FreePBX + OpenVPN LAN restrictions best practices

Hi,

I was able to configure OpenVPN with FreePBX using SysAdmin. I was also able to configure my remote GrandStream GXP2130 to register to FreePBX and the calls are working fine, so up to this point I'm a happy camper.

Now, I decided to test downloading the OpenVPN client and use the same configuration files I use for the phone to configure it and, yes, it works fine and I can even register a soft phone on my computer.

The OpenVPN server is running on the default address 10.8.0.1 (255.255.255.0) and my FreePBX/Asterisk is running on my LAN on 10.0.0.14 (255.255.255.0).

So then I tried to SSH into 10.0.0.14 and it didn't work, but I noticed it was just because there was no route for 10.0.0.0/24. I added the route and now not only can I SSH and web into 10.0.0.14, but I can also access other servers on that subnet like 10.0.0.15.

Even if the chances of somebody getting the configuration off the phone, connecting to the VPN, creating the missing routes, connecting to the servers and hacking the passwords are slim… I don't feel comfortable having a VPN for phones that has access to all my network.

So my question is: what is the best practice to restrict the traffic from 10.8.0.x to anything on 10.0.0.x? I could live with it having access to 10.0.0.14 (FreePBX), but ideally it would be only the 5060 and RTP ports.

Currently, my VPN client gets assigned the 10.8.0.2 address.

I'm not sure if this is a missing configuration in OpenVPN or if it is meant to be accomplished by using iptables, which I don't have experience with.

Below is some relevant configuration for your reference.

Thanks for any guidance.

Camilo

/etc/openvpn/sysadmin_server1.conf

# Configuration automatically generated via Sysadmin RPM
# MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
# Generated at: Sat, 07 Oct 2023 11:21:27 +0000
port 1194
proto udp
dev tun
topology subnet
ca sysadmin_ca.crt
dh sysadmin_dh.pem
crl-verify sysadmin_crl.pem
cert sysadmin_server1.crt
key sysadmin_server1.key
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
client-config-dir ccd
ccd-exclusive
status sysadmin_server1-status.log 10
status-version 3
script-security 2
reneg-sec 3600
server 10.8.0.0 255.255.255.0

sudo iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-PBX-GUI  all  --  anywhere             anywhere
fail2ban-SSH  tcp  --  anywhere             anywhere             multiport dports ssh
fail2ban-apache-auth  all  --  anywhere             anywhere
fail2ban-FTP  tcp  --  anywhere             anywhere             multiport dports ftp
fail2ban-BadBots  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-api  tcp  --  anywhere             anywhere             multiport dports http,https
fail2ban-zulu  tcp  --  anywhere             anywhere
fail2ban-recidive  all  --  anywhere             anywhere
fail2ban-SIP  all  --  anywhere             anywhere
fpbxfirewall  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-BadBots (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-FTP (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-PBX-GUI (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SIP (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-SSH (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-apache-auth (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-api (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-recidive (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fail2ban-zulu (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain fpbx-rtp (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpts:ndmp:dnp
ACCEPT     udp  --  anywhere             anywhere             udp dpts:terabase:hfcs-manager

Chain fpbxattacker (6 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: ATTACKER side: source mask: 255.255.255.255
DROP       all  --  anywhere             anywhere

Chain fpbxblacklist (1 references)
target     prot opt source               destination

Chain fpbxchecktempwhitelist (1 references)
target     prot opt source               destination
fpbxtempwhitelist  all  --  anywhere             anywhere             ! recent: CHECK name: REPEAT side: source mask: 255.255.255.255

Chain fpbxfirewall (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             connmark match ! 0x20 state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             255.255.255.255
ACCEPT     all  --  anywhere             anywhere             PKTTYPE = multicast
ACCEPT     udp  --  anywhere             anywhere             udp spts:bootps:bootpc dpts:bootps:bootpc
fpbx-rtp   all  --  anywhere             anywhere
fpbxblacklist  all  --  anywhere             anywhere
fpbxsignalling  all  --  anywhere             anywhere
fpbxsmarthosts  all  --  anywhere             anywhere
fpbxregistrations  all  --  anywhere             anywhere
fpbxnets   all  --  anywhere             anywhere
fpbxhosts  all  --  anywhere             anywhere
fpbxinterfaces  all  --  anywhere             anywhere
fpbxreject  all  --  anywhere             anywhere
fpbxrfw    all  --  anywhere             anywhere             mark match 0x2/0x2
ACCEPT     udp  --  anywhere             anywhere             state RELATED,ESTABLISHED
lefilter   tcp  --  anywhere             anywhere             match-set lefilter dst
fpbxlogdrop  all  --  anywhere             anywhere

Chain fpbxhosts (1 references)
target     prot opt source               destination
zone-trusted  all  --  localhost            anywhere

Chain fpbxinterfaces (1 references)
target     prot opt source               destination
zone-external  all  --  anywhere             anywhere
zone-internal  all  --  anywhere             anywhere

Chain fpbxknownreg (3 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: REMOVE name: REPEAT side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: REMOVE name: ATTACKER side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: REMOVE name: WHITELIST side: source mask: 255.255.255.255
MARK       all  --  anywhere             anywhere             MARK or 0x4
ACCEPT     all  --  anywhere             anywhere             mark match 0x1/0x1
fpbxsvc-ucp  all  --  anywhere             anywhere
fpbxsvc-zulu  all  --  anywhere             anywhere
fpbxsvc-restapps  all  --  anywhere             anywhere
fpbxsvc-restapps_ssl  all  --  anywhere             anywhere
fpbxsvc-provis  all  --  anywhere             anywhere
fpbxsvc-provis_ssl  all  --  anywhere             anywhere
fpbxsvc-api  all  --  anywhere             anywhere
fpbxsvc-api_ssl  all  --  anywhere             anywhere

Chain fpbxlogdrop (1 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere

Chain fpbxnets (1 references)
target     prot opt source               destination
zone-trusted  all  --  10.0.0.0/24          anywhere
zone-internal  all  --  10.8.0.0/24          anywhere

Chain fpbxratelimit (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             mark match 0x4/0x4
ACCEPT     all  --  anywhere             anywhere             recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             state NEW recent: SET name: REPEAT side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             state NEW recent: SET name: DISCOVERED side: source mask: 255.255.255.255
LOG        all  --  anywhere             anywhere             LOG level warning
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 86400 hit_count: 200 name: REPEAT side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 300 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
fpbxshortblock  all  --  anywhere             anywhere             recent: CHECK seconds: 60 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere

Chain fpbxregistrations (1 references)
target     prot opt source               destination
fpbxknownreg  all  --  10.8.0.2             anywhere

Chain fpbxreject (1 references)
target     prot opt source               destination
rejsvc-nfs  all  --  anywhere             anywhere
rejsvc-smb  all  --  anywhere             anywhere

Chain fpbxrfw (1 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: DISCOVERED side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere             recent: CHECK seconds: 90 hit_count: 1 name: WHITELIST side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere             recent: CHECK seconds: 90 hit_count: 1 name: TEMPWHITELIST side: source mask: 255.255.255.255
fpbxchecktempwhitelist  all  --  anywhere             anywhere             ! recent: CHECK seconds: 86400 name: TEMPWHITELIST side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: REMOVE name: TEMPWHITELIST side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: SET name: REPEAT side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 10 hit_count: 50 name: REPEAT side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 86400 hit_count: 1 name: ATTACKER side: source mask: 255.255.255.255
fpbxshortblock  all  --  anywhere             anywhere             recent: CHECK seconds: 60 hit_count: 10 name: SIGNALLING side: source mask: 255.255.255.255
           all  --  anywhere             anywhere             recent: SET name: SIGNALLING side: source mask: 255.255.255.255
fpbxattacker  all  --  anywhere             anywhere             recent: CHECK seconds: 86400 hit_count: 100 name: REPEAT side: source mask: 255.255.255.255
ACCEPT     all  --  anywhere             anywhere

Chain fpbxshortblock (2 references)
target     prot opt source               destination
           all  --  anywhere             anywhere             recent: SET name: CLAMPED side: source mask: 255.255.255.255
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain fpbxsignalling (1 references)
target     prot opt source               destination
MARK       udp  --  anywhere             anywhere             udp dpt:5160 MARK set 0x3
MARK       udp  --  anywhere             anywhere             udp dpt:sip MARK set 0x3

Chain fpbxsmarthosts (1 references)
target     prot opt source               destination

Chain fpbxsvc-api (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:85

Chain fpbxsvc-api_ssl (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:powerclientcsf

Chain fpbxsvc-chansip (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:5160

Chain fpbxsvc-ftp (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ftp

Chain fpbxsvc-http (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain fpbxsvc-https (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https

Chain fpbxsvc-iax (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:iax

Chain fpbxsvc-isymphony (0 references)
target     prot opt source               destination

Chain fpbxsvc-letsencrypt (0 references)
target     prot opt source               destination

Chain fpbxsvc-nfs (0 references)
target     prot opt source               destination

Chain fpbxsvc-ntp (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp

Chain fpbxsvc-pjsip (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sip

Chain fpbxsvc-provis (3 references)
target     prot opt source               destination
fpbxratelimit  tcp  --  anywhere             anywhere             tcp dpt:mit-ml-dev

Chain fpbxsvc-provis_ssl (1 references)
target     prot opt source               destination

Chain fpbxsvc-restapps (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ctf

Chain fpbxsvc-restapps_ssl (1 references)
target     prot opt source               destination

Chain fpbxsvc-smb (0 references)
target     prot opt source               destination

Chain fpbxsvc-sng_phone_svc (1 references)
target     prot opt source               destination

Chain fpbxsvc-ssh (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh

Chain fpbxsvc-tftp (1 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:tftp

Chain fpbxsvc-ucp (4 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:81
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:vcom-tunnel

Chain fpbxsvc-ucp_ssl (2 references)
target     prot opt source               destination

Chain fpbxsvc-vpn (3 references)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:openvpn

Chain fpbxsvc-webrtc (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:radan-http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:8089

Chain fpbxsvc-xmpp (3 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:xmpp-client

Chain fpbxsvc-zulu (1 references)
target     prot opt source               destination

Chain fpbxtempwhitelist (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             recent: SET name: TEMPWHITELIST side: source mask: 255.255.255.255

Chain lefilter (1 references)
target     prot opt source               destination
CONNMARK   all  --  anywhere             anywhere             state NEW CONNMARK set 0x20
ACCEPT     all  --  anywhere             anywhere             state NEW
ACCEPT     all  --  anywhere             anywhere             STRING match  "GET /.well-known/acme-challenge/" ALGO name kmp FROM 52 TO 53
ACCEPT     all  --  anywhere             anywhere             STRING match  "GET /.freepbx-known/" ALGO name kmp FROM 52 TO 53
RETURN     all  --  anywhere             anywhere

Chain rejsvc-nfs (1 references)
target     prot opt source               destination

Chain rejsvc-smb (1 references)
target     prot opt source               destination

Chain zone-external (1 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x10
fpbxsvc-ucp  all  --  anywhere             anywhere
fpbxsvc-vpn  all  --  anywhere             anywhere
fpbxsvc-xmpp  all  --  anywhere             anywhere

Chain zone-internal (2 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x4
fpbxsvc-ssh  all  --  anywhere             anywhere
fpbxsvc-http  all  --  anywhere             anywhere
fpbxsvc-https  all  --  anywhere             anywhere
fpbxsvc-ucp  all  --  anywhere             anywhere
fpbxsvc-ucp_ssl  all  --  anywhere             anywhere
fpbxsvc-pjsip  all  --  anywhere             anywhere
fpbxsvc-chansip  all  --  anywhere             anywhere
fpbxsvc-iax  all  --  anywhere             anywhere
fpbxsvc-webrtc  all  --  anywhere             anywhere
fpbxsvc-api  all  --  anywhere             anywhere
fpbxsvc-api_ssl  all  --  anywhere             anywhere
fpbxsvc-ntp  all  --  anywhere             anywhere
fpbxsvc-sng_phone_svc  all  --  anywhere             anywhere
fpbxsvc-provis  all  --  anywhere             anywhere
fpbxsvc-vpn  all  --  anywhere             anywhere
fpbxsvc-restapps  all  --  anywhere             anywhere
fpbxsvc-xmpp  all  --  anywhere             anywhere
fpbxsvc-ftp  all  --  anywhere             anywhere
fpbxsvc-tftp  all  --  anywhere             anywhere

Chain zone-other (0 references)
target     prot opt source               destination
MARK       all  --  anywhere             anywhere             MARK or 0x8
fpbxsvc-ucp  all  --  anywhere             anywhere
fpbxsvc-ucp_ssl  all  --  anywhere             anywhere
fpbxsvc-provis  all  --  anywhere             anywhere
fpbxsvc-vpn  all  --  anywhere             anywhere
fpbxsvc-xmpp  all  --  anywhere             anywhere

Chain zone-trusted (8 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
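The listing above explains why SSH and the web GUI are reachable from the tunnel: fpbxnets places 10.8.0.0/24 in zone-internal, and zone-internal jumps to fpbxsvc-ssh, fpbxsvc-http and fpbxsvc-https, so the FreePBX firewall itself treats VPN phones like LAN hosts. The script below is an added example, not from this thread or the FreePBX project. It inserts a dedicated chain ahead of the fail2ban and fpbxfirewall jumps so that tunnel traffic is limited to SIP and RTP addressed to the PBX's own tunnel address, and it drops anything the kernel would forward from the tunnel to the LAN. Assumed values (all overridable): the tunnel interface is tun0 (the server config says `dev tun`), the client pool is 10.8.0.0/24 and the PBX is 10.8.0.1 as stated in the post, SIP is UDP 5060, and the RTP range is 10000:20000 (what the `ndmp:dnp` service names in the fpbx-rtp chain resolve to in /etc/services). The chain name vpn-restrict and the IPT variable are my own.

```shell
#!/bin/sh
# Added example, not from the thread or the FreePBX project.
# Confine OpenVPN clients to SIP signalling and RTP media on the PBX's own
# tunnel address, and refuse to forward anything from the tunnel to the LAN.
#
# Assumptions (override with environment variables):
#   VPN_IF      tunnel interface          (assumed tun0; "dev tun" in the server config)
#   VPN_NET     client address pool       (10.8.0.0/24, from the thread)
#   PBX_VPN_IP  PBX address on the tunnel (10.8.0.1, from the thread)
#   SIP_PORT    UDP SIP port              (5060, the port the question asks about)
#   RTP_RANGE   UDP RTP port range        (10000:20000, ndmp:dnp in the fpbx-rtp chain)
#   IPT         iptables binary; IPT=echo prints the rules instead of applying them

IPT="${IPT:-iptables}"
VPN_IF="${VPN_IF:-tun0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
PBX_VPN_IP="${PBX_VPN_IP:-10.8.0.1}"
SIP_PORT="${SIP_PORT:-5060}"
RTP_RANGE="${RTP_RANGE:-10000:20000}"
CHAIN="vpn-restrict"   # chain name is my own choice

# Build a dedicated chain so the policy is readable and can be flushed on its own.
vpn_rules() {
    "$IPT" -N "$CHAIN" 2>/dev/null || true   # create once; ignore "already exists"
    "$IPT" -F "$CHAIN"                        # start from an empty chain on every run

    # Packets belonging to flows the PBX itself started (e.g. SIP OPTIONS to the phone).
    "$IPT" -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # SIP signalling and RTP media, only to the PBX's tunnel address, never to the LAN.
    "$IPT" -A "$CHAIN" -p udp -d "$PBX_VPN_IP" --dport "$SIP_PORT" -j ACCEPT
    "$IPT" -A "$CHAIN" -p udp -d "$PBX_VPN_IP" --dport "$RTP_RANGE" -j ACCEPT
    # Everything else from the tunnel (SSH, HTTP/HTTPS, the GUI) is logged (rate-limited) and dropped.
    "$IPT" -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "vpn-restrict: "
    "$IPT" -A "$CHAIN" -j DROP

    # Hook the chain at position 1 of INPUT, ahead of the fail2ban and fpbxfirewall jumps,
    # so the FreePBX zone rules never see tunnel traffic. Delete-then-insert keeps re-runs idempotent.
    "$IPT" -D INPUT -i "$VPN_IF" -s "$VPN_NET" -j "$CHAIN" 2>/dev/null || true
    "$IPT" -I INPUT 1 -i "$VPN_IF" -s "$VPN_NET" -j "$CHAIN"

    # Defence in depth: even if ip_forward is turned back on, nothing from the tunnel is routed.
    "$IPT" -D FORWARD -i "$VPN_IF" -j DROP 2>/dev/null || true
    "$IPT" -I FORWARD 1 -i "$VPN_IF" -j DROP
}

# Only touch the firewall when explicitly asked:  sh vpn-restrict.sh apply
if [ "${1:-}" = "apply" ]; then
    vpn_rules
fi
```

Preview the rules with `IPT=echo sh vpn-restrict.sh apply`, apply them as root, then confirm with `iptables -L INPUT -n --line-numbers` that rule 1 is the jump to vpn-restrict, and from a VPN client check that registration and two-way audio still work while SSH and the web GUI time out. Two caveats: if the phone pulls its provisioning file through the tunnel, or registers over chan_sip (UDP 5160 in the listing) or SIP-TLS, those ports need their own ACCEPT lines; and the FreePBX Firewall module rebuilds its chains when it restarts, so the script has to be re-applied afterwards (check your module version's documentation for its custom-rules hook, which in the versions I have used is a file under /etc named firewall-4.rules).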

I am not familiar with the features of SysAdmin Pro, though I have manually configured the OpenVPN server that is pre-installed in FreePBX (even without SysAdmin Pro). By default Sangoma Linux (like most Linux distributions) is not configured as a router.

But yours apparently is. I’d bet that the output of
cat /proc/sys/net/ipv4/ip_forward
is 1. If so, you can try temporarily turning it off and see whether that gives you the isolation you want without breaking any desired functionality. See

Note that with it off, you should still be able to SSH and web into 10.8.0.1 over the VPN.

If the above is OK, check whether setting all the Routes for the VPN to No in SysAdmin accomplishes the same thing. If so, you should be good to go. If not, please report results.
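The check-then-disable-then-persist sequence described in this reply, written out as an added example that is not part of the thread. It reads the live value from /proc/sys/net/ipv4/ip_forward (standard Linux), switches forwarding off for a trial run, and persists the setting in a sysctl.d drop-in so it survives a reboot. The drop-in file name, the PROC_FILE and SYSCTL variables, and the function names are my own choices.

```shell
#!/bin/sh
# Added example, not from the thread. Check, switch off, and persist the
# kernel IP-forwarding setting that lets VPN clients reach the LAN behind the PBX.
#
# Assumptions: live value in /proc/sys/net/ipv4/ip_forward (standard Linux);
# the drop-in path is my own choice; SYSCTL can be pointed at another command
# (or ":") for testing on a machine where you do not want to touch sysctl.

PROC_FILE="${PROC_FILE:-/proc/sys/net/ipv4/ip_forward}"
DROPIN="${DROPIN:-/etc/sysctl.d/90-pbx-no-forward.conf}"
SYSCTL="${SYSCTL:-sysctl}"

# Exit status 0 when the kernel is currently routing between interfaces (the "1" the reply predicts).
ip_forward_enabled() {
    file="${1:-$PROC_FILE}"
    [ "$(tr -d '[:space:]' < "$file")" = "1" ]
}

# Turn forwarding off immediately. This does not survive a reboot, which is
# exactly what you want for the trial run the reply suggests.
disable_forwarding_now() {
    file="${1:-$PROC_FILE}"
    printf '0\n' > "$file"
}

# Make the setting permanent with a sysctl.d drop-in and load it without rebooting.
# A drop-in that sorts later (e.g. from a container or virtualisation package) can
# still set it back to 1, so re-run "status" after any such package is installed.
persist_forwarding_off() {
    dropin="${1:-$DROPIN}"
    printf 'net.ipv4.ip_forward = 0\n' > "$dropin"
    "$SYSCTL" -p "$dropin" >/dev/null
}

report() {
    if ip_forward_enabled; then
        echo "ip_forward=1: a VPN client with a route for the LAN can reach hosts behind the PBX"
    else
        echo "ip_forward=0: the PBX only answers on its own addresses; nothing is routed to the LAN"
    fi
}

case "${1:-}" in
    status) report ;;
    off)    disable_forwarding_now; persist_forwarding_off; report ;;
    *)      ;;   # no argument: define the functions only
esac
```

Run `sh ip-forward.sh status` first, then `sh ip-forward.sh off` as root; afterwards the SSH and web checks against 10.8.0.1 should still succeed from the tunnel while 10.0.0.14 and the rest of 10.0.0.0/24 become unreachable, regardless of any route the client adds.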

You shouldn't need that, provided that the phone is registering to 10.8.0.1 and not 10.0.0.14.

OpenVPN is normally pretty secure – you can’t get access without having an authorized private key.
You should make sure that the provisioning path is protected by at least a strong password (an attacker should not be able to access provisioning data by merely guessing the MAC address).
On most desk phones, you can’t read back the private key even with access to the web admin interface.
Of course, someone stealing the phone may be able to find the key in flash memory.
If you give VPN credentials to remote workers to use with softphones, this isn’t very secure. Even an honest worker could fall victim to a phishing attack.

OpenVPN encourages you to use a different client.conf for every client. Each one is better secured with a different key/cert pair.


Of course. However, I understand that there are gotchas in SysAdmin Pro and/or EPM that make it very difficult or impossible to have multiple devices on the same pjsip extension number, but with different VPN credentials. And I have heard that using the same credentials also doesn’t work, because each credential has a static tunnel address assignment.

Thanks Stewart. You were right, the value for ip_forward was "1". I set it to "0" permanently and rebooted, and it works like you mentioned: I can SSH and web to 10.8.0.1 and, if I add the route in Windows, I can also SSH and web to 10.0.0.14, but I can no longer connect to any of the other servers in the 10.0.0.0/24 subnet.

Right now, this is isolated enough for me since the FreePBX server is hardened anyway.

As I said, ideally I could also block SSH and HTTP for a VPN user, so any ideas are welcome.

Thanks again.
