Discussion in 'Open Discussion' started by wardmundy, Aug 15, 2008.
What do you need on the office end? Obviously you need a VPN peer of some description. Are you using Hamachi?
Yep. Thus far it's Hamachi, but we're still experimenting.
Sounds like you guys are going with Hamachi now and working towards OpenVPN?
I have made a few runs on OpenVPN without much success. Probably won't try again until Winter.
I like the idea of a small solid state device. The Astralink and Digium appliances are $1K and up. Under $600 sounds good.
The trouble with many VPN implementations is the amount of configuration that is necessary every time you change the IP address of the server. Hamachi kinda manages all of that for you.
You Can Run But You Can't Hide
Rumor has it that some of our competitors already are shakin' in their boots...
Kewl Idle screen
Can I package a version of that logo with the setup-grandstream script I've been working on?
Sure. And here's the .bmp as well. Special thanks to Damon Hoxworth for the terrific artwork!
Most of the hotels I stay at (I travel A LOT) require you to enter an Internet pass key or log into a home page and accept an agreement. This would cause issues with VPN in a Flash (No presto). Do you have a work around for this?
yum install lynx (which actually will be included in the VPN in a Flash distribution) provides a text-mode browser that's adequate with most sites requiring a login. So then you'd ssh to the IP address of the box using your WiFi notebook or Java-powered WiFi cellphone (there's an SSH client in FreePBX) and lynx fleebaghotel.com and go through the login routine from the VPN in a Flash box.
And the Road Warrior's Best Friend...
Can this be used as the stand-alone main office pbx? Or is this only for remote use? I would love a solid state box like this for my SMB installs.
It's a good bit more robust than a WalMart Special. So long as the number of simultaneous calls is below 10 or so, it'll work like a champ. Depending upon the number of voicemails, you might want an 8GB SSD instead of a 4GB... for a few cents more. Of course, once the dual core, dual processor Intel Atom is released, The Sky's the Limit!
Another work-around for the "login page" issue
Another good way to allow people to log in to "fleabagmotel.com" to authorize themselves would be to install the squid proxy on the vpn-in-a-flash box.
With the right iptables rules configured, all outgoing web traffic through the box would appear to come from the box itself. Possibly just setting up NAT correctly would do the trick as well, if the wireless and wired interfaces are not set up as bridged.
Now your wifi laptop or cellphone can connect to the Wifi on the box, and handle the authorization procedure, then every client connected through the box would appear to be the same machine.
On a related note:
I have set up my home network and used iptables on my linux-enabled router (dd-wrt.com) to force all outgoing web traffic through squid on my pbxinaflash box. It works great, and you can optionally configure dansguardian for web filtering (makes me less nervous when my kids are online). It's a transparent proxy (for http, not https, however) so no configuration is necessary on the clients (nor is there a way to bypass the proxy on the clients =-).
I may be able to help out with this part of the project, as I've done quite a bit with OpenVPN for my home and office as well.
For anyone else out there running dd-wrt firmware in their router and using a pbxinaflash server, here are the firewall rules I'm using:
iptables -t nat -A PREROUTING -i br0 -p tcp --dport 80 -d 10.0.1.1 -j ACCEPT
iptables -t nat -A PREROUTING -i br0 -s ! 10.0.1.50 -p tcp --dport 80 -j DNAT --to 10.0.1.50:8080
iptables -t nat -A POSTROUTING -o br0 -s 10.0.1.0/24 -d 10.0.1.50 -j SNAT --to 10.0.1.1
iptables -I FORWARD -s 10.0.1.0/24 -d 10.0.1.50 -i br0 -p tcp --dport 8080 -j ACCEPT
The router's internal IP is 10.0.1.1.
The pbxinaflash server is 10.0.1.50.
The dansguardian process listens on port 8080 (change this above if you go directly to squid on port 3128)
For squid and dansguardian configuration, do some googling.
All my web traffic goes through this box (it's a Wal-Mart special) and I haven't seen any performance hit on my phone traffic. The squid proxy is really nice for accelerating your web browsing, too.
I've got OpenVPN servers set up with dyndns.org names. Even when the IP changes, it works pretty well. You can set up the client config files to look for the name instead of the IP, and you only have to open one port on the server firewall to allow the UDP (or TCP) traffic to the server. It can even masquerade as HTTPS traffic for best portability. I'd be happy to share what I've learned with the project, Ward. Feel free to drop me a line.
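The following is an added example, not code from the thread or from the PBX in a Flash project: it restates the dd-wrt transparent-proxy rules from the post above (and the squid-on-the-box idea from the earlier "login page" post) as a parameterised script, using the current `! -s` negation syntax, and adds a check for the one rule that is easy to drop when copying them: the DNAT rule must exclude the proxy host itself, or the proxy's own outbound port-80 fetches are redirected straight back to it. The defaults (10.0.1.1, 10.0.1.50, port 8080, br0, 10.0.1.0/24) are the poster's values and are assumptions; override them with environment variables. Only TCP port 80 is redirected, so HTTPS (and anything on other ports) never reaches the filter, exactly as the post notes.

```shell
#!/bin/sh
# Added example: parameterised transparent-proxy rules for a dd-wrt router
# that redirects LAN web traffic to squid/dansguardian on a pbxinaflash box.
# All values below are assumptions taken from the thread; override as needed.
ROUTER_IP="${ROUTER_IP:-10.0.1.1}"     # dd-wrt LAN address
PROXY_IP="${PROXY_IP:-10.0.1.50}"      # pbxinaflash box running the proxy
PROXY_PORT="${PROXY_PORT:-8080}"       # dansguardian (use 3128 for squid direct)
LAN_IF="${LAN_IF:-br0}"                # dd-wrt bridge interface
LAN_NET="${LAN_NET:-10.0.1.0/24}"      # LAN subnet

# Emit the rule set, one iptables command per line, without applying it.
# Review the output, then pipe it to sh on the router (or paste into the
# dd-wrt firewall script) to install.
proxy_rules() {
  cat <<EOF
iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80 -d $ROUTER_IP -j ACCEPT
iptables -t nat -A PREROUTING -i $LAN_IF ! -s $PROXY_IP -p tcp --dport 80 -j DNAT --to-destination $PROXY_IP:$PROXY_PORT
iptables -t nat -A POSTROUTING -o $LAN_IF -s $LAN_NET -d $PROXY_IP -j SNAT --to-source $ROUTER_IP
iptables -I FORWARD -i $LAN_IF -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
EOF
}

# Read a rule set on stdin and verify the redirect is sane:
#   1 = no DNAT rule at all (nothing is being redirected)
#   2 = DNAT rule does not exclude the proxy host (redirect loop)
#   3 = DNAT rule does not match port 80 (wrong traffic redirected)
#   0 = looks good
check_rules() {
  rules=$(cat)
  dnat=$(printf '%s\n' "$rules" | grep -- '-j DNAT') || return 1
  printf '%s\n' "$dnat" | grep -q -- "! -s $PROXY_IP" || return 2
  printf '%s\n' "$dnat" | grep -q -- '--dport 80' || return 3
  return 0
}

# Stand-alone use: print the rules and report whether they pass the check.
if [ "${1:-}" = "--show" ]; then
  proxy_rules
  proxy_rules | check_rules && echo "check: ok" || echo "check: FAILED ($?)"
fi
```

Run `sh proxy.sh --show` to print the four rules and the check result; the check exits 2 when the `! -s` exclusion is missing, which is the loop case, and 1 when no DNAT rule is present at all.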
Thanks. We'd love to have a look. The response and advance orders have been A-M-A-Z-I-N-G. Thanks. As we near a release date and initial production run, we are putting the finishing touches on the documentation and initial setup for VPN in a Flash. Comments, suggestions, questions, and identification of missing pieces are, of course, welcomed!! Just be aware that this still is a work in progress.
Can you post the OpenVPN how-to info
Can you post the OpenVPN setup you are using for all of us?
This port opening would obviously be a deal breaker for those that wish to use a server in a network over which they have no control, e.g. public places, hotels, convention centers, cruise ships, office complexes with shared office space, etc.
Have I misunderstood the firewall port requirement with OpenVPN?
It should work...
I have a couple of customers I set up with OpenVPN for them to use when they travel, and while I haven't tried it with a PBXiaF box yet I see no reason why it wouldn't work. The firewall at the mothership running the OpenVPN server has the port for OpenVPN open, and the remote user (typically a laptop, but a PBXiaF server should work too) runs the OpenVPN client, which initiates the connection from the remote end. Since it's an outbound connection most firewalls let it out, and let the replies to it back in. I have had a connection open for hours on end and it has been very reliable; even NetBIOS network browsing on Windows clients starts working after 20-30 minutes.
I have my clients set so that all their traffic is routed through the VPN once it is established so that any filters, policies etc. at the main end are enforced on the remote client.
Send us a little HOW-TO and we'll get Tom to work his magic. We'd love to use it. Thanks.
Nifty, post it up!
^^^ Not compiled I hope...