I’ve had a few customers recently using the SysAdminMan VPN:PBX template with an existing on-site pfSense gateway. The VPN:PBX template has Asterisk, FreePBX and A2Billing installed, along with OpenVPN set up to allow secure connections to the VPS.
pfSense can be used as an OpenVPN client/gateway so this makes a great combination for a secure off-site PBX.
Here are some setup instructions for configuring pfSense with the SysAdminMan VPN:PBX template.
1 – Obtaining the OpenVPN client certificates
When your SysAdminMan server is created 3 files will be generated that are required to configure pfSense as an OpenVPN client. These files can be e-mailed to you or retrieved from the VPS using a program like WinSCP. The 3 files are –
These 3 files identify an individual OpenVPN client. If you are just connecting a single gateway this is all you will need. If you’d like instructions for creating more certificates please open a support ticket.
2 – Installing the Certificates on pfSense
Next we need to install the 3 certificates above in pfSense. The 3 files (ca.crt, tplink.key and tplink.crt) are text files which we can open with notepad, or something similar, and copy and paste the contents in to the correct place in pfSense.
First select “System/Cert Manager” from the pfSense menu. Then we click to add a CA –
Recently I had a VPS customer that was looking to get a GoIP GSM Gateway working with his Asterisk VPS. These little SIP/GSM gateways can be used to connect Asterisk to the GSM/mobile network. The single-SIM models can be had for around £100 from eBay.
They are not the easiest boxes in the world to set up, with the web GUI being rather confusing. Eventually though the GoIP was configured correctly, but calls were still intermittent, with connection to the Asterisk server being lost.
As the GoIP box was being hosted behind a residential ADSL router the issues were typical of NAT/Firewall problems. They were probably being caused by a mixture of NAT and a SIP ALG (application layer gateway) in the ADSL router.
The solution was to use the new SysAdminMan VPN:PBX template which uses OpenVPN to create a secure VPN tunnel to the Asterisk server. The customer purchased a TP-Link 1043 router, flashed the SysAdminMan firmware, and the GoIP was connected to the VPS over the VPN. This meant that private IP address ranges were used, with no NAT happening at all. This is a great example of how using VPN:PBX to provide a VPN connection to your Asterisk server is easy to deploy and works around any NAT/Firewall issues.
Here is a diagram showing the customer’s setup –
See here for more information – http://sysadminman.net/sysadminman-vpnpbx-hosting.html
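A diagnostic for the NAT/SIP ALG symptoms described in the GoIP post above, as an added example that is not part of the original post: it compares the addresses a SIP device advertises in its Via and Contact headers with the source address the server actually saw. The sample REGISTER, the function names and the assumption that the device advertises IPv4 literals are assumptions of this example, and the partial-rewrite test for an ALG is a heuristic.

```python
import ipaddress

# Constructed sample: a REGISTER as the PBX might receive it from a gateway
# behind a home router. Names and addresses are made up for illustration.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK74bf9;rport\r\n"
    "From: <sip:goip1@pbx.example.net>;tag=8a1c\r\n"
    "To: <sip:goip1@pbx.example.net>\r\n"
    "Call-ID: 3c26700857a8@192.168.1.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:goip1@192.168.1.50:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)

def header(msg, name):
    """Value of the first header called `name` (case-insensitive)."""
    for line in msg.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header section
        key, _, value = line.partition(":")
        if key.strip().lower() == name.lower():
            return value.strip()
    raise ValueError(f"missing {name} header")

def via_host(via):
    """Host part of the Via sent-by, e.g. 'SIP/2.0/UDP host:port;params'."""
    return via.split()[1].split(";")[0].split(":")[0]

def contact_host(contact):
    """Host part of a Contact URI, with or without <> and a user part."""
    uri = contact.split("<")[-1].split(">")[0].split(";")[0]
    return uri.split(":", 1)[1].rsplit("@", 1)[-1].split(":")[0]

def diagnose(msg, source_ip):
    """Compare the addresses the device advertises with the packet's source."""
    src = str(ipaddress.ip_address(source_ip))
    claimed = {"Via": via_host(header(msg, "Via")),
               "Contact": contact_host(header(msg, "Contact"))}
    stale = sorted(h for h, host in claimed.items() if host != src)
    if not stale:
        verdict = "direct"         # no translation, as over the VPN tunnel
    elif len(stale) < len(claimed):
        verdict = "alg-suspected"  # heuristic: only some headers were rewritten
    else:
        verdict = "nat"            # every advertised address differs from the source
    return verdict, stale
```

Feed it a REGISTER captured on the server together with the source IP from the same capture; a "direct" verdict is what a device reaching the PBX over the tunnel should produce.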
VPN:PBX is the SysAdminMan virtual PBX template that includes Asterisk, FreePBX, A2Billing and OpenVPN. More information can be found here – http://sysadminman.net/sysadminman-vpnpbx-hosting.html
It is designed to work with the TP-Link TL-WR1043ND broadband router. A custom OpenWRT firmware is provided to simplify the connection of your network to your SysAdminMan VPS, securely and without the hassle of NAT.
STEP 1 – DOWNLOAD THE CUSTOM FIRMWARE
Download the custom firmware for your router from here – https://sysadminman.net/blog/firmware
STEP 2 – PLUG IN THE TP-LINK WR1043ND
- Plug a PC/Laptop in to the yellow port 1
- Plug the blue WAN port in to a spare port on your existing internet router
Dan Goodin has written an interesting article for theregister.co.uk about the benefits of using a personal VPN for your wireless internet traffic.
There are some downsides to running a VPN server at home. One of these is that all of your data must travel via your home PC/server and most people’s broadband connections will limit the speed that this will work at. The maximum speed of your VPN connection will be limited by the upload speed of your home broadband – which is normally quite slow. Also, dynamic IP addresses, port forwarding and NAT on your broadband router and having to leave your home PC powered on all the time could be a pain.
Another alternative could be to run OpenVPN on your own server (or VPS) at a data center or, a cheaper alternative, to buy access to an OpenVPN server that has already been set up and configured.
I’ve been playing with OpenVPN for the past couple of weeks and I’m pretty impressed. OpenVPN allows you to create a private network between 2 computers. These could be 2 servers or a client and a server. A few of the reasons for wanting to do this are –
- bypassing your ISP’s traffic shaping
- making your traffic appear to originate from a different country
- encrypting your laptop traffic over an insecure link – such as a coffee shop wifi connection
- anonymous web surfing
- bypassing a country’s web access controls
Setup and configuration of the server component can be fairly complicated depending on how you want to manage the certificates and networking on there. It’s possible to install it on Linux or Windows although I’ve only tested it on Linux. Running the server on Linux you also need to configure iptables to translate your private ‘VPN’ IP address to an external IP address on the VPN server.