We use Cisco 7960 IP phones in the office with Asterisk right now. I want to let users work from home once in a while, but I want them to have a physical IP phone there, I don’t want them using cell phones etc. I’d rather have 1 IP phone that they can share and bring home. I know with the Cisco ones they only work if using VPN which confuses me since I have no idea how a phone can connect over VPN.
I’m completely fine though with opening the ports on my router so that the phones can just connect over the Internet without VPN using my Static IP. International calls are blocked on my phones, and I’m constantly checking CDRs so toll fraud doesn’t concern me.
Does anyone have any recommendation on a good home IP phone for this purpose? I don’t want any softphones. I was looking at the Polycom 330’s which are fairly inexpensive on eBay. There’s also the Linksys SPA922 IP phones as well which are similar priced. Just wondering if anyone has any feedback on what’s good or what I should avoid. I want something that’s easy to configure as well, so if a user requests to work from home the next day, I can simply change the phone to their extension without a huge hassle of having to edit tons of config files and so on. Would prefer that the extension can be logged into on the physical phone unlike the 7960s. Thanks so much!
Just a last stupid question then! My Netgear 100% supports it as per the site so I’m going to update to that. I just want to make sure I’m clear here. On the Netgear in the office I would have to go in and enable VPN on there with various settings. Then from my home, I would need a router here that supports VPN and I would enter my office static IP and VPN details and it would connect? I have an Apple Airport Extreme at home which I don’t think supports VPN so from what I understand, I’d need to purchase a VPN router? Just want to be clear on that! Thanks!
A great Firewall router for small office home office is the WRT54GL, the L is very important as it means Linux and has expanded flash.
You run DD-WRT Open Source firmware on this device, which includes complete VPN.
The other solution on the cheap that is completely bulletproof is to pick up a PIX-506E on Ebay for about $100 for the main office and then PIX-501’s for the remote offices at $50.00. Make sure the ones you buy have 6.2 firmware. This gets you an enterprise class firewall for next to nothing.
Hey that’s great, thanks! I’ll try to implement that right now anyway just to test it out and see how it goes. I guess it all comes down to what phones I end up using. If all my users work from home, I have Cisco 7960 phones right now which would require VPN. If I just have one phone for the odd time a user works from home then I might look at the Linksys SPA921 phones; they’re pretty inexpensive and look easy to configure without requiring TFTP servers and so on.
I agree with Sky King that VPN is the best way to go. Personally I use Mikrotik routers for VPN and firewalling, but when there are financial constraints, if you are careful you can put your phones reasonably securely on the Internet.
Fail2Ban does a great job of nipping server hack attempts in the bud and banning the offending IPs. It’s easy to implement, here are my notes:
2. Once done, add the following line to /etc/fail2ban/filter.d/asterisk.conf under the failregex section:
NOTICE.* .*: Registration from '.*' failed for '<HOST>' - Peer is not supposed to register
With that plus a good firewall in front of your PBX with only essential ports (SIP, IAX and RTP ports) open and different, really strong SIP passwords in each phone (I use 16-character alphanumeric upper/lower case passwords randomly generated with the Firefox password generator) you should be pretty safe. Also make sure you put a very strong password on the phone’s maintenance web server if the phone is not behind a firewall with HTTP ports closed.
Additionally everywhere else that needs a password use a randomly generated password and only use a VPN to do your root access and FreePBX maintenance from the internet or better still restrict that sort of stuff to the LAN only.
On average I find Fail2ban traps about one IP address a week trying to brute force register to asterisk but, touch wood, other than that I have been OK since getting caught a few years back in my very early days with asterisk.
However, remember nothing is foolproof and don’t let your guard drop.
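The failregex from the post above, exercised over a few constructed Asterisk full-log lines. This is an added example, not part of the original thread: the <HOST> token is swapped for a plain capture group (an assumption standing in for Fail2Ban’s own host pattern), and hosts_to_ban is a small imitation of the jail’s maxretry/findtime decision, not Fail2Ban’s code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The failregex line from the post above, as written in /etc/fail2ban/filter.d/asterisk.conf.
FAILREGEX = (r"NOTICE.* .*: Registration from '.*' failed for '<HOST>' "
             r"- Peer is not supposed to register")

# Fail2Ban substitutes its own host pattern for <HOST>; this simpler capture
# group is an assumption that is good enough for the plain IPv4 addresses below.
PATTERN = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[^']+)"))
TIMESTAMP = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d)\] ")

# Constructed Asterisk log lines using documentation addresses, not real traffic.
SAMPLE_LOG = """\
[Mar 15 10:23:41] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Peer is not supposed to register
[Mar 15 10:23:42] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7' - Peer is not supposed to register
[Mar 15 10:23:42] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7' - Peer is not supposed to register
[Mar 15 10:24:00] NOTICE[2231] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.9' - Peer is not supposed to register
[Mar 15 10:24:05] VERBOSE[2231] chan_sip.c:     -- Registered SIP '201' at 192.168.10.50:5060
"""

def parse_line(line):
    """Return (timestamp, offending host) for a line the failregex matches, else None."""
    hit = PATTERN.search(line)
    stamp = TIMESTAMP.match(line)
    if not hit or not stamp:
        return None
    return datetime.strptime(stamp.group("ts"), "%b %d %H:%M:%S"), hit.group("host")

def hosts_to_ban(log_text, maxretry=3, findtime=timedelta(seconds=600)):
    """Imitate the jail decision: ban a host once maxretry matches fall within findtime."""
    recent = defaultdict(list)   # host -> timestamps of its recent failures
    banned = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        when, host = parsed
        if host in banned:
            continue
        recent[host] = [t for t in recent[host] if when - t <= findtime] + [when]
        if len(recent[host]) >= maxretry:
            banned.append(host)
    return banned

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE_LOG))   # ['198.51.100.7']
```

Only the host that failed three times inside the window is banned; the single failure from 203.0.113.9 and the successful VERBOSE registration are left alone.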
Any computer connected to the remote network would have access to your work network unless you put access controls in place.
The phone your friend uses that he plugs in anywhere is some type of hosted phone that the server runs on the public Internet. Placing your server on the Internet and managing the remote connections is a security nightmare.
It’s not hosted that he’s using, I’m not really sure though. Some of the Avaya phones have built in VPN so maybe that’s it. When I view the settings, the server IP address is not a public one, it’s something like 10.0.1.54.
I found some routers by D-Link that do the network to network VPN which sounds right. The part I’m still missing is what I need at my office. I have a VPN server at my office right now which is part of Windows Server 2008 and uses Active Directory for authentication. I’m guessing that isn’t what I need. It sounds like I need a hardware VPN that’s in my office and then the routers at the employees’ homes would connect via VPN to that? Just a pain since I have a Netgear router that cost around $200 that I’ve only had for 3 months. I checked the settings; there’s nothing in there about VPN, just passthrough and so on.
You said routers are under $100, do you have any examples of models or brands to look at?
Thanks, it does make sense. I know how VPN works, I was just more confused with how the phone uses it since I’m used to the VPN application where, like you said, it just is on your computer. So just to be clear, you’re saying that I need a special router that offers VPN in it at my office, and then remote users working from home also need a special router that’s configured to connect to the VPN at the office? I guess I was just hoping more for some sort of solution where they can just plug their IP phone into any Ethernet jack and work from there. That’s how one of my business partners’ IP phones works and he works for a major telecom company. He just plugs it in anywhere and it comes up, doesn’t matter what router is used on my end. I guess I’m just confused because any “VPN Routers” that I’ve ever seen before don’t sound like they do what you mean, they instead let you create user accounts on the router and then the client has to install the connection application on their PC.
One last thing too, how would the router know to only give VPN access to the phone or the phone and work laptop? Like what prevents someone from unplugging the phone, connecting a foreign laptop to the Ethernet jack and being on my office network?
I don’t know what you mean by “server VPN”. I guess you could get confused as Microsoft supports PPTP on Windows server.
A VPN is a tunnel and it terminates between two devices. If you run a VPN client on the computer you will note it creates an interface or virtual adapter on the computer and an entry in the route table. That way the computer knows to use the VPN to reach the remote network.
Most of the time the client on your computer is not connecting to a server but some type of VPN concentrator that accepts many connections.
Most routers and almost all firewalls can also form a VPN connection to a remote site. The concept is the same, the router tunnels and encrypts traffic that is destined for the network attached to the other end of the VPN.
In practice you configure the VPN in your home router and work router. Let’s say your home network is 192.168.20.0/24 and your work network is 192.168.10.0/24. Once your router connects via the VPN it knows to reach 192.168.10.0/24 via the VPN. You can configure the phone with the address of your Asterisk/FreePBX server then take it home, plug it in, let it get an IP on the local network and the router will take care of the rest.
Does this make sense?
I am sure that you will find a million illustrated articles on VPN’s if you do a web search.
Thanks so much. That’s just where I’m still slightly confused though. Like I’m used to VPN like on my laptop where the VPN server runs on my company server, and when I’m at home my laptop clicks connect to VPN and it puts me on the office network. I guess I’m still just confused how the IP phone connects to the VPN. Just trying to understand the hardware requirements and if when you say VPN you mean separate from the server VPN?
You will be surprised at the amount of attempts to hack your server; it amounts to a denial of service attack. At a minimum you need to run BFD or Fail2Ban to lock out failed attempts.
You configure the VPN in your firewall or router so it is transparent to the phone.
You also need to use G.729, a high-quality, low-bandwidth codec.
The Polycom phones do a wonderful job behind NAT. So do the Linksys (Cisco Small Business SPA series). SNOMs have a built-in VPN client.
Aastra’s don’t seem to do as well behind NAT. Never tried Grandstream as the quality is below junk IMHO.
Since firewalls/routers with VPN capabilities are less than $100 I personally try to use a VPN if at all possible.