
    Alternatives to OpenVPN for FreePBX on cell phone...

    • DashrenderD
      Dashrender
      last edited by

      I have totally had an issue roaming around and the responsive firewall constantly locked me out as well.

      M 1 Reply Last reply Reply Quote 0
      • M
        manxam @Dashrender
        last edited by

        @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

        I have totally had an issue roaming around and the responsive firewall constantly locked me out as well.

        Exactly. To which the only "resolution" that worked for us at the time was OpenVPN but it's taking a massive toll on the batteries of the phones 😞

        1 Reply Last reply Reply Quote 0
        • JaredBuschJ
          JaredBusch
          last edited by

          Okay that makes way more sense.

          I have also had issues with the responsive firewall and mobile phones.

          But not seemingly as bad as you are.

          1 Reply Last reply Reply Quote 0
          • M
            manxam
            last edited by

            Yeah, unfortunately we're seeing at LEAST a 50% chance of being locked out during network connection change or IP address renewal.

            1 Reply Last reply Reply Quote 1
            • JaredBuschJ
              JaredBusch
              last edited by

              I put ZeroTier on my PBX and on my devices. Never thought about using it for a SIP softphone.

              1 Reply Last reply Reply Quote 0
              • 1
                1337
                last edited by 1337

                A few ideas to try. Change openvpn tunnel to not use encryption (save cpu power) but keep authentication. Also extend the time for the keepalive packages (save battery by not having to wake up as often when there is no real traffic over the tunnel).

                Might also want to check that the sip client is actually using push notification so it isn't alive all the time when there are no calls. There are also at least two different openvpn clients so there might be a difference in power drain there as well.

                1 Reply Last reply Reply Quote 2
                • M
                  manxam
                  last edited by

                  @Pete-S : I've increased the default timeout from 10 120 to 300 900.
                  We'll see if a) the connection remains stable b) if battery usage decreases.

                  I don't want to disable encryption as FreePBX automatically generates the client config and I don't want to have to custom edit each.

                  Unless this can be configured strictly on the server side like keepalive?

                  1 1 Reply Last reply Reply Quote 0
                  • C
                    Coreytay @manxam
                    last edited by Coreytay

                    @manxam I found this while looking for alternative also. http://dsiprouter.org/

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Coreytay
                      last edited by

                      @Coreytay said in Alternatives to OpenVPN for VoiP on cell phone...:

                      @manxam I found this while looking for alternative also. http://dsiprouter.org/

                      Not a lot of info obvious on the page.

                      M 1 Reply Last reply Reply Quote 1
                      • M
                        manxam @scottalanmiller
                        last edited by

                        @scottalanmiller : Yeah, I'm not really certain what that software does..
                        "dSIPRouter can be used to implement different use cases within minutes"

                        Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • 1
                          1337 @manxam
                          last edited by

                          @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

                          @Pete-S : I've increased the default timeout from 10 120 to 300 900.
                          We'll see if a) the connection remains stable b) if battery usage decreases.

                          I don't want to disable encryption as FreePBX automatically generates the client config and I don't want to have to custom edit each.

                          Unless this can be configured strictly on the server side like keepalive?

                          Any progress on this?

                          I don't know how freepbx does the openvpn config files but you should have a setting on what cipher to run. That information ends up in both the client and server config files. To disable encryption you set the cipher to none.

                          You should probably turn off compression too as voip is already compressed. Just takes more battery power to compress something that is compressed already.

                          M scottalanmillerS 2 Replies Last reply Reply Quote 1
                          • M
                            manxam @1337
                            last edited by manxam

                            @Pete-S : within the GUI there are no available options for tailoring OpenVPN unfortunately.

                            The client config that it generates is :

                            # Configuration automatically generated via Sysadmin RPM
                            # MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
                            # Generated at: Sun, 13 Jan 2019 03:33:14 +0000
                            client
                            dev tun
                            proto udp
                            resolv-retry 60
                            nobind
                            persist-key
                            persist-tun
                            remote-cert-tls server
                            ca sysadmin_ca.crt
                            cert sysadmin_client1.crt
                            key sysadmin_client1.key
                            comp-lzo
                            verb 3
                            remote x.x.x.x 1194
                            remote x.x.x.x 1194
                            

                            The server config is :

                            # Configuration automatically generated via Sysadmin RPM
                            # MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
                            # Generated at: Sun, 13 Jan 2019 03:33:14 +0000
                            port 1194
                            proto udp
                            dev tun
                            topology subnet
                            ca sysadmin_ca.crt
                            dh sysadmin_dh.pem
                            crl-verify sysadmin_crl.pem
                            cert sysadmin_server1.crt
                            key sysadmin_server1.key
                            ifconfig-pool-persist ipp.txt
                            #keepalive 10 120
                            keepalive 300 900
                            comp-lzo
                            persist-key
                            persist-tun
                            verb 3
                            client-config-dir ccd
                            ccd-exclusive
                            status sysadmin_server1-status.log 10
                            status-version 3
                            script-security 2
                            server 10.8.0.0 255.255.255.0
                            

                            Note the header stating that this file will be overwritten so I'm not certain how "permanent" this will be nor do I see information regarding encryption type (though do see the compression).

                            1 Reply Last reply Reply Quote 0
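An added example, not part of the original post and not FreePBX's own tooling: a small audit of the server config quoted above, showing what `keepalive 300 900` expands to in server mode and flagging the compression and cipher settings discussed in the thread. The `nat_udp_timeout` value of 60 seconds is an assumption for illustration, and the function names are hypothetical.

```python
# Added example: audit of the generated server config quoted in the post above.
SERVER_CONF = """\
port 1194
proto udp
dev tun
topology subnet
#keepalive 10 120
keepalive 300 900
comp-lzo
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
"""  # directives copied from the post; certificate, status and ccd lines left out

def parse(text):
    """Return {directive: [args, ...]}, skipping blank lines and # / ; comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        cfg.setdefault(name, []).append(args)
    return cfg

def effective_keepalive(cfg):
    """Expand the keepalive macro the way the OpenVPN manual documents it."""
    if "keepalive" not in cfg:
        return None
    interval, timeout = (int(v) for v in cfg["keepalive"][-1])
    server_mode = "server" in cfg or ["server"] in cfg.get("mode", [])
    return {
        "ping": interval,
        # In server mode the server's own restart timer is doubled and the
        # plain values are pushed to the clients.
        "server_ping_restart": timeout * 2 if server_mode else timeout,
        "client_ping_restart": timeout,
    }

def audit(cfg, nat_udp_timeout=60):
    """nat_udp_timeout is an assumed carrier NAT idle timeout in seconds."""
    findings = []
    ciphers = [a[0].lower() for a in cfg.get("cipher", []) if a]
    if not ciphers:
        findings.append("cipher: not set, so the OpenVPN build's default is used")
    elif "none" in ciphers:
        findings.append("cipher none: the tunnel no longer encrypts SIP or RTP")
    if any(a[:1] != ["no"] for a in cfg.get("comp-lzo", [])):
        findings.append("comp-lzo: compression on (deprecated since OpenVPN 2.4)")
    ka = effective_keepalive(cfg)
    if ka and ka["ping"] > nat_udp_timeout:
        findings.append(f"keepalive: ping every {ka['ping']}s exceeds the assumed "
                        f"{nat_udp_timeout}s NAT timeout; inbound calls may not arrive")
    return findings

if __name__ == "__main__":
    for finding in audit(parse(SERVER_CONF)):
        print(finding)
```

Because the file header says modifications are overwritten, running a check like this after each Sysadmin update shows whether the hand-edited `keepalive` line survived.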
                            • scottalanmillerS
                              scottalanmiller @manxam
                              last edited by

                              @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

                              @scottalanmiller : Yeah, I'm not really certain what that software does..
                              "dSIPRouter can be used to implement different use cases within minutes"

                              Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

                              that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.

                              DashrenderD 1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller @1337
                                last edited by

                                @Pete-S said in Alternatives to OpenVPN for VoiP on cell phone...:

                                You should probably turn off compression too as voip is already compressed. Just takes more battery power to compress something that is compressed already.

                                Good point, watch for double compression.

                                1 Reply Last reply Reply Quote 0
                                • DashrenderD
                                  Dashrender @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

                                  @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

                                  @scottalanmiller : Yeah, I'm not really certain what that software does..
                                  "dSIPRouter can be used to implement different use cases within minutes"

                                  Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

                                  that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.

                                  Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?

                                  M scottalanmillerS 2 Replies Last reply Reply Quote 0
                                  • M
                                    manxam @Dashrender
                                    last edited by

                                    @Dashrender : FreePBX uses a really stupid implementation IMO.
                                    The responsive firewall bans a user if they have connected but not registered in X time. This is sane.
                                    But fail2ban remains on with it and bans the IP before the responsive firewall is given time to check for registration.

                                    1 Reply Last reply Reply Quote 0
                                    • scottalanmillerS
                                      scottalanmiller @Dashrender
                                      last edited by

                                      @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

                                      @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

                                      @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

                                      @scottalanmiller : Yeah, I'm not really certain what that software does..
                                      "dSIPRouter can be used to implement different use cases within minutes"

                                      Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

                                      that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.

                                      Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?

                                      But how can it? Sounds like all it does is disable the firewall, right? You can do that by just... disabling it! Seems pretty silly to implement an entirely separate system just to work around a firewall that you can just turn off with a button.

                                      DashrenderD 1 Reply Last reply Reply Quote 0
                                      • DashrenderD
                                        Dashrender @scottalanmiller
                                        last edited by

                                        @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

                                        @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

                                        @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

                                        @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

                                        @scottalanmiller : Yeah, I'm not really certain what that software does..
                                        "dSIPRouter can be used to implement different use cases within minutes"

                                        Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

                                        that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.

                                        Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?

                                        But how can it? Sounds like all it does is disable the firewall, right? You can do that by just... disabling it! Seems pretty silly to implement an entirely separate system just to work around a firewall that you can just turn off with a button.

                                        eh? I have no idea how it actually works.

                                        But assuming it takes more false hits to get something blocked in this proxy's firewall than it does in FreePBX's firewall, then that would solve the problem.

                                        But then the question is can FreePBX's firewall be changed to make it wait say 30 seconds from connection to logon before blocking it (this is just a guess, I don't know why it's actually failing/blocking the remote phones other than of course it's coming from a new IP).

                                        scottalanmillerS 2 Replies Last reply Reply Quote 0
                                        • M
                                          manxam
                                          last edited by manxam

                                          From Sangoma a year ago. Still no progress made on this it seems...

                                          The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as there is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
                                          To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered.

                                          DashrenderD 1 Reply Last reply Reply Quote 1
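An added example, not part of the original thread and not Sangoma's code: a model of the race described in the quoted reply, comparing a registration check that polls every 15 seconds with one that sees the registration immediately (the AMI approach the reply proposes). The evenly spaced traffic and the reading of "after 10 packets" as "on the 10th unrecognised packet" are assumptions.

```python
import math

POLL_INTERVAL = 15.0  # seconds between registration checks (from the quoted reply)
PACKET_LIMIT = 10     # unrecognised packets before blacklisting (from the quoted reply)

def seen_at(registered_at, poll_interval=None):
    """Time at which the firewall learns that the source IP has registered."""
    if poll_interval is None:  # event-driven check: known as soon as it happens
        return registered_at
    return math.ceil(registered_at / poll_interval) * poll_interval

def is_blacklisted(packet_times, registered_at, poll_interval=None, limit=PACKET_LIMIT):
    """True if `limit` packets arrive after registration but before the firewall notices."""
    cutoff = seen_at(registered_at, poll_interval)
    unseen = [t for t in packet_times if registered_at <= t < cutoff]
    return len(unseen) >= limit

def client_packets(registered_at, rate, duration=20.0):
    """Constructed traffic: a softphone sending `rate` packets/s once registered."""
    return [registered_at + i / rate for i in range(int(duration * rate))]

def lockout_fraction(rate, poll_interval=POLL_INTERVAL, steps=1500):
    """Share of registration times, spread evenly over one poll cycle, that end in a ban."""
    hits = 0
    for i in range(steps):
        reg = (i + 0.5) * poll_interval / steps  # half-step offset avoids the poll tick itself
        if is_blacklisted(client_packets(reg, rate), reg, poll_interval):
            hits += 1
    return hits / steps

if __name__ == "__main__":
    for rate in (0.5, 1.0, 2.0, 5.0):
        print(f"{rate:>4} pkt/s  polled every 15s: {lockout_fraction(rate):.0%} locked out")
    reg = 3.0
    print("event-driven:", is_blacklisted(client_packets(reg, 5.0), reg, None))
```

In this model the false-positive rate depends only on how chatty the client is relative to the polling gap, which is why an event-driven check removes the lockouts without loosening the packet limit.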
                                          • scottalanmillerS
                                            scottalanmiller @Dashrender
                                            last edited by

                                            @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

                                            @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

                                            @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

                                            @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

                                            @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

                                            @scottalanmiller : Yeah, I'm not really certain what that software does..
                                            "dSIPRouter can be used to implement different use cases within minutes"

                                            Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

                                            that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.

                                            Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?

                                            But how can it? Sounds like all it does is disable the firewall, right? You can do that by just... disabling it! Seems pretty silly to implement an entirely separate system just to work around a firewall that you can just turn off with a button.

                                            eh? I have no idea how it actually works.

                                            But assuming it takes more false hits to get something blocked in this proxy's firewall than it does in FreePBX's firewall, then that would solve the problem.

                                            Sure, but that's not even suggested as a possibility. If that's happening, then great, but that's like saying "why is this rock better than a car" and then responding "well if the rock goes faster, costs less and gets better gas mileage." Well sure, but why would we think that about a rock?

                                            1 Reply Last reply Reply Quote 0