Mobile Softphone over VPN

I’m new to FreePBX and am running a hosted server. My desk phones can be on a whitelisted IP for the office, but what about iPhones and Android phones?

It seems the most ideal is to VPN from the phone to the server then make a typical SIP call. Then my security risks are minimal. But how is that done? Has anyone done that here with success?

I can see in FreePBX the setup for enabling VPN Services, but the documentation is mostly geared towards Sangoma phones with end point management. What I need is iPhone and Android phone support.

There’s a cognitive dissonance that I’d like to talk about. WARNING: Theory stuff…

The FreePBX phone server uses OpenVPN for its “phone to server” VPN, but it relies on the calls going through an IP Network. There are lots of examples (here in the forums) of people setting up these services.

The problem with setting them up is that they aren’t “using the iPhone or Android” to make the calls. You have to install a new SIP Phone App on the phone (there are lots out there - some work better than others) that runs on your handheld device. Effectively, the phone becomes two phones - the regular Cell Phone interface and the new SIP Network Connected interface.

Most of the people I’ve talked to (not nerds like us, just regular civilians) don’t understand how that works. “I just want to make a call…” is their call to arms. They don’t want to have two (or more) different ways they can be contacted.

The other issue is that the IP networks that run under most cell phones aren’t really well suited to SIP phone operations. Some carriers deliberately mess with SIP signaling, others just don’t care, so they don’t give you the tools to not use their cell network.

Having said that, there is still some hope. There are several techniques that we can use and help you set up that should get you close to where you want to go.

  1. You can use a “DISA” phone line. Basically, you dial the number and get a dialtone on the PBX. When coupled with automated “call back” features, this creates a secure, very good connection system that works with any phone (iPhone, Android, Superman Booth, etc.). It gives the user the appearance of being “inside” the network even when outside.

  2. There is FM/FM (Find Me/Follow Me) which allows you to extend the reach of your extension on the desktop to phones external to your network.

There are actually lots of other ways to help enable your client’s phones without “integrating” them into the network.

So, in addition to the SIP way, there are other ways that work with the native “telephone-ness” of the devices you want to reach out to.

If you’re sure you want to test this out, start by searching the forum for “OpenVPN” and start looking at some of the discussions. One of them should point to a Wiki that gives you some meat that you can then use to make your phones do what you want. For example:

is one thread - there are lots more that go into lots of specific detail about different parts of setting up VPN connections.

I hope this doesn’t sound like a lot of doom and gloom - the way forward isn’t necessarily simple, but it is doable.

Thank you Dave.

Good point. Any cellular or residential ISP wanting to mess with SIP certainly can (some sadly do) but inside a VPN tunnel, they have no idea what’s inside the packets.

My purpose is to lock down the firewall and minimize unnecessary SIP hacking opportunities. A VPN tunnel seems to offer a safer connection to the server.

I do recall iOS allowing VPN tunnels setup per application. That could then be auto connected when the VoIP app is started.

Some VoIP apps do integrate with the iOS phone system and that works well.

Having this setup allows a person to travel internationally and be connected when on wifi. Mostly, it allows easy outbound calling from anywhere. The follow/me feature works brilliantly for some of my users as well.

I am not sure how to set that up. Maybe someone that has could post what they did.

An alternative is to rely on the FreePBX reactive firewall and open SIP connection potentials to the internet. Not my preference.
