Alternatives to OpenVPN for FreePBX on cell phone...



  • We use Android phones here along with Zoiper to tie into our FreePBX instance for when we're out of the office/on-site.
    Each device uses the OpenVPN client to connect to FreePBX but we've been experiencing massive battery drain issues using that client for months (today OpenVPN was responsible for 73% of my battery usage).
    Is there an alternate AND SECURE way for users to connect back in to FreePBX using their cell phones aside from using OpenVPN?
    I had tried using the responsive firewall but got locked out frequently.
    Also tried dyndns apps for android but they sucked as much battery as OpenVPN and, often times, we'd be banned via the firewall before dyndns updated.

    Any suggestions would be greatly appreciated.

    Thanks!



  • What are you trying to secure? The Voice? That is not secure anywhere else. Why does it matter?

    The SIP registration? That is not in the clear in the first place.



  • Secure voice is difficult, overrated, and pretty much always going to be a huge battery drain because encrypting streams of media takes a lot of processor power. I'm with Jared, before you try to solve this problem, really dig into it and see if it makes sense. Almost all people who request VPN for voice traffic do so without actually evaluating it. It's not the important thing that it sounds like. Nice, of course. If it was free and easy, then duh, more security trumps less security. But it's not easy or "free", there is a lot of cost involved (complexity, performance, battery, etc.) So almost always the evaluation says it doesn't really matter, and in over a century of telecommunications history it has never mattered, and should just be skipped.



  • I thought I was pretty clear in my OP but I suppose some clarification is in order: This is strictly so that we can connect Android phones to our FreePBX instance. I'm not at all concerned about encrypting / securing voice, just the successful registration of the Zoiper client.

    OpenVPN was the only consistent way of getting mobile devices to keep their registration as we can whitelist the VPN ip subnet.

    As mentioned, turning on the responsive firewall and using that instead of OpenVPN did not work out well as the IP addresses of the cell phones change regularly and the firewall would randomly lock users out during re-registration. Perhaps there are some changes that we can make to either the client or FreePBX that will prevent this?

    EDIT: When I said "AND SECURE", I was speaking of ensuring that FreePBX itself was kept as secure from "rogue users" as possible while fulfilling our requirement of allowing our mobile devices to register with the service.



  • @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

    I thought I was pretty clear in my OP but I suppose some clarification is in order: This is strictly so that we can connect Android phones to our FreePBX instance. I'm not at all concerned about encrypting / securing voice, just the successful registration of the Zoiper client.

    OpenVPN was the only consistent way of getting mobile devices to keep their registration as we can whitelist the VPN ip subnet.

    Oh, that's odd. We don't see that problem happening. Our mobile devices work very consistently with FreePBX (unless people are at a site that is blocking traffic, then I could see the VPN being used as a work around to a location's own security rules.) But in general, no VPN needed for consistent connections.

    But that makes more sense as an issue to overcome.



  • Are your Zoiper users primarily on like 4G or LTE connections rather than Wifi? Maybe that's causing it. We do that, but not most of the time.



  • This had come up in the past and @bigbear had recommended putting an SBC in front of FreePBX to handle the issue. Although that creates the issue of dealing with that security at a different point, so not a fix completely in and of itself.

    https://mangolassi.it/topic/15747/responsive-firewall-and-external-freepbx-users/



  • @scottalanmiller : If they're using their mobile phones it means that they're out of the office travelling or on-site at a client and, likely, not connected to WiFi.

    When using the responsive firewall, it was during network status changes where there would be a high likelihood that the device would get locked out (e.g. when transitioning WiFi -> LTE)



  • I have totally had an issue roaming around and the responsive firewall constantly locked me out as well.



  • @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

    I have totally had an issue roaming around and the responsive firewall constantly locked me out as well.

    Exactly. To which the only "resolution" that worked for us at the time was OpenVPN but it's taking a massive toll on the batteries of the phones 😞



  • Okay that makes way more sense.

    I have also had issues with the responsive firewall and mobile phones.

    But not seemingly as bad as you are.



  • Yeah, unfortunately we're seeing at LEAST a 50% chance of being locked out during network connection change or IP address renewal.



  • I put ZeroTier on my PBX and on my devices. Never thought about using it for a SIP softphone.



  • A few ideas to try. Change openvpn tunnel to not use encryption (save cpu power) but keep authentication. Also extend the time for the keepalive packages (save battery by not having to wake up as often when there is no real traffic over the tunnel).

    Might also want to check that the sip client is actually using push notification so it isn't alive all the time when there are no calls. There are also at least two different openvpn clients so there might be a difference in power drain there as well.



  • @Pete-S : I've increased the default timeout from 10 120 to 300 900.
    We'll see if a) the connection remains stable b) if battery usage decreases.

    I don't want to disable encryption as FreePBX automatically generates the client config and I don't want to have to custom edit each.

    Unless this can be configured strictly on the server side like keepalive?



  • @manxam I found this while looking for alternative also. http://dsiprouter.org/



  • @Coreytay said in Alternatives to OpenVPN for VoiP on cell phone...:

    @manxam I found this while looking for alternative also. http://dsiprouter.org/

    Not a lot of info obvious on the page.



  • @scottalanmiller : Yeah, I'm not really certain what that software does..
    "dSIPRouter can be used to implement different use cases within minutes"

    Ummm, then this shows a few examples but I'm not certain of the use case for any of these...



  • @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

    @Pete-S : I've increased the default timeout from 10 120 to 300 900.
    We'll see if a) the connection remains stable b) if battery usage decreases.

    I don't want to disable encryption as FreePBX automatically generates the client config and I don't want to have to custom edit each.

    Unless this can be configured strictly on the server side like keepalive?

    Any progress on this?

    I don't know how freepbx does the openvpn config files but you should have a setting on what cipher to run. That information ends up in both the client and server config files. To disable encryption you set the cipher to none.

    You should probably turn off compression too as voip is already compressed. Just takes more battery power to compress something that is compressed already.



  • @Pete-S : within the GUI there are no available options for tailoring OpenVPN unfortunately.

    The client config that it generates is :

    # Configuration automatically generated via Sysadmin RPM
    # MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
    # Generated at: Sun, 13 Jan 2019 03:33:14 +0000
    client
    dev tun
    proto udp
    resolv-retry 60
    nobind
    persist-key
    persist-tun
    remote-cert-tls server
    ca sysadmin_ca.crt
    cert sysadmin_client1.crt
    key sysadmin_client1.key
    comp-lzo
    verb 3
    remote x.x.x.x 1194
    remote x.x.x.x 1194
    

    The server config is :

    # Configuration automatically generated via Sysadmin RPM
    # MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
    # Generated at: Sun, 13 Jan 2019 03:33:14 +0000
    port 1194
    proto udp
    dev tun
    topology subnet
    ca sysadmin_ca.crt
    dh sysadmin_dh.pem
    crl-verify sysadmin_crl.pem
    cert sysadmin_server1.crt
    key sysadmin_server1.key
    ifconfig-pool-persist ipp.txt
    #keepalive 10 120
    keepalive 300 900
    comp-lzo
    persist-key
    persist-tun
    verb 3
    client-config-dir ccd
    ccd-exclusive
    status sysadmin_server1-status.log 10
    status-version 3
    script-security 2
    server 10.8.0.0 255.255.255.0
    

    Note the header stating that this file will be overwritten so I'm not certain how "permanent" this will be nor do I see information regarding encryption type (though do see the compression).
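
Added example (not part of the original post, and not FreePBX or OpenVPN project code): a small audit of the server config posted above. It expands the `keepalive` helper the way the OpenVPN manual documents for server mode, where the interval and timeout are pushed to clients, and reports the compression and cipher lines. The `parse` and `audit` names are hypothetical, and the config is the posted one abridged to the relevant directives.

```python
import shlex

# Abridged copy of the server config posted in the thread.
SERVER_CONF = """\
port 1194
proto udp
dev tun
#keepalive 10 120
keepalive 300 900
comp-lzo
persist-key
persist-tun
server 10.8.0.0 255.255.255.0
"""

def parse(conf):
    """Return {directive: [args]}; comment lines are ignored, last occurrence wins."""
    directives = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, *args = shlex.split(line)
            directives[name] = args
    return directives

def audit(conf):
    """Summarise the directives discussed in the thread."""
    d = parse(conf)
    report = {}
    if "keepalive" in d:
        interval, timeout = (int(v) for v in d["keepalive"])
        if "server" in d or d.get("mode") == ["server"]:
            # Server mode: the server itself uses timeout*2, clients get the
            # plain values via push "ping ..." / push "ping-restart ...".
            report["server"] = {"ping": interval, "ping-restart": timeout * 2}
            report["pushed_to_clients"] = {"ping": interval, "ping-restart": timeout}
        else:
            report["local"] = {"ping": interval, "ping-restart": timeout}
    # Compression directives present (the thread suggests dropping these for VoIP).
    report["compression"] = [k for k in ("comp-lzo", "compress") if k in d]
    # No cipher line means OpenVPN's built-in default applies.
    report["cipher"] = d.get("cipher", ["<not set: OpenVPN default applies>"])[0]
    return report

if __name__ == "__main__":
    for key, value in audit(SERVER_CONF).items():
        print(f"{key}: {value}")
```

For the posted config this shows that `keepalive 300 900` reaches clients without touching the generated client files, and that `comp-lzo` is set while no `cipher` line is present.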



  • @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

    @scottalanmiller : Yeah, I'm not really certain what that software does..
    "dSIPRouter can be used to implement different use cases within minutes"

    Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

    that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.



  • @Pete-S said in Alternatives to OpenVPN for VoiP on cell phone...:

    You should probably turn off compression too as voip is already compressed. Just takes more battery power to compress something that is compressed already.

    Good point, watch for double compression.



  • @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

    @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

    @scottalanmiller : Yeah, I'm not really certain what that software does..
    "dSIPRouter can be used to implement different use cases within minutes"

    Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

    that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.

    Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?



  • @Dashrender : FreePBX uses a really stupid implementation IMO.
    The responsive firewall bans a user if they have connected but not registered in X time. This is sane.
    But fail2ban remains on with it and bans the IP before the responsive firewall is given time to check for registration.



  • @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

    @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

    @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

    @scottalanmiller : Yeah, I'm not really certain what that software does..
    "dSIPRouter can be used to implement different use cases within minutes"

    Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

    that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.

    Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?

    But how can it? Sounds like all it does is disable the firewall, right? You can do that by just... disabling it! Seems pretty silly to implement an entirely separate system just to work around a firewall that you can just turn off with a button.



  • @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

    @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

    @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

    @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

    @scottalanmiller : Yeah, I'm not really certain what that software does..
    "dSIPRouter can be used to implement different use cases within minutes"

    Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

    that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.

    Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?

    But how can it? Sounds like all it does is disable the firewall, right? You can do that by just... disabling it! Seems pretty silly to implement an entirely separate system just to work around a firewall that you can just turn off with a button.

    eh? I have no idea how it actually works.

    But assuming it takes more false hits to get something blocked in this proxy's firewall than it does in FreePBX's firewall, then that would solve the problem.

    But then the question is can FreePBX's firewall be changed to make it wait say 30 seconds from connection to logon before blocking it (this is just a guess, I don't know why it's actually failing/blocking the remote phones other than of course it's coming from a new IP).



  • From Sangoma a year ago. Still no progress made on this it seems...

    The problem is after your phone registers is slamming the server with packets before the firewall is picked up it was registered as there is a delay so after 10 packets which happen really fast for some reason on your client it gets blacklisted.
    To solve this we need to move the checking for registration to watch the AMI so we see it real-time instead of checking every 15 seconds like we do now as your client is slamming the server with packets before we see it registered.
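
Added example (not part of the quoted Sangoma reply, and not FreePBX code): a simplified model of the race described above, comparing a registration check that polls every 15 seconds with one that sees the registration in real time. The threshold of 10 packets and the 15-second interval come from the quote; poll ticks at multiples of the interval, the function names and the packet timings are assumptions constructed for illustration.

```python
THRESHOLD = 10        # packets from an unknown source before blacklisting (from the quote)
POLL_MS = 15_000      # registration check interval (from the quote)

def known_registered_at(reg_ms, poll_ms):
    """Time at which the firewall learns the source has registered.
    poll_ms=None models an event-driven (real-time) notification."""
    if poll_ms is None:
        return reg_ms
    # Assumption: polls run at t = 0, poll_ms, 2*poll_ms, ...
    return -(-reg_ms // poll_ms) * poll_ms

def simulate(packet_ms, reg_ms, poll_ms=POLL_MS, threshold=THRESHOLD):
    """Return ('blacklisted', t) or ('trusted', t) for one new source IP."""
    known_at = known_registered_at(reg_ms, poll_ms)
    unknown_packets = 0
    for t in sorted(packet_ms):
        if t >= known_at:
            return ("trusted", known_at)      # firewall has seen the registration
        unknown_packets += 1
        if unknown_packets >= threshold:
            return ("blacklisted", t)         # banned before registration was noticed
    return ("trusted", known_at)

# Constructed timings: phone changes network at t=1.0 s, registers at t=1.4 s.
CHATTY = [1_000 + 200 * i for i in range(20)]     # one packet every 0.2 s
QUIET = [1_000 + 2_000 * i for i in range(20)]    # one packet every 2 s
REGISTERED_AT = 1_400

if __name__ == "__main__":
    print("chatty, polled:    ", simulate(CHATTY, REGISTERED_AT))
    print("chatty, real-time: ", simulate(CHATTY, REGISTERED_AT, poll_ms=None))
    print("quiet,  polled:    ", simulate(QUIET, REGISTERED_AT))
```

In this model the same successfully registered client is banned or trusted depending only on how many packets it sends before the next poll.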



  • @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

    @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

    @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

    @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

    @manxam said in Alternatives to OpenVPN for VoiP on cell phone...:

    @scottalanmiller : Yeah, I'm not really certain what that software does..
    "dSIPRouter can be used to implement different use cases within minutes"

    Ummm, then this shows a few examples but I'm not certain of the use case for any of these...

    that's where I was. I get that it is a proxy, but I don't get what problem it is solving. It seems to just move the problem, not remove it.

    Well if the proxy can solve the firewall lockout issue on mobile devices and changing IPs... but then, if the Proxy can solve it - why can't the firewall in FreePBX?

    But how can it? Sounds like all it does is disable the firewall, right? You can do that by just... disabling it! Seems pretty silly to implement an entirely separate system just to work around a firewall that you can just turn off with a button.

    eh? I have no idea how it actually works.

    But assuming it takes more false hits to get something blocked in this proxy's firewall than it does in FreePBX's firewall, then that would solve the problem.

    Sure, but that's not even suggested as a possibility. If that's happening, then great, but that's like saying "why is this rock better than a car" and then responding "well if the rock goes faster, costs less and gets better gas mileage." Well sure, but why would we think that about a rock?



  • @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

    But then the question is can FreePBX's firewall be changed to make it wait say 30 seconds from connection to logon before blocking it (this is just a guess, I don't know why it's actually failing/blocking the remote phones other than of course it's coming from a new IP).

    No, I don't believe that it can be tuned in any way.



  • @scottalanmiller said in Alternatives to OpenVPN for VoiP on cell phone...:

    @Dashrender said in Alternatives to OpenVPN for VoiP on cell phone...:

    But then the question is can FreePBX's firewall be changed to make it wait say 30 seconds from connection to logon before blocking it (this is just a guess, I don't know why it's actually failing/blocking the remote phones other than of course it's coming from a new IP).

    No, I don't believe that it can be tuned in any way.

    Well, not by us anyway.