Open WSS to the internet

Hi all

I’m using webrtc extensions on Freepbx.

Currently they can connect only from trusted IPs

But I’m thinking of opening WSS 8089 to the internet so they can at least use the WebRTC softphone from everywhere, and access the FreePBX web interface only from trusted IPs.

Is it secure? Please share your experience.

You know it is not; you are just looking here for a convenient excuse so you can be a lazy ass.

There are so many cheap/free VPN solutions out there today that there’s no excuse for this. Train your users to use VPN clients, then run the phone over that. You can spin up a VPN server for free using an old PC you were going to Dumpsterize, a NIC card from your junk pile and a copy of Untangle, which wraps the OpenSSH server.

Providing phone services for money is about the only justification for exposing telephony services to the actual Internet, and if you are doing that, you had better have a guy on staff whose full-time job is to keep the attackers out, and he’s going to already know the answer to what you are asking.

Thanks for your opinion. However, you should understand that VPN is typically the last option in this scenario because of the additional latency it introduces. That’s exactly why I was asking about the specific security considerations when exposing WSS directly to the Internet.

For example, if Fail2Ban is monitoring WSS logs and blocking abusive IPs, what realistic attack vectors remain? On port 8089 there is nothing exposed other than secure WebSocket (WSS).

I’m not looking for generic advice like “just use a VPN.” I’m interested in deeper technical insight — things like threat modeling, attack surface analysis, and secure architecture design for exposing WSS in a controlled and hardened way.

If you have experience with securing publicly exposed WSS (especially in telephony environments), I’d appreciate more detailed input on architecture and defensive layers rather than high-level recommendations.

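The post above describes Fail2Ban watching the WSS logs and banning abusive IPs as the main defensive layer. As an added example (not part of the original thread, and not FreePBX’s or fail2ban’s own code), here is that counting logic reimplemented in Python and run over constructed log lines modelled on Asterisk’s PJSIP authentication-failure NOTICE format. The regex, the findtime/maxretry values, the trusted network 192.0.2.0/24 and the assumption that the log is in time order are all assumptions made for the example; check the regex against your own /var/log/asterisk/full before relying on it.

```python
"""Fail2ban-style sliding-window ban logic over Asterisk PJSIP auth-failure lines.

Added example, not code from FreePBX, Asterisk or fail2ban. The sample lines
below are constructed (hypothetical hosts and extensions) to resemble the
PJSIP NOTICE emitted when a REGISTER fails authentication; the exact wording
varies by Asterisk version, so treat LINE_RE as an assumption to verify.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not captured from a real system). 203.0.113.5 hammers
# several extensions, 198.51.100.7 fails twice 15 minutes apart, and
# 192.0.2.10 fails five times but sits inside the trusted network.
SAMPLE_LOG = """\
[2024-05-01 10:00:00] NOTICE[1234] res_pjsip/pjsip_options.c: Endpoint 1001 is now Reachable
[2024-05-01 10:00:01] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1001" <sip:1001@pbx.example>' failed for '203.0.113.5:51234' (callid: c1) - Failed to authenticate
[2024-05-01 10:00:02] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1001" <sip:1001@pbx.example>' failed for '203.0.113.5:51235' (callid: c2) - Failed to authenticate
[2024-05-01 10:00:03] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1002" <sip:1002@pbx.example>' failed for '203.0.113.5:51236' (callid: c3) - No matching endpoint found
[2024-05-01 10:00:04] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1001" <sip:1001@pbx.example>' failed for '198.51.100.7:40000' (callid: c4) - Failed to authenticate
[2024-05-01 10:00:05] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1003" <sip:1003@pbx.example>' failed for '203.0.113.5:51237' (callid: c5) - Failed to authenticate
[2024-05-01 10:00:06] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1001" <sip:1001@pbx.example>' failed for '203.0.113.5:51238' (callid: c6) - Failed to authenticate
[2024-05-01 10:00:07] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1005" <sip:1005@pbx.example>' failed for '192.0.2.10:5060' (callid: c7) - Failed to authenticate
[2024-05-01 10:00:08] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1005" <sip:1005@pbx.example>' failed for '192.0.2.10:5060' (callid: c8) - Failed to authenticate
[2024-05-01 10:00:09] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1005" <sip:1005@pbx.example>' failed for '192.0.2.10:5060' (callid: c9) - Failed to authenticate
[2024-05-01 10:00:10] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1005" <sip:1005@pbx.example>' failed for '192.0.2.10:5060' (callid: c10) - Failed to authenticate
[2024-05-01 10:00:11] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1005" <sip:1005@pbx.example>' failed for '192.0.2.10:5060' (callid: c11) - Failed to authenticate
[2024-05-01 10:15:00] NOTICE[1234] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1001" <sip:1001@pbx.example>' failed for '198.51.100.7:40001' (callid: c12) - Failed to authenticate
"""

# Assumed line shape; IPv4 only (Asterisk prints IPv6 peers in brackets, not handled here).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] \S+: "
    r"Request '(?P<method>[A-Z]+)' from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' "
    r"\(callid: [^)]*\) - (?P<reason>.+)$"
)

# Assumed policy values; the fail2ban equivalents are findtime, maxretry and ignoreip.
FINDTIME = timedelta(seconds=600)
MAXRETRY = 5
TRUSTED = [ip_network("192.0.2.0/24")]  # hypothetical "trusted IPs" from the post


def parse_failures(text):
    """Yield (timestamp, source_ip, reason) for each auth-failure line; skip others."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]


def is_trusted(ip):
    """True when the source address falls inside a trusted network (fail2ban ignoreip)."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED)


def compute_bans(text, findtime=FINDTIME, maxretry=MAXRETRY):
    """Sliding-window count of failures per source IP, assuming the log is time-ordered.

    Returns {ip: time_of_ban} for every untrusted IP that reaches maxretry
    failures within findtime. Already-banned IPs are not re-banned.
    """
    recent = defaultdict(deque)  # ip -> timestamps of failures inside the window
    bans = {}
    for ts, ip, _reason in parse_failures(text):
        if ip in bans or is_trusted(ip):
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in compute_bans(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when:%Y-%m-%d %H:%M:%S})")
```

Two things the example makes visible that the post’s one-liner does not: the window matters (198.51.100.7 never trips the rule because its failures are 15 minutes apart), and a trusted-network exemption means a compromised or misconfigured softphone inside that range can fail forever without being banned. Note also that this counting only ever sees attempts that reach SIP authentication; a valid secret copied out of a softphone’s config file produces no failure line at all, so it is not something this layer can detect.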

I don’t understand how a VPN, in the original sense, as used here, adds a lot of latency. Anonymising servers may well add latency, but you probably don’t want them for other reasons.

The experience I have with it all tells me not to do it.

Hate to say it, but this forum isn’t the place for this. It is just too vast a subject area and too important. There are so many factors to consider that you couldn’t cover them all adequately in a forum post, and any post that just skimmed the surface would set up the expectation that it is easier than it actually is.

I’ve run VoIP softphones on PCs and Android phones connected to the PBX network via VPN and there is no call degradation or issues at all.

Depending on fail2ban is foolish IMHO. fail2ban in fact is almost useless because it can cause problems on the inside, and the need for it is obviated if you have long passwords on the extensions, as the Universe will run out of time before a remote cracker can brute-force guess a password.

The external crackers are going to attack remotes first. If you have a user running a softphone on a PC, the auth password is likely saved in cleartext on the PC in a config file, and once they have it they are going to come in and start making their millions of long-distance calls and running up your bill. That’s why a proper VPN with MFA is so important.

If you’re selling trunks commercially you can’t require a VPN, and you may not even be able to require customers to have a static IP, but you ARE going to have cyber insurance and a good lawyer who writes up a tight contract so that when the customer inevitably gets pwned and the cracker runs up their bill with you - and the customer comes to you demanding credit for all the fraudulent charges - your insurance pays out.

Otherwise, you are trying to get someone to tell you that doing it without a VPN is just as safe as with a VPN - and that someone won’t be me.