This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
Over the years, many people have used DynDNS as a way to get a free domain name that will “track” their actual IP address, even if their ISP changes it. Apparently that free ride has all but come to an end. If you read the instructions that How-To Geek posted in their article How To Easily Access Your Home Network From Anywhere With DDNS, you will note that when you go to the DynDNS site now, it looks nothing like it did then, and the totally free option seems to have disappeared.
Apparently if you have an existing DynDNS account you can keep it as long as you don’t let it expire, but if you do let it expire or if you are trying to set up a new DynDNS account for yourself or someone else, the free option is no longer shown. It appears that now the only way to get a free DynDNS account is to sign up for a 14-day DynDNS Pro Free Trial and then cancel it before the free trial period is up. Then, “You may keep one hostname free of charge for trying the Pro Trial.” The problem with this is that you have to provide a major credit card to sign up for the trial. This will be a show stopper for many users (it definitely takes DynDNS off my list of recommended services).
Some home routers support several Dynamic DNS services, and one of the most popular is No-IP. My guess is that they will be the main beneficiary of the decision by DynDNS to make their free service less accessible. I think they have been around nearly as long as DynDNS (if not longer) and I’ve not heard anything negative about them, so I now recommend you check out No-IP in preference to DynDNS, unless you enjoy having to give up your credit card information and then having to remember to cancel a “free trial” within an allotted timeframe.
To those router manufacturers that only offer DynDNS as a DDNS option, please consider adding No-IP (and maybe a few others) as a DDNS option in your next firmware upgrade. Those that have replaced their router’s firmware with DD-WRT have the option to use DynDNS.org, freedns.afraid.org, ZoneEdit.com, No-IP.com, 3322.org, easyDNS.com, TZO.com, and DynSIP.org (or you can use another “custom” service). I do not know if all of those have a free service offering but I believe that most of them do. So, commercial router manufacturers could offer options other than DynDNS, and I hope they’ll consider doing so.
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
If you run Asterisk you may have encountered this issue: Your Internet connection goes down, and so does your ability to call from extension to extension, even between extensions on your local network. This is a long-standing bug in Asterisk (exactly the sort of bug that drives people to try alternatives such as FreeSWITCH) but let’s say that for whatever reason you need to stick with Asterisk, so you’d like to find a way to make that bug go away. Without going into all the technical details, the reason that calls fail is that Asterisk can’t access a DNS server. I’ve read several reports that say the easiest solution is to install the BIND DNS server on the same machine as your Asterisk server. If you are also running Webmin on the server, installing and configuring BIND is a relative piece of cake. So here’s how it’s done. Please note that most of the images below can be enlarged by clicking on them, and that I have installed the StressFree theme in Webmin, so if it looks a little different from what you’re used to seeing, that’s probably why.
To start with, log into Webmin, click on “Servers”, then click on “BIND DNS Server” (if you don’t find it there, try looking in “Un-used Modules”):
Webmin Servers page — click on "BIND DNS Server"
Assuming you have not previously installed BIND, you’ll get a screen like this. Just click where it says “Click here”:
Webmin BIND DNS Server error page — click where it says "Click here"
You will then see this screen come up as BIND is installed. Just let it run to completion and (assuming it installs successfully) click on “Return to BIND DNS Server” at the bottom of the page:
Webmin "Install Package" page — click on "Return to BIND DNS Server"
Next, because you don’t yet have an /etc/named.conf file, you’ll see this page. Click the button for “Setup nameserver for internal non-internet use only” (don’t worry, we’ll fix it in the next steps), then click the bar that says “Create Primary Configuration File and Start Nameserver”:
Webmin — click "Setup nameserver for internal non-internet use only"
At this point BIND is installed and running, but it probably isn’t doing what you want it to, and your system isn’t using it. So the first thing we need to do is tell it where to go when it needs to do a DNS lookup. You should be seeing a page that looks like this — click on “Forwarding and Transfers”:
Webmin BIND DNS Server page — click on "Forwarding and Transfers"
When you get to the following screen, check “Yes” next to “Lookup directly if forwarders cannot?” You also need to enter one or more addresses of DNS servers that BIND can access when it needs to pull a DNS record. You might want to give some thought to which DNS servers you want to use, and in what order, before you start entering them. You can enter up to three IP addresses of DNS servers, and then click “Save”. This will throw you out to the previous screen, and if by some chance you want to enter even more DNS servers, you can click on “Forwarding and Transfers” again to come back and enter up to three more servers, until you are finished. In this example, I have already entered the IP addresses of my router’s DNS Server as the top priority pick, followed by two Google DNS Server addresses.
Webmin — BIND DNS Server — Forwarding and Transfers page
Once you have done this, you are through configuring BIND directly, but there are two more things we need to do. The first is to make sure that the BIND server starts each time we restart the machine. To do that, go to Webmin’s “System” page and then click on “Bootup and Shutdown”:
Webmin System page — click on "Bootup and Shutdown"
This is a long page so I’m not showing all of it — what you have to do is find the entry for named and check the box next to it:
Webmin Bootup and Shutdown page — check the box next to "named"
Then go to the bottom of the page and click “Start on Boot”:
Bottom of Webmin Bootup and Shutdown page — click "Start on Boot"
At this point BIND is running, and should be using the correct DNS servers, and is set to start at bootup, but your server still isn’t using it for its DNS queries. To get it to do that, go to Webmin’s “Networking” page and click on “Network Configuration”:
Webmin Networking page — click on "Network Configuration"
Once on the Network Configuration page, click on “Hostname and DNS Client”:
Webmin Network Configuration page — click on "Hostname and DNS Client"
Once on the Hostname and DNS Client page, what you need to do is make the first entry in the DNS Servers list 127.0.0.1. If you trust BIND to always be operating, that’s the only entry you need. I didn’t quite trust BIND that much (actually, what I didn’t trust was my ability to set this up correctly) so I set the DNS server in the router as the secondary DNS address. You could use any DNS server as the secondary, or you could choose to just enter the 127.0.0.1 address to use BIND and let it go at that. Personally, I feel a lot more comfortable having a “fallback” DNS. Don’t forget to click “Save” when you are finished making changes here:
Webmin Hostname and DNS Client page - 127.0.0.1 must be first DNS server
That’s all there is to it, as far as I know (if you think I’ve missed anything or done something wrong, the comment section is open!). If you’re like me, the next question you will have is, “How do I know it’s working?” And the easiest way to do that is to go to a Linux command prompt and “dig” some site you have not been to recently, twice in a row. Here’s an example, using cnn.com — the parts we are interested in are the “;; Query time:” and “;; SERVER:” lines that dig prints at the end of each run:
First run:

;; ANSWER SECTION:
cnn.com.                287     IN      A       157.166.224.25
cnn.com.                287     IN      A       157.166.224.26
cnn.com.                287     IN      A       157.166.226.25
cnn.com.                287     IN      A       157.166.226.26
cnn.com.                287     IN      A       157.166.255.18
cnn.com.                287     IN      A       157.166.255.19

;; AUTHORITY SECTION:
.                       76691   IN      NS      i.root-servers.net.
.                       76691   IN      NS      j.root-servers.net.
.                       76691   IN      NS      k.root-servers.net.
.                       76691   IN      NS      l.root-servers.net.
.                       76691   IN      NS      m.root-servers.net.
.                       76691   IN      NS      a.root-servers.net.
.                       76691   IN      NS      b.root-servers.net.
.                       76691   IN      NS      c.root-servers.net.
.                       76691   IN      NS      d.root-servers.net.
.                       76691   IN      NS      e.root-servers.net.
.                       76691   IN      NS      f.root-servers.net.
.                       76691   IN      NS      g.root-servers.net.
.                       76691   IN      NS      h.root-servers.net.

;; ADDITIONAL SECTION:
b.root-servers.net.     386178  IN      A       192.228.79.201
d.root-servers.net.     402826  IN      A       128.8.10.90
d.root-servers.net.     230000  IN      AAAA    2001:500:2d::d
f.root-servers.net.     370827  IN      A       192.5.5.241
g.root-servers.net.     463754  IN      A       192.112.36.4
h.root-servers.net.     374116  IN      A       128.63.2.53
h.root-servers.net.     517382  IN      AAAA    2001:500:1::803f:235
j.root-servers.net.     185528  IN      A       192.58.128.30
j.root-servers.net.     578747  IN      AAAA    2001:503:c27::2:30

Second run:

;; ANSWER SECTION:
cnn.com.                223     IN      A       157.166.255.19
cnn.com.                223     IN      A       157.166.224.25
cnn.com.                223     IN      A       157.166.224.26
cnn.com.                223     IN      A       157.166.226.25
cnn.com.                223     IN      A       157.166.226.26
cnn.com.                223     IN      A       157.166.255.18

;; AUTHORITY SECTION:
.                       76627   IN      NS      c.root-servers.net.
.                       76627   IN      NS      d.root-servers.net.
.                       76627   IN      NS      e.root-servers.net.
.                       76627   IN      NS      f.root-servers.net.
.                       76627   IN      NS      g.root-servers.net.
.                       76627   IN      NS      h.root-servers.net.
.                       76627   IN      NS      i.root-servers.net.
.                       76627   IN      NS      j.root-servers.net.
.                       76627   IN      NS      k.root-servers.net.
.                       76627   IN      NS      l.root-servers.net.
.                       76627   IN      NS      m.root-servers.net.
.                       76627   IN      NS      a.root-servers.net.
.                       76627   IN      NS      b.root-servers.net.

;; ADDITIONAL SECTION:
b.root-servers.net.     386114  IN      A       192.228.79.201
d.root-servers.net.     402762  IN      A       128.8.10.90
d.root-servers.net.     229936  IN      AAAA    2001:500:2d::d
f.root-servers.net.     370763  IN      A       192.5.5.241
g.root-servers.net.     463690  IN      A       192.112.36.4
h.root-servers.net.     374052  IN      A       128.63.2.53
h.root-servers.net.     517318  IN      AAAA    2001:500:1::803f:235
j.root-servers.net.     185464  IN      A       192.58.128.30
j.root-servers.net.     578683  IN      AAAA    2001:503:c27::2:30
Notice how on the first run, it takes 26 msec to do the lookup, because BIND doesn’t have that address cached yet, whereas on the second run it only takes 1 msec to do the lookup! Could that perhaps improve system performance? I’ll bet it could! And the SERVER line tells us that it is indeed using our BIND server (127.0.0.1) – if it were using, say, our router’s DNS server then that line would show this:
;; SERVER: 192.168.0.1#53(192.168.0.1)
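As an added example (Python, not part of the original post and not something Webmin or BIND ships), here is a small checker for the two things the paragraph above reads off the dig output by eye: that the “;; SERVER:” footer names 127.0.0.1 rather than the router, and that the second run is answered from cache (lower query time, and an answer TTL that has been counting down since the first run). It also checks that 127.0.0.1 is the first nameserver in a resolv.conf, which is what the “Hostname and DNS Client” step above sets. The two dig transcripts, the router transcript and the resolv.conf text are constructed samples, not the author’s output, and the times in them are illustrative.

```python
import re
from typing import Dict, Optional

# Constructed samples (not the author's output): the tail of two consecutive
# `dig cnn.com` runs against a local BIND forwarder, plus a resolv.conf.
FIRST_RUN = """\
;; ANSWER SECTION:
cnn.com.\t\t287\tIN\tA\t157.166.224.25

;; Query time: 26 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan  1 12:00:00 2011
;; MSG SIZE  rcvd: 57
"""

SECOND_RUN = """\
;; ANSWER SECTION:
cnn.com.\t\t223\tIN\tA\t157.166.224.25

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jan  1 12:00:01 2011
;; MSG SIZE  rcvd: 57
"""

# What the footer looks like when the router, not BIND, answered (constructed).
ROUTER_RUN = ";; Query time: 20 msec\n;; SERVER: 192.168.0.1#53(192.168.0.1)\n"

RESOLV_CONF = "# constructed sample\nnameserver 127.0.0.1\nnameserver 192.168.0.1\n"


def dig_server(output: str) -> Optional[str]:
    """Address from the ';; SERVER:' footer, e.g. 127.0.0.1."""
    m = re.search(r"^;; SERVER: ([^#\s]+)#\d+", output, re.M)
    return m.group(1) if m else None


def dig_query_time_ms(output: str) -> Optional[int]:
    """Milliseconds from the ';; Query time:' footer."""
    m = re.search(r"^;; Query time: (\d+) msec", output, re.M)
    return int(m.group(1)) if m else None


def dig_answer_ttl(output: str, name: str) -> Optional[int]:
    """TTL of the first A record for `name` in the ANSWER SECTION."""
    m = re.search(r"^" + re.escape(name) + r"\s+(\d+)\s+IN\s+A\s", output, re.M)
    return int(m.group(1)) if m else None


def check_local_cache(first: str, second: str, name: str = "cnn.com.",
                      expected_server: str = "127.0.0.1") -> Dict[str, object]:
    """Decide whether two back-to-back runs show a working local cache.

    A cached answer is served faster, and its TTL has been counting down
    since the first run, so both numbers should be lower the second time.
    """
    servers_ok = dig_server(first) == expected_server == dig_server(second)
    t1, t2 = dig_query_time_ms(first), dig_query_time_ms(second)
    ttl1, ttl2 = dig_answer_ttl(first, name), dig_answer_ttl(second, name)
    cached = (None not in (t1, t2, ttl1, ttl2)) and t2 < t1 and ttl2 < ttl1
    return {"server_ok": servers_ok, "cached": cached,
            "query_time_ms": (t1, t2), "ttl": (ttl1, ttl2)}


def first_nameserver(resolv_conf: str) -> Optional[str]:
    """First 'nameserver' entry in resolv.conf; 127.0.0.1 for this setup."""
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            return fields[1]
    return None


if __name__ == "__main__":
    print(check_local_cache(FIRST_RUN, SECOND_RUN))
    print("first nameserver in resolv.conf:", first_nameserver(RESOLV_CONF))
    print("router answered instead of BIND:", dig_server(ROUTER_RUN))
```

On a real machine you would feed the functions the captured output of two `dig` runs and the contents of /etc/resolv.conf; a `server_ok` of False with the router’s address showing up is exactly the situation the paragraph above describes, and means the 127.0.0.1 entry did not take effect.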
The idea here is that when your Internet connection takes a dive, Asterisk will still be finding a working DNS server and therefore won’t tank. That, at least, is the theory I’ve seen on several web sites. The ONLY thing I am showing here is how to set up BIND using Webmin, and I won’t even guarantee that I’m doing that 100% correctly. I definitely do not guarantee that it will actually work as intended — you’ll have to test that yourself. Doing a real test would mean disconnecting your cable or DSL modem, etc. from your router for several hours or days to see if the phones continue to work, and in most households or businesses that idea will go over like a lead balloon. However, feel free to give it a good test if you like and report the results in the comments.
You may wonder why I selected “Setup nameserver for internal non-internet use only” in the fourth screenshot. Obviously, that description is not entirely accurate. The real difference is that if you select that instead of the default “Setup as an internet name server, and download root server information”, it won’t create a “root” DNS zone, which you simply don’t need for this application. You can use the other option if you want to, but it will download additional information and increase the complexity of your setup. Either way, you should be able to access the Internet, because we set up DNS forwarding. If by some chance this BIND server is going to act as a nameserver for your entire network, and you don’t mind the additional traffic and complexity (and it’s the additional traffic that scares me the most, since I have no idea what it’s actually downloading nor how often it’s doing it), then by all means feel free to use the second option. All I will say is that I used the first, and it works fine, and I’ve seen at least one instance where this same thing is set up using a method other than Webmin, and except for the order of statements it uses an /etc/named.conf file that is identical to what Webmin produces when configured as I have shown here (in other words, no “zones” at all). I’m just waiting for some Linux purist to say this isn’t the “right” way to do this, but keep the goal in mind here — all we are trying to do is work around a bug in Asterisk that should have been fixed years ago, not set up a DNS server to feed an entire subnet. But again, you can feel free to use whichever of the options you like — it should work either way.
(By the way, if after reading the above you have “setup remorse” — you know, that feeling you get after you’ve installed something and realize you should have picked a different option — you can get a “do-over” by simply deleting or moving/renaming /etc/named.conf. If you then exit Webmin’s BIND module and come back in, it should see that named.conf doesn’t exist and start you over at the fourth screen shown above. Of course, you will lose anything you have already configured from within that module. If you originally selected the option to download the root server information, I think that’s at least partly stored in the file /etc/db.cache, so you could move or remove that file to make sure it’s not used; however, I’m not sure if any other files are or were also downloaded. That particular file is very small so I’m not worried about that one per se; it’s just that the way things are worded on a couple of pages I read, I don’t know if that’s all it downloads, or if at some point in the middle of the night it rises up and tries to cache all the DNS information for the Internet, or just exactly what it does. Sometimes I wish people would just give a sentence or two of additional information, so you have a better idea of what’s the right thing to do when you’re setting up something like this.)
Now, if you are a True Linux Geek who somehow stumbled across this article, and are disappointed that it isn’t much more complicated, I’ll refer you to this page. If you can figure all THAT out, you should be getting paid the big bucks as the networking expert that you are! 🙂
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
I was recently asked how to solve a particular problem and I came up with what I think is an interesting solution, especially given my overall rather limited knowledge of networking. The issue was this: In the home in question, they have cable broadband and a router that feeds jacks throughout the house. For security reasons, the homeowner never installed any kind of wireless networking (even though his primary router supports it, he keeps it turned off). Also his primary router is down in the basement.
Recently he got his wife a Motorola XOOM tablet computer and wouldn’t you know, it requires Wi-Fi access to connect to the Internet. In order to extend the range, and so that he or his wife could easily turn off the Wi-Fi when the XOOM isn’t in use, he bought a second Wi-Fi router and put it upstairs. Note that this router is connected BEHIND the original router in the basement. In other words, the sequence of connection is as follows:
Now, as I said, he is very security conscious. So the question he asked me is, if someone managed to break into his Wi-Fi, is there a way to set it up so that they could ONLY get to the Internet, and not to any other system on his local network. I said I didn’t know, but to first try accessing other machines on his network (the ones that had web interfaces, anyway) from the XOOM. Turned out that he could do so without any problem. Because the Wi-Fi router used a different network segment from the original (addresses in the 192.168.2.x range, whereas the original router handed out addresses in the 192.168.0.x range), as far as anything connected to the Wi-Fi router was concerned, anything on the primary router might as well have been on the Internet (please forgive the non-technical explanation, I’m probably missing several technical details here, but that’s the gist of the problem).
I didn’t think it would be a good idea to try to make the Wi-Fi router use the same address space for both WAN and LAN, and while I could assign it a static IP address on the WAN side, it had to be able to reach the router/gateway at 192.168.0.1. So here is what we did.
On the PRIMARY router, we took a look at the LAN settings and found that its DHCP server was assigning addresses starting at 192.168.0.2. We changed that to start at 192.168.0.5 (probably could have used 192.168.0.4 in retrospect).
This way, we could change the WAN address of the Wi-Fi router to use a STATIC IP address of 192.168.0.2, and (this is the important part) a NETMASK of 255.255.255.252.
This means that as far as the Wi-Fi router is concerned, there are only four valid IP addresses in the 192.168.0.x range:
192.168.0.0 (not used)
192.168.0.1 (primary router/gateway)
192.168.0.2 (Wi-Fi router)
192.168.0.3 (Reserved for “broadcast” as far as Wi-Fi router is concerned)
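As an added example (Python, not part of the original post), the arithmetic behind the four-address list above, done with the standard library’s ipaddress module: it derives the /30 the Wi-Fi router sees on its WAN side from the static address and netmask, labels each address in it the way the list does, tells you which 192.168.0.x targets the Wi-Fi router would treat as directly reachable, and checks whether the primary router’s DHCP pool still reaches into that /30 (which is why the pool start was moved to 192.168.0.5 in the step above). All addresses are the ones given in the post; the pool end of 192.168.0.254 is an assumption used for the demonstration.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Dict


def wan_subnet(wan_ip: str, netmask: str) -> IPv4Network:
    """The network the secondary router treats as directly reachable on its WAN port."""
    return IPv4Interface(f"{wan_ip}/{netmask}").network


def subnet_roles(wan_ip: str, netmask: str, gateway: str) -> Dict[str, str]:
    """Label every address inside the WAN subnet, as in the four-line list above."""
    net = wan_subnet(wan_ip, netmask)
    roles = {}
    for addr in net:                      # iterating a network yields every address
        s = str(addr)
        if addr == net.network_address:
            roles[s] = "network address (not used)"
        elif addr == net.broadcast_address:
            roles[s] = "broadcast"
        elif s == gateway:
            roles[s] = "primary router/gateway"
        elif s == wan_ip:
            roles[s] = "Wi-Fi router WAN"
        else:
            roles[s] = "unused host address"
    return roles


def is_on_link(wan_ip: str, netmask: str, target: str) -> bool:
    """True if the secondary router would ARP for `target` on its WAN port itself;
    False means it hands the packet to its default gateway instead."""
    return IPv4Address(target) in wan_subnet(wan_ip, netmask)


def dhcp_pool_overlaps(wan_ip: str, netmask: str,
                       pool_start: str, pool_end: str) -> bool:
    """Does the primary router's DHCP pool reach into the /30?  If it does, a
    DHCP client can be sitting on the address the Wi-Fi router wants, which is
    the lease conflict the post warns about."""
    net = wan_subnet(wan_ip, netmask)
    start, end = IPv4Address(pool_start), IPv4Address(pool_end)
    return start <= net.broadcast_address and end >= net.network_address


if __name__ == "__main__":
    WAN, MASK, GW = "192.168.0.2", "255.255.255.252", "192.168.0.1"
    print(wan_subnet(WAN, MASK))                      # 192.168.0.0/30
    for addr, role in subnet_roles(WAN, MASK, GW).items():
        print(f"{addr:<14} {role}")
    for target in ("192.168.0.1", "192.168.0.3", "192.168.0.50"):
        print(target, "on-link" if is_on_link(WAN, MASK, target) else "via gateway")
    # Pool end of .254 is an assumed value for the demo.
    for start in ("192.168.0.2", "192.168.0.4", "192.168.0.5"):
        print("pool from", start, "overlaps /30:",
              dhcp_pool_overlaps(WAN, MASK, start, "192.168.0.254"))
```

Note what the mask does and does not do: it only changes which addresses the Wi-Fi router considers directly reachable. Anything else in 192.168.0.x is still handed to the gateway at 192.168.0.1, so whether those hosts end up unreachable depends on how the primary router handles that traffic, which is why the post’s advice to test from the Wi-Fi side stands.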
One thing to remember is that after changing the DHCP assignment on the PRIMARY router, computers already using IP addresses 192.168.0.2 and 192.168.0.3 will not automatically vacate those addresses until their DHCP lease comes up for renewal. So if you change the second router’s WAN address to 192.168.0.2, it may not actually be able to connect until the computer or device currently on 192.168.0.2 “loses its lease”. Rebooting the primary router may help, but in some cases you may have to track down the computer with the conflicting address and shut it off, or if you know how, renew its IP address assignment (this can usually be done from within the network settings panel). Eventually, though, it should work, and at that point you should find that devices connected to the secondary router cannot connect to any addresses in the 192.168.0.x range outside the three mentioned above, which means they won’t be able to “see” anything else on your network that’s been assigned a DHCP address.
This tip falls into the category of “it worked in this particular situation, but I don’t guarantee it will work for you”. So if you try this, be sure to test to make sure that the other machines on your primary network are actually unreachable from the secondary router.
Now let the comments begin, telling me how there’s a better way to do this, or why it won’t work, or something to that effect…
This is a heavily edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
This was originally posted in August, 2011. Unless you are deeply in love with Perl, I suggest you also take a look at the newer article, A Bash script to rewrite the "static" IP address in the FreePBX Asterisk SIP Settings when it is changed by your ISP. Although it is still considered experimental, it is simpler than the script shown here, does not require the installation of additional modules, and the text has been updated somewhat to reflect the changes in FreePBX since this article was written.
This post is going to be a bit long because I first need to explain the “why” behind this script, then how to obtain the prerequisite Perl modules, then the script itself and how to test it after installation.
If you are using a recent version of Asterisk and FreePBX you may be using the Asterisk SIP Settings module (under the “Tools” tab) to automatically set various SIP parameters. This module is a great help to those who don’t know what they are doing, but there is a trap for the unwary (and in this case it’s NOT the fault of FreePBX – it’s a longstanding bug in Asterisk that’s the problem).
At the top of the Asterisk SIP Settings configuration page, in the NAT Settings section, there are two options that can be set. The first is NAT and there are four possible choices:
yes = Always ignore info and assume NAT
no = Use NAT mode only according to RFC3581
never = Never attempt NAT mode or RFC3581
route = Assume NAT, don’t send rport
In theory, if you have a fixed IP address AND your Asterisk server is not behind an external router that does NAT translation, you should use “no” (and most of the rest of this article will not be relevant to you). This article is intended more for home and SOHO users that both have their Asterisk server behind a hardware router of some kind, and that get their broadband service from a company that occasionally changes their IP address without warning. For such users, the preferred setting is “yes”. I’m not enough of a networking guru to tell you under what circumstances one of the other settings might be appropriate (if you understand this stuff, feel free to leave a comment and enlighten us).
FreePBX: Asterisk SIP Settings page, NAT Settings (Public IP Option)
It’s the next set of settings that can get us into trouble. This is the IP Configuration and there are three possible choices:
Public IP
Static IP
Dynamic IP
If your IP address never changes AND you aren’t behind a hardware firewall then you can usually just set this to “Public IP” and let it go at that. You will not be asked to fill in any other values. But most users that are not in that situation will pick one of the other two choices, and this is where the problem arises. Conventional wisdom has it that if your ISP ever changes your IP address without advance warning (which is the case for most cable broadband and DSL users), you should use the Dynamic IP setting. In this case there is an auto-configure button that will fill out the fields for you, although you may need to fill in the Dynamic Host field yourself. This is the “External FQDN as seen on the WAN side of the router and updated dynamically, e.g. mydomain.dyndns.com” (as explained if you mouse over the words “Dynamic Host”). You can use a DynDNS address (or an address from a similar service) or an address you have purchased. But the problem is that for some users, THIS METHOD SIMPLY DOES NOT WORK.
FreePBX: Asterisk SIP Settings page, NAT Settings (Dynamic IP Option)
If you try to use Dynamic IP and it won’t work for you, what happens is you will get all sorts of weird errors. You may get one way audio, some calls may disconnect for no apparent reason after about five seconds, and you will see other weird errors in your CLI. If you change this setting to “Static IP” and click the auto-configure button and then submit the changes, the problems magically go away – UNTIL your ISP changes your IP address, at which point you suddenly have no connectivity to the outside world. If you ask for help, everybody and their brother will tell you to use the Dynamic IP setting, and the minute you try that you’ll get all the weird errors again.
FreePBX: Asterisk SIP Settings page, NAT Settings (Static IP Option)
So if that’s your situation, you need this Perl script. Coupled with a cron job, it goes out and checks your IP address every five minutes and if it notices it has changed, it changes it in the MySQL database (same as if you entered it into the External IP text box on the Asterisk SIP Settings configuration page) and then reloads Asterisk. Therefore, you can use the Static IP method and hopefully it will work reliably. If and when your IP address changes, you should only be down for about five to ten minutes at most (hopefully your broadband provider usually does such changes in the middle of the night!).
Prerequisites:
You still have to use a Dynamic DNS service to keep track of your IP address if you want external extensions to be able to find your server on the Internet. It’s not required for this script to work, though, so I won’t say any more about that except to note that if you use a recent vintage hardware router, it probably has DDNS support built in.
You may have to install some Perl modules on your system. This script uses two or three: WWW::Mechanize (only if you use the first variation of the script shown below), Data::Validate::IP, and DBD::mysql. There are typically two ways to install any missing Perl modules on your system. One is to do this from the Linux command prompt:
perl -MCPAN -e shell
This will put you into a Perl CPAN shell and if it’s the very first time you’ve ever run this, it may ask you to do some configuration first. Go ahead and do it. If you don’t know how to answer a particular question, accepting the default is usually a pretty safe bet (if you disagree with me on this, then you know enough to know how to answer the questions, so you don’t need my help). However, there are a couple of questions related to buffers where you have the option to not create one, and I usually don’t because I don’t spend much time in the Perl shell. Just read the questions and either use the default answer, or another suggested answer that fits your preferences. When it comes time to pick servers (from which you will download modules), just pick two or three that are close to you.
After you’ve done the configuration, just install each module (if you already have it, it may say “nothing to do” and stop). Alternately, if you configured Perl to ask before downloading dependencies, you may need to answer “yes” a few times to allow dependencies to be downloaded and installed. To install the required modules from within the CPAN shell, just do these, one at a time:
install WWW::Mechanize (only if you use the first variation of the script)
install Data::Validate::IP
install DBD::mysql (you might already have this)
To quit the CPAN shell, just type quit and press Enter.
Alternately, in some distributions you can get certain Perl modules from the distribution’s repository. For example, in CentOS you may be able to use:
yum install perl-WWW-Mechanize.noarch (only if you use the first variation of the script)
yum install perl-Data-Validate-IP.noarch
yum install perl-DBD-MySQL.noarch
Or in any Debian-based Linux, including Ubuntu Server, try these:
sudo apt install libwww-mechanize-perl (only if you use the first variation of the script)
sudo apt install libdata-validate-ip-perl
sudo apt install libdbd-mysql-perl
It’s likely you already have the MySQL module. Depending on your distro you may have to leave off the .noarch, or find a specific version in an appropriate repository. Installing from the CPAN shell may take a bit more time for the initial configuration, and some people find the CPAN shell difficult to use, but you will always get the correct version of the module.
Note that if you use Webmin, there is a third way – you can install modules from the Other | Perl Modules | Install Module page. BUT, that may not work correctly until you have configured CPAN as mentioned above. Don’t let that stop you from trying it, though!
The Script:
There are now two versions of this script. One uses WWW::Mechanize to get your IP address from a web site that returns only your IP address, while the second uses a dig command to get your IP address. We recommend the second one, since public sites that return only your IP address have a nasty habit of disappearing. Note that as always, these WILL overflow the lines in WordPress, so you will want to cut and paste your preferred script into a text editor. Also note that WordPress MAY change apostrophes and quotes into “prettified” versions, and if it does that will totally mess up Perl. I’m going to put this in a preformatted text block so hopefully WordPress won’t change anything (it doesn’t appear that it has), but you never know. One final note, don’t confuse backticks (`) with apostrophes (‘) – backticks are used to run a command that would normally be run from a Linux command prompt.
These scripts were written for use with FreePBX 2.11; there are a couple of lines that need to be changed for FreePBX 12 and above which will be posted below the main scripts:
#!/usr/bin/perl
# This program gets the current IP address (as assigned by the ISP) from
# a web page and modifies the FreePBX Asterisk SIP settings if the
# external IP address has changed. Invoke it as a cron job that runs every 5 minutes.
use strict;
use warnings;
use WWW::Mechanize;
use Data::Validate::IP qw(is_public_ipv4);
use DBI;

# GET CURRENT IP ADDRESS
my $mech = WWW::Mechanize->new( autocheck => 1 );
# NOTE THE http QUERY IN THE NEXT LINE - PLEASE PASTE THIS INTO YOUR WEB
# BROWSER AND MAKE SURE IT RETURNS YOUR IP ADDRESS AND NOTHING ELSE.
$mech->get('http://some_web_site_that_returns_your_IP_address');
$mech->success or die 'Cannot connect to web site';
# PICK THE FIRST DOTTED QUAD OUT OF THE PAGE (the backslashes in the pattern matter)
my ($ip) = ($mech->content() =~ /(\d+\.\d+\.\d+\.\d+)/);
# VALIDATE RESULT RECEIVED - IT MUST BE A PUBLIC IPv4 ADDRESS
if (defined $ip and is_public_ipv4($ip)) {
    # CONNECT TO MySQL DATABASE
    my $connect = DBI->connect("DBI:mysql:database=asterisk;host=localhost", "user", "pw", {'RaiseError' => 1});
    # GET IP ADDRESS FROM DATABASE
    my ($externip) = $connect->selectrow_array("SELECT data FROM sipsettings WHERE keyword like ?", undef, "externip_val");
    # COMPARE IP ADDRESSES
    if ($externip ne $ip) {
        # WAIT 5 SECONDS AND RECHECK IP TO AVOID FALSE POSITIVES
        sleep 5;
        $mech->get('http://some_web_site_that_returns_your_IP_address');
        $mech->success or die 'Cannot connect to web site';
        ($ip) = ($mech->content() =~ /(\d+\.\d+\.\d+\.\d+)/);
        if (defined $ip and $externip ne $ip) {
            # IP HAS CHANGED SO UPDATE IP ADDRESS IN DATABASE
            $connect->do("UPDATE sipsettings SET data = ? WHERE keyword = ?", undef, $ip, "externip_val");
            # WRITE CONFIG FILES AND RELOAD ASTERISK
            `/var/lib/asterisk/bin/module_admin reload`;
            # OPTIONAL SEND EMAIL TO SYSTEM ADMINISTRATOR(S)
            # my $mailstring = 'echo "This is an automated message - please do not reply. Either we had a power or Internet outage (in which case there is a slight chance you may receive this message even if our IP address is unchanged), or our Internet Service Provider has changed the IP address of our phone server to ' . $ip . '" | mail -s "ISP may have changed our IP address" someaddress@gmail.com,anotheraddress@somewhere.com';
            # system($mailstring);
        }
    }
}
Variation #2 (recommended) – note, do NOT confuse backticks and apostrophes, since both are used in this script and they are NOT interchangeable!
#!/usr/bin/perl
# This program gets the current IP address (as assigned by the ISP) from
# OpenDNS and modifies the FreePBX Asterisk SIP settings if the external IP
# address has changed. Invoke it as a cron job that runs every 5 minutes.
use strict;
use warnings;
use Data::Validate::IP qw(is_public_ipv4);
use DBI;

# ASK OpenDNS WHICH ADDRESS OUR QUERY CAME FROM (the backticks run the command)
my $dig = 'dig +short myip.opendns.com @resolver1.opendns.com';
my $ip = `$dig`;
chomp $ip;
# IF dig FAILS IT PRINTS AN ERROR MESSAGE, NOT AN ADDRESS, SO CHECK THE SHAPE FIRST
if ($ip =~ /((\d){1,3}\.){3}(\d){1,3}/) {
    if (is_public_ipv4($ip)) {
        # CONNECT TO MySQL DATABASE
        my $connect = DBI->connect("DBI:mysql:database=asterisk;host=localhost", "user", "pw", {'RaiseError' => 1});
        # GET IP ADDRESS FROM DATABASE
        my ($externip) = $connect->selectrow_array("SELECT data FROM sipsettings WHERE keyword like ?", undef, "externip_val");
        # COMPARE IP ADDRESSES
        if ($externip ne $ip) {
            # WAIT 5 SECONDS AND RECHECK IP TO AVOID FALSE POSITIVES
            sleep 5;
            $ip = `$dig`;
            chomp $ip;
            if ($ip =~ /((\d){1,3}\.){3}(\d){1,3}/) {
                if (is_public_ipv4($ip)) {
                    if ($externip ne $ip) {
                        # IP HAS CHANGED SO UPDATE IP ADDRESS IN DATABASE
                        $connect->do("UPDATE sipsettings SET data = ? WHERE keyword = ?", undef, $ip, "externip_val");
                        # WRITE CONFIG FILES AND RELOAD ASTERISK
                        `/var/lib/asterisk/bin/module_admin reload`;
                        # OPTIONAL SEND EMAIL TO SYSTEM ADMINISTRATOR(S)
                        # my $mailstring = 'echo "This is an automated message - please do not reply. Either we had a power or Internet outage (in which case there is a slight chance you may receive this message even if our IP address is unchanged), or our Internet Service Provider has changed the IP address of our phone server to ' . $ip . '" | mail -s "ISP may have changed our IP address" someaddress@gmail.com,anotheraddress@somewhere.com';
                        # system($mailstring);
                    }
                }
            }
        }
    }
}
NOTES on the above scripts, including THINGS YOU MUST CHANGE:
In the first script, change both occurrences of http://some_web_site_that_returns_your_IP_address to a web address that returns only your IP address and nothing else. Enter the link into a web browser to make sure you get the expected result — it should show your external IP address and nothing else. These services tend to come and go, and you’ll need to find one that returns your IP address, and ONLY your IP address, with no extraneous HTML formatting or text. If you don’t know of such a source, then try the second variation.
The rest of this applies to both scripts:
Note the two placeholder values user and pw in the DBI->connect line. These must be changed to the MySQL credentials for YOUR system. You will usually find them in one of two places. One is /etc/amportal.conf: look for the variables AMPDBUSER and AMPDBPASS — in newer installs these will usually be near the bottom of the file, in a “— CATEGORY: Bootstrapped or Legacy Settings —” section, but they can be anywhere in the file.
Another place they may be found is in the file /etc/freepbx.conf — in that file, look for lines similar to:
Those will give you the values to insert into the user and pw variables in the script. YOU MUST INSERT THE CORRECT VALUES OR THE SCRIPT WILL NOT WORK! By the way, if you have both of the above-mentioned files, make sure that the AMPDBUSER and AMPDBPASS variables are set to the same respective values in both files, otherwise your CDR Reports page may not work.
Finally, if you want an e-mail notification when your IP address has changed, uncomment the two lines under “# OPTIONAL SEND EMAIL TO SYSTEM ADMINISTRATOR(S)” and modify the first line appropriately (make sure you use one or more valid e-mail addresses!). BE CAREFUL NOT TO DELETE THE TRAILING APOSTROPHE (just before the semicolon). Yeah, I did that once. 🙁
IF YOUR ARE RUNNING FREEPBX 12 (NOT FreePBX 14, see below), it appears they have changed the location where the IP address is stored in the database. In that case, two sections of the script need to be changed:
Change this:
# GET IP ADDRESS FROM DATABASE
my ($externip) = $connect->selectrow_array("SELECT data FROM sipsettings WHERE keyword like ?", undef, "externip_val");
To this:
# GET IP ADDRESS FROM DATABASE
my ($externip) = $connect->selectrow_array("SELECT val FROM kvstore WHERE `key` = ?", undef, "externip");
Change this:
# IP HAS CHANGED SO UPDATE IP ADDRESS IN DATABASE
$connect->do("UPDATE sipsettings SET data = ? WHERE keyword = ?", undef, "$ip", "externip_val");
To this:
# IP HAS CHANGED SO UPDATE IP ADDRESS IN DATABASE
$connect->do("UPDATE kvstore SET val = ? WHERE `key` = ?", undef, "$ip", "externip");
IF YOU ARE RUNNING FREEPBX 14, it appears they have changed the location again where the IP address is stored in the database. In that case, two sections of the script need to be changed:
Change this:
# GET IP ADDRESS FROM DATABASE
my ($externip) = $connect->selectrow_array("SELECT data FROM sipsettings WHERE keyword like ?", undef, "externip_val");
To this:
# GET IP ADDRESS FROM DATABASE
my ($externip) = $connect->selectrow_array("SELECT val FROM kvstore_Sipsettings WHERE `key` = ?", undef, "externip");
Change this:
# IP HAS CHANGED SO UPDATE IP ADDRESS IN DATABASE
$connect->do("UPDATE sipsettings SET data = ? WHERE keyword = ?", undef, "$ip", "externip_val");
To this:
# IP HAS CHANGED SO UPDATE IP ADDRESS IN DATABASE
$connect->do("UPDATE kvstore_Sipsettings SET val = ? WHERE `key` = ?", undef, "$ip", "externip");
(Thanks to “Tony” for posting the FreePBX 14 changes in the comment section.)
Regardless of which version you are running (12 or 14), BE CAREFUL, in both of the above lines the word keyword (without quotes) is changed to `key` (with backtick quotes). If you leave out the backticks, or change them to something else such as apostrophes, IT WILL NOT WORK.
Save your script to either the /root directory or the /var/lib/asterisk/agi-bin directory, or to another location of your choosing. I named it checkip.pl, solely because that was the name of a previous script I had run and I had already created a cron job for it. You must make the script executable, for example:
chmod u+rx /var/lib/asterisk/agi-bin/checkip.pl
Of course you will specify the correct filename and directory. Now it’s time to test the script. From the Linux command prompt, navigate to the directory where you stored the script:
cd /var/lib/asterisk/agi-bin
Now run the script from the command prompt:
./checkip.pl
Hopefully you won’t see any error messages. Remember it’s going out to do a query to get your external IP address, so don’t get concerned if it takes a second or two. If you had an incorrect address stored in your FreePBX Asterisk SIP Settings configuration, it will take longer because it will reload the FreePBX configuration. The script has a couple of different checks to make sure it only stores a real IP address (and not something invalid like an error message) in the database, so if it appears to not be working, make sure the underlying call to the web server or the dig command (depending on which variation you use) is returning a valid IP address.
Usually if you do see errors they will fall into one of two categories. The first is a missing Perl module, which you will need to obtain as described above. The second is a syntax error, which you should not get if you cut and pasted the script, and made the changes noted above. If you get a permissions error, you probably forgot to make the script executable!
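The check the two scripts rely on, written out as an added shell example (not the Perl from the post): it takes what the dig lookup printed and only passes it on if it is a dotted quad in a public range, so neither an error message nor a private address can be written to the database or pasted into the optional mail command. The range rules follow what Data::Validate::IP's is_public_ipv4 documents (private, loopback, link-local, CGNAT, multicast, reserved); edge cases such as documentation ranges are an assumption here and may differ.

```shell
#!/bin/sh
# Added example: the "is this really a public IPv4 address?" gate used by
# checkip.pl, as POSIX sh functions. Not part of the original post.

# Returns 0 only if $1 is exactly four decimal octets, each 0..255.
is_dotted_quad() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    ipv4_oldifs=$IFS; IFS=.
    set -- $1
    IFS=$ipv4_oldifs
    [ $# -eq 4 ] || return 1
    for ipv4_octet in "$@"; do
        # at most 3 digits (rules out 0255) and numerically <= 255
        [ ${#ipv4_octet} -le 3 ] || return 1
        [ "$ipv4_octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 only if $1 is a dotted quad outside the private, loopback,
# link-local, carrier-grade NAT, multicast and reserved ranges, i.e. an
# address that could actually serve as externip for SIP.
is_public_ipv4() {
    is_dotted_quad "$1" || return 1
    ipv4_oldifs=$IFS; IFS=.
    set -- $1
    IFS=$ipv4_oldifs
    ipv4_a=$1; ipv4_b=$2
    [ "$ipv4_a" -eq 0 ]   && return 1   # 0.0.0.0/8   "this" network
    [ "$ipv4_a" -eq 10 ]  && return 1   # 10.0.0.0/8  private
    [ "$ipv4_a" -eq 127 ] && return 1   # 127.0.0.0/8 loopback
    [ "$ipv4_a" -ge 224 ] && return 1   # 224/4 multicast, 240/4 reserved
    [ "$ipv4_a" -eq 100 ] && [ "$ipv4_b" -ge 64 ] && [ "$ipv4_b" -le 127 ] && return 1  # 100.64.0.0/10 CGNAT
    [ "$ipv4_a" -eq 169 ] && [ "$ipv4_b" -eq 254 ] && return 1                          # 169.254.0.0/16 link-local
    [ "$ipv4_a" -eq 172 ] && [ "$ipv4_b" -ge 16 ] && [ "$ipv4_b" -le 31 ] && return 1   # 172.16.0.0/12 private
    [ "$ipv4_a" -eq 192 ] && [ "$ipv4_b" -eq 168 ] && return 1                          # 192.168.0.0/16 private
    return 0
}

# Takes the raw text that "dig +short myip.opendns.com @resolver1.opendns.com"
# printed (which may be an error such as ";; connection timed out; no servers
# could be reached") and prints the address only if it passes the checks above;
# prints nothing and returns 1 otherwise.
validated_ip_from_dig_output() {
    ipv4_candidate=$(printf '%s\n' "$1" | head -n 1 | tr -d '\r')
    is_public_ipv4 "$ipv4_candidate" || return 1
    printf '%s\n' "$ipv4_candidate"
}

# Live lookup, same dig command as Variation #2 of checkip.pl.
get_external_ip() {
    validated_ip_from_dig_output "$(dig +short myip.opendns.com @resolver1.opendns.com 2>/dev/null)"
}
```

A cron wrapper can call get_external_ip and skip the database write and reload whenever it returns nonzero, which is the same outcome the nested if-blocks in the Perl produce.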
Setting up a cron job:
Once it runs without errors, you will want to create a cron job so it runs automatically every five minutes. Do NOT run it more often than that, or the lookup service may ban your IP address, and you don’t want that to happen (whatismyip.com would do that, which is another reason not to use them), and besides, it’s not polite to hog the resources of someone else’s server! And if you are running it on multiple servers at the same IP address, then adjust the polling speed so that the total polling from all servers doesn’t exceed once every five minutes. An occasional additional test is probably not an issue, but if you try to poll every minute you just might get banned!
The usual way to add a cron job is to run this command:
crontab -e
(If you’re not currently running as root use sudo crontab -e instead)
This will open a text editor showing your current cron jobs. Just add a new line to the bottom of the file with your new cron job. To run the script every five minutes, you could use something like this:
*/5 * * * * /var/lib/asterisk/agi-bin/checkip.pl
Or to be more specific as to when the script runs (this will run it exactly on the hour, at five minutes after the hour, at ten minutes after the hour, and so on):
Just save the changed file when you are finished. The alternate method is to use Webmin’s System | Scheduled Cron Jobs module to set up your cron job.
Final testing:
The easiest way to test to make sure this is all working is to wait until a time that there are no active calls on the system, then go to the Asterisk SIP Settings configuration page and change the External IP address to something invalid (just change the last digit of the current address and Submit Changes, then do the usual orange bar reload). On the next five minute interval, the script should detect that the external IP address doesn’t match the one stored in the database, and it will write the correct value to the database and reload Asterisk. If you watch the Asterisk CLI during this time, you should actually see the reload take place. After that, if you go back to the Asterisk SIP Settings configuration page, the correct IP address should be there. To be extra safe, you should also view the contents of the file /etc/asterisk/sip_general_additional.conf and make sure that the externip= line shows the correct IP address.
Now you don’t have to worry about frantic calls from users at inopportune times because your ISP changed your IP address and none of the phones are working, and you also won’t have any of the problems associated with the Dynamic IP method!
I want to thank Moshe Brevda for giving me the information I needed to do the MySQL database write, after a particularly frustrating middle of the night session (not helped by bumping into a truly arrogant bastard on an IRC channel), and also for one correction to this article (see my comment in the comments section below). If any “Perl purists” are reading this and you want to offer a constructive comment without giving me any attitude, I’m fine with that. But if you are like some of your I-know-it-all-and-your-coding-sucks brethren in the IRC channel, don’t even waste your time posting a comment, because I won’t approve it. No, you really DON’T need to use any other Perl database modules to do this simple task, and no, I DON’T want to learn your philosophy of writing Perl code (there are some really sucky mom’s-basement-dwellers inhabiting the #perl IRC channel — some of those folks really need to get professional help, and that is all I will say about that). EDIT: Credit to the article Quickly Get an External IP Address from the Command Line (OS X Daily) for revealing the method of using dig with OpenDNS to get your IP address.
NOTE: As usual, there are no warranties — we’re experimenters here, and sometimes we don’t catch all the bugs, especially on the first go around! However, I would assume that anyone who is running a “professional” installation would pay their ISP for a true static IP address (one that never changes), and therefore wouldn’t need one of these scripts in the first place.
I wanted to find a way to send Caller ID popups to a Ubuntu Linux box, and in the process I discovered a different method of sending such notifications. There are pros and cons to using the new method, so let me explain those first:
Pros:
Can send notifications to any computer that supports command line generated notifications (so it could also be used with Growl, if you can use growlnotify from a command prompt to generate a notification).
Can send notifications to any computer that you can SSH into, provided you have it set up to use public/private key authentication rather than password authentication.
Cons:
Notifications typically display a couple of seconds later than under the previous method. I suspect this is due to the SSH authentication taking a second or two.
It’s a little bit more complicated to set this up, though not horribly so.
Because this uses SSH and requires that Asterisk be granted permission to establish an SSH connection as the super user (by using sudo), there may be unforeseen security risks.
Read that last point again, and please understand that as with all projects on this site, I offer this for experimental purposes only. I explicitly do not warrant this method as being 100% secure, nor will I tell you that it could not be exploited to do bad things on your system. I don’t think it can (and feel free to leave a comment if you think I’m wrong), but I just don’t know that for sure. So, if you decide to use anything in this article, you agree to assume all risks. If you’re the type that likes to sue other people when something goes wrong, then you do not have permission to use this code. We’re all experimenters here, so no guarantees!
As with the previous method, you must have the Perl language installed on your Asterisk server, and you must have the Asterisk::AGI module installed (I’m going to assume you know how to install a Perl module from the CPAN repository – if you have Webmin installed, it can be done from within Webmin). Chances are you already have Asterisk::AGI installed, unless you built your Asterisk server “from scratch” and never installed it.
There’s one additional thing you must do on the Asterisk server before this will run, and that’s allow Asterisk to run the ssh command as root. So, add this to your /etc/sudoers file (probably at the very end, but in any case it should be obvious where to add this because it will be in a section where Asterisk is granted similar privileges with regard to other programs):
asterisk ALL = NOPASSWD: /usr/bin/ssh
Next you want to copy and paste the following Perl script to the filename /var/lib/asterisk/agi-bin/notifysend.agi on your Asterisk server (to create a non-existent file, you can use the touch command, and after that you can edit it in Midnight Commander or by using the text editor of your choice). If this code looks somewhat familiar, it’s because it’s adapted from some code that originally appeared in a FreePBX How-To, which I have modified.
#!/usr/bin/perl
use strict;
use warnings;
use Asterisk::AGI;
my $agi = Asterisk::AGI->new;
my %input = $agi->ReadParse();
# Next two lines fork the process so Asterisk can get on with handling the call
open STDOUT, '>/dev/null';
fork and exit;
my $num = $input{'callerid'};
my $name = $input{'calleridname'};
my $ext = $input{'extension'};
my $user = $ARGV[0];
my $ip = $ARGV[1];
# A MAC address as the second argument is translated to the IP address that
# gshelper.agi stored in the Asterisk database (astdb)
if ( $ip =~ /^([0-9a-f]{2}(:|$)){6}$/i ) {
    $ip = $agi->database_get('growlsend',uc($ip));
}
# OMIT this section if you don't want IP address
# checking (e.g. you want to use foo.bar.com)
unless ( defined $ip && $ip =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ ) {
    exit;
}
if ( defined $ARGV[2] && $ARGV[2] ne "" ) {
    $ext = $ARGV[2];
}
my @months = (
    "January", "February", "March", "April", "May", "June",
    "July", "August", "September", "October", "November", "December"
);
my @weekdays = (
    "Sunday", "Monday", "Tuesday", "Wednesday",
    "Thursday", "Friday", "Saturday"
);
my (
    $sec, $min, $hour, $mday, $mon,
    $year, $wday, $yday, $isdst
) = localtime(time);
my $ampm = "AM";
if ( $hour > 12 ) {
    $ampm = "PM";
    $hour = ( $hour - 12 );
}
elsif ( $hour == 12 ) { $ampm = "PM"; }
elsif ( $hour == 0 ) { $hour = "12"; }
if ( $min < 10 ) { $min = "0" . $min; }
$year += 1900;
my $fulldate =
    "$hour:$min $ampm on $weekdays[$wday], $months[$mon] $mday, $year";
# Next two lines normalize NANP numbers, probably not wanted outside of U.S.A./Canada/other NANP places
$num =~ s/^([2-9])(\d{2})([2-9])(\d{2})(\d{4})$/$1$2-$3$4-$5/;
$num =~ s/^(1)([2-9])(\d{2})([2-9])(\d{2})(\d{4})$/$1-$2$3-$4$5-$6/;
# The name and number are supplied by the caller and end up inside a command
# line on the remote system, so strip the characters a shell would interpret
for ($name, $num) {
    $_ = '' unless defined $_;
    s/["\$`\\]//g;        # quote, dollar, backtick, backslash
    s/[^[:print:]]//g;    # control characters
}
my $cmd = qq(./remotenotify.sh "$name" "$num calling $ext at $fulldate");
# List form of exec: no local shell is involved, ssh hands $cmd to the remote login shell
exec 'sudo', 'ssh', "$user\@$ip", $cmd;
Also, if you want to be able to specify computers that you wish to send notifications to using MAC addresses rather than IP addresses (in case computers on your network get their addresses via DHCP, and therefore the IP address of the target computer can change from time to time), then you must in addition install the following Perl script (if you have not already done so when using the previous method). Note that if you have a mix of computers on your network and you are using both the new and old methods, you only need to do this once — it works with both methods (hence the reference to “growlsend” in the database and “gshelper” as the name of this script). Call it /var/lib/asterisk/agi-bin/gshelper.agi and note that there is a line within it that you may need to change to reflect the scope of your local network:
#!/usr/bin/perl
use strict;
use warnings;
my ($prev, @mac, @ip);
# Change the 192.168.0.0/24 in the following line to reflect the scope of your local network, if necessary
my @nmap = `nmap -sP 192.168.0.0/24|grep -B 1 MAC`;
foreach (@nmap) {
if (index($_, "MAC Address:") >= 0) {
@mac = split(" ");
@ip = split(" ",$prev);
`/usr/sbin/asterisk -rx "database put growlsend $mac[2] $ip[1]"`;
}
$prev=$_;
}
Make sure to modify the permissions on both scripts to make them the same as other scripts in that directory (owner and group should be asterisk, and the file should be executable), and if you use the gshelper script, make sure to set up a cron job to run it every so often (I would suggest once per hour, but it’s up to you).
Now go to this page and search for the paragraph starting with, “After you have created that file, check the ownership and permissions” (it’s right under a code block, just a bit more than halfway down the page) and if you are using FreePBX follow the instructions from there on out (if you are not using FreePBX then just read that section of the page so you understand how this works, and in any case ignore the top half of the page, it’s talking about a different notification system entirely). However, note that the syntax used in extensions_custom.conf differs from what is shown there, depending on whether you are specifying an IP address or a MAC address to identify the target computer.
First, if you are specifying the IP address of the target computer, then instead of using this syntax:
Note that username is the account name you use when doing an ssh login into the destination system, and it should also be the desktop user on the system (not root!). Let’s say that the system is currently at IP address 192.168.0.123. In order for this to work, you need to be able to ssh into your Ubuntu box from your Asterisk server, using the following command from the Asterisk server’s command line:
It’s probably easiest to configure each computer that is to receive notifications to use a static IP address. But note that if you use the above code and have the gshelper.agi program running as a cron job, then after the first time it has run while the computer to receive the notifications is online you should be able to use a computer’s MAC address instead of the IP address. This only works if you’ve used the modified script on this page, not the one shown in the FreePBX How-To. As an example, instead of
(the above is all one line) where 01:23:45:AB:CD:EF is the MAC address of the computer you want to send the notification to. Once again, just in case you missed it the first time I said it, this won’t work until the gshelper.agi script has been run at least once while the computer to receive the notifications was online. If for some reason it still doesn’t appear to work, run the nmap command (from gshelper.agi) including everything between the two backticks (`) directly from a Linux command prompt and see if it’s finding the computer (depending on the size of your network, it might be several seconds before you see any output, which is why I don’t try to run this in real time while a call is coming in).
If you are NOT running FreePBX, but instead writing your Asterisk dial plans by hand, then you will have to insert a line similar to one of the above examples into your dial plan, except that you don’t need the four asterisks (****) in front of the extension number, and if it’s not the first line in the context, you’ll probably want to use n rather than 1 for the line designator (and, you won’t be putting the line into extensions_custom.conf because you probably don’t have such a file; instead you’ll just put it right in the appropriate section of your dial plan). In other words, something like this (using extension 525 as an example):
This line should go before the line that actually connects the call through to extension 525. I do not write Asterisk dial plans by hand, so that’s about all the help I can give you. And if you don’t write your dial plans by hand, but you aren’t using FreePBX, then I’m afraid you’ll have to ask for help in whatever forum you use for advice on the particular software that you do use to generate dial plans, because I can’t tell you how to insert the above line (or something like it) into your dial plan.
Now is where it gets just a bit more complicated than in the original method. If you have followed the above instructions, you’ll be able to send the notifications to the remote system using SSH, but there will be nothing there to receive them. So we have to create a small script on the receiving system to do something with the received notifications. That script will vary depending on the receiving system, but it must be named remotenotify.sh and it must be placed in the destination user’s home directory, and don’t forget to make it executable! Here’s one that will work in most Ubuntu installations that have Notify OSD installed:
Those two lines are all you need. On a different type of system (or if you have multiple displays) you may need to or wish to do something different. For example, as I mentioned above, if the destination system is running Growl then your remotenotify.sh script will need to call growlnotify, but beyond that I wouldn’t know what to use there (EDIT: But if the target system is a Mac that is running OS X, a pretty good guess would probably be that you’d only need one line, something like this:
growlnotify -s -p 1 -a Telephone -m "$2" $1
In this case it should make the notification sticky until dismissed by the user, give it a priority of 1 — the default is 0 — and use the application icon from the “Telephone” application if you have it installed. Instead of -a to specify an application’s icon you could use -I followed by a path to an .icns file that contains an icon you want to use. Type growlnotify –help to see all the growlnotify options. Oh, and before you can make an SSH connection to a Mac you have to go into System Preferences | Sharing and turn on Remote Login).
The beauty of this approach is that you can make the remotenotify.sh script as simple or as complicated as you need — you could even make it forward a notification to other devices if you wish, but figuring out how to do that is up to you (if you come up with something good, please leave a comment and tell us about it!).
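The sudoers grant above lets the Asterisk side open the connection; what the key is allowed to do on the receiving side is a separate control, and an added example (not from the original post) of tightening it follows: a forced command in the destination user's authorized_keys that accepts only the exact ./remotenotify.sh invocation notifysend.agi sends and rejects everything else. It assumes a dedicated notification key and the file name notify-gate.sh, neither of which is on the page.

```shell
#!/bin/sh
# notify-gate.sh - added example, not part of the original post. Forced command
# for the receiving (desktop) side of the SSH notification setup. Assumed, not
# from the post: the Asterisk server's key is used only for notifications and
# is listed in /home/username/.ssh/authorized_keys with restrictions, e.g.
#   command="/home/username/notify-gate.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-ed25519 AAAA... asterisk-notify
# sshd then runs this script instead of whatever the client asked for and puts
# the requested command line in $SSH_ORIGINAL_COMMAND.

# Accepts only the exact shape notifysend.agi produces:
#     ./remotenotify.sh "<title>" "<body>"
# with no quote, backslash, dollar, backtick or non-printable character in
# either argument. On success sets GATE_TITLE and GATE_BODY and returns 0.
parse_notify_command() {
    gate_cmd=$1
    gate_pre='./remotenotify.sh "'
    gate_sep='" "'
    gate_q='"'
    case "$gate_cmd" in
        "$gate_pre"*"$gate_sep"*"$gate_q") ;;
        *) return 1 ;;
    esac
    gate_rest=${gate_cmd#"$gate_pre"}          # <title>" "<body>"
    gate_title=${gate_rest%%"$gate_sep"*}      # up to the first '" "'
    gate_body=${gate_rest#*"$gate_sep"}        # after the first '" "'
    gate_body=${gate_body%"$gate_q"}           # drop the closing quote
    # A third quoted argument, or a quote inside an argument, leaves a stray
    # quote in gate_body; the metacharacter test below catches it.
    if printf '%s' "$gate_title$gate_body" | grep -q '[\\"$`]'; then
        return 1
    fi
    # anything non-printable (including newlines) is rejected
    if [ "$(printf '%s' "$gate_title$gate_body" | tr -d '[:print:]'; echo x)" != x ]; then
        return 1
    fi
    GATE_TITLE=$gate_title
    GATE_BODY=$gate_body
    return 0
}

# Entry point when sshd runs this script as the forced command.
gate_main() {
    if parse_notify_command "${SSH_ORIGINAL_COMMAND-}"; then
        exec "$HOME/remotenotify.sh" "$GATE_TITLE" "$GATE_BODY"
    fi
    logger -t notify-gate "rejected command from ${SSH_CONNECTION-unknown}: ${SSH_ORIGINAL_COMMAND-<none>}"
    exit 1
}

# Only run the gate when invoked as the installed script, so the functions
# above can also be sourced and exercised on their own.
case "${0##*/}" in
    notify-gate.sh) gate_main ;;
esac
```

Rejected attempts are logged with logger, so a one-line grep of syslog on the desktop shows whether anything other than notifysend.agi is using the key.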
If you’re running Ubuntu on the target system, here are a few articles you may wish to use to help you get your notifications to look the way you want them to appear:
If you want to be able to review missed notifications, you may be able to use this (as a side note, why don’t they have something like this for Growl?):
The idea behind the shell script that runs on the target system was found in a comment on the following article, which may be of special interest to MythTV users:
Many of today’s commercial routers implement SIP ALG (Application-level gateway), coming with this feature enabled by default. While ALG could help in solving NAT related problems, the fact is that many routers’ ALG implementations are wrong and break SIP.
The article goes on to explain why the implementation is broken, and how to disable it in several brands of routers. Certain VoIP adapter manufacturers also recommend disabling this feature if you are having problems with SIP registration, not being able to receive a call or one-way audio. But note that this issue can affect any type of SIP-based communications, regardless of hardware or software used.
EDIT (May, 2018): For information on another issue that may cause problems when you switch routers, see this DSLReports thread: SIP registration times.
Notice
EDIT March, 2014 and August 2020: If you are running OS X Mavericks or later, or any version of MacOS we recommend that you do NOT use the script shown here, but instead send notifications to a XMPP/Jabber account and use either Apple’s Messages app (formerly iChat) or a third party messaging program such as Adium to receive them, since the message will then display in the Notifications Center and you do not need Growl. See How to send various types of notifications on an incoming call in FreePBX for more information. You may also find this thread on the RasPBX forum useful.
What follows will probably not work on ANY currently supported version of MacOS and is left here as a historical reference only.
Quite some time ago, I wrote a post explaining how you could poll a Linksys or Sipura VoIP adapter or phone once per second, and whenever there was an incoming call, generate a notification popup on your computer, if you have the Growl notification service installed. However, that method doesn’t work if you’re not using a Linksys or Sipura phone or device.
If you are running Asterisk, there’s another way to do it, and that’s to get Asterisk to send the notifications directly. In order for this to work, the computer on which you want to receive the notifications has to be running Growl (under Mac OS X) or Growl for Windows. You must also configure Growl to receive network notifications. I will note here that if you are using a Mac and have never done that before, you may want to make sure that Growl network notifications work before proceeding, because it appears that under OS X, it’s pretty much a crap shoot whether Growl network notifications will work at all, and when they don’t the Growl folks apparently have no clue as to why they don’t. It seems to be a machine-specific thing – on some Macs they work fine, while on others they don’t work at all.
You must have the Perl language installed on your Asterisk server, and you must have the Net::Growl and Asterisk::AGI modules installed (I’m going to assume you know how to install a Perl module from the CPAN repository – if you have Webmin installed, it can be done from within Webmin). Chances are you already have Asterisk::AGI installed, unless you built your Asterisk server “from scratch” and never installed it, but if you’ve never installed Net::Growl you’ll need to do that first.
Next you want to copy and paste the following Perl script to the filename /var/lib/asterisk/agi-bin/growlsend.agi on your Asterisk server (to create a non-existent file, you can use the touch command, and after that you can edit it in Midnight Commander or by using the text editor of your choice). If this code looks somewhat familiar, it’s because it’s adapted from some code that originally appeared in a FreePBX How-To, which I modified.
#!/usr/bin/perl
use strict;
use warnings;
use Net::Growl;
use Asterisk::AGI;
my $agi = Asterisk::AGI->new;
my %input = $agi->ReadParse();
my $num = $input{'callerid'};
my $name = $input{'calleridname'};
my $ext = $input{'extension'};
my $ip = $ARGV[0];
# Growl network password passed as the second argument (empty if none given)
my $password = defined $ARGV[1] ? $ARGV[1] : '';
# A MAC address as the first argument is translated to the IP address that
# gshelper.agi stored in the Asterisk database (astdb)
if ( $ip =~ /^([0-9a-f]{2}(:|$)){6}$/i ) {
    $ip = $agi->database_get('growlsend',uc($ip));
}
unless ( defined $ip && $ip =~ /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/ ) {
    exit;
}
# Fork so Asterisk can get on with handling the call
open STDOUT, '>/dev/null';
fork and exit;
if ( defined $ARGV[2] && $ARGV[2] ne "" ) {
    $ext = $ARGV[2];
}
# Define months and weekdays in English
my @months = (
    "January", "February", "March", "April", "May", "June",
    "July", "August", "September", "October", "November", "December"
);
my @weekdays = (
    "Sunday", "Monday", "Tuesday", "Wednesday",
    "Thursday", "Friday", "Saturday"
);
# Construct date/time string
my (
    $sec, $min, $hour, $mday, $mon,
    $year, $wday, $yday, $isdst
) = localtime(time);
my $ampm = "AM";
if ( $hour > 12 ) {
    $ampm = "PM";
    $hour = ( $hour - 12 );
}
elsif ( $hour == 12 ) { $ampm = "PM"; }
elsif ( $hour == 0 ) { $hour = "12"; }
if ( $min < 10 ) { $min = "0" . $min; }
$year += 1900;
my $fulldate =
    "$hour:$min $ampm on $weekdays[$wday], $months[$mon] $mday, $year";
# Next two lines normalize NANP numbers, probably not wanted outside of U.S.A./Canada/other NANP places
$num =~ s/^([2-9])(\d{2})([2-9])(\d{2})(\d{4})$/$1$2-$3$4-$5/;
$num =~ s/^(1)([2-9])(\d{2})([2-9])(\d{2})(\d{4})$/$1-$2$3-$4$5-$6/;
register(host => "$ip",
    application=>"Incoming Call",
    password=>"$password", );
notify(host => "$ip",
    application=>"Incoming Call",
    title=>"$name",
    description=>"$num\nfor $ext\n$fulldate",
    priority=>1,
    sticky=>'True',
    password=>"$password",
);
Also, if you want to be able to specify computers that you wish to send notifications to using MAC addresses rather than IP addresses (in case computers on your network get their addresses via DHCP, and therefore the IP address of the target computer can change from time to time), then you must in addition install the following Perl script. It requires a command-line utility called arp-scan, so install that if you need to – I used to use nmap for this but they changed the output format, making it harder to parse, and arp-scan is much faster anyway. Call it /var/lib/asterisk/agi-bin/gshelper.agi and note that there are two references to 192.168.0… within it that you may need to change to reflect the scope of your local network, if your network’s IP addresses don’t start with 192.168.0.:
#!/usr/bin/perl
use strict;
use warnings;
my @mac;
# Change the following lines to reflect the scope of your local network, if necessary
my @arp = `arp-scan --quiet --interface=eth0 192.168.0.0/24`;
foreach (@arp) {
if (index($_, "192.168.0.") == 0) {
@mac = split(" ");
`/usr/sbin/asterisk -rx "database put growlsend \U$mac[1] $mac[0]"`;
}
}
Make sure to modify the permissions on both scripts to make them the same as other scripts in that directory (owner and group should be asterisk, and the file should be executable), and also, if you use the gshelper script, make sure to set up a cron job to run it every so often (I would suggest once per hour, but it’s up to you).
Now go to this page and search for the paragraph starting with, “After you have created that file, check the ownership and permissions” (it’s right under a code block, just a bit more than halfway down the page) and if you are using FreePBX follow the instructions from there on out (if you are not using FreePBX then just read that section of the page so you understand how this works, and in any case ignore the top half of the page, it’s talking about a different notification system entirely). But note that if you use the above code and have the gshelper.agi program running as a cron job, then after the first time it has run while the computer to receive the notifications is online you should be able to use a computer’s MAC address instead of the IP address. This only works if you’ve used the modified script on this page, not the one shown in the FreePBX How-To. As an example, instead of
(the above is all one line) where 01:23:45:AB:CD:EF is the MAC address of the computer you want to send the notification to. Once again, just in case you missed it the first time I said it, this won’t work until the gshelper.agi script has been run at least once while the computer to receive the notifications was online. If for some reason it still doesn’t appear to work, run the arp-scan command (from gshelper.agi) including everything between the two backticks (`) directly from a Linux command prompt and see if it’s finding the computer (depending on the size of your network, it might be several seconds before you see any output, which is why I don’t try to run this in real time while a call is coming in).
If you are NOT running FreePBX, but instead write your Asterisk dial plans by hand, then you will have to insert a line similar to one of the above examples into your dial plan. The differences are that you don’t need the four asterisks (****) in front of the extension number, and that if it’s not the first line in the context, you’ll probably want to use n rather than 1 for the line designator. Also, you won’t be putting the line into extensions_custom.conf, because you probably don’t have such a file; instead you’ll just put it right in the appropriate section of your dial plan. In other words, something like this (using extension 525 as an example):
This line should go before the line that actually connects the call through to extension 525. I do not write Asterisk dial plans by hand, so that’s about all the help I can give you. And if you don’t write your dial plans by hand, but you aren’t using FreePBX, then I’m afraid you’ll have to ask for help in whatever forum you use for advice on the particular software that you do use to generate dial plans, because I can’t tell you how to insert the above line (or something like it) into your dial plan.
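To make the MAC-to-IP lookup described above concrete, here is an added example (not code from the original post, and not the gshelper.agi script itself) that shows the same idea in Python: it parses the output of an nmap ping sweep into an uppercased-MAC-to-IP mapping, builds the `database put growlsend` commands the script issues, and resolves a dial-plan target that may be either a MAC address or a plain IP. The nmap output below is a constructed sample in the standard `nmap -sn` report format, not a capture from a real network; the function names are my own. It deliberately includes a host with no MAC line (nmap omits the MAC for the scanning machine itself and for hosts that are not on the local segment) to show that such hosts simply don’t get an AstDB entry.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `nmap -sn` output (hypothetical hosts and vendors, not a real capture).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-01 10:00 EST
Nmap scan report for 192.168.1.1
Host is up (0.0010s latency).
MAC Address: 00:11:22:33:44:55 (Example Router Vendor)
Nmap scan report for desktop.lan (192.168.1.23)
Host is up (0.0020s latency).
MAC Address: 01:23:45:ab:cd:ef (Example PC Vendor)
Nmap scan report for 192.168.1.50
Host is up (0.0030s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 2.50 seconds
"""

# "Nmap scan report for 192.168.1.1" or "Nmap scan report for name (192.168.1.23)"
SCAN_REPORT = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d+\.\d+\.\d+\.\d+)\)?$")
MAC_LINE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
MAC_SHAPE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def parse_nmap_hosts(text: str) -> Dict[str, str]:
    """Return {uppercased MAC: IP} for every host that nmap reported with a MAC line.

    MACs are uppercased so the AstDB key matches regardless of how the dial plan
    writes them (the Perl script does the same thing with \\U).
    """
    mapping: Dict[str, str] = {}
    current_ip: Optional[str] = None
    for line in text.splitlines():
        m = SCAN_REPORT.match(line)
        if m:
            current_ip = m.group(1)
            continue
        m = MAC_LINE.match(line)
        if m and current_ip:
            mapping[m.group(1).upper()] = current_ip
            current_ip = None  # one MAC line per host
    return mapping


def astdb_put_commands(mapping: Dict[str, str], family: str = "growlsend") -> List[str]:
    """Build the Asterisk CLI commands that would populate the AstDB family.

    These are the strings the helper script passes to `asterisk -rx`; this example
    only builds them, it does not execute them.
    """
    return [f"database put {family} {mac} {ip}" for mac, ip in sorted(mapping.items())]


def resolve_target(target: str, mapping: Dict[str, str]) -> Optional[str]:
    """Resolve a dial-plan target to the IP that should receive the notification.

    A MAC address is looked up in the mapping (None if nmap has never seen it while
    the machine was online, which is the failure mode the post warns about); anything
    else is assumed to already be an IP address and is returned unchanged.
    """
    key = target.upper()
    if MAC_SHAPE.match(key):
        return mapping.get(key)
    return target


if __name__ == "__main__":
    hosts = parse_nmap_hosts(SAMPLE_NMAP_OUTPUT)
    for cmd in astdb_put_commands(hosts):
        print(cmd)
    print(resolve_target("01:23:45:ab:cd:ef", hosts))
```

In a real deployment the text fed to `parse_nmap_hosts` would come from running the ping sweep as root (nmap only reports MAC addresses when it has raw access to the local segment), which is why the post runs it from a cron job rather than during call setup.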
Virtually everything in this article has already been published in one place or another, but I wanted to get it into an article with a relevant title and cut out some of the extraneous explanations and such. There are links to all the original sources throughout the article, so feel free to follow those if you want more in-depth commentary.
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog. In order to comply with Federal Trade Commission regulations, I am disclosing that he received a free product sample of the item under review prior to writing the review, and that any links to Amazon.com in this article are affiliate links, and if you make a purchase through one of those links I will receive a small commission on the sale.
Here’s what the publisher wants you to know about the book (my comments will follow):
In Detail
OpenVPN is a powerful, open source SSL VPN application. It can secure site-to-site connections, WiFi, and enterprise-scale remote connections. While being a full-featured VPN solution, OpenVPN is easy to use and does not suffer from the complexity that characterizes other IPsec VPN implementations. It uses the secure and stable TLS/SSL mechanisms for authentication and encryption. This book is an easy introduction to this popular VPN application. After introducing the basics of security and VPN, it moves on to cover using OpenVPN, from installing it on various platforms, through configuring basic tunnels, to more advanced features, such as using the application with firewalls, routers, proxy servers, and OpenVPN scripting.
This is a practical guide to using OpenVPN for building both basic and complex Virtual Private Networks. It will save you a lot of time and help you build better VPNs that suit your requirements. While providing only necessary theoretical background, the book takes a practical approach, presenting plenty of examples. It starts with an introduction into the theory of VPNs and OpenVPN, followed by a simple installation example on almost every available platform. After a concise and ordered list of OpenVPN’s parameters, we dive into connecting several machines in a safe way. The last third of the book deals with professional and high-end scenarios, and also mobile integration. After having read the whole book and followed and understood all the examples, you will be an expert in VPN, Security, and especially in OpenVPN Technology. This book was written for version 2.0.9 of OpenVPN, but all examples have been tested and run smoothly on version 2.1 too. Read the full Table of Contents for Beginning OpenVPN 2.0.9
What you will learn from this book
Install OpenVPN on Windows Server, Vista, and Mac OS X and also on different Linux versions and FreeBSD
Learn basic security concepts necessary to understand VPNs and OpenVPN in particular
Take a look at encryption matters, symmetric and asymmetric keying, and certificates
Connect Windows and Linux systems and safely transfer the necessary encryption keys using WinSCP
Learn about OpenVPN, its development, features, resources, advantages, and disadvantages compared to other VPN solutions, especially IPsec
Discuss non-standard and advanced methods of installing OpenVPN by compiling the source code provided by the OpenVPN project
Create an encryption key for OpenVPN and use it to set up an OpenVPN tunnel between two Windows systems in the same network
Create X.509 server and client certificates for use with OpenVPN and learn how to use tools to debug and monitor VPN tunnels
Create and administer certificates that have to be transferred to the machines that are supposed to take part in the VPN
Configure two different firewall networks that connect to each other through the secure OpenVPN tunnel
Install and use XCA and TinyCA2 to generate certificate revocation lists that are used to block unwanted connections by formerly authorized clients
Install OpenVPN on Windows Mobile and Smartphones running embedded Linux, like Nokia’s Maemo platform
Analyze the flow of datagrams between the VPN servers and the connected networks with tools like ifconfig, ping, traceroute, and mtr
Approach
This book is an easy introduction to OpenVPN. While providing only necessary theoretical background, it takes a practical approach, presenting plenty of examples. It is written in a friendly style making this complex topic easy and a joy to read. It first covers basic VPN concepts, then moves to introduce basic OpenVPN configurations, before covering advanced uses of OpenVPN.
Who this book is written for
This book is for both experienced and new OpenVPN users. If you are interested in security and privacy on the internet, or want to have your notebook or mobile phone connected safely to the internet, the server in your company, or at home, you will find this book useful. It presumes basic knowledge of Linux, but no knowledge of VPNs is required.
Now back to my mini-review. If you read my original review (which explains why I think a VPN can be an important part of securing private VoIP networks, among other uses), you know that I found Mr. Feilner’s original book quite helpful in giving me a grasp on VPNs, a subject I’d known very little about prior to that point. There were a few things I thought could have been covered better, though, so I was interested to see if those things had been addressed in this updated edition.
As I had more or less noted, the author seemed to slightly prefer SuSE Linux over other versions of Linux, and the Shorewall firewall over other Linux firewall solutions, and (in my opinion) the new book still uses more pages than are really necessary talking about how to set up and configure Shorewall, but at least now the authors do provide some minimal information about the far more popular iptables firewall tool (a little over three pages). It would have been nice to see a more in-depth treatment of this subject, because sometimes setting up iptables correctly is one key to getting your VPN to work as you want it to, particularly if you need or want to do anything more complicated than a simple VPN tunnel. It’s a minor nit, to be sure, because there’s plenty of information on the web about how to set up and configure iptables, but I personally would have given that topic more than three pages.
Then I discovered they’d made one addition that I really wanted to see: A totally new chapter on OpenVPN GUI tools, and in particular, a section on Webmin’s OpenVPN plugin. My disappointment again was that this was not a more exhaustive treatment of the subject. Actually, it’s little more than a mention that the plugin exists, and a few screenshots. Granted that this was more than appeared in the original volume, and just informing readers of the existence of that plugin is no small thing, but when I did my series on Setting up an OpenVPN tunnel using a CentOS-based system as the server and a router flashed with Tomato firmware as the client, it took me two parts to explain how to configure the Webmin plugin. That same chapter also talks about some client GUIs for Linux, but doesn’t spend more than a page or two on any of them.
I’m not really faulting the authors here — it’s very apparent that they write about what they know, and they definitely know their stuff when it comes to OpenVPN, whereas they may not be quite as familiar with Webmin or iptables. That said, Windows users should find all the information they need to set up an OpenVPN tunnel and then some, and Linux newbies get enough information to at least point them in the right direction. As for Mac users, the coverage there is about the same as in the previous edition, which is to say that there’s about three pages on how to install Tunnelblick. However, much of the information in the book is not OS specific, and those with some experience with Linux or OS X should have no trouble at all following along.
On a positive note, there are many examples and screenshots in the book, and in this one the screenshots are actually readable (well, I did need my reading glasses for a few of them, but then I’m getting to the point where I need my reading glasses to read the cooking directions on a frozen dinner!). And, the authors’ writing style is clear and easy to understand. Also, there’s a totally new (albeit relatively short) chapter on Mobile Security, which may be of interest to some of the “road warriors” out there.
So, my recommendation is this: If you read Markus Feilner’s previous book on OpenVPN and liked it, you’re almost certainly going to want to read this one, just to get up to date. If you didn’t read the previous edition but just want to get up to speed on OpenVPN, this really is one of the better books on the subject, provided that you understand that at times you may have to supplement the book with a bit of additional research on the Web, particularly if you are running OS X or Linux as your operating system (but at least you’ll have a much better handle on topics for additional research).
The reason this is a mini-review and not a full review is that, due to personal/family issues, I haven’t had time to do much more than skim through the new book, rather than give it a complete read as I normally prefer to do. But since Packt Publishing kindly sent me the book over a month ago, I feel as though it’s a disservice to both them and to the readers of this blog to delay mentioning it any longer. Despite my comments about the paucity of additional pages on the particular topics I’d hoped to read more about, this is still a great book for those who need to set up and secure an OpenVPN tunnel, particularly if you’re just starting out and know next to nothing about VPNs and/or OpenVPN.
This is an edited version of a post that originally appeared on a blog called The Michigan Telephone Blog, which was written by a friend before he decided to stop blogging. It is reposted with his permission. Comments dated before the year 2013 were originally posted to his blog.
Have you ever been in a situation where you want to extend a local network (or maybe an Internet connection) from one building to another that’s separated by some distance, say anywhere from several feet to a few hundred feet? Many people use wireless in this situation, and that’s a perfectly acceptable solution if it works, but it also brings with it a host of security issues. Any signal that is put into the airwaves is one that can potentially be intercepted, particularly if you’re not really familiar with wireless security. I’m not saying you should or should not use wireless, but I do know that some folks aren’t crazy about the idea. Also, there are distance limits on wireless links that can mean that no usable signal will be available where you want it.
Unfortunately, the only alternative to a wireless link between buildings is a physical link (if you ignore more esoteric alternatives that depend on both buildings getting their electrical service from the same power transformer) and there you have two choices, copper or fiber. Assuming you are going to bury a line between the two buildings, how do you know which to use?
I know there are people who would never recommend copper under any circumstances. The reason is that during electrical storms, there can be a difference in electrical potential between two buildings. This can cause serious amounts of current to flow, especially if lightning strikes nearby, damaging equipment (and in an extreme case, possibly even starting a fire). Even in cases where the equipment at the endpoints doesn’t seem damaged, the connection can turn very flaky after a lightning strike, with very high packet loss.
The only situation where you might get away with running underground Cat5e (or Cat 6, if you can find it) is to a very nearby building, and then only if you put very good approved lightning protection at both ends of the cable. The further away the building, the more important that the lightning protectors become (and if the buildings get electrical power from different sources, such as different electrical transformers, then the lightning protection becomes even more essential), and of course good lightning protection costs money. And even then, if lightning hits very close, it can fry the lightning protectors, meaning the Internet connection will likely be out of service until you can obtain and install replacement protectors.
One other problem to note: You have probably heard that the theoretical maximum distance for a run of Cat5e/6 cable on a wired network is 100 meters. That may be true indoors, in a dry environment. It’s not always true when the cable runs underground and/or is partially exposed to outdoor climatic conditions. On a run that’s close to the theoretical maximum in length, you may find that a connection that works beautifully during the cold winter months suddenly starts showing high packet loss during the heat and humidity of summer.
The alternative to Cat 5e/6 cable is fiber optic cable. Fiber is a great alternative because it uses glass fibers rather than copper wire to carry the signals. Since glass doesn’t conduct electricity, the only way lightning could ever affect it is in a direct strike, where it heats the ground so hot that the glass melts (this actually occasionally happens in areas with sand dunes, where the lightning creates glass sculptures by melting the sand into glass, but it’s very unlikely to happen on regular flat land).
The trouble with trying to use fiber is that just about everyone with any networking experience knows how to use Cat 5e or Cat 6 — you just plug it in to your equipment at each end, or if it doesn’t have plugs then you either use a tool to attach them, or you bring the wire to a modular jack and use a punchdown tool to make the connections (some lightning protectors have punchdown terminals as well). You can cut the Cat 5e or 6 cable to the exact length you need. It’s something many people are familiar with, whereas fiber may as well have been pulled out of an alien spacecraft for all anyone (outside of those in the telecommunications industry) seems to know about it. If you go searching for pages on the Internet explaining how to install a fiber link between two buildings, good luck in finding anything useful!
Part of the probable reason there aren’t too many general how-tos on the subject is that there are so many variables — there are many types of fiber available, each of which is good for certain specific uses, with many different types of end connectors. And then you need equipment at each end to connect the fiber to the wired network, and you can’t just run down to the local office supply or big box electronics store to find that. But don’t despair, because I’m going to tell you one way to set up a short range fiber optic link. The caveat here is that I am by no means an expert on this — I’ve been involved in an installation ONCE, but I learned a lot in the process. Still, if you have questions that aren’t answered on this page, I’m probably not the guy to ask. But I figure that if you’re searching for online information on the subject, any information is better than none!
So let me start by telling you some things you need to know about fiber optic cable:
This fiber still worked! (Photo credit: Paul Timmins)
It comes in two varieties (that you are likely to encounter), singlemode and multimode. Singlemode fiber usually has a yellow jacket (plastic coating, like the insulation on a copper wire) whereas multimode cable generally has an orange jacket. For most short run applications (by that I mean distances measured in meters or feet, not kilometers or miles) you’ll use a paired multimode fiber (two fibers side by side, in a jacket that looks a bit like the type of electrical cord used with a table lamp, except the jacket is bright orange and it’s a lot smaller). If you’re a phone or cable company (or connecting to one) then you might have occasion to work with singlemode, but that’s not what we are talking about here. Singlemode is a lot more fragile than multimode – you can do this (photo at right) with multimode and it will probably still work (although anything remotely close to this tight of a bend is definitely NOT recommended – remember this is glass fiber that you’re bending, and if it breaks the cable becomes worthless!)
EDIT by TechNotes editor (March, 2021): Although the above paragraph was true when it was originally written, times change and now the orange jacketed cable, technically designated as OM, OM1, or OM2 cable, is basically obsolete. Nowadays you should probably be buying at least OM3 cable, or OM4 cable or OM5 cable if you can get it, which comes in different colors. More on that in a bit.
You can’t cut and splice fiber (unless you buy some really expen$ive supplies and equipment, and learn how to use them). You buy the length you need, with the connectors at each end already attached. If it’s too long, you coil up the excess (not TOO tightly) but you never cut it nor try to splice it, unless you have the specialized equipment that allows you to do so. If a cable is too short and you need to extend it, you can use a device called a fiber optic coupler (instead of “coupler” it may also be referred to as an “adapter” or “joiner”) which is a small plastic device that simply joins two fiber cables together so that the light from one travels into the other. These contain no electronics and therefore are very inexpensive, and can be used in just about any dry location, but there is a small amount of insertion loss that generally won’t matter unless you have an exceptionally long run of fiber or you use too many of them in one fiber run. There are both singlemode and multimode versions of these devices.
At each end, the fiber plugs into a device called a media converter. The media converter (or the SFP module that plugs into the converter — more on that in a moment) contains a laser, and a receiver. It transmits on one fiber of a pair, and receives on the other. The one thing you must never do, if you value your eyesight, is look into the laser while the unit is operating. That also means you can’t plug a fiber cable into the media converter, then look into the other end of the fiber to see if it’s working. If you think you might forget this important safety precaution, just try to remember that not looking into the laser is as important as not touching a live electrical line — and if that doesn’t scare you, take a course in reading Braille, because you’re probably going to need it.
It’s also possible to buy gigabit switches that can directly accept fiber. This eliminates the need for a separate media converter at one or both ends, but such switches tend to be a bit on the expensive side, although they also tend to offer more ports than most typical home switches (24 ports, for example). But there is sometimes a cost in terms of power consumption – for whatever reason, standalone media converters often tend to draw far less power than switches that have fiber ports.
Fiber is somewhat fragile, and it can break (and be rendered useless) if it is subjected to too much strain. You can’t just pull it over a very long length without taping it to something else (that you’ll also be pulling) at regular intervals to relieve the strain. You can buy special, relatively inexpensive network pull string for the purpose, or if you don’t have any of that you can use any high tensile strength string (not twine, it breaks too easily, and avoid stretchy string because that sort of defeats the purpose – you want the string to help pull the fiber, not the other way around). The fiber I’ve seen needs to be inside something to protect it (no direct burial) – you can use cheap irrigation pipe for the purpose, as long as it’s large enough for the connectors at the ends to pull through (don’t try to be thrifty and undersize the pipe, but at the same time realize that fiber with the small LC connectors has plenty of room inside a standard one inch irrigation pipe, assuming you’re not pulling several multiple fiber pairs or other wires and cables). Also, you should use pulling lubricant on long pulls to prevent damage to the fiber jacket.
EDIT by TechNotes editor (March, 2021): Once again, the above was true when originally written, but now you can buy cable that is designated as “Outdoor Armored Duplex Fiber Optic Cable” that is not nearly as fragile as the orange stuff.
When you buy the fiber, it will have connectors attached at each end (at least it had better have, if you want to actually use it — don’t buy bulk cable that doesn’t have the connectors attached!). These connectors usually have two-letter designations. Popular types are LC (the smallest you’re likely to encounter, which makes it very popular these days), SC, and ST. The media converter (or switch) has to be able to accept the type of connectors your cable has. If your media converter has an ST connector and the cable has LC connectors, you’re out of luck. Sometimes you can buy cable with different connectors on each end, so be careful that it matches your media converters. If you find that your cable has one type of connector and your media converter expects another, you may be able to use a fiber optic coupler/adapter and then a very short fiber cable (sometimes referred to as a patch cable) that has the two different types of connectors on the two cable ends. So for example, if your cable is a duplex multimode type that has LC connectors but your media converter accepts ST connectors, you would need a LC-LC duplex multimode fiber optic cable adapter/coupler and then a LC to ST duplex multimode fiber patch cable. You just need to make sure that the patch cable has the same specifications as the cable you are trying to join it to.
A gigabit interface converter (GBIC) is a standard for transceivers, commonly used with Gigabit Ethernet and fibre channel. By offering a standard, hot swappable electrical interface, one gigabit ethernet port can support a wide range of physical media, from copper to long-wave single-mode optical fiber, at lengths of hundreds of kilometers.
The appeal of the GBIC standard in networking equipment, as opposed to fixed physical interface configurations, is its flexibility. Where multiple different optical technologies are in use, an administrator can purchase GBICs as needed, not in advance, and they can be the specific type needed for each link. This lowers the cost of the base system and gives the administrator far more flexibility. On the other hand if it is known that a switch will mostly have one port type (especially if that port type is copper) purchasing a switch with that port type built in will probably be cheaper and take up less space per port.
The GBIC standard is non-proprietary and is defined by the SFF Committee in document # SFF-8053i.
A variation of the GBIC called the mini-GBIC or SFP exists as well. It has the same functionality / modularity but in a smaller form factor.
SFP transceivers are designed to support SONET, Gigabit Ethernet, Fibre Channel, and other communications standards. The standard is expanding to SFP+, which will be able to support data rates up to 10.0 Gbit/s (that will include the data rates for 8 gigabit Fibre Channel and 10GbE). SFP+ module versions for optics as well as copper are being introduced. In comparison to Xenpak, X2 or XFP type of modules, SFP+ modules leave some of the circuitry to be implemented on the host board instead of inside the module.[1]
Okay, in case you weren’t following along, a mini-GBIC, also known as a SFP, is a module that plugs into a media converter or a compatible switch. What this means to you is that you can buy a media converter, then plug in the SFP that matches the type of fiber and connectors that you have. So let’s say you have fiber with LC connectors – you get a SFP with LC connectors to match. Now suppose that at some point you need to replace that fiber with some that has ST connectors – you don’t have to throw out the entire media converter or switch, but instead you just get a new SFP. Not all media converters accept SFP’s, but many of the newer ones do. Also, not every manufacturer’s SFP will work with every media converter – if you buy an SFP you have to make sure it’s compatible with the media converter (or switch) that you own. It has become increasingly common to find fiber media converters sold with a compatible SFP as a bundle.
If you go the SFP route, you have to make sure of three things: That the connectors match the connectors on your fiber cable, that it’s intended for use with multimode rather than single-mode fiber, and that it’s for intermediate or short reach use (IR or SR — you may also find the designation SX or 1000Base-SX used to indicate a short to intermediate range SFP). In particular, you don’t want one with long reach optics because unless you use fiber attenuators you’ll overload and probably burn out the receiver at the other end (also, there’s a much greater chance of eye damage if you accidentally glance at the laser). To give you an idea of the difference, the short range optics are generally specified for runs up to a few hundred meters in length, while long range optics have distances specified in kilometers (sometimes as much as 80 km or more!).
So let’s say that you want to run a fiber optic cable between two buildings that are a reasonably short distance apart — what do you need?
The first thing you need is a pipe or conduit of some kind between the two buildings. Irrigation pipe (the stuff you find at any home improvement store, or anyplace that sells underground lawn sprinkling supplies) is fine – remember you aren’t running anything electrical if all you are running is a fiber cable! The main thing is that the pipe or conduit that you use should be relatively smooth inside to minimize pulling resistance. Try to keep bends in the pipe to an absolute minimum. And yes, the pipe could be above ground as long as it’s sunlight resistant and not in a place subject to physical damage (but be aware that black pipe could get VERY hot in direct sunlight, so keep it out of the sun if at all possible). The purpose of the pipe or conduit is to protect the fiber. The pipe must be large enough for the connector (at the fiber cable’s end) to fit inside, with space to spare. If you have to splice sections of pipe together, the connectors may have a smaller inner diameter, so plan accordingly – you don’t want to get halfway through a pull and realize that the diameter at the splice point is too small to continue!
This article isn’t about burying pipe, but I will just suggest that you think about routing it far away from anyplace that people might be digging in the future, if at all possible — and if that’s not possible, then consider burying it as deep as possible, to minimize risk of backhoe failure (or on a farm, of getting plowed up!).
You need network pull string and electrical tape. The string must be longer than the fiber cable – if it’s twice as long then you could pull just the string through the pipe to use for pulling (a good shop vac and a small wad of paper tied to the end of the string is often enough to get the string started through the pipe), and still have enough left on the far end to tape the fiber cable to the string for the entire length. Do that every few feet, making sure that there’s a little slack in the fiber (not too much) when the string is pulled tight. Be sure to tape the leading end of the fiber connector (with the protective cap on) firmly to the string so it can’t try to flip over or do something equally undesirable during the pull. Note that if you are also pulling any kind of wire through the pipe on the same pull, you could tape the fiber to the wire rather than a string, assuming the wire is strong enough to not stretch during the pull.
EDIT by TechNotes editor (March, 2021): For short runs of cable that is designated as “Outdoor Armored Duplex Fiber Optic Cable” you may not need the pull string and tape, since that cable is less fragile than the orange fiber cable referenced in this article. But for longer runs, or if your pipe or conduit is undersized, I’d still consider using the pull string and tape, to avoid putting too much tension on the cable.
You need pulling lubricant — any electrical supply store sells this stuff. But note that this stuff can dissolve the adhesive on electrical tape (we found this out the hard way), so when you tape the cable to the string, try not to leave the adhesive side exposed. The trouble is that to really do it right you should use plenty of pulling lubricant, yet at the same time if you do, if you taped carelessly then you may have issues with the tape not holding as it should. That’s not a reason to apply less lubricant, but rather a reason to use a little extra tape and to make your tape wraps nice and tight, so the lube can’t get between the layers of tape (especially at the very start of the pull).
We used some blue gel stuff called Ideal Aqua-Gel II and used a paintbrush to apply it liberally to the fiber cable, after first using a funnel to dump some down the pipe. You can get a gallon pail of this stuff for between $15 and $20 at most electrical supply stores (the places the electricians shop), though you might wind up with another brand. We found that a gallon was really excessive, we could have easily got by with a quart of the stuff (on a 100-meter pull). On the other hand, it was much easier to dip a paint brush into the gallon pail, then slop it onto the fiber cable and down the pipe. You really don’t want to be stingy with it, since friction in the pipe can damage the fiber jacket.
EDIT by TechNotes editor (March, 2021): If you are using cable that is designated as “Outdoor Armored Duplex Fiber Optic Cable” and the run is short, you may not actually need the pulling lubricant, but it is always a good idea to reduce friction.
You need the fiber cable itself. The type of multimode fiber cable that we are talking about here comes on a ridiculously small spool (and to me, it always looks larger in photos than it really is, which for years led me to think that it wouldn’t fit through the existing pipe that was used in this situation) — this is what 100 meters of dual fiber looked like before the bubble wrap was removed:
Fiber cable with LC connectors
The fiber we used was described as “Advanced Interconnect 100 Meter LC-LC Duplex MultiMode Fiber Optic Cable. This Advanced Interconnect cable part number 038-001-964 REV A. Cable is 50/125 OFNP Micron Fiber.” It was obtained from eBay seller isellcables. If you are wondering what a dual LC connector looks like, there is a good photo here. Note that the connector comes with a protective cap, which should be left in place during the pulling process.
EDIT by TechNotes editor (March, 2021): As mentioned earlier, this orange jacketed fiber cable is now considered old technology. What you probably want to use is cable designated as “Outdoor Armored Duplex Fiber Optic Cable” and OM3 or better. Strictly as an example (this is not a recommendation), in 2021 Amazon sells a product called Jeirdus 100Meters 328ft LC to LC 10G OM3 Outdoor Armored Duplex Fiber Optic Cable Jumper Optical Patch Cord Multimode 50/125 100M LC-LC for $128, with other lengths from 5 meters to 300 meters available. Something like that would definitely be preferable to the unprotected orange jacketed cable for outdoor runs, although I would note that because the cable is armored that means it could conduct electricity, even though the fiber connections at each end would still be electrically isolated. For additional electrical isolation you could add a length of unarmored cable at each end, using an LC-LC duplex multimode fiber optic cable adapter/coupler to join the cables together, but you would need to make sure the fiber optic cables you are joining have the same specifications (in particular, don’t connect singlemode to multimode cable).
You need a couple of fiber media converters, one for each end, and if they use SFP modules you’ll need a couple of those as well. They look like this:
Fiber media converter
Notice (if you can actually see it in these photos) that the fiber cable is plugged into the SFP module, which in turn is plugged into the media converter — here’s an enlarged and enhanced closeup, where you can just see the end of the SFP (the small chrome part) sticking out of the media converter:
Fiber connects to SFP module, inserted into media converter
This media converter was described on eBay as “Gigabit Fiber media converter multimode MM, 1000Base SX” and “The FIB1-1000ES MM is a Gigabit Ethernet copper to multimode 850nm LC connector fiber media converter. It has an SFP (Small Form Pluggable) slot occupied by an MM 850nm multimode module, Ethernet 1000Base-SX compatible. The Copper interface is an auto negotiating 10/100/1000 BaseT RJ45 interface with auto MDI/MDI-X detection. …” I would point out that it’s important that it actually says 10/100/1000 BaseT if your network runs at anything less than 1000BaseT speeds, because not all media converters will handle multiple speeds or speed conversions. As Paul Timmins told me, “it’s VERY possible for something to ONLY support Gigabit. When you get down to media converter territory, the reason they get cheaper is they have less guts to convert stuff between 1000T and 100T (you need buffers, ability to send gigabit pause frames when your buffers are full, etc).”
EDIT by TechNotes editor (March, 2021): As time has passed newer equipment has become available that can handle speeds up to 10 Gigabits. That may be serious overkill for most home users, but if you are doing heavy video editing or anything else that produces very large files, you may want to look into the higher speed equipment.
As it happened, this eBay sale included a LC SFP with each converter, so those didn’t have to be purchased separately. The seller on these was sales_fo4all. If you search on Amazon or eBay using a phrase such as Fiber Media Converter LC Multi-Mode you should be able to find something similar, possibly at a better price than what we paid.
Below is an individual SFP in its packaging – you can’t see the model number but it’s SFM-7000-S85, which is described as a “1000Base-SX, multi-mode, 550m, 850nm SFP transceiver” and additionally, that “The capacity of SFM-7000-S85 module is 1.25Gbps (Gigabit rate). The transceiver extended range allows operation on either 50/125um or 62.5/125um multi-mode fiber for up to 550m distance. (Note: for 62.5/125um fiber, maximum operating distance is only 275m).” Since our cable was the 50/125 stuff, we could have gone a much greater distance (about 1800 feet) if necessary, and if we’d had a cable that long! In the picture below, the black part on the left is a small protective cap that is removed before you plug in the fiber cable.
SFP module
A better picture of a SFP module can be found here. If you are observant, you may note that both the fiber converter and the SFP module shown above are made by the same company (CTC Union Technologies in this case). You may wonder, as I did, if you can use one manufacturer’s SFP with a different manufacturer’s media converter or SFP-compatible switch. According to Paul Timmins, “they’re theoretically universal but there’s absolutely nothing preventing them from vendor lockin (they’re active devices with internal serial numbers, etc, that help negotiate the capabilities of the optics with the device itself, and many vendors will refuse to work with another vendor’s GBIC/SFP).” I’m also told that a certain big name networking equipment manufacturer takes measures to prevent you from using competitors’ SFPs (which can often be overridden with undocumented commands). So if at all possible, when buying new equipment try to buy the media converter and SFP module as a matched set, or failing that, make sure that both the media converter and the SFP module come from the same manufacturer (unless there is some guarantee of compatibility, or the cost difference is great enough that you are willing to take the gamble that it will work). Then all you have to worry about is whether the SFP has the correct connectors to match your cable, and whether it’s the correct power level for the range you are using (again, don’t get anything that’s rated for use with cables of multiple kilometers in length, unless your cable really is that long!).
After you pull the fiber cable, connecting everything up is fairly straightforward. The SFP plugs into the media converter or switch, and the fiber cable plugs into the SFP. You then simply connect the media converters to your existing network at both ends using a Cat 5e or Cat 6 patch cable. Then apply the power to the media converters at both ends (if you don’t apply the power until everything is plugged in, you can’t accidentally look into the laser!).
If you happen to get the type of media converters shown above, you may notice that there are dip switches on the unit. These are for manually setting the port speed, and full or half duplex mode. We left these in the factory default position (all up, which is indicated as “UDP/NWAY” mode) and it works fine. Another thing you might wonder is whether you can connect a computer directly to the media converter at the distant end of the connection, and of course the answer is yes, though many people will prefer to connect a switch so that multiple devices can be used. And remember, you do have the option to buy a switch that accepts one or more SFP modules directly, which may mean you won’t need the standalone media converter at that end — but before you do, check the power requirements. As mentioned above, I found that such switches tended to be a bit power-hungry compared to the standalone media converters shown above.
What about the cost?
The upfront cost of running fiber is more expensive than using Cat 5e or Cat 6 underground, although if you add in the cost of good lightning protection at both ends (or replacing equipment that gets fried by lightning if you don’t use great lightning protection) then the cost difference is less significant. Today you can get 100 meters of fiber optic cable on eBay for about $80, including USPS Priority Mail shipping. The media converters and SFPs are still the expensive items — as I write this, they are going for $127 per set (media converter and SFP) on eBay, plus shipping. Add in the price of incidentals (pipe or conduit, pulling lubricant, network pull string) and you can expect to pay around $400 or perhaps a bit more for a 100-meter run (less if you can re-use existing pipe or conduit, more if you have to pay someone to dig a trench or otherwise run the cable through a difficult place). Of course you would have these same costs when running Cat 5e or Cat 6 underground, except for the media converters, so as a rough rule of thumb the price difference is the added price of the media converters and SFPs, minus the cost of the excellent lightning protection that you won’t need because fiber optic cable doesn’t conduct electricity.
EDIT by TechNotes editor (July, 2020 and March, 2021): It has taken years for prices to drop on these units but it appears the shift toward lower prices has finally begun. Amazon now sells some fiber media converters and SFPs at significantly lower prices; for example, you can get a Gigabit Ethernet Multi-Mode LC Fiber Media Converter (SFP SX Transceiver Included), up to 550M, 10/100/1000Base-Tx to 1000Base-SX from Amazon for under $40 at the time of this edit. We have not tested this item, but think it would work in the same way as the media converter and SFP shown above. Be sure to read the reviews before buying any item, since you probably don’t want to buy units that have a tendency to fail after a few weeks or months of use. You can also now buy fiber media converters and SFPs rated at 10 Gigabits, though as you may expect the prices for those will be higher. And also, switches that directly accept SFPs (eliminating the need for a separate standalone Fiber Media Converter) are now starting to become more common.
And it finally looks like the price of fiber optic cable has started to fall just a bit as well, a 100 Meter Multimode Duplex Fiber Optic Cable (50/125) – LC to LC – Orange purchased from Amazon will run you just a bit under $65, and you may even be able to find better deals than that on eBay or from some other source. But as noted above, you would probably be much better off to use cable that is designated as “Outdoor Armored Duplex Fiber Optic Cable” which although a bit more expensive, should be far more resistant to damage, and will probably last longer. And even if you don’t go the armored cable route, you would do well to consider avoiding the older technology orange cable shown in this article, in favor of cable designated as OM3 or OM4, or better if available. (End of edit.)
I figure that in practice, the fiber install will cost anywhere from about the same amount to an extra $150 compared to an equivalent Cat 5e/Cat 6 install (again, we’re talking a 100-meter run here), but it will be worth it the next time you have an intense electrical storm nearby and realize that you’re probably not going to lose a lightning protector, computer, or router because of a surge coming in over the network cable. It will also be worth it if the run is long enough that every hot and humid day results in a degraded connection when using Cat 5e or Cat 6 underground.
I do expect that the use of fiber will become more common in the future, since we will want ever-faster connections and there is a theoretical maximum on connection speed using copper. At some point, I expect the prices of fiber equipment to fall (the day they start selling it in the big office supply chain stores is the day you will see the price drop to more reasonable levels). But for now, the prices aren’t that unreasonable (especially compared to a few years ago). By the way, if you want to be the next millionaire, design a system that allows people to reliably attach their own connectors to bulk fiber cable, and that sells for under $100. It’s ridiculous that anyone should have to pay four-figure sums just to be able to attach ends to fiber cable.
One other thing I think would help with fiber acceptance is to make an ultra-strong fiber cable that’s designed for difficult pulls – something with enough integral strength that you could pull the cable itself and not have to worry about breaking the glass fibers, and with a thick enough and tough enough jacket to withstand pulls over rough or uneven surfaces. Basically, fiber cable that could take a lot of abuse without breaking (not that the stuff we used is all that fragile, but still, it would be nice to not have to worry that it can be easily damaged, especially when you’re paying around sixty to seventy bucks for a 100-meter roll).
Thanks and acknowledgements
I want to thank Paul Timmins (the creator of the very useful TelcoData.us Telecommunications Database) for his help and patience in helping me understand all this stuff. This article could not have been written without his assistance. Also I want to thank my oldest son, who probably doesn’t want me to mention him by name, for his help and for letting me photograph some of the components in a recent installation.
My purpose in writing this article was to try and help de-mystify some aspects of using fiber optic cable in place of Cat 5e/6 for runs between nearby buildings. Again, I am NOT an expert in this, and I may have left some questions unanswered. If you have questions or need clarification on some point, or if you see where I’ve made a glaring error, feel free to leave a comment. If I don’t respond, it probably means that I don’t know the answer, but maybe someone else with more expertise than I will chime in and help.
The link to Amazon.com in this article is an affiliate link, and if you make a purchase through that link I will receive a small commission on the sale.
If you have set up an OpenVPN server on your system and are using it regularly, eventually you are going to want to trim the log file. Webmin actually makes that easy. Simply click on System, then Log File Rotation. You should see a bunch of existing log file rotation rules. Up near the top of the page there’s a line that reads:
Select all. | Invert selection. | Add a new log file to rotate.
Click on Add a new log file to rotate. You should get a page that looks like this:
Webmin Log File Rotation - Add New File page
The main thing here is to get the correct log file path into the topmost text area. The path will be something like:
/etc/openvpn/servers/servername/logs/openvpn.log
I generally keep all the default settings except for these two:
Rotate even if log file is empty? (I set to No)
Ignore log file if missing? (I set to Yes)
But you can do as you wish. The important thing is to make sure that the log isn’t simply allowed to grow forever. Set it up as you like, click Create, and you’re through.
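For readers who want to see what the Webmin page actually produces, here is an added example (my own, not from the original post or from Webmin) that writes the equivalent logrotate stanza by hand, with the two settings changed above, and lets logrotate itself dry-run it. The log path, the weekly schedule and the four kept copies are assumptions; adjust them to your server.

```shell
# Added example, not from the original post: the logrotate stanza that the
# Webmin "Log File Rotation" page ends up writing under /etc/logrotate.d for
# the OpenVPN log, with the two settings changed above, plus a dry run.
# The log path and the weekly/4-copies schedule are assumptions.

# openvpn_logrotate_stanza LOGFILE
#   notifempty = "Rotate even if log file is empty?" set to No
#   missingok  = "Ignore log file if missing?" set to Yes
#   copytruncate keeps OpenVPN writing to the file handle it already has open,
#   instead of the renamed file, without having to signal the daemon.
openvpn_logrotate_stanza() {
    local log="$1"
    printf '%s {\n' "$log"
    printf '    weekly\n'
    printf '    rotate 4\n'
    printf '    compress\n'
    printf '    delaycompress\n'
    printf '    notifempty\n'
    printf '    missingok\n'
    printf '    copytruncate\n'
    printf '}\n'
}

# install_openvpn_logrotate LOGFILE CONFFILE
# Write the stanza to CONFFILE (e.g. /etc/logrotate.d/openvpn on the server,
# or a scratch file when just testing). Returns 0 on success.
install_openvpn_logrotate() {
    openvpn_logrotate_stanza "$1" > "$2"
}

# logrotate_dry_run CONFFILE
# Ask logrotate itself to parse the stanza and say what it would do (-d makes
# no changes); -s keeps the state file in scratch space so this runs unprivileged.
logrotate_dry_run() {
    command -v logrotate >/dev/null 2>&1 || { echo "logrotate not installed" >&2; return 2; }
    logrotate -d -s "${TMPDIR:-/tmp}/openvpn-logrotate.state" "$1"
}
```

Usage on the server would be `install_openvpn_logrotate /etc/openvpn/servers/servername/logs/openvpn.log /etc/logrotate.d/openvpn` followed by `logrotate_dry_run /etc/logrotate.d/openvpn`; the dry run is the check worth doing before trusting the rule, because a stanza with a typo is silently skipped and the log keeps growing.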
And now a note for FreePBX and Asterisk users. When setting up an extension, if you use the permit and deny fields to enhance security, the correct way to fill these out may not be intuitive. For example, if you do sip show peers from the CLI, an extension at the client end of the tunnel may show up with an address in the range of addresses assigned by the client router (such as 192.168.5.x) and yet when you fill out the permit field, using that address may not work. Asterisk’s log file will generally tell you the address it wants to see, and in our case that was 10.8.0.10! No, I don’t know why, but just wanted to give you a “heads up” on that one.
Deny and Permit fields from FreePBX extension page
I had mentioned in Part 3 some of the things that needed to be done if, from machines on the server side of the VPN tunnel, you wanted to be able to access machines at the client network (where the router with the Tomato firmware is located) that are on the WAN port side of the router. Bear in mind that anything connected to one of the LAN ports on the router is considered to be part of your VPN, but sometimes you might wish to access a machine or device (such as an “upstream” router) on the WAN side of the router with the Tomato firmware. To do this, you need to add the route to the WAN side network in the server configuration (in the “up” and “down-pre” script sections at the bottom of the Webmin server’s configuration page, using an additional “route add” and an additional “route delete” statement), and then on the client configuration page you must add an additional iroute statement – all of those take the same format as the lines you added to access the network on the LAN side of your client. At that point, you can access machines on the WAN port side of the Tomato router, but it’s not reciprocal – they can’t access machines on the server side.
Now, I need to make an important distinction here – I’m talking about machines connected to the WAN side of the Tomato-firmware router. Anything connected to one of that router’s LAN ports should already have full access to your network (on the server side). But the thing to remember is that ANY traffic sent out by a client connected to the LAN side will go through the tunnel. In some cases that may not be the desired behavior – you might have a few devices that should use the local Internet connection for all outgoing traffic (that is, as a rule they DON’T send their traffic through the tunnel), BUT you’d like to make an exception so that they can access only the local network on the server side of the tunnel, so that “local” traffic CAN be routed through the tunnel. So, you’d have such devices on the WAN port side of the Tomato-firmware router (that is, connected to the same “upstream” router or switch as the Tomato-firmware router) so they don’t use your tunnel for the bulk of their traffic.
So the question then becomes, is it possible to allow those devices to use your tunnel ONLY for traffic to the local network on the server side of your tunnel? Well, it is, but it’s a bit tricky to set up. Note that you MUST first have it working in the opposite direction (that is, at a machine connected to the server side of the network, you can reach machines on the WAN port side of your Tomato-firmware router – that’s what I was talking about a couple of paragraphs up). If you can’t do that, you’re not going to get it working in the opposite direction. If you CAN do that, then here are the additional steps:
In the Tomato-firmware router, click on “Advanced” (in the left-hand menu), then “Firewall”, then check the box next to “Respond to ICMP ping.” You should now be able to ping the Tomato-firmware router from another device on the WAN side of the network (which may be important for testing and troubleshooting).
Next, click on “Administration”, then “Scripts”, then click the “Firewall” tab. You should see a big text entry box with (probably) nothing in it. Enter lines similar to the following:
In this example, addresses on the WAN port side of the Tomato-firmware router are in the 192.168.10.x range, while addresses on the server-side LAN are in the 192.168.0.x range. If either is different on your system, be sure to change all three instances of the appropriate base address.
Then click the Save button at the bottom of the page. After that it should look like this:
Administration | Scripts page | Firewall tab
Reboot the router (or you can ssh in and manually enter each of the lines from a command prompt, if you want to avoid the reboot). Now any traffic for the server-side LAN that reaches the Tomato-firmware router will get passed through the tunnel, but you still need to instruct the individual machines or devices to route that traffic correctly (which may be easier said than done for some machines). I don’t know how you do it from a Windows box, but I can tell you how it’s done on a temporary basis (that is, it survives until the next reboot) on a Linux-based or Mac OS X based machine. For the sake of these examples, assume the Tomato router is at (and can be pinged at) 192.168.10.50:
From a Linux box: sudo route add -net 192.168.0.0 netmask 255.255.255.0 gw 192.168.10.50 eth0
(eth0 is the name of the interface used to connect to your local network)
From a Mac OS X box:
At a terminal prompt enter: sudo route add -net 192.168.0.0 -netmask 255.255.255.0 192.168.10.50
Then, if there are shares on server side of the network that you want to connect to, and you know the host machine’s IP address, open a Finder window, click on “Go” in the top menu bar, and enter this as the destination (substituting the correct IP address for the target machine): smb://192.168.0.xx:139
Note that in at least some cases, the connect attempt will fail if you don’t explicitly specify the port (:139) – this is apparently some kind of bug in recent versions of OS X.
If anyone knows how this is done on a Windows box, or how to make these route statements persist after a reboot (remember, they must be run by the root user or a user with root-level privileges, which is why the sudo statement is used — and you can’t put sudo in a script because it prompts for a password), please leave a comment and share your knowledge!
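As an added example (mine, not the original author’s), here is one way to make the route for the server-side LAN survive a reboot: wrap the route command in a small script that runs as root during boot (for example from /etc/rc.local on a Linux box), so no interactive sudo prompt is involved. The 192.168.0.0/24 and 192.168.10.50 addresses follow the text above; the eth0 interface name and the use of rc.local are assumptions.

```shell
# Added example, not from the original post: install the split route described
# above (server-side LAN reachable through the Tomato router, everything else
# via the local Internet) in a form that can be run at boot as root and re-run
# safely. Addresses, the eth0 name and the rc.local location are assumptions.

# prefix_from_netmask DOTTED-MASK: 255.255.255.0 -> 24.
# Fails on malformed or non-contiguous masks such as 255.0.255.0.
prefix_from_netmask() {
    local bits=0 ended=0 count=0 octet oldifs
    oldifs=$IFS
    IFS=.
    for octet in $1; do
        count=$((count + 1))
        if [ "$ended" -eq 1 ] && [ "$octet" != 0 ]; then IFS=$oldifs; return 1; fi
        case $octet in
            255) bits=$((bits + 8)) ;;
            254) bits=$((bits + 7)); ended=1 ;;
            252) bits=$((bits + 6)); ended=1 ;;
            248) bits=$((bits + 5)); ended=1 ;;
            240) bits=$((bits + 4)); ended=1 ;;
            224) bits=$((bits + 3)); ended=1 ;;
            192) bits=$((bits + 2)); ended=1 ;;
            128) bits=$((bits + 1)); ended=1 ;;
            0)   ended=1 ;;
            *)   IFS=$oldifs; return 1 ;;
        esac
    done
    IFS=$oldifs
    [ "$count" -eq 4 ] || return 1
    echo "$bits"
}

# route_add_cmd OS NETWORK NETMASK GATEWAY [IFACE]
# Print the command that installs the route. On Linux "ip route replace" is
# used instead of "route add" so re-running it does not fail with "File exists";
# on macOS the syntax is the one shown in the text above.
route_add_cmd() {
    local os="$1" net="$2" mask="$3" gw="$4" iface="${5:-}" plen
    case "$os" in
        linux)
            plen=$(prefix_from_netmask "$mask") || return 1
            if [ -n "$iface" ]; then
                echo "ip route replace $net/$plen via $gw dev $iface"
            else
                echo "ip route replace $net/$plen via $gw"
            fi
            ;;
        darwin)
            echo "route add -net $net -netmask $mask $gw"
            ;;
        *) return 1 ;;
    esac
}

# ensure_lan_route NETWORK NETMASK GATEWAY [IFACE]
# Meant to be called from a boot script that already runs as root; when run as
# an ordinary user it only prints the command (dry run) and changes nothing.
ensure_lan_route() {
    local cmd
    cmd=$(route_add_cmd "$(uname -s | tr 'A-Z' 'a-z')" "$@") || return 1
    if [ "$(id -u)" -eq 0 ]; then
        $cmd
    else
        echo "dry-run (not root): $cmd"
    fi
}
```

On a Linux client you would put `ensure_lan_route 192.168.0.0 255.255.255.0 192.168.10.50 eth0` (with the functions above) into a script started from /etc/rc.local, which runs as root at boot; on macOS the equivalent is a launchd job, which I have not tried. Because the route only covers 192.168.0.0/24, ordinary Internet traffic from that machine still leaves through the local connection, which is the whole point of keeping these devices on the WAN side of the Tomato router.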
If you have followed this series thus far, I should point out that these articles are not static – if I find a mistake, or a better way to do things, they may get changed. On the other hand, since this particular router probably won’t be in my possession much longer, it may be something that I don’t do much more work on.
One thing I had said I would do in this last article is to give you a list of links that I found useful, or at least interesting, while working on this project. I didn’t actually utilize the information in all of these, and some are even a bit off-topic for the subject at hand, but this is just a small fraction of the pages I went through while trying to get this to work:
thor2002ro’s SDHC | SNMP | VPN | USB Mod (includes features from both of the above versions plus some additional features, but note that latest versions won’t run on routers with insufficient memory).
Optware installation instructions (supposed to also work with Tomato firmware, potentially allows use of numerous software packages originally written or converted for Linksys NSLU2)
“A set of disk utilities that will execute on a Tomato router. With these utilities you can now create ext2 partitions on a USB drive on the router itself, so you don’t have to use a Linux desktop machine to do it anymore.”
And there’s probably plenty of other great links that I’ve missed.
Finally, one more word about the TAP/TUN issue. I would sort of have liked to get this working in TAP mode. However when I tried to set it up, OpenVPN (on the server) complained about a missing brctl file. Well, it turned out that the way to get that file was to do yum install bridge-utils – sounds easy, right? I assure you, absolutely nothing about this project was easy, at least not for me.
The problem was that after I had installed the software and switched both sides from TUN to TAP, and then restarted the OpenVPN server, it brought down the entire local network! I mean to tell you, I couldn’t connect to any web pages or do anything else until I physically killed the power to the server box! When I brought it back up and disabled OpenVPN, everything connected to the LAN worked fine again. When I uninstalled bridge-utils and went back to using TUN, the tunnel started working again. I had been up all night, it was coming up on 7:00 AM, and I was just so doggone frustrated by that point that I never even tried to get TAP working again. Besides, I just don’t like doing things that can bring down the entire network. I suspect it was doing some kind of packet flood thing, sort of a denial-of-service attack on my local network – pardon me if I’m not thrilled about the prospect of trying that again!
After some additional online research, I suspect that part of the problem is that after installing bridge-utils, you need to create and/or modify certain files, such as /etc/sysconfig/network-scripts/ifcfg-br0, /etc/sysconfig/network-scripts/ifcfg-eth0, and possibly /etc/sysconfig/network-scripts/ifcfg-eth1 (though I’m not at all sure about that last one). For example, one site I went to (which, for some reason, I could only read by using Google’s cached copy, which is why I’m not giving a link) said, “Configure this server’s network configuration to use a bridge as its primary interface. You do this by bridging the physical ethX and virtual tapX interfaces into one logical br0 interface. The br0 interface will be assigned an IP address, and not the physical or virtual interfaces.” That site also suggests that those files should read as follows (note that I do not recommend following this advice verbatim, see my comments below):
/etc/sysconfig/network-scripts/ifcfg-br0:
DEVICE=br0
TYPE=Bridge
IPADDR=192.168.0.50   # local IP of the server
NETMASK=255.255.255.0
ONBOOT=yes
Please note the above is totally untested at this point, and I’m afraid that the advice to modify the existing files (particularly /etc/sysconfig/network-scripts/ifcfg-eth0) may (or may not) be ill-advised. What concerns me is that the /etc/sysconfig/network-scripts/ifcfg-eth0 file seems to contain a lot of essential information that is in effect being thrown out – for example, on our system, it reads as follows:
I’m just not sure what is the proper thing to do here — maybe just add the BRIDGE=br0 line to the existing file? But, if you do decide to try a full replacement of any file, be sure to copy the existing file to a safe location so that if things go badly you can recover your original file!
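Here is an added example (my own, not from the post or from the site it quotes) that does the safe version of the above: it backs up the existing ifcfg files before writing anything, puts the address on br0, and rewrites ifcfg-eth0 so that it only says BRIDGE=br0 while keeping the HWADDR line from the old file. That BRIDGE=br0 / TYPE=Bridge split is the usual network-scripts layout on CentOS-style systems, which is an assumption about your distribution; the IP address, gateway and eth0 name are assumptions too.

```shell
# Added example (not from the post or the site it quotes): write the two
# ifcfg files for a TAP bridge on a CentOS-style system, backing up whatever is
# there first, and keep the HWADDR line from the existing ifcfg-eth0 so the NIC
# binding is not lost. IP, gateway and interface name are assumptions; so is
# the BRIDGE=br0 / TYPE=Bridge layout, which depends on your distribution.

# write_bridge_ifcfg DIR IP NETMASK GATEWAY [PHYS]
#   DIR is the directory holding the ifcfg files: /etc/sysconfig/network-scripts
#   on the real server, or a temp dir for a dry run.
write_bridge_ifcfg() {
    local dir="$1" ip="$2" mask="$3" gw="$4" phys="${5:-eth0}" stamp hw f
    stamp=$(date +%Y%m%d%H%M%S)
    hw=""
    # Back up both files before touching them (the post's own advice).
    for f in ifcfg-br0 "ifcfg-$phys"; do
        if [ -f "$dir/$f" ]; then
            cp -p "$dir/$f" "$dir/$f.bak-$stamp" || return 1
        fi
    done
    # Carry the hardware address over from the old physical-interface file.
    if [ -f "$dir/ifcfg-$phys" ]; then
        hw=$(grep '^HWADDR=' "$dir/ifcfg-$phys" || true)
    fi
    # The bridge owns the IP address ...
    {
        echo "DEVICE=br0"
        echo "TYPE=Bridge"
        echo "BOOTPROTO=static"
        echo "IPADDR=$ip"
        echo "NETMASK=$mask"
        echo "GATEWAY=$gw"
        echo "ONBOOT=yes"
        echo "DELAY=0"
    } > "$dir/ifcfg-br0" || return 1
    # ... and the physical NIC carries no address; it is only a bridge member.
    {
        echo "DEVICE=$phys"
        if [ -n "$hw" ]; then echo "$hw"; fi
        echo "BRIDGE=br0"
        echo "ONBOOT=yes"
    } > "$dir/ifcfg-$phys" || return 1
}

# bridge_ifcfg_ok DIR [PHYS]
# Sanity check before restarting networking: the bridge has TYPE=Bridge and an
# address, the NIC points at br0 and has no IPADDR of its own (an address left
# on both is the classic way to knock a box off the network).
bridge_ifcfg_ok() {
    local dir="$1" phys="${2:-eth0}"
    grep -q '^TYPE=Bridge$' "$dir/ifcfg-br0" || return 1
    grep -q '^IPADDR=' "$dir/ifcfg-br0" || return 1
    grep -q '^BRIDGE=br0$' "$dir/ifcfg-$phys" || return 1
    if grep -q '^IPADDR=' "$dir/ifcfg-$phys"; then return 1; fi
    return 0
}
```

Run it against a scratch copy of the directory first (`cp -a /etc/sysconfig/network-scripts /tmp/ns && write_bridge_ifcfg /tmp/ns 192.168.0.50 255.255.255.0 192.168.0.1 && bridge_ifcfg_ok /tmp/ns`) and diff the results against the originals before doing it for real. On a system where NetworkManager manages the interfaces, both files may also need NM_CONTROLLED=no, which this example deliberately leaves out.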
Some of the comments I have read suggest that TAP mode is not as efficient in transferring data, and/or not as secure (unless you add even more configuration options), so I’m thinking maybe we should leave well enough alone. But, if you have a truly burning desire to get it going, I suggest using the following Google search string for additional information – it may be strange, but it actually produced the most relevant results of all the searches I’ve tried over the last few days:
Hopefully this page won’t show up as the first result! 🙂
If you have any ideas about what went wrong, or in particular, if you manage to get this working in TAP mode, I’d be most interested to hear about it (and how you did it, if you got it working) – the comments are open.
EDIT (November 30, 2011): While I’m not really wanting to reopen this project at this late date (this still remains about the hardest thing I’ve ever tried to do with a computer, and I have a distinct aversion to revisiting it), I did receive an e-mail today from James R, which I will post verbatim here. NOTE THAT THIS IS NOT TESTED BY ME, SO USE AT YOUR OWN RISK:
From: James R (address redacted)
Subject: OpenVPN in bridged mode
Date: November 30, 2011 11:32:40 AM EST
The following is a script to fix the problems with getting bridged mode OpenVPN working with PBX in a Flash (CentOS 5.7 with Webmin). First you install the third party Webmin OpenVPN module, then use the script below. I haven’t tested it yet, but I believe it should work or, if not, explain what actions need to be done to repair it. Be kind, as my scripting skills are quite poor.
# Insert PATH=$PATH:/sbin:/usr/sbin as line 2 of each Webmin bridge helper script, editing the file in place.
# (The original "cat FILE | sed ... > FILE" form empties FILE, because the shell truncates the output file before cat reads it.)
sed -i '2iPATH=$PATH:/sbin:/usr/sbin' /usr/libexec/webmin/openvpn/br_scripts/bridge_start
sed -i '2iPATH=$PATH:/sbin:/usr/sbin' /usr/libexec/webmin/openvpn/br_scripts/bridge_end
(End of James R’s e-mail. I fixed some punctuation and capitalization in the first paragraph, but otherwise it’s the way he sent it. I was NOT sure if the final couple of sections were really supposed to be three lines each, or one line each that got broken up by the e-mail software. I suspect the latter, but I’m leaving them as is in case I’m wrong about that. Again, please remember that the above is UNTESTED by me.)
Here’s another bit of information that may be useful for those of you that don’t know much about Linux — here is a very small list of Linux commands that may be useful in diagnosing any problems with your VPN tunnel:
ifconfig – shows the current list of network interfaces. On both ends of your tunnel you should see a tunx interface when the tunnel is operational. On Windows-based systems a similar command is ipconfig.
ip route show – shows current routing information for the system (see also route). ip route list gives a slightly different view.
iptables -L – lists the current iptables rules. Add the -v option to get a more verbose display.
netstat -r – similar to route but with a slightly different view.
ping address – tries to get a response from another connected machine or device. Note that not all systems or devices will respond to pings.
route – shows the current routing tables on the system (see also ip route show).
tcpdump -n – this shows a running display of all activity on the network interfaces. Be careful because this can produce a LOT of output very quickly. Use Control-C to interrupt, then be prepared to wait until the buffer empties (may take a few seconds).
traceroute address – If you run a traceroute to a network address (either on the LAN or on the Internet) it will attempt to show each system the packets pass through on the way to their destination. This can be useful for determining if traffic to a particular destination is actually going through your tunnel. On Windows-based systems use tracert (a holdover from MS-DOS days when filenames were limited to eight characters!).
which program-name – not a network command per se, but if you get an error message about a missing program, you can use which program-name to try to determine if the program exists on your system, and the correct path to that program.
Note that there are additional options for most or all of the above commands – read the man page for that command (e.g. man tcpdump) if you are interested, or use a search engine to find more information (yeah, I think most man pages are painful, too). man is short for manual, by the way, not a reference to gender.
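To show how the ip route output above is actually used to answer the question “is this traffic going through my tunnel?”, here is an added example (mine, not from the original post). It parses ip route show output for a given destination prefix and reports which interface that route leaves through. SAMPLE_ROUTES is a constructed routing table for a client box on the 192.168.10.x side with a tun0 tunnel to 192.168.0.x; every address and interface name in it is an assumption.

```shell
# Added example, not from the original post: check from the shell whether
# traffic for the server-side LAN is really routed through the tunnel, by
# parsing "ip route show" output. SAMPLE_ROUTES is a constructed routing table
# (client box on 192.168.10.x with a tun0 tunnel to 192.168.0.x); every
# address and interface name is an assumption.

SAMPLE_ROUTES='default via 192.168.10.1 dev eth0 proto static
10.8.0.0/24 via 10.8.0.5 dev tun0
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6
192.168.0.0/24 via 10.8.0.5 dev tun0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.20'

# route_iface_for PREFIX TABLE
# Print the "dev" of the route whose destination equals PREFIX (for example
# 192.168.0.0/24) in TABLE, text in "ip route show" format; fail if absent.
route_iface_for() {
    printf '%s\n' "$2" | awk -v net="$1" '
        $1 == net {
            for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i + 1); found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# via_tunnel PREFIX TABLE
# Succeed only when that route leaves via a tun/tap interface, i.e. the traffic
# really goes through OpenVPN rather than straight out eth0.
via_tunnel() {
    local dev
    dev=$(route_iface_for "$1" "$2") || return 1
    case "$dev" in
        tun*|tap*) return 0 ;;
        *)         return 1 ;;
    esac
}

# check_tunnel_route PREFIX
# Live wrapper: read the real routing table with iproute2 and report. For a
# single host rather than a whole prefix, "ip route get ADDRESS" prints the
# route the kernel would pick and is the quicker check.
check_tunnel_route() {
    local table
    table=$(ip route show) || return 1
    if via_tunnel "$1" "$table"; then
        echo "$1 is routed through $(route_iface_for "$1" "$table")"
    else
        echo "$1 is NOT routed through the tunnel"
        return 1
    fi
}
```

Run `check_tunnel_route 192.168.0.0/24` on the client after adding the route from the earlier section; a non-zero exit means the packets are taking the default route instead. If the route looks right but nothing gets through, `tcpdump -ni tun0 -c 20` shows whether packets are at least entering the tunnel interface, and the -c count keeps the output from running away as the text above warns.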
Anyway, I’m still trying to catch up on lost sleep, but if I think of anything else pertinent I’ll probably add it to this article, rather than making this series any longer. I hope if you attempt this, it’s not nearly as painful for you as it was for me!