Remote extension questions

Discussion in 'General' started by ptyalor, Feb 7, 2009.

  1. ptyalor

    Joined:
    Feb 7, 2009
    Messages:
    1
    Likes Received:
    0
    I think this is the right area to ask: (if not please move mod)

    Currently running Trixbox in a small office environment for several reasons (most of them well articulated here) and looking to move to Elastix. Here is our situation. Most staff spend little time at home base and spend most of their time on the road. So the notion of remote extensions is very attractive. Here are my questions:

    1. What security concerns are there regarding the remote extensions?

    2. I assume that it does not matter what OS the laptop (in our case) is using, when using the remote extension (either for receiving or sending calls). Is that correct?

    3. Anything I should be aware of when setting up the remote extensions that may trip me up?

    Thanks for all your ideas and I am sure this is not the last of my questions

    Thanks

    PTaylor
     
  2. Chilling_Silence

    Joined:
    Sep 23, 2008
    Messages:
    488
    Likes Received:
    0
    Hi ptyalor,

    Welcome to the Elastix forums.

    You'll likely run into the same issues regardless of which distro you use. That said, here's my 2c worth on your questions:
    1) Make sure they have long passwords for the Ext's, having an Ext of 700 and a password of 700 is not a good idea
    2) OS doesn't matter, can be Windows, Linux, Mac :)
    3) Port-forwarding is crucial, and make sure you either have a static IP Address, or you have something like a no-ip.com address. This will need setting in sip_nat.conf (Search the forums for further info)

    Cheers, and good luck


    Chill.
     
  3. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    Your users can run up your phone bill. :) But also, hackers (the bad kind) can run up your phone bill, by impersonating one of your extensions. Using very strong passwords (many characters, random mix of letters and numbers, NO dictionary words or names, etc.) can help but if someone breaks into the computer of one of your users and somehow manages to see their password, you could still be compromised. Note that your users do NOT have to type the password ("secret" in Asterisk-speak) in each time, it's stored in the client or adapter or phone, so there is no reason not to use a REALLY strong password.

    Nope, it shouldn't. Even if you are using softphones there are cross-platform ones (e.g. Zoiper lite, you probably don't need the paid version to start with).

    Just be extra aware of security. You really don't want one of the bad guys impersonating one of your users and making a few thousand calls before you figure out what they are doing. I don't mean to scare you, but this has happened to an unlucky few. One other thing you can do is install Fail2ban (see Fail2Ban (with iptables) And Asterisk). This only allows a few attempts to guess a password before the IP address is locked out for several hours or days. That coupled with strong, unguessable passwords SHOULD make it nearly impossible for the bad guys to break in, but as I say, if one of your remote users gets rooted or something then all bets are off (of course, if their passwords are stored encrypted and display only as asterisks or dots when typed in then you still might be okay).

    Also, if your remote extensions are behind a NAT router (or might be) then you need to set nat to yes in the extension configuration. You may also have issues with one-way audio but we can help you with that if it comes to that (or see HOWTO: Resolving Audio Problems). A lot of that can be avoided if your extensions use the IAX protocol rather than SIP (the aforementioned Zoiper software permits that, but precious little else does).

    You've got questions, we've got dumb looks! :) (Just kidding)
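As an added example (not code from anyone in this thread), here is a small audit that applies the advice above to a constructed sip.conf-style fragment of the kind Elastix writes for peers: the secret must not equal the extension number, must be long and a mix of letters and digits, and roaming peers should have nat=yes. The 12-character floor is this example's assumption; the thread only says "long".

```python
import re

# Constructed sip.conf-style fragment in the [extension] / key=value form
# Elastix/FreePBX write for peers (sample data, not from any real system).
SAMPLE_SIP_CONF = """\
[700]
type=friend
secret=700
host=dynamic
nat=no

[701]
type=friend
secret=letmein
host=dynamic
nat=yes

[702]
type=friend
secret=x7Qp2vL9mZ4rT8wK
host=dynamic
nat=yes
qualify=yes
"""

# Assumption: the thread only says "long"; 12 is this example's floor, adjust to taste.
MIN_SECRET_LEN = 12

def parse_peers(text):
    """Return {section_name: {key: value}} for a sip.conf-style fragment."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            peers[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            peers[current][key.strip().lower()] = value.strip()
    return peers

def audit_peer(name, opts):
    """Findings for one peer, following the advice given in the thread."""
    findings = []
    secret = opts.get("secret", "")
    if not secret:
        findings.append("no secret set")
    else:
        if secret == name:
            findings.append("secret equals the extension number")
        if len(secret) < MIN_SECRET_LEN:
            findings.append("secret shorter than %d characters" % MIN_SECRET_LEN)
        if secret.isdigit() or secret.isalpha():
            findings.append("secret is not a mix of letters and digits")
    # a roaming peer (host=dynamic) sitting behind a NAT router needs nat=yes
    if opts.get("host") == "dynamic" and opts.get("nat", "no").lower() != "yes":
        findings.append("nat=yes not set; expect registration or one-way audio trouble behind NAT")
    return findings

def audit(text):
    """Map every peer in the fragment to its list of findings (empty list = clean)."""
    return {name: audit_peer(name, opts) for name, opts in parse_peers(text).items()}
```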
     
  4. donhwyo

    Joined:
    Aug 8, 2008
    Messages:
    293
    Likes Received:
    0
    A vpn can help your remote users get around some of the nat issues. Basically they are inside your network. And the hackers aren't hopefully.

    Don
     
  5. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    For remote extensions you should use OpenVPN.
    You can do it either manually or you can use the webmin module to configure it, if you don't like the console.
     
  6. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    Well, I'm not the OP, but here is the problem with that. It's a great idea in theory, but name me ONE VoIP adapter or IP phone that supports it. Go ahead, I'll wait while you try to find one...

    For that matter, show me even one commercial VoIP provider (of the consumer variety, that sends VoIP adapters to their customers) that even offers the OPTION to use a VPN. None of them do (nor, as far as I know, do any of them support encryption, although that's another matter only somewhat related to this discussion).

    Now, if ALL of your remote users are all at a single location where you control the networking AND you can figure out how to set up a VPN (I know, it's easy for people who cut their teeth on Linux, but I suspect most Elastix users are not Linux geeks, and I've yet to see a really simple how-to on the subject that doesn't make unwarranted assumptions about prior knowledge) AND none of your users will ever have a need to roam with their adapter/phone AND you are a bit on the paranoid side, you can set up a VPN. Of course you could probably get nearly the same level of security using fail2ban and/or the deny/permit fields in the Extension setup (deny/permit assuming the extension is always at the same fixed IP address). Alternately, if ALL your external users are using softphones on laptops (or desktop computers), then I suppose it's feasible to use a VPN (again, assuming you can figure out how to set it up), though as a practical matter I think really strong passwords plus fail2ban would offer nearly the same level of security (though a VPN would also offer encryption).

    The sad part is that use of a VPN is something that could be added to the firmware or software of VoIP adapters/devices/phones, but I know why it never will be. The reason is there are several different "flavors" of VPN and none are compatible with each other. Cisco (which owns Linksys) would probably try to implement a solution that uses Cisco firewalls, which I've been told you pretty much have to take a college-level class to understand. But most users, especially the type who are likely to use Elastix or a similar distribution, would not be likely to run out and buy Cisco firewall equipment nor take a class to learn how to set it up. We'd want to use OpenVPN (if someone could explain how to set it up!). They probably realize that so they are not going to implement it. Maybe you could talk a smaller company like Grandstream into building OpenVPN capability into their adapters, but I'm not holding my breath.

    I saw an idea in a blog post a few weeks ago for an external device that would handle VPN duties for a VoIP adapter (actually it was for a pair of devices, but I would think you could make a device that uses OpenVPN on the far end). The blog post says, "Maybe a better idea would be to combine the units with a switch - you'd connect the switch to your router and, on the client side, you'd have four new tunneled ports (that connect to the distant network) and four new untunneled ports (that connect to the local network) - or something like that." I guess there are ways to do this now, but as the post points out, none are really simple to set up and use.

    But the main point is that until someone proves otherwise, I don't think any of this is really necessary. Strong passwords and fail2ban should stop virtually all the bad guys from getting in. Granted it's not foolproof - after all, if they break into your Asterisk box they can see your sip/iax passwords in plain text! - but the risks would be so small that (assuming you have your Asterisk box properly secured) only the truly paranoid (or those paid big $$$ to worry about security) would lose any sleep over them. I might be proven wrong about that someday, but I certainly hope not.
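To show what the fail2ban lockout recommended here and in the earlier reply actually does with Asterisk's log, here is an added example (not code from anyone in this thread) that runs the same maxretry/findtime rule over constructed chan_sip "Registration from ... failed" lines and emits the iptables rule fail2ban would insert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the chan_sip NOTICE format (not a real capture):
# one address hammering five extensions in a few seconds, one user mistyping a password twice.
SAMPLE_LOG = """\
[2009-02-07 10:15:01] NOTICE[2231] chan_sip.c: Registration from '"700" <sip:700@pbx.example.com>' failed for '203.0.113.5' - Wrong password
[2009-02-07 10:15:02] NOTICE[2231] chan_sip.c: Registration from '"701" <sip:701@pbx.example.com>' failed for '203.0.113.5' - No matching peer found
[2009-02-07 10:15:03] NOTICE[2231] chan_sip.c: Registration from '"702" <sip:702@pbx.example.com>' failed for '203.0.113.5' - Wrong password
[2009-02-07 10:15:04] NOTICE[2231] chan_sip.c: Registration from '"703" <sip:703@pbx.example.com>' failed for '203.0.113.5' - Wrong password
[2009-02-07 10:15:05] NOTICE[2231] chan_sip.c: Registration from '"704" <sip:704@pbx.example.com>' failed for '203.0.113.5' - Wrong password
[2009-02-07 10:20:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@pbx.example.com>' failed for '198.51.100.7' - Wrong password
[2009-02-07 11:30:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@pbx.example.com>' failed for '198.51.100.7' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)

def parse_failures(text):
    """Yield (timestamp, source_ip, reason) for every failed-registration line."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("ip"), m.group("reason")

def find_offenders(text, maxretry=5, findtime=timedelta(minutes=10)):
    """Apply the fail2ban rule: an IP with maxretry failures inside a sliding
    findtime window gets banned. Returns {ip: time_of_ban}."""
    recent = defaultdict(list)
    banned = {}
    for ts, ip, _reason in parse_failures(text):
        if ip in banned:
            continue  # already locked out; later lines from it change nothing
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry:
            banned[ip] = ts
    return banned

def block_rule(ip):
    """The iptables rule fail2ban's iptables action inserts for a banned address."""
    return "iptables -I INPUT -s %s -j DROP" % ip

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print("%s banned at %s -> %s" % (ip, when, block_rule(ip)))
```

Two wrong passwords seventy minutes apart from the legitimate user never reach the threshold, while the scanning address is cut off at its fifth attempt.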
     
  7. donhwyo

    Joined:
    Aug 8, 2008
    Messages:
    293
    Likes Received:
    0
    I use Untangle.com free version at my office and home. It has an openvpn vpn module. My home office phone works well through the vpn. It was a pain to get the office end working as far as voip in general but the vpn just worked from day one. The connection to the office is marginal at best but the voice quality is as good as if you are at the office. You can't tell if I am there or at home unless the dog barks. I will be putting both ends on the same isp after they upgrade the cable in town. The business plan on cable sucks for 1/5 the speed of adsl at the same price. Last time I checked adsl at the house was very slow so, I can't win. The price you have to pay for living in rural America. Tracert from office to home 6 miles away goes through Dallas and Chicago. Go figure but it is around 200ms. Usable and better than going to the office:cheer:

    I also use a softphone on my laptop with the vpn client running outside my networks. I think you could probably connect a dd-wrt hacked Linksys for a real phone if needed. If I have the need down the road I may try that.

    The linux skill levels required are not null. You do need to at least understand concepts. There is no idiot proof computer or software out there. If they ever do claim that somebody will build a better idiot.

    And yes you will find me complaining all over their boards too. But at least they don't have smileys:woohoo:

    Don
     
  8. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
  9. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    And OpenVPN with certificates is quite easy to configure using the webmin OpenVPN module, as I told you.
     
  10. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    Here is my script to install OpenVPN in Elastix:

    Code:
    cd /usr/src/
    # import the RPMforge signing key, then install the repo package for CentOS 5 (el5, i386)
    rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
    wget http://packages.sw.be/rpmforge-release/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
    rpm -ivh rpmforge-release-0.3.6-1.el5.rf.i386.rpm
    yum check-update
    yum install -y openvpn
    # keep the RPMforge repo installed but switch it to enabled=0 once openvpn is in
    mv /etc/yum.repos.d/rpmforge.repo /etc/yum.repos.d/rpmforge.repo.backup
    sed "s/enabled=1/enabled=0/g" /etc/yum.repos.d/rpmforge.repo.backup > /etc/yum.repos.d/rpmforge.repo
    # start OpenVPN now and on every boot
    chkconfig openvpn on
    /etc/init.d/openvpn start
    
     
  11. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
  12. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    The Untangle.com software looks interesting although it's probably overkill for many users, especially if all you really want is OpenVPN. Of course, if you are already planning on dedicating a computer for use as a firewall (as opposed to just using a hardware router/firewall) then perhaps the untangle.com software would make it easier to set up the firewall, OpenVPN and a bunch of other stuff - it's definitely an interesting package.

    Where this always breaks down is on the client side. If you are using a softphone that's one thing, in that case you have to have a computer running anyway. But if you are using an IP phone or VoIP adapter, you probably don't want to set up a power-hungry computer just to run a VPN client. What's really needed is a small, low-powered "green" computer on the client side, but with multiple (at least two) NICs - which is a problem since many of the lowest-power computers don't have any card slots. But if such a thing existed, you could run the OpenVPN client software there, and funnel some or all of your IP traffic through that.

    The very LAST thing I'd ever consider doing is running a Windows-based computer just to run the VPN client. Not only does Windows tend to require more power-hungry computers, but if Windows crashes (or during the inevitable reboots) you lose all your connectivity.

    Still, for some users in certain specific situations, the Untangle stuff might be worth a look.

    Actually, it occurs to me that if you are going to have a Windows computer online 24/7 and use two NIC cards, OR if you are using a softphone client on a Windows box, you could probably set up an SSH tunnel back to the Asterisk server (using SSH for port forwarding). I'm not familiar enough with that to give instructions for doing it but if someone (that's a bit smarter than I) were to Google "SSH port forwarding" or something similar, I'll bet they could figure it out. That would probably work especially well for IAX protocol (e.g. using the Zoiper softphone) because IAX only uses a single port, whereas SIP uses a range of ports.
     
  13. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    Untangle is ok. But if you already have an Elastix server, you don't need any other computer to run OpenVPN, you can do it in the same server. And you have OpenVPN clients for Windows, Linux and Mac OS X, maybe others I don't know.
     
  14. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    The original poster didn't say whether he planned to use softphones or hardware phones. I personally hate softphones so I tend to assume a VoIP adapter or IP phone will be connected, though I know that's a totally invalid assumption for some people.

    I was not aware that the Snom phones have that capability, that's good to know. I wish that there were VoIP adapters (something on the order of a Linksys PAP2-NA or SPA2102) that had that capability also (for the time being, adapters plus real phones seem to be a lot less expensive than most IP phones, plus you can have multiple analog phones connected to the same VoIP line port, which is good in certain situations).

    Thank you for posting your script and the information on the Webmin module, I'm sure that will be useful to those who feel they need this level of security.

    By the way, I'll just throw this out - suppose you were put in a position where you HAD to install a VoIP adapter at a remote location (say someone will only part with their 1960's era Western Electric Touch Tone phone when they pry it from his/her cold, dead fingers). And suppose it was at somebody's home and they REALLY objected to having a(nother) "computer" running 24/7 just to act as a VPN client (note, it's not a "computer" if it doesn't LOOK like a desktop or notebook computer ;) - really the main issue is it shouldn't have the power usage of a typical desktop or notebook). Would you still attempt to set up a VPN, or would you just rely on a really good password and maybe something like fail2ban? If the VPN, how would you do it? I'll assume OpenVPN on the server side (and you've already described how to do that), what I'm asking is how you'd handle the client side - what would you put between the VoIP adapter and the hardware router to provide VPN (assume the router is a standard NON-wireless home/SOHO grade Linksys/Netgear/D-Link etc. hardware router such as you can buy at Best Buy, Staples, OfficeMax, etc.)?
     
  15. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    You can setup a WRT54g with dd-wrt as openvpn client, and you don't need an extra computer.
    OpenVPN is a lot easier than people think. The webmin module is very easy to work with for those who fear the console. Try it and you'll see it is quite easy.
    The advantage of OpenVPN is that the rtp is encrypted, and nobody can hear your conversations.
    It is not very difficult to do a man in the middle attack and capture all your rtp traffic. Wireshark can do it and Cain & Abel in Windows too.
     
  16. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    The really good password prevents crackers from registering extensions and making calls using your pbx. But the rtp is unencrypted. This is a very BAD security issue. Until we have TCP and TLS support in asterisk and srtp (this will be about asterisk 1.6.3 or something like that) I would not think about remote extensions without vpn.
     
  17. Chilling_Silence

    Joined:
    Sep 23, 2008
    Messages:
    488
    Likes Received:
    0
    However in reality the chances of the stuff being captured are so small, yet nobody has any issues with phreaking, do they?

    Anyways, we setup DD-WRT on an Asus WL-520GU using the -vpn firmware build, then chucked that at the client premises along with a Linksys SPA2102. It was so dead simple to follow the OpenVPN website's HowTo! :)
     
  18. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    I would have bet money you were going to say that. That is always the solution that people throw out. It's also the totally wrong solution if you don't want to replace your existing router or (especially) if you don't want a wireless device on your network (I can never understand why people who are so security conscious are nonetheless willing to allow wireless devices on their network even when wireless capability isn't strictly needed. To me, having a wireless device when you don't need one is a far larger security risk than not using VPN between an extension and a server, although I suppose that all depends on how you look at it).

    Seriously, I wish the WRT54g did not exist sometimes because then someone might come up with a better solution to this problem (if it is a problem at all).

    Here are the reasons I don't like the WRT54g "solution":

    1) As stated above, it's a wireless device, hence a security risk (assuming you don't need wireless capability).

    2) You have to buy a new piece of equipment. Not entirely objectionable, EXCEPT...

    3) You then have to immediately void the warranty by installing non-factory firmware!

    4) And, there is a certain "geek factor" inherent in this solution. You're not just running a router with OpenVPN, you're running a de facto Linux box but without benefit of the type of support we are accustomed to with Elastix. If you don't know what you are doing you can "brick" the router!

    5) And finally, to the best of my knowledge there are no really good instructions that take you from start to finish on how to set this up (again, probably because they assume that if you are doing this you are a Linux geek and can figure it out for yourself).

    Balance that against the things that this solution has going for it:

    1) It doesn't use as much power as a regular computer.

    2) It can replace your existing router, if you want it to.

    3) If you manage to figure out how to set it up, you are entitled to wear a pocket protector and a propeller-head beanie!

    Okay, just kidding about that last point... sort of... :)
     
  19. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    And yet NO commercial (residential/small business) VoIP providers support VPN (or any other form of encryption), at least to the best of my knowledge. Chances are, once your traffic leaves your Asterisk server, it's wide open anyway, unless you are dealing with an exceptional provider. I'm not saying this isn't an issue, just that using a VPN on an extension to server connection might be like sticking your finger in the dike when there's already a major breach upstream!
     
  20. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
    *Sigh* Another wireless router! Aaarrrrrrgggghhh! :)
     