The Incredible PBX: Remote Phone Meets the Travelin’ Man

Ever wrestled with one of those thorny problems for weeks only to wake up in the middle of the night with the answer? Thus was born Travelin’ Man, a web- based, one-click Asterisk® application that automatically reconfigures your Asterisk PBX to enable remote SIP phone access from your cellphone, iPad, remote PC, NetBook, or desktop telephone.

News Flash: Be sure to read our latest article introducing Travelin’ Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that’s lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.

If you’ve read the Incredible PBX series of articles on Nerd Vittles, you already know what a thorny problem remote phone access is if you want to preserve the overall security of your server. Indeed, our recommendation has been to leave SIP access closed on your hardware-based firewall because of the dangers inherent in activating remote SIP access. Now we have a better idea!

Today’s new approach works like this. First, we’ll run a little script that secures all of your extensions with permit entries locking down all these connections to the IP address range within your private network. Then we’ll open the SIP and RTP ports on your hardware and software firewalls and map these ports to your Asterisk server’s private IP address. With this setup, no one can attempt remote SIP logins to your server because Asterisk blocks all SIP extension connection attempts except those originating inside your LAN. To manage external phone connections to your server, the install script creates a new virtual Apache web server on your Incredible PBX using port 83. We’ll enable and map TCP port 83 on your hardware and software firewalls to your server as well. Web access with port 83 is limited to running the Travelin’ Man app to activate external phones.

Now we’re ready to set up access to your server for remote devices. For each extension you wish to enable for remote access, we’ll create a special web directory using an obscure, random file name which will serve as the web link for the Travelin’ Man web app. For example, in the diagram above, directory 184778 manages extension 501, directory 2389957h manages extension 701, and directory 6993h5j manages extension 702. This is accomplished by simply changing the extension number in the index.php script stored in each directory.

When one of these web links is accessed remotely, the PHP script will automatically reconfigure Asterisk to enable access to the designated SIP extension on your server using the remote IP address from which the web page was accessed. And, of course, there’s an additional layer of SIP security as well. You still need your extension credentials to actually log in to your server with a softphone to place and receive calls. The Travelin’ Man installation process takes only a couple minutes, and the remote SIP activation procedure takes just a couple seconds each time you want remote access from a different location. Here’s a quick example of how it actually works.

Let’s assume we want to use the new $3.95 Bria SIP softphone on an iPad to connect as extension 501 on our Incredible PBX back at home. The problem is that the dynamic IP address of your iPad changes at each new site on your itinerary. Some locations have WiFi while others only have 3G connections.

First, we’ll generate an icon to run Travelin’ Man from your iPad desktop. Use the same procedure with an iPhone or iPod Touch, and there’s a similar procedure for Android devices.¹ You only have to do this once. Start up Safari on the iPad to access the new port 83 web server at the random web address the installer created to support extension 501. That web address is something like this using your own FQDN²: http://myserver.dyndns.org:83/184778. After establishing the link once, we’ll hit the + button in Safari and choose Add to Home Screen. This creates the TravelMan icon on the iPad. See the screenshot below of our demo iPad setup which used extension 221 instead of 501.

Once configured, it’s just two clicks to enable your remote phone anywhere: click once on the TravelMan icon. When your IP address is confirmed, return to your Home Screen and click the Bria softphone icon to establish a SIP connection back to your server. Behind the scenes, the Travelin’ Man application will generate the required permit entry for your remote IP address mapping it to the designated extension on your server, and then it will reload your SIP settings to make your Asterisk server accessible to the Bria softphone in your hotel room. The entire process takes only a couple seconds.

If your company happens to have a dozen traveling salesmen, then you’d simply assign a dedicated extension to each employee and create secure directory names for each person (e.g. 2389957h and 6993h5j in diagram above) with a copy of the Travelin’ Man app configured for that employee’s extension number. Now your entire mobile workforce has connectivity back to the home office from any location on the globe. And, when an employee leaves the company and another arrives, just create a new name for the old employee’s web directory to preserve the security of your system (e.g. 184778 in our example becomes 78hd773). Keep in mind that each time the Travelin’ Man app is run for any extension, it wipes out any previously authorized IP address entry for that extension. Thus, the security of your Incredible PBX is always preserved.

Prerequisites. Before proceeding with today’s install, you must be running a stock install of Incredible PBX with PBX in a Flash behind a properly-secured, hardware-based firewall³. We recommend the latest version of Asterisk 1.4 because it addresses a SIP vulnerability that might cause you problems if malformed SIP packets are targeted at your server. The current release of PBX in a Flash (1.7.5.5 Silver) is ideal, but any version of PBX in a Flash can be brought current with Asterisk using the update-source and update-fixes tools. Travelin’ Man assumes that you have the Incredible PBX base install of extensions: 501 plus 701-715. You can obviously add more or remove some, but you’ll need to manually adjust sip_custom_post.conf to reflect your actual extension list after the install completes.

The installer has been encrypted for your/our own protection. In source form, the script would allow anyone to defeat the Incredible PBX requirement. Doing so would mean the required IPtables security component would not be in place and properly configured to protect the underlying system from attack. So we’ve opted to play Big Brother to avoid potential security problems for all of us down the road. This article clearly explains all the necessary components if some folks want to roll their own version. We just don’t want the responsibility if something goes horribly wrong. As Forrest Gump would say, "Shit Happens." 🙂 If you don’t believe it, check out the latest security scramble in the trixbox forums.

Installation. Now we’re ready to get started. So log into your Incredible PBX as root and issue the following commands:

cd /root
wget http://incrediblepbx.com/travelinman.tar.gz
tar zxvf travelinman.tar.gz
./travelinman.x

NOTE: If you’re using PIAF2 with CentOS 6.2, you’ll need to use the updated version of Travelin’ Man because of a syntax change in the Apache config file:

cd /root
wget http://incrediblepbx.com/travelinman2.tar.gz
tar zxvf travelinman2.tar.gz
./travelinman2

The first step in the install procedure is to lock down access to all of your extensions to your private LAN subnet. In case you ever want to do this on another server not running the Incredible PBX, here’s a link to our privip.sh shell script that shows how to do it. This should work on most FreePBX-based Asterisk systems.

Once the extensions are locked down, the script will modify your IPtables and Apache configurations to permit web access on port 83. Next, it will adjust your Asterisk setup to support the Travelin’ Man permit scheme. This involves reworking of sip_custom_post.conf so that permit settings for individual extensions can be stored in files named 501.inc, 701.inc, etc. Finally, the installation procedure will set up a single web site to support extension 501 with a randomized directory name for remote access.⁴ This setup will be stored in /var/www/travelman. To activate support for additional extensions, you would simply copy the subdirectory giving it a new random name: cp -r dir1 dir2. Then edit config.php in the new subdirectory and change the $extension entry.

To complete the install, you must reconfigure your hardware-based firewall and map the following ports to the private IP address of your server:

TCP 83
UDP 5060
UDP 10000-20000

When the installation is completed, it will show you how to access the new web site for extension 501 using either a fully-qualified domain name or a public or private IP address. Now just follow the steps at the beginning of this article to set up your Android or iDevice, and test things out. Enjoy!

Reminders: Be sure to review the comments to this article and the related support forum thread for a week or two for late-breaking enhancements and issues. Also, Incredible PBX comes preconfigured with call forwarding activated for extension 501. Don’t forget to either disable it or set up a real call forwarding number for extension 501 if you want your cellphone to ring. From any extension on your server, just dial *72501 to set up call forwarding. To cancel call forwarding and pass calls directly to the registered 501 softphone, dial *74 and enter 501. Also be aware that the default RingAll ring group (700) configuration on Incredible PBX systems does not include extension 501. So add 501 if you want your remote extension to ring for incoming calls.

The Incredible PBX: Basic Installation Guide

Adding Skype to The Incredible PBX

Adding Incredible Backup… and Restore to The Incredible PBX

Adding Multiple Google Voice Trunks to The Incredible PBX

Adding Remotes, Preserving Security with Incredible PBX

Continue reading Basic Installation Guide, Part II.

Continue reading Basic Installation Guide, Part III.

Continue reading Basic Installation Guide, Part IV.

Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won’t have to wait long for an answer to your questions.

Need help with Asterisk? Visit the PBX in a Flash Forum.
Or Try the New, Free PBX in a Flash Conference Bridge.

whos.amung.us If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
 

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
 

Some Recent Nerd Vittles Articles of Interest…

1. To create a desktop icon for Travelin’ Man on Android devices, navigate to the link with your browser. Then save the link as a Bookmark by clicking the Star icon in your browser then click Add. Return to the Home Screen and, from the screen on which you wish to add the icon, touch and hold your finger on the screen. When the Add to Home Screen menu appears, choose Shortcuts then Bookmarks and select the link you previously saved. As with iDevices, you only have to do this once. [↩]
2. FQDN = Fully-qualified domain name [↩]
3. We recommend the dLink Router/Firewall. Low Cost: $35 WBR-2310  Best: DGL-4500 [↩]
4. If you’d like to download the web site code independently from the Travelin’ Man install procedure, here’s the link. [↩]