This might be a dumb question but wondering how to do this. Let’s say my Asterisk box has 4 analog phone lines and then all SIP IP phones. If I was at home and not in the office and wanted to work from home using a softphone or SIP IP phone, just wondering how I would do that. I have a static IP, so is it just a matter of opening the correct port in my router for SIP, and then from my softphone or IP phone at home, entering the static IP for my internet connection vs the actual IP of my server?
You would configure your sip phone (at your home office) to point to your Asterisk’s public IP address or DNS name. This assumes you already have all the required ports configured on your firewall for your Asterisk server.
In the case of a SIP softphone app for Windows (Vista in my case), the right port is opened during installation and made accessible through the firewall, as apps are installed by an administrator.
Something to be aware of, if you are going to open the SIP port to the world, is to make sure that your dial plan is secured. We have had an increasing number of “account enumeration” attacks against our system. We get one around every 3-4 weeks, up from one every 3 months at the start of the year.
If your Asterisk is behind NAT, you’re safe, but you can't do anything from outside. If you open up, you really have to ensure your dial plan is locked down, or look at restricting the ranges where someone can make a SIP connection.
If you were to use a VPN which was TCP based, it will work, but it is connection driven, meaning that it will retransmit lost packets. SIP (signalling) and RTP (audio) are time critical, and so use UDP, a connectionless protocol. It's better to lose a few packets than to stall things while you retransmit the lost packets. If the connection is good, there won’t be any problems, but if the connection is marginal, you may have issues.
If I were you, I would look at either:
- Use a nonstandard port for your SIP, unless of course you want to enable anonymous SIP to SIP calls. At least you won't turn up on a SIP port scan (simple).
- Use a UDP friendly firewall such as OpenVPN. This will allow you to run UDP back to your server securely and without too much overhead (preferred).
OpenVPN is available on OpenWRT and the more commercial branch DD-WRT for Linux based hardware routers, otherwise you could run a server on the Asterisk box and port forward the OpenVPN port. Much safer.
You could also look at fail2ban to manage blocking extension enumeration attacks; however, in some instances, while it works to stop the system reacting, as SIP is running over UDP, even though you block the traffic, the scanner continues to bombard the connection, as the protocol doesn't report back packet loss and the scanner keeps waiting for the SIP responses. So you may still have much of your bandwidth taken up, even though you have blocked the IP address.
Hope this makes sense. Keep us all posted.
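As an added example (not code from any poster or from the Asterisk project), the following script shows the kind of enumeration detection the reply above delegates to fail2ban, plus the source-range restriction it suggests: it parses registration failures in the shape chan_sip writes to the Asterisk log, flags source addresses that tried many different account names, exempts an assumed allowed range (the remote worker's static IP), and emits iptables rules for the rest. The log lines, the 192.0.2.0/24 allowed range and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample lines, patterned after chan_sip registration failures.
SAMPLE_LOG = """\
[2010-06-01 09:12:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@198.51.100.20>' failed for '203.0.113.9:5060' - No matching peer found
[2010-06-01 09:12:01] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@198.51.100.20>' failed for '203.0.113.9:5060' - No matching peer found
[2010-06-01 09:12:02] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@198.51.100.20>' failed for '203.0.113.9:5060' - No matching peer found
[2010-06-01 09:12:02] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@198.51.100.20>' failed for '203.0.113.9:5060' - Wrong password
[2010-06-01 09:15:40] NOTICE[2231] chan_sip.c: Registration from '"201" <sip:201@198.51.100.20>' failed for '192.0.2.77:5060' - Wrong password
"""

# Assumed: the remote worker's static range, which must never be auto-blocked.
ALLOWED_SOURCES = [ip_network("192.0.2.0/24")]

FAIL_RE = re.compile(
    r"chan_sip\.c: Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

def parse_failures(log_text):
    """Return (source_ip, attempted_account, reason) for each failed REGISTER."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append((m.group("ip"), m.group("user"), m.group("reason")))
    return events

def flag_enumerators(events, threshold=3):
    """Map source IP -> number of distinct accounts tried, for IPs at/above threshold.
    Many different account names from one source is the enumeration signature;
    a single user mistyping a password only ever touches one account."""
    accounts = defaultdict(set)
    for ip, user, _reason in events:
        accounts[ip].add(user)
    return {ip: len(users) for ip, users in accounts.items() if len(users) >= threshold}

def block_candidates(flagged, allowed=ALLOWED_SOURCES):
    """Drop any flagged IP that falls inside an explicitly allowed source range."""
    return sorted(ip for ip in flagged
                  if not any(ip_address(ip) in net for net in allowed))

def iptables_rules(ips, port=5060):
    """One DROP rule per offending source for the SIP UDP port."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in iptables_rules(block_candidates(flag_enumerators(parse_failures(SAMPLE_LOG)))):
        print(rule)
```

Dropping the packets only stops Asterisk from answering; as the reply above notes, the scanner's inbound UDP still consumes bandwidth until it gives up.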