Trunk between two FreePBX servers, one of them is behind Pfsense firewall


#21

I understand you correctly. Just install openvpn server on pfsense and install openvpn client on PBX server on site 2. That’s all.


(H Maznev) #22

Thanks Ali. I will export ovpn configuration today and tomorrow I will do the tests. I will let you know about the result.


(H Maznev) #23

The test is done … and several other isues apear.

  1. in the sangoma 13 distro there is no such a command as systemctl. I do not know how to tell the system that the openvpn service must be started permanently.

  2. If I say “lsof -i |grep openvpn” - I got nothing (nothing running)
    if I say chkconfig --list openvpn - I got “openvpn 0:off 1:off 2:off 3:off 4:off 5:off 6:off”
    If I say “/etc/init.d/openvpn start” the openvpn starts but lsof -i |grep openvpn again issuet nothing.

    I think I found some workaround

    If I say “chkconfig openvpn on” and after that “chkconfig --list openvpn” I got “openvpn 0:off 1:off 2:on 3:on 4:on 5:on 6:off” … I thing now the openvpn will start after reboot (not tested yet).

  3. But If I say “openvpn --config client.conf” it ask me for “Enter Auth Username” and “Password”.
    What should be the Enter Auth Username and Password??? Keep in mind I confugured the pfsense box for peer to peer (site to site) OVPN server with TLS/SSH certificate without any password authorizations.


#24

FreePBX 13 is based on centos 6 so you need to use chkconfig, as you already found out.
Regarding the username and password that you are being asked, it is because you exported a configuration with the xauth option, so pfsense is expecting your client to authenticate with username and password.


(H Maznev) #25

Thank you for your replay. Regarding the username and password - I found that the pfsense client export utility can export the client’s configuration only if some of “Remote access” protocols are choosen in the Server mode tab. If you choose “Peer to peer” - the server doesn’t appear in the client export utility … I do not know why.
So If I want to use site to site openvpn, on the freepbx site I have to find a way manualy to confugure the open vpnclient. If somebodi can pont me to the some centos 6 manual “how to do this” :slight_smile: I will be extremely thankful. And of course what (and how) I have to get from pfsense box in bot cases - if I use Peer to peer (tls/ssh) and if Y use Peer to peer (shared key). Thanks in advanse.


#26

I don’t know if commenting on another product constitutes a brake of the “laws” in the forum, but you can send me a private message and I can help you with the configuration of the pfsense openvpn server and client.


(H Maznev) #27

Just advise me how to send you a private message. I do not see such an option in the forum.


(H Maznev) #28

So the update:
By using “Remote access (SSL/TLS)” server mode on the pfsense box OpenVPN server, I successfully export the client configuration with certificates.
All this is implanted into the FreePBX box and … voala … tunel is up and running.
Intersting part is - let say I have a tunel network 192.168.1.0, the tunel supposes to interconnect site one with a network 192.168.2.0 and site 2 with network 192.168.3.0, the freepbx box IP is 192.168.3.10 .
From any f\of the machines in site 1 (192.168.2.0) I am able to see just the freepbx box and I am able to see it by the tunel network address (192.168.1.2), not by it’s original IP address (192.168.3.10.)
The experiment continues :slight_smile:


#29

Once you interconnect two endpoints with openvpn in tun mode, that is how it is supposed to work, you use the IPs that are part of the tunnel network, not the “original” IPs of the devices.


(H Maznev) #30

O.K. So now the IAX2 trunk between the two freePBX boxes is up and running.
But when I try to make a call from extension in the 1-th PBX locatio to the extension in the 2-nd PBX location I’m getting a voice message " ’ All Circuits are Busy '.
According to the log - the iax received the request.
Any idea?


(H Maznev) #31

I found a missconfiguration in my trunk settings. I fix it and now I think everything will work. I can test this after two weeks (vacations and other stupid circumstences :)).

BUT I found other issue.
Let say extensions in my office are 11xx(1101 to 1199), the extensions in the office 2 are 12xx(1201 to 1299).
I have an outbound route in which the pattern says all that mach pattern 12xx to be shuted to the trunk.
If deliberately or by the chanse I create an extension in site 1 which starts with 12 … let say 1299 and I have a phone configured to use this exact extension in my office - when I call 1299 the phone is ringing. Why the PBX doesn’t redirect the call to the office 2 ???


#32

Its the ‘order of precedence’ asterisk will follow the first matched dialstring in its ‘contexts’ and so finds 1299 in the ext-local context first


(H Maznev) #33

Is there any “workaround” either to prevent local PBX admins to build extensions from “foreign” locations? Or just the strict discipline :).
Or is there a way to change the “order of precedence”?
I fully understand that this is the main princip of “finding route” or e-mail servers - first to check the local directory and if the object they are looking for is not there to ask higher one in the tree.But any way I am curious if there is a way PBH to be told “Hey you are responsible only for extensions which start with 11 … iven if you have in your local directory extensions with leading digits diferent than 11 - ask for them trunks” ?


#34

I can’t answer to workarounds, I would comment that any person you choose to elevate to administrative level should be preconditioned to ‘know how it works and so not be an idiot’ :wink:

You can change the ‘order of precedence’ but it might be tricky to pre-empt ext-local for obvious reasons but as soon as you do any of that you will fail any gpg checks that FreePBX imposes by default.


(H Maznev) #35

Thank you #disko.
I especially like the sentence containing the word “idiot” :smile: . But you know the people who usualy elevate “person” to adminstrative level … some times tend to be deficient :wink:.


(H Maznev) #36

I was wondering Ari,
Now I have site to site VPN and hopefully everything works as I expected (I can tell the results after two weeks … for a reason I told you above.
If I build User remote access VPN … what would change?
And what is better decision - Peer to Peer (TLS/SSH) or Remote access (TLS/SSH) with or wothout paassword authentication?


#37

I would go with remote access tls ssl with authentication


#38

and I, your sentence containing the word disko, :wink:


(H Maznev) #39

Sorry!!! Please excuse me!!! The fingers are faster than the mind … and probably some unconsious desire for dansing :smile:.
Please excuse me again “dicko”


(H Maznev) #40

If for some reason electricity is cut doun or the pbx box is shut down for some reason - the autenticated user will have to enter the password manualy … won’t they?
So if there is a trick password to be automaticaly entered (and I know that there is a way, and I think I know how to do this) the main reason for autentication will be not fulfiled … at least this is my opinion.
And if somebody has to enter manualy password … this is a precondition for “man mistake”.