Using Vultr for FreePBX 13
-
@u2communications said in Using Vultr for FreePBX 13:
@jaredbusch, Awesome as usual Jared. Though mine looks very different - no zones button. I just went to the Networks tab and added my WAN subnet as Trusted (Excluded from Firewall) and I'm all set. I can't believe I didn't see that!
The delayed load of the pictures probably caused the scroll to not be in the right place. Post 2 of that thread shows the current FreePBX 14 view.
But it sounds like you found the right setting.
-
@JaredBusch Hi, Jared. I appreciate this information on Vultr. I've got a hosted freePBX system up and running on Vultr now. Have you had trouble with tftp in a hosted environment? For the life of me I can't get it working. Works on a local install. Does not work on a hosted install. I've checked too many things to list here, but was wondering if you (or anybody else) has gotten it to work in a hosted environment. If yes, then it's back to lab for me. Thanks.
-
@prabbide said in Using Vultr for FreePBX 13:
@JaredBusch Hi, Jared. I appreciate this information on Vultr. I've got a hosted freePBX system up and running on Vultr now. Have you had trouble with tftp in a hosted environment? For the life of me I can't get it working. Works on a local install. Does not work on a hosted install. I've checked too many things to list here, but was wondering if you (or anybody else) has gotten it to work in a hosted environment. If yes, then it's back to lab for me. Thanks.
I would never use tftp over the internet. There is no security in it at all.
That said, assuming your system is set up properly it will work just fine. It is simply a setting in your DHCP server to tell the phone where to go.
You need to have the service open in the FreePBX firewall and make sure it is allowed out of your router.
-
LET FREEEEDOM RING BABY
-
@JaredBusch said in Using Vultr for FreePBX 13:
I would never use tftp over the internet. There is no security in it at all.
I was out at breakfast when I made the reply. Let me clarify.
Using tftp to pull configs over the internet has no possible method to encrypt the information in transit.
So if somewhere along the way, your traffic is sniffed (most likely a softphone on a mobile device on a public hotspot), the data inside the phone config files is 100% plain text. This is a super bad thing because these config files contain the SIP credentials for the device in question.
Once someone has your valid credentials, they have access to make calls on your dime.
Using http is no different. I recommend only using https on the public internet.
Now, you can mitigate by only allowing known IP addresses through the firewall. By doing that, there is no way for someone to get to your data from everywhere around the world.
To be clear, this is only about keeping the configuration files secret because they contain sensitive information. SIP registration is a totally different issue. That process has no need for encryption. The SIP protocol negotiates a nonce with the PBX when it begins the registration process for an extension. The device never sends the registration password in the clear.
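As an added illustration (not part of the original post), this Python sketch contrasts what crosses the wire in the two cases described above: a TFTP DATA packet carrying a phone config, and a SIP REGISTER answered with an RFC 2617 digest. The extension, realm, password and config keys are constructed sample values.

```python
import hashlib
import secrets
import struct

# Constructed sample values; none of these come from the thread.
USER, REALM, PASSWORD = "1001", "pbx.example.com", "S3cr3t-Ext-Pass"
URI = "sip:pbx.example.com"


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def tftp_data_packet(block: int, payload: bytes) -> bytes:
    """RFC 1350 DATA packet: 2-byte opcode 3, 2-byte block number, raw payload."""
    return struct.pack("!HH", 3, block) + payload


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """RFC 2617 digest (no qop), the scheme SIP uses for REGISTER."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


def register_authorization(nonce: str, password: str = PASSWORD) -> str:
    """Authorization header the phone sends after the PBX's 401 challenge."""
    resp = digest_response(USER, REALM, password, "REGISTER", URI, nonce)
    return (f'Authorization: Digest username="{USER}", realm="{REALM}", '
            f'nonce="{nonce}", uri="{URI}", response="{resp}"')


def pbx_accepts(header: str, nonce: str) -> bool:
    """PBX side: recompute from its stored secret and compare."""
    expected = digest_response(USER, REALM, PASSWORD, "REGISTER", URI, nonce)
    return f'response="{expected}"' in header


def password_on_wire(wire: bytes) -> bool:
    return PASSWORD.encode() in wire


if __name__ == "__main__":
    config = f"sip_user = {USER}\nsip_password = {PASSWORD}\n".encode()
    nonce = secrets.token_hex(16)
    print("TFTP config download exposes password:",
          password_on_wire(tftp_data_packet(1, config)))
    print("SIP REGISTER exposes password:",
          password_on_wire(register_authorization(nonce).encode()))
```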
-
@JaredBusch said in Using Vultr for FreePBX 13:
I recommend only using https on the public internet.
Now even though I say that, there are potential problems with this on some devices.
/me glares at Yealink T4XG series devices
FreePBX's default Let's Encrypt certificate process on FreePBX 14 creates a Let's Encrypt certificate that Yealink T4XG series phones refuse to talk to. The exact same phone talking to FreePBX 13 with a LE cert generated by FreePBX works just fine.
So you have to decide to get some other certificate or take the risk of using http for your device communication. I continue to hope that Yealink will release a firmware update for this, but it is unlikely as that series of phones is no longer sold. They do not seem to consider them EoL yet, but they were replaced by the T4XS line.
-
@JaredBusch Yep. tftp is not optimal for security reasons. Nevertheless, it actually does not seem to work in a hosted freepbx environment and I can't figure out (yet) why. I've turned off the IPFW (yes, I know...this is a test box). I've set the xinet service tftp to verbose logging and tracked the activity. The tftp client successfully talks with the server, requests files, but eventually times out with no data transmitted. I've set my local firewall wide open for the IP address. I'm able to tftp locally from another known good remote tftp server. I've checked the freepbx forums (there are similar complaints about tftp, but those are not on a hosted server and tend to be user error). Was hoping you had run across this issue and made it work (even though it's not recommended). Thanks for your feedback.
-
@Emad-R said in Using Vultr for FreePBX 13:
Hi,
Did you also notice that v14 is super slow compared to v13 ?
It assuredly is not. I use it daily. I do not use 13 daily any more, but when I did have active clients on both versions, I never had noticeably different speeds in the GUI.
-
@JaredBusch said in Using Vultr for FreePBX 13:
@Emad-R said in Using Vultr for FreePBX 13:
Hi,
Did you also notice that v14 is super slow compared to v13 ?
It assuredly is not. I use it daily. I do not use 13 daily any more, but when I did have active clients on both versions, I never had noticeably different speeds in the GUI.
We still have one client that won't upgrade (they make lots of excuses) and we don't notice a difference either.
-
@prabbide said in Using Vultr for FreePBX 13:
@JaredBusch Yep. tftp is not optimal for security reasons. Nevertheless, it actually does not seem to work in a hosted freepbx environment and I can't figure out (yet) why. I've turned off the IPFW (yes, I know...this is a test box). I've set the xinet service tftp to verbose logging and tracked the activity. The tftp client successfully talks with the server, requests files, but eventually times out with no data transmitted. I've set my local firewall wide open for the IP address. I'm able to tftp locally from another known good remote tftp server. I've checked the freepbx forums (there are similar complaints about tftp, but those are not on a hosted server and tend to be user error). Was hoping you had run across this issue and made it work (even though it's not recommended). Thanks for your feedback.
You sure Vultr firewall isn't blocking TFTP?
-
@Dashrender said in Using Vultr for FreePBX 13:
@prabbide said in Using Vultr for FreePBX 13:
@JaredBusch Yep. tftp is not optimal for security reasons. Nevertheless, it actually does not seem to work in a hosted freepbx environment and I can't figure out (yet) why. I've turned off the IPFW (yes, I know...this is a test box). I've set the xinet service tftp to verbose logging and tracked the activity. The tftp client successfully talks with the server, requests files, but eventually times out with no data transmitted. I've set my local firewall wide open for the IP address. I'm able to tftp locally from another known good remote tftp server. I've checked the freepbx forums (there are similar complaints about tftp, but those are not on a hosted server and tend to be user error). Was hoping you had run across this issue and made it work (even though it's not recommended). Thanks for your feedback.
You sure Vultr firewall isn't blocking TFTP?
Vultr doesn't have a firewall unless you make one.
I mean it is possible they could. Let me test.
-
@JaredBusch said in Using Vultr for FreePBX 13:
@Dashrender said in Using Vultr for FreePBX 13:
@prabbide said in Using Vultr for FreePBX 13:
@JaredBusch Yep. tftp is not optimal for security reasons. Nevertheless, it actually does not seem to work in a hosted freepbx environment and I can't figure out (yet) why. I've turned off the IPFW (yes, I know...this is a test box). I've set the xinet service tftp to verbose logging and tracked the activity. The tftp client successfully talks with the server, requests files, but eventually times out with no data transmitted. I've set my local firewall wide open for the IP address. I'm able to tftp locally from another known good remote tftp server. I've checked the freepbx forums (there are similar complaints about tftp, but those are not on a hosted server and tend to be user error). Was hoping you had run across this issue and made it work (even though it's not recommended). Thanks for your feedback.
You sure Vultr firewall isn't blocking TFTP?
Vultr doesn't have a firewall unless you make one.
I mean it is possible they could. Let me test.
Lots of people put one in by default and don't even think about it.
-
My setup with FreePBX 14 on Vultr.
- There is no firewall on Vultr blocking anything.
- My home network is marked trusted in the FreePBX responsive firewall.
- The tftp protocol is allowed in the FreePBX firewall to local connections.
I can connect to it from my desktop with tftp but I cannot download anything.
-
@JaredBusch said in Using Vultr for FreePBX 13:
My setup with FreePBX 14 on Vultr.
- There is no firewall on Vultr blocking anything.
- My home network is marked trusted in the FreePBX responsive firewall.
- The tftp protocol is allowed in the FreePBX firewall to local connections.
I can connect to it from my desktop with tftp but I cannot download anything.
right - so why not?
-
@Dashrender said in Using Vultr for FreePBX 13:
@JaredBusch said in Using Vultr for FreePBX 13:
My setup with FreePBX 14 on Vultr.
- There is no firewall on Vultr blocking anything.
- My home network is marked trusted in the FreePBX responsive firewall.
- The tftp protocol is allowed in the FreePBX firewall to local connections.
I can connect to it from my desktop with tftp but I cannot download anything.
right - so why not?
Don't know and don't honestly care. As I said before. Don't use TFTP on the public internet.
-
I wonder if TFTP default bindings are LAN only.
-
@scottalanmiller said in Using Vultr for FreePBX 13:
I wonder if TFTP default bindings are LAN only.
/shrug
It let me connect.
Note: it also does not work on my ZeroTier address.
-
@JaredBusch said in Using Vultr for FreePBX 13:
@scottalanmiller said in Using Vultr for FreePBX 13:
I wonder if TFTP default bindings are LAN only.
/shrug
It let me connect.
Note: it also does not work on my ZeroTier address.
Now that is weird!
-
@JaredBusch said in Using Vultr for FreePBX 13:
My setup with FreePBX 14 on Vultr.
- There is no firewall on Vultr blocking anything.
- My home network is marked trusted in the FreePBX responsive firewall.
- The tftp protocol is allowed in the FreePBX firewall to local connections.
I can connect to it from my desktop with tftp but I cannot download anything.
Exactly my problem. But I concluded the same thing. Who cares? I do have a small reason to care, but I've got a workaround and moved on to other topics. Thanks for your 2 cents! Glad it wasn't just me.