Access PBX From Internet – Best Practice

Home » Asterisk Users » Access PBX From Internet – Best Practice
Asterisk Users 5 Comments


I have a question about best practice (or recommended practice) for allowing SIP registrations from the Internet.

This is what I was thinking of implementing:
1. Use OpenSips for the SBC, enable SRTP and TLS
2. Allow limited access to the actual Asterisk PBX (behind firewall) via OpenSips

Is there anything that I am missing that probably should be implemented?



5 thoughts on - Access PBX From Internet – Best Practice

  • The endpoints do not have a fixed IP, and a VPN tunnel wouldn’t work under this scenario. Basically this setup is for people who are traveling, and may be using a smart phone at an airport (or something similar). The idea is that our system can be used to reduce toll costs, and provide access to internal resources. Thank you for the recommendations on fail2ban, IPtables, and the device naming scheme… I am not overly found of having a device name (ex: 101) that corresponds to the extension being used, so I will be using user and devices under freebpbx to name them differently.

    —–Original Message—–
    From: “Administrator TOOTAI”
    Sent: Thursday, October 17, 2013 6:56am To: Subject: Re: [asterisk-users] Access PBX from internet – best practice

    Le 17/10/2013 12:30, a écrit :


    Registrations from Internet is vague:

    – are EP with fixed IP: define the extension in SIP.conf with host = . You can even add an iptables rule to allow the to connect to port 5060 in udp (if your setup is this one)
    – are EP travellers => fail2ban or through VPN. OpenVPN is a good solution.

    All clients doesn’t support SRTP

    In all cases I would recommend:

    – a strong extension definition eg [MyFav0Rite-prefiX_123] instead of [123]
    – always use fail2ban



  • A VPN would be perfect for this situation – you certainly don’t need fixed IPs on the endpoints. I quite happily pass calls over my VPN from my smartphone.

  • If remote users *only* need to call contacts *within the office*, then whatever other precautions you take, make sure they land in a context which does not allow outside calls.

    If you’re feeling sufficiently evil, use Audacity to create a file with a few seconds of ringing-out tone followed by a deathly silence; and play this to remote users calling numbers they shouldn’t, before doing a Hangup().

  • Yes, but this is not sufficient. When transfers are allowed, the outside channel will operate in the local context (typically from-internal). You also need to set the transfer options properly, or this could be abused.