I’m testing FreePBX on AWS on a single machine, and almost all works fine. I’m wondering if there are architectural best practices for this deployment. In my case, I’d like to connect (i) physical devices from several sites, as well as (ii) mobile-based softphones.
For (i), could a site-to-site VPN from each site to AWS be the way? Or using the VPN server bundled with FreePBX? In both cases, I guess that Sangoma (and Digium) phones can natively connect to such a VPN. It’s great because it simplifies networking without exposing services to the Internet. Alternatively, you can even use some VPN Gateways on the sites side to do the same thing.
Regarding (ii) mobile softphones, they can’t rely on a VPN. I’m wondering if there is a way to protect this scenario, compatible with (i).
So this is unrelated to where your PBX is hosted, but I have not come up with a simple way to not expose SIP ports to the internet if you need mobile apps/cell phones to connect to your system. The best you can do for protection is change the SIP port away from the standard 5060 UDP to something high/random and possibly use TCP if it’s feasible for your environment.
The rest you should be able to secure using the built in OpenVPN functionality of FreePBX, especially if you are using Sangoma phones as your endpoints.
Yes, my question is general to all the remote PBX scenarios, where endpoints need to reach the PBX over the internet.
Why do you advise SIP over TCP?
Yes, I’d like to use Sangoma Phones since they have a built-in VPN client. Just wondering how to make a VPN-based scenario play nicely with public SIP ports for mobile endpoints.
Attacks on SIP infrastructure are typically concentrated on the default 5060 over UDP setup. Changing the SIP port to something random and non-default helps that a lot, and then moving to TCP adds another layer of obscurity that typically is not touched by drive-by attackers.
As far as I know, VPN on mobile phones/through Sangoma Talk is not an option, and the most security you’ll get if you’d like to support mobile phones comes from changing the above SIP info to something non-default and enabling Responsive Firewall on the PBX.
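Added example, not from any poster in this thread: when a SIP port has to stay reachable for mobile softphones, the practical control is the one Responsive Firewall applies, banning sources that pile up authentication failures. The script below shows that logic over a handful of constructed log lines written in the style of Asterisk's security event log (the exact field set and the `InvalidPassword` event name are assumptions); the IPs and threshold are made up for the demo.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of Asterisk's security event log
# (assumption: the real log may carry more fields than shown here).
SAMPLE_LOG = """\
SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="100",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="101",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="102",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="2001",RemoteAddress="IPV4/TCP/198.51.100.9/53120"
SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="2001",RemoteAddress="IPV4/TCP/198.51.100.9/53121"
"""

# Event names that indicate a failed registration attempt (InvalidPassword assumed).
FAILURE_EVENTS = {"InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Turn one key="value",... line into a dict; return None if it is not an event."""
    fields = dict(FIELD_RE.findall(line))
    if "SecurityEvent" not in fields or "RemoteAddress" not in fields:
        return None
    # RemoteAddress looks like IPV4/UDP/203.0.113.7/5060 -> family/transport/ip/port
    parts = fields["RemoteAddress"].split("/")
    if len(parts) != 4:
        return None
    fields["transport"] = parts[1]
    fields["ip"] = parts[2]
    return fields

def failures_by_source(log_text):
    """Count authentication failures per source IP; successful auths are ignored."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev and ev["SecurityEvent"] in FAILURE_EVENTS:
            counts[ev["ip"]] += 1
    return dict(counts)

def sources_to_block(log_text, threshold=3):
    """Source IPs at or above the failure threshold: candidates for a firewall ban."""
    return sorted(ip for ip, n in failures_by_source(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(failures_by_source(SAMPLE_LOG))   # {'203.0.113.7': 4, '198.51.100.9': 1}
    print(sources_to_block(SAMPLE_LOG))     # ['203.0.113.7']
```

A single failure from a known extension's address (198.51.100.9 above) stays under the threshold, so a user mistyping a password is not locked out while a scanner cycling through account IDs is.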