Bill Mongan

Bill Mongan

Professor, Author, Machine Learning Researcher, Educational Consultant, and Scholar of Teaching and Learning; Host: digitalsignature.fm

Setting Up FreePBX on a Raspberry Pi with AREDN MeshPhone and 44net Integration

6 minute read

Published:

This guide will walk you through setting up FreePBX on a Raspberry Pi, trunking it with MeshPhone over an AREDN network, and optionally making it accessible via a 44net allocation.

Prerequisites

  • A Raspberry Pi with a supported operating system.
  • An AREDN node with MeshPhone support.
  • A 44net allocation (optional).

Step 1: Install FreePBX

I installed FreePBX version 17.0.19.17 with Asterisk 21.5.0 using a script. You can also flash a prebuilt FreePBX Raspberry Pi image to your SD card.

Step 2: Configure FreePBX

Use the configuration instructions provided on this mesh page (AREDN mesh connection required to view): MeshPhone FreePBX Configuration

Configuration Steps

  1. Create an Extension:
    • Note the secret, which will be provisioned on your phone.
    • Configure your phone with the server IP and port (default: 5060).
  2. Firewall Configuration: If using 44net, set up your router and FreePBX node firewall.

Step 3: Router and Firewall Configuration

On the 44net Router:

If your AREDN router is behind a 44net router, forward traffic for SIP (port 5060) as follows:

/ip firewall filter add chain=input protocol=tcp port=5060 src-address=<your 44net cloud IP> action=accept comment="Allow TCP 5060 from specific IP"
/ip firewall filter add chain=input protocol=udp port=5060 src-address=<your 44net cloud IP> action=accept comment="Allow UDP 5060 from specific IP"

Move these rules above any default drop rules in WebFig.

On the AREDN Node:

Forward port 5060 (TCP/UDP) to the FreePBX server.

On the FreePBX Node:

If using 44net, add your allocation to SIP Settings as a local network:

  • Under SIP Settings: Add your 44net allocation.

Add firewall rules via SSH to allow traffic:

sudo iptables -A INPUT -p udp --dport 5060 -s <your AMPR 44net allocation>/<subnet> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5060 -s <your AMPR 44net allocation>/<subnet> -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 5060 -s <your 44net cloud IP>/32 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 5060 -s <your 44net cloud IP>/32 -j ACCEPT

Make these rules persistent:

sudo iptables-save > /etc/iptables/rules.v4

Step 4: Trunk Configuration

Modify the following files to set up trunking with MeshPhone. Retrieve example files from: MeshPhone FreePBX Configuration

File Modifications

iax_custom.conf

[<your peer's callsign here>]    ; must match username coming from far end
type=friend                      ; peer=outgoing; user=incoming; friend=both way
host=<your peer's PBX IP address here>  ; send calls to this host IP address at far end
username=<your callsign here>   ; username sent to far end
secret=<a shared password here> ; shared secret between both ends
auth=plaintext                   ; plaintext; rsa; md5
context=MeshPhone                ; destination context for incoming calls
disallow=all                     ; disallow all incoming codecs
allow=ulaw                       ; allow ulaw codec
allow=alaw                       ; allow alaw codec
allow=gsm                        ; allow gsm codec
qualify=yes                      ; constantly ping far end to determine trunk status
transfer=no                      ; do not directly connect endpoints
trunk=yes                        ; allow multiple simultaneous calls

globals_custom.conf

NEIGHBOR=<your peer's callsign here>
; [globals] line commented out (if necessary)

meshphone.conf

Add below the first local extension rule, if not already present. Replace XXXXXXX with the peer’s phone number range (e.g., 55512xx for numbers starting with 55512):

; NEIGHBOR=<your peer's callsign here>
exten => _XXXXXXX,1,Dial(IAX2/${NEIGHBOR}/${EXTEN})
exten => _XXXXXXX,n,GoTo(Utilities,Sorry,1)

extensions_custom.conf

Add below access codes to create 4-digit dialing rules. Replace XXXX with the dialing plan and YYY with the area code to prepend:

exten => _XXXX,1,GoTo(MeshPhone,YYY${EXTEN},1)

And to get the office code to echo by overriding the default error response, add this to the bottom of extensions_custom.conf:

[ext-local-custom]
exten => _X.,1,NoOp(Custom Bad-Number Handling)
exten => _X.,n,ResetCDR()
exten => _X.,n,Set(CDR_PROP(disable)=true)
exten => _X.,n,Progress()
exten => _X.,n,Wait(1)
exten => _X.,n,Goto(Utilities,Sorry,1) ; Redirect to custom "Sorry" message
exten => _X.,n,Hangup()

exten => i,1,NoOp(Custom Invalid Number Handling)
exten => i,n,ResetCDR()
exten => i,n,Set(CDR_PROP(disable)=true)
exten => i,n,Progress()
exten => i,n,Wait(1)
exten => i,n,Goto(Utilities,Sorry,1) ; Redirect to custom "Sorry" message
exten => i,n,Hangup()

Optional: Public Availability via 44net

To connect a phone via Groundwire using your 44net allocation:

  1. Set up a WireGuard connection from your mobile phone to the 44net allocation.
  2. Configure Groundwire to connect to your PBX over the 44net address (making sure to allow that 44net address through your 44net firewall, your PBX firewall, and port forwarding from the AREDN router).

Installing WireGuard

To install Wireguard (if needed to make a connection to 44net), run the following from your PBX:

sudo apt install wireguard -y
sudo modprobe wireguard resolvconf

Configure WireGuard

Then, save your public and private key to /etc/wireguard/publickey and /etc/wireguard/privatekey, respectively, and enter your Wireguard configuration and peer information into /etc/wireguard/wg0.conf. Set their permissions:

chmod 600 /etc/wireguard/privatekey
chmod 600 /etc/wireguard/wg0.conf

I removed the IPv6 address from my Wireguard configuration because my pbx does not support IPv6.

Starting the Wireguard Tunnel

Start the tunnel to test, and set it to start at startup, via:

sudo wg-quick up wg0
sudo systemctl enable wg-quick@wg0

Allow SIP Port(s) through the Wireguard Interface

Modify iptables as follows to allow port 5060 (and/or others) through the wg0 interface:

sudo iptables -A INPUT -i wg0 -p udp --dport 5060 -j ACCEPT
sudo iptables -A INPUT -i wg0 -p tcp --dport 5060 -j ACCEPT
sudo cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak
sudo iptables-save >/etc/iptables/rules.v4

Set the Outside IP Address and Local Networks on the FreePBX Configuration Portal

Log into the FreePBX webpage, and go to Settings - Asterisk SIP Settings. Set your external address to your tunnel address (or other outside address), and add the subnet of that address to your list of local networks.

Enabling Multiple Registrations Per line

To allow pjsip extension users to have multiple registrations (i.e., phones) on their line, you can go to Connectivity - Extensions - Advanced and set Max Connections to 5. You can also set Outbound Concurrency Limit to 3. Then, under Connectivity - Extensions - Find Me/Follow Me, enable this feature and set the rule to ringallv2-prim.

Optional: fail2ban

To auto-reject invalid registration attempts, you can install fail2ban via:

apt install fail2ban

Save and apply all changes to FreePBX and your network configurations.

You May Also Enjoy

Setting Up HBLink for a Private DMR Network with HBlink

4 minute read

Published:

This guide walks you through setting up HBLink for a private DMR network, including configuring a Parrot (echo test) repeater and talkgroup. Ensure that you have administrative access to your server and basic knowledge of Python.

Using ChatGPT to Write Code

7 minute read

Published:

I’ve been asked occasionally about my opinion about generative AI tools such as Chat GPT and their potential to disrupt the way we design and create. While I think there is a risk that fundamental knowledge and skill may erode as they are abstracted away by tools like these, I also think these tools create wonderful “jumping off points” for prototyping ideas. We still need a technically educated population to a) know what questions to ask, b) ask them in a precise way, and c) validate the results.