FreePBX External/Remote Extensions
-
I'm getting ready to set up my first remote extension for FreePBX and thought I'd tap the community for any recommendations/suggestions. I'm going to be using a Yealink T23G phone.
Right now I've got three options for configuring this.
1. External extension registered directly with FreePBX (using NAT).
2. External extension connected over OpenVPN and registered directly with FreePBX.
3. External extension connected directly to our SIP provider (VOIP.MS) via a sub-account.
Ideally, I would like to have option #2 set up. However, I'm not an OpenVPN expert and getting everything set up just right might take more time than I currently have. If any of you have done this I'd appreciate any pointers or extra resources you can provide.
With option #1 security is my primary concern. Have any of you worked with remote extensions in this way? If I am forced to go this route I eventually plan on restricting registration to the remote public IP address that the phone will be registering from, but I will not be able to do that until we know the public IP of the location that my employee will be working from.
Also, are there any gotchas involved with this type of registration happening from outside of North America? My employee is going to be spending several months in the UK.
-
-
I like option 2.
-
You shouldn't need to be an OpenVPN expert. Maybe @JaredBusch can help.
-
@RamblingBiped said:
Also, are there any gotchas involved with this type of registration happening from outside of North America? My employee is going to be spending several months in the UK.
None that I can think of.
-
@aaronstuder said in FreePBX External/Remote Extensions:
You shouldn't need to be an OpenVPN expert. Maybe @JaredBusch can help.
From what little bit I've grasped from the Yealink documentation I've glanced at I think the constraints of the phone manufacturer are probably going to be the toughest part. There are some types of encryption that they don't support and possibly specific older versions of packages that are required to make it work...
Hopefully that's not the case and a current version of OpenVPN will get the job done without too much fuss.
-
@RamblingBiped said in FreePBX External/Remote Extensions:
@aaronstuder said in FreePBX External/Remote Extensions:
You shouldn't need to be an OpenVPN expert. Maybe @JaredBusch can help.
From what little bit I've grasped from the Yealink documentation I've glanced at I think the constraints of the phone manufacturer are probably going to be the toughest part. There are some types of encryption that they don't support and possibly specific older versions of packages that are required to make it work...
Hopefully that's not the case and a current version of OpenVPN will get the job done without too much fuss.
Well, if anyone can help, it's @JaredBusch - he is a Yealink expert
-
We are using a Hosted PBX, my phone is registered to that from home. It is not using OpenVPN. NTG does hosted and On Premise PBX systems.
Tagging: @art_of_shred @Mike-Ralston
(edited OP to include tags)
-
@RamblingBiped said:
With option #1 security is my primary concern. Have any of you worked with remote extensions in this way? If I am forced to go this route I eventually plan on restricting registration to the remote public IP address that the phone will be registering from, but I will not be able to do that until we know the public IP of the location that my employee will be working from.
Mine too. Do you know the IP address will be fixed? You will still be sending information over the internet in the clear.
-
@aaronstuder said in FreePBX External/Remote Extensions:
@RamblingBiped said:
Also, are there any gotchas involved with this type of registration happening from outside of North America? My employee is going to be spending several months in the UK.
None that I can think of.
We do this all the time (literally ALL the time) and no issues. I've been a European extension for eight years (not full time) and there is no issue. There can't be as IP is IP, there is no locality to the Internet.
-
Option #2 is definitely the most ideal. Option #1 will work and you can manage the security implications in a reasonable way. But #2 is way better.
-
Will this be many users in different places, or many users in different places?
-
Another style of option is ZeroTier on the PBX and then use a softphone to connect to it.
-
@aaronstuder said in FreePBX External/Remote Extensions:
Will this be many users in different places, or many users in different places?
Single user in one place.
-
@scottalanmiller said in FreePBX External/Remote Extensions:
Option #1 will work and you can manage the security implications in a reasonable way.
How does NTG handle that?
-
@aaronstuder said in FreePBX External/Remote Extensions:
Will this be many users in different places, or many users in different places?
I'm guessing many users in different places.
-
@RamblingBiped How long will they be there? Have you considered just sending them a hardware device?
-
@scottalanmiller said in FreePBX External/Remote Extensions:
Another style of option is ZeroTier on the PBX and then use a softphone to connect to it.
Unfortunately softphone is not an option, the employee is the CEO and he wants an actual phone on his desk.
-
@aaronstuder said in FreePBX External/Remote Extensions:
@scottalanmiller said in FreePBX External/Remote Extensions:
Option #1 will work and you can manage the security implications in a reasonable way.
How does NTG handle that?
Firewall limits on one side and extension capabilities on the other. If you limit the usefulness of hacking an extension you can, for some companies, bring the risk to effectively zero. Only works reliably if you can do the latter.
-
@scottalanmiller So @gjacobse has a fixed IP?
-
@scottalanmiller said in FreePBX External/Remote Extensions:
@aaronstuder said in FreePBX External/Remote Extensions:
@scottalanmiller said in FreePBX External/Remote Extensions:
Option #1 will work and you can manage the security implications in a reasonable way.
How does NTG handle that?
Firewall limits on one side and extension capabilities on the other. If you limit the usefulness of hacking an extension you can, for some companies, bring the risk to effectively zero. Only works reliably if you can do the latter.
So for option #1 I'm looking at using a non-standard port number for SIP registration, credentials, and (eventually) limiting the registration to a single public IP address. With all of that in place, that should reasonably be secure, correct?
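
Added example, not part of the thread or of FreePBX: with option #1 the SIP port stays reachable from the internet until the remote public IP is known, so a practical check in the meantime is to count failed registrations from sources outside the allow-list. The log layout (chan_sip-style NOTICE lines), the sample lines, the threshold and the use of 203.0.113.45 as the phone's public IP are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the style of Asterisk chan_sip log messages.
# Addresses are from documentation ranges; extension numbers are made up.
SAMPLE_LOG = """\
[2016-09-20 10:11:12] NOTICE[2211] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10:5160>' failed for '198.51.100.23:5071' - Wrong password
[2016-09-20 10:11:13] NOTICE[2211] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10:5160>' failed for '198.51.100.23:5071' - Wrong password
[2016-09-20 10:11:15] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10:5160>' failed for '198.51.100.77:5060' - No matching peer found
[2016-09-20 10:12:40] NOTICE[2211] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10:5160>' failed for '203.0.113.45:5060' - Wrong password
[2016-09-20 10:13:02] VERBOSE[2211] chan_sip.c: Registered SIP '201' at 203.0.113.45:5060
"""

# Matches the failed-REGISTER message and captures the source address and reason.
FAILED = re.compile(
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)' - (?P<reason>.+)$"
)

def failed_registrations(log_text):
    """Yield (source_ip, reason) for each failed REGISTER in the log."""
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            yield ipaddress.ip_address(m.group("ip")), m.group("reason").strip()

def sources_to_block(log_text, allowed_nets, threshold=2):
    """Return {ip: failures} for sources outside the allow-list at or above threshold."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    counts = Counter()
    for ip, _reason in failed_registrations(log_text):
        # A mistyped password from the known phone IP is not treated as hostile.
        if not any(ip in net for net in nets):
            counts[str(ip)] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    # 203.0.113.45 stands in for the remote phone's public IP once it is known.
    print(sources_to_block(SAMPLE_LOG, ["203.0.113.45/32"]))
```

Until the allow-list can be filled in, passing an empty list reports every failing source, which shows how much registration noise the chosen port is attracting.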