Best way to secure connection to AWS FreePBX?

We’re developing a WebRTC app for our Amazon-hosted FreePBX. The FreePBX Amazon instance can be pinged at its internal IP (only from our LAN or VPN) or from the public IP (if we whitelist the user’s IP beforehand in the Amazon ACL).

We have a lot of remote workers, so I’m weighing multiple options to secure their connection:

(a) Require all remote PCs to be on VPN, and have the app point to the Amazon PBX internal IP. This would work securely for all users regardless of where they are, but it’d be a lot of administrative overhead to handle all the VPN logins and train people how to connect.

(b) Have the app point to the Amazon Public IP of the FreePBX port instead (WebRTC uses port 8088). We’d have to manually whitelist each home worker’s IP, and they wouldn’t be able to access the PBX when traveling since they’d have a different IP.

(c) Use the public IP, but open the 8088 port to the world. This lets all workers access the system from anywhere, and it should be secure as long as 8088 doesn’t have any vulnerabilities and fail2ban is working correctly. But, it might be inviting for people to try to attack the port, and we’d still have to pay for the traffic and suffer performance issues from being repeatedly poked or DDoSed.

(d) Use the public IP, open port 8088 to the world, but then secure it with Port Knocking and program the knock sequence into the click-to-call code. No idea how well this would work in practice or how difficult it would be to implement, but at least the port would be unresponsive to people scanning around.

Maybe there’s a better method than any of these, but these are what I’m aware of so far. I’m also not sure if authentication is sent securely or in plaintext when connecting to WebRTC on the public IP. Anyone have suggestions?

If you put your WebRTC app behind an authenticated HTTPS web site, and move the WSS port to something obscure, you can probably leave it public without worrying too much about scanning or attack.

Definitely do not use port 8088 and WS, which is unencrypted (and which browsers will now reject). Configure WSS (secure WS) and pick a strange port. FreePBX offers 8089 by default but since you are developing your own app you could choose anything else.

I see. Are you sure that FreePBX has WSS? I don’t see any mention of 8089 as a port in the Sangoma Firewall “Service Ports” list, and any Googling of “FreePBX WSS” suggested that it isn’t quite implemented yet, as seen in this post for example:

I can hold out a while for it though, or if you might know where to find the configuration steps I’ll give it a whirl.

When you said you were developing a WebRTC app I assumed it meant you weren’t using the WebRTC built into FreePBX. Indeed it is not supported in UCP (but probably will be soon because they are working on it), but that doesn’t mean you can’t enable WSS and interface to it with your own client, or hack the UCP client a little to make it work. (details found in other threads)

Enable WSS on port 8089 by going to Advanced Settings and turning on the internal HTTPS server component, bound to the network interface and port 8089. Provide a valid certificate chain and private key.

You probably have to restart (not just reload) Asterisk after this for it to start listening on WSS, then you should be good to go.

1 Like

Oh yeah, we’re developing our own WebRTC thing, and considering using the built-in UCP caller as well. Just wanted to keep my options open.

I found the SSL/8089 stuff right where you said it would be in advanced settings, thank you.