[Freeswitch-users] VoIP encryption recommendations

Giovanni Maruzzelli gmaruzz at gmail.com
Wed Feb 20 09:25:25 UTC 2019


I would give WebRTC a try, with STUN/TURN on your server on 443, using
websocket on port 443 on the same server that will serve https on the same port.
You can use an Apache reverse websocket proxy, which is able to discriminate between
plain https and ssl websocket requests.

So, in this example, a total of two servers: one dedicated to
https/webrtc(sip or verto), one to stun/turn, both servers using ssl on
443. You can optionally add a third server for SIP TLS signaling, this too
on 443, with media going through the stun/turn server.

Maybe as codec you want to use a variable rate codec (check your opus
config, or another one) and no comfort noise/rtp waste, so you have a
(relatively) random traffic pattern, instead of a steady rtp flow.

-giovanni

On Tue, Feb 19, 2019 at 10:15 PM Joel Serrano <joel at textplus.com> wrote:

> Bipin,
>
> Did you try the linphone tunnel? AFAIR they encrypt SIP+RTP on the client
> (requires linphone obviously), they also provide a server which receives
> such connections and passes the unencrypted SIP+RTP over to the backend.
>
> I think it's worth the try... some years ago it got around most blocks we
> tested. We ended up not implementing it but the initial tests did look
> good, don't know nowadays though...
>
> On Tue, Feb 19, 2019 at 11:59 AM Bipin Patel via FreeSWITCH-users <
> freeswitch-users at lists.freeswitch.org> wrote:
>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Bipin Patel <bipin at xbipin.com>
>> To: <freeswitch-users at lists.freeswitch.org>
>> Cc:
>> Bcc:
>> Date: Tue, 19 Feb 2019 23:58:21 +0400
>> Subject: Re: [Freeswitch-users] VoIP encryption recommendations
>>
>> Btw we have tried almost all codecs and are currently using g711u but it's
>> just impossible to get through easily, not to mention the ISP even
>> blacklists whole data center subnets if they find any data center to be a
>> safe haven for VoIP providers.
>>
>> They even have this mechanism that if home users attempt to connect to
>> any blocked service then their IP ends up on a blacklist and then the
>> filtering gets worse for them until they reboot the router, which gets them
>> a new IP and things get back to normal.
>>
>> No wonder this region is considered a million dollar market where
>> Microsoft and Facebook itself can't manage to keep Skype and WhatsApp calls
>> even running no matter what.
>>
>>
>> On February 19, 2019 11:50:45 PM Bipin Patel <bipin at xbipin.com> wrote:
>>
>>> Hi,
>>>
>>>
>>> The whole SIP protocol is blocked and UDP VPNs don't connect, and with TCP ones
>>> they delay packets a lot so calls end up heavily choppy. On mobile data the
>>> restrictions are even heavier and if packets are anywhere close to VoIP or
>>> VoIP over VPN etc. they get filtered. Etisalat is the ISP which buys
>>> blocking equipment from some vendor in the UK who specializes in blocking VoIP
>>> and VPN. Last I was told by some person working there was that they use a lot of
>>> L7 packet inspectors.
>>>
>>> Secondly it's not about setting up custom solutions for any company or
>>> client but we generate a lot of retail traffic so users need something that
>>> they can run on mobile etc. like a customized dialer. Until now I used to
>>> give them an OpenVPN profile which they used to run and then use Zoiper to
>>> place calls but all that is blocked now.
>>>
>>> WebRTC seems to work as of now because it's new but there isn't a WebRTC
>>> based mobile dialer till now which anyone can install and just use to
>>> place calls.
>>>
>>>
>>>
>>> On February 19, 2019 9:47:46 PM Sergey Safarov <s.safarov at gmail.com>
>>> wrote:
>>>
>>>> In your case you need to:
>>>> 1) increase the ptime value to 40;
>>>> 2) use a codec without compression;
>>>> 3) enable the VAD feature;
>>>>
>>>> Also you can route torrent client network traffic via VPN together with
>>>> VoIP traffic. This will mask VoIP packets and not allow your traffic to be
>>>> matched to a VoIP profile on ISP equipment.
>>>>
>>>>
>>>> Tue, 19 Feb 2019 at 19:53, Bipin Patel via FreeSWITCH-users <
>>>> freeswitch-users at lists.freeswitch.org>:
>>>>
>>>>>
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: Bipin Patel <bipin at xbipin.com>
>>>>> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>>>>> Cc:
>>>>> Bcc:
>>>>> Date: Tue, 19 Feb 2019 20:24:20 +0400
>>>>> Subject: VoIP encryption recommendations
>>>>> Hi,
>>>>>
>>>>> I would like to ask the community about VoIP encryption. Currently in
>>>>> a few Middle East countries VoIP is officially blocked. The ISPs are so
>>>>> aggressive that they use all sorts of fancy tools to block it including
>>>>> Skype calls, WhatsApp calls etc. and are very successful in doing it. So far
>>>>> companies like voipswitch and recently a few others have been providing
>>>>> tunneling mechanisms to get over this but recently UDP traffic is heavily
>>>>> filtered and they go to the extreme of checking packet length and pattern
>>>>> and artificially introduce delay, jitter or simply block it if the number
>>>>> of hits is high. Switching to TLS/SRTP also doesn't help, it works with
>>>>> some ISPs but as soon as you try the same using mobile data it stops working because
>>>>> they match packet length and block based on the profile. ZRTP doesn't work
>>>>> because a normal RTP stream needs to start and then it starts encrypting it
>>>>> but those initial RTP packets get blocked.
>>>>>
>>>>> With the lack of any more VoIP encryption protocols it's almost getting
>>>>> impossible to bypass the block, so does anyone have any ideas of any other modern
>>>>> form of encryption which can be used for VoIP (btw VPNs are also blocked and
>>>>> moreover if packet size increases then nothing works on mobile data).
>>>>>
>>>>> The market demand for Skype replacements is also extremely high because
>>>>> Skype, Hangouts, WhatsApp video, Instagram video, Viber etc. etc., you name it
>>>>> and it's blocked.
>>>>>
>>>>> --
>>>>> Regards,
>>>>> Bipin
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: Bipin Patel via FreeSWITCH-users <
>>>>> freeswitch-users at lists.freeswitch.org>
>>>>> To: FreeSWITCH Users Help <freeswitch-users at lists.freeswitch.org>
>>>>> Cc:
>>>>> Bcc:
>>>>> Date: Tue, 19 Feb 2019 08:53:29 -0800 (PST)
>>>>> Subject: [Freeswitch-users] VoIP encryption recommendations
>>>>>
>>>>> _________________________________________________________________________
>>>>> Professional FreeSWITCH Services
>>>>> sales at freeswitch.com
>>>>> https://freeswitch.com
>>>>>
>>>>> Official FreeSWITCH Sites
>>>>> https://freeswitch.com/oss
>>>>> https://freeswitch.org/confluence
>>>>> https://cluecon.com
>>>>>
>>>>> FreeSWITCH-users mailing list
>>>>> FreeSWITCH-users at lists.freeswitch.org
>>>>> http://lists.freeswitch.org/mailman/listinfo/freeswitch-users
>>>>> UNSUBSCRIBE:
>>>>> http://lists.freeswitch.org/mailman/options/freeswitch-users
>>>>> https://freeswitch.com
>>>>
>>>>
>>>
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: Bipin Patel via FreeSWITCH-users <
>> freeswitch-users at lists.freeswitch.org>
>> To: <freeswitch-users at lists.freeswitch.org>
>> Cc:
>> Bcc:
>> Date: Tue, 19 Feb 2019 11:59:01 -0800 (PST)
>> Subject: Re: [Freeswitch-users] VoIP encryption recommendations
>



-- 
Sincerely,

Giovanni Maruzzelli
OpenTelecom.IT
cell: +39 347 266 56 18
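
The split described at the top of this message (plain HTTPS and secure WebSocket signaling sharing port 443 behind an Apache reverse proxy), as an added example that is not part of the original post or of the FreeSWITCH project's own configuration. The hostname, certificate paths, document root and the loopback WebSocket port 8081 are assumptions.

```apache
# Added example. Assumed names: voip.example.com, the certificate paths,
# /var/www/html and the backend listener on 127.0.0.1:8081.
# Requires mod_ssl, mod_rewrite, mod_proxy and mod_proxy_wstunnel.
<VirtualHost *:443>
    ServerName voip.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/voip.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/voip.example.com.key

    # Ordinary HTTPS requests are answered here (the web client pages).
    DocumentRoot /var/www/html

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Requests that ask for a WebSocket upgrade are handed to the signaling
    # listener. TLS ends at Apache, so the backend leg is plain ws and the
    # listener should be bound to loopback only.
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule ^/(.*)$ ws://127.0.0.1:8081/$1 [P,L]
</VirtualHost>
```

Requests without the `Upgrade: websocket` header fall through to the document root, so the same certificate and port serve both the page and the signaling channel.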