VPN:PBX – Getting Started

VPN:PBX is the SysAdminMan virtual PBX template that includes Asterisk, FreePBX, A2Billing and OpenVPN. More information can be found here - http://sysadminman.net/sysadminman-vpnpbx-hosting.html

It is designed to work with the TP-Link TL-WR1043ND broadband router. A custom OpenWRT firmware is provided to simplify the connection of your network to your SysAdminMan VPS, securely and without the hassle of NAT.

STEP 1 – DOWNLOAD THE CUSTOM FIRMWARE

Download the custom TP-Link TL-WR1043ND firmware with OpenVPN client installed -

http://sysadminman.net/openwrt/tl-wr1043nd-sysadminman-v3.04.bin

STEP 2 – PLUG IN THE TP-LINK WR1043ND

  1. Plug a PC/Laptop in to the yellow port 1
  2. Plug the blue WAN port in to a spare port on your existing internet router

STEP 3 – LOG IN TO YOUR TP-LINK WR1043ND AND FLASH THE NEW FIRMWARE

* While every effort is made to test the firmware provided, no responsibility can be accepted if you use the firmware above and it renders your router unusable. This is a risk that is always taken when flashing any new firmware to a device *

You must log in from a computer connected to a yellow LAN port.

Default IP address : 192.168.1.1

Default username : admin

Default password : admin

TP-Link-1043_initial_login

Select System Tools / Firmware upgrade and then choose the firmware image you downloaded above -

TP-link_firmware_upgrade

Click upgrade and the new firmware will be loaded and the router restarted. Do not disconnect the power while this is happening!! -

openwrt_upgrade_restarting

STEP 4 – RESET YOUR COMPUTER OR RENEW YOUR DHCP LEASE

You will now need to get your computer to pick up a new DHCP address from the TP-Link TL-WR1043ND. This will be in the range 10.99.99.X. This can be done by either rebooting, pulling and reinserting the network cable or running the command to renew the IP address. Please note that the WiFi is disabled on the TP-Link TL-WR1043ND firmware so you must use a cabled connection.

STEP 5 – LOG IN TO YOUR TP-LINK ROUTER AGAIN

Default IP address : 10.99.99.1

Default username : root

Default password : sysadminman

OpenWRT_login

STEP 6 – ENTER THE SYSADMINMAN VPS CONNECTION DETAILS IN TO YOUR TP-LINK ROUTER

For this step you will need the IP address of your SysAdminMan server plus the 3 files that will be sent to you separately. The 3 files are called ca.crt, tplink.crt and tplink.key.

Click on Network / SysAdminMan and you will see the screen below. Enter your SysAdminMan VPS IP address in the box provided and upload the 3 files. Ensure you upload the correct file to the correct place. Then click Save & Apply -

SysAdminMan_OpenWRT_VPN_config

Next reboot the router. There is an option to do this under System / Reboot -

OpenWRT_reboot_router

Now if you log back in and select Network you should see that the ‘SYSADMINMAN’ interface has been assigned an IP address of 10.98.0.X -

OpenWRT_Network_details

STEP 7 – FINISHED!

And that should be everything. Now any device connected to your TP-Link should be given an IP address in the range 10.99.99.x and be able to connect to your SysAdminMan VPS server using the address 10.98.0.1 over the secure OpenVPN tunnel.

Also, any phone that is connected to your TP-Link that has auto provisioning set will be given a TFTP server address of 10.98.0.1, your SysAdminMan VPS address. This means that you can use the FreePBX EndPoint Manager module to configure your telephone handsets.

NETWORK DETAILS

  • TP-Link LAN address : 10.99.99.X
  • SysAdminMan VPS address : 10.98.0.1

 


VPN:PBX – Using FreePBX Endpoint Manager

VPN:PBX is a new offering from SysAdminMan combining Asterisk, FreePBX and OpenVPN. More details can be found here - http://sysadminman.net/sysadminman-vpnpbx-hosting.html

While using FreePBX Endpoint Manager is possible with a normal SysAdminMan system, using it with VPN:PBX is really simple as no firewall or router changes are required.

Endpoint Manager is a FreePBX module that allows you to configure VOIP handsets centrally – no settings are required to be entered on the handset itself – just plug it in!

Here is the way it works -

  1. The phone is switched on and given a DHCP address by the TP-Link TL-WR1043ND router
  2. It is also given the IP address of the Asterisk server as its TFTP server – in this case of a SysAdminMan VPN:VPS that’s 10.98.0.1
  3. The phone contacts the TFTP server (10.98.0.1) and asks for its configuration settings. It gives the server its MAC address to identify itself
  4. Endpoint Manager identifies the handset based on its MAC address and configures the phone

Brilliantly simple, and it also makes it very easy to deploy new phones and make changes to deployed phones. Endpoint Manager supports lots of different manufacturers’ handsets including – Aastra, Grandstream, Polycom, Snom, Cisco and Yealink.

So, how does it work in practice? Here is a quick guide for deploying a new handset with Endpoint Manager -

First get the MAC address of the handset. In this case an Aastra 6755i -

Aastra 6755i MAC address

Next create an extension as normal in FreePBX. The only settings required are User Extension, Display Name and Secret -

Add FreePBX extension 1

Add FreePBX extension 2

Next enable the required handset template in Endpoint Manager / Endpoint Configuration -

Endpoint configuration 1

Endpoint Configuration 2

Finally add a device in Endpoint Manager End Point Device List -

Endpoint device list

and click on Rebuild Configs for All Phones -

EPM rebuild configs

Now when you connect your handset to the network it should connect to Endpoint Manager and download its configuration. Here’s mine making an echo test call -

Aastra 6755i Endpoint Manager

 

Because the TP-Link router creates an OpenVPN tunnel to the VPN:PBX server, no NAT, firewall or router changes are required.

GoIP GSM Gateway and Asterisk using VPN:PBX

Recently I had a VPS customer that was looking to get a GoIP GSM Gateway working with his Asterisk VPS. These little SIP/GSM gateways can be used to connect Asterisk to the GSM/mobile network. The single-SIM models can be had for around £100 from eBay.

They are not the easiest boxes in the world to set up, with the web GUI being rather confusing. Eventually, though, the GoIP was configured correctly, but calls were still intermittent, with the connection to the Asterisk server being lost.

As the GoIP box was being hosted behind a residential ADSL router, the issues were typical of NAT/Firewall problems. They were probably being caused by a mixture of NAT and a SIP ALG (application layer gateway) in the ADSL router.

The solution was to use the new SysAdminMan VPN:PBX template which uses OpenVPN to create a secure VPN tunnel to the Asterisk server. The customer purchased a TP-Link 1043 router, flashed the SysAdminMan firmware, and the GoIP was connected to the VPS over the VPN. This meant that private IP address ranges were used, with no NAT happening at all. This is a great example of how using VPN:PBX to provide a VPN connection to your Asterisk server is easy to deploy and works around any NAT/Firewall issues.

Here is a diagram showing the customer’s setup -

GoIP using VPNPBX

See here for more information - http://sysadminman.net/sysadminman-vpnpbx-hosting.html

OpenVPN with Asterisk, FreePBX and A2Billing

We’ve released an update to the firmware for the SysAdminMan VPNPBX template. This template includes OpenVPN, Asterisk, A2Billing and FreePBX and is designed for customers that want to have a secure VPN connection to their hosted PBX (without the worries of NAT).

The firmware is based on OpenWRT and works with the popular TP-Link 1043 router. The latest firmware release works with models v1.18 and v1.19.

These are the steps to having a hosted PBX with a secure VPN connection to it -

  1. Order a SysAdminMan server specifying the VPNPBX template
  2. Purchase a TP-Link 1043ND router (from any supplier)
  3. Download the custom TP-Link 1043 firmware from the SysAdminMan site and install on the router
  4. Enter the supplied OpenVPN connection details in to the router and you’re ready to go
  • You could also use any other OpenVPN client to connect to the server if you prefer

For more details about the VPNPBX template see here – http://sysadminman.net/sysadminman-vpnpbx-hosting.html

For more information about installing the custom OpenVPN firmware see here – http://sysadminman.net/blog/2012/vpnpbx-getting-started-3890

Update to SysAdminMan VPN:PBX template

The SysAdminMan template that includes OpenVPN, Asterisk, FreePBX and A2Billing has been updated with the following versions -

Asterisk : 11.3.0
FreePBX : 2.11
A2Billing : 2.0.1

This VPS template has OpenVPN installed with example certificates created. It’s a great solution for setting up a secure off-site PBX. You can use any OpenVPN client to connect, or there is a custom firmware available that turns a TP-Link 1043 in to an OpenVPN gateway.

For more information see - http://sysadminman.net/sysadminman-vpnpbx-hosting.html

Using SysAdminMan OpenVPN template with pfSense

I’ve had a few customers recently using the SysAdminMan VPN:PBX template with an existing on-site pfSense gateway. The VPN:PBX template has Asterisk, FreePBX and A2Billing installed, along with OpenVPN setup to allow secure connections to the VPS.

pfSense can be used as an OpenVPN client/gateway so this makes a great combination for a secure off-site PBX.

Here are some setup instructions for configuring pfSense with the SysAdminMan VPN:PBX template.

1 – Obtaining the OpenVPN client certificates

When your SysAdminMan server is created 3 files will be generated that are required to configure pfSense as an OpenVPN client. These files can be e-mailed to you or retrieved from the VPS using a program like WinSCP. The 3 files are -

/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/tplink.key
/etc/openvpn/keys/tplink.crt

These 3 files identify an individual OpenVPN client. If you are just connecting a single gateway this is all you will need. If you’d like instructions for creating more certificates please open a support ticket.

2 – Installing the Certificates on pfSense

Next we need to install the 3 certificates above in pfSense. The 3 files (ca.crt, tplink.key and tplink.crt) are text files which we can open with notepad, or something similar, and copy and paste the contents in to the correct place in pfSense.

First select “System/Cert Manager” from the pfSense menu. Then we click to add a CA -

pfsense add CA

Call the new CA ‘sysadminman’ and paste the contents of the file ca.crt in to the ‘Certificate data’ box -

pfsense CA data

After saving that go back to Cert Manager and click on the ‘Certificates’ tab. There will probably be a default one, but we need to add a new certificate -

Add a certificate in pfsense

Call the new certificate ‘sysadminman’ and paste the contents of tplink.crt in to the ‘Certificate data’ box and the contents of tplink.key in to the ‘Private key data’ box -

pfsense add certificate for OpenVPN

If we save that we should now be able to see our new certificate configured on the Certificates page -

pfSense certificate

3 – Configuring OpenVPN in pfSense

Now we can configure OpenVPN on pfSense. Select ‘VPN/OpenVPN’ from the pfSense menus and then click on the ‘Client’ tab. Then click to add a new OpenVPN client -

pfSense add OpenVPN client

Now we need to enter our VPN connection details. Under General information the only thing you should need to change is the Server address. Here you should enter the IP address of your SysAdminMan VPS -

pfSense OpenVPN details

Under Cryptographic Settings you should ensure that TLS Authentication is not selected, that the 2 ‘sysadminman’ certificates we created are selected, and that the Encryption algorithm is set to ‘BF-CBC (128-bit)’ -

pfSense OpenVPN settings

Once that’s done pfSense should connect to our VPS. We can see the status of the connection by going to OpenVPN Client and clicking on the ‘s’ button -

pfSense OpenVPN status

4 – Telling OpenVPN about our local LAN

By default OpenVPN on the SysAdminMan VPN:PBX template assumes that your local network is using 10.99.99.0/24. If you are setting up a new site and can use this then there is nothing more to change.

If you are using an existing numbering block then we need to tell OpenVPN on the VPS what that is. So let’s assume you are using 192.168.10.X at your site. There are 2 files we need to change on the VPS. If you’d like this doing for you please open a support ticket.

The first is /etc/openvpn/server.conf where we need to change -

...
route 10.99.99.0 255.255.255.0
...

to

...
route 192.168.10.0 255.255.255.0
...

The second file to change is /etc/openvpn/ccd/tplink where we need to change -

iroute 10.99.99.0 255.255.255.0

to

iroute 192.168.10.0 255.255.255.0

And then just restart OpenVPN with -

service openvpn restart
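
If only one of the two files is changed, the tunnel still comes up but traffic for the LAN behind it is not routed. The script below is an added example, not part of the original post or of SysAdminMan's tooling; it makes both edits together and then checks that every route in server.conf has a matching iroute in ccd/, and that no two clients claim the same subnet. The function names and the sample files it builds are made up for illustration.

```shell
#!/bin/sh
# Added example: cross-check OpenVPN "route" lines in server.conf against the
# "iroute" lines in the ccd/ client files. Function names are illustrative.

# check_vpn_routes SERVER_CONF CCD_DIR
# Prints one finding per line and returns 1 if there are any:
#   NO_IROUTE  route that no ccd file claims (OpenVPN drops the packets)
#   NO_ROUTE   iroute with no matching route (kernel never uses the tunnel)
#   DUPLICATE  one subnet claimed by several clients (two sites, same range)
check_vpn_routes() {
    cvr_out=$(
        {
            # OpenVPN treats a missing netmask as 255.255.255.255.
            awk '$1 == "route" {
                print "R", $2, (NF >= 3 ? $3 : "255.255.255.255") }' "$1"
            for cvr_f in "$2"/*; do
                [ -f "$cvr_f" ] || continue
                awk -v c="${cvr_f##*/}" '$1 == "iroute" {
                    print "I", $2, (NF >= 3 ? $3 : "255.255.255.255"), c }' "$cvr_f"
            done
        } | awk '
            $1 == "R" { route[$2 " " $3] = 1 }
            $1 == "I" { k = $2 " " $3
                        if (n[k]++) owner[k] = owner[k] "," $4; else owner[k] = $4 }
            END {
                for (k in route) if (!(k in owner)) print "NO_IROUTE " k
                for (k in owner) {
                    if (!(k in route)) print "NO_ROUTE " k " (" owner[k] ")"
                    if (n[k] > 1)      print "DUPLICATE " k " (" owner[k] ")"
                }
            }' | sort
    )
    [ -z "$cvr_out" ] && return 0
    printf '%s\n' "$cvr_out"
    return 1
}

# renumber_site SERVER_CONF CCD_FILE OLD_NET NEW_NET MASK
# Applies the same subnet change to the route line and the iroute line.
renumber_site() {
    for rs_f in "$1" "$2"; do
        rs_tmp=$(mktemp) || return 1
        awk -v old="$3" -v new="$4" -v mask="$5" '
            ($1 == "route" || $1 == "iroute") && $2 == old && $3 == mask { $2 = new }
            { print }' "$rs_f" > "$rs_tmp" && cat "$rs_tmp" > "$rs_f"
        rs_rc=$?
        rm -f "$rs_tmp"
        [ "$rs_rc" -eq 0 ] || return 1
    done
}

# Constructed sample files that mirror the layout described above.
make_sample() {
    mkdir -p "$1/ccd"
    printf '%s\n' 'port 1194' 'proto udp' 'dev tun' 'client-config-dir ccd' \
        'route 10.99.99.0 255.255.255.0' > "$1/server.conf"
    printf '%s\n' 'iroute 10.99.99.0 255.255.255.0' > "$1/ccd/tplink"
}

demo() {
    d=$(mktemp -d) || return 1
    make_sample "$d"
    # Only server.conf edited, ccd/tplink forgotten:
    sed 's/^route 10\.99\.99\.0 /route 192.168.10.0 /' "$d/server.conf" > "$d/half.conf"
    echo "after editing server.conf only:"
    check_vpn_routes "$d/half.conf" "$d/ccd" || echo "-> inconsistent"
    renumber_site "$d/server.conf" "$d/ccd/tplink" 10.99.99.0 192.168.10.0 255.255.255.0
    echo "after editing both files:"
    check_vpn_routes "$d/server.conf" "$d/ccd" && echo "-> consistent"
    rm -rf "$d"
}
demo
```

On a real server the two paths would be /etc/openvpn/server.conf and /etc/openvpn/ccd, and OpenVPN still needs restarting afterwards.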

5 – Testing!

Now from a local PC you should be able to ping your SysAdminMan VPS over the VPN. The IP address of the server is 10.98.0.1, so we can -

ping over OpenVPN

Now when you are connecting a phone to Asterisk over SIP, or managing the server over HTTPS, you can use the VPN address of 10.98.0.1 instead of the server’s public IP address.

6 – Troubleshooting 

If you are having problems getting this working then check the error log at /var/log/messages for OpenVPN system messages or open a support ticket for us to take a look.

Getting started with SysAdminMan OpenVPN and FreePBX/A2Billing

When you rent a VPNPBX server from SysAdminMan you get a server with Asterisk/FreePBX/A2Billing and OpenVPN installed.

OpenVPN is a VPN system that works on many different clients. This guide will go through getting started with the Windows client, others will be very similar.

The first thing you need to do is install the Windows OpenVPN client. This can be downloaded at - http://openvpn.net/index.php/access-server/download-openvpn-as-sw/357.html

Once installed we need to get the certificates for our OpenVPN connection. By default 3 files are created on a new SysAdminMan VPNPBX system. These are -

/etc/openvpn/keys/ca.crt
/etc/openvpn/keys/tplink.crt
/etc/openvpn/keys/tplink.key

(The fact that they are called tplink is unimportant. They will work with any OpenVPN client)

We want to copy these files to our OpenVPN config folder. We are going to use WinSCP for this. We need to start WinSCP as an Administrator so that it can write to the OpenVPN config folder -

run winscp

Next log in to your VPS using the root password provided -

winscp login

Now copy the 3 files above from “/etc/openvpn/keys” to “c:\program files\OpenVPN\config” -

openvpn certificate copy

Finally you need to edit the file “c:\program files\OpenVPN\config\client.ovpn”. I recommend using something like Notepad++ to retain the formatting. The file should contain the following settings -

client
dev tun
proto udp
remote VPS-IP-ADDRESS

resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert tplink.crt
key tplink.key
ns-cert-type server
verb 3

You should change the ‘remote’ line to be the IP address of your VPS.

If all that worked OK we should now be able to connect to our VPS using OpenVPN -

openvpn connect

and ping the IP of our VPS over the VPN -

ping 10.98.0.1

Pinging 10.98.0.1 with 32 bytes of data:
Reply from 10.98.0.1: bytes=32 time=21ms TTL=64
Reply from 10.98.0.1: bytes=32 time=21ms TTL=64
Reply from 10.98.0.1: bytes=32 time=21ms TTL=64
Reply from 10.98.0.1: bytes=32 time=19ms TTL=64

Ping statistics for 10.98.0.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 21ms, Average = 20ms

Connecting Yealink T22P to Asterisk using OpenVPN

Recent firmware versions for the Yealink T22P include the ability to connect to an OpenVPN server. This encrypts the traffic between the phone and Asterisk server. It also removes any NAT/SIP issues.

This guide was written using a SysAdminMan VPNPBX VPS and a Yealink T22P with firmware 7.70.23.2.

Different Yealink models, or the T22P with different firmware may behave differently!

The SysAdminMan VPNPBX comes with a script for creating the certificates and config file required to connect a Yealink T22P to an OpenVPN server. To create a certificate log in as root and then run …

cd /usr/local/bin
./yealinkvpn.sh yealink1 my@email.com

Where yealink1 is the name of the phone you want to create (you should create a new certificate for each phone) and my@email.com is your e-mail address. The config file, called openvpn.tar, will then be e-mailed to you.

Next we need to load this config file to the phone. I recommend performing a factory reset on the phone before doing this.

Log in to the GUI of the phone and select Network / Advanced -

yealink config

Now scroll down to the VPN section and choose the file to import. My screenshot here shows VPN as Enabled but you will not be able to set this until you have imported a config file. Unfortunately there’s not really any feedback to say this has worked successfully!

Import the file, then set Active to Enabled, then select Confirm at the bottom of the screen -

Yealink OpenVPN

Now restart the phone and if it connects successfully you should see “VPN” in the top right hand corner of the display. If you have any problems, check /var/log/messages on the server or download the system logs from the phone.

Once connected via VPN you can setup your extension in FreePBX and also set the SIP account details on the phone. The SIP/Proxy address to use is 10.98.0.1, which is the VPS address when using the VPN.

Non SysAdminMan customers only

If you are not using the SysAdminMan VPNPBX then the script below may help with setting up your system. This is what is run above to create the OpenVPN config file for the phone -

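#!/bin/bash
# Build an OpenVPN client certificate for a Yealink phone, bundle it with a
# matching vpn.cnf in openvpn.tar and e-mail the archive.
# Both arguments are required: the client name and the address to mail to.
if [ -z "$1" ] || [ -z "$2" ]; then
echo;echo;echo;
echo "Usage : yealinkvpn.sh client_name your_email (eg - yealinkvpn.sh yealink1 me@mail.com)";
echo;
exit 1;
fi

# IP address of the VPS, read from the venet0:0 interface
ip=`/sbin/ifconfig venet0:0 | grep 'inet addr:' | cut -d: -f2 | awk '{ print $1}'`

cd /etc/openvpn || exit 1

# Load the easy-rsa variables, then create the key and certificate for this client
source ./vars
./build-key "$1"

# Write the client config; the ca/cert/key paths are the locations on the phone
echo "client
dev tun
proto udp
remote $ip 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /yealink/config/openvpn/keys/ca.crt
cert /yealink/config/openvpn/keys/$1.crt
key /yealink/config/openvpn/keys/$1.key
ns-cert-type server
verb 3" > /etc/openvpn/vpn.cnf

# Package the config with the CA certificate and the client's certificate and private key
tar cvf openvpn.tar vpn.cnf keys/ca.crt "keys/$1.crt" "keys/$1.key"

# "--" separates the attachment from the recipient address
echo "Upload the attached tar file to your phone without extracting" | /usr/bin/mutt -s "Yealink OpenVPN files for client : $1" -a /etc/openvpn/openvpn.tar -- "$2"

service openvpn restart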

OpenVPN to Asterisk using a MikroTik router

MikroTik RB750GL

For a while now SysAdminMan has been offering FreePBX/A2Billing hosting with OpenVPN server already installed on the server. What I really want to find is the perfect client/router that’s simple to configure and easy to deploy. We’ve been recommending OpenWRT for a while now but it can be a pain to flash the firmware and get OpenVPN configured.

I’ve also used MikroTik routers for a while and they are very powerful routers in a small, reasonably priced package. This test was done using a MikroTik RB750GL.

I wasn’t sure how it would work though as MikroTik routers only support OpenVPN over TCP, not UDP. This means all the VOIP traffic will be running over a TCP connection which, in theory, is not ideal.

This performance testing was done using -

  • Virgin Media Broadband with 60mb down and 3mb up. The upload limit on your broadband connection will nearly always be the limiting factor for call quantity/quality
  • Asterisk is running on a SysAdminMan VPS and is placing the incoming calls to music-on-hold
  • sipp was used at the remote site to generate test calls
  • Linksys SPA941 was used at the remote site to test call quality
  • G711/aLaw was used for all calls
  • No other traffic was happening on the broadband connection

We start off with 10 concurrent calls, then 20 and finally 40.

10 CONCURRENT CALLS

Here you see we have sipp generating 9 G711 calls with audio

sipp 9 calls

and the traffic flowing through my Virgin Media broadband connection. Over the OpenVPN TCP link each G711 call is using around 110kb/s

9 concurrent calls

and here is the audio from a call placed from the Linksys physical phone

 

20 CONCURRENT CALLS

Here you see we have sipp generating 19 G711 calls with audio

19 concurrent calls

and the traffic flowing through my Virgin Media broadband connection

19 concurrent calls

and here is the audio from a call placed from the Linksys physical phone

 

40 CONCURRENT CALLS

Here you see we have sipp generating 39 G711 calls with audio

39 concurrent calls

The upload link on my broadband connection is being overwhelmed and sipp is starting to report call errors.

My broadband link is reporting traffic throughput wildly up and down as it struggles to limit the flow of traffic being sent to it

39 concurrent calls

and the audio from the call on the physical phone is breaking up and would likely be unintelligible. This is the audio that is being downloaded over the broadband link, the uploaded audio is likely much worse

 

CONCLUSION

Even though I found the limits of my broadband link and ended up with a poor quality call the results of running VOIP over a TCP OpenVPN tunnel were actually much better than I thought they would be. Twenty concurrent calls ran with no problems, and I think this would be much higher using a different codec.

There are a few things to consider though -

  • Many routers will automatically prioritise UDP traffic. This is not going to be the case for OpenVPN traffic running over TCP. It’s likely that other traffic on the link (file downloads, web browsing …) would affect the audio calls. If you are going to be using the link for other traffic you will probably want to prioritise the OpenVPN traffic on the broadband router if possible
  • These tests were done on a fast, stable broadband link. I’m unsure what the results would be on a slower link, or a link with poor jitter or packet loss.

In another post I’ll detail the steps involved in getting OpenVPN set up on a MikroTik router.

OpenVPN with Asterisk and FreePBX

SysAdminMan offers OpenVPN server setup on all hosted systems. This means you can rent a FreePBX server with OpenVPN server already installed and configured. You can connect any OpenVPN client to this but one of the easiest ways to get this working is to install the SysAdminMan custom firmware for the TP-Link 1043 broadband router.

This custom firmware is already configured as an OpenVPN client – you just need to enter your FreePBX server IP address along with the security credentials.

Why run OpenVPN?

Running a VPN to your FreePBX server in the cloud provides 4 benefits –

  1. All traffic (telephone calls) between the phone and the FreePBX server is encrypted to prevent eavesdropping
  2. Removes any NAT happening between the extension and the Asterisk server
  3. Bypasses any VOIP blocking by your ISP
  4. Provides secure access to the FreePBX web interface

How it works?

OpenVPN server software sits on the hosted FreePBX system allowing secure connections to the server. Traffic is encrypted between the OpenVPN client and the SysAdminMan FreePBX system. A certificate is generated for each OpenVPN client that connects to the server.

You can connect either an extension that supports OpenVPN directly (this could be a computer running OpenVPN with a softphone installed, or one of the Yealink VOIP handsets that support OpenVPN directly) or, more commonly, connect an entire site via OpenVPN using a router with OpenVPN support.

It is possible to connect multiple sites to the same SysAdminMan system as long as each site uses a different LAN IP range.

What router can you use?

You should be able to use any router that supports OpenVPN. I’ve tested with pfSense, MikroTik (this is not the best choice as it only supports TCP connections, not UDP) and the OpenVPN Windows client. Maybe the simplest way, though, is to use the SysAdminMan custom firmware with the TP-Link 1043.

Using the TP-Link 1043 SysAdminMan firmware

There are 2 different ways you could use the TP-Link 1043 with the SysAdminMan firmware installed. The easiest way is to replace the existing broadband router and have all the routing via the TP-Link. That would look something like this –

SysAdminMan OpenVPN Asterisk FreePBX

That’s not always possible though. You may not want (or be able to) replace the existing router, certainly not while testing. What you can do is plug the TP-Link 1043 in to the existing router, so that it has an internet connection and then plug the phones in to the TP-Link 1043. The phone will then connect to the FreePBX/Asterisk system over OpenVPN, with the rest of the network unaffected –

OpenVPN Asterisk/FreePBX

 

How do you get this setup?

You can sign up for a hosted FreePBX server with OpenVPN installed at SysAdminMan FreePBX Hosting

Instructions for setting up your TP-Link 1043 with OpenVPN can be found here – https://sysadminman.net/blog/2012/vpnpbx-getting-started-3890

For more information about using a SysAdminMan system with OpenVPN please get in touch


FreePBX with OpenVPN and End Point Manager

I’ve written quite a bit about using OpenVPN with a hosted FreePBX system but it can be difficult to provide an overview, so I thought I’d do a quick video to show what’s possible.

There are some great benefits to using OpenVPN to connect to a hosted FreePBX server, including –

  • bypasses any NAT issues with routers
  • bypasses any issues caused by SIP ALGs in routers
  • audio is encrypted over the internet
  • port 5060 (SIP) can be closed on the FreePBX system
  • gets round issue of allowing dynamic IPs in the FreePBX firewall

Check out the video for an overview of how things can be set up …

For more information about using OpenVPN with FreePBX please see here – https://sysadminman.net/blog/2015/openvpn-with-asterisk-and-freepbx-6758

SysAdminMan custom router firmware can be downloaded here – https://sysadminman.net/blog/firmware
