Using Haproxy to Redirects Calls to FreePBX
-
Tls yes, and srtp too.
But tcp? for sip/voip?It can be done, but is certainly NOT a common/recommended way
-
@netblues said in Using Haproxy to Redirects Calls to FreePBX:
Tls yes, and srtp too.
But tcp? for sip/voip?It can be done, but is certainly NOT a common/recommended way
So, therefore, I would need an ACL like Server name Indication like in the pic below...how would I take care of the SRTP part? Would it all travels with TLS? Port 443? Two folks on FreePBX had mentioned SNI and TLS; however, only one of the two mentioned using Haproxy and claimed it would solve almost all security issues...but then, I needed to do the homework.
Thanks Netblues for help me doing my homework indirectly. From TLS Wiki: https://en.wikipedia.org/wiki/Transport_Layer_Security
Transport Layer Security (TLS), the successor of the now-deprecated Secure Sockets Layer (SSL), is a cryptographic protocol designed to provide communications security over a computer network. The protocol is widely used in applications such as email, instant messaging, and voice over IP, but its use in securing HTTPS remains the most publicly visible.The TLS protocol aims primarily to provide cryptography, including privacy (confidentiality), integrity, and authenticity through the use of certificates, between two or more communicating computer applications. It runs in the application layer and is itself composed of two layers: the TLS record and the TLS handshake protocols.
So, in essence Haproxy's reverse proxy would be acting as well as vouching for each calls before present to the voip server limiting the exposure between the DMZ and the voip server (FreePBX).
-
@nollipfsense Please finish your homework.
sni is related to https and has nothing to do with srtp or tls per se.As you already said, tls works at the application layer.
Haproxy works at the transport layer
in transport layer we have tcp or udp or icmp
( there are more but these are the most known ones)
tls can run on top of udp or tcp
same goes for srtp
( its the voice we need to protect in the end , and voice in sip IS rtp)
Unfortunately srtp in voip uses udp and since haproxy cannot handle udp, you need something else to handle UDP packets.
The industry standard for this is an sbc.
Can you spell kamailio? -
@netblues said in Using Haproxy to Redirects Calls to FreePBX:
@nollipfsense Please finish your homework.
sni is related to https and has nothing to do with srtp or tls per se.As you already said, tls works at the application layer.
Haproxy works at the transport layer
in transport layer we have tcp or udp or icmp
( there are more but these are the most known ones)
tls can run on top of udp or tcp
same goes for srtp
( its the voice we need to protect in the end , and voice in sip IS rtp)
Unfortunately srtp in voip uses udp and since haproxy cannot handle udp, you need something else to handle UDP packets.
The industry standard for this is an sbc.
Can you spell kamailio?Kamaillo seems would be taking me in another direction though, and I have already committed to FreePBX since I invested in a Lenovo M93 SFF 250SSD 16GB RAM and Htek enterprise phones admittedly overkill for my home office-lab with at most three extensions.
You seem to have intimate knowledge of voip setup; I must admit. I am waiting for the member of FreePBX forum to respond. I have decided to try Voip.MS SIP Trunk provider and most likely contact them tomorrow or over the weekend.
-
@netblues Okay, I got a reply and it seems that the member on FreePBX doesn't use UDP on or through Haproxy...I am pressing for details as it seems that member use SNI to validate SIP Trunk provider through Haproxy with the voip server (FreePBX) then, route the media (voice) regularly and separately. I am seeing why the member said the method is disruptive and I am intrigued despite the feeding one line at a time
-
@nollipfsense Again, an sbc won't replace freepbx
And no, you don't need an sbc for your home office.Freepbx will work great with any decent sip trunk provider.
You don't need to open any inbound ports, and don't need any plugins
Obviously you don't need redundancy with two fbx hosts too.
As for security you can always put freepbx in a dmz and filter traffic to the phones as needed.You will have to trust your sip provider. If the setup provides srtp, then you will have to go by the security standards of the provider.
Which brings us to the next level. Do you have external voip users?
Do they use sip mobile phones to connect to your home office?
Do they also need to receive incoming calls ?As for the hardware, its way more than you need.
2 cores and 3 gigs of ram is more than enough for fpbx
I would put a hypervisor and run pfsense on the same box too, -
@netblues said in Using Haproxy to Redirects Calls to FreePBX:
As for the hardware, its way more than you need.
2 cores and 3 gigs of ram is more than enough for fpbx
I would put a hypervisor and run pfsense on the same box too,I know its overkill but I am kind of like that. The latest Raspberry Pi all dressed up for voip would have been around the same cost of what I got the Lenovo with 8GB, and no hard-drive for $60 and I added the SSD as well as the other 8GB RAM I already had. At first, I had put ESXI on with FreePBX 14 and Ubuntu server but last weekend I removed Ubuntu and ESXI and reinstalled FreePBX 16 bare metal. I already have pfSense on a Lenovo M93 with 32GB RAM...another overkill as expected of me. I have two Mac Mini servers internally.
@netblues said in Using Haproxy to Redirects Calls to FreePBX:
As for security you can always put freepbx in a dmz and filter traffic to the phones as needed.
I already have FreePBX in a DMZ...I was just looking to tighten security before getting a SIP Trunk provider.
I also heard from the member of FreePBX forum who explain that his setup is a separate box that in not behind a firewall and NAT as in my case. Just for fun and experimenting, I see what exploring a setup with HAproxy does after checking with Voip.ms...seems their system would cooperate since they're using port 5004 srtp based on my reading. I also in my research I found this voip paper: https://www.govinfo.gov/content/pkg/GOVPUB-C13-3cee6719f04b98ad3d753a966b662c51/pdf/GOVPUB-C13-3cee6719f04b98ad3d753a966b662c51.pdf
-
@nollipfsense I wouldn't be bothered with anything being written in 2005 for todays systems, unless it is for historical reasons.
As for voip.ms, yes, they offer tls for sip, (over tcp) which would work with haproxy, as far as signaling is concerned, but when the call start it would be srtp over udp again, and you calls will be audioless.
There is 0 benefit into using haproxy in this scenario.
Srtp and sip/tls will make your calls secure on the Internet.
And you don't have to open ANY ports to the internet too.
freepbx will be originating all registration requests
If voip,ms decides to attack you via sip registration replies, it can still do it.
Haproxy will never be used, since there are NO incoming connectionsIf you really want to be paranoid, then use and sbc,
Its the only thing in your setup that can add an extra level of isolation at
the sip level. -
@netblues said in Using Haproxy to Redirects Calls to FreePBX:
I wouldn't be bothered with anything being written in 2005 for todays systems, unless it is for historical reasons.
It was more for how we got were we are today.
@netblues said in Using Haproxy to Redirects Calls to FreePBX:
There is 0 benefit into using haproxy in this scenario.
Srtp and sip/tls will make your calls secure on the Internet.Well, I signed up with Voip.ms today (demo) and was looking through the various setting without configuring anything and it appears you maybe correct that incorporating HAproxy, as rosy as the learning experience was, as well as my burning desire to experiment with the package, may actually prove counterproductive. Still, it wouldn't hurt to speak with Voip.ms support on the matter before finally giving up. I will however run Snort IDS on the DMZ.
-
@nollipfsense Making srtp to work properly isn't always straight forward.
But its certainly worth investigating.Are you hosting anything? Any open ports to the Internet? Why do you need a dmz in a home office scenario?
-
@netblues said in Using Haproxy to Redirects Calls to FreePBX:
@nollipfsense Making srtp to work properly isn't always straight forward.
But its certainly worth investigating.Are you hosting anything? Any open ports to the Internet? Why do you need a dmz in a home office scenario?
Well, my setup has two firewalls: pfSense as edge and Mikrotik as LAN guard. I had tried using FreePBX that way and that was too much limitation. Then, I saw Jimp's video (Netgate hangout) on DMZ: https://www.youtube.com/watch?v=QFk5jX-oeSo
That convinced me that was the way to go and had started using FreePBX with the same Lenovo but with a Mac Mini running pfSense. I used Twillio for a short while but had problems with inbound calls. Then I had to abandon the project for a year. No, I am not host anything internally so not ports open. I have been using Namecheap for domain hosting for six years now, and I stay with them only because I have a kick ass Cpanel suite.Voip.ms responded today saying there should not be a problem using HAproxy and sent links to their document wiki. Of course, support would say that to get me to commit to using their service ; so, I am taking it with a grain of salt. Most of the time one isn't dealing with a real knowledgeable support person; so who knows, I certainly trying. inbound calls is usually the troublesome part. I am checking this Jimp's firewall best practice for VOIP video (Nategate hangout) as final refresher preparation: https://www.youtube.com/watch?v=C0JgrzxXIBY
