Introduction
FreePBX Distro (formerly AsteriskNOW) is a specialised, CentOS-based PBX platform tailored for telephony administrators rather than desktop users. It ships with yum (or dnf on newer builds) as its package manager, and typically runs headless, exposing configuration via its web GUI. While you can install GNOME or XFCE, most admins rely on CLI tools and the integrated firewall (iptables/nftables). This environment demands a VPN solution that is lightweight, kernel-friendly, and easy to integrate with existing telephony and firewall rules.
Why These VPNs Suit FreePBX Distro
- WireGuard is ultra-lightweight, has minimal dependencies, and offers stellar performance—ideal for voice traffic.
- OpenVPN is battle-tested, flexible with TCP/UDP modes, and available out of the box via EPEL for CentOS.
- strongSwan (IPsec) leverages built-in kernel IPsec support, fitting environments with strict security policies or existing IPsec peers.
VPN Comparison Table
| VPN Solution | Repo & Package Manager | Protocol & Kernel Integration | Client Platforms | Performance | Firewall Integration |
|---|---|---|---|---|---|
| WireGuard | ELRepo & EPEL (yum/dnf) | UDP-based, in-kernel module | Linux, Windows, macOS, iOS, Android | Very high (minimal overhead) | Simple iptables/nftables rules |
| OpenVPN | EPEL (yum/dnf) | SSL/TLS over UDP/TCP (userland) | Linux, Windows, macOS, iOS, Android | Good (configurable cipher) | Established iptables/nftables guides |
| strongSwan | EPEL (yum/dnf) | IPsec/IKEv2 (kernel accel.) | Linux, Windows, macOS, iOS, Android | High (kernel IPsec) | Native IPsec hooks into netfilter |
1. Installing and Configuring WireGuard
WireGuard’s lean design makes it perfect for a PBX environment.
Step A: Enable ELRepo & Install
```shell
# Run as root
rpm --import https://www.elrepo.org/RPM-GPG-KEY-elrepo.org
yum install https://www.elrepo.org/elrepo-release-7.el7.elrepo.noarch.rpm
yum install epel-release
yum install kmod-wireguard wireguard-tools
```
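Step B: Generate Keys & Server Config
```shell
# Create the key and config files readable by root only
umask 077
mkdir -p /etc/wireguard
wg genkey | tee /etc/wireguard/server_private.key | wg pubkey > /etc/wireguard/server_public.key

# $(cat ...) is expanded now, so the private key is written into wg0.conf
cat > /etc/wireguard/wg0.conf <<EOF
[Interface]
PrivateKey = $(cat /etc/wireguard/server_private.key)
Address = 10.0.0.1/24
ListenPort = 51820

# Example peer (client)
[Peer]
# Placeholder: replace with the client's public key
PublicKey = CLIENT_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.0.0.2/32
EOF
```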
Step C: Firewall & Start
```shell
firewall-cmd --permanent --add-port=51820/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

# Enable IP forwarding (this sed only rewrites a line that already reads
# "net.ipv4.ip_forward = 0"; confirm the result with: sysctl net.ipv4.ip_forward)
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p

# Start and enable
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
```
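As peers are added to `wg0.conf`, a quick audit catches the mistakes that matter on the server side: a config readable by other users, a peer left without a public key, and `AllowedIPs` entries that are too wide or shared between peers. This is an added example, not part of the original article; the function name `audit_wg_conf` and the finding labels are illustrative.

```shell
# Added example (not from the original article): audit a wg-quick server config.
# Prints one finding per line; prints nothing when the file passes every check.
audit_wg_conf() {
    conf=$1
    # The file embeds the server private key, so group/other must have no access.
    perms=$(ls -ld "$conf" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERM: $conf is accessible to group/other (expected mode 600)"
    awk '
        function check_peer() {
            if (in_peer && key == "") print "NOKEY: peer #" n " has no PublicKey value"
            if (in_peer && ips == "") print "NOIPS: peer #" n " has no AllowedIPs value"
        }
        { sub(/[ \t\r]*(#.*)?$/, "") }   # drop comments and trailing blanks
        /^\[Peer\]$/      { check_peer(); in_peer = 1; n++; key = ips = ""; next }
        /^\[Interface\]$/ { check_peer(); in_peer = 0; next }
        in_peer && /^[ \t]*PublicKey[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); key = $0; next }
        in_peer && /^[ \t]*AllowedIPs[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); ips = $0
            m = split(ips, a, /[ \t]*,[ \t]*/)
            for (i = 1; i <= m; i++) {
                # On the server, AllowedIPs is the source filter for that peer:
                # anything wider than one host lets the peer use other addresses.
                if (a[i] !~ /\/(32|128)$/)
                    print "WIDE: peer #" n " AllowedIPs " a[i] " covers more than one host"
                if (a[i] in seen)
                    print "DUP: " a[i] " is listed for peers #" seen[a[i]] " and #" n
                else
                    seen[a[i]] = n
            }
        }
        END { check_peer() }
    ' "$conf"
}
```

Run it as `audit_wg_conf /etc/wireguard/wg0.conf` after every peer change; empty output means all checks passed.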
2. Installing and Configuring OpenVPN
OpenVPN offers robust TLS security and is well supported in CentOS/EPEL.
Step A: Install Packages
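```shell
yum install epel-release
yum install openvpn easy-rsa
mkdir -p /etc/openvpn/server
# Copy the contents of the easy-rsa directory so that ./easyrsa sits directly
# in /etc/openvpn/server, where the next step runs it
cp -r /usr/share/easy-rsa/3/* /etc/openvpn/server/
```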
Step B: PKI & Server Config
```shell
cd /etc/openvpn/server
./easyrsa init-pki
./easyrsa build-ca nopass
./easyrsa gen-req server nopass
./easyrsa sign-req server server
./easyrsa gen-dh
openvpn --genkey --secret ta.key

# Create server.conf (relative paths resolve against /etc/openvpn/server)
cat > /etc/openvpn/server/server.conf <<EOF
port 1194
proto udp
dev tun
ca pki/ca.crt
cert pki/issued/server.crt
key pki/private/server.key
dh pki/dh.pem
tls-auth ta.key 0
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 8.8.8.8"
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
status openvpn-status.log
verb 3
EOF
```
Step C: Firewall & Enable
```shell
firewall-cmd --permanent --add-port=1194/udp
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

# Enable IP forwarding
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p

systemctl enable openvpn-server@server
systemctl start openvpn-server@server
```
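The steps above build the server side only. The following added example (not from the original article) assembles a single-file client profile that matches this `server.conf`: UDP port 1194, `tls-auth` with the client-side key direction, and server certificate verification. The function name `make_ovpn`, the client name `client1` and the host name are assumptions.

```shell
# Added example (not from the original article). Assumes the client certificate
# was issued first with:  ./easyrsa build-client-full client1 nopass
make_ovpn() {
    name=$1 host=$2 dir=${3:-/etc/openvpn/server}
    for f in "$dir/pki/ca.crt" "$dir/pki/issued/$name.crt" \
             "$dir/pki/private/$name.key" "$dir/ta.key"; do
        [ -r "$f" ] || { echo "missing $f" >&2; return 1; }
    done
    # remote-cert-tls server: refuse peers whose certificate is not a server cert.
    # key-direction 1: client side of the server's "tls-auth ta.key 0".
    cat <<EOF
client
dev tun
proto udp
remote $host 1194
nobind
persist-key
persist-tun
remote-cert-tls server
key-direction 1
verb 3
<ca>
$(cat "$dir/pki/ca.crt")
</ca>
<cert>
$(sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$dir/pki/issued/$name.crt")
</cert>
<key>
$(cat "$dir/pki/private/$name.key")
</key>
<tls-auth>
$(cat "$dir/ta.key")
</tls-auth>
EOF
}
```

The profile contains the client's private key, so write it with a restrictive umask, for example `( umask 077; make_ovpn client1 pbx.example.com > client1.ovpn )`, and hand it over through a protected channel.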
3. Installing and Configuring strongSwan (IPsec/IKEv2)
strongSwan integrates seamlessly with kernel IPsec for organisations already using IPsec.
Step A: Install strongSwan
```shell
yum install epel-release
yum install strongswan
```
Step B: Basic IPsec Config
```shell
cat > /etc/strongswan/ipsec.conf <<EOF
config setup
    charondebug="ike 2, knl 2, cfg 2"

conn rwvpn
    keyexchange=ikev2
    left=%any
    leftid=@server.example.com
    leftcert=serverCert.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.9.0.0/24
    rightsendcert=never
    eap_identity=%identity
    # Load this connection at startup; the default (auto=ignore) leaves it unloaded
    auto=add
EOF

# Credentials
echo 'server.example.com : RSA serverKey.pem' > /etc/strongswan/ipsec.secrets
echo 'user1 : EAP "yourpassword"' >> /etc/strongswan/ipsec.secrets
```
Step C: Firewall & Start
```shell
firewall-cmd --permanent --add-service=ipsec
firewall-cmd --permanent --add-masquerade
firewall-cmd --reload

# Enable IP forwarding
sed -i 's/net.ipv4.ip_forward = 0/net.ipv4.ip_forward = 1/' /etc/sysctl.conf
sysctl -p

systemctl enable strongswan
systemctl start strongswan
```
Conclusion
For a FreePBX Distro environment, WireGuard shines with its simplicity and performance, OpenVPN delivers mature flexibility, and strongSwan integrates natively if you need strict IPsec compliance. Each can be installed via EPEL/ELRepo, integrates into iptables/nftables, and ensures your PBX management and SIP/RTP streams stay secure.