Alternatives to OpenVPN for FreePBX on cell phone...
-
@Dashrender : FreePBX uses a really stupid implementation IMO.
The responsive firewall bans a user if they have connected but not registered in X time. This is sane.
But fail2ban remains on with it and bans the IP before the responsive firewall is given time to check for registration. -
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller : Yeah, I'm not really certain what that software does..
"dSIPRouter can be used to implement different use cases within minutes"Ummm, then this shows a few examples but I'm not certain of the use case for any of these...
that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.
Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?
But how can it? Sounds like all it does is disable the firewall, right? You can do that by just... disabling it! Seems pretty silly to implement an entirely separate system just to work around a firewall that you can just turn off with a button.
-
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller : Yeah, I'm not really certain what that software does..
"dSIPRouter can be used to implement different use cases within minutes"Ummm, then this shows a few examples but I'm not certain of the use case for any of these...
that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.
Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?
But how can it? Sounds like all it does is disable the firewall, right? You can do that by just... disabling it! Seems pretty silly to implement an entirely separate system just to work around a firewall that you can just turn off with a button.
eh? I have no idea how it actually works.
But assuming it takes more false hits to get something blocked in this proxy's firewall than it does in FreePBX's firewall, then that would solve the problem.
But then the question is can FreePBX's firewall be changed to make it wait say 30 second from connection to logon before blocking it (this is just a guess, I don't know why it's actually failing/blocking the remote phones other than of course it's coming from a new IP).
-
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered. -
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller : Yeah, I'm not really certain what that software does..
"dSIPRouter can be used to implement different use cases within minutes"Ummm, then this shows a few examples but I'm not certain of the use case for any of these...
that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.
Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?
But how can it? Sounds like all it does is disable the firewall, right? You can do that by just... disabling it! Seems pretty silly to implement an entirely separate system just to work around a firewall that you can just turn off with a button.
eh? I have no idea how it actually works.
But assuming it takes more false hits to get something blocked in this proxy's firewall than it does in FreePBX's firewall, then that would solve the problem.
Sure, but that's not even suggested as a possibility. If that's happening, then great, but that's like saying "why is this rock better than a car" and then responding "well if the rock goes faster, costs less and gets better gas mileage." Well sure, but why would we think that about a rock?
-
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
But then the question is can FreePBX's firewall be changed to make it wait say 30 second from connection to logon before blocking it (this is just a guess, I don't know why it's actually failing/blocking the remote phones other than of course it's coming from a new IP).
No, I don't believe that it can be tuned in any way.
-
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
But then the question is can FreePBX's firewall be changed to make it wait say 30 second from connection to logon before blocking it (this is just a guess, I don't know why it's actually failing/blocking the remote phones other than of course it's coming from a new IP).
No, I don't believe that it can be tuned in any way.
Well, not by us anyway.
-
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
-
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
It would certainly help. But just fixing the mechanism is the better approach.
-
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
It would certainly help. But just fixing the mechanism is the better approach.
which mechanism? you mean the approach to look at the registration in real time, instead of every 15 seconds? I suppose - I have no idea what kind of load that would put on the system?
-
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
It would certainly help. But just fixing the mechanism is the better approach.
which mechanism? you mean the approach to look at the registration in real time, instead of every 15 seconds? I suppose - I have no idea what kind of load that would put on the system?
Right, that when there is a change it triggers a new registration which checks authentication. There are proposals for how to do it, but nothing done about it.
Trivial load, way, way, way less than running a VPN.
-
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
It would certainly help. But just fixing the mechanism is the better approach.
which mechanism? you mean the approach to look at the registration in real time, instead of every 15 seconds? I suppose - I have no idea what kind of load that would put on the system?
Right, that when there is a change it triggers a new registration which checks authentication. There are proposals for how to do it, but nothing done about it.
Trivial load, way, way, way less than running a VPN.
Yet, we still haven't seen a solution to this. thoughts as to why? No one is really using it? I find that hard to believe - perhaps people try and just give up instead of complaining/reporting it.
-
@Dashrender : From reading their forum and reddit, it appears that most people give up and go the VPN route.
There's never been a clear and concise answer from Sangoma.There were a few mentions of Zulu as an alternative, but Zulu 3 is the only supported version currently and both iOS and Android in beta for (~6 months with only one-or-two updates each in that time) The android beta does not get notification of calls unless it's currently sitting open on the device.
-
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
It would certainly help. But just fixing the mechanism is the better approach.
which mechanism? you mean the approach to look at the registration in real time, instead of every 15 seconds? I suppose - I have no idea what kind of load that would put on the system?
Right, that when there is a change it triggers a new registration which checks authentication. There are proposals for how to do it, but nothing done about it.
Trivial load, way, way, way less than running a VPN.
Yet, we still haven't seen a solution to this. thoughts as to why? No one is really using it? I find that hard to believe - perhaps people try and just give up instead of complaining/reporting it.
I don't think that it really affects all that many people.
-
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender : From reading their forum and reddit, it appears that most people give up and go the VPN route.
There's never been a clear and concise answer from Sangoma.There were a few mentions of Zulu as an alternative, but Zulu 3 is the only supported version currently and both iOS and Android in beta for (~6 months with only one-or-two updates each in that time) The android beta does not get notification of calls unless it's currently sitting open on the device.
Maybe they are pushing Zulu?
-
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
It would certainly help. But just fixing the mechanism is the better approach.
which mechanism? you mean the approach to look at the registration in real time, instead of every 15 seconds? I suppose - I have no idea what kind of load that would put on the system?
Right, that when there is a change it triggers a new registration which checks authentication. There are proposals for how to do it, but nothing done about it.
Trivial load, way, way, way less than running a VPN.
Yet, we still haven't seen a solution to this. thoughts as to why? No one is really using it? I find that hard to believe - perhaps people try and just give up instead of complaining/reporting it.
I don't think that it really affects all that many people.
This just seems crazy to me. I would anticipate it to be highly desirable. For sales people and bench techs. My Docs would love to make calls as if coming from the office to protect their cellphone numbers, etc..
-
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
It would certainly help. But just fixing the mechanism is the better approach.
which mechanism? you mean the approach to look at the registration in real time, instead of every 15 seconds? I suppose - I have no idea what kind of load that would put on the system?
Right, that when there is a change it triggers a new registration which checks authentication. There are proposals for how to do it, but nothing done about it.
Trivial load, way, way, way less than running a VPN.
Yet, we still haven't seen a solution to this. thoughts as to why? No one is really using it? I find that hard to believe - perhaps people try and just give up instead of complaining/reporting it.
I don't think that it really affects all that many people.
This just seems crazy to me. I would anticipate it to be highly desirable. For sales people and bench techs. My Docs would love to make calls as if coming from the office to protect their cellphone numbers, etc..
Yeah, but in many cases those aren't affected. We do all of that and don't have this issue. We have a massive customer doing the same thing, no issues. It's not a universal issue.
-
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
It would certainly help. But just fixing the mechanism is the better approach.
which mechanism? you mean the approach to look at the registration in real time, instead of every 15 seconds? I suppose - I have no idea what kind of load that would put on the system?
Right, that when there is a change it triggers a new registration which checks authentication. There are proposals for how to do it, but nothing done about it.
Trivial load, way, way, way less than running a VPN.
Yet, we still haven't seen a solution to this. thoughts as to why? No one is really using it? I find that hard to believe - perhaps people try and just give up instead of complaining/reporting it.
I don't think that it really affects all that many people.
This just seems crazy to me. I would anticipate it to be highly desirable. For sales people and bench techs. My Docs would love to make calls as if coming from the office to protect their cellphone numbers, etc..
Yeah, but in many cases those aren't affected. We do all of that and don't have this issue. We have a massive customer doing the same thing, no issues. It's not a universal issue.
What VOIP mobile client are they using?
-
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
From Sangoma a year ago. Still no progress made on this it seems...
The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as their is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered./sigh - so they know the problem - and still haven't solved it.
I know it could mean 1000 or 100,000 more hits, but if the lengthen the time before the ban wouldn't that solve it? What's the chance of hitting a correct password when randomly guessing 100,000 times versus (what is it today?)?
It would certainly help. But just fixing the mechanism is the better approach.
which mechanism? you mean the approach to look at the registration in real time, instead of every 15 seconds? I suppose - I have no idea what kind of load that would put on the system?
Right, that when there is a change it triggers a new registration which checks authentication. There are proposals for how to do it, but nothing done about it.
Trivial load, way, way, way less than running a VPN.
Yet, we still haven't seen a solution to this. thoughts as to why? No one is really using it? I find that hard to believe - perhaps people try and just give up instead of complaining/reporting it.
I don't think that it really affects all that many people.
This just seems crazy to me. I would anticipate it to be highly desirable. For sales people and bench techs. My Docs would love to make calls as if coming from the office to protect their cellphone numbers, etc..
Yeah, but in many cases those aren't affected. We do all of that and don't have this issue. We have a massive customer doing the same thing, no issues. It's not a universal issue.
What VOIP mobile client are they using?
Zoiper, Linphone and MicroSIP. Linphone mostly. MicroSIP is laptop, not mobile devices.
-
@scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:
@manxam said in Alternatives to OpenVPN for VoiP on cell phone...:
@Dashrender : From reading their forum and reddit, it appears that most people give up and go the VPN route.
There's never been a clear and concise answer from Sangoma.There were a few mentions of Zulu as an alternative, but Zulu 3 is the only supported version currently and both iOS and Android in beta for (~6 months with only one-or-two updates each in that time) The android beta does not get notification of calls unless it's currently sitting open on the device.
Maybe they are pushing Zulu?
They are for certain. It makes money.