When Amazon started offering free virtual machines, I jumped and started setting up Asterisk from scratch. You can't just upload an ISO and boot from that. (That would be WAY too easy for an IaaS provider like Amazon to offer free.)
After getting all the prequisites in, (there are only really two you need to build by hand, iksemel and libSRTP. sox is optional. The rest are RPMs.), I started the ./configure. Success. Then make. Halfway through, the machine shuts down because I'm consuming too many resources. The first time I thought it was a fluke, but after the second time, I gave up.
But I was still intrigued to see if I could do it, so I moved to the Rackspace cloud and set up a CentOS 6 virtual machine with 20 GB of virtual drive and 512 MB of RAM. Again, no uploading a boot ISO. This isn't VMWare. The build went a lot faster when installing required RPMs. On CentOS, sox is available in the repo. On Amazon's AMI box, it was not.
However, FreePBX 2.10 won't install with Asterisk 10. You can install Asterisk 1.8, then install FreePBX, and then upgrade Asterisk to 10. So far, it works. I can't do testing of every feature, but it is easier to test in the cloud than building yet another box in my basement. (With the exception of DAHDI, of course.)
Rackspace is nice and conservative with its default CentOS build. Iptables is left open to everyone for one port -- 22 tcp -- for ssh. It responds to ping, too, but you can fix that. There's no way I was going to open up much more to everyone, like https (which works fine for FreePBX 2.10), or SIP, or RTP ephemeral ports.
How I did that: Use iptables to limit SSH to my own IP addresses, including a backup address or two. Then install OpenVPN. Given that I'm already managing certificates for https and Asterisk it's not a stretch. It's a lot easier if you have your own certificate server rather than using the scripts provided with each component. (Rant: Everyone who needs to configure https, ssl, tls, or OpenVPN on live Internet-connected machines should be required to complete a tutorial on the CONCEPTS of PKI before being allowed get access to CA and certificate creation scripts for live Internet boxes. Both Asterisk and OpenVPN ship with them.)
OpenVPN runs on port 1194 udp. So what's the other open port? 5222 for Gtalk. I just wish Google had a list of its public IPs for me to enter into iptables.
To access the box, I dial in to the OpenVPN with my certificate that has a password-protected encrypted key. Then I connect to the web interface via https. Snom phones connect via OpenVPN with a certificate and cleartext key. For backup and remote logging, the Cloud server also connects back to my basement via OpenVPN. OpenVPN is easier to configure and seems to have better uptime than my IPSec tunnels. I just hope it's as secure as IPSec.
Total cost so far: $5. It's running under a dollar a day, which is fine for a test box for a little while. I'm a little worried that I won't be able to let go after tweaking it out just the way I want it.
Downside: if iptables stops, my box is getting hacked. I'm afraid to ask how much a dedicated firewall (virtual or real) would cost.
Bug I haven't been able to fix yet: sometimes Snom can't connect via TLS or TCP after getting there through OpenSSL. UDP always works. I'm still working to figure out why.
I'd like to do an selinux policy, too, but that's going to take some time.
Update: Video calls seem to be working between extensions between a Nortel 1535 and the Bria softphone. Since the Nortel doesn't support TLS/SRTP, I can't test video encryption yet.
No comments:
Post a Comment