
Secure Communications with OpenBSD and Asterisk

UPDATE

Since I first started writing this article, many things have changed in the telephony world inside OpenBSD, so I have updated this article to match those changes.

– Asterisk was updated from version 1.4.22.2 to 1.6.0.19, which means a LOT of changes*
– app_conference is gone now. Introducing appkonference.
– chan_unistim has been integrated into Asterisk

This is great news!

2009/12/13 – [ports] New asterisk release and app_conference
The Asterisk package was updated to 1.6.0.x, you might need to make some configuration changes; please see /usr/local/share/doc/asterisk/UPGRADE-16.txt. The old app_conference plugin is incompatible with the new version, you must use appkonference instead.

What changes with this new Asterisk 1.6.0.19?

I won't list all of them here (see below for more information), but there are a few modifications that I would like to highlight:

* Added SIP Session Timers support (RFC 4028). This prevents stuck SIP sessions that were not properly torn down due to network or endpoint failures during an established SIP session.
* Added experimental TCP and TLS support for SIP. See doc/siptls.txt and configs/sip.conf.sample for more information on how it is used.

Also:

– Major SDP problem fix.
– More details at their changelog.
– For the complete set of changes please visit this.

The main idea behind this series of articles is to provide the information necessary to set up an IP PBX solution using OpenBSD as the base OS for the job.

This is still a draft and I will be adding more and more pieces to it as time goes.

TODO

– Nokia cellphones configuration
– ATA configuration
– sip.conf and extensions.conf explanation

Why OpenBSD?

There are a lot of reasons WHY one would pick OpenBSD right away, but here are my points:

  • It's well known for its proactive security
  • It has a clean and small install footprint
  • It runs on a great variety of hardware
  • Asterisk is readily available from packages and ports

For my purposes I’m running OpenBSD on an i386 Toshiba Tecra Notebook (dmesg).

NOTE: Please remember that in order to deliver high quality software, the OpenBSD team needs to invest time and resources (electricity, air conditioning, hardware, cables, etc.), which usually boils down to the developers withdrawing money from their own savings. Truth be told, a few large companies out there are showing their appreciation and donating, but most of the donations come in small amounts from users. So let's gear up with their fine t-shirts, posters and CDs!

Place a visit to the OpenBSD project ordering page!

Where are we heading to?

This is the BIG PICTURE of our configuration.

In this scenario we have:

  • IP PBX running OpenBSD 4.6-current and asterisk-1.6.0.19
  • Linksys PAP2TNA with 1 FXS and 1 FXO interface
  • 2 Linksys PAP2T with 2 FXS interfaces each playing a role as our remote extensions
  • 4 Roadwarrior extensions based on Nokia’s E71, N95 and N86 phones.

As for our inbound and outbound routes we have:

  • 1 FREE DID number from Ipkall
  • Since our PAP2TNA has 1 FXO interface we will use that to reach the PSTN.
  • For long distance calls we will use Vitelity*. In my case that covers in-country (Brazil) calls to cellphones; as an alternative to Vitelity I use GVT's Vono.

Note: After trying some other providers I finally landed at Vitelity, and after almost a straight year with them I can say for sure that they have a very reliable service.

Well, what do you have in mind then?

For our initial PBX this is what I would like to suggest:

  • Blacklisting
  • Conference Rooms
  • Mobile and WAN phone extensions with g729.
  • IVR – Interactive Voice Response
  • DISA – Direct Inward System Access
  • Voicemail

Don’t worry if these acronyms sound a little alien to you, we will go over them.

Some more ideas can be added to this configuration, such as gtalk integration. An interesting idea that I would like to cover here is the addition of a back-to-back IPsec tunnel between two OpenBSD nodes in order to securely expand and connect two remote offices or branches. If you are in a hurry and can't wait, a good place to start is by reading the article “Zero to IPSec in 4 minutes” from Dragos Ruiu. Yet another approach would be an SSH-based VPN.

The install

With the basic ideas in mind we can now move on and install OpenBSD. Please remember that for this example I will be using an i386 platform, so bear in mind that for other architectures the install process differs. The entire process can be easily achieved by following the project's fine FAQ, so I will not try to reinvent the wheel here ;).

However I would like to remind you about a few steps:

  • Please read and understand what's being written here. Yes, for you to take advantage of Asterisk 1.6.0.19 you will have to follow -current, or you could wait until 4.7 comes out.
  • Be sure to read and understand what's being written in the afterboot man page!
  • Make sure that the hardware you are installing OpenBSD on is supported by the project, so that you don't find yourself in a cage created by some vendors.
  • It is always a good idea to check the i386 hardware information page and the misc list. Please do your homework BEFORE you start posting on this list. Most issues can be solved with a visit to our good ol' Google 🙂
  • When setting the environment variable PKG_PATH, try to use the closest FTP mirror; this should speed up the install process and won't overload the main servers.
  • Don't just jump into the configuration without creating a user for yourself first. The reasons should be obvious, but see why below:

For security reasons, it is bad practice to log in as root during regular use and maintenance of the system. Instead, administrators are encouraged to add a “regular” user, add said user to the “wheel” group, then use the su(1) and sudo(8) commands when root privileges are required. This process is described in more detail later.

If you haven't created a user during the install process, please take a moment and do so now. As the old mantra goes: if you shoot yourself in the foot (as root), chances are you might take your leg off!

Asterisk and Pufferix!

Ok, so now we have the base installation done! Congratulations! Let's fasten our seat belts and install Asterisk and its friends through the ports collection and the binary package system. A thorough description of how to use the package infrastructure can be found here. As for ports, the telephony software can be found under /usr/ports/telephony/.

In order to install Asterisk on our system we will install the following packages:

asterisk-1.6.0.19.tgz
asterisk-openbsd-moh-4.6.tgz
asterisk-native-sounds-1.2p0.tgz
asterisk-sounds-1.2.1p3.tgz
appkonference-1.2.tgz

As a dry-run example, here is how one would install the asterisk-openbsd-moh-4.6.tgz package:

$ export PKG_PATH=ftp://your.ftp.mirror/pub/OpenBSD/snapshots/packages/i386
$ sudo pkg_add asterisk-openbsd-moh-4.6.tgz
asterisk-openbsd-moh-4.6.tgz: complete

Now, most of these applications we will be installing through the ports system, so please make sure you have updated yours! In order to install asterisk-1.6.0.19, this is what we need to do:

$ cd /usr/ports/telephony/
$ cd asterisk
$ make
$ make clean
Cleaning for asterisk-1.6.0.19p0
$ make
asterisk-1.6.0.19p0 depends on: metaauto-* - found
asterisk-1.6.0.19p0 depends on: autoconf-2.62 - found
asterisk-1.6.0.19p0 depends on: automake->=1.9, asterisk-1.6.0.19p0 depends on: gmake-* - found
asterisk-1.6.0.19p0 depends on: libtool-* - found
asterisk-1.6.0.19p0 depends on: gsm-* - found
asterisk-1.6.0.19p0 depends on: libogg-* - found
asterisk-1.6.0.19p0 depends on: libvorbis-* - found
asterisk-1.6.0.19p0 depends on: sqlite3-* - found
asterisk-1.6.0.19p0 depends on: libexecinfo-* - found
asterisk-1.6.0.19p0 depends on: popt-* - found
asterisk-1.6.0.19p0 depends on: iodbc-* - found
asterisk-1.6.0.19p0 depends on: net-snmp-* - found
asterisk-1.6.0.19p0 depends on: curl-* - found
asterisk-1.6.0.19p0 depends on: postgresql-client-* - found
asterisk-1.6.0.19p0 depends on: iksemel-* - found
asterisk-1.6.0.19p0 depends on: openldap-client-* - found
asterisk-1.6.0.19p0 depends on: spandsp-* - found
asterisk-1.6.0.19p0 depends on: tiff-* - found
Verifying specs: gsm ogg.=5 vorbis.=5 vorbisenc.=2 sqlite3.>=3 execinfo popt iodbc.3 netsnmp.7 netsnmpagent.>=7 netsnmphelpers.7 netsnmpmibs.7 curl.6 pq.=5 iksemel ldap spandsp tiff c crypto m pthread ssl stdc++ termcap z c m perl util crypto idn ssl z z
found gsm.1.0 ogg.6.0 vorbis.7.0 vorbisenc.3.0 sqlite3.13.3 execinfo.0.0 popt.0.3 iodbc.3.15 netsnmp.8.0 netsnmpagent.8.1 netsnmphelpers.8.0 netsnmpmibs.8.0 curl.14.1 pq.5.2 iksemel.0.1 ldap.9.1 spandsp.5.0 tiff.38.2 c.53.0 crypto.18.0 m.5.2 pthread.12.0 ssl.15.1 stdc++.49.0 termcap.10.0 z.4.1 perl.11.1 util.11.0 idn.16.30
Checking files for asterisk-1.6.0.19
`/usr/distfiles/asterisk-1.6.0.19.tar.gz' is up to date.
(SHA256) asterisk-1.6.0.19.tar.gz: OK
Extracting for asterisk-1.6.0.19
Patching for asterisk-1.6.0.19
cd /usr/obj/ports/asterisk-1.6.0.19/asterisk-1.6.0.19; AUTOMAKE_VERSION=1.9 AUTOCONF_VERSION=2.62 ./bootstrap.sh
Generating the configure script ...

[...] many lines of output

$ sudo make install
Password:
Looking for asterisk-1.6.0.19p0.tgz in $PKG_PATH -

[...] More output

Installing asterisk-1.6.0.19p0 from /usr/packages/i386/all/
asterisk-1.6.0.19p0: ok

If all goes well you should now have asterisk-1.6.0.19 installed on your system! Go ahead and try to connect to Asterisk now!

$ asterisk -vvvr
Asterisk 1.6.0.19, Copyright (C) 1999 - 2009 Digium, Inc. and others.
Created by Mark Spencer
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'core show license' for details.
=========================================================================
Connected to Asterisk 1.6.0.19 currently running on matusalem (pid = 3937)
Verbosity is at least 4
matusalem*CLI>

Please proceed with the install of appkonference, asterisk-native-sounds, asterisk-sounds and asterisk-openbsd-moh.

In the end you should have something like this:

$ pkg_info | grep asterisk
appkonference-1.2 conferencing application for asterisk
asterisk-1.6.0.19 open source multi-protocol PBX and telephony toolkit
asterisk-native-sounds-1.2p0 'native' (better) sound files for Asterisk open source PBX
$

WAIT A SECOND! HOLD ON! Keep reading

Lucky for us, we can grab an electronic version of the book “Asterisk: The Future of Telephony, Second Edition” as easy as 1-2-3 through our beloved package system. This is how you do it:

$ sudo pkg_add AsteriskTFOT-2.0.tgz
Password:
AsteriskTFOT-2.0: complete
Voilà! 🙂

As a side note I would like to point out that an online version is also available at the Asterisk Documentation Project website.

Please notice that there are other options available as packages. Below is a list of all of the packages related to Asterisk:

AsteriskTFOT-2.0
appkonference-1.2
asterisk-1.6.0.19p0
asterisk-odbc-1.6.0.19p0
asterisk-snmp-1.6.0.19p0
asterisk-curl-1.6.0.19p0
asterisk-pgsql-1.6.0.19p0
asterisk-jabber-1.6.0.19p0
asterisk-ldap-1.6.0.19p0
asterisk-fax-1.6.0.19p0
asterisk-1.6.0.19p0-h323
asterisk-native-sounds-1.2p0
asterisk-openbsd-moh-4.6
asterisk-sounds-1.2.1p3
astmanproxy-1.22pre081119
p5-asterisk-0.09p0

Holy smokes Batman! Why do we need these packages?

I was wondering that too! Hope the Joker is not listening to this! Well, we'd better check out why I've selected these packages:

asterisk-1.6.0.19.tgz: This is the main package; it contains all of the necessary pieces. For a very simple install you could always just stick to this one. As an extra note, let's take a look at what pkg_info brings us:

Information for inst:asterisk-1.6.0.19

Install notice:
Simplified sample configuration is provided in /etc/asterisk;
the full set is available in /usr/local/share/examples/asterisk/default.

To have Asterisk start at boot time, you may insert the following
into /etc/rc.local:

if [ -x /usr/local/sbin/safe_asterisk ]; then
        echo -n ' asterisk'; /usr/local/sbin/safe_asterisk
fi

This uses safe_asterisk which monitors for abnormal termination
and restarts the daemon, and also creates the directory for the
control socket and pid file (by default, /var/run/asterisk).

If you prefer not to use safe_asterisk, you must create this
directory yourself since /var/run is cleared at boot.

This is all we needed! Stuart Henderson <sthen@openbsd.org>, the maintainer of this port, has done a terrific job keeping Asterisk as good as it gets, and his guidelines here are to be followed. So first of all we need to insert the 3 lines that enable safe_asterisk into /etc/rc.local, and after that pay a quick visit to /etc/asterisk, which, by the way, is where all of our configuration is stored.
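As an added example (not code from the original post or from the OpenBSD port), here is a boot-time start fragment that implements the install notice above: it uses safe_asterisk when present and otherwise recreates the control-socket/pid directory itself before starting the daemon, since /var/run is cleared at boot. The function names and the 0750 directory mode are my own choices, and the paths are passed as arguments so the logic can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not part of the original post or the OpenBSD asterisk port.
# Start fragment for /etc/rc.local: prefers safe_asterisk and falls back to
# creating the run directory itself (the port's notice warns that /var/run is
# cleared at boot). Paths are arguments so the functions can be tested.

# Create the run directory if missing. Only root needs to reach the control
# socket on this box, so the directory is kept to owner and group (my choice;
# adjust ownership if Asterisk runs as a dedicated user).
ensure_run_dir() {
    dir=$1
    [ -d "$dir" ] && return 0
    mkdir -p "$dir" && chmod 0750 "$dir"
}

# Succeed only when <run_dir>/asterisk.pid names a live process, so running
# the fragment by hand never starts a second instance.
asterisk_running() {
    pidfile=$1/asterisk.pid
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# start_asterisk <run_dir> <safe_asterisk_path> <asterisk_path>
start_asterisk() {
    run_dir=$1; safe_bin=$2; ast_bin=$3
    if asterisk_running "$run_dir"; then
        echo "asterisk already running (pid $(cat "$run_dir/asterisk.pid"))" >&2
        return 0
    fi
    if [ -x "$safe_bin" ]; then
        # safe_asterisk creates the run directory and restarts on abnormal exit
        echo -n ' asterisk'; "$safe_bin"
    else
        # no safe_asterisk: recreate the directory ourselves, then start plain asterisk
        ensure_run_dir "$run_dir" || return 1
        echo -n ' asterisk'; "$ast_bin"
    fi
}

# In /etc/rc.local the call with the port's default paths would be:
# start_asterisk /var/run/asterisk /usr/local/sbin/safe_asterisk /usr/local/sbin/asterisk
```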

  • asterisk-openbsd-moh-4.6.tgz: This package contains all of the OpenBSD release themes to be used as Music on Hold.
  • asterisk-native-sounds-1.2p0.tgz and asterisk-sounds-1.2.1p3.tgz: These add better and extra sounds to your PBX; they are a must.
  • appkonference-1.2.tgz: This is a conferencing application for Asterisk.

This is it for part 1 of this series of small articles. Next we will see:

  • Configuring our ATAs and Cellphones
  • Assembling the last part of the puzzle: blacklisting, voicemail and other friends!

4 thoughts on “Secure Communications with OpenBSD and Asterisk”

  1. Did you have any luck with the e71 VPN client connecting to OpenBSD’s IPsec? I never seem to get the phone to emit any proposal that OpenBSD will accept, looking at extended isakmpd output, it looks like the phone never sends any proposal at all. If you have a working setup, please tell the world!
