{"id":24,"date":"2025-12-13T22:07:40","date_gmt":"2025-12-13T22:07:40","guid":{"rendered":"https:\/\/nsputnik.com\/blog\/?p=24"},"modified":"2025-12-27T04:19:14","modified_gmt":"2025-12-27T04:19:14","slug":"phreephoning-a-free-private-encrypted-phone-system-with-raspberry-pi-and-analog-phones","status":"publish","type":"post","link":"https:\/\/nsputnik.com\/blog\/2025\/12\/13\/phreephoning-a-free-private-encrypted-phone-system-with-raspberry-pi-and-analog-phones\/","title":{"rendered":"Phreephoning: A Free, Private, Encrypted Phone System with Raspberry Pi and Analog Phones"},"content":{"rendered":"<style><span data-mce-type=\"bookmark\" style=\"display: inline-block; width: 0px; overflow: hidden; line-height: 0;\" class=\"mce_SELRES_start\">\ufeff<\/span><span data-mce-type=\"bookmark\" style=\"display: inline-block; width: 0px; overflow: hidden; line-height: 0;\" class=\"mce_SELRES_start\">\ufeff<\/span><br \/>.code-box {<br \/>    background-color: #f4f4f4 !important;<br \/>    border: 1px solid #ddd !important;<br \/>    border-radius: 4px !important;<br \/>    padding: 12px !important;<br \/>    margin: 10px 0 30px 0 !important;<br \/>    overflow-x: auto !important;<br \/>    position: relative !important;<br \/>    display: block !important;<br \/>}<br \/>.code-box pre {<br \/>    margin: 0;<br \/>    padding: 0;<br \/>    border: none;<br \/>    background: transparent;<br \/>}<br \/>.code-box code {<br \/>    white-space: pre;<br \/>    display: block;<br \/>    background-color: transparent;<br \/>    padding: 0;<br \/>    font-size: 14px;<br \/>}<br \/>.note {<br \/>    background-color: #fff3cd;<br \/>    border-left: 4px solid #ffc107;<br \/>    padding: 10px 15px;<br \/>    margin: 10px 0;<br \/>}<br \/>.important {<br \/>    background-color: #f8d7da;<br \/>    border-left: 4px solid #dc3545;<br \/>    padding: 10px 15px;<br \/>    margin: 10px 0;<br \/>}<br \/>table {<br \/>    border-collapse: collapse;<br \/>    margin: 10px 0;<br \/>}<br \/>th, td {<br \/>    border: 1px solid #ddd;<br \/>    padding: 8px;<br \/>    text-align: left;<br \/>}<br \/>th {<br \/>    background-color: #f4f4f4;<br \/>}<br \/><\/style>\n<p>What if you could pick up an old-school telephone in your house, call a friend&#8217;s house across town, the country or world, and have that call travel over your existing internet connection, fully encrypted, with no monthly bill from a phone company? That&#8217;s the basic idea behind this project. Phreephoneing is a free, private phone system built from a Raspberry Pis, Analog Telephone Adapters (ATAs), subnet routers, and a main router that creates an encrypted mesh between locations.<\/p>\n<p><a href=\"https:\/\/github.com\/nsputnik\/phreephoning\/blob\/main\/phreephoning-setup-guide.md\" target=\"_blank\" rel=\"noopener\">Github<\/a><br \/>\n<a href=\"https:\/\/docs.google.com\/presentation\/d\/19Re2Ca_tQteEhlfqD-B7velJAX4z6orv\/edit?usp=sharing&#038;ouid=105490797376323213165&#038;rtpof=true&#038;sd=true\" target=\"_blank\" rel=\"noopener\">Google Slides<\/a><\/p>\n<h2>WRT Powered Subnet Router \/ Tailscale Setup Guide for VoIP ATAs<\/h2>\n<p>This guide covers setting up a GL.iNet Brume 2\/Beryl AX router with Tailscale to connect remote ATAs to a central PBX for a free, private and encrypted phone system. It is not connected to the larger phone system. You can only call the users you set up with the system. You don&#8217;t have to pay a phone company monthly, just your ISP. Wireguard encrypts the traffic between subnet routers, just like the major data centers do.<\/p>\n<h2>Overview<\/h2>\n<p><a href=\"https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-51\" src=\"https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram-300x273.jpg\" alt=\"\" width=\"300\" height=\"273\" srcset=\"https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram-300x273.jpg 300w, https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram-768x698.jpg 768w, https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/phreephoning-connection-diagram.jpg 960w\" sizes=\"auto, (max-width: 300px) 85vw, 300px\" \/><\/a><\/p>\n<h2>Prerequisites<\/h2>\n<ul>\n<li>A broadband internet connection at the main site and each remote site (no telephone line needed\u2014this system is completely independent from the telecom network)<\/li>\n<li>An existing wireless router with internet access at the main site and at each remote site (the Brume 2\/Beryl AX connects to these routers)<\/li>\n<li><a href=\"https:\/\/www.gl-inet.com\/products\/gl-mt2500\/\">GL.iNet Brume 2 (GL-MT2500)<\/a> router, one for each remote line and one for the main site that will be on the same local network as the PBX, or <a href=\"https:\/\/www.gl-inet.com\/products\/gl-mt3000\/\">GL.iNet Beryl AX (GL-MT3000)<\/a> which is the wireless version, great to use when one of your remote line users does not want to place the phone next to the router, but to another location without having to run ethernet cables. When we mention the remote Brume 2 and Tailscale, the Beryl AX can be substituted here, but we&#8217;ll go into the wireless details in a separate section near the end.<\/li>\n<li><a href=\"https:\/\/tailscale.com\/\">Tailscale account<\/a> (free tier is adequate)<\/li>\n<li>Tailscale client installed on your admin computer &#8211; download from <a href=\"https:\/\/tailscale.com\/download\">https:\/\/tailscale.com\/download<\/a> and sign in with the same Tailscale account. This allows you to SSH into any Brume via its Tailscale IP and also into each ATA admin. You will be on the same Tailnet.<\/li>\n<li>A Raspberry Pi 3, 4, or 5 (not Zero) with <a href=\"http:\/\/www.raspbx.org\/downloads\/\">RasPBX image<\/a> written to the microSD card.\u00a0 RasPBX is just Asterisk 16.13.0 &amp; FreePBX 15.0.16.75, Raspbian Buster Lite, Apache, PHP and MySQL all pre-installed on a bootable image.<\/li>\n<li>An <a href=\"https:\/\/www.ebay.com\/sch\/i.html?_nkw=analog+telephone+adapter\">ATA device<\/a> for each line (Cisco SPA, Linksys PAP2T, Grandstream HT802, etc.)<\/li>\n<li>An old touch tone analog telephone at each location you want to call or you want to call you.<\/li>\n<\/ul>\n<h2>Steps<\/h2>\n<p><strong>Main Site Setup (do these first):<\/strong><\/p>\n<ul>\n<li><a href=\"#step1\">Step 1: Main Site Brume 2 Setup<\/a><\/li>\n<li><a href=\"#step2\">Step 2: Main Site Firewall Configuration<\/a><\/li>\n<li><a href=\"#step3\">Step 3: Reserve PBX IP Address<\/a><\/li>\n<li><a href=\"#step4\">Step 4: Create Extensions in FreePBX<\/a><\/li>\n<li><a href=\"#step5\">Step 5: Configure Main Site ATA<\/a><\/li>\n<li><a href=\"#step6\">Step 6: Verify Main Site SIP Registration<\/a><\/li>\n<li><a href=\"#step7\">Step 7: Configure and Test Remote ATA Locally<\/a><\/li>\n<\/ul>\n<p><strong>Remote Site Setup (repeat for each remote location):<\/strong><\/p>\n<ul>\n<li><a href=\"#step8\">Step 8: Remote Site Brume 2 Setup<\/a><\/li>\n<li><a href=\"#step9\">Step 9: Remote Site Firewall Configuration<\/a><\/li>\n<li><a href=\"#step10\">Step 10: Verify Tailscale Routing<\/a><\/li>\n<li><a href=\"#step11\">Step 11: Reconfigure Remote ATA for Deployment<\/a><\/li>\n<li><a href=\"#step12\">Step 12: Verify Remote SIP Registration<\/a><\/li>\n<li><a href=\"#step13\">Step 13: Deploy to Remote Site<\/a><\/li>\n<\/ul>\n<p><strong>Final Steps:<\/strong><\/p>\n<ul>\n<li><a href=\"#step14\">Step 14: Reboot Test<\/a><\/li>\n<li><a href=\"#step15\">Step 15: Make a Test Call<\/a><\/li>\n<li><a href=\"#step16\">Step 16: Export Backups<\/a><\/li>\n<li><a href=\"#optional-wireless\">Optional: Wireless Setup with Beryl AX (Remote Sites)<\/a><\/li>\n<\/ul>\n<h2>Main Site Setup<\/h2>\n<p>Complete all main site steps before setting up any remote sites.<\/p>\n<p><a name=\"step1\"><\/a><\/p>\n<h2>Step 1: Main Site Brume 2 Setup<\/h2>\n<p>The main site Brume 2 sits on the same local network as the PBX and acts as the Tailscale gateway for remote sites. It stays in <strong>Router mode<\/strong> (the default) but connects differently than remote Brumes.<\/p>\n<div class=\"important\"><strong>Set up the main Brume first!<\/strong> The main Brume must be configured and advertising its subnet before remote Brumes can connect to the PBX.<\/div>\n<h3>Initial Setup<\/h3>\n<ol>\n<li>At your local site where the PBX will live, connect Brume 2 <strong>WAN port<\/strong> to your router (gets internet and local network via DHCP)<\/li>\n<li>The PBX and local ATA connect to the <strong>same network as the Brume&#8217;s WAN<\/strong> (not the LAN port), so just connect them to your router<\/li>\n<li>Access Brume web UI (default: http:\/\/192.168.8.1)<\/li>\n<li>Set admin password<\/li>\n<li>Leave Network Mode as <strong>Router<\/strong> (the default)<\/li>\n<li>Note the Brume&#8217;s WAN IP (check your router&#8217;s DHCP client list)<\/li>\n<\/ol>\n<h3>Enable Tailscale and Join Tailnet<\/h3>\n<ol start=\"7\">\n<li>In Brume web UI: <strong>Applications \u2192 Tailscale<\/strong><\/li>\n<li>Click <strong>Enable Tailscale<\/strong><\/li>\n<li>Click the authentication link and log into your Tailscale account<\/li>\n<li>Enable <strong>&#8220;Allow Remote Access LAN&#8221;<\/strong><\/li>\n<li>Enable <strong>&#8220;Allow Remote Access WAN&#8221;<\/strong><\/li>\n<li>Note the Tailscale IP assigned (100.x.x.x) &#8211; visible in Tailscale admin console<\/li>\n<\/ol>\n<h3>Approve Route and Name Device<\/h3>\n<ol start=\"13\">\n<li>Go to <a href=\"https:\/\/login.tailscale.com\/admin\/machines\">https:\/\/login.tailscale.com\/admin\/machines<\/a><\/li>\n<li>Find the main Brume and <strong>approve the subnet route<\/strong> (192.168.1.0\/24)<\/li>\n<li><strong>Rename the device<\/strong> &#8211; click the three-dot menu \u2192 &#8220;Edit machine name&#8221; \u2192 name it something like &#8220;gl-mt2500-main&#8221; or &#8220;gl-mt2500-pbx-site&#8221; to identify it easily<\/li>\n<\/ol>\n<div class=\"note\"><strong>Key difference from remote Brumes:<\/strong> The main Brume&#8217;s PBX is on its WAN side (e.g., 192.168.1.0\/24), not LAN side. This means the firewall rules use <code>eth0<\/code> instead of <code>br-lan<\/code>.<\/div>\n<p><a name=\"step2\"><\/a><\/p>\n<h2>Step 2: Main Site Firewall Configuration<\/h2>\n<p>SSH to the main Brume to configure the firewall rules. These are specific to the <strong>main site<\/strong> because the PBX is on the WAN side.<\/p>\n<div class=\"code-box\">\n<pre><code>ssh root@192.168.8.1<\/code><\/pre>\n<\/div>\n<p>(Password is the same as the web UI admin password you created)<\/p>\n<h3>Make Filesystem Writable<\/h3>\n<p>GL.iNet routers use a read-only overlay filesystem by default. Run this command first to ensure your changes persist across reboots:<\/p>\n<div class=\"code-box\">\n<pre><code>. \/lib\/functions\/gl_util.sh && remount_ubifs<\/code><\/pre>\n<\/div>\n<h3>2a. Create UCI Firewall Zone<\/h3>\n<p>Run these commands to create a Tailscale firewall zone:<\/p>\n<div class=\"code-box\">\n<pre><code># Create Tailscale zone\r\nuci add firewall zone\r\nuci set firewall.@zone[-1].name='ts'\r\nuci set firewall.@zone[-1].input='ACCEPT'\r\nuci set firewall.@zone[-1].output='ACCEPT'\r\nuci set firewall.@zone[-1].forward='ACCEPT'\r\nuci set firewall.@zone[-1].device='tailscale0'\r\n\r\n# Add forwarding ts -&gt; lan\r\nuci add firewall forwarding\r\nuci set firewall.@forwarding[-1].src='ts'\r\nuci set firewall.@forwarding[-1].dest='lan'\r\n\r\n# Add forwarding lan -&gt; ts\r\nuci add firewall forwarding\r\nuci set firewall.@forwarding[-1].src='lan'\r\nuci set firewall.@forwarding[-1].dest='ts'\r\n\r\n# Save changes\r\nuci commit firewall<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>uci show firewall | grep -E \"zone.*ts|forwarding\"<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>2b. Configure \/etc\/rc.local (Main Site)<\/h3>\n<p>This ensures Tailscale settings persist after reboot.<\/p>\n<div class=\"important\"><strong>IMPORTANT:<\/strong> When typing these commands, the closing <code>ENDFILE<\/code> must have <strong>no spaces before it<\/strong>. If your terminal adds leading spaces when you paste, use the arrow keys and backspace to remove them before pressing Enter.<\/div>\n<div class=\"code-box\">\n<pre><code>cat &gt; \/etc\/rc.local &lt;&lt; 'ENDFILE'\r\n# Put your custom commands here that should be executed once\r\n# the system init finished. By default this file does nothing.\r\n\r\n. \/lib\/functions\/gl_util.sh\r\nremount_ubifs\r\n\r\n# Wait for Tailscale to be ready\r\nsleep 10\r\n\r\n# Apply Tailscale settings - advertise the PBX subnet\r\ntailscale up --advertise-routes=192.168.1.0\/24 --accept-routes --reset\r\n\r\nexit 0\r\nENDFILE<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>cat \/etc\/rc.local<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>2c. Configure \/etc\/firewall.user (Main Site)<\/h3>\n<p>The main site uses <code>eth0<\/code> (WAN interface) because the PBX is on the WAN side.<\/p>\n<div class=\"important\"><strong>IMPORTANT:<\/strong> Same as above &#8211; the closing <code>ENDFILE<\/code> must have <strong>no leading spaces<\/strong>.<\/div>\n<div class=\"code-box\">\n<pre><code>cat &gt;&gt; \/etc\/firewall.user &lt;&lt; 'ENDFILE'\r\n\r\n# MASQUERADE traffic from WAN subnet to Tailscale\r\niptables -t nat -I POSTROUTING -o tailscale0 -s 192.168.1.0\/24 -j MASQUERADE\r\n\r\n# FORWARD rules for eth0 &lt;-&gt; tailscale0 (WAN to Tailscale)\r\niptables -I FORWARD -i tailscale0 -o eth0 -j ACCEPT\r\niptables -I FORWARD -i eth0 -o tailscale0 -j ACCEPT\r\n\r\n# Restart Tailscale to restore its rules\r\n\/etc\/init.d\/tailscale restart\r\nENDFILE<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>cat \/etc\/firewall.user<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>2d. Apply Settings<\/h3>\n<div class=\"code-box\">\n<pre><code>tailscale up --advertise-routes=192.168.1.0\/24 --accept-routes --reset\r\n\/etc\/init.d\/firewall restart<\/code><\/pre>\n<\/div>\n<p><a name=\"step3\"><\/a><\/p>\n<h2>Step 3: Reserve PBX IP Address<\/h2>\n<p>Log into your main site router and create a DHCP reservation for the PBX (Raspberry Pi). This prevents the router from assigning a different IP address to the PBX after a power outage or reboot, which would require updating all ATA configurations.<\/p>\n<p>Look for DHCP reservation, static lease, or address reservation in your router&#8217;s settings. You&#8217;ll need the PBX&#8217;s MAC address and its current IP (192.168.1.100 or whatever you&#8217;ve been using).<\/p>\n<p><a name=\"step4\"><\/a><\/p>\n<h2>Step 4: Create Extensions in FreePBX<\/h2>\n<p>Create SIP extensions for <strong>all<\/strong> phones in your system &#8211; both the main site ATA and all remote ATAs. Do this now while you&#8217;re at the main site.<\/p>\n<ol>\n<li>Log into FreePBX web interface on your local network (check your router for the PBX IP). The default username is admin, password is admin.<\/li>\n<li>Go to <strong>Applications \u2192 Extensions<\/strong><\/li>\n<li>Click <strong>Add Extension<\/strong> \u2192 <strong>Add New PJSIP Extension<\/strong> (or SIP if using chan_sip)<\/li>\n<li>Enter:\n<ul>\n<li><strong>User Extension<\/strong>: Extension number (e.g., 100 for main site, 101-109 for remote sites)<\/li>\n<li><strong>Display Name<\/strong>: Description (e.g., &#8220;Main House&#8221;, &#8220;Mom and Dad&#8221;, &#8220;Uncle Bob&#8221;)<\/li>\n<li><strong>Secret<\/strong>: Copy the auto-generated password or set your own<\/li>\n<\/ul>\n<\/li>\n<li>Click <strong>Submit<\/strong><\/li>\n<li>Click the <strong>red &#8220;Apply Config&#8221; button<\/strong> at the top<\/li>\n<li>Copy the <strong>Secret<\/strong> (password) &#8211; you&#8217;ll need it for the ATA<\/li>\n<li>Repeat steps 2 through 7 for each phone in your system (main site + all remote sites)<\/li>\n<\/ol>\n<div class=\"note\"><strong>Tip:<\/strong> Create all extensions now so you have the passwords ready when configuring each ATA.<\/div>\n<p><a name=\"step5\"><\/a><\/p>\n<h2>Step 5: Configure Main Site ATA<\/h2>\n<p>The main site ATA connects directly to your router (same network as the PBX), so configuration is simpler than remote ATAs.<\/p>\n<p>Access the ATA&#8217;s web interface and configure:<\/p>\n<h3>Network Settings<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Setting<\/th>\n<th>Value<\/th>\n<\/tr>\n<tr>\n<td>Connection Type<\/td>\n<td><strong>DHCP<\/strong> or <strong>Static IP<\/strong><\/td>\n<\/tr>\n<tr>\n<td>IP Address<\/td>\n<td>(If static: 192.168.1.101 or similar)<\/td>\n<\/tr>\n<tr>\n<td>Subnet Mask<\/td>\n<td>255.255.255.0<\/td>\n<\/tr>\n<tr>\n<td>Default Gateway<\/td>\n<td>Your router&#8217;s IP (e.g., 192.168.1.1)<\/td>\n<\/tr>\n<tr>\n<td>Primary DNS<\/td>\n<td>8.8.8.8 or your router&#8217;s IP<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>SIP\/Line Settings<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Setting<\/th>\n<th>Value<\/th>\n<\/tr>\n<tr>\n<td>SIP Proxy<\/td>\n<td>192.168.1.100 (PBX IP)<\/td>\n<\/tr>\n<tr>\n<td>SIP Port<\/td>\n<td>5060<\/td>\n<\/tr>\n<tr>\n<td>Register<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>User ID<\/td>\n<td>Extension number (e.g., 100)<\/td>\n<\/tr>\n<tr>\n<td>Auth ID<\/td>\n<td>Same as User ID<\/td>\n<\/tr>\n<tr>\n<td>Password<\/td>\n<td>SIP secret from FreePBX<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>If you will use both lines on a 2 line ATA the 2nd line should use SIP port 5061, and it might set this automatically, but verify it.<\/p>\n<p><strong>Click &#8220;Submit All Changes&#8221;<\/strong> to save and trigger registration.<\/p>\n<p><a name=\"step6\"><\/a><\/p>\n<h2>Step 6: Verify Main Site SIP Registration<\/h2>\n<h3>Check the ATA<\/h3>\n<ol>\n<li>Access the ATA&#8217;s web admin (e.g., http:\/\/192.168.1.101)<\/li>\n<li>Look for registration status &#8211; usually on the main status page or under Line\/SIP settings<\/li>\n<li>Should show <strong>&#8220;Registered&#8221;<\/strong> or <strong>&#8220;Online&#8221;<\/strong><\/li>\n<\/ol>\n<h3>Verify on the PBX<\/h3>\n<p>SSH into the PBX (Raspberry Pi). The username: root, password: raspberry.<\/p>\n<div class=\"code-box\">\n<pre><code>ssh root@192.168.1.100<\/code><\/pre>\n<\/div>\n<p>Check registration:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip show endpoints\" | grep 100\r\n# or for chan_sip:\r\nasterisk -rx \"sip show peers\" | grep 100<\/code><\/pre>\n<\/div>\n<p>Should show the extension with status &#8220;OK&#8221; or &#8220;Avail&#8221;.<\/p>\n<h3>Test Dial Tone<\/h3>\n<p>Pick up the phone connected to the main site ATA. You should hear a dial tone, confirming the ATA is registered with the PBX.<\/p>\n<p><a name=\"step7\"><\/a><\/p>\n<h2>Step 7: Configure and Test Remote ATA Locally<\/h2>\n<p>Before setting up the remote Brume 2, test the remote ATA locally on your main network. This confirms the extension works before adding the complexity of the Tailscale tunnel.<\/p>\n<h3>Temporary Local Setup<\/h3>\n<p>Connect the remote ATA directly to your main router (the same network as the PBX), <strong>not<\/strong> to the Brume 2 yet. Leave the ATA&#8217;s network settings on <strong>DHCP\/Dynamic<\/strong> &#8211; no network configuration is needed for this test.<\/p>\n<h3>SIP\/Line Settings<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Setting<\/th>\n<th>Value<\/th>\n<\/tr>\n<tr>\n<td>SIP Proxy<\/td>\n<td>192.168.1.100 (PBX IP)<\/td>\n<\/tr>\n<tr>\n<td>SIP Port<\/td>\n<td>5060<\/td>\n<\/tr>\n<tr>\n<td>Register<\/td>\n<td>Yes<\/td>\n<\/tr>\n<tr>\n<td>User ID<\/td>\n<td>Extension number (e.g., 101)<\/td>\n<\/tr>\n<tr>\n<td>Auth ID<\/td>\n<td>Same as User ID<\/td>\n<\/tr>\n<tr>\n<td>Password<\/td>\n<td>SIP secret from FreePBX (created in <a href=\"#step4\">Step 4<\/a>)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><strong>Click &#8220;Submit All Changes&#8221;<\/strong> to save and trigger registration.<\/p>\n<h3>Test Local Call<\/h3>\n<ol>\n<li>Verify the ATA shows <strong>&#8220;Registered&#8221;<\/strong> in its web interface<\/li>\n<li>Pick up the phone connected to this ATA &#8211; you should hear dial tone<\/li>\n<li>Dial the main site extension (e.g., 100)<\/li>\n<li>The main site phone should ring &#8211; answer and verify two-way audio works<\/li>\n<li>Hang up, then test the other direction: pick up the main site phone and dial this extension (e.g., 101)<\/li>\n<li>Answer and verify two-way audio works in both directions<\/li>\n<\/ol>\n<p>Once calls succeed in both directions, you&#8217;ve confirmed the extension is configured correctly. You&#8217;ll reconfigure this ATA for the remote subnet after setting up the remote Brume 2.<\/p>\n<h2>Remote Site Setup<\/h2>\n<p>Repeat these steps for each remote location. Complete the main site setup first!<\/p>\n<p><a name=\"step8\"><\/a><\/p>\n<h2>Step 8: Remote Site Brume 2 Setup<\/h2>\n<p>Each remote site needs its own Brume 2 in <strong>router mode<\/strong> (the default) with a unique subnet.<\/p>\n<div class=\"important\"><strong>IMPORTANT: Configure before deployment!<\/strong> Set up and join each remote Brume to your Tailnet <strong>before<\/strong> shipping or bringing it to the remote location. This allows you to SSH into the remote Brume 2 via Tailscale for troubleshooting after deployment.<\/div>\n<h3>Pre-deployment Setup (do this at your location)<\/h3>\n<p>To avoid IP conflicts, configure each remote Brume while:<\/p>\n<ul>\n<li>The main Brume is <strong>powered off<\/strong>, OR<\/li>\n<li>On a <strong>different network<\/strong> from the main Brume (since both default to 192.168.8.1)<\/li>\n<\/ul>\n<ol>\n<li>Connect Brume 2 <strong>WAN port<\/strong> to your router (needs internet for Tailscale auth)<\/li>\n<li>Access Brume web UI (default: http:\/\/192.168.8.1)<\/li>\n<li>Set admin password<\/li>\n<li>Go to <strong>Network \u2192 LAN<\/strong><\/li>\n<li>Change the <strong>LAN IP<\/strong> to use a unique subnet:\n<ul>\n<li>Change the third octet (the &#8220;8&#8221; in 192.168.<strong>8<\/strong>.1) to a unique number<\/li>\n<li>Example: change <code>192.168.8.1<\/code> to <code>192.168.10.1<\/code> for the first remote site<\/li>\n<li>Use sequential numbers: 192.168.9.1, 192.168.10.1, 192.168.11.1, etc.<\/li>\n<li>The subnet mask stays <code>255.255.255.0<\/code><\/li>\n<li>Click <strong>Apply<\/strong> &#8211; you&#8217;ll be disconnected briefly as the IP changes<\/li>\n<\/ul>\n<\/li>\n<li>Reconnect to the Brume at its new IP (e.g., http:\/\/192.168.10.1)<\/li>\n<li>Note this new LAN IP &#8211; it becomes the ATA&#8217;s gateway<\/li>\n<\/ol>\n<h3>Enable Tailscale<\/h3>\n<ol start=\"8\">\n<li>In Brume web UI: <strong>Applications \u2192 Tailscale<\/strong><\/li>\n<li>Click <strong>Enable Tailscale<\/strong><\/li>\n<li>Click the authentication link and log into your Tailscale account<\/li>\n<li>Enable <strong>&#8220;Allow Remote Access LAN&#8221;<\/strong><\/li>\n<li>Enable <strong>&#8220;Allow Remote Access WAN&#8221;<\/strong><\/li>\n<li>Note the Tailscale IP assigned (100.x.x.x) &#8211; visible in Tailscale admin console<\/li>\n<\/ol>\n<h3>Approve Route and Name Device<\/h3>\n<ol start=\"14\">\n<li>Go to <a href=\"https:\/\/login.tailscale.com\/admin\/machines\">https:\/\/login.tailscale.com\/admin\/machines<\/a><\/li>\n<li>Find the new Brume and <strong>approve the subnet route<\/strong><\/li>\n<li><strong>Rename the device<\/strong> &#8211; use the name or initials of the friend\/family member where it will be deployed (e.g., &#8220;gl-mt2500-uncle-bob&#8221;, &#8220;gl-mt2500-mom-dad&#8221;).\u00a0 This is done by clicking the 3 dost on the right and selecting Edit Rout Settings.\u00a0 Then you will see the route or routes to approve.<\/li>\n<\/ol>\n<h3><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-73\" src=\"https:\/\/nsputnik.com\/blog\/wp-content\/uploads\/2025\/12\/tailsacle-admin-2.jpg\" alt=\"Tailscale device admin\" width=\"960\" height=\"435\"><\/h3>\n<h3>Choosing a Subnet<\/h3>\n<p>Use a unique \/24 subnet for each site:<\/p>\n<table>\n<tbody>\n<tr>\n<th>Site<\/th>\n<th>Subnet<\/th>\n<th>Brume LAN IP<\/th>\n<\/tr>\n<tr>\n<td>Main (PBX)<\/td>\n<td>192.168.1.0\/24<\/td>\n<td>(WAN side, no change needed)<\/td>\n<\/tr>\n<tr>\n<td>Remote Site 1<\/td>\n<td>192.168.9.0\/24<\/td>\n<td>192.168.9.1<\/td>\n<\/tr>\n<tr>\n<td>Remote Site 2<\/td>\n<td>192.168.10.0\/24<\/td>\n<td>192.168.10.1<\/td>\n<\/tr>\n<tr>\n<td>Remote Site 3<\/td>\n<td>192.168.11.0\/24<\/td>\n<td>192.168.11.1<\/td>\n<\/tr>\n<tr>\n<td>Remote Site 4<\/td>\n<td>192.168.12.0\/24<\/td>\n<td>192.168.12.1<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<div class=\"note\"><strong>Why start above 8?<\/strong> The Brume defaults to 192.168.8.x. Using 9, 10, 11&#8230; makes it easy to remember which site is which and avoids conflicts with the default. Also avoid 192.168.0.x and 192.168.1.x as these are common home network subnets that may conflict at remote sites.<\/div>\n<p><a name=\"step9\"><\/a><\/p>\n<h2>Step 9: Remote Site Firewall Configuration<\/h2>\n<p>SSH to the remote Brume to configure the firewall rules. These are specific to <strong>remote sites<\/strong> because the ATA is on the LAN side.<\/p>\n<div class=\"code-box\">\n<pre><code>ssh root@192.168.X.1<\/code><\/pre>\n<\/div>\n<p>(Replace X with your subnet number, e.g., 192.168.10.1. Password is the same as the web UI admin password you created)<\/p>\n<h3>Make Filesystem Writable<\/h3>\n<p>GL.iNet routers use a read-only overlay filesystem by default. Run this command first to ensure your changes persist across reboots:<\/p>\n<div class=\"code-box\">\n<pre><code>. \/lib\/functions\/gl_util.sh && remount_ubifs<\/code><\/pre>\n<\/div>\n<h3>9a. Create UCI Firewall Zone<\/h3>\n<p>Run these commands to create a Tailscale firewall zone (same as main site):<\/p>\n<div class=\"code-box\">\n<pre><code># Create Tailscale zone\r\nuci add firewall zone\r\nuci set firewall.@zone[-1].name='ts'\r\nuci set firewall.@zone[-1].input='ACCEPT'\r\nuci set firewall.@zone[-1].output='ACCEPT'\r\nuci set firewall.@zone[-1].forward='ACCEPT'\r\nuci set firewall.@zone[-1].device='tailscale0'\r\n\r\n# Add forwarding ts -&gt; lan\r\nuci add firewall forwarding\r\nuci set firewall.@forwarding[-1].src='ts'\r\nuci set firewall.@forwarding[-1].dest='lan'\r\n\r\n# Add forwarding lan -&gt; ts\r\nuci add firewall forwarding\r\nuci set firewall.@forwarding[-1].src='lan'\r\nuci set firewall.@forwarding[-1].dest='ts'\r\n\r\n# Save changes\r\nuci commit firewall<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>uci show firewall | grep -E \"zone.*ts|forwarding\"<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>9b. Configure \/etc\/rc.local (Remote Site)<\/h3>\n<p>Copy the code below to a text editor, replace <code>192.168.X.0\/24<\/code> with your actual subnet (e.g., 192.168.10.0\/24), then paste into the terminal:<\/p>\n<div class=\"important\"><strong>IMPORTANT:<\/strong> The closing <code>ENDFILE<\/code> must have <strong>no spaces before it<\/strong>.<\/div>\n<div class=\"code-box\">\n<pre><code>cat &gt; \/etc\/rc.local &lt;&lt; 'ENDFILE'\r\n# Put your custom commands here that should be executed once\r\n# the system init finished. By default this file does nothing.\r\n\r\n. \/lib\/functions\/gl_util.sh\r\nremount_ubifs\r\n\r\n# Wait for Tailscale to be ready\r\nsleep 10\r\n\r\n# Apply Tailscale settings - CHANGE SUBNET BELOW\r\ntailscale up --advertise-routes=192.168.X.0\/24 --accept-routes --reset\r\n\r\n# Add explicit route to PBX - CHANGE IP BELOW IF DIFFERENT\r\nip route add 192.168.1.100\/32 dev tailscale0 2&gt;\/dev\/null || true\r\n\r\nexit 0\r\nENDFILE<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>cat \/etc\/rc.local<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>9c. Configure \/etc\/firewall.user (Remote Site)<\/h3>\n<p>Remote sites use <code>br-lan<\/code> (LAN interface) because the ATA is on the LAN side.<\/p>\n<p>Copy the code below to a text editor, replace <code>192.168.X.0\/24<\/code> with your actual subnet, then paste into the terminal:<\/p>\n<div class=\"important\"><strong>IMPORTANT:<\/strong> The closing <code>ENDFILE<\/code> must have <strong>no leading spaces<\/strong>.<\/div>\n<div class=\"code-box\">\n<pre><code>cat &gt;&gt; \/etc\/firewall.user &lt;&lt; 'ENDFILE'\r\n\r\n# allow LAN &lt;-&gt; Tailscale\r\niptables -I FORWARD -i tailscale0 -o br-lan -j ACCEPT\r\niptables -I FORWARD -i br-lan -o tailscale0 -j ACCEPT\r\n\r\n# MASQUERADE traffic from LAN to Tailscale - CHANGE SUBNET BELOW\r\niptables -t nat -I POSTROUTING -o tailscale0 -s 192.168.X.0\/24 -j MASQUERADE\r\n\r\n# Restart Tailscale to restore its rules\r\n\/etc\/init.d\/tailscale restart\r\nENDFILE<\/code><\/pre>\n<\/div>\n<p>Verify:<\/p>\n<div class=\"code-box\">\n<pre><code>cat \/etc\/firewall.user<\/code><\/pre>\n<\/div>\n<p>The output should match the content you entered above.<\/p>\n<h3>9d. Apply Settings<\/h3>\n<div class=\"code-box\">\n<pre><code>tailscale up --advertise-routes=192.168.X.0\/24 --accept-routes --reset\r\n\/etc\/init.d\/firewall restart<\/code><\/pre>\n<\/div>\n<p><a name=\"step10\"><\/a><\/p>\n<h2>Step 10: Verify Tailscale Routing<\/h2>\n<p>On the remote Brume, test connectivity to the PBX:<\/p>\n<div class=\"code-box\">\n<pre><code># Should show route is advertised\r\ntailscale debug prefs | grep -A3 AdvertiseRoutes\r\n\r\n# Should return \"pong from &lt;main-brume-name&gt;\"\r\ntailscale ping 192.168.1.100\r\n\r\n# Should succeed with ~20-50ms latency\r\nping -c 3 192.168.1.100<\/code><\/pre>\n<\/div>\n<h3>If <code>tailscale ping<\/code> says &#8220;no matching peer&#8221;:<\/h3>\n<ol>\n<li>Check that the main site subnet (e.g., 192.168.1.0\/24) route is approved for the <strong>main Brume<\/strong> in Tailscale admin<\/li>\n<li>Run <code>tailscale up --accept-routes --reset<\/code> again on the remote Brume<\/li>\n<li>Wait 30 seconds and retry<\/li>\n<\/ol>\n<p><a name=\"step11\"><\/a><\/p>\n<h2>Step 11: Reconfigure Remote ATA for Deployment<\/h2>\n<p>Connect the ATA you tested in Step 7 to the remote Brume&#8217;s LAN port.<\/p>\n<h3>Network Settings<\/h3>\n<p>No changes needed &#8211; leave the ATA on <strong>DHCP<\/strong>. The Brume will assign it an IP address in the correct subnet automatically.<\/p>\n<p>To find the ATA&#8217;s IP address, log into the Brume 2 web admin and check the <strong>Clients<\/strong> list.<\/p>\n<h3>SIP\/Line Settings<\/h3>\n<p>No changes needed &#8211; the SIP settings from Step 7 remain the same. The ATA will reach the PBX at 192.168.1.100 through the Tailscale tunnel.<\/p>\n<p><a name=\"step12\"><\/a><\/p>\n<h2>Step 12: Verify Remote SIP Registration<\/h2>\n<h3>Check the ATA<\/h3>\n<ol>\n<li>Access the ATA&#8217;s web admin (e.g., http:\/\/192.168.10.100). If you are unsure of the ATA&#8217;s IP you can see it under Clients in the Brume 2\/Beryl AX web admin.<\/li>\n<li>Look for registration status &#8211; usually on the main status page or under Line\/SIP settings<\/li>\n<li>Should show <strong>&#8220;Registered&#8221;<\/strong> or <strong>&#8220;Online&#8221;<\/strong><\/li>\n<li>If it shows &#8220;Registering&#8230;&#8221;, &#8220;Failed&#8221;, or &#8220;Offline&#8221;, there&#8217;s a connectivity issue &#8211; check the Brume&#8217;s Tailscale connection first (<a href=\"#step10\">Step 10<\/a>)<\/li>\n<\/ol>\n<h3>Verify on the PBX<\/h3>\n<p>SSH into the PBX and check registration:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip show endpoints\" | grep 101\r\n# or for chan_sip:\r\nasterisk -rx \"sip show peers\" | grep 101<\/code><\/pre>\n<\/div>\n<p>Replace 101 with your extension number. Should show status &#8220;OK&#8221; or &#8220;Avail&#8221;.<\/p>\n<p>If not registered, wait 1-2 minutes or reboot the ATA.<\/p>\n<p><a name=\"step13\"><\/a><\/p>\n<h2>Step 13: Deploy to Remote Site<\/h2>\n<p>Once pre-configured and tested locally, deployment is simple:<\/p>\n<ol>\n<li>Ship or carry the Brume 2, ATA, phone, and all the cables to the remote location<\/li>\n<li>Connect Brume <strong>WAN port<\/strong> to the remote site&#8217;s router (gets internet via DHCP)<\/li>\n<li>Connect Brume <strong>LAN port<\/strong> to ATA (or a switch with ATA connected)<\/li>\n<li>Connect an analog phone to the ATA<\/li>\n<li>Power on &#8211; the Brume will automatically connect to Tailscale<\/li>\n<li>Test by calling between the remote phone and main site phone<\/li>\n<\/ol>\n<h3>Remote Administration<\/h3>\n<p>If anything goes wrong, you can access the Brume remotely via its Tailscale IP:<\/p>\n<ol>\n<li>Visit the <a href=\"https:\/\/login.tailscale.com\/admin\/machines\">Tailscale admin console<\/a><\/li>\n<li>Find the Brume 2 you need to access<\/li>\n<li>Click the dropdown arrow next to the Tailscale IP address and click the copy icon<\/li>\n<li>Make sure the Tailscale client app is running and logged in on your computer<\/li>\n<li>Paste that IP address into a new browser tab &#8211; you&#8217;re now logged into the Brume 2 web admin remotely<\/li>\n<li>To access the ATA, go to the <strong>Clients<\/strong> tab in the Brume 2 admin to find the ATA&#8217;s IP address<\/li>\n<li>Copy that IP and paste it into a new browser tab to access the ATA&#8217;s web admin<\/li>\n<\/ol>\n<h2>Final Steps<\/h2>\n<p><a name=\"step14\"><\/a><\/p>\n<h2>Step 14: Reboot Test<\/h2>\n<p>Verify everything survives a power cycle:<\/p>\n<ol>\n<li><strong>Power off<\/strong> the Brume (unplug power)<\/li>\n<li>Wait 30 seconds<\/li>\n<li><strong>Power on<\/strong><\/li>\n<li>Wait 3-5 minutes for full boot and Tailscale connection<\/li>\n<li>Check ATA registration on PBX:\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip show endpoints\" | grep &lt;extension&gt;<\/code><\/pre>\n<\/div>\n<\/li>\n<\/ol>\n<p>If registration fails after reboot, check:<\/p>\n<ul>\n<li><code>\/etc\/rc.local<\/code> has the tailscale up command<\/li>\n<li><code>\/etc\/firewall.user<\/code> has the MASQUERADE rule<\/li>\n<li>Subnet route is still approved in Tailscale admin<\/li>\n<\/ul>\n<p><a name=\"step15\"><\/a><\/p>\n<h2>Step 15: Make a Test Call<\/h2>\n<p>The ultimate test &#8211; pick up the phone and make a call!<\/p>\n<ol>\n<li>Pick up the analog phone connected to the ATA<\/li>\n<li>Listen for dial tone (confirms ATA is working and registered. If there is no dialtone it is not registered with the PBX, needs more route troubleshooting)<\/li>\n<li>Dial another extension on the system<\/li>\n<li>Verify two-way audio works (you can hear them, they can hear you)<\/li>\n<\/ol>\n<p>If you don&#8217;t hear dial tone:<\/p>\n<ul>\n<li>Check ATA registration (<a href=\"#step6\">Step 6<\/a> for main site, <a href=\"#step12\">Step 12<\/a> for remote)<\/li>\n<li>Verify the phone is plugged into the correct ATA port (usually &#8220;Phone 1&#8221;)<\/li>\n<li>Check the ATA&#8217;s line settings match the FreePBX extension<\/li>\n<\/ul>\n<p>If you hear dial tone but get a fast busy signal when calling the remote extension:<\/p>\n<ul>\n<li>The remote extension is likely not registered with the PBX<\/li>\n<li>Check the remote ATA&#8217;s registration status in its web admin<\/li>\n<li>Verify Tailscale routing (<a href=\"#step10\">Step 10<\/a>) and firewall configuration (<a href=\"#step9\">Step 9<\/a>)<\/li>\n<\/ul>\n<p>If you hear dial tone but calls don&#8217;t connect:<\/p>\n<ul>\n<li>Verify the dial plan on the ATA allows the numbers you&#8217;re dialing<\/li>\n<\/ul>\n<p><a name=\"step16\"><\/a><\/p>\n<h2>Step 16: Export Backups<\/h2>\n<p>Save a backup of each Brume configuration:<\/p>\n<ol>\n<li>Access Advanced Settings by logging in to the Brume 2&#8217;s administration panel through your browser (use the Tailscale IP address for that location) and navigate to More Settings -&gt; Advanced.<\/li>\n<li>Click log into LuCi. You will be prompted to log in to the LuCi interface using your root username and password.<\/li>\n<li>Hover over the System menu at the top nav In the LuCi interface anc click Backup\/Flash Firmware.<\/li>\n<li>Click Generate archive. This will download a .tar.gz file. This is a snapshot for all settings in the this Brume 2. Make sure to prepend the file name with the name of the location or friend\/family member that this Brume 2 lives at, Example: `main-backup-GL-MT2500-2025-12-15.tar.gz`, `uncle-bob-backup-GL-MT2500-2025-12-15.tar.gz`<\/li>\n<li>Restore Settings (if and when needed) on the same page in LuCi you can click Upload archive under the restore settings if you had to reset the Brume 2 for some reason or misconfigured it in some way.<\/li>\n<\/ol>\n<p><a name=\"optional-wireless\"><\/a><\/p>\n<h2>Optional: Wireless Setup with Beryl AX (Remote Sites)<\/h2>\n<p>For remote sites where you don&#8217;t want to place the phone right next to the router or need to avoid running cables, you can use a wireless subnet router instead: the <a href=\"https:\/\/www.gl-inet.com\/products\/gl-mt3000\/\">GL.iNet Beryl AX (GL-MT3000)<\/a>.<\/p>\n<p>The Beryl AX connects wirelessly to the remote site&#8217;s existing WiFi router, then provides a wired ethernet port for the ATA. This lets you place the phone anywhere with a power outlet and WiFi coverage.<\/p>\n<h3>Setting Up Beryl AX in Repeater Mode<\/h3>\n<ol>\n<li>Power on the Beryl AX and connect your computer to it via ethernet or its default WiFi network (check the label on the device for the default SSID and password)<\/li>\n<li>Access the web UI at http:\/\/192.168.8.1<\/li>\n<li>Complete initial setup (set admin password, timezone, etc.)<\/li>\n<li>Go to <strong>Network \u2192 LAN<\/strong> and change the LAN IP to a unique subnet (e.g., 192.168.10.1) just like with the Brume 2 &#8211; this avoids conflicts<\/li>\n<li>Click <strong>Apply<\/strong> and reconnect to the new IP (e.g., http:\/\/192.168.10.1)<\/li>\n<li>Go to <strong>Internet \u2192 Repeater<\/strong><\/li>\n<li>If you have a spare router give that router the same name and password as the one it will be connected to at your friend&#8217;s or family member&#8217;s home and then set up the Beryl AX to log into it, so once it is on site, it will connect directly. Confirm, if you can, if your friend or family member&#8217;s existing router is 5gHz or 2.5gHz.<\/li>\n<li>Click <strong>Scan<\/strong> to find available WiFi networks<\/li>\n<li>Select the remote site&#8217;s WiFi network and enter the password<\/li>\n<li>Click <strong>Join<\/strong> &#8211; the Beryl will connect wirelessly to the wireless network once it is on site. For setup, just use Ethernet.<\/li>\n<li>Reconnect and verify the connection shows as active in the Repeater section<\/li>\n<\/ol>\n<h3>Configure Tailscale and Firewall<\/h3>\n<p>Once connected to WiFi or Ethernet, configure Tailscale on the Beryl AX the same way as the Brume 2 in <a href=\"#step8\">Step 8<\/a>, then configure the firewall as in <a href=\"#step9\">Step 9<\/a> (Remote Site version):<\/p>\n<ol start=\"12\">\n<li>Go to <strong>Applications \u2192 Tailscale<\/strong> and enable it<\/li>\n<li>Authenticate with your Tailscale account<\/li>\n<li>Enable <strong>&#8220;Allow Remote Access LAN&#8221;<\/strong> and <strong>&#8220;Allow Remote Access WAN&#8221;<\/strong><\/li>\n<li>SSH to the Beryl: <code>ssh root@192.168.X.1<\/code><\/li>\n<li>Configure the UCI firewall zone (Step 8a)<\/li>\n<li>Configure <code>\/etc\/rc.local<\/code> (Step 8b &#8211; Remote Site version)<\/li>\n<li>Configure <code>\/etc\/firewall.user<\/code> (Step 8c &#8211; Remote Site version)<\/li>\n<li>Run: <code>tailscale up --advertise-routes=192.168.X.0\/24 --accept-routes --reset<\/code><\/li>\n<li>Restart firewall: <code>\/etc\/init.d\/firewall restart<\/code><\/li>\n<li>Approve the subnet route in Tailscale admin and rename the device<\/li>\n<li>Export a backup<\/li>\n<\/ol>\n<h3>Deployment<\/h3>\n<ol>\n<li>Ship or bring the pre-configured Beryl AX, ATA and phone to the remote location<\/li>\n<li>Power it on anywhere with WiFi coverage &#8211; it will automatically connect to the WiFi network you configured<\/li>\n<li>Connect the ATA to the Beryl&#8217;s LAN port via ethernet<\/li>\n<li>Connect an analog phone to the ATA<\/li>\n<li>The Beryl connects to WiFi \u2192 Tailscale \u2192 PBX automatically<\/li>\n<\/ol>\n<div class=\"note\"><strong>Note:<\/strong> The Beryl AX remembers the WiFi network credentials. If the remote site&#8217;s WiFi password changes, you&#8217;ll need to SSH in via Tailscale and update the Repeater settings, or have someone on-site temporarily connect to the Beryl&#8217;s LAN to access the web UI.<\/div>\n<p><a name=\"quick-reference\"><\/a><\/p>\n<h2>Quick Reference<\/h2>\n<h3>Key Files on Brume<\/h3>\n<table>\n<tbody>\n<tr>\n<th>File<\/th>\n<th>Purpose<\/th>\n<\/tr>\n<tr>\n<td><code>\/etc\/rc.local<\/code><\/td>\n<td>Tailscale up command at boot<\/td>\n<\/tr>\n<tr>\n<td><code>\/etc\/firewall.user<\/code><\/td>\n<td>MASQUERADE and FORWARD rules<\/td>\n<\/tr>\n<tr>\n<td><code>\/etc\/config\/firewall<\/code><\/td>\n<td>UCI firewall zones (persistent)<\/td>\n<\/tr>\n<tr>\n<td><code>\/etc\/config\/tailscale<\/code><\/td>\n<td>GL.iNet Tailscale settings<\/td>\n<\/tr>\n<tr>\n<td><code>\/etc\/tailscale\/tailscaled.state<\/code><\/td>\n<td>Tailscale auth state<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Essential Commands (Brume 2\/Beryl AX)<\/h3>\n<p>Check Tailscale status:<\/p>\n<div class=\"code-box\">\n<pre><code>tailscale status<\/code><\/pre>\n<\/div>\n<p>Check advertised routes:<\/p>\n<div class=\"code-box\">\n<pre><code>tailscale debug prefs | grep -A3 AdvertiseRoutes<\/code><\/pre>\n<\/div>\n<p>Test Tailscale routing to an IP:<\/p>\n<div class=\"code-box\">\n<pre><code>tailscale ping &lt;ip-address&gt;<\/code><\/pre>\n<\/div>\n<p>Check firewall rules:<\/p>\n<div class=\"code-box\">\n<pre><code>iptables -L FORWARD -n -v | head -10\r\niptables -t nat -L POSTROUTING -n -v | grep MASQ<\/code><\/pre>\n<\/div>\n<p>Restart Tailscale:<\/p>\n<div class=\"code-box\">\n<pre><code>\/etc\/init.d\/tailscale restart<\/code><\/pre>\n<\/div>\n<p>Restart firewall (also runs firewall.user):<\/p>\n<div class=\"code-box\">\n<pre><code>\/etc\/init.d\/firewall restart<\/code><\/pre>\n<\/div>\n<h3>Essential Commands (RasPBX)<\/h3>\n<p>Check registered extensions:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip show endpoints\"<\/code><\/pre>\n<\/div>\n<p>Or for chan_sip:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"sip show peers\"<\/code><\/pre>\n<\/div>\n<p>Monitor SIP activity in real-time (Control+C to exit):<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"pjsip set logger on\"<\/code><\/pre>\n<\/div>\n<p>Live console with verbosity &#8211; more v&#8217;s = more detail (type &#8220;quit&#8221; to exit):<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rvvvv<\/code><\/pre>\n<\/div>\n<p>Check active calls:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"core show calls\"<\/code><\/pre>\n<\/div>\n<p>View recent call history:<\/p>\n<div class=\"code-box\">\n<pre><code>asterisk -rx \"core show channels verbose\"<\/code><\/pre>\n<\/div>\n<p>Restart Asterisk (if needed):<\/p>\n<div class=\"code-box\">\n<pre><code>systemctl restart asterisk<\/code><\/pre>\n<\/div>\n<h3>Firewall Configuration Differences<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Setting<\/th>\n<th>Main Site<\/th>\n<th>Remote Site<\/th>\n<\/tr>\n<tr>\n<td>Interface<\/td>\n<td><code>eth0<\/code> (WAN)<\/td>\n<td><code>br-lan<\/code> (LAN)<\/td>\n<\/tr>\n<tr>\n<td>Reason<\/td>\n<td>PBX is on WAN side<\/td>\n<td>ATA is on LAN side<\/td>\n<\/tr>\n<tr>\n<td>rc.local route<\/td>\n<td>Not needed<\/td>\n<td>Adds route to PBX<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Example Network Layout<\/h3>\n<table>\n<tbody>\n<tr>\n<th>Device<\/th>\n<th>Tailscale IP<\/th>\n<th>LAN Subnet<\/th>\n<th>Purpose<\/th>\n<\/tr>\n<tr>\n<td>Main Brume<\/td>\n<td>100.x.x.1<\/td>\n<td>192.168.1.0\/24<\/td>\n<td>PBX site gateway<\/td>\n<\/tr>\n<tr>\n<td>Remote Brume 1<\/td>\n<td>100.x.x.2<\/td>\n<td>192.168.10.0\/24<\/td>\n<td>Remote house 1<\/td>\n<\/tr>\n<tr>\n<td>Remote Brume 2<\/td>\n<td>100.x.x.3<\/td>\n<td>192.168.11.0\/24<\/td>\n<td>Remote house 2<\/td>\n<\/tr>\n<tr>\n<td>Remote Brume 3<\/td>\n<td>100.x.x.4<\/td>\n<td>192.168.12.0\/24<\/td>\n<td>Remote house 3<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n","protected":false},"excerpt":{"rendered":"<p>What if you could pick up an old-school telephone in your house, call a friend&#8217;s house across town, the country or world, and have that call travel over your existing internet connection, fully encrypted, with no monthly bill from a phone company? That&#8217;s the basic idea behind this project. Phreephoneing is a free, private phone &hellip; <a href=\"https:\/\/nsputnik.com\/blog\/2025\/12\/13\/phreephoning-a-free-private-encrypted-phone-system-with-raspberry-pi-and-analog-phones\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Phreephoning: A Free, Private, Encrypted Phone System with Raspberry Pi and Analog Phones&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-24","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/posts\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/comments?post=24"}],"version-history":[{"count":51,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/posts\/24\/revisions"}],"predecessor-version":[{"id":91,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/posts\/24\/revisions\/91"}],"wp:attachment":[{"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/media?parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/categories?post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsputnik.com\/blog\/wp-json\/wp\/v2\/tags?post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}