Asterisk's built-in encryption is only just starting to work in 1.8, and it would require you to open ports to your Asterisk server from the Internet. Enter OpenVPN, an open-source user-space VPN that's lighter weight than IPSec. Better yet, no per-client licensing fees like Cisco. (Unless you want commercially supported OpenVPN @ $10/client.) Asterisk itself isn't quite ready for the enterprise, but we're all hoping Asterisk 10 is ready for prime time.

Using the built-in OpenVPN server in pfSense 2.0, you can connect your Snom phone across the internet to your internal network, and Asterisk securely. (Although it does not do end-to-end encryption, even if you run OpenVPN on your Asterisk server.)

Part 1: pfSense OpenVPN config

In the pfSense OpenVPN server page, choose the following parameters: (DISCLAIMER: this is certainly not the only way to do this, nor the most secure.) I'm also going to assume you've already used the pfSense Cert Manager to create a CA and issue a client certificate for the your Snom phone.

OpenVPN | Server

General
Disabled: Not checked.
Server Mode: Remote Access (SSL/TLS).
Protocol: UDP
Device Mode: tun
Interface: WAN
Local Port: 1194 (default)
Description: SnomPhoneVPN

Crypto Settings:
TLS Authentication: Checked (pfSense should populate the box with an OpenVPN Static Key.)
Peer Certificate Authority: InternalCA (What you set up in pfSense's CA Page.)
Peer Certificate Revocation List: (leave default for now.)
Server Certificate: OpenVPNServer (CA: InternalCA)
DH Params Length: 1024
Encryption Algorithm: AES-256-CBC (256-bit)
Hardware Crypto: No Hardware Crypto (Unless you've got a card...)

Tunnel Settings:
Tunnel Network: Choose a private IP space that's not 192.168.x.x, so it doesn't conflict with every NAT home network. (10.1.0.0/24) should work most places.
Redirect gateway: Checked if you want it to be more secure, but you'll lose local access to the phone.
Local Network: Enter yor local LAN IP space here, e.g. the one you Asterisk server is on.
Concurrent connections: 1 or more.
Compression: unchecked.
Inter-client Communications: not checked.
Duplicate connections: leave this checked for testing only.

Client Settings: The only one that needs to be checked is "Provide a virtual adapater IP addresss to clients."

Advanced: Nothing is required here.

Part 2: Client OpenVPN config

Use the OpenVPN client export utility (0.9.6). Export the Configuration Archive. Unzip the files. Rename the x.ovpn file to vpn.cnf and edit it to add /openvpn/ in front of the cert and key file names. Then place it in a dir/folder called openvpn and tar it from within the folder, per SNOM.

Keep in mind that the two other files in there, the personal certificate (x-.p12) and the OpenVPN TLS key (x-tls.key) are the keys to your network, so protect them. When we selected Remote Access (SSL/TLS) in step one, that means certificate only, and then added the TLS key. So no username and password required. (You can try adding them, but you'll need to hard-code them in another file in the config tarball, so it won't make much difference.)

vpn.cnf after editing:

dev tun

persist-tun

persist-key

proto udp

cipher AES-256-CBC

tls-client

client

resolv-retry infinite

remote x.x.x.x 1194

tls-remote OpenVPNServer

pkcs12 /openvpn/pfsense-udp-1194.p12

tls-auth /openvpn/pfsense-udp-1194-tls.key 1

where x.x.x.x is your WAN IP Address, or preferably, your dynamically updated DNS name if your IP is subject to change.

Once you have the tarball, follow SNOM's instructions to get it onto the phone. (Hint: you'll need to place it on a webserver, but preferably not one that's publicly available or unauthenticated.)

Gotchas:

1. The phone's NTP server needs to be available on whatever network you plug in to.
2. You need to follow Snom's instructions on how to create the tar file, which may be different than what you're used to.
3. You need netcat running to see OpenVPN logs. They don't go to the phone's syslog server.
4. If you blow up your Snom phone (can't connect to it any more), be sure to have the firmware image available on a local tftp server so you can start all over.
5. Don't forget to add your OpenVPN network to Asterisk's sip_nat.conf or you'll drop calls.
6. Be aware that the Snom phones can also route packets from devices behind it via the PC port. You'll need to consider how to secure your internal network from the vpn phones.
7. If your Snom phone doesn't grab the tarball after boot, you'll need to put a dummy file on the webserver that's referenced on the advanced | update | Setting URL: parameter called "snom370.htm". Then the phone should start grabbing the tarball again. This may be a bug in snom370-SIP 8.4.32, the version tested.

So what are you to do if you need to collect file details and hashes for every folder within the subfolders of a directory? If you're doing it with VBScript, you'll need a free library available from XStandard. Once you register, you'll get a dll that you'll need to register. (It's 32-bit only, so if you're on a 64-bit box, you'll need to do this:
C:\WINDOWS\SysWOW64\regsvr32.exe XMD5.dll
and then to execute the script:
c:\windows\SysWOW64\cscript.exe FolderReportMD5.vbs )

Anyhow, this script is derived from the Sapien sample scripts. (While there are many free editors out there, I think Sapien's PrimalScript is worth every penny if you'll be doing a lot of Windows scripting.)

And since my MT template doesn't handle code well, here's a link to the text file.

'**************************************************************************

'	File:  FileListMD5.vbs

'

'	Comments: This script uses the MD5 library available here: 

'   http://www.xstandard.com/en/documentation/xmd5/#api1

'   This script runs through a directory tree and writes file attributes to a csv file.

'   To run on x64 use C:\WINDOWS\SysWOW64\regsvr32.exe XMD5.dll and then execute via 

'   c:\windows\SysWOW64\cscript.exe FolderReportMD5.vbs

'   Based on Sapien's sample script for FolderProperties.

'**************************************************************************

 Set objFSO2 = createobject("scripting.filesystemobject")

 'where to put the file list?

Set objFile = objFSO2.createtextfile("c:\scripts\" & "FileList" & ".csv")

q = """"

'write the header line of the CSV file.

objFile.WriteLine(q & "FilePath" & q & "," & q & "FileName" & q & "," & q & "DateCreated" & q _

 & "," & q & "DateLastAccessed" & q & "," & q & "DateLastModified" & q & "," & q & "FileSize" & q &_

  "," & q & "MD5Hash" & q & "," & q & "FileAttributes" & q)


'where to start

strSource="C:\folder"

Set objFSO=CreateObject("Scripting.FileSystemObject")

Set objFolder=objFSO.GetFolder(strSource)

Call ProcessFiles(objFolder)

Sub ProcessFiles(objFolder)

Set colFiles=objFolder.Files



For Each file In colFiles

   'it's a good idea to clear out the vars on each loop

   strFingerPrint = "blank"

   strPath = File.Path

   Set objMD5 = CreateObject("XStandard.MD5")

   strFingerPrint = objMD5.GetCheckSumFromFile(strPath)

   Set objMD5 = Nothing

   wscript.Echo strFingerPrint

   wscript.Echo "File Name:" & vbTab & File.Name

wscript.Echo "Short File Name:" & vbtab & File.ShortName

wscript.Echo "File Path:" & vbtab & File.Path

wscript.Echo "Date Created:" & vbtab & File.DateCreated

wscript.Echo "Date Last Accessed:" & vbtab & File.DateLastAccessed

wscript.Echo "Date Last Modified:" & vbtab & File.DateLastModified

wscript.Echo "File Size:" & vbtab & File.Size

wscript.Echo "File Attributes:"

strFileAttributes = " "

if File.Attributes AND 0 Then wscript.Echo " Normal"

If File.Attributes And 0 Then strFileAttributes = strFileAttributes & " Normal"

if File.Attributes AND 1 then wscript.Echo " Read-only"

If File.Attributes And 1 Then strFileAttributes = strFileAttributes & " Read-only"

if File.Attributes AND 2 then wscript.Echo " Hidden"

If File.Attributes And 2 Then strFileAttributes = strFileAttributes & " Hidden"

if File.Attributes AND 4 then wscript.Echo " System"

If File.Attributes And 4 Then strFileAttributes = strFileAttributes & " System"

if File.Attributes And 8 Then wscript.Echo " Volume"

If File.Attributes And 8 Then strFileAttributes = strFileAttributes & " Volume"

if File.Attributes AND 16 then wscript.Echo " Directory"

If File.Attributes And 16 Then strFileAttributes = strFileAttributes & " Directory"

if File.Attributes And 32 Then wscript.Echo " Archive Bit is set"

If File.Attributes And 32 Then strFileAttributes = strFileAttributes & " Archive Bit is set"

If File.Attributes AND 1024 then wscript.Echo " Alias"

If File.Attributes And 1024 Then strFileAttributes = strFileAttributes & " Alias"

if File.Attributes AND 2048 then wscript.Echo " Compressed"

If File.Attributes And 2048 Then strFileAttributes = strFileAttributes & " Compressed"

'finally, write the line to the csv file

objFile.WriteLine(q & File.Path & _

			q & "," & q & File.Name & q & "," & _

			q & File.DateCreated & q & "," & q & File.DateLastAccessed & q & "," & q _

			 & File.DateLastModified & q & "," & q & File.Size & q & "," & q & strFingerPrint & q & "," & q & strFileAttributes & q)

Next

'process Subfolders

Call ProcessSubFolders(objFolder)

End Sub

Sub ProcessSubFolders(objFolder)

Set colSubs=objFolder.SubFolders

For Each folder In colSubs

    ProcessFiles(folder)

Next

End Sub

Still tough: mod_rewrite rules to make search engines happy. It also requires a PHP pagination code update, and navigation is still broken on one return link.

All in all, I've done far less syncing of directories and hand-editing of files to upgrade from 2 to 3 than I did from 1 to 2. Then again, I'm not all there yet.

I love the data views that wview provides. It shows trends at a glance that weather.com, NOAA, and NWS don't. Even online weather airport stations have no view that will let you see a trend -- they're all snapshots. With wview, I can tell when the temperature-dewpoint spread is closing.

The best part -- I can collect the data. I can export to MySQL. I can collect solar radiation stats to see if solar panels make sense at my location.

Next: Dial-in weather with Asterisk and Cepstral.

So a few days ago, PBXInAFlash, releases a new version that includes support for video calls using discounted hardware video phones. Video calls have been available forever using software and computer cams. The availability of an affordable hardware phone means that there's a chance I can give one to my mom. What's the big deal with a hardware phone? My mom already knows how to use it. Everybody knows how to answer a hard phone.

Upgrading. The "supported " procedure is to upgrade to the same version of FreePBX that you'll be restoring to, and then do a backup. (Upgrade using module admin, then use the backup module...) So I installed the new release on top of my old Atom D510 server and wiped out all the old data. Restore. Restart Asterisk. Asterisk seg fault crash loop. FreePBX 2.8 doesn't validate every piece of input perfectly, so it can crash. You've been warned. I reinstalled and built from scratch, which is a great thing to be able to do, but not so great from a time perspective.

After installing the base phone system, it was up and running. My custom apps were not. The PBXinaFlash cust app scripts don't all support Asterisk 1.8 or x64. I run a few, and this is how I fixed them.

1. xtide. I go to the beach and I love xtide. PBXIAF tries to install the 386 rpms. Just go to Flaterco, down load the source and compile. Follow the instructions to the letter. ./configure will work but make will fail because you are missing headers. Install the following packages with yum install xxx:
   libXt-devel-1.0.2-3.2.el5.x86_64
   libICE-devel-1.0.1-2.1.x86_64
   libXaw-1.0.2-8.1.i386
   libXt-devel-1.0.2-3.2.el5.i386
   libXaw-devel-1.0.2-8.1.i386
   libXpm-devel-3.5.5-3.x86_64
   libXpm-3.5.5-3.i386
   libXmu-1.0.2-5.i386
   libSM-devel-1.0.1-3.1.x86_64
   libXmu-devel-1.0.2-5.x86_64
   xorg-x11-util-macros-1.0.2-4.fc6.x86_64
   libXaw-devel-1.0.2-8.1.x86_64
   Then make and make install. Then you'll get another error from bad linking, which will look something like this: error while loading shared libraries: xxx.so.1: cannot open shared object file: No such file or directory. Use ldd on the tide command to see what's missing, then find that file and copy it to where the other ones are. It should look something like this:
   ldd /usr/local/bin/tide
   
   libtcd.so.1 => /usr/lib64/libtcd.so.1
   libpng12.so.0 => /usr/lib64/libpng12.so.0
   libz.so.1 => /usr/lib64/libz.so.1
   libstdc++.so.6 => /usr/lib64/libstdc++.so.6
   libm.so.6 => /lib64/libm.so.6
   libgcc_s.so.1 => /lib64/libgcc_s.so.1
   libc.so.6 => /lib64/libc.so.6
   /lib64/ld-linux-x86-64.so.2
   I think my command was copying libtcd.so.1 to /usr/lib64, where it was expected. Now xtide works. I also have an updated harmonics file.
   


2. Swift. I love Allison-8kHz. All my licenses were gone -- g729 as well as Cepstral. Thanks to gmail, I could recover them all, and got a free upgrade to the latest Cepstral Allison: Allison-8kHz for Linux (v5.x), which installed fine. The missing part was swift-app for Asterisk. There's a beta for that that's working.


3. That darn analog cards. I light up my home's antique POTS lines with a Digium 410 and a couple of FXO modules. These were a pain to set up in the initial version, too. Since then, Asterisk has moved from the ZAP architecture to DAHDI, and I though that was where my problem was. Wrong. My problem was the same one that I had the first time. Default settings are for KewlStart instead of LoopStart. Once I changed all the configs to FXO_LS instead of FXO_KS it worked again. This means I can use my antique rotary-dial phone with mechanical bells to dial out my SIP trunk.


4. The IAX trunk to my Mom's house stopped working. I run this over a vpn link. (IPSec ESP w/AES256 so noone can listen in....) FreePBX has a new interface for configuring trunks, inbound and outbound in separate sections. (User and Peer). Keep you configs straight with ServerA/UserA at one end and ServerB/UserB at the other. Then I could dial my mom, but she couldn't dial me. My version of Asterisk requires CallTokens by default. Turned that off in the trunk config and it worked again. (I'd have to implement CallTokens if it wasn't running over a VPN and I wanted to resist DOS attacks.)


5. Video Calls. No problems here -- just enable h.263 and configure the phones.I can even do video calls between the Nortel IP 1535 and the Bria Softphone.

Intel has since released the Atom D510. The processor is up to a 13-watt draw, runs at about the same speed, and still runs 64-bit. What makes these chipsets better is that they max out at 4 GB of RAM and use genuine Intel Gig NICs that are widely supported and can run jumbo frames. This is a big leap, because the configured price of a fully-built mini-server around the platform remains the same. Supermicro has some great Atom motherboards that can support a home or small office doing various things. (The D525 has since come out. Compare the two here.)

Newegg has some good deals on the Supermicro Atom Rack Server and the tower server for about $70 less. Or you can just buy a motherboard and roll your own. My tower server with D510 runs just under 40 watts with 4 GB of RAM, CD, and hard disk.

What can you do with it? There are a number of Linux and BSD appliances that are free.

1) Run your own telephone switch. FreePBX is an awesome, OS-included version of Asterisk that has a clean web GUI. PBX-In-a-flash is based on FreePBX but has a few extras (nonstandard enhancements like dial weather by airport code and dial your local tide schedule) thrown in. Why would you want to run your own PBX? You can do stupid phone tricks, like really cheap phone service at $.01/minute and $1.50/month per number with Vitelity, for one. Or your own conference line. Or your own trunks over VPNs to other offices. Or just blacklist phone numbers and send telemarketers to their own voice-mail hell.

Keep in mind that to light up your home phone lines, you may need an additional analog card from Sangoma or Digium. (FXS and FXO are different, but can run on the same card.) Once you figure out how cool SIP is, you'll want to replace your house phones with SIP phones. However, you can get started with SIP free using the Xlite soft phone. The iPhone/iPod/iPad version is $7.99. It's perfectly true that you can make phone calls cheap with a Linksys PAP2T or Vonage, but if you're a telephone control freak and want to wage war on telemarketers, Asterisk is for you.

2) Run a great firewall like pfSense. It's based on FreeBSD but has a great Web GUI so you can avoid learning the subtle differences between BSD and Linux. pfSense comes in embedded and full. For the Atom server, running the full version is no sweat. And I run SNORT inline on two interfaces with no issues. A full SNORT IPS signature subscription for home use is just $30/year. And pfSense does not just IPSEC point-to-point VPNs, but also WebVPN. Try that on your Cisco ASA 5505, and you'll be paying a couple grand for the equipment, licenses, and subscription. Check out the plugins for pfSense and you'll see how much you can do with one small box. pfSense 2.0 is almost out of beta and there's a 64-bit version. (Plugins include FreeSwitch, an open-source competitor to (open-source) Asterisk, so if you want, you can even run a PBX on your firewall.)

3) Storage: Run FreeNAS and you'll be able to scale reasonably out of the box. The Atom Motherboard has six SATA slots and two GB NICs that do jumbo frames. Hello iSCSI. With 2TB disks, that's 12 TB of storage. FreeNAS offers CIFS (Windows), Apple (AFP), iSCSI, and NFS mount points. Add a serious SATA RAID card to get even more disk IO performance out of your little Atom box. Obviously, I would recommend the tower server case for FreeNAS because it has room for more disks.

4) Run Apache/PHP/MySQL applications. Run Fedora, CentOS, whatever. You can run your own apps at home on top of your favorite flavor of Linux/BSD. One of my favorites is Gallery2. There's even semi-free apps (free for no enterprise features) like Movable Type (you're reading this on an MT platform), and even run more than one on the same mini-Server.

5) Collect data. Run a weather station. Run a log server. Run a crazy blog and see who hits it with which keywords. Collect IPS events from multiple firewalls and correlate them.

Also, when you use FAA data, be sure to escape special SQL characters in the names. I think there's an O'Brien restricted area. Be aware, there are single quotes in special use area names.

This file uses the airport's latitute and longitude rather than the AWOS' latitude and longitude, which is missing in some cases in the FAA's file.

Also, the FAA files seem to have arbitrary layout changes from release to release, as well as some data quality issues. (Missing data, data out of alignment, etc.) I'm glad I don't have to produce this stuff on deadline.

I have also enabled SSL with a self-signed cert, so if you're shy about signing in to comment via http, just switch it to https by typing the s in your link bar. And no, I have not found a way to globally change signins to SSL in MT 5.

<Directory> </Directory> 

What this does is make browsers do
TLSv1 DHE-RSA-CAMELLIA256-SHA only.

You can then watch your SSL handshakes fail from IE and Chrome. If you want to require strong encryption across browsers, edit ssl.conf to look like this:

SSLProtocol TLSv1
SSLCipherSuite AES256-SHA

Then you'll have reasonably strong encryption.

First: my ride. On days that I ride (I'm not a 5-day-a-week rider yet), I ride seven miles (mostly downhill) into work in 35 minutes. That same ride home (mostly uphill) takes about 45 minutes. I carry a laptop and a full set of work clothes each way in panniers on a rack.

Overall, the Breezer Uptown 8 is a great bicycle. However, there are some things to nit-pick about, mostly because commuter bicycles are relatively new in the United States. Nobody reviews them because they're not sexy.

First off, the Uptown is comfortable. I ride in an upright position. The seatpost is suspended, and overall it's a pleasure to ride. However, it's not a fast bike. It's got full fenders and a fully-enclosed chaincase. The only place I get splashed in rain is my feet.

The built-in Shimano front hub generator and lights are great. The headlight is pretty bright. I did get a Niterider light because the trail is not lit and pitch black. The rear light connections are weak and the light failed after going over a few bumps. Some new wire fixed that. The generator does add a little drag when it turns itself on. It's great having lights without ever having to worry about a charger or batteries. I have two Planet Bike flashies (one works consisently) mounted on my panniers. That worked out especially well after I wrecked and my black laptop pannier fell off and onto the dark, unlit trail at night.

The stock tires, Schwalbe City, are heavy. I replaced the front with a Conti 1" which works fine. The rear tire I haven't replaced because the rear wheel is a pain to take off. You need to shift to 4th gear, remove the tiny screws in the chaincase, and then use a 15mm wrench. Not something to do on the trail after dark.

You can see photos of my nitpicks here.

I bought the bike at Bikes at Vienna in Vienna, and get some help with maintenance from Griffin Cycle in Bethesda. There's nothing wrong with the service at Bikes at Viennna, it's just that Griffin Cycles is close to home.

That may seem expensive, but it's far cheaper than getting that much server capacity at Rackspace. However, I don't need that much capacity. I can trade processor power for power savings, keep the disk space and RAID card, and switch to an Atom-based server. My current FreePBX Atom server runs at 40 watts with an analog card powering two FXS modules. I bet I can match that on a new server. I'd get the new Supermicro Atom Server, but it has space for only one 3.5 inch hard drive. I need two. Thus I'll be using another miniITX case. In the meantime, everything's running on another old Dell tower box.

How did I move it? First I though reinstalling all the software from scratch would be a good idea. I'd get a nice clean, efficient build. But that took way too long, and I'd have to re-customize my templates and tweaks. I had MySQL backups running for a while, why not start testing the restores? I used rsync:

rsync -avz /var/www/ -e ssh:user@mynewserver /var/www/

Then I restored the databases:

mysql -u root -p

mysql> create database mynewdb

mysql> quit;

$ mysql -u root -p [mynewdb] < [backupfile.sql]

mysql -u root -p

mysql> use mynewdb;

mysql> GRANT ALL PRIVILEGES ON *.* TO 'myuser'@'localhost' 

IDENTIFIED BY 'pAssW0rd' WITH GRANT OPTION;

mysql> flush privileges;

mysql> quit;

Then double check that the user and pass from above match your config files.

Finally, test your applications. Gallery2 and MovableType worked fine. Your milage may vary. My office is almost silent now.