OSS Infrastructure
Technical details for the OSS VPS and its connection to the NUC gateway.
OSS VPS
| Property | Value |
|---|---|
| IP | 185.252.235.208 |
| Hostname | open.astradial.com |
| OS | Debian / Ubuntu |
| Node.js | 20.x |
| Database | MariaDB (astradial_oss, user: astradial) |
| PBX | Asterisk 20 |
| Process Manager | PM2 (process: astradial-oss) |
| Reverse Proxy | Nginx (443 with SSL -> port 8080) |
| SSL | Let's Encrypt via certbot |
Services
| Service | Port | Notes |
|---|---|---|
| API | 8080 | Proxied via Nginx on 443 |
| SIP (UDP) | 5060 | opensip.astradial.com |
| RTP (UDP) | 10000-20000 | Media / audio |
| SSH | 22 | Admin only |
| HTTP | 80 | Certbot redirect |
| HTTPS | 443 | Nginx reverse proxy |
| Twenty CRM | 3000 | Separate service |
Firewall (UFW)

```
22/tcp          ALLOW   # SSH
80/tcp          ALLOW   # HTTP (certbot)
443/tcp         ALLOW   # HTTPS (API)
5060/udp        ALLOW   # SIP signaling
10000:20000/udp ALLOW   # RTP media
```
fail2ban
fail2ban is active on the OSS VPS protecting SSH and SIP from brute-force attacks.
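As an added example (not part of the OSS documentation or its scripts), a small Python drift check that parses `ufw status` output and compares it with the allowlist documented above; the sample output is constructed, not captured from the host, and deliberately includes an extra rule for the Twenty CRM port so the check has something to report.

```python
# Drift check for the OSS VPS firewall policy documented on this page.
# Parses `ufw status` output and compares it with the documented allowlist;
# any other port that is ALLOWed is reported, as are documented rules that
# are missing.
import re

# Allowlist exactly as documented in the Firewall (UFW) section.
EXPECTED_ALLOW = {"22/tcp", "80/tcp", "443/tcp", "5060/udp", "10000:20000/udp"}

# Constructed sample `ufw status` output (not captured from the real host).
# It includes an extra ALLOW for the Twenty CRM port (3000) on purpose.
SAMPLE_UFW_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
5060/udp                   ALLOW       Anywhere
10000:20000/udp            ALLOW       Anywhere
3000/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)
"""

# One rule line: "<port>/<proto>[ (v6)]   ACTION[ IN|OUT]   <from>"
RULE_RE = re.compile(
    r"^(\S+/(?:tcp|udp))(?: \(v6\))?\s+(ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT))?\s+(.*)$"
)


def parse_ufw_status(text):
    """Return the set of (port_spec, action) tuples found in ufw output."""
    rules = set()
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.add((m.group(1), m.group(2)))
    return rules


def check_firewall_drift(text, expected=EXPECTED_ALLOW):
    """Report ALLOW rules outside the documented set and documented rules that are absent."""
    allowed = {port for port, action in parse_ufw_status(text) if action == "ALLOW"}
    return {"unexpected_allow": sorted(allowed - expected),
            "missing_allow": sorted(expected - allowed)}


if __name__ == "__main__":
    print(check_firewall_drift(SAMPLE_UFW_STATUS))
```

On the real host, feed it the output of `sudo ufw status` instead of the constructed sample.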
PM2 Process
NUC Connection (Option A -- SIP over Public Internet)
The NUC connects to the OSS VPS via SIP over the public internet. There is no WireGuard tunnel.
```mermaid
graph LR
    PSTN[Tata PSTN] -->|SIP Trunk| NUC[NUC Gateway<br/>192.168.0.13]
    NUC -->|SIP over Internet| OSS[OSS VPS<br/>185.252.235.208]
    OSS -->|SIP| Dev[Developer Softphone]
```

NUC Trunk Configuration
| Property | Value |
|---|---|
| Endpoint name | nuc_oss_gateway |
| Auth | Username / password |
| Transport | UDP |
| Direction | NUC -> OSS VPS (one-way) |
DID Routing on NUC
DIDs are routed in the NUC's from-tata context, before the catch-all rule. Each assigned DID gets a dialplan entry:
```
; OSS DID routing (in from-tata context, before catch-all)
exten => 912240001234,1,Dial(PJSIP/912240001234@oss_trunk_endpoint,30)
exten => 912240005678,1,Dial(PJSIP/912240005678@oss_trunk_endpoint,30)
```
Security Model
Key Constraints
The OSS infrastructure is intentionally isolated from the production environment.
| Constraint | Detail |
|---|---|
| No WireGuard | OSS VPS cannot reach the NUC's internal network |
| SIP over internet | Signaling + audio traverse public internet only |
| One-way routing | NUC -> OSS only; OSS cannot initiate calls to NUC |
| No SSH for contributors | Admin manages everything via scripts |
| Separate database | astradial_oss -- completely isolated from production |
| fail2ban + UFW | Brute-force protection on SSH and SIP |