Friday, May 20, 2016

Asterisk, FreePBX, and Endpoint Configuration

Overview

This tutorial will walk you through configuring FreePBX to configure extensions, create dial patterns, add in an external SIP trunk, and provision SIP phones.

Before beginning this tutorial you should have access to a DHCP server with configurable options, an instance of FreePBX running (physical or virtual) and a Cisco phone flashed to SIP (this write-up uses a 7941).

Configuring Your DHCP Server

Depending on your home network, this part will either be super easy or a touch more complicated. When your phone picks up a DHCP lease it will look for option 150 to direct it to the TFTP server (in this case the FreePBX server). The precise mechanics depend on your network, but configure DHCP to point option 150 at the IP address of your FreePBX server.

Technically speaking, option 150 is for a list of TFTP servers; option 66 can be used for a single TFTP server. If you want to differentiate the TFTP server from the call manager, you can set option 120.

TFTP Server

If you're building out your server using the FreePBX ISO (discussed below) you can ignore this section. If you're configuring your server on top of a vanilla CentOS installation, you may need to allow TFTP traffic (UDP port 69) through your firewall. To do so, open the port permanently and then reload the firewall so the rule takes effect:

firewall-cmd --permanent --zone=public --add-port=69/udp
firewall-cmd --reload

FreePBX

For this tutorial I used the pre-built FreePBX ISO, stable release 6.12.65 with FreePBX 12 and Asterisk 11. I had tried it with release 6.12.65 with FreePBX 13 and Asterisk 12 but had issues configuring the OSS EndPoint module we will use later in the tutorial.

Another option in getting FreePBX installed is to do it yourself through a vanilla CentOS (or other Linux) installation.

Post-installation, all of the FreePBX configuration will be done through the web GUI. You can directly access it through your web browser by heading to the server's IP address. Before we get started make sure you have logged in once to setup your username and password.

FreePBX Module Configuration

Before we start to configure anything, there are some module modifications that will need to be made. The order in which you do these steps matters, so pay attention.
  1. Go to the Module Admin page (Admin > Module Admin)
  2. Remove the REST Phone Applications module
  3. Remove the End Point Manager module
  4. Click the Unsupported button and then click the Check Online button
  5. Under connectivity, install the OSS EndPoint module
    • Expand the module's menu, click Download and Install
    • At the bottom of the page click the Process button
  6. Click the red Apply Config button at the top of the page
We're not doing anything with the OSS EndPoint module just yet; hang tight for a minute!

Extension Setup

To set up extensions for our phone system we're going to navigate to the extensions page (Applications > Extensions). Generic CHAN SIP Device should be preselected in the dropdown menu, so go ahead and click the Submit button.

You'll notice that there are a TON of fields that populate. For the purposes of this write-up we're only going to focus on the following fields:
  • User Extension : The internal extension we're setting up
    • Value : 1001 (or you can pick a different extension scheme)
  • Display Name : Who this extension belongs to; what the internal caller ID will show
    • Value : Nathan
  • NAT Mode : This is used if the phones are in a NAT environment and the Asterisk server is outside the network with a public IP
    • Value : No (this tutorial assumes that all devices are in the same LAN)
    • For more information on NAT Mode, check out this article.
  • Secret : The Cisco 794Xs tend to be picky when it comes to long secret strings; I've had the best luck chopping the randomly generated string down to 9 characters. It isn't an exact science though.
Once all of these fields are configured, click Submit at the bottom of the page. You'll be redirected back to the main extensions page. Click the red Apply Config button at the top of the screen.

OSS EndPoint Template Configuration

You'll notice that if you were to plug your Cisco phone into the network at this point in our configuration, it would display a message that it hasn't been provisioned. Cisco phones need an XML configuration file to learn the settings they need to communicate with our PBX.

While these files can be written by hand, it's much easier to use a tool to generate them dynamically. For that we'll be using the OSS EndPoint Manager module we installed a few sections ago.

Under Connectivity > OSS Endpoint Package Manager click the Check for Updates button. After it reloads you should get a page listing different phone vendors; click the Install button for Cisco/Linksys.

Again, when the page reloads, scroll down to Cisco/Linksys and select the template for your phone model (I used a Cisco 7941G flashed with SIP firmware 9.N.N, so I enabled 7941-9.X).

Phone Provisioning

With everything set up it is time to provision the phone itself. Under Connectivity > OSS Endpoint Device List, input the phone's MAC address in the appropriate field, select Cisco/Linksys as the Brand, 7941-9.X as the Model of Phone, line 1 as the line we're setting up, 1001 as the extension number, and Custom... as the template. Click the Add button, and that's it.

Conclusion

With all of this up and configured you should now be able to plug your phone in, and it should register with the FreePBX server. If you have any questions leave a comment below.

Over the next few weeks I'll be posting follow up tutorials on configuring a SIP trunk and other FreePBX/VoIP related topics.

Wednesday, May 11, 2016

DD-WRT OpenVPN server configuration

Overview

This tutorial will walk you through configuring an OpenVPN server on DD-WRT. For my configuration I used a Linksys WRT1900ACS which had already been flashed to run DD-WRT (DD-WRT v3.0-r28788 std (01/13/16)) and configured to act as my home router.

Server Configuration

The setup is fairly straightforward; the first portion to be configured is the OpenVPN server itself under the Services tab, VPN sub-tab.

For my server setup I chose a network of 192.168.2.0/24 for my subnet, AES256 for my encryption cipher, and SHA512 for my hash algorithm. Obviously these settings will vary for your individual configuration. Note that when you change certain server parameters, matching changes need to be made to the client configuration (see Client Configuration section).

Under Advanced Options I elected to enable Redirect default Gateway which pushes all traffic from the client PC through the VPN. An alternate configuration would be to use a split tunnel and push specific routes to the client PC. I also changed my Tunnel MTU setting to 1500.

Figure 1

The only OpenVPN server configuration required in the large text fields is the addition of your Public Server Cert, CA Cert, Private Server Key, and DH PEM. There are several tutorials out there on how to generate these files (along with how to generate the necessary files for each of your clients).

This tutorial provides a great overview on how to generate the certificates using easy-rsa on Windows after installing OpenVPN client for Windows.

This link is to Tunnelblick, an OpenVPN client for OS X with easy-to-access easy-rsa utilities included. You can follow the same steps for prepping and generating the certificates as in the Windows tutorial.

Be sure to paste everything between (and including) the ---BEGIN--- and ---END--- lines in the cert/key files in the appropriate fields.

Figure 2
Be sure to click Save and/or Apply Changes when the configuration is complete.

Firewall Changes

After the server portion is configured, some slight changes will need to be made to the DD-WRT router's firewall. These changes will be made under the Administration tab, Commands sub-tab. The following two rules will need to be added into the Commands box:

iptables -I FORWARD 1 -s 192.168.2.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING 2 -s 192.168.2.0/24 -o eth0 -j MASQUERADE

Figure 3
The first rule permits traffic sourced from the VPN subnet to be forwarded to your LAN; the second rule NATs traffic from your VPN out to the public web using your router's WAN interface. Once the rules have been added click the Save Firewall button. Your router needs to reload the firewall; this process may take up to a minute.
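DD-WRT re-runs the Commands box script on every firewall reload, so a bare "iptables -I" stacks a duplicate copy of each rule each time. The script below is an added example, not part of the original post: it wraps the two rules above so that each is inserted only if it is not already present. It assumes the post's VPN subnet (192.168.2.0/24) and WAN interface (eth0), an iptables build that supports "-C" (rule check), and that IPTABLES can be overridden to a stand-in command for testing.

```shell
#!/bin/sh
# Added example, not from the original post: the two DD-WRT rules made idempotent.
# Assumptions: VPN subnet 192.168.2.0/24 and WAN interface eth0 as in the post,
# an iptables that supports "-C", and IPTABLES overridable for a dry run.
IPTABLES="${IPTABLES:-iptables}"
VPN_NET="${VPN_NET:-192.168.2.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# ensure_rule TABLE CHAIN POSITION RULE...
# Insert RULE at POSITION unless an identical rule is already in CHAIN.
# Returns 0 when the rule was added, 1 when it was already present.
ensure_rule() {
    table="$1"; chain="$2"; pos="$3"; shift 3
    if "$IPTABLES" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        return 1
    fi
    "$IPTABLES" -t "$table" -I "$chain" "$pos" "$@"
}

# apply_vpn_rules: add the post's two rules; sets VPN_RULES_ADDED to the
# number of rules actually inserted (2 on the first run, 0 on later runs).
apply_vpn_rules() {
    VPN_RULES_ADDED=0
    # Let traffic from the VPN subnet be forwarded (to the LAN or on to the WAN).
    ensure_rule filter FORWARD 1 -s "$VPN_NET" -j ACCEPT \
        && VPN_RULES_ADDED=$((VPN_RULES_ADDED + 1))
    # Masquerade VPN clients behind the WAN address so replies come back via the router.
    ensure_rule nat POSTROUTING 2 -s "$VPN_NET" -o "$WAN_IF" -j MASQUERADE \
        && VPN_RULES_ADDED=$((VPN_RULES_ADDED + 1))
    echo "rules inserted: $VPN_RULES_ADDED"
}

# Run as "sh vpn-rules.sh --apply"; in the DD-WRT Commands box, end the
# script with a bare "apply_vpn_rules" line instead.
if [ "${1:-}" = "--apply" ]; then apply_vpn_rules; fi
```

Running it twice reports 2 inserted rules the first time and 0 the second, which is the behaviour you want from a script that fires on every WAN reconnect.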

Client Configuration

For a client to connect to the VPN server that was just configured four files are required:
  • ca.crt
  • client1.crt
  • client1.key
  • client1.ovpn
The ca.crt file is the same one that was pasted into the DD-WRT server during the initial configuration, the client1.crt and client1.key files are generated from the same toolset used to create the server certificates, and the client1.ovpn file will be created using a text editor (below).

The contents of the client1.ovpn file are below:

client
dev tun
proto udp
remote example.com 1194 # change this to your domain
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt # must match file name
key client1.key # must match file name
comp-lzo # must match the server's LZO compression setting
remote-cert-tls server
cipher AES-256-CBC # must match server
auth SHA512 # must match server
auth-nocache
keysize 256 # must match server
tun-mtu 1500 # must match server
float
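Several of the directives above are marked "must match server", and a mismatch only shows up when the client tries to connect. The script below is an added example, not part of the original post: it checks a client .ovpn against the server values chosen earlier (AES-256-CBC, SHA512, tun-mtu 1500; override with the EXPECTED_* variables), confirms that remote-cert-tls server is present, and verifies that the ca/cert/key files named in the profile sit next to it. Those file paths are assumed to be relative to the .ovpn file, as in the post's four-file layout.

```shell
#!/bin/sh
# Added example, not from the original post: check a client .ovpn against the
# server parameters chosen above before handing it out.
# Assumptions: server uses AES-256-CBC, SHA512 and tun-mtu 1500 as in the post
# (override via EXPECTED_*); ca/cert/key paths are relative to the .ovpn file.
EXPECTED_CIPHER="${EXPECTED_CIPHER:-AES-256-CBC}"
EXPECTED_AUTH="${EXPECTED_AUTH:-SHA512}"
EXPECTED_MTU="${EXPECTED_MTU:-1500}"

# ovpn_value FILE DIRECTIVE: first argument of DIRECTIVE, "# ..." comments stripped
ovpn_value() {
    sed 's/[#;].*//' "$1" | awk -v d="$2" '$1 == d { print $2; exit }'
}

# check_ovpn FILE: print one line per problem; returns the problem count (0 = consistent)
check_ovpn() {
    f="$1"; dir=$(dirname "$f"); problems=0
    for pair in "cipher=$EXPECTED_CIPHER" "auth=$EXPECTED_AUTH" "tun-mtu=$EXPECTED_MTU"; do
        d=${pair%%=*}; want=${pair#*=}; got=$(ovpn_value "$f" "$d")
        if [ "$got" != "$want" ]; then
            echo "$d: client has '${got:-unset}', server expects '$want'"
            problems=$((problems + 1))
        fi
    done
    # Without this, any certificate signed by the same CA (another client's, say)
    # would be accepted as the server's.
    if [ "$(ovpn_value "$f" remote-cert-tls)" != "server" ]; then
        echo "remote-cert-tls server: missing"
        problems=$((problems + 1))
    fi
    # The three files the post lists must sit next to the .ovpn under the given names.
    for d in ca cert key; do
        p=$(ovpn_value "$f" "$d")
        if [ -z "$p" ] || [ ! -f "$dir/$p" ]; then
            echo "$d: file '${p:-unset}' not found in $dir"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Usage: sh check-ovpn.sh client1.ovpn  (exit status = number of problems found)
if [ -n "${1:-}" ]; then check_ovpn "$1"; fi
```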

Conclusion

With all of this up and configured you should be able to import the client settings into your OpenVPN client and connect up. If you have any questions feel free to comment below.