FreePBX External/Remote Extensions

gjacobse

We are using a Hosted PBX, my phone is registered to that from home. It's is not using OpenVPN. NTG does hosted and On Premise PBX systems.

Tagging: @art_of_shred @Mike-Ralston

(edited OP to include tags)

Alex Sage

@RamblingBiped said:

With option #1 security is my primary concern. Have any of you worked with remote extensions in this way? If I am forced to go this route I eventually plan on restricting registration to the remote public IP address that the phone will be registering from, but I will not be able to do that until we know the public IP of the location that my employee will be working from.

Mine too. Do you know the the IP address will be fixed? You will still be sending information over over the internet in the clear.

scottalanmiller

@aaronstuder said in FreePBX External/Remote Extensions:

@RamblingBiped said:

Also, are there any gotchas involved with this type of registration happening from outside of North America? My employee is going to be spending several months in the UK.

None that I can think of.

We do this all the time (literally ALL the time) and no issues. I've been a European extension for eight years (not full time) and there is no issue. There can't be as IP is IP, there is no locality to the Internet.

scottalanmiller

Option #2 is definitely the most ideal. Option #1 will work and you can manage the security implications in a reasonable way. But #2 is way better.

Alex Sage

Will this be many users in different places, or many users in different places?

scottalanmiller

Another style of option is ZeroTier on the PBX and then use a softphone to connect to it.

RamblingBiped

@aaronstuder said in FreePBX External/Remote Extensions:

Will this be many users in different places, or many users in different places?

Single user in one place.

Alex Sage

@scottalanmiller said in FreePBX External/Remote Extensions:

Option #1 will work and you can manage the security implications in a reasonable way.

How does NTG handle that?

scottalanmiller

@aaronstuder said in FreePBX External/Remote Extensions:

Will this be many users in different places, or many users in different places?

I'm guessing many users in different places.

Alex Sage

@RamblingBiped How long will they be there? Have you considered just sending them a hardware device?

RamblingBiped

@scottalanmiller said in FreePBX External/Remote Extensions:

Another style of option is ZeroTier on the PBX and then use a softphone to connect to it.

Unfortunately softphone is not an option, the employee is the CEO and he wants an actual phone on his desk.

scottalanmiller

@aaronstuder said in FreePBX External/Remote Extensions:

@scottalanmiller said in FreePBX External/Remote Extensions:

Option #1 will work and you can manage the security implications in a reasonable way.

How does NTG handle that?

Firewall limits on one side and extension capabilities on the other. If you limit the usefulness of hacking an extension you can, for some companies, bring the risk to effectively zero. Only works reliably if you can do the latter.

Alex Sage

@scottalanmiller So @gjacobse has a fixed IP?

RamblingBiped

@scottalanmiller said in FreePBX External/Remote Extensions:

@aaronstuder said in FreePBX External/Remote Extensions:

@scottalanmiller said in FreePBX External/Remote Extensions:

Option #1 will work and you can manage the security implications in a reasonable way.

How does NTG handle that?

Firewall limits on one side and extension capabilities on the other. If you limit the usefulness of hacking an extension you can, for some companies, bring the risk to effectively zero. Only works reliably if you can do the latter.

So for option #1 I'm looking at using a non-standard port number for SIP registration, credentials, and (eventually) limiting the registration to a single public IP address. With all of that in place, that should reasonably be secure correct?

Alex Sage

@RamblingBiped said:

So for option #1 I'm looking at using a non-standard port number for SIP registration, credentials, and (eventually) limiting the registration to a single public IP address. With all of that in place, that should reasonably be secure correct?

Yes, but will you have a fixed IP?

RamblingBiped

@aaronstuder said in FreePBX External/Remote Extensions:

@RamblingBiped said:

So for option #1 I'm looking at using a non-standard port number for SIP registration, credentials, and (eventually) limiting the registration to a single public IP address. With all of that in place, that should reasonably be secure correct?

Yes, but will you have a fixed IP?

Yes, the last time he did this trip that was the case.

Alex Sage

I still like option 2 the best

Doesn't seem too bad to do.

HOW TO GET YEALINK PHONES CONNECTING OVER VPN
http://www.jsimmons.co.uk/2012/12/05/how-to-get-yealink-phones-connecting-over-vpn/

OpenVPN road warrior installer for Debian, Ubuntu and CentOS
https://github.com/Nyr/openvpn-install

If you don't want to use linux you can use windows (Hint: Use Linux )

scottalanmiller

@aaronstuder said in FreePBX External/Remote Extensions:

@scottalanmiller So @gjacobse has a fixed IP?

No

scottalanmiller

@RamblingBiped said in FreePBX External/Remote Extensions:

@scottalanmiller said in FreePBX External/Remote Extensions:

@aaronstuder said in FreePBX External/Remote Extensions:

@scottalanmiller said in FreePBX External/Remote Extensions:

Option #1 will work and you can manage the security implications in a reasonable way.

How does NTG handle that?

Firewall limits on one side and extension capabilities on the other. If you limit the usefulness of hacking an extension you can, for some companies, bring the risk to effectively zero. Only works reliably if you can do the latter.

So for option #1 I'm looking at using a non-standard port number for SIP registration, credentials, and (eventually) limiting the registration to a single public IP address. With all of that in place, that should reasonably be secure correct?

Never use non-standard ports. There is zero security there, but it does cause other problems for you. Security through obscurity doesn't slow down at attacker in any way, but it does flag you as someone who misunderstands security but has something worth protecting (a low hanging fruit target.) If you are going to expose things, expose them. Don't consider obscurity.

Limiting to a single IP address is normally plenty of security for normal use cases. Traffic is still unencrypted, but so is normal phone traffic and people don't complain there.

scottalanmiller

@RamblingBiped said in FreePBX External/Remote Extensions:

@aaronstuder said in FreePBX External/Remote Extensions:

@RamblingBiped said:

So for option #1 I'm looking at using a non-standard port number for SIP registration, credentials, and (eventually) limiting the registration to a single public IP address. With all of that in place, that should reasonably be secure correct?

Yes, but will you have a fixed IP?

Yes, the last time he did this trip that was the case.

Yup, that will work just fine.