- IPkall DID: 1-425-998-2778
- GVoice DID: 1-843-284-6844
Don’t forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number.
Originally published: Thursday, 10/11/12
Astricon 2012. Astricon 2012 will be in Atlanta at the Sheraton beginning October 23 through October 25. We hope to see many of you there. We called Atlanta home for over 25 years so we’d love to show you around. Be sure to tug on my sleeve and mention you’d like a free PIAF Thumb Drive. We’ll have a bunch of them to pass out to our loyal supporters. Nerd Vittles readers also can save 20% on your registration by using coupon code: AC12VIT.
Need help with Asterisk? Visit the PBX in a Flash Forum.
whos.amung.us. If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Sleep Like a Baby: 20 Failsafe Tips to Enhance Asterisk PBX Security
We often tell the tale of the early Asterisk@Home days when almost every server was configured with no firewall, unlimited web access, and a 201 extension with a password of either 201 or 1234. What could possibly go wrong? Remember this Monday morning newspaper headline? "Small business gets $120,000 phone bill after hackers attack VoIP phone." News.com.au ran this story back in 2009: "Criminals hacked into an Internet phone system and used it to make 11,000 international calls in just 46 hours… 115,000 international mobile calls were made… over a six month period."
Much has changed over the past ten years in Asterisk® Land. And, to get everyone in the football mood, today we want to do a little sofa quarterbacking and take a fresh look at security applying some 20-20 hindsight to everything we’ve all learned over the years. Whether you’re running PBX in a Flash or Incredible PBX in your basement or on a virtual machine in the cloud somewhere, security matters and the checklist that follows hopefully will assist everyone in tightening up your systems so that you or your company aren’t the next headline waiting to happen.
PBX in a Flash Security Alert: Run upgrade-programs then upgrade-fixes to secure your server today!
1. Review PIAF Security Alerts Daily. We devote a lot of time to making sure PBX in a Flash and Incredible PBX are secure. But stuff happens! For privacy and security reasons, we don’t push fixes to your server. You have to go get them. If you never see the alerts, our attention to security is for naught. Here are 3 Easy Ways to Keep Informed:
- Subscribe to the PBX in a Flash RSS Security Feed
- Follow @NerdUno on Twitter
- Review the RSS Feed in the PIAF Dashboard with a browser
Every security alert has a link to a solution. Finally, visit the PIAF Forums and click on the What’s New link. It only takes a minute to scan the list for security issues.
2. Hardware-Based Firewall Protection. Unless your PBX is operating on a shared server in the cloud, always run it on a private LAN behind a hardware-based firewall with no Internet port exposure. The one exception would be for those with remote telephone extensions, and we’ll get to that in a minute. The cheapest consumer grade router/firewall provides more security for your server than all of the other security mechanisms combined. Use it!
3. The Linux iptables Firewall. All PBX in a Flash and Incredible PBX servers have the iptables firewall in place. With PBX in a Flash, you have to configure it yourself unless you deploy Travelin’ Man 3. With Incredible PBX, iptables is preconfigured if you opt to install Travelin’ Man 3 as part of the installation process. It doesn’t do much good to have iptables if it’s not functioning. So check it regularly and especially after rebooting your server. On CentOS-based systems, issue the command: iptables -nL. On the Raspberry Pi, type: iptables-save. You should see a list with a lot of permitted IP addresses for preferred providers. If not, restart iptables and then check it again. To restart iptables on CentOS: service iptables restart. On the Raspberry Pi, issue the command: iptables-restore /etc/network/iptables. If you discover that your iptables firewall was not functioning and you’re running PBX in a Flash or Travelin’ Man 3, a security alert has been issued to address the problem. You can get the security fix here.
4. IP Address Filtering. Even with remote phones and dynamic IP addresses, it often is relatively easy to narrow down the range of permissible IP addresses that should have access to your server. With the Linux iptables firewall, you can implement dynamic DNS FQDNs for your remote users. With many hardware-based firewalls, you can’t. But often you can limit remote access to a range of IP addresses. A little protection is still better than none. With a hardware-based firewall, these IP address ranges usually can be changed via web access to your firewall. The minute it takes to make necessary changes is well worth the effort. Just make sure your hardware-based firewall has a long password with upper and lower case letters as well as numbers and non-alphanumeric characters if your firewall supports them.
5. Fail2Ban Access Monitoring. On PBX in a Flash and CentOS-based Incredible PBX servers, fail2ban is activated to limit access attempts to protected resources such as SIP extensions, SSH, and Apache. It is not infallible particularly in this age of megaservers such as Amazon’s S3 service. Because fail2ban reads your logs looking for failed login attempts, it can be defeated with powerful servers attempting thousands of access attempts simultaneously because fail2ban never gets sufficient Linux resources to read logs and block access. It’s better than nothing, but not by much.
6. Deploy WhiteLists for Remote Access. If your server is in the Cloud (meaning it is directly exposed to the Internet) or if you have remote extensions directly connected to your server, your primary line of defense against the bad guys is your iptables firewall. We’ve tried many designs with the objective of letting the good guys in while keeping the bad guys out. The one failsafe solution is IP address WhiteLists. What this means is, if an IP address is listed as safe in iptables, then connections to certain resources from that IP address are permitted. Otherwise, your server remains invisible to the outside world. We have a couple of tools to assist you in setting this up. Travelin’ Man 2 lets authorized users manage their remote IP addresses themselves through a simple browser interface to your server. Travelin’ Man 3 lets a system administrator manage remote IP addresses using both permitted IP addresses and fully-qualified domain names. In the case of remote users with dynamic IP addresses, DynDNS management tools can be deployed on Macs, Windows machines, and Android devices to automatically update FQDNs used in conjunction with Travelin’ Man 3. As noted previously, a security alert has been issued with Travelin’ Man 3. You can get the security fix here.
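One way to automate the firewall check from tips 3 and 6, added here as an example and not part of Travelin’ Man or PBX in a Flash: it reads `iptables-save` output and reports whether rules are loaded, whether INPUT denies by default, and which ACCEPT rules admit any source address. The rulesets and addresses are constructed samples, and 5060/udp (SIP) and 4569/udp (IAX2) are assumed to be the ports in use.

```python
import shlex
import sys

# VoIP signalling ports reported by name (assumed defaults: SIP and IAX2).
VOIP_PORTS = {("udp", 5060): "SIP", ("udp", 4569): "IAX2"}
OPTIONS = {"-s": "source", "--source": "source", "-p": "proto", "-i": "iface",
           "-j": "target", "--state": "state", "--ctstate": "state"}

# Constructed iptables-save output using documentation addresses.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -s 203.0.113.25/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -p udp -m multiport --dports 4569,5060:5069 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2319 -j ACCEPT
COMMIT
"""

# Constructed: what the table looks like when no rules loaded after a reboot.
EMPTY_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

def parse_ports(spec):
    """Expand '5060', '5060:5069' or '4569,5060:5069' into (low, high) pairs."""
    ranges = []
    for part in spec.split(","):
        low, sep, high = part.partition(":")
        if not sep:
            high = low
        ranges.append((int(low or 0), int(high or 65535)))
    return ranges

def parse_rule(line):
    """Pull the fields the audit needs out of one '-A INPUT ...' line."""
    rule = dict.fromkeys(OPTIONS.values())
    rule.update(raw=line, ports=[])
    tokens = shlex.split(line)
    for i, tok in enumerate(tokens[:-1]):
        value = tokens[i + 1]
        if tok in ("--dport", "--dports"):
            rule["ports"] = parse_ports(value)
        elif tok in OPTIONS:
            key = OPTIONS[tok]
            # A negated or 0.0.0.0/0 source does not narrow access.
            if key == "source" and (value == "0.0.0.0/0" or tokens[i - 1] == "!"):
                value = None
            rule[key] = value
    return rule

def unconditional(rule):
    """True when the rule matches every packet that reaches it."""
    return not rule["ports"] and not any(
        rule[k] for k in ("source", "proto", "iface", "state"))

def audit(ruleset_text):
    """Summarise the filter table's INPUT chain from iptables-save text."""
    policy, rules, in_filter = None, [], False
    for line in ruleset_text.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":INPUT "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A INPUT "):
            rules.append(parse_rule(line))

    default_deny, exposed = policy == "DROP", []
    for rule in rules:
        if unconditional(rule) and rule["target"] in ("DROP", "REJECT"):
            default_deny = True      # rules after a catch-all are never reached
            break
        if rule["target"] != "ACCEPT" or rule["source"] or rule["iface"] == "lo":
            continue
        if rule["state"] and "NEW" not in rule["state"].split(","):
            continue                 # only replies to established connections
        services = sorted(
            name for (proto, port), name in VOIP_PORTS.items()
            if rule["proto"] in (proto, None, "all")
            and (not rule["ports"]
                 or any(low <= port <= high for low, high in rule["ports"])))
        exposed.append((rule["raw"], services))
    return {"loaded": bool(rules), "default_deny": default_deny,
            "exposed": exposed}

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULESET
    report = audit(text)
    print("rules loaded:", report["loaded"])
    print("default deny:", report["default_deny"])
    for raw, services in report["exposed"]:
        print("open to any source:", raw, services or "")
```

To audit a live server, save the output of `iptables-save` to a file and pass its path as the first argument. An empty "open to any source" list together with "rules loaded: True" is what a working WhiteList looks like.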
7. Remote Access with User Agent Knocking. A new approach to remote user access uses a derivative of the original Sunshine Networks port knock utility. With jeffmac’s new design, you define a customized "User Agent" string on your remote phones and then define iptables rules that permit access from SIP devices that attempt server connections using one of these obscure user agent strings. Here’s how to deploy it. To use this approach you’ll need remote phones that permit customization of the user agent string or that have sufficiently obscure, predefined user agent strings that wouldn’t lend themselves to dictionary-style, brute force hacking attempts by the bad guys.
8. Implement VPNs for PBX Systems. There are install scripts for PBX in a Flash to deploy a NeoRouter VPN or a PPTP VPN. Either or both of them can be installed and configured in minutes! VPNs provide an incredibly simple way to interconnect PBX systems worldwide and assure secure communications between these interconnected systems. Encourage remote users to deploy softphones on their Windows and Mac machines, and use secure, VPN access to connect to your server using these softphones.
9. Don’t Use ‘Normal Ports’ for Internet Access. Think of network and PBX security as a shell game. You want to do as many things differently as possible to make it as difficult as possible for the bad guys to figure out what you’ve done. Read that last sentence again. It’s important! With a hardware-based firewall, this is easy. dLink routers call them Virtual Servers. Other routers have similar functionality. Here is a typical entry:
HTTP 192.168.0.150 TCP 22/2319 Allow All Always
This entry redirects a specified port to a different port for Internet access. Don’t do this for SIP and IAX ports, but it works great for HTTP, FTP, and SSH access. WE STRONGLY DISCOURAGE EVER OPENING HTTP ACCESS TO YOUR SERVER FROM THE INTERNET. But you may need SSH access from remote locations. For example, port 22 typically is the default SSH port on Asterisk aggregations, and this port normally can be used on your internal LAN assuming you know and trust your users. For external (aka Internet) SSH access, simply remap TCP port 22 to some obscure port and change it periodically. For example, you might redirect TCP port 22 to port 2319. Once the setting is saved, you access SSH like this from the Internet: ssh -p 2319 root@pbx.mydomain.com. Then (and just as important!) next month, change the port to 4382, then 6109, and so on. Don’t use these numbers obviously! Make up your own.
The key here is that 2 minutes’ work every month will keep SSH access to your PBX much more secure than letting every Tom, Dick, and Ivan hammer away at port 22 every night while you’re sleeping. As previously mentioned, most of these routers also will let you block access to certain ports during certain hours of the day. If you’re sleeping, there’s really not much need to provide SSH access to your Asterisk server. At the risk of being labeled xenophobic, keep in mind that many of the world’s best crackers reside in countries where daytime happens to be nighttime in the U.S.
10. Really Secure Passwords Really Do Matter. While we have no hard evidence to back this up, our guess is that 90% of the security breaches in Asterisk systems have been the direct result of folks using passwords that matched the extension numbers on their phone systems. Since most Asterisk PBX systems are configured with extension numbers beginning in the 200, 700, or 800 range of numbers, it really wasn’t Rocket Science to remotely log into these servers and make unlimited SIP telephone calls. It may seem obvious but really secure passwords really do matter. And it’s more than having a secure root password. All of your passwords need to be secure including those on your phone extensions and voicemail accounts unless you are absolutely certain that you have blocked all access to your system from everyone except trusted users. If you use DISA, multiply this advice by 10. Part of having really secure passwords is regularly changing them. And our rule of thumb on Asterisk system passwords goes one step further. Never, ever use passwords on your PBX that you use for other important personal information (such as financial accounts). Remember, it’s your phone bill.
11. Minimize Web Access To Your PBX. Most of the Asterisk aggregations utilize FreePBX as the graphical user interface to configure your Asterisk PBX. Because FreePBX is web-based, it is extremely dangerous to leave it exposed on the Internet. As much as we love FreePBX, keep in mind that it was written by dozens and dozens of contributors of various skill levels over a very long period of time. Spaghetti code doesn’t begin to describe some of what lies under the FreePBX covers. While the FreePBX Dev Team is vigorously rewriting much of this old code, some of it still lingers. Our recommendation is to make absolutely certain that you have .htaccess password protection in place for all web directories in at least these directory trees: admin, maint, meetme, and panel.
Our rule of thumb on Internet web accessibility to any Asterisk PBX goes like this. Don’t! And, for FreePBX web access from the Internet. Never! If the bad guys ever get into FreePBX, the security of your PBX has been compromised… permanently! This means you need to start over with all-new passwords and install a fresh system. You can’t fix every possible hole that has been opened on a FreePBX-compromised system!
12. Choosing VoIP Providers. So long as you use reputable VoIP providers that support registration of your SIP and IAX accounts, NO INTERNET PORT EXPOSURE TO YOUR SERVER IS EVER REQUIRED! If a VoIP provider doesn’t support SIP/IAX account registration, don’t use them! Add your public and private IP addresses in FreePBX’s Asterisk SIP Settings module to eliminate one-way audio issues.
13. Never Activate Auto-Replenishment. If you’re using VoIP providers that you pay by the minute, do your wallet a favor. Never, ever activate auto-replenishment on your accounts. By manually controlling the money flow to your accounts, you automatically insulate yourself from a huge phone bill. If something does come unglued, your financial exposure is limited to the preauthorized amount in each of your VoIP provider accounts.
14. Tighten Up International Calling. Almost every VoIP provider gives you the option of restricting international calls. If you don’t make international calls, use it! If you do make international calls, implement Outbound Routes in your FreePBX® dial plan with designated country codes. If you never call Africa, China, or cruise ships in international waters, make sure your dialplan doesn’t allow these calls.
15. Time of Day Calling Restrictions. Whether your server is for business or home use, time of day restrictions can save you a bundle. If remote telephone extensions are a must have for your server, chances are that those extensions don’t place calls in the middle of the night. Almost every hardware-based router/firewall allows creation of time of day rules for access. Implement these restrictions to minimize exposure to those that are hacking while you’re sleeping.
16. Minimize Simultaneous Calls. Especially with pay-as-you-go VoIP providers, often there is no limit to the number of simultaneous calls that can be placed from a trunk on your server. If someone manages to gain access to your accounts or your server, that can be really bad news. Some providers offer tools to restrict the number of simultaneous calls that can be placed. Take advantage of it to limit your financial exposure. Similarly, FreePBX includes a Maximum Channels option when you configure a Trunk. Don’t leave it blank. Set it to what you need to meet your needs.
17. Outbound Route Passwords. For outbound routes to international numbers and 900 numbers, always take advantage of the FreePBX Outbound Route option to prompt for a password. Just enter a numeric Route Password when you configure these outbound routes, and FreePBX will handle the rest.
18. IP Address Filtering with Asterisk Extensions. With the number of Asterisk SIP vulnerabilities reported over the years, suffice it to say IP address filtering at the Asterisk extension level is not something you should rely upon exclusively to protect your server. But it’s better than nothing. And, when used in conjunction with the other security mechanisms we’ve outlined, it provides another layer of security for your server. The extension setup in FreePBX includes the permit field which can be used to limit connections to a particular extension based upon an IP address or range of IP addresses. In addition, Travelin’ Man 2 deploys additional permit tables using an include list in sip_custom_post.conf in conjunction with include files for specified extensions, e.g. 701.inc, to define additional authorized IP addresses.
To restrict an extension to a private LAN, use a FreePBX extension entry in permit like this: 192.168.0.0/255.255.255.0. Then you can broaden this restricted access with specified WhiteList addresses using an include file in /etc/asterisk that looks like this:
[701](+)
permit=150.155.90.143/255.255.255.255
You, of course, would also have to authorize the specified IP address in your iptables configuration as well. That’s essentially how Travelin’ Man 2 works.
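How the two permit entries above combine, as an added example that is not Travelin’ Man or FreePBX code: Asterisk walks an extension's deny/permit lines in order, the last matching line decides, and an address that matches no line is allowed. The `deny=0.0.0.0/0.0.0.0` line is an assumption about what the extension's deny field holds, since the page shows only the permit entries; the test addresses other than 150.155.90.143 are constructed.

```python
import ipaddress

# Effective ACL for extension 701: the FreePBX extension entry followed by the
# include file shown on the page. The deny line is an assumption (see above).
EXT_701 = """\
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
[701](+)
permit=150.155.90.143/255.255.255.255
"""

def parse_acl(text):
    """Return ordered (sense, network) pairs from deny=/permit= lines."""
    acl = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop Asterisk ';' comments
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key in ("permit", "deny"):
            acl.append((key, ipaddress.ip_network(value, strict=False)))
    return acl

def allowed(acl, addr):
    """Apply the ACL the way Asterisk does: start permissive, last match wins."""
    ip = ipaddress.ip_address(addr)
    verdict = "permit"
    for sense, net in acl:
        if ip in net:
            verdict = sense
    return verdict == "permit"

def report(acl, addrs):
    """Map each candidate address to True (may register) or False."""
    return {addr: allowed(acl, addr) for addr in addrs}

if __name__ == "__main__":
    candidates = ["192.168.0.50", "150.155.90.143", "150.155.90.144",
                  "198.51.100.7"]
    for addr, ok in report(parse_acl(EXT_701), candidates).items():
        print(f"{addr:16} {'permit' if ok else 'deny'}")
    # Without a deny line the permit entries restrict nothing.
    permit_only = parse_acl("permit=192.168.0.0/255.255.255.0")
    print("permit-only ACL admits 198.51.100.7:",
          allowed(permit_only, "198.51.100.7"))
```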
19. Check Your Logs Every Day. We’re still dumbfounded by the following quote from the article we cited above: "115,000 international mobile calls were made using the small business’s VoIP system over a six month period." Six months and they never checked their call logs? FreePBX provides an incredibly simple way to review your call logs. Click the CDR Reports link and look at your call log showing the number of calls each day and the combined length of those calls. Nothing could be easier. Do it every single day!
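The same daily review can be scripted against Asterisk's CSV call detail records. This is an added example, not FreePBX code: it totals calls and billed seconds per day and flags answered calls to international destinations or placed during quiet hours. The sample records are constructed, and the international test (a 011 prefix or a number longer than a North American one) and the midnight-to-6am window are assumptions to adjust for your own dialplan.

```python
import csv
import io
import sys
from datetime import datetime

# Column order written by Asterisk's cdr_csv backend (Master.csv).
CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
              "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
              "duration", "billsec", "disposition", "amaflags", "uniqueid",
              "userfield"]

# Constructed records for illustration; none come from a real server.
SAMPLE_CDR = '''\
"","701","14045551212","from-internal","701","SIP/701-0001","SIP/voipms-0002","Dial","SIP/voipms/14045551212","2012-10-01 09:15:02","2012-10-01 09:15:10","2012-10-01 09:20:10",308,300,"ANSWERED","DOCUMENTATION","1349082902.1",""
"","702","701","from-internal","702","SIP/702-0003","SIP/701-0004","Dial","SIP/701","2012-10-01 14:02:11","2012-10-01 14:02:15","2012-10-01 14:03:00",49,45,"ANSWERED","DOCUMENTATION","1349100131.3",""
"","201","011442071234567","from-internal","201","SIP/201-0005","SIP/voipms-0006","Dial","SIP/voipms/011442071234567","2012-10-02 02:13:40","2012-10-02 02:13:45","2012-10-02 03:12:45",3545,3540,"ANSWERED","DOCUMENTATION","1349144020.5",""
"","201","011442071234567","from-internal","201","SIP/201-0007","SIP/voipms-0008","Dial","SIP/voipms/011442071234567","2012-10-02 02:14:05","2012-10-02 02:14:10","2012-10-02 03:14:10",3605,3600,"ANSWERED","DOCUMENTATION","1349144045.7",""
"","201","14045551212","from-internal","201","SIP/201-0009","SIP/voipms-0010","Dial","SIP/voipms/14045551212","2012-10-02 03:30:00","","2012-10-02 03:30:20",20,0,"NO ANSWER","DOCUMENTATION","1349148600.9",""
"","701","18005551212","from-internal","701","SIP/701-0011","SIP/voipms-0012","Dial","SIP/voipms/18005551212","2012-10-02 10:00:00","2012-10-02 10:00:05","2012-10-02 10:02:05",125,120,"ANSWERED","DOCUMENTATION","1349172000.11",""
'''

def parse_cdr(text):
    """Parse cdr_csv text into dicts keyed by CDR_FIELDS."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        rec = dict(zip(CDR_FIELDS, row))
        rec["start"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S")
        rec["billsec"] = int(rec["billsec"])
        records.append(rec)
    return records

def is_international(dst):
    """Heuristic for a North American dialplan (assumption, tune to yours)."""
    digits = dst.lstrip("+")
    if not digits.isdigit():
        return False                      # 's', feature codes, SIP URIs
    if dst.startswith("011"):
        return True                       # US international dialing prefix
    if len(digits) == 10 or (len(digits) == 11 and digits[0] == "1"):
        return False                      # NANP number
    return len(digits) > 7                # short numbers are extensions

def review(records, quiet_hours=range(0, 6)):
    """Per-day call count, billed seconds and flagged answered calls."""
    days = {}
    for rec in sorted(records, key=lambda r: r["start"]):
        day = days.setdefault(rec["start"].date().isoformat(),
                              {"calls": 0, "billsec": 0, "flags": []})
        day["calls"] += 1
        day["billsec"] += rec["billsec"]
        if rec["disposition"] != "ANSWERED":
            continue
        reasons = []
        if is_international(rec["dst"]):
            reasons.append("international")
        if rec["start"].hour in quiet_hours:
            reasons.append("quiet-hours")
        if reasons:
            day["flags"].append((rec["start"].isoformat(sep=" "),
                                 rec["src"], rec["dst"], reasons))
    return days

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CDR
    for date, day in review(parse_cdr(text)).items():
        print(f"{date}: {day['calls']} calls, {day['billsec'] // 60} min billed")
        for start, src, dst, reasons in day["flags"]:
            print(f"  FLAG {start} {src} -> {dst} ({', '.join(reasons)})")
```

On a server that has the cdr_csv backend enabled, pass the path to its Master.csv (by default under /var/log/asterisk/cdr-csv/) as the first argument.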
20. Do Some Reading… Regularly. No security implementation is complete without a little regular effort on your part: reading. If you’re going to manage your own network or PBX, then you need to keep abreast of what’s happening in the business. There are any number of ways to do this, none of which take much time. The simplest approach is just to scan the Open Discussion, Add-Ons, and Bug Reporting topics on the PBX in a Flash Forum, the FreePBX Forum, and Asterisk News. Aside from reviewing your call logs, it’s the best 15 minutes you could spend to safeguard your system.
Originally published: Monday, October 1, 2012
Astricon 2012. Astricon 2012 will be in Atlanta at the Sheraton beginning October 23 through October 25. We hope to see many of you there. We called Atlanta home for over 25 years so we’d love to show you around. Be sure to tug on my sleeve and mention you’d like a free PIAF Thumb Drive. We’ll have a bunch of them to pass out to our loyal supporters. Nerd Vittles readers also can save 20% on your registration by using coupon code: AC12VIT.
Need help with Asterisk? Visit the PBX in a Flash Forum.
whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…
R.I.P. Googlicious: Weather, Weather, Everywhere… Except From Google
For at least the last four years, Google has maintained a not-so-secret Weather API that let hobbyists and people like us build weather applications for the rest of the world to use. Google never provided a word of documentation nor even a comment about the Weather API other than obscure mentions by a few Google employees. Google, of course, is not stupid. They know everything there is to know about analytics, and it was no secret that the Weather API had an enormous following worldwide. It was the one and only source of worldwide weather information that didn’t require an API key for access. Most API keys translate into restrictions and monthly fees.
Without a word of warning or comment, Google shut down the Weather API last week. Still no comment a week later despite the howls of righteous indignation from the developer community. Just for the record, this is no way to run a railroad. Of course, Google had no obligation to continue a service that cost them money except for the fact that it earned them enormous goodwill from those around the globe using their service. Earth to Google: these are the same people that have made your company one of the wealthiest in the technology industry! Some have argued that this was a "private service" that was never intended for use by the public. That, of course, is pure horse #2. Google was well aware of the usage by millions of people worldwide. Does anyone think for a moment that Google lacked the necessary skills to secure the Weather API if they had not wanted people to use it? So let’s get real. Like its fruity corporate neighbor, Google loves to introduce "almost secret" technology and rely upon Buzz (remember that one?) to make it a household word. The Weather API was no secret by any stretch.
And there’s another downside, Google. At a time when you’re supposedly encouraging the notion of Cloud Computing, it does the technology little good when you reaffirm how fragile an organization would be if it chose to actually put all its eggs in one basket and rely upon Google infrastructure. What company in its right mind would consider moving to a platform such as Google Apps for Business after observing this sort of corporate behavior? Electing to begin charging for a service is one thing. Phasing out a service after fair notice to those using it was also an option. But blowing a heavily-used service completely out of the water without warning to those relying upon the service is really unacceptable corporate conduct. Makes one wonder what lies just over the horizon with Google Voice, doesn’t it? We’re big fans of Google. But this time around, I’m sorry. Google gets a well-earned D- in our book.
So the question becomes how do we minimize the carnage and put Humpty back together again for those that foolishly relied upon the Nerd Vittles text-to-speech Worldwide Weather app and its underlying Google Weather API. Fortunately for all of us, there are other players in the Weather API marketplace. Here’s a list of 26 of them. One vendor really stands out from the pack. In fact, many believe that Google itself was using its services to power Google’s own weather API. That service is Weather Underground.
What we’ve done is rework the existing Worldwide Weather application in such a way as to minimize the upgrade hassle for those of you already using the broken one. If you’re just getting started, we’ll put all the working pieces in place so there is no patch required. So choose whether to upgrade or install from scratch from the options below, and we’ll have you up and running in a couple minutes.
Regardless of whether you’re just getting started or upgrading, what you will need (that’s new) is a free Weather Underground API key. This lets you issue up to 10 queries a minute and 500 queries a day against Weather Underground’s weather data. Because current conditions and forecasts are separated into separate queries, it means you can actually dial up 5 queries a minute and 250 queries a day without expense. If your needs are more extravagant, Weather Underground has very reasonable rates. Just follow this link to sign up for your Weather Underground API key. Write it down. You’ll need it in a minute.
Upgrading Existing Worldwide Weather App. If you’re currently using Nerd Vittles’ Google News, Weather, Stocks & Dictionary app or Incredible PBX 4, or Incredible Pi, you can upgrade the included Worldwide Weather component by logging into your server as root and issuing the following commands:
cd /var/lib/asterisk/agi-bin
mv nv-weather-google.php nv-weather-google-old.php
wget http://incrediblepbx.com/wunderground.tgz
tar zxvf wunderground.tgz
rm wunderground.tgz
nano -w nv-weather-google.php
nano -w nv-weather-wunderground.php
When the new weather script displays in the nano editor, cursor down to line 21 and replace 12345 with your actual Weather Underground API key. Be sure to preserve the quotes. Then save your change: Ctrl-X, Y, then Enter. That’s it. You’re back in business. Dial 9-4-9 to obtain a spoken weather report for almost any city in the world.
Installing the New Worldwide Weather App. If you’re new to all of this and would like to use either Incredible PBX 4.0 or just the News, Weather, Stocks & Dictionary app, start by reading all about them at the links above. Once you’ve installed either application, log into your server as root and issue the following commands to insert your new API key:
cd /var/lib/asterisk/agi-bin
nano -w nv-weather-google.php
When the new Worldwide Weather script displays in the nano editor, cursor down to line 21 and replace 12345 with your actual Weather Underground API key. Be sure to preserve the quotes. Then save your change: Ctrl-X, Y, then Enter. Now you’re ready to go. Now you can dial 9-4-9 to obtain a spoken weather report for almost any city in the world.
Test Drive. Want to try the new service out for yourself? We’ve set up a Raspberry Pi with Incredible PBX to demonstrate how easy all of this can be with a $35 computer. Just place a call to 1-843-284-6844, choose option 2, and say the name of the city and state or country for an instantaneous Worldwide Weather Report. Enjoy!
Originally published: Tuesday, September 4, 2012
SMS Dictator 2.0: Send SMS Messages Using Your Phonebook with Google Voice
Here’s an update of a terrific Google™ speech-to-text application for your Asterisk® goody bag. SMS Dictator 2.0 lets you pick up any phone on your Asterisk system, dictate a brief message, have it transcribed by Google, and then delivered as an SMS text message by entering either a 10-digit number of your choosing or by saying any name in your AsteriDex phonebook. The installation process on PBX in a Flash™ systems takes only a minute. And you’ll find Asterisk SMS Messaging to be a welcome addition to your VoIP Swiss Army Knife.
Prerequisites. For the installer to work seamlessly, you’ll need a PBX in a Flash 2 server with the PERL gvoice CLI tool. You can test whether this is working by logging into your server as root and issuing the command: gvoice. When prompted for your Google Voice account name, enter it and include @gmail.com. Then enter your password. If you get a gvoice prompt, all is well. Type quit to exit. If you get errors or the gvoice app doesn’t exist, click on the pygooglevoice link in this paragraph to get things squared away.
You’ll also need a Google Voice™ account that can be used to send the SMS messages. Today’s SMS installer will prompt you for your Google Voice account name in the format: myname@gmail.com. Then you’ll be prompted for your Google Voice password. Once you’ve entered your credentials, the rest is automagic. With a little manual tweaking of the installation script, you can get this working on any Asterisk-based server running under Linux.
As configured, SMS Dictator™ uses extension 767 (S-M-S) to generate SMS messages. If this conflicts with an extension on your server, you can edit the extensions_custom.conf dialplan in /etc/asterisk.
Legal Disclaimer. What we’re demonstrating today is how to use a publicly accessible web resource to respond to dictation requests generated by a phone connected to your Asterisk server. We’re assuming that Google has its legal bases covered and has a right to provide the public service they are offering. We are not vouching for Google or the services being offered in any way. By using our tutorial, YOU AGREE TO ASSUME ALL RISKS, LEGAL AND OTHERWISE, ASSOCIATED WITH USE OF THIS FREELY ACCESSIBLE WEB TOOL. NO WARRANTY EXPRESS OR IMPLIED IS BEING PROVIDED BY US INCLUDING ANY IMPLIED WARRANTY OF FITNESS FOR USE OR MERCHANTABILITY. You, of course, have an absolute right not to read our articles or implement our code if you have reservations of any kind or are unwilling to assume all risks associated with such use. Sorry for legalese, but it’s the time in which we live I’m afraid. Plain English: "Don’t Shoot the Messenger!"
Removing Previous SMS Dictator Code. If you installed our earlier version of SMS Dictator, then you have a little housekeeping to do before we begin. Log into your server as root and change to the /etc/asterisk directory. Then edit extensions_custom.conf. Search through the file until you find the lines beginning with exten => 767. Delete all of those lines. If you’re using nano, Ctrl-K will delete a line at a time. Once you’ve deleted all the 767 lines, save the file: Ctrl-X, Y, and press Enter. Now continue on…
Installation. To install SMS Dictator, log into your PBX in a Flash server as root and issue the following commands:
cd /root
wget http://nerdvittles.com/sms-dictator.tgz
tar zxvf sms-dictator.tgz
./sms-dictator.sh
Accept the license agreement and fill in your Google Voice credentials when prompted. In under a minute, you’ll be ready to test things out.
Taking SMS Dictator for a Spin. Now you’re ready to try it. Pick up any phone connected to your Asterisk server. Dial S-M-S (767). When prompted, dictate a brief message and press #. If the transcription played back is correct, press 1. Or hang up and try again. Now press 1 to enter a 10-digit phone number for the SMS recipient or press 2 to speak the name of someone in your AsteriDex database. When prompted, enter the 10-digit number or say the name of the SMS recipient. If the response read back to you is correct, press 1 to send the SMS message. It’s as simple as that.
AsteriDex Integration. If you’re using AsteriDex for your contacts, then it’s pretty simple to look up SMS contact numbers from there instead of having to remember them and manually key them in. The only trick is that you may need to adjust the names slightly if Google has difficulty understanding what you’re saying. For example, Google does not like Ward but is perfectly happy with Uncle Wardy. So are we. Here’s a hint. Multi-syllable words fare better than 3 and 4 letter words.
SMS Message Blasting. The SMS messaging possibilities, of course, are endless. A lively discussion was underway on the PIAF Forum until The Great Trainwreck of 2013. This could include notifications to Little League teams about schedule changes, or alerts from a school about emergencies, or community alerts about tornados. You can probably think up a dozen more on your own. We’ve now released the first preview of a message blasting utility which you are welcome to download here. Enjoy!
3/2/2017 Update: A patched version of pygooglevoice to support SMS messaging is now available here.
Originally published: Monday, August 13, 2012
Asterisk TTS: Today in History 2.0 & Yesteryear’s Time of Day
If you’re a history buff and want a convenient way to find out everything that ever happened Today in History, then this week’s upgraded text to speech (TTS) application for Asterisk® should be just what you need. Pick up any phone connected to your Asterisk system and dial T-O-D-A-Y (86329 for the spelling-impaired). The script will retrieve today’s historical events of interest from HistoryOrb.com and play the results back to you over the phone using Google TTS. To speed up the retrieval process, you can also set this up as a cron job to download the latest events each day while you’re sleeping. Thereafter, when you dial T-O-D-A-Y, the results are played back instantaneously.
As a bonus, there’s TrimLine’s new Time of Day application for your Asterisk server that works just like it did in yesteryear. You can read all about it and install it from this link.
Prerequisites. If you’re using PBX in a Flash, then all of the tools you’ll need are already in place. And we have a script for you that will install Today in History 2.0 in just a few seconds. For other users, you’ll need an Asterisk server with PHP5 and Flite to handle portions of the text-to-speech. No extras are needed for the Time of Day application.
Overview. If you’ve previously installed other Nerd Vittles text to speech applications, then the drill this time around is quite similar. There’s a PHP/AGI script which gets stored in /var/lib/asterisk/agi-bin. In this script (nv-today.php), you can change the default Flite TTS engine to Cepstral by changing the $ttspick variable setting from 0 to 1. Then there is a snippet of dialplan code that needs to be added to the [from-internal-custom] context in extensions_custom.conf for FreePBX installations. Once you reload your dialplan, you’re ready to go. For a quick demo, dial 1-650-308-9946.
How It Works. The PHP/AGI script only does real work once a day. It always checks to see if there is an existing /tmp/today.txt file with today’s file stamp. If there is, it exits gracefully. If today’s file doesn’t exist or if the file’s time stamp is earlier than midnight, then the script downloads the latest information for today in history and creates a text file of the data. Then Google’s TTS engine is used to convert the text file into /tmp/today.wav. The dialplan code answers calls to extension 86329. Then it runs the PHP/AGI script, and finally it plays back /tmp/today.wav. Note: The PHP/AGI script, if run as a cron job or from the command prompt, should never be run as the root user, but only as the asterisk user. Otherwise, the today.txt and today.wav files cannot be replaced by the script when it subsequently is run from the dialplan.
Script Installation. If you’re using PBX in a Flash, log into your server as root and issue the following commands:
cd /root
wget http://bestof.nerdvittles.com/applications/today/today2.pbx
chmod +x today2.pbx
./today2.pbx
Automatic Updates Using crontab. If you’d like to automatically generate the Today in History files each day, add the following entry to the bottom of /etc/crontab:
01 0 * * * asterisk /var/lib/asterisk/agi-bin/nv-today.php
Manual Installation. For those using a different Asterisk aggregation that includes PHP5, FreePBX, and Flite, add this code to /etc/asterisk/extensions_custom.conf in the [from-internal-custom] context:
exten => 86329,1,Answer
exten => 86329,2,Wait(1)
exten => 86329,3,Set(TIMEOUT(digit)=7)
exten => 86329,4,Set(TIMEOUT(response)=10)
exten => 86329,5,Flite(Please stand bye while we retrieve: Today in History.)
exten => 86329,6,AGI(nv-today.php)
exten => 86329,7,Playback(/tmp/today)
exten => 86329,8,Wait(1)
exten => 86329,9,Hangup
Then issue the following commands from the command prompt after logging in as root:
cd /var/lib/asterisk/agi-bin
wget http://bestof.nerdvittles.com/applications/today/today.tgz
tar zxvf today.tgz
rm -f today.tgz
asterisk -rx "dialplan reload"
Upgrading from Today in History 1.0. If you used this script previously, a couple of ugly things have happened to make it stop working. First, Yahoo dropped support for their Today in History RSS feed. And then Cepstral released an upgrade which no longer lets you create .wav files from a text file without paying an additional $200 license fee. So the new release doesn’t use Cepstral. Everything is handled (and handled well) by the Google TTS engine… which is free to use.
If you have an older version of Cepstral that still permits the creation of .wav files, then you can upgrade just the original AGI script. Log into your server as root and issue the following commands:
cd /var/lib/asterisk/agi-bin
rm nv-today.php
wget http://bestof.nerdvittles.com/applications/today/today.zip
unzip today.zip
chown asterisk:asterisk nv-today.php
chmod +x nv-today.php
Running the Application. Now you’re ready for a test run. Pick up any phone connected to your Asterisk system and dial T-O-D-A-Y. After a brief pause to download the data, today’s events in history will be played back over your phone. To eliminate the pause the first time the application is run each day, simply add the crontab entry as outlined above. Enjoy!
Originally published: Monday, August 6, 2012
YATE in a Flash: Rolling Your Own SIP to Google Voice Gateway for Asterisk
A few weeks ago we introduced you to Bill Simon’s SIP to Google Voice Gateway featuring YATE. This let you set up a SIP connection to your Google Voice accounts in about 5 minutes by filling out a simple web form. Today, we take it to the next plateau for those who prefer to do it yourself. With a little assistance from Bill (about 99% of the brainpower behind what you’re about to read), we’re pleased to now offer you the alternative of creating your own SIP to Google Voice Gateway. You need not share your Google Voice credentials with anybody. Meet YATE in a Flash™.
Using today’s tutorial, we’ll show you how to create a YATE in a Flash server to which you can connect as many Asterisk® servers as you like using garden-variety SIP trunks. For those that have been using one of the last half-dozen Asterisk 10 releases in which Google Voice connectivity was totally broken and for those who have languished at Asterisk 10.0.x simply to preserve Google Voice connectivity, today’s YATE alternative is a godsend because it restores the ability to make free incoming and outgoing calls in the U.S. and Canada using any flavor of Asterisk with nothing more than a SIP trunk connection to your YATE in a Flash server. We also believe it is in everyone’s best interests to pursue other Google Voice alternatives given Digium’s recent position to no longer support Gtalk and Google Voice.
If you read Malcolm Davenport’s comment in a vacuum, you’d probably come away believing that Google Voice is just too unreliable to be a supported piece of Asterisk. Funny thing is that Google Voice still works flawlessly with Asterisk 1.8, Certified Asterisk, ObiHai devices, FreeSwitch, and, of course, YATE. We’ll let you draw your own conclusions about who is responsible for the mess with Asterisk 10. Suffice it to say, if "the community" hasn’t managed to address this in 90 days, it’s probably never going to be resolved satisfactorily… and Asterisk 11 is just around the corner. So, for once, we find ourselves in total agreement with Malcolm, "building a business based on Google Voice calling using Asterisk is not something that would be recommended." YATE appears to us to be a much more satisfactory long-term solution for those that actually rely upon Google Voice.
All of the scripts today are licensed as GPL2 code, by the way, so you’re free to embellish and enhance them to meet your own needs. Please share your improvements with us so we can pass them along to "the community."
Prerequisites. Today’s design assumes you have a server running under CentOS™ 6.2. A virtual machine works fine. While YATE runs on many other operating systems, we wanted a platform that matched our existing PBX in a Flash™ and VPN in a Flash™ environment. You will also need one or more dedicated Google Voice accounts to use in conjunction with Yate in a Flash. Do NOT use a Google Voice account with a Gmail address that you already use for email, messaging, or web phone calls!
Using the original install scripts won’t work to run YATE on an existing Asterisk server. But, if you’re a true pioneer and appreciate the risks, we’ve now included scripts for BOTH dedicated server and colocated server setups so you won’t need to make any manual adjustments. Be advised that we haven’t tested colocated YATE and Asterisk under a real-world load yet to determine what impact YATE will have on the performance of an existing Asterisk server so it’s probably not a good idea to try this on your production Asterisk machine just yet. With the low cost of virtual machine environments, there’s really no reason to run YATE and Asterisk on the same machine or virtual machine. Suffice it to say, there are many issues with conflicting port assignments for telnet, sip, and iax2 as well as listening ports. While YATE is very flexible, this colocated setup still is untested.
PBX in a Flash 2.0.6.2.5 should be on the street within the next few days or weeks. With its new all-in-one design, there will be an ISO menu option allowing you to install Yate in a Flash as a standalone server with one click. Until then, we recommend using the PIAF 2.0.6.2.4 ISO and selecting the VPN in a Flash server option. This provides an ideal platform for YATE in a Flash with the added bonus of a NeoRouter VPN server and client which happens to be the perfect way to securely interconnect your PIAF and YIAF platforms via SIP.
Overview. Yate in a Flash actually consists of several scripts. For dedicated servers (meaning Asterisk is running on a separate machine), you’ll use install-yate and add-yate-user. For colocated servers (meaning Asterisk is running on the same machine), you’ll use install-yate-on-piaf and add-piaf-yate-user. As the names imply, the first script is used to actually set up your YATE in a Flash server. The second script is used to add SIP/Google Voice accounts to the YATE server. As part of the installation process, YATE is actually compiled from source code that you’ll find in /usr/src/yate on your server. Never run install-yate more than once on the same server.
To begin, you’ll need to download and untar the YIAF tarball. Then you run install-yate or install-yate-on-piaf to get YATE installed and configured. After creating and testing your Google Voice accounts at google.com/voice, you add user accounts to YATE for each existing Google Voice account you wish to activate on your YATE in a Flash server. Each time you run add-yate-user (dedicated) or add-piaf-yate-user (colocated), the script will create a new YATE user account, Google Voice account, and SIP account on your YATE server based upon your 10-digit Google Voice number. Do yourself a favor and delete the two scripts that don’t pertain to your particular setup: dedicated or colocated. Then you won’t have to worry about using the wrong ones down the road.
Once you have YATE set up and at least one account configured, then we’ll switch to your dedicated Asterisk server and use FreePBX® to add a SIP trunk, outbound route, and inbound route for each YATE account that was created. For outbound calling, we think the easiest method to take advantage of multiple Google Voice trunks is to use a different dial prefix for each account you wish to set up.
To keep it simple, in our examples today we’ll use airport codes as prefixes so we know which Google Voice trunk is actually being used to place a call, e.g. dialing ATL-404-555-1212 (285-404-555-1212) will tell FreePBX to dial out through an Atlanta Google Voice trunk and MIA-305-555-1212 (642-305-555-1212) will tell FreePBX to dial out through a Miami Google Voice trunk. Of course, the free calls can be placed to anywhere in the U.S. and Canada regardless of the Google Voice trunk you use. However, the outbound CallerID will always be the CallerID number of the Google Voice trunk being used to place the call. Before the call is actually sent via SIP to YATE for processing via Google Voice, we’ll use FreePBX to strip off the dial prefix and add a leading 1 to match the dial string format that YATE expects to see: 1NXXNXXXXXX. If you happen to be a regex genius, this could all be done on the YATE side as well, but using FreePBX makes it easy to follow:
^285\(1[0-9]\+\)$=jingle/\1@voice.google.com;line=GV40412334567;ojingle_version=0;ojingle_flags=noping;...etc.
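The prefix handling just described, written out as a small routine: it strips the airport-code prefix, adds the leading 1 when it is missing, and passes the call on only if the result has the 1NXXNXXXXXX shape. This is an added example in shell, not FreePBX or YATE code; the function names, the acceptance of hyphens, and the pairing of 285 with a trunk called YIAF2 are assumptions.

```shell
#!/bin/sh
# Added example: the outbound dial-prefix rule as a standalone routine.

# Prefix-to-trunk table. 642 -> YIAF1 follows the article's Miami example;
# pairing 285 (ATL) with a trunk named YIAF2 is an assumption.
ROUTES="642:YIAF1 285:YIAF2"

# normalize_dial PREFIX DIALED
# Prints the 11-digit 1NXXNXXXXXX string for a call dialed with PREFIX,
# or returns 1 if the dialed string does not fit the rule.
normalize_dial() {
    nd_prefix=$1
    # Hyphens are accepted only so ATL-404-555-1212 style input can be shown.
    nd_digits=$(printf '%s' "$2" | sed 's/-//g')
    case "$nd_digits" in
        ''|*[!0-9]*) return 1 ;;            # empty or not purely digits
    esac
    case "$nd_digits" in
        "$nd_prefix"*) nd_rest=${nd_digits#"$nd_prefix"} ;;
        *) return 1 ;;                      # wrong or missing prefix
    esac
    case ${#nd_rest} in
        10) nd_rest=1$nd_rest ;;            # add the missing leading 1
        11) ;;                              # already 11 digits
        *) return 1 ;;
    esac
    # N is 2-9 and X is 0-9, so strings such as 011... never pass.
    case "$nd_rest" in
        1[2-9][0-9][0-9][2-9][0-9][0-9][0-9][0-9][0-9][0-9])
            printf '%s\n' "$nd_rest" ;;
        *) return 1 ;;
    esac
}

# route_call DIALED
# Prints "TRUNK NUMBER" for the first prefix that accepts the dialed
# string, or returns 1 when no outbound route applies.
route_call() {
    for rc_entry in $ROUTES; do
        rc_prefix=${rc_entry%%:*}
        rc_trunk=${rc_entry#*:}
        if rc_number=$(normalize_dial "$rc_prefix" "$1"); then
            printf '%s %s\n' "$rc_trunk" "$rc_number"
            return 0
        fi
    done
    return 1
}
```

Anything that does not reduce to 1NXXNXXXXXX, such as an 011 international string behind a valid prefix, is refused rather than handed to the trunk.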
Installing YATE. As we mentioned, until the PIAF 2.0.6.2.5 ISO is released with the option to install YATE, we recommend you download the PIAF 2.0.6.2.4 ISO and install the VPN in a Flash server from the all-in-one menu. Once you have completed the installation of VIAF, log into your server as root and issue the following commands to install YATE:
cd /root
wget http://pbxinaflash.com/YIAF.tgz
tar zxvf YIAF.tgz
If you’re installing YATE on a separate server than your Asterisk server, then issue the following command to install YATE:
/root/install-yate
If you’re installing YATE on the same server as your Asterisk server, then issue the following command to install YATE:
/root/install-yate-on-piaf
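YIAF.tgz arrives over plain HTTP and its scripts then run as root, so it is worth listing the archive before unpacking it. The sketch below is an added example, not part of the YIAF scripts; the function names and the /root/yiaf-review directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not part of YIAF): vet a downloaded tarball before it is
# unpacked and its scripts are run as root.

# unsafe_members: reads member names on stdin, one per line as printed by
# `tar tzf`, and prints those that would be written outside the extraction
# directory: absolute paths and any path containing a ".." component.
unsafe_members() {
    while IFS= read -r um_name; do
        case "$um_name" in
            /*|..|../*|*/..|*/../*) printf '%s\n' "$um_name" ;;
        esac
    done
}

# vet_tarball FILE: returns 0 if FILE can be listed and has no unsafe
# members, 1 if unsafe members were found, 2 if the archive cannot be read.
vet_tarball() {
    vt_listing=$(tar tzf "$1" 2>/dev/null) || return 2
    vt_bad=$(printf '%s\n' "$vt_listing" | unsafe_members)
    if [ -n "$vt_bad" ]; then
        printf 'refusing to extract %s, unsafe members:\n%s\n' "$1" "$vt_bad" >&2
        return 1
    fi
    # Record the digest of exactly what was reviewed, if the tool is present.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    fi
    return 0
}

# Typical use on the server (paths are assumptions):
#   vet_tarball /root/YIAF.tgz &&
#     mkdir /root/yiaf-review &&
#     tar zxf /root/YIAF.tgz -C /root/yiaf-review
# then read the install scripts in /root/yiaf-review before running them.
```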
It takes about 5 minutes for YATE to compile. Once YATE is up and running, you can monitor your YATE server using telnet. If it’s running on a dedicated server, use the command: telnet 127.0.0.1 5038. If YATE is colocated on the same server as your Asterisk machine, use this command: telnet 127.0.0.1 5039. 5038 is reserved for Asterisk. Issuing the status command will tell you what’s loaded. And we’ve found it especially handy to issue the command: debug on. This lets you track everything going on with YATE without referring to the log: /var/log/yate. To exit from your telnet session, type quit. We, of course, are barely scratching the surface of what you can do with YATE. It also can be used as a full-fledged telephony engine. Here are some examples:
Just a heads up that the version of YATE being installed comes from an svn checkout several weeks ago. We zipped it up into a tarball which is downloaded as part of install-yate. With more recent builds, we have had problems with audio and the RTP stream. Until someone can sort out the issue, you’re well advised to stick with our snapshot if you want your calls to complete successfully.
Hopefully, today’s article will bring some of the YATE gurus out of the woodwork and inspire them to share their knowledge with the rest of the VoIP community. We’d be delighted to publish further articles. It’s a truly awesome platform. As I have mentioned to some of my colleagues, it reminds me of where the Asterisk community was about seven years ago. Much of the information about YATE is buried in endless threads of mailing list messages. This is an extremely difficult way to learn about and deploy a new technology. But we’re more than willing to do our part to spread the word. We’d also be happy to add a YATE Forum to the PIAF Forums so that everyone would have a searchable collection of tips in using YATE. Let us know what you think.
Configuring Google Voice. As we mentioned, you’ll need a dedicated Google Voice account for this. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now.
We’ve tested this extensively using an existing Gmail account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Set up a dedicated Gmail and Google Voice account, and use it exclusively for this new SIP gateway. Head over to the Google Voice site and register. If you’re living on another continent, see MisterQ’s posting for some tips on getting set up.
You must choose a telephone number (aka DID) for your new account, or Google Voice calling will not work… in either direction. You also have to tie your Google Voice account to at least one working phone number as part of the initial setup process. Your cellphone number will work just fine. Don’t skip this step either. Just enter the provided 2-digit confirmation code when you tell Google to place the test call to the phone number you entered. Once the number is registered, you can disable it if you’d like in Settings, Voice Setting, Phones. But…
IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for the SIP gateway to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you may need to call up Gmail and enable Google Chat there first. Then go back to the Google Voice Settings.
While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:
- Call Screening – OFF
- Call Presentation – OFF
- Caller ID (In) – Display Caller’s Number
- Caller ID (Out) – Don’t Change Anything
- Do Not Disturb – OFF
- Call Options (Enable Recording) – OFF
- Global Spam Filtering – ON
Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued.
Next, go into Gmail for this same account and place a test call using your new Google Voice number. You’ll find the Call Phone icon in the Chat and SMS section of Gmail in the left column. Once you complete this step, be sure to log out of both Gmail and Google Voice for this account, or inbound calling will never work.
Finally, a heads up. If you are planning to use a Google Voice account that you set up previously from a different IP address, be advised that Google has some sophisticated protection mechanisms in place to deter the bad guys. As Bill Simon discovered, this may result in your not being able to connect to Google Voice from your new YIAF server. If that happens to you, follow the steps in this Google article to unlock your account.
Adding Accounts to YATE. Now that you have your Google Voice account set up and tested, we’re ready to add an account to YATE to manage it. First, be sure you have logged out of Gmail and Google Voice for the account you plan to use, or inbound calls will never make it to YATE. You’re going to need the following information to set up a new account on your YATE server:
Google Voice account name (without @gmail.com)
Google Voice account domain (usually gmail.com)
Google Voice account password
Google Voice 10-digit phone number
YATE account name will be auto-generated
YATE account password (make it very secure!)
IP address of your YATE server (unless colocated)
If you care about security, we’d strongly recommend you consider installing a NeoRouter VPN Client on both your YATE server and Asterisk server. Use the 10.0.0.x addresses for communications between the servers, and everything will be encrypted between the machines. It also greatly simplifies the firewall and security issues. If you’ve taken our advice and installed your YATE server with VPN in a Flash, then the VPN client is already in place. Just run nrclientcmd and fill in the blanks to activate it. For tips on VPN in a Flash server setup, see this article. Be sure to write down the 10.0.0.x address of your YATE server once you get the VPN client running.
To add a new account to YATE for your new Google Voice number, log into your YATE in a Flash server as root and issue the command: /root/add-yate-user (dedicated) or /root/add-piaf-yate-user (colocated). Fill in the blanks as shown above. Be sure to write down the FreePBX Trunk settings when they are displayed. You’ll need them in the next step.
Configuring FreePBX. To finish the install, you’ll need to open the FreePBX GUI on your PBX in a Flash server using a web browser. Here are the steps. If your system doesn’t already have a default inbound route pointing to Hangup, do that first: Setup -> Inbound Routes -> Add Incoming Route.
After you have the Default Inbound Route pointing to Hangup in place, only then is it advisable to Allow Anonymous SIP Calls. Any Anonymous SIP Call not handled by an Inbound Route will immediately be disconnected. You’ll find the Allow Anonymous SIP Calls option under Setup -> General Settings or Settings -> General Settings for FreePBX 2.10:
Once you have those two pieces in place, then you’re ready to Add a new SIP trunk, Outbound Route, and Inbound Route for each new Google Voice account that you add to YATE.
1. Add SIP Trunk. Choose Connectivity -> Trunks -> Add SIP Trunk and plug in the credentials that were provided when you added your Google Voice account to YATE. We recommend numbering your SIP trunks for Yate in sequential order, e.g. YIAF1, YIAF2, etc. We’re assuming YIAF1 is your Miami Google Voice trunk in this example so ignore the 843 area code. You’re smart enough to figure out your Miami Google Voice DID for yourself. This 10-digit Google Voice DID also goes on the end of the Register String after the slash (/) and is not shown below:
2. Add Outbound Route. Choose Connectivity -> Outbound Routes -> Add Outbound Route. Assuming this is the Outbound Route for your Miami Google Voice trunk, fill in the form in every spot we’ve placed a pink mark like this:
These dialing rules tell PBX in a Flash to dial out through the YIAF1 SIP trunk to Google Voice whenever a user dials a 10-digit or 11-digit number with the M-I-A (642) prefix. They also tell FreePBX to strip off the 642 and add a 1 (if it is missing) before sending the call to YATE. The SIP trunk settings in YIAF1 ensure that YATE places the outbound call on the Miami Google Voice trunk when it receives 1NXXNXXXXXX from Asterisk.
3. Add Inbound Route. Incoming calls from the Miami Google Voice trunk will come into Asterisk as Anonymous SIP calls with the DID of the Google Voice trunk. In order to avoid an automatic Hangup, we need to create an Inbound Route for this DID. This will be the 10-digit DID of your Google Voice trunk and will match the 10-digit number on the end of the YIAF1 trunk’s Registration String. You can route these calls in any way you like on your Asterisk system, e.g. to an Extension, a Ring Group, an IVR, or whatever. Here’s an example for you to follow. Again, please ignore the non-Miami area code. We were too lazy to fix it.
So there you have it. You’re now the proud owner of your own SIP-to-GoogleVoice Gateway courtesy of YATE and Bill Simon. You can add as many Google Voice trunks as you like. And you’ll have Google Voice connectivity with Asterisk 1.8, Asterisk 10, or Certified Asterisk without ever worrying about Asterisk "improvements" that break Google Voice down the road. To add additional trunks, do the following. On the YATE side, add-yate-user. And, on the PBX in a Flash side, complete FreePBX steps 1, 2, and 3 above using the credentials provided by add-yate-user. Enjoy!
NEWS FLASH: We are pleased to announce a new YATE Forum to provide support for YATE in a Flash as well as YATE. Come visit soon!
Originally published: Monday, June 25, 2012
Trials and Tribulations of a Service Provider. We have one of the best service providers in the business. WestNic has offered exemplary service and a secure computing platform to Nerd Vittles and PBX in a Flash for many years. We consume enormous computing resources for what we pay. But the last couple weeks have been painful. First, we were on vacation when WestNic made the transition (again) to PHP 5.3. These things usually happen in the middle of the night, and this was no exception. Unfortunately, we still were running a very old, highly customized (but very secure) version of WordPress. When morning came, Nerd Vittles died. We immediately knew why because we already had experienced PHP 5.3 a few months earlier, and WestNic graciously rolled it back… just for us. Unfortunately (for us), they didn’t tell us the new drop dead date. And, yes, we should have been updating WordPress. But it’s kinda like going to the dentist. You never quite get around to it until you have to. Well, now we had to. This involved backing up and restoring Nerd Vittles to another server still running the older version of PHP. So far, so good. It took about three hours to do the three WordPress updates, but all went well. Then we moved the site back to its home, and nothing worked again. Unfortunately, this hit on a weekend, and the weekend guys claimed it was a WordPress problem. It wasn’t this time, but it took until Monday morning to get the new php.ini file sorted out to accommodate PHP 5.3. Whew!
Then came the real fun. About 25% of the threads on the PBX in a Flash Forum could not be displayed. All you got was a blank screen when you clicked on a thread. As is customary with these types of issues, the XenForo developers blamed the provider. And the provider blamed XenForo. The provider uses mod_security to protect its web sites. But the provider assured us that nothing had changed. Well, nothing in mod_security anyway. After days and days of testing and back and forth, it turned out that the provider had added a new security mechanism, suhosin, which its developer touts as the "Guardian Angel" for PHP. That may be true for providers, but not so much for folks that actually depend upon their sites working. Welcome to a new can of worms!
Having been on both sides of this fence, we can readily appreciate the dilemma of the service providers. They don’t want their servers hacked. Denying access to all users would accomplish that goal but would reduce the number of paying customers pretty dramatically. So we all try to reach that happy medium trading off a little security for a bit more access. In this case, it turned out to be a couple of suhosin settings that monitor the length of URLs. We discovered that only after running literally hundreds of tests. Since XenForo’s forum software makes extensive use of lengthy URLs to maintain compatibility with older vBulletin posts, this caused a problem. HTTP requests with URLs exceeding a certain length are simply thrown in the bit bucket by suhosin. The biggest hint was sitting in the service provider’s Apache log, but we had no access to that information, and they never looked until two and a half days after we first opened a trouble ticket. No errors appeared in our logs, and users got nothing but blank pages where the subject of a post on the forum exceeded 50 characters. Fortunately, that was enough of a hint to finally resolve the problem. The unfortunate part of this story is that, without 25 years of personal IT experience plus over 100 IT gurus that visit our sites regularly, it’s doubtful this ever would have gotten resolved other than by begging the provider to turn off mod_security and suhosin for our sites, something we were unwilling to do. If something similar ever happens to you, the command you need to know is php -v. This will tell you what’s running with PHP on your host. Our provider had implied that suhosin had not yet been activated. php -v suggested just the opposite. So did their error log once they looked. The other place to start searching for configuration information is /usr/local/lib/php.ini. This will tell you how your provider has PHP configured and whether your local php.ini file is even activated.
Our provider suggested more than once that our local php.ini file had been misconfigured. We’d never touched it and, in our case, the server’s php.ini file indicated that it was never activated regardless of what its contents may have contained.
We’re glad everything is fixed. We all learned more than we ever wanted to know about suhosin. We still wish there had been a little better communication with our provider. It would have made resolution a lot easier and quicker for all concerned. It’s especially difficult to resolve thorny issues like this using service tickets with response times of half a day per message. Did we mention there is virtually no documentation on suhosin and what each of its several dozen settings actually does? Our apologies to everyone that was impacted by the service disruptions. We’re glad it’s behind us.
Need help with Asterisk? Visit the NEW PBX in a Flash Forum.
whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonanza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
VPN in a Flash Reborn: Meet the Dedicated Server Edition in PIAF 2.0.6.2.4
We’re dusting off our favorite old trademark to introduce the all-new VPN in a Flash™ featuring NeoRouter™ 1.7 Free Server Edition. Last month we showed how to install NeoRouter as an add-on for existing PBX in a Flash™ servers. In sites with 10 or fewer machines to interconnect, this works extremely well. However, for those with major collections of servers and PCs scattered across the universe (up to 256!), you’re going to want dedicated hardware to manage your virtual private network. Thanks to the terrific work of Tom King, you’ve got that choice. Meet VPN in a Flash.
As with PBX in a Flash, the Dedicated Server Edition of VPN in a Flash is offered in 32-bit or 64-bit flavors. How do you get it? It’s now an option in the PBX in a Flash 2.0.6.2.4 ISO featuring the CentOS 6.2 platform for the ultimate in reliability. Just download the new 2.0.6.2.4 ISO from SourceForge, burn it to a CD or DVD or, better yet, make yourself a bootable flash drive, and find some hardware to dedicate to the task of managing your virtual private network. Set up the server behind a dedicated firewall on any private LAN other than the 10.0.0.x network. Answer a few prompts to choose your timezone and set up your NeoRouter credentials. Then configure your hardware firewall to lock down the assigned DHCP address of your VPN in a Flash server and map TCP 32976 to the IP address of your VPN server, and you’re done. In 30 minutes, you get a rock-solid, preconfigured VPN. Not only is it SECURE, it’s also FREE!
After your VPN in a Flash server is installed, you can optionally go to the NeoRouter web site and register your new VPN by clicking Create Standalone Domain. Make up a name you can easily remember with no periods or spaces. You’ll be prompted for the IP address of your server in the second screen. FQDNs are NOT permitted.
When a VPN client attempts to login to your server, the server address is always checked against this NeoRouter database first before any attempt is made to resolve an IP address or FQDN using DNS. If no matching entry is found, it will register directly to your server using a DNS lookup of the FQDN. Whether to register your VPN is totally up to you. Logins obviously occur quicker using this registered VPN name, but logins won’t happen at all if your server’s dynamic IP address changes and you’ve hard-coded a different IP address into your registration at neorouter.com.
Setting Up a NeoRouter Client. There are NeoRouter clients available for almost every platform imaginable, except iPhones and iPads. Hopefully, they’re in the works. So Step #1 is to download whatever clients are appropriate to meet your requirements. The VPN in a Flash install automatically loads the Linux clients into the /usr/src/neorouter directory and installs the NeoRouter client for you. Here’s the NeoRouter Download Link for the other clients. Make sure you choose a client for the Free version of NeoRouter. And make sure it is a version 1.7 client! Obviously, the computing platform needs to match your client device. The clients can be installed in the traditional way with Windows machines, Macs, etc.
CentOS NeoRouter Client. As part of the installation above, we have automatically installed the NeoRouter client for your particular flavor of CentOS 6, 32-bit or 64-bit. In order to access resources on your NeoRouter server from other clients, you will need to activate the client on your server as well. This gets the server a private IP address in the 10.0.0.0 network.
To activate the client, type: nrclientcmd. You’ll be prompted for your Domain, Username, and Password. You can use the registered domain name from neorouter.com if you completed the optional registration step above. Or you can use the private IP address of your server. If your router supports hairpin NAT, you can use the public IP address or server’s FQDN, if you have one. After you complete the entries, you’ll get a display that looks something like this:
To exit from NeoRouter Explorer, type: quit. The NeoRouter client will continue to run so you can use the displayed private IP addresses to connect to any other online devices in your NeoRouter VPN. All traffic from connections to devices in the 10.0.0.0 network will flow through NeoRouter’s encrypted VPN tunnel. This includes inter-office SIP and IAX communications between Asterisk® endpoints.
Admin Tools for NeoRouter. Here are a few helpful commands for monitoring and managing your NeoRouter VPN.
Browser access to NeoRouter Configuration Explorer (requires user with Admin privileges)
Browser access to NeoRouter Network Explorer (user with Admin or User privileges)
To access your NeoRouter Linux client: nrclientcmd
To restart NeoRouter Linux client: /etc/rc.d/init.d/nrservice.sh restart
To restart NeoRouter Linux server: /etc/rc.d/init.d/nrserver.sh restart
To set domain: nrserver -setdomain YOUR-VPN-NAME domainpassword
For a list of client devices: nrserver -showcomputers
For a list of existing user accounts: nrserver -showusers
For the settings of your NeoRouter VPN: nrserver -showsettings
To add a user account: nrserver -adduser username password user
To add admin account: nrserver -adduser username password admin
Test VPN access: http://www.neorouter.com/checkport.php
For a complete list of commands: nrserver --help
To change client name from default pbx.local1:
- Edit /etc/hosts
- Edit /etc/sysconfig/network
- Edit /etc/sysconfig/network-scripts/ifcfg-eth0
- reboot
For the latest NeoRouter happenings, follow the NeoRouter blog on WordPress.com.
Eating Our Own Bear Food. We’ve actually been at our SOHO cabin this month "testing" VPN in a Flash. It’s provided instant access both to our desktop machines and servers in Charleston as well as Tom King’s Proxmox server in Florida where we’ve been developing Yate in a Flash™, a new, dedicated SIP to Google Voice Gateway for Asterisk. We’ll have more to say about it next week, or you can follow the link and get a head start. The bottom line on VPN in a Flash: It Just Works! VPN in a Flash frees you from ever having to stay in your home or office to get work done. And it’s been rock-solid reliable. Enjoy!
Originally published: Wednesday, June 20, 2012
5-Minute VoIP: Deploying a SIP to Google Voice Gateway
We’ve been big fans of Google Voice since the outset. But, with the exception of one brief week, the piece Google has always refused to put in place is a SIP gateway to make connections from VoIP devices a no-brainer. You’d think they’d do it for no other reason than economics. SIP calls are free. PSTN calls are not. Well, never mind Google. Bill Simon has done it for you, and he leveraged the same Yate toolkit that Google originally deployed. Today, we’ll show you how to spend five minutes and take advantage of the Simon Telephonics gateway to interconnect a dedicated Google Voice account with any SIP device you’d like, whether it’s an Asterisk® server, a smartphone with a free SIP client from GrooVe IP or Zoiper, a free softphone from Zoiper or X-Lite 4, or any SIP telephone. Once we’re finished today, you can use any SIP client to call your 10-digit Google Voice number through the Simon Telephonics gateway: SIP/9991234567@gvgw1.simonics.com. And you can make and receive calls throughout the U.S. and Canada using your new Google Voice number the old fashioned way, using a Plain Old Telephone. Did we mention that everything is free: the Google Voice number, the Simon Telephonics gateway connection, all of the inbound calls, and outbound calls throughout the U.S. and Canada… at least in 2012. If you take advantage of Bill’s gateway, we would encourage you to at least donate one day’s lunch money to Bill’s site to help pay the light bill.
Getting Started. The drill for today goes like this. First, you’ll create a new Google Voice account with a new phone number at google.com/voice. Next, you’ll make a test call from that number using the Gmail account associated with that same account. Then, you’ll register the Google Voice number on the Simon Telephonics gateway. Next, we’ll set up a SIP trunk on your Asterisk server for this new DID. Finally, configure any SIP client with an extension number from your Asterisk PBX, and you can start making and receiving calls using your new Google Voice number.
A Word About Security. Google doesn’t (yet) support OAuth authentication for Google Voice accounts. What this means is that you’ll have to use your actual Google Voice credentials to set up your account on the Simon Telephonics gateway. Could Bill steal your credentials? Absolutely. Will he? Absolutely not. Why? First, there’s no money in your Google Voice account so all he could do is make free calls on Google’s nickel, the same thing he could do using his own Google Voice accounts. Second, Bill is better off setting up his own accounts where you don’t share his password and the Google Voice call logs won’t tell you who he’s calling. If you’re paranoid, don’t put money in your calling account, make the account name something that could not be associated with you, and then check your call logs several times every day. Better yet, spend $50 and use an OBi110 device to set up your own private gateway where Obihai knows your credentials instead of Bill. 😉
Configuring Google Voice. As we mentioned, you’ll need a dedicated Google Voice account for this. The more obscure the username (with some embedded numbers), the better off you will be. This will keep folks from bombarding you with unsolicited Gtalk chat messages, and who knows what nefarious scheme will be discovered using Google messaging six months from now.
We’ve tested this extensively using an existing Gmail account, and inbound calling is just not reliable. The reason seems to be that Google always chooses Gmail chat as the inbound call destination if there are multiple registrations from the same IP address. So, be reasonable. Do it our way! Set up a dedicated Gmail and Google Voice account, and use it exclusively for this new SIP gateway. Head over to the Google Voice site and register. If you’re living on another continent, see MisterQ’s posting for some tips on getting set up.
You must choose a telephone number (aka DID) for your new account, or Google Voice calling will not work… in either direction. You also have to tie your Google Voice account to at least one working phone number as part of the initial setup process. Your cellphone number will work just fine. Don’t skip this step either. Just enter the provided 2-digit confirmation code when you tell Google to place the test call to the phone number you entered. Once the number is registered, you can disable it if you’d like in Settings, Voice Setting, Phones. But…
IMPORTANT: Be sure to enable the Google Chat option as one of your phone destinations in Settings, Voice Setting, Phones. That’s the destination we need for the SIP gateway to work its magic! Otherwise, all inbound and outbound calls will fail. If you don’t see this option, you may need to call up Gmail and enable Google Chat there first. Then go back to the Google Voice Settings.
While you’re still in Google Voice Settings, click on the Calls tab. Make sure your settings match these:
- Call Screening – OFF
- Call Presentation – OFF
- Caller ID (In) – Display Caller’s Number
- Caller ID (Out) – Don’t Change Anything
- Do Not Disturb – OFF
- Call Options (Enable Recording) – OFF
- Global Spam Filtering – ON
Click Save Changes once you adjust your settings. Under the Voicemail tab, plug in your email address so you get notified of new voicemails. Down the road, receipt of a Google Voice voicemail will be a big hint that something has come unglued.
Finally, go into Gmail for this same account and place a test call using your new Google Voice number. You’ll find the Call Phone icon in the Chat and SMS section of Gmail in the left column. Once you complete this step, be sure to log out of both Gmail and Google Voice for this account, or inbound calling will never work.
Registering on the Simon Telephonics Gateway. Now we’re ready to register your Google Voice account on the Simon Telephonics Gateway. Click on the link and fill in the blanks with your Google Voice account credentials and phone number. Be sure to include a 1 at the beginning of your Google Voice number! You’ll note that Google Apps email domains are supported as well as gmail.com addresses.
- Google Voice Number – 19991234567
- GV Username – joeschmo2468
- GV Domain – gmail.com
- GV Password – mightysecret
- GV Password again – mightysecret
- Email Address – joeschmo@yahoo.com
Check your entries carefully and then click the Add button. If you screw things up, the only way to make changes is to Delete the existing account by entering your original credentials and then Add a new one. So type carefully and check your work. Once your account is successfully registered, the Simon Telephonics Gateway will spit back your new SIP credentials. Write them down or take a screenshot and put them in a safe place. You’ll need them to set up your Asterisk SIP trunk. The Username will be your 11-digit Google Voice number with a GV prefix. The Secret will be a randomized string. The Registration String will be used in setting up your Asterisk SIP trunk and is in the proper format. The DID for your Inbound Route in FreePBX® will be your 11-digit Google Voice number.
- Server – gvgw1.simonics.com
- Username – GV19991234567
- Secret – Xyzkk
- Registration String – GV19991234567:Xyzkk@gvgw1.simonics.com/19991234567
- Dialing Format – E.164 without + (for US calls, 11 digits starting with 1)
NOTE: Newer users may be provided an alternate gateway, e.g. gvgw2.simonics.com. You would obviously need to use whichever gateway FQDN is provided in all of the settings shown here.
Creating FreePBX SIP Trunk. Now we’re ready to create your new SIP trunk in FreePBX. Choose Add SIP Trunk and fill in the blanks as shown below with your new credentials. The Trunk Name can be any name you like. Don’t forget the 1 in Prepend for the Dialed Number Manipulation Rules! Leave the Incoming Settings blank. Be sure to add your Registration String from the credentials that were provided as part of the Simon Telephonics registration. Then Save Your Settings.
Creating FreePBX Inbound Route. Now you’ll need to add an Inbound Route to process incoming calls from the Simon Telephonics Gateway. The DID entry will be your 11-digit Google Voice number. The Destination for the incoming calls can be whatever you like: an extension, a ring group, an IVR, or any of the other available options on your server.
Creating FreePBX Outbound Route. If you want to send outbound calls out through your new Google Voice trunk, then you’ll need to add the SIP trunk to your outbound dialing rules. Just add the SIP Trunk Name you’ve defined to the Trunk Sequence for calls with the NXXNXXXXXX Dial Pattern, and you’re all set. Enjoy!
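Since a typo in any of these values means deleting and re-adding the gateway account, here is a small consistency check for the Registration String, the GV username rule, the inbound DID and the Prepend 1 dialing rule. It is an added example, not code from the original post or from Simon Telephonics; the function names are hypothetical, the sample values are the placeholders shown above, and the 10-digit number is constructed.

```python
import re

# Asterisk register-string shape used on this page: user:secret@host/DID
REGISTER_RE = re.compile(
    r"(?P<user>[^:@/\s]+):(?P<secret>[^:@\s]+)@(?P<host>[A-Za-z0-9.-]+)/(?P<did>\d+)"
)
DIAL_PATTERN = re.compile(r"[2-9]\d{2}[2-9]\d{6}")  # FreePBX NXXNXXXXXX


def check_registration(reg, gateway, gv_number):
    """Return a list of problems; an empty list means the values agree."""
    m = REGISTER_RE.fullmatch(reg.strip())
    if not m:
        return ["not in user:secret@host/DID form"]
    problems = []
    if not re.fullmatch(r"1\d{10}", gv_number):
        problems.append("number must be 11 digits starting with 1")
    if m["user"] != "GV" + gv_number:
        problems.append("username is not GV + the 11-digit number")
    if m["did"] != gv_number:
        problems.append("DID after the slash does not match the number")
    if m["host"].lower() != gateway.lower():
        problems.append("host is not the gateway you were assigned")
    return problems


def redact(reg):
    """Mask the secret so the string can go into notes, tickets or logs."""
    reg = reg.strip()
    m = REGISTER_RE.fullmatch(reg)
    if not m:
        return "<unparseable registration string>"
    return reg[:m.start("secret")] + "***" + reg[m.end("secret"):]


def to_gateway_format(dialed):
    """Apply the trunk's Prepend 1 rule; None means the route does not match."""
    return "1" + dialed if DIAL_PATTERN.fullmatch(dialed) else None


if __name__ == "__main__":
    # Sample values are the placeholders shown in the post, not real credentials.
    sample = "GV19991234567:Xyzkk@gvgw1.simonics.com/19991234567"
    print(check_registration(sample, "gvgw1.simonics.com", "19991234567"))
    print(redact(sample))
    print(to_gateway_format("2125550100"))  # constructed 10-digit number
```

Run it against the values the gateway returned before pasting them into FreePBX, and use the redacted form anywhere the string might be stored outside the PBX.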
Originally published: Monday, June 11, 2012