We are a small business located in a remote area with three different sub-optimal internet connections. Only one of them provides us with a public IP. Currently, our voip.domain.tld resolves to the fixed public IP of this primary WAN connection for clients on the internet and to the private IP address of FreePBX for internal clients.
When this WAN goes down (which happens often), our FreePBX instance becomes unreachable from outside, for example, from the SangomaTalk app installed on staff smartphones, which apparently always connect from outside even when smartphones are on the local LAN.
Sadly we decided to self-host FreePBX to benefit from reliable staff communication, at least when on the local LAN.
I’m considering installing a service on a cloud VPS to better protect our network and our FreePBX server from attacks and to make our FreePBX instance always reachable.
Currently, I’m using Cloudflare tunnels, but this works only for HTTP(S) services and only with a very limited set of ports forwarded.
I would like something that works also for SIP/RTP and possibly add an extra layer to protect SIP/RTP protocols.
What is a simple way to accomplish this?
Some ideas come to mind:
- OPNsense on the VPS, open a WireGuard tunnel from our gateway to OPNsense, make voip.domain.tld resolve to the VPS, and NAT incoming VoIP connections to the LAN IP of FreePBX.
- Some reverse tunnel like Cloudflare, but suitable also for generic TCP/UDP protocols, like FRP?
- …
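The first idea in the post (VPS as the public front door, WireGuard tunnel from the office gateway, DNAT of SIP/RTP to the FreePBX LAN address) rendered as concrete configuration, as an added example that is not part of the original post. It uses a plain Linux VPS with `wg-quick` and `nftables` rather than OPNsense, which is the same design with fewer moving parts; the OPNsense GUI equivalents are a WireGuard peer plus NAT port-forward and firewall rules. All addresses are assumptions (VPS 203.0.113.10, tunnel 10.200.0.0/30, FreePBX 192.168.10.5, LAN 192.168.10.0/24), as are the SIP port and RTP range, which must match what FreePBX actually uses. Key material is left as placeholders.

```shell
#!/bin/sh
# Added example: render (and optionally apply) the VPS side of a
# WireGuard + nftables SIP/RTP front door for a FreePBX on a private LAN.
# All values below are hypothetical and must be adapted.
set -eu

VPS_PUBLIC_IP="203.0.113.10"   # fixed address voip.domain.tld will point at
VPS_WAN_IF="eth0"
WG_IF="wg0"
WG_VPS_ADDR="10.200.0.1"       # VPS end of the tunnel
WG_GW_ADDR="10.200.0.2"        # office gateway end of the tunnel
FREEPBX_LAN_IP="192.168.10.5"
LAN_NET="192.168.10.0/24"
SIP_PORT="5060"                # UDP SIP; align with FreePBX "SIP Settings"
RTP_RANGE="10000-20000"        # must equal rtpstart/rtpend configured in FreePBX

# WireGuard config for the VPS. No Endpoint for the peer: the office side has
# three unreliable WANs and only sometimes a public IP, so the gateway always
# initiates and WireGuard learns the gateway's current source address.
render_wg_vps_conf() {
  cat <<EOF
[Interface]
Address = ${WG_VPS_ADDR}/30
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>

[Peer]
# office gateway in front of FreePBX
PublicKey = <GATEWAY_PUBLIC_KEY>
AllowedIPs = ${WG_GW_ADDR}/32, ${LAN_NET}
EOF
}

# WireGuard config for the office gateway. PersistentKeepalive keeps the NAT
# mapping alive and lets the VPS notice when the office fails over to another WAN.
render_gateway_wg_conf() {
  cat <<EOF
[Interface]
Address = ${WG_GW_ADDR}/30
PrivateKey = <GATEWAY_PRIVATE_KEY>

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = ${VPS_PUBLIC_IP}:51820
AllowedIPs = ${WG_VPS_ADDR}/30
PersistentKeepalive = 25
EOF
}

# nftables ruleset for the VPS. DNAT sends SIP/RTP to FreePBX through the tunnel;
# SNAT to the tunnel address is what makes FreePBX's replies come back through
# the tunnel instead of leaving via the office's own (possibly dead) WAN.
# The dynamic-set meter on new SIP flows is a crude brake on registration brute force.
render_nft_rules() {
  cat <<EOF
table inet voip_fwd {
  set sip_abuse {
    type ipv4_addr
    flags dynamic,timeout
    timeout 10m
  }
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "${VPS_WAN_IF}" ip daddr ${VPS_PUBLIC_IP} udp dport { ${SIP_PORT}, ${RTP_RANGE} } dnat ip to ${FREEPBX_LAN_IP}
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oifname "${WG_IF}" ip daddr ${FREEPBX_LAN_IP} snat ip to ${WG_VPS_ADDR}
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    iifname "${VPS_WAN_IF}" oifname "${WG_IF}" udp dport ${SIP_PORT} ct state new add @sip_abuse { ip saddr limit rate over 20/minute } drop
    iifname "${VPS_WAN_IF}" oifname "${WG_IF}" ip daddr ${FREEPBX_LAN_IP} udp dport { ${SIP_PORT}, ${RTP_RANGE} } accept
  }
}
EOF
}

# Apply on the VPS (needs root, wireguard-tools and nftables installed).
apply_on_vps() {
  sysctl -w net.ipv4.ip_forward=1
  umask 077
  render_wg_vps_conf > "/etc/wireguard/${WG_IF}.conf"
  wg-quick up "${WG_IF}"
  # replace any previous copy of our table instead of appending duplicate rules
  if nft list table inet voip_fwd >/dev/null 2>&1; then nft delete table inet voip_fwd; fi
  render_nft_rules | nft -f -
}

case "${1:-}" in
  wg-vps)     render_wg_vps_conf ;;
  wg-gateway) render_gateway_wg_conf ;;
  nft)        render_nft_rules ;;
  apply)      apply_on_vps ;;
  *)          echo "usage: $0 {wg-vps|wg-gateway|nft|apply}" >&2 ;;
esac
```

Two things outside the VPS still have to line up. The office gateway must allow traffic from the tunnel interface to the FreePBX address on the same ports, and FreePBX must advertise the VPS address in SIP/SDP (Settings > Asterisk SIP Settings: External Address set to the VPS public IP, Local Networks set to the LAN), otherwise phones outside will receive the private 192.168.10.5 in the SDP and get one-way or no audio. Because of the SNAT, FreePBX sees every external call as coming from 10.200.0.1, so per-IP blocking has to happen on the VPS (the meter above, or fail2ban on the VPS) rather than in FreePBX's own intrusion detection.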