From: David K. <da...@ke...> - 2020-12-22 03:04:40
The custom firewall rules that I provided earlier in this thread have a flaw in that they require DNS to be active to resolve the FQDN to IP addresses. This works if you restart the firewall after initial boot, but on boot up the firewall is started before DNS services are available and so it fails. Thanks to a tip from Lonnie I have updated my custom rule script...

open_for_host_port()
{
  local host="$1"
  local port="$2"
  local type="$3"

  echo "[CUSTOM RULE] spawn background to open port $port/$type for $host"
  # Resolve in a background subshell so firewall startup is not blocked
  (
    RETRY=6
    while [ $RETRY -gt 0 ]; do
      RETRY=$((RETRY - 1))
      local IFS=$'\n'
      local IP=""
      # Keep only the lines of host output that carry an A record
      local IPV4="$(host -t A "$host" | sed -n -r -e 's#^.* has address ([0-9.]+)$#\1#p')"
      if [ -n "$IPV4" ]; then
        for IP in $IPV4; do
          IP="${IP##* }"
          echo "[CUSTOM RULE] open port $port/$type for $host at $IP"
          ip4tables -I EXT_INPUT_CHAIN -s "$IP" -p "$type" -m "$type" --dport "$port" -j ACCEPT
        done
        # Keep only AAAA answers, so "has no AAAA record" is not used as an address
        local IPV6="$(host -t AAAA "$host" | sed -n -r -e 's#^.* has IPv6 address ([0-9A-Fa-f:]+)$#\1#p')"
        for IP in $IPV6; do
          IP="${IP##* }"
          echo "[CUSTOM RULE] open port $port/$type for $host at $IP"
          ip6tables -I EXT_INPUT_CHAIN -s "$IP" -p "$type" -m "$type" --dport "$port" -j ACCEPT
        done
        exit
      else
        echo "[CUSTOM RULE] DNS service not up, sleep for 5 seconds"
        logger -t CUSTOM_RULE -p user.info "DNS service not up, sleep for 5 seconds"
        sleep 5
      fi
    done
    echo "[CUSTOM RULE] Time out waiting for DNS service, ports not opened for $host"
    logger -t CUSTOM_RULE -p user.error "Time out waiting for DNS service, ports not opened for $host"
  ) &
}

open_for_host_port "all.sipis.acrobits.cz" "5061" "tcp"

On Sat, Nov 28, 2020 at 6:42 PM Michael Knill <mic...@ip...> wrote:

> Thanks David
>
> Yes I have used Bria with Wireguard VPN and it works fine. Also fails over well when roaming between Wifi and 4G. Yes you need to manually activate it which is annoying and I think it may prevent the softphone from backgrounding so battery problems as well.
>
> Interestingly however, I did some testing this morning with my Acrobits portal and the Cloud Softphone product on a test account using TLS. Provisioning was a matter of pointing the phone to a QR code and it worked first time.
>
> There appeared to be no issues with re-registration between the push server and direct and I did a test driving down the road and there was a short break but it roamed successfully between Wifi and 4G. Bit annoying as the call only stays up for 1m so not really a long enough test but long enough to notice successful roaming.
>
> I think it's time to test it for real now. I will keep you posted. Thanks all for the feedback.
>
> Regards
> Michael Knill
>
> From: David Kerr <da...@ke...>
> Reply to: AstLinux Developers Mailing List <ast...@li...>
> Date: Sunday, 29 November 2020 at 9:51 am
> To: AstLinux Developers Mailing List <ast...@li...>
> Subject: Re: [Astlinux-devel] Recommendations for my architecture moving forward
>
> Looking at https://developer.apple.com/documentation/networkextension/personal_vpn/vpn_on_demand_rules it seems that Wireguard have implemented very basic VPN on-demand (turn it on when on cellular or when on wifi). What would be needed is much more granular control, at a minimum turn on for specific applications only. Even better would be connection specific rules. That feels like a lot of work which would have to get implemented in the Wireguard iOS app.
>
> David
>
> On Sat, Nov 28, 2020 at 5:35 PM David Kerr <da...@ke...> wrote:
>
> I used to have 5061 open to anything, but I started to get attempts to login and make calls, so I now restrict it to the Acrobits servers. For the iPhone itself I have to be connected to my home network either directly to the WiFi or by VPN (I use Wireguard). Acrobits (afaik) has no built-in VPN. I have not tried the Wireguard on-demand setting but it is possible that might work.
>
> I have not tried roaming between WiFi and Mobile.
>
> David
>
> On Sat, Nov 28, 2020 at 3:44 PM Michael Knill <mic...@ip...> wrote:
>
> Hi All
>
> Thanks for responding.
> Bria is certainly the gold standard however I have been down the Acrobits path and had a full demo of what they can provide. They have a full white labelling solution and their provisioning system is pretty cool. Just point your phone to a QR code.
>
> David are you only opening up 5061 to the push server? If so then your iPhone must never directly register to your system externally?
> Also another question; can you roam between Wi-Fi and 4G while on a call?
>
> Regards
> Michael Knill
>
> From: David Kerr <da...@ke...>
> Reply to: AstLinux Developers Mailing List <ast...@li...>
> Date: Sunday, 29 November 2020 at 2:48 am
> To: AstLinux Developers Mailing List <ast...@li...>
> Subject: Re: [Astlinux-devel] Recommendations for my architecture moving forward
>
> I have had Acrobits Softphone installed on my iPhone for several years. I don't use it a whole lot but it works well. It has push notification for when the softphone is "in the background." The way that works is that they have their own server that registers to your SIP port and when a call comes in their server generates a push to your iPhone and on receipt of that you open up the Softphone and somehow a handoff is done from their server to your phone. Just recently I contacted their tech support to find out what IP addresses I should use for their servers (they have multiple) so that I didn't have to open up 5061 to everyone. This is what I have in my custom rules...
>
> open_for_host_port()
> {
>   local host="$1"
>   local port="$2"
>   local type="$3"
>   local IFS=$'\n'
>   local IPV4="$(host -t A $host)"
>   local IPV6="$(host -t AAAA $host)"
>   local IP=""
>
>   for IP in $IPV4; do
>     IP="${IP##* }"
>     echo "[CUSTOM RULE] open port $port/$type for $host at $IP"
>     ip4tables -A EXT_INPUT_CHAIN -s $IP -p $type -m $type --dport $port -j ACCEPT
>   done
>
>   for IP in $IPV6; do
>     IP="${IP##* }"
>     echo "[CUSTOM RULE] open port $port/$type for $host at $IP"
>     ip6tables -A EXT_INPUT_CHAIN -s $IP -p $type -m $type --dport $port -j ACCEPT
>   done
> }
>
> open_for_host_port "all.sipis.acrobits.cz" "5061" "tcp"
>
> On Sat, Nov 28, 2020 at 10:17 AM Lonnie Abelbeck <li...@lo...> wrote:
>
> > On Nov 28, 2020, at 5:17 AM, Michael Keuter <li...@mk...> wrote:
> >
> >> On 27.11.2020 at 22:46, Michael Knill <mic...@ip...> wrote:
> >>
> >> Hi Devs
> >>
> >> Hoping that I can get some advice from you in determining my development efforts moving forward.
> >> As driven by Covid, I have an increased number of customers that want mobile softphones and I have lost at least one customer and likely more because I have not been able to provide this functionality.
> >>
> >> I am looking to use Bria which I believe is the gold standard and I sort of have push notification working on it. The problem is that Push Notification work best with multiple registration which is not supported with chan_sip.
> >>
> >> So I have two options I believe:
> >> • Migrate to PJSIP
> >> • Add Kamailio to Astlinux to sit in front of Asterisk
> >>
> >> Now 1) will certainly be the easiest however 2) is something that I would love to do as its going to be more secure with external connecting clients.
> >>
> >> Any comments would be greatly appreciated?
> >>
> >> Regards
> >> Michael Knill
> >
> > Hi Michael,
> >
> > I have similar thoughts and would be interested in a more universal solution as well.
> >
> > I have one big customer, where I use WireGuard plus mostly Linphone without Push Notifications.
> > And the customer is quite happy with it, although they are not using it excessively.
> >
> > I created a (combined) template for an IP-phone plus a softphone under the same extension, same CLID, but with different SIP account names (with chan_sip).
> >
> > I generated the dialplan (in the template as well) so that both phones ring parallel.
> >
> > Most depends how the mobile OS handles priority for the SIP client on the phone and the sleep functions.
> >
> > For Push Notifications I found this:
> >
> > https://www.zoiper.com/en/tutorials/push-notifications
> > https://github.com/balusreekanth/ios-asterisk-push
> >
> > BTW: For simple notifications (only for my own phone) I use Pushover (works also via email) or prepaid SMS via Voipbuster.
> >
> > https://pushover.net
> > https://www.voipbuster.com/sms_rates
> >
> > Michael
>
> Has anyone tested "Acrobits Groundwire" or "Acrobits Softphone" ?
>
> It looks like many "custom" mobile UC apps are based on the Acrobits SDK.
>
> Lonnie
>
> _______________________________________________
> Astlinux-devel mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-devel
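
Added example, not part of the original thread or of AstLinux: rules built from a single DNS lookup keep whatever addresses were returned at that moment, so this dry run shows how a later refresh could add and remove EXT_INPUT_CHAIN rules while leaving them untouched when the lookup fails. The function names, the host sip.example.test and the 192.0.2.x addresses are constructed; ip4tables, ip6tables and EXT_INPUT_CHAIN are taken from the script in the message above.

```bash
#!/bin/bash
# Constructed sample data: documentation addresses, not real provider servers.
SAMPLE_A='sip.example.test has address 192.0.2.10
sip.example.test has address 192.0.2.11'
SAMPLE_AAAA='sip.example.test has no AAAA record'
SAMPLE_OLD='192.0.2.9
192.0.2.10'

# Print only the addresses found in `host` output; any other line
# (no record, NXDOMAIN, CNAME alias, timeout text) is dropped.
parse_host_addrs() {
  printf '%s\n' "$1" | sed -n -r \
    -e 's#^.* has address ([0-9]{1,3}(\.[0-9]{1,3}){3})$#\1#p' \
    -e 's#^.* has IPv6 address ([0-9A-Fa-f:]+)$#\1#p' | sort -u
}

# Pick the wrapper name used in the thread's script by address family.
cmd_for() { case "$1" in *:*) echo ip6tables ;; *) echo ip4tables ;; esac; }

# plan_rules OLD NEW PORT PROTO  (OLD/NEW: newline-separated addresses)
# Prints -I for addresses that appeared and -D for ones that went away.
# An empty NEW is treated as a failed lookup: nothing is removed.
plan_rules() {
  local old="$1" new="$2" port="$3" proto="$4" ip
  if [ -z "$new" ]; then
    echo "# lookup returned no addresses, keeping current rules"
    return 1
  fi
  for ip in $new; do
    printf '%s\n' "$old" | grep -qxF -- "$ip" && continue
    echo "$(cmd_for "$ip") -I EXT_INPUT_CHAIN -s $ip -p $proto -m $proto --dport $port -j ACCEPT"
  done
  for ip in $old; do
    printf '%s\n' "$new" | grep -qxF -- "$ip" && continue
    echo "$(cmd_for "$ip") -D EXT_INPUT_CHAIN -s $ip -p $proto -m $proto --dport $port -j ACCEPT"
  done
  return 0
}

# Dry run: 192.0.2.9 was allowed at boot; the fresh lookup no longer lists it.
demo() {
  local new
  new="$(parse_host_addrs "$SAMPLE_A"; parse_host_addrs "$SAMPLE_AAAA")"
  plan_rules "$SAMPLE_OLD" "$new" 5061 tcp
}
demo
```

The functions only print the commands; a real refresh job would pass live `host` output to parse_host_addrs and keep the previous address list in a state file.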