
VPN in a Flash

The Road Warrior's Companion

VPN in a Flash™ is the mobile hardware component designed to complement the PBX in a Flash open source telephony platform. Housed in an Acer Aspire One® weighing in at just over 2 pounds, the VPN in a Flash system is designed for portability and includes an Intel Atom® motherboard with a gig of RAM, a 120GB hard disk, wired and wireless network support, and a state-of-the-art Linux GUI plus FreePBX® and Asterisk®. Full backups require only a $15 USB flash drive.

Whether it’s a satellite medical office, or a remote construction site, or a regional branch of your favorite bank, or a temporary broadcast studio in Beijing, or a home office or hotel room of an architect, lawyer, or candlestick maker, VPN in a Flash provides a turnkey solution for instant communications. Plug it in, turn it on, connect to the Internet wired or wirelessly, and you've got a full-featured Asterisk PBX with a VPN-encrypted tunnel back to your home office server or any collection of up to 16 servers scattered across the globe. Phone extensions and voicemail are preconfigured for added versatility. And the bundle comes with the Zoiper® softphone preconfigured to make your first call in seconds.

As anyone in the Internet Telephony business would tell you, successful VoIP implementations are nine parts networking and one part telephony. VPN in a Flash is designed to manage all of that complexity for you so that systems can be deployed quickly with minimal configuration. As Apple Computers learned long ago, software solutions are much less complex when you have complete control of the hardware platform. In our case, the hardware platform consists of the VPN in a Flash box and one or dozens of telephone instruments and softphones. For permanent installations, we recommend Aastra 57i SIP telephones because they provide the most functionality, but any SIP phone will do. For softphones, you can't beat Zoiper which is preconfigured and ready to go on your KDE desktop. Additional options are available here.

Initial Setup of VPN in a Flash
As delivered, your new system will boot into non-graphics mode (mode3) to simplify the initial configuration. In non-graphics mode3, you will need to initially connect to a wired network which hands out DHCP addresses. So plug in a network cable, and fire up your machine. This will only take a few minutes! Once you complete the configuration, simply type mode5 while logged in as root and then reboot to start up the KDE GUI. Both wired and wireless connectivity are supported in graphics mode. Once you save your WiFi password within the KDE GUI, you also can use wireless connectivity in non-graphics mode as well.

In non-graphics mode, we recommend you log in as root with the default password which is password. It should immediately be changed to a very secure password. Just type passwd to change it. We also recommend you change ALL of the other passwords on the system using these commands: passwd-maint, passwd-amp, passwd-meetme, and passwd-webmin. In graphics mode using the KDE interface, we recommend you log in with the piafuser account which also is preconfigured. The default password is password. Change this password also! While logged in as root, type the following command: passwd piafuser. For late-breaking information about your new system as well as trademark and copyright notices, take a minute to review the README file in the root folder. Type the following command: cat /root/README.

Voicemail is a critical component in any modern telecommunications system. The Asterisk-based voicemail system in VPN in a Flash is rock-solid reliable. While VPN in a Flash includes a 120GB hard drive, storage space still is finite. And voicemail consumes lots of space. We strongly recommend that incoming voicemail messages be automatically deleted after transmission to an email address you trust. Your new system comes preconfigured to serve as an SMTP server to distribute emails to destinations of your choosing. But we strongly recommend that you use an email delivery system for VPN in a Flash that reduces the hassle factor of getting emails to intended recipients. We recommend Gmail from Google. If you want to know why, read the next paragraph. Otherwise, you can skip down to Suggestion #1.

As hosting providers have wrestled with SPAM, they have taken a number of steps to reduce their volume of mail traffic. These steps change regularly. Some providers (including many hotels) block SMTP mail traffic from downstream servers. Your VPN in a Flash box qualifies. By using gMail as the delivery mechanism, you don't have to worry about this. Most, if not all, hosting providers also block forwarding of email messages initiated from outside of their networks. This means that, while Comcast or Time Warner might deliver your email messages when you're sitting in your home or office, sending an email message from a Hilton Hotel in Paris or even from a satellite office using these providers might not make it. By using Gmail as the delivery mechanism, you don't have to worry about this either. There's a third reason for using Gmail. It almost always works! Finally, it's FREE!

Set Up a Free gMail Account

1. Set up a gMail account for yourself before your VPN in a Flash system arrives. Your new VPN in a Flash system is preconfigured to support it for sending outbound emails. Do you have to use it for incoming mail? No! Would you be crazy not to? Probably. Google has the best SPAM filters in the business. And you get almost unlimited storage space for your messages which are fully searchable. Remember, it's Google Mail.

2. Once your server arrives, configure gMail for delivery of email messages from your system. Log into your server as root and perform the following steps:

cd /etc/mail/auth
nano -w client-info
# In both lines of this file, replace user_id with your gMail account name
# In both lines of this file, replace password with your actual password
# Save your changes by pressing Ctrl-X, then Y, then press the Enter key
makemap -r hash client-info.db < client-info
cd ..
cp sendmail.mc sendmail.mc.original
cp sendmail.mc.gmail sendmail.mc
make
service sendmail restart

3. Now test the system by sending a sample email message to one of your email addresses:

echo "test" | mail -s testmessage YourNameGoesHere@gmail.com


Purchase a USB Flash Drive for Backups

1. Buy a 4GB or 8GB Flash Drive Now. Your VPN in a Flash system comes preconfigured with a way to make regular system backups of everything onto your solid state drive. For under $20, you can't afford not to make backups! Purchase at least a 4GB USB flash drive from your favorite supplier. When your USB drive arrives, plug it in to a USB slot on the back of the VPN in a Flash system and follow the simple steps below to properly format it and make an initial backup. Then you can sleep well knowing you'll always have a backup of your entire system in ISO format.

2. Format your USB flash drive for use in your VPN in a Flash system. You only have to do this once. Log into your server as root and issue the following command: usbformat.

3. Make a test backup to assure that everything is working properly. After logging into your server as root, type the following command to start the backup. It'll take about an hour to complete the backup. You'll know when the command prompt reappears.

/etc/cron.weekly/disk-backup.cron

4. Check the backup dates and sizes regularly. Log into your server as root and type: /root/usbcheck.sh


Set Up Hamachi VPN For Your Servers

Overview. Hamachi is a managed, zero-configuration virtual private network (VPN), meaning your servers have to phone home to Hamachi Central to retrieve certain information about the participants and locations of servers in your VPN. The beauty of this design is you don't have to worry about certificates and private and public IP addresses and fully-qualified domain names for all of your servers. The downside is that a private company stores your passwords and theoretically could access your VPN. With the Internet, hundreds (if not thousands) of people can intercept your data without detection. At least with the Hamachi VPN, you've reduced the potential intruder pool to one. The trade-off is incredible ease of use. But, if this design offends your sensibilities, then exercise your constitutional rights and don't use it. However, it's really no different than Wachovia knowing what your bank account number and password are if you think about it. We think it is the ideal solution for mobile systems and systems with dynamic IP addresses. And that's the VPN in a Flash universe as we see it.

To use Hamachi, you need to know a little about its design. In a nutshell, your private "VPN cloud" is known as a "network" in Hamachi Land, and your identity is known as a "nickname." Every network has a password. Without the password, you don't get in. Hamachi manages all of the remaining VPN complexity to provide a seamless, encrypted VPN tunnel between all of the servers in your Hamachi network. All you need is a network name, a password, and a nickname. You can create a new network, or you can join an existing one... if you know the password. Once you are logged in, you get a private IP address that can be used to communicate with other machines in your private network. In the case of the free version of Hamachi, every network is limited to 16 participants (i.e. nicknames or machines). But you can belong to more than one network. If you need to accommodate more machines, then you'll need to pay the piper. Hamachi supports Linux machines as well as PCs and Macs, but not telephones. So you need to establish a VPN tunnel between at least two servers before the phones connected to those two servers can communicate securely. We'll do this with Hamachi and then we'll create an IAX trunk on each server to interconnect the two boxes using the private VPN addresses of the systems.

Setting Up Your Primary Server. VPN in a Flash comes with Hamachi VPN preinstalled. However, before we can establish secure communications between your servers, we have to have Hamachi VPN running on each server which will be part of your network. To begin, you'll need a name for your network. If you care about security, then don't name it something like WachoviaSecureFinancials. Instead, choose a name such as wsf437yt. Keep in mind that no registration information is passed to Hamachi servers other than this network name, a password which you make up, your IP address, and the nickname for each of your servers. The more obscure you can make all of these entries the better... if security is a concern. Remember that there are tens of thousands of Hamachi VPNs around the world, so obfuscation matters.

Once you have decided upon a secure network name and password as well as nicknames for all of your servers, write them down and store them in a secure place. Now you're ready to set up your primary server. Log into your PBX in a Flash server as root and type the following commands (depending upon the version of Asterisk running on your server):

For systems running Asterisk 1.4 (including VPN in a Flash boxes):

cd /root
wget http://pbxinaflash.org/ast14/scripts/install-hamachi.x.gz

gunzip install-hamachi.x.gz
chmod +x install-hamachi.x
./install-hamachi.x

For systems running Asterisk 1.6:

cd /root
wget http://pbxinaflash.org/ast14/scripts/install-hamachi16.x.gz

gunzip install-hamachi16.x.gz
chmod +x install-hamachi16.x
./install-hamachi16.x

If this is your first machine in the new virtual private network, type N to create a new Hamachi network. If you are adding a machine to an existing network you previously have created, type J to join the existing network. When prompted, enter the network name (twice) and then the network password (twice)... just to be sure you know what you are doing. Finally, enter a nickname (twice) for this machine that is unique.

That completes the VPN setup on your primary server. Once we enter the same network name and password as well as a unique nickname on your VPN in a Flash server, you will have a working virtual private network between the two systems. Each machine then will have a new VPN private network address that looks like 5.x.x.x.

Initial Hamachi VPN Setup


Assuming you've gotten Hamachi installed on your system, but you have not yet set up your VPN network, here's the step-by-step process. None of the first 6 setup steps which follow should be necessary if you've just installed the software using the installation script above.

  1. Start up Hamachi on your server: hampiaf start
  2. Assign your machine a unique nickname: hampiaf set-nick server1
  3. Log in to the network: hampiaf login
  4. To create a new VPN network: hampiaf create network-name network-password (network-name MUST be unique!!)
  5. To join an existing (or your new) VPN network: hampiaf join network-name network-password
  6. Bring your server on line in the new VPN network: hampiaf go-online network-name
  7. Check to be sure you're on line: cat /etc/hamachi/state

Repeat the above steps on your remaining servers (except step 4 obviously). And then...

  1. Check to be sure your machine is on line: cat /etc/hamachi/state
  2. Get the nicknames of the other servers in your Hamachi VPN network: hampiaf get-nicks
  3. List the nicknames of the other servers in your network: hampiaf list

NOTE: The server on which you run the list command will NOT be included in the list. That's what the on line check above does for you: cat /etc/hamachi/state. You may find it helpful to include the above 3 commands in a bash script. HINT: Sometimes you'll need to run the script twice to fully populate the list.

  1. To log out of the VPN network: hampiaf logout
  2. To leave a VPN network: hampiaf leave network-name
  3. To stop Hamachi on your server: hampiaf stop

If you get a "login failed" message when you attempt to log in to the VPN network, you may need to reinitialize Hamachi on your server. Simply reinstall the software as outlined above. We've only seen this happen when a system restore from another system got Hamachi confused as to server identity.

Adding Windows, Mac, and Linux Desktops to Your Hamachi VPN

Once you have all of your VPN in a Flash and PBX in a Flash servers interconnected with your new Hamachi VPN, you may wish to add your desktop systems to your virtual private network as well. The only restriction is that the free version of Hamachi VPN only supports 16 machines. For most, that won't be a limitation. To download the software for your desktop PCs, go to this link and follow the instructions. It's a 5-minute setup.


To be continued...

Set Up An Extension Design for Your Servers

VPN in a Flash comes preconfigured with a number of extensions set up in the 71xx range of numbers. When you begin connecting PBX in a Flash systems together for free communications between the phones on all of your servers, it's important that each server have its own range of extension numbers. This makes the system totally transparent to end-users regardless of which server their phones happen to be attached to. They can simply dial any extension number and the Asterisk servers will take care of finding a path to the actual telephone regardless of its location. This avoids having to dial prefixes to reach certain cities or extensions and greatly simplifies use of your phone system.

Before getting into the technical design, it's important to sketch out how your new system will be used. If the design is intended to support employees that regularly travel, that needs to be considered. If the design is intended to support static regional offices, then that suggests slightly different design criteria. For example, with a regional office, you probably would want a voicemail account for local users on the local server.

For mobile users or mobile VPN in a Flash boxes, a remote extension can be added to a newly created ring group for each user in the home office so that the remote extension also rings whenever the user gets a call. This requires no change of extension numbers on your main system. Instead, just create new ring groups on the main server for mobile users and forward calls from each user's main extension number to the new ring group number. In the ring group, include the user's local extension as well as their mobile extension. The user can actually pick up calls in either location. With this design, no voicemail is actually necessary on the remote system, and each remote extension can be configured to not only ring but also to announce when voicemails arrive on the home extension. This is advantageous when a user is a frequent traveler and may be out of phone contact during certain times of the day. Indeed, the remote VPN in a Flash server may be out of operation from time to time. When the traveler arrives at a destination, the VPN in a Flash box can be reconnected. And the phone linked to that server can be used to retrieve existing voicemails from the home office voicemail system.

1. Make the range of extension numbers unique on each of your servers. If the 7100 range of numbers isn't unique on your new VPN in a Flash system, then change the extension numbers to make them unique. This is easily accomplished through the FreePBX web interface by editing each extension and changing its number throughout the form. For example, search for 7101 and replace every entry with the new number you have chosen. Similarly, if you are deploying multiple VPN in a Flash servers at numerous locations, make each server's extension numbers unique to your overall system, e.g. 71xx on System 1, 72xx on System 2, etc.

2. Determine where each user's voicemail should be stored to assure 24x7 access. Such access includes pickup of unanswered calls for callers to leave messages and the ability to retrieve incoming voicemail messages.
If your new VPN in a Flash system will be used strictly for a Road Warrior, then disable the Voicemail option for each extension and set the Mailbox option for each extension to match the home office extension for each user.

3. Make certain your extension passwords and voicemail passwords are changed and secure! Once your server is exposed to the Internet, the SIP and IAX ports are opened to permit communications between your server and the rest of the world. That's the good news. The bad news is that the world is full of some creeps who immediately will attempt to break into your system or begin making calls on your nickel. The easiest system to hack is one where the extension passwords match the extension numbers or where extension passwords are all the same and something simple such as 1234. Secure your passwords as if your phone bill depended upon it. It does! We provide the latest fail2ban software which will block IP addresses for a period of time after three unsuccessful attempts to guess a SIP, IAX, HTTPS, or SSH password. But that offers no protection if your passwords are easily guessed.

Using IAX Trunks with VPN To Interconnect Servers

Now that your VPN is up and running, it's time to interconnect your Asterisk servers so that secure calls can be initiated between extensions on the servers. Keep in mind that each server will now potentially have three different IP addresses: a private IP address, a public IP address, and a VPN IP address. The private IP address is the typical IP address that would be assigned by your firewall/router which sits between your server and the Internet (e.g. 192.168.0.123). The public IP address is usually the public Internet address where your router connects to the Internet. If your server is directly connected to the Internet, then these two addresses would be the same.

Before creating the actual trunks using FreePBX, we'll need to decipher the VPN IP addresses for each of the servers. These are the only IP addresses that provide secure communications between your servers! For ease of explanation, we're going to assume that the nicknames for your two servers are server-main and server-remote. Log into both servers as root. We recommend you use SSH to do all of this so that separate windows can be used to enter commands into both servers. On both servers, issue the following commands:

hampiaf get-nicks
hampiaf list

On server-main, you should see a response like this where wsf437yt is the name of your network:

Retrieving peers' nicknames ..
 * [wsf437yt]
     * 5.202.1.2    server-remote       292.128.10.22:33272

On server-remote, you should see a response like this where wsf437yt is the name of your network:

Retrieving peers' nicknames ..
 * [wsf437yt]
     * 5.202.1.1    server-main         24.88.12.237:33272

You will note that the VPN address of the server on which you issue the commands is not included in the listing. If you ever need to retrieve the VPN address of the physical server you're using, type the following command:

cat /etc/hamachi/state

For our purposes in creating the IAX trunks to interconnect the servers, just write down the server names and their corresponding VPN private IP addresses and fill in the chart below with your actual VPN addresses and nicknames. All communications on the 5.x.x.x network is encrypted as it is part of the VPN tunnel so these are the IP addresses we need to use in creating our links between the servers:

Example VPN IP   Example Nickname   Your VPN IP Addr   Your VPN Nickname
5.202.1.1        server-main        ____________       ____________________
5.202.1.2        server-remote      ____________       ____________________


VPN Trunk Setup on server-main. Using a web browser, connect to server-main and go to the FreePBX main screen. Click the Setup tab and then Trunks. Now click Add Trunk and choose Add IAX2 trunk. Fill out the form replacing the entries in blue with your actual data for server-main and replacing the entries in red with your actual data for server-remote. Make up a new password and enter it instead of password. For now leave the General Settings and Outgoing Dial Rules and skip down to the next section of the form. Fill in the next two sections of the form like this using the information you wrote down above. Leave the Registration String blank.

Outgoing Settings
Trunk Name server-remote
PEER Details:
host=5.202.1.2
secret=password
type=peer
username=server-remote

Incoming Settings
USER Context server-main
USER Details:
context=from-internal
host=5.202.1.1
secret=password
type=friend
user=server-main

Click the Submit button when you finish making all the substitutions and then reload the FreePBX dialplan when prompted. Now let's make the corresponding entries on server-remote.
 
VPN Trunk Setup on server-remote. Using a web browser, connect to server-remote and go to the FreePBX main screen. Click the Setup tab and then Trunks. Now click Add Trunk and choose Add IAX2 trunk. Fill out the form replacing the entries in blue with your actual data for server-main and replacing the entries in red with your actual data for server-remote. Use the same password you created for your server-main entries and enter it instead of password. For now leave the General Settings and Outgoing Dial Rules and skip down to the next section of the form. Fill in the next two sections of the form like this using the information you wrote down above. Leave the Registration String blank.

Outgoing Settings
Trunk Name server-main
PEER Details:
host=5.202.1.1
secret=password
type=peer
username=server-main

Incoming Settings
USER Context server-remote
USER Details:
context=from-internal
host=5.202.1.2
secret=password
type=friend
user=server-remote

Click the Submit button when you finish making all the substitutions and then reload the FreePBX dialplan when prompted.
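To tie the peer listing and the two trunk forms together, here is an added Python example (not part of this page or the PBX in a Flash project) that parses the `hampiaf list` output shown above, confirms every host is a 5.x.x.x VPN address, refuses the placeholder secret, and fills in the IAX2 trunk fields exactly as the forms above lay them out. The sample listing is constructed; the public endpoint in it is a documentation-range placeholder.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `hampiaf list` output as seen on server-main, in the same
# layout as the listing above (public endpoint is a placeholder, not a real host).
SAMPLE_LIST_OUTPUT = """\
Retrieving peers' nicknames ..
 * [wsf437yt]
     * 5.202.1.2    server-remote       198.51.100.22:33272
"""

# Hamachi hands every member a private address in the 5.x.x.x range; only traffic
# to those addresses travels inside the encrypted tunnel.
HAMACHI_VPN_NET = ipaddress.ip_network("5.0.0.0/8")

@dataclass
class Peer:
    network: str
    vpn_ip: str
    nick: str
    public_endpoint: str

_NETWORK_RE = re.compile(r"^\s*\*\s*\[(?P<net>[^\]]+)\]")
_PEER_RE = re.compile(
    r"^\s*\*\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<nick>\S+)\s+(?P<ep>\S+)")

def parse_peer_list(text):
    """Return the peers printed by `hampiaf list`, tagged with their network name.
    The server running the command is never in this list (see the note above)."""
    peers, network = [], None
    for line in text.splitlines():
        m = _NETWORK_RE.match(line)
        if m:
            network = m.group("net")
            continue
        m = _PEER_RE.match(line)
        if m and network is not None:
            peers.append(Peer(network, m.group("ip"), m.group("nick"), m.group("ep")))
    return peers

def is_vpn_address(ip):
    """True only for a Hamachi 5.x.x.x address, never a LAN or public address."""
    return ipaddress.ip_address(ip) in HAMACHI_VPN_NET

def check_secret(secret):
    """Reject the form's placeholder and other trivially guessable trunk secrets."""
    return secret.lower() not in {"password", "secret", "1234"} and len(secret) >= 12

def trunk_fields(own_nick, own_vpn_ip, peer, secret):
    """Fill the IAX2 trunk form for `peer`, following the page's template: the PEER
    section points at the peer's VPN address, the USER section carries our own nick
    and VPN address, and both share the made-up secret."""
    if not (is_vpn_address(own_vpn_ip) and is_vpn_address(peer.vpn_ip)):
        raise ValueError("trunk hosts must be VPN addresses, not LAN or public ones")
    if not check_secret(secret):
        raise ValueError("make up a new, strong trunk secret instead of 'password'")
    return {
        "trunk_name": peer.nick,
        "peer_details": f"host={peer.vpn_ip}\nsecret={secret}\ntype=peer\nusername={peer.nick}",
        "user_context": own_nick,
        "user_details": (f"context=from-internal\nhost={own_vpn_ip}\n"
                         f"secret={secret}\ntype=friend\nuser={own_nick}"),
    }

if __name__ == "__main__":
    # Constructed values for server-main; substitute your own from the chart above.
    for peer in parse_peer_list(SAMPLE_LIST_OUTPUT):
        fields = trunk_fields("server-main", "5.202.1.1", peer, "Lk8#vQ2pR9wZ")
        for name, value in fields.items():
            print(f"[{name}]\n{value}\n")
```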

VPN Outbound Route Setup on server-main. Before free calls can actually be made between phones connected to the different servers, we first need to use FreePBX to set up an Outbound Route on each server. This tells each system how to process calls destined for extensions on the other server. Assuming you structured your extensions as we suggested above, here's how the form should be filled in to Add an Outbound Route on server-main:

Add Route
Route Name: server-remote
Dial Patterns: 71xx
Trunk Sequence: iax2/server-remote

This tells server-main to route any number called from a phone connected to server-main which consists of a 4-digit number beginning with 71 to the appropriate extension on server-remote using IAX through the VPN tunnel connection between the servers.

VPN Outbound Route Setup on server-remote. If the extensions on server-main are numbered with another 7xxx series of numbers, you would simply repeat the above setup on server-remote using the new number sequence. Chances are that you already have another numbering scheme in place for your main server so here's another alternative. If your main server has a host of varying numbers of different lengths, then it may be more appropriate to prefix calls destined for server-main with a digit such as 9. Here's how you would set up the outbound route on server-remote to send all calls starting with a 9 to server-main for processing:

Add Route
Route Name: server-main
Dial Patterns: 9|.
Trunk Sequence: iax2/server-main

This tells server-remote to strip off the 9 prefix and then route the number to server-main for processing. If, however, you also have other trunks on server-remote configured to dial out calls through an external VoIP provider that look something like NXXNXXXXXX, then the 9|. syntax above won't work. The reason is that traditional calls to numbers such as 904-232-1234 would be routed to server-main as 042321234, which is probably not what you want. If this is your situation, then alter the dial pattern(s) to match the lengths of extensions which actually exist on your host system. For example, adding Dial Pattern entries of 9|XXX and 9|XXXX would tell server-remote to route all 4-digit and 5-digit numbers beginning with a 9 to server-main after first stripping off the 9 prefix.

The final gotcha with Outbound Routing is to make certain that routes that should take precedence or that require special processing be moved to the top of your list of Outbound Routes. Outbound calls are routed through the routes in the top-down order in which they appear in the list. The first successful match on digits sends the call to that route whether or not it can be completed successfully. By adjusting the routing order, outbound calls won't inadvertently be processed by an inappropriate or catch-all outbound route. To adjust the sequencing of routes, click on the arrow (Move Up) beside the route to be moved up the FreePBX list in the right column displaying available routes. Be sure to save your changes and reload your dialplan once you have the routes properly positioned.
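The following added Python example (not code from this page or from FreePBX) models how FreePBX dial patterns and top-down route order decide where a call goes. It translates the X/Z/N/[..]/. pattern letters and the 9| prefix-strip into regular expressions and walks a route list until the first match, so you can see the 9|. gotcha and the ordering problem described above on sample numbers. The route tables are constructed from the forms above; the provider trunk name sip/provider is hypothetical.

```python
import re

def _dialpattern_to_regex(fragment):
    """Translate one FreePBX dial-pattern fragment into a regular expression.
    X = any digit, Z = 1-9, N = 2-9, [..] = a set or range, . = one or more of
    anything. Lower-case x/z/n are accepted as FreePBX does; digits, * and # match
    literally."""
    out, i, frag = [], 0, fragment.upper()
    while i < len(frag):
        c = frag[i]
        if c == "X":
            out.append("[0-9]")
        elif c == "Z":
            out.append("[1-9]")
        elif c == "N":
            out.append("[2-9]")
        elif c == ".":
            out.append(".+")
        elif c == "[":
            j = frag.index("]", i)          # copy a [1237-9] style set through unchanged
            out.append(frag[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)

def match_dial_pattern(pattern, dialed):
    """Return the digits actually sent to the trunk when `dialed` matches `pattern`,
    or None. Anything before a '|' must match but is stripped off (the 9|. case)."""
    prefix, bar, rest = pattern.partition("|")
    if not bar:
        prefix, rest = "", prefix
    regex = "^" + _dialpattern_to_regex(prefix) + "(" + _dialpattern_to_regex(rest) + ")$"
    m = re.match(regex, dialed)
    return m.group(1) if m else None

def route_call(routes, dialed):
    """Walk the outbound routes top-down and return (route name, trunk, digits sent)
    for the first matching pattern, or None. As in FreePBX, the first match wins
    even when that trunk could never complete the call."""
    for route in routes:
        for pattern in route["patterns"]:
            sent = match_dial_pattern(pattern, dialed)
            if sent is not None:
                return route["name"], route["trunk"], sent
    return None

# Constructed route tables mirroring the forms filled in above.
SERVER_MAIN_ROUTES = [
    {"name": "server-remote", "patterns": ["71xx"], "trunk": "iax2/server-remote"},
]
# server-remote with the 9|. catch-all placed above a provider route (hypothetical trunk).
SERVER_REMOTE_CATCHALL = [
    {"name": "server-main", "patterns": ["9|."], "trunk": "iax2/server-main"},
    {"name": "provider", "patterns": ["NXXNXXXXXX"], "trunk": "sip/provider"},
]
# The same server after narrowing the server-main route to real extension lengths.
SERVER_REMOTE_NARROWED = [
    {"name": "server-main", "patterns": ["9|XXX", "9|XXXX"], "trunk": "iax2/server-main"},
    {"name": "provider", "patterns": ["NXXNXXXXXX"], "trunk": "sip/provider"},
]

if __name__ == "__main__":
    for routes, dialed in [(SERVER_MAIN_ROUTES, "7101"), (SERVER_MAIN_ROUTES, "7201"),
                           (SERVER_REMOTE_CATCHALL, "9042321234"),
                           (SERVER_REMOTE_NARROWED, "9042321234"),
                           (SERVER_REMOTE_NARROWED, "97101")]:
        print(dialed, "->", route_call(routes, dialed))
```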

Where To Go Next

For security reasons, VPN in a Flash systems are delivered with Samba networking and WebMin disabled; however, both applications are installed and ready to use if you desire. There also are more than a dozen Nerd Vittles applications that are preconfigured and ready to use. Complete documentation for the Nerd Vittles apps is available here. For additional documentation on PBX in a Flash, start with the knol and then take a look at the numerous other pieces of documentation which are available here. Because all VPN in a Flash systems incorporate the latest Nerd Vittles Orgasmatron II build, you also should carefully review that documentation here. Last, but not least, join the PBX in a Flash forums today for unlimited free support from our user community. When all else fails, we provide a Help Desk for VPN in a Flash systems which are enrolled in the SUSHI (Software Update Service) program. Your first 90 days are free. For the link to the help desk, log into your server as root and type: cat /root/sushi.txt.

*** This document is still a work in progress. ***

Ward Mundy also wrote