Freepbx exposed via internet


#1

So I have been looking at the Zulu UC app for android. It is complicated to have an always on vpn with Android and the Freepbx certificate manager let’s encrypt options expect http auth to work. Which means the FreePBX website needs to be accessible from the general web.

So my question… is it now recommended that FreePBX is exposed over the internet?

I am looking at a lot of trouble to get android vpns working for Zulu and there isn’t an easy way to have auto on/off based on the phone having a local wifi connection or not. Letting clients access FreePBX via internet would certainly simplify things. But it’s always been my understanding that the pbx should only offer local access.


#2

I use UCP/WebRTC phone over the Internet, something similar to Zulu.

It seems to me that the expectation (by FreePBX designers/developers) is that these tools are accessed over the Internet. VPN adds a lot of complexity, to what end?

Where is/was the recommendation that FreePBX not be used over the Internet?

FreePBX comes with authentication, authorization, encryption, firewall, intrusion detection (signature checking system), and fail2ban. This is a pretty complete toolbox for deploying a server on the Internet.


(Moussa) #3

I use the android build in SIP (free) and Zoiper app (free/paid) in android. You can manage your VPN server (will give you unlimited users). I suggest looking at OpenVPN and their official app. https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-android/

This way no matter where the phone, you only have to whitelist one IP (your VPN IP address). This setting has been working for us.


#4

Hey Bill,

Thanks for the reply. I do not have specific references anymore. It has been quite a few years since I looked at this. But I remember reading about companies having large SIP bills from compromised pbx servers and the takeaway was do not directly place the pbx server on the internet. And I believe I had read that recommendation in several places… but my memory could be wrong?

Perhaps that is no longer relevant.


#5

My current plan was to proxy http traffic to the local pbx and require vpn for all other traffic. But I was curious if the effort was wasted with newer versions of freepbx


#6

That is one take-away. Another would be understand what the weak point was that caused the compromise and solve that.

I admit to playing dumb a little. I know a few folks who say hide your PBX from the internet. I say it’s not necessary if you secure your server with the aforementioned included tools. Comes down to your comfort level and willingness to endure inconvenience and technical complexity. Your HTTPS proxy seems good as long as you are able to proxy websockets through it too, as you’ll need that for the webrtc component.


(Joshua C. Colp) #7

These comments reflect my personal opinion, etc etc. :smiley:

I think a lot of deployers and users don’t have security in mind at all which is problematic. You can say “secure your system” but it’s an afterthought.

I’ve seen (and continue to see) deployments with just poor security practices. Extension = password, passwords of 1234, anonymous calling allowing outbound calling.

If you treat security as a first class requirement and practice, then being public is fine.


#8

Appreciate the feedback everyone


(TheJames) #9

image


(system) closed #10

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.