You could also send the calls to the user’s cell phone directly through Find Me/Follow Me by adding the cell phone number followed by # to the Follow-Me List. To tell that the call is a business call, I changed External CID Configuration to Fixed CID Value and put in the business phone number, which I always answer.
Cell phones will change their IPs based on location and connected wifi. To avoid opening your PBX to the world, you can provide the user with a secure and fixed IP. To do that you will create a new AWS Instance and install openvpn server on it. Assign a fixed IP to the openvpn server and install the client files from the installed openvpn server on the user’s phone. This way the user will have one secure IP (the openvpn server IP) no matter where the user is. The VPN server will change the cell phone IP into the server’s IP address when the phone is connected to the server.
This doesn’t solve the issue of the device (softphone) having a dynamic IP to source from when the firewall is deny all but allow this whitelist. The OP wants to not have to whitelist new IPs every time this device changes IP. Doesn’t matter the transport when the source IP is not fixed.
The solution is DDNS on the device or a VPN to guarantee the device is coming from the allowed source IP.
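Added example, not from any of the posts above, of the DDNS half of that reply: a small Python script for the PBX host that resolves the softphone’s DDNS name and moves a single iptables allow rule for SIP over TLS from the old address to the new one. The hostname softphone.example.net, TCP port 5061, the state-file path and a plain iptables INPUT chain are all assumptions; a FreePBX box running its own firewall module manages its rules differently, so treat this as the shape of the check rather than a drop-in.

```python
"""Refresh a firewall allow rule for a softphone whose public IP is published via DDNS.

Added example, not from the thread. Assumptions: the PBX filters with plain
iptables (no firewall-module-managed chain), SIP over TLS listens on TCP 5061,
and the softphone's DDNS name is softphone.example.net.
"""
import ipaddress
import pathlib
import socket
import subprocess
import sys

DDNS_NAME = "softphone.example.net"                                # assumed hostname
SIP_TLS_PORT = 5061                                                # assumed SIP/TLS listener
STATE_FILE = pathlib.Path("/var/lib/pbx-allowlist/softphone.ip")  # assumed path
CHAIN = "INPUT"                                                    # assumed chain


def validate_ipv4(text):
    """Return a canonical IPv4 string, or raise ValueError.

    A DNS answer is untrusted input: anything that is not exactly one IPv4
    address must never reach the firewall command line.
    """
    addr = ipaddress.ip_address(text.strip())
    if addr.version != 4:
        raise ValueError(f"not an IPv4 address: {text!r}")
    return str(addr)


def resolve(name):
    """Resolve the DDNS name to one validated IPv4 address, or None on failure."""
    try:
        return validate_ipv4(socket.gethostbyname(name))
    except (socket.gaierror, ValueError):
        return None


def plan_rules(old_ip, new_ip, port=SIP_TLS_PORT, chain=CHAIN):
    """Build the iptables commands (as argv lists) that move the allow rule.

    The new rule is inserted before the old one is deleted, so there is no
    window in which the phone is locked out. Identical addresses yield no
    work; no old address yields only an insert. Both addresses are validated
    again here so the function is safe to call with stored state.
    """
    new_ip = validate_ipv4(new_ip)
    old_ip = validate_ipv4(old_ip) if old_ip else None
    if old_ip == new_ip:
        return []

    def allow(ip):
        return ["-p", "tcp", "--dport", str(port), "-s", ip, "-j", "ACCEPT"]

    cmds = [["iptables", "-I", chain, "1", *allow(new_ip)]]
    if old_ip:
        cmds.append(["iptables", "-D", chain, *allow(old_ip)])
    return cmds


def refresh(name=DDNS_NAME, state_file=STATE_FILE, run=subprocess.run):
    """One refresh cycle: resolve, plan, apply, persist. Returns the commands run."""
    new_ip = resolve(name)
    if new_ip is None:
        # A resolution failure must neither widen nor drop the existing rule.
        print(f"could not resolve {name}; leaving firewall unchanged", file=sys.stderr)
        return []
    old_ip = state_file.read_text().strip() if state_file.exists() else None
    cmds = plan_rules(old_ip, new_ip)
    for cmd in cmds:
        run(cmd, check=True)  # argv list, no shell: the address is never shell-interpreted
    if cmds:
        state_file.parent.mkdir(parents=True, exist_ok=True)
        state_file.write_text(new_ip + "\n")
    return cmds


if __name__ == "__main__":
    refresh()
```

Run it from cron every few minutes as root. Two caveats worth keeping in mind: the DDNS answer is unauthenticated, which is why the script validates it and limits the rule to one port instead of trusting the name, and a phone that changes networks more often than the cron interval will still be blocked for up to one interval. The VPN option in the same reply avoids both problems, since the PBX then only ever sees the server’s fixed address.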
Yes, this is an alternate proposal to whitelisting. Allow all from Internet to SIP TLS. Add responsive firewall if desired…
The attack/risk surface is the same as with openvpn. With the vpn, you need to have a port open to the Internet anyway. In either case, everything is encrypted. He’s already got NAT working properly (assumed).