Professional enterprise-grade VoIP telephony with home office and mobile phone support (free, open source)


Telephony has changed even further since I started using Voice over IP (VoIP) in the 1990s. VoIP telephone systems have meanwhile more or less completely replaced older ISDN and analog telephony. Asterisk, an open source VoIP server, is clearly the number one: it has set standards and is used as a telephone system, VoIP gateway and conference server by SMEs, enterprises, call centers, carriers and governments worldwide.

My company, CTS GMBH (https://ctssupport.at), has been setting up VoIP telephone systems for customers of all sizes since 1999, many of them across countries and continents, with multiple layers of encryption to protect the telephony against any eavesdropping. At the same time, all internal group calls over the Internet are free of charge, and least-cost routing can be set up easily.

The corona pandemic in particular forced customers to meet additional, innovative requirements so that they remained fully able to operate during the pandemic. In 2019 we replaced the last Asterisk installation, which had been updated cleanly for 13 years since 2006, with a new setup based on the FreePBX solution. This enabled us to set up all the necessary features without having to change anything else.

The requirements include:

  • Secure, encrypted telephony in the home office without connecting the VoIP server directly to the Internet
  • Secure, encrypted telephony on mobile devices (smartphones, tablets, laptops) without connecting the VoIP server directly to the Internet
  • Multi-device capability of extensions, i.e. an employee can have an office phone, laptop and smartphone online and use them at the same time. This makes all the follow-me and ring-group solutions that are difficult to maintain unnecessary
  • Full protection of the VoIP server through VPN; this also means that telephony is fully encrypted at the same time. Internal group conversations worldwide can no longer be eavesdropped and are safe from third parties
  • Simple change of the telephone provider, in order to realize cost savings in telephony easily and without changing the internal infrastructure.

The structure of the completely license-free open source solution consists of the following components:

PfSense firewalls (bare-metal install or virtualized with Proxmox (FOSS) or VMware).

The PfSense firewall covers all the needs of SMEs and enterprises in the areas of firewall, VPN and fail-safe (HA) setups with multiple PfSense instances. With OpenVPN, PfSense integrates an extremely secure VPN solution used by millions. All settings can easily be made via the web interface. Net-to-net connections are supported, as are Linux, Mac, Windows, Android and iOS based devices. This makes it possible to secure the full functionality with certificates and passwords without exposing internal servers or dangerous ports (the entrance doors to the server) directly to the Internet.

Asterisk / FreePBX setup.

We use the FreePBX solution in our setup, which can easily be downloaded as an ISO. The setup is very easy and can be carried out directly on hardware or virtualized. FreePBX / Asterisk support an extremely large number of features that can be set up via the web interface. The server should be installed behind a firewall. Compared to cloud-based telephone systems, this results in massive advantages in communication, security and reduced bandwidth. If the telephone provider fails, the entire group-internal telephony still works, and changing the telephone provider, usually with cost savings, is extremely easy to carry out.

More and more softphones are being set up as end devices in order to be able to act more flexibly. Nevertheless, a desk telephone with features that are not always perfectly supported by a softphone must be installed at the workplace. Large-area LED displays for switchboard operators and the like are not necessarily the priorities of softphones. We use telephone hardware from various manufacturers in our setups, and the open source softphone LinPhone is preferred, which perfectly covers all end devices running Windows, Linux, Mac, iOS and Android.

First the PfSense firewall is installed and all external access to the LAN is completely prohibited. Then a FreePBX Asterisk server is set up and connected to the telephone provider via a SIP trunk. In order to protect the Asterisk VoIP server accordingly, rules are required in the firewall that restrict the trunk traffic to the IP of the telephone provider. I do not go into the setup of ring groups, queues and branches in Asterisk in any more depth here; it may one day become its own blog entry.

PRO TIP Multi Device: It is very important to activate the PJSIP driver and ideally to deactivate the CHAN_SIP driver for new installations. The PJSIP driver has, for each extension, a Max-Connections setting that specifies the maximum number of devices that can register on that extension.

LinPhone is installed from the respective sources on the end devices. The settings are self-explanatory, and different output devices for voice and ringtone can be set. Since we are not fans of video telephony, it will not be discussed here, but it should be noted that the combination of LinPhone and Asterisk supports this as well.

PCs and devices in the LAN can reach the Asterisk VoIP server immediately, and telephony works right away.

PRO TIP Terminal Server Info: Softphones require headsets (mostly USB), a ringtone over loudspeakers and very intensive real-time UDP, TCP and TLS traffic for speech. It is not recommended to operate softphones on Windows and Linux terminal servers. Apart from the fact that the ringtone would be played on the mostly virtual server in the server room, passing many USB devices through to the server is not necessarily stable in normal cases. In addition, the time slice that a terminal server assigns to the users in turn can lead to choppy calls. Here it is recommended to use a PC as the basis for the RDP connection and to set up the softphone on this PC.

An OpenVPN server is set up on the PfSense to secure the mobile devices. It should be secured with certificates, a TLS key and user plus password. The end devices can thus permanently connect to the VPN and then make encrypted calls, just like in the office. OpenVPN can run permanently in the background on the mobile device, so the connection is always active and calls can be received.

PRO TIP VPN: On the PfSense, rules should be set on the OpenVPN interface that ONLY allow the VPN clients access to the Asterisk VoIP server, and there only to the SIP and RTP ports 5060 and 10000-20000. This means that if the end device is infected with malware, nothing can happen in the rest of the network.

PRO TIP VPN (2): The VPN should never be used as the “default gateway”, neither on the PfSense nor on the end device. The routes into the VPN should contain only the necessary networks, and the “default gateway” on the end device should remain unchanged. If the OpenVPN client allows restricting which apps use the VPN, restrict it to the softphone.

This makes it possible, without having to worry about which device is currently in range, to always be reachable and to make all calls with the phone number on the Asterisk VoIP server instead of transmitting the mobile phone number. I currently have 3 devices on my extensions and all requirements are perfectly covered. Every device rings on incoming calls, and several devices can make calls at the same time.

Extra professional setup for IT specialists (Easer Example)

Normal users can now skip to the links at the end. For IT professionals, however, the icing on the cake of the setup follows, which can only be understood with the corresponding basic knowledge.

A setup for secure, privacy-respecting smartphones and tablets has already been presented on the blog (https://eurafri.com/projects/tutorials/tutorial-en-00004).

Without going into further detail here, it should be noted that with this setup for OpenVPN it is possible to reach the Asterisk VoIP server purely with the custom script, and no extra authorizations have to be set for incoming or outgoing Internet traffic.

However, the extra VPN control must be activated in AFWall+, and LinPhone must then be allowed access to the VPN (check mark only for VPN!).

IT specialists work in diverse networks, and one of the things that excites them most is automating routine activities.

Easer, an open source automation tool for Android, was found to fit this need. As always preferred, the installation can be done via F-Droid.

Easer has a learning curve even for long-time specialists, but after that the tool is more than perfect.

Here is an example of one of the requirements for this project:

Automatic switching of the OpenVPN based on the connected network

Assumption: The IT specialist moves between a LAN that reaches the VoIP server directly and other networks that require the VPN for access. The main problem with this routine activity is that activating and deactivating the VPN is of course often forgotten, and calls are lost.

Because of the international audience, the details are in English (the language can also be changed to English in Easer):

Open settings

  • enable ‘Use root features’

  • Check ‘Activated skills’, where the minimum is: Wi-Fi, Connectivity Type, Wi-Fi Connection

Open data

  • Create Condition -> Choose a Condition -> WiFi Connection

Condition Title: At-Home

Match SSID: Your Home SSID

  • Create Event -> Choose an Event -> Connection Type

Event Title: HaveConnection

Selected Types: Wi-Fi and Mobile

READ UPDATES!

Create Profile: From plus(+) icon select ‘Launch App’

Profile Title: OpenVPN Connect

APP: de.blinkt.openvpn

Class Name: de.blinkt.openvpn.api.ConnectVPN

Extras: Key: de.blinkt.openvpn.api.profileName, Value: (e.g. Pihole)

UPDATE

There were problems with the above one, so we changed to:

From plus(+) icon select ‘Run Command’

Profile Title: OpenVPN Connect

command: am start -a android.intent.action.MAIN -n de.blinkt.openvpn/.LaunchVPN -e de.blinkt.openvpn.shortcutProfileName PROFILENAME

END

  • Create Profile -> + -> Launch App

Profile Title: OpenVPN Stop

APP: de.blinkt.openvpn

Class Name: de.blinkt.openvpn.api.DisconnectVPN

Best to test with “Trigger this Profile”.

UPDATE

There were problems with the above one, so we changed to:

From plus(+) icon select ‘Run Command’

Profile Title: OpenVPN Stop

command: am start --user 0 -n de.blinkt.openvpn/.api.DisconnectVPN

END


Best to test with “Trigger this Profile”.

  • Create Pivot

Script Title: Online

Profiles:

Event: HaveConnection

  • Online-> Add child

Script title: Home WLAN

Profile: OpenVPN Stop

Condition: At-Home

Reverse scenario: disabled

  • Online-> Add child

Script title: Insecure Network

Profile: OpenVPN Start

Condition: At-Home

Reverse scenario: enabled

  • Finally

Start Rules

If everything was done correctly, OpenVPN starts automatically as soon as the home WLAN is no longer available and deactivates itself when you return. LinPhone registers again immediately after the change, so the functionality is always available without any manual intervention. A really cool solution!
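The Easer rule tree above, written as a shell script for a rooted Android device (an added example, not from the original post): it contains the same decision (home WLAN stops the VPN, every other network starts it, no network does nothing) and reuses the two `am start` commands given above. HOME_SSID and VPN_PROFILE are placeholders that you replace with your own values.

```shell
#!/bin/sh
# Added example (not part of the original post): the Easer rule tree above,
# written as a plain shell script for a rooted Android device so the decision
# can be read and tested in one place. It reuses the two `am start` commands
# from the post; HOME_SSID and VPN_PROFILE are placeholders to replace.
HOME_SSID="${HOME_SSID:-YourHomeSSID}"
VPN_PROFILE="${VPN_PROFILE:-PROFILENAME}"

# decide_vpn CONNECTIVITY SSID -> prints start, stop or none
#   CONNECTIVITY is wifi, mobile or none; SSID is the connected Wi-Fi name.
#   Home WLAN    -> stop  (the PBX is reachable directly in the LAN)
#   other Wi-Fi  -> start (SIP/RTP must go through the tunnel)
#   mobile data  -> start (never the home LAN)
#   no network   -> none  (nothing to do, as with the HaveConnection event)
decide_vpn() {
  conn="$1"
  ssid="$2"
  case "$conn" in
    wifi)
      if [ "$ssid" = "$HOME_SSID" ]; then echo stop; else echo start; fi
      ;;
    mobile) echo start ;;
    *)      echo none ;;
  esac
}

# The two commands from the post, wrapped so that an action maps onto them.
vpn_start() {
  am start -a android.intent.action.MAIN -n de.blinkt.openvpn/.LaunchVPN \
    -e de.blinkt.openvpn.shortcutProfileName "$VPN_PROFILE"
}
vpn_stop() {
  am start --user 0 -n de.blinkt.openvpn/.api.DisconnectVPN
}

# apply_action ACTION: run the matching command; "none" is a successful no-op.
apply_action() {
  case "$1" in
    start) vpn_start ;;
    stop)  vpn_stop ;;
    none)  : ;;
    *)     echo "unknown action: $1" >&2; return 1 ;;
  esac
}

# Usage from Easer "Run Command" or a shell: vpn-switch.sh wifi "MySSID"
# Only acts when called with arguments, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
  apply_action "$(decide_vpn "$1" "${2:-}")"
fi
```

Called with the current connectivity type and SSID, the script issues exactly one of the two commands, which makes the rule easy to test from a terminal before wiring it into Easer.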

Enterprise Support and Setup:

Links to the article:

EURAFRI Matrix Group Chat

We look forward to active participation in the EURAFRI project and ask you to also visit the EURAFRI reception in the matrix.

https://matrix.to/#/#eurafri-reception:matrix.ctseuro.com

Your EURAFRI TEAM

Author: Karl M. Joch
