ramoncio said:
For remote extensions you should use OpenVPN.
You can do it either manually or you can use the webmin module to configure it, if you don't like the console.
Well, I'm not the OP, but here is the problem with that. It's a great idea in theory, but name me ONE VoIP adapter or IP phone that supports it. Go ahead, I'll wait while you try to find one...
For that matter, show me even one commercial VoIP provider (of the consumer variety, that sends VoIP adapters to their customers) that even offers the OPTION to use a VPN. None of them do (nor, as far as I know, do any of them support encryption, although that's another matter only somewhat related to this discussion).
Now, if ALL of your remote users are at a single location where you control the networking AND you can figure out how to set up a VPN (I know, it's easy for people who cut their teeth on Linux, but I suspect most Elastix users are not Linux geeks, and I've yet to see a really simple how-to on the subject that doesn't make unwarranted assumptions about prior knowledge) AND none of your users will ever have a need to roam with their adapter/phone AND you are a bit on the paranoid side, you can set up a VPN. Of course you could probably get nearly the same level of security using fail2ban and/or the deny/permit fields in the Extension setup (deny/permit assuming the extension is always at the same fixed IP address). Alternatively, if ALL your external users are using softphones on laptops (or desktop computers), then I suppose it's feasible to use a VPN (again, assuming you can figure out how to set it up), though as a practical matter I think really strong passwords plus fail2ban would offer nearly the same level of security (though a VPN would also offer encryption).
The sad part is that use of a VPN is something that could be added to the firmware or software of VoIP adapters/devices/phones, but I know why it never will be. The reason is there are several different "flavors" of VPN and none are compatible with each other. Cisco (which owns Linksys) would probably try to implement a solution that uses Cisco firewalls, which I've been told you pretty much have to take a college-level class to understand. But most users, especially the type who are likely to use Elastix or a similar distribution, would not be likely to run out and buy Cisco firewall equipment nor take a class to learn how to set it up. We'd want to use OpenVPN (if someone could explain how to set it up!). They probably realize that, so they are not going to implement it. Maybe you could talk a smaller company like Grandstream into building OpenVPN capability into their adapters, but I'm not holding my breath.
I saw an idea in a blog post a few weeks ago for an external device that would handle VPN duties for a VoIP adapter (actually it was for a pair of devices, but I would think you could make a device that uses OpenVPN on the far end). The blog post says, "Maybe a better idea would be to combine the units with a switch - you'd connect the switch to your router and, on the client side, you'd have four new tunneled ports (that connect to the distant network) and four new untunneled ports (that connect to the local network) - or something like that." I guess there are ways to do this now, but as the post points out, none are really simple to set up and use.
But the main point is that until someone proves otherwise, I don't think any of this is really necessary. Strong passwords and fail2ban should stop virtually all the bad guys from getting in. Granted it's not foolproof - after all, if they break into your Asterisk box they can see your sip/iax passwords in plain text! - but the risks would be so small that (assuming you have your Asterisk box properly secured) only the truly paranoid (or those paid big $$$ to worry about security) would lose any sleep over them. I might be proven wrong about that someday, but I certainly hope not.
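The deny/permit plus strong-password setup the post describes, written out as an added example that is not from the post or from the Elastix project. It assumes Asterisk's chan_sip (sip.conf) syntax, which is what Elastix/FreePBX generates from the Deny/Permit fields on the Extension page; the address 203.0.113.45 and the secret are constructed placeholders.

```ini
; Added example: one remote extension locked down to a single fixed address.
; In Elastix the deny/permit lines below correspond to the Deny and Permit
; fields on the Extension page; everything else is the usual peer definition.

[general]
; answer bad usernames and bad passwords identically, so a scanner cannot
; tell which extension numbers exist (real chan_sip option)
alwaysauthreject=yes

[201]
type=friend
host=dynamic
; constructed placeholder: use a long random secret, never the extension number
secret=CHANGE-ME-long-random-secret
context=from-internal
nat=yes
qualify=yes
; default-deny all sources, then allow only the remote user's fixed IP
; (address/netmask form; order matters: deny first, then permit)
deny=0.0.0.0/0.0.0.0
permit=203.0.113.45/255.255.255.255
```

If the remote user's address changes (DHCP from the ISP, or roaming with the adapter), the permit line stops matching and the phone will fail to register, which is exactly the "fixed IP" caveat the post makes; fail2ban on the Asterisk log then covers the brute-force case that deny/permit does not address for extensions that must stay open.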