[How-to] Install Freepbx distro (with commercial modules) on Google (cloud) Compute Engine - Easier and Secure

My previous post [How-to] Install Freepbx distro (with commercial modules) on Google (cloud) Compute Engine used CloudEndure to import the VM image, which is now deprecated (see Migrate to Virtual Machines documentation | Google Cloud).

I believe this method is easier and considers VM security / privacy during installation.

  • Download FreePBX from https://www.freepbx.org/downloads/freepbx-distro/
  • Download and install VirtualBox https://www.virtualbox.org/wiki/Downloads
  • Create new virtual Machine:
    • Name:
    • Type: Linux
    • Version: Other Linux (64 bit)
  • Set memory
  • Create virtual hard drive now
  • VHD
  • Fixed size
  • Set the size (I recommend at least 30 G)
  • Select the VM, go to Settings >> Network >> Enable Network Adapter >> Attach to NAT (not sure if it makes a difference, but now PJSIP extensions seem to work)
  • Select (attach) the iso and click start
  • Set the (default) configuration, (or Enter, Enter, Enter)
  • Wait for the installation to finish (you may also set the root password while the installation is running)
  • Reboot, then shut down and remove the ISO.
  • While the VM is selected and powered off, go to Settings > Storage and release the ISO
  • Go to console.cloud.google.com and create your first Project.
  • Go to Storage. Create a Bucket and upload the VirtualBox VHD. This can take up to a few hours; continue with the steps below in the meantime.
  • Go to Compute Engine and create a VM instance of your choice (will be deleted) and select both checkboxes Allow HTTP traffic and Allow HTTPS traffic.
  • Delete the just created VM instance.
  • Go to VPC network >> Firewall rules. Restrict all rules with 0.0.0.0/0 to your trusted IPs by clicking on the rule, then Edit, and changing Source IP ranges to your trusted IPs.
  • Create new Firewall Rule (sip). Under Target tags, type a tag name, e.g. sip. Under Specified protocols and ports enter “udp:5060; udp:5160; udp:10000-20000” (without the quotes and assuming default FreePBX settings). Under Source IP ranges, enter 0.0.0.0/0 (or a restricted range: your site(s), phones and SIP provider), then click Save.
  • Once upload is done, go to Images, Create an Image
  • You will get an error (OK). Go to Disks; if things worked fine you will see one there. From the three dots, create an instance.
  • By default only (GCP) key login to SSH is enabled, but SSH needs to be open to all IPs (0.0.0.0/0). To log in from your preferred terminal of choice you will need to either allow root login or create a sudo user.
    • Go back to firewall and change the SSH rule to allow 0.0.0.0/0, save.
    • Go to GCP VM instance and click on the SSH
    • useradd example_user
    • passwd example_user
    • usermod -aG wheel example_user
    • sudo passwd root
    • If you want root login edit /etc/ssh/sshd_config to allow root login
    • Make sure to restrict SSH to your trusted IPs
    • Test if root / example_user are working.
  • Go to VPC network > External IP addresses. For your instance, change the Type from Ephemeral to Static. Give it a name, e.g. mypbx. Click RESERVE.
  • Go back to Compute Engine > VM instances. Select your instance, click EDIT. Under Network tags add sip or whatever tag you chose above. Click Save.
  • Create a snapshot
  • Go to your assigned external IP and start configuring your FreePBX

Additionally I recommend:

  • Setting up Fail2ban, FreePBX Responsive Firewall, HTTPS, (and FreePBX VPN).
  • Whitelisting your IPs in Fail2ban and the Firewall.
  • Setting email notification for when updates are available.
  • If you have HTTPS setup, consider HTTP >> HTTPS redirect:

nano /etc/httpd/conf.d/redirect-443.conf

# Requires mod_rewrite. Replace mydomainname.com with the hostname on your TLS certificate.
<VirtualHost _default_:80>
    ServerName mydomainname.com
    ServerSignature Off
    # Build self-referential URLs from ServerName, not from the client's Host header,
    # so %{SERVER_NAME} below cannot be steered to another host by the request.
    UseCanonicalName On
    RewriteEngine On
    # Send every plain-HTTP request to the same path over HTTPS.
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    ErrorLog /var/log/httpd/redirect.error.log
    LogLevel warn
</VirtualHost>

  • Monitoring access to your server. [HOW-TO] Monitor and Set Email Alert For Unauthorized Access to FreePBX (Centos) Server
  • Logwatch (works best on a new install).
  • Tripwire (works best on a new install).
  • If you are planning to use cell phones, I recommend setting up your own OpenVPN server, whitelisting its IP in the Firewall rules and installing the OpenVPN app on the phones.
  • Make sure Allow Anonymous Inbound SIP Calls and Allow SIP Guests are set to No (Asterisk SIP Settings >> Security Settings).
  • Make sure to disable unused Feature Codes (Admin >> Feature Code) with attention to In-Call Transfers.
  • Make sure to blacklist offensive IP Addresses. Go to Firewall > Services > Blacklist > Add IP there.
  • If you are not planning to make international calls, create a restricted route; see the Sangoma Documentation.

Backup and Restore:

  • Backup is best done through Snapshots and can be done manually or on a scheduled basis.
  • In order to maintain your commercial modules, the restored backup needs to be attached to the original VM for the Zend ID / Deployment ID to stay the same.
    • Click on the Snapshot >> Create an instance. Try to keep the Region, Zone, Machine configuration, and Boot Disk type the same as the original VM.
    • After the new machine is created, go back to the new VM and turn it off >> Click Edit >> detach the Boot Disk by clicking on the x sign next to the Boot Disk.
    • Go to the original VM, turn it off, detach the Boot Disk by clicking on the x sign next to the boot disk >> then click Add item and choose the disk just created >> Save >> Start the machine. You should have your same Zend ID / Deployment ID and all your modules.

My workflow is as follows: when I restricted GCP to my trusted IP, with Fail2ban, FreePBX Responsive Firewall, HTTPS, (and FreePBX VPN), I did not have issues with people accessing my server. From time to time, I may need to allow 0.0.0.0/0. That is when I see the access script working. I then disallow 0.0.0.0/0, block the suspicious IP inside FreePBX, and delete the suspicious IP from the logs to keep my logs ready to record any suspicious IP (including the blocked ones).

Logwatch is a neat way to look at when and who (user/IP) entered the server. I think it will also tell if a USB device was connected to the server. Tripwire will tell me if any file was added, deleted or modified. I review Logwatch and Tripwire from time to time and when I get an email alert about potential access. Logwatch and Tripwire can be set up to send daily emails if you do not mind alert fatigue and are planning to read them.

Enjoy. Do not forget to claim your $300 GCP credits.

3 Likes
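The firewall steps above (restrict the default 0.0.0.0/0 rules to trusted IPs, open only the SIP/RTP ports to the world, and tie that rule to a target tag) are easy to get wrong when done by hand in the console, and the post itself notes that SSH has to be opened to 0.0.0.0/0 at one point and then closed again. The script below is an added example, not part of the original post or of FreePBX/GCP; it audits an exported rule list for exactly those mistakes. It assumes the JSON shape that `gcloud compute firewall-rules list --format=json` produces (only the fields name, direction, disabled, sourceRanges, targetTags and allowed are read), the default FreePBX ports named in the post, and a constructed sample rule set with made-up names and the documentation range 203.0.113.0/24 as the "trusted" network.

```python
"""Audit GCP VPC firewall rules for a FreePBX VM (added example, not from the post)."""
import ipaddress
import json
import sys

# Ports the how-to opens to the world with the "sip" rule (FreePBX defaults):
# udp/5060 (chan_sip), udp/5160 (pjsip) and udp/10000-20000 (RTP media).
SIP_WORLD_SPECS = {"udp": ["5060", "5160", "10000-20000"]}

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# Rule names, tags and ranges are made up for the demo.
SAMPLE_RULES_JSON = """
[
  {"name": "default-allow-ssh", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "default-allow-http", "direction": "INGRESS",
   "sourceRanges": ["203.0.113.0/24"], "allowed": [{"IPProtocol": "tcp", "ports": ["80", "443"]}]},
  {"name": "sip", "direction": "INGRESS", "targetTags": ["sip"], "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "udp", "ports": ["5060", "5160", "10000-20000"]}]},
  {"name": "sip-everything", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "default-allow-internal", "direction": "INGRESS",
   "sourceRanges": ["10.128.0.0/9"], "allowed": [{"IPProtocol": "all"}]},
  {"name": "old-rdp", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["3389"]}]}
]
"""


def _parse_ports(specs):
    """Expand gcloud port specs ("22", "10000-20000") into a set of ints."""
    ports = set()
    for spec in specs:
        low, _, high = spec.partition("-")
        ports.update(range(int(low), int(high or low) + 1))
    return ports


SIP_WORLD_PORTS = {proto: _parse_ports(v) for proto, v in SIP_WORLD_SPECS.items()}


def _is_world(cidr):
    """0.0.0.0/0 (or ::/0): the rule is reachable from anywhere."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def _within_trusted(cidr, trusted):
    net = ipaddress.ip_network(cidr, strict=False)
    for t in trusted:
        tnet = ipaddress.ip_network(t, strict=False)
        if tnet.version == net.version and net.subnet_of(tnet):
            return True
    return False


def _sip_only(entry):
    """True if one `allowed` entry stays within the SIP/RTP ports and nothing more."""
    allowed = SIP_WORLD_PORTS.get(entry.get("IPProtocol", "").lower())
    if allowed is None or "ports" not in entry:   # other protocol, or "all ports"
        return False
    return _parse_ports(entry["ports"]) <= allowed


def audit_rules(rules, trusted_ranges):
    """Return findings for enabled INGRESS allow rules that
    (a) open non-SIP ports to 0.0.0.0/0 (e.g. the SSH rule left open after setup),
    (b) open SIP to the world without a target tag (so it hits every instance), or
    (c) use a source range outside `trusted_ranges`."""
    findings = []
    for rule in rules:
        if rule.get("disabled") or rule.get("direction", "INGRESS") != "INGRESS":
            continue
        if "allowed" not in rule:          # deny rules only tighten things
            continue
        name = rule["name"]
        sources = rule.get("sourceRanges", [])
        world = any(_is_world(s) for s in sources)
        if world and not all(_sip_only(a) for a in rule["allowed"]):
            findings.append(f"{name}: non-SIP ports open to 0.0.0.0/0; restrict to trusted IPs")
        elif world and not rule.get("targetTags"):
            findings.append(f"{name}: SIP open to the world without a target tag")
        for s in sources:
            if not _is_world(s) and not _within_trusted(s, trusted_ranges):
                findings.append(f"{name}: source {s} is outside the trusted ranges")
    return findings


def load_sample():
    return json.loads(SAMPLE_RULES_JSON)


if __name__ == "__main__":
    # Usage: python audit_fw.py [rules.json] [trusted CIDR ...]; no args runs the sample.
    rules = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else load_sample()
    trusted = sys.argv[2:] or ["203.0.113.0/24", "10.128.0.0/9"]
    for line in audit_rules(rules, trusted) or ["no findings"]:
        print(line)
```

Run it against a real export with `gcloud compute firewall-rules list --format=json > rules.json` and your own trusted CIDRs as the remaining arguments; include the VPC's internal range (10.128.0.0/9 for the default network) so the default-allow-internal rule is not reported as untrusted. On the sample it flags default-allow-ssh (the rule the post says to reopen temporarily) and the catch-all sip-everything, while the tagged sip rule passes.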

I am planning to add the above steps to the freepbx wiki and would like feedback from anyone who tried these steps or use GCP in general: what works, what does not, and how can we improve it. Much appreciated.

Not to belittle your fine work here, but at this time, I am not sure why anyone would want to associate themselves with Google with the horrible reputation they have earned for themselves within the past couple of years.

I care about the service more and I had a good experience, also sharing is caring :slight_smile: . Here are some other reasons:

  • Affordability: GCP is relatively less expensive than other cloud platforms. Where VoIP cloud services charge per seat/user/extension, I can have as many extensions as I like/need.
  • Scalability: I started with a small machine. I can upgrade the CPU, memory and disk size with a few clicks without worrying about old or new hardware.
  • Security: I stand on the shoulders of a giant. Although early on I missed a hack attempt (crypto mining is not easy to spot), I received an email from Google that my VM was compromised and I was able to act on that email.
  • Easy Backups: they can be scheduled and restored within minutes.
  • Durability: GCP has less disruption compared to a machine on my site (we lose electricity due to weather, but I can still get calls on my cell phone because the GCP machine is up and running).

You can go more sophisticated by integrating your machine with other Google cloud services https://cloud.google.com/blog/products/gcp/transforming-the-contact-center-with-ai

Guess you have missed this clause in the Distro ToS. https://www.freepbx.org/about-us/freepbx-distro/

“ You can only use the ISO or USB image as it is distributed by Sangoma Technologies. Any modification to the FreePBX Distro itself is strictly prohibited. Copying or using the install scripts of the FreePBX Distro to build a similar product is strictly prohibited and is a Copyright Violation. Modifying the FreePBX Distro to work on other environments, such as VPS containers, is an explicit violation of these Terms of Service.”

That doesn’t apply here. The ISO/USB image, itself, was not modified or altered. None of the instructions require any changes or isolated use of the install scripts. The ISO/USB image was not altered to work on a specific environment.

This was the ISO being installed on a VM instance of a VirtualBox host (something many have used to run the ISO on laptops and other devices) and then making a snapshot of that VM and restoring that VM to another host.

1 Like

Hi Tony,
I am a business owner (nothing to do with IT) that found in FreePBX a good alternative to my traditional phone service. I respect the work placed on this software. I believe that the ToS is to protect the many years of hard work that was put in the FreePBX software. We are using a VM to run FreePBX as it was distributed by Sangoma. I hope to give back to the community another way of using the FreePBX distro. As you know, this community forum is full of posts on using VM to run freePBX and this is not any different https://community.freepbx.org/search?q=virtual%20machine

1 Like

Who uses physical hardware nowadays?! :man_shrugging:
FreePBX should adapt to the modern world of the cloud and make this easier IMO. It’s the trend.

Who in their right mind relies on an unaccountable third party for their critical infrastructure?

1 Like

Why are all these opinions needed? He posted a how-to, and if you don’t use that service, then just read something else?

5 Likes
