Secure your VoIP: HOWTO configure openvpn and asterisk (under Linux) to make encrypted VoIP calls by SIP/VPN protocol

In view of the 2013 revelations about widespread NSA wiretapping (no surprise to me; I was paranoid enough to expect something like that), encryption of voice communication has become a hot topic. Various rather expensive "crypto-phones" offered by several companies have become bestsellers. See also the excellent article by Richard Stallman, How Much Surveillance Can Democracy Withstand?, if you are not yet convinced about the negative effects of mass surveillance.
However, with a bit of effort it is not difficult to prevent wiretapping of your VoIP calls by encryption, and it can be achieved with free software running under Linux; no purchase of hardware or software is needed. Of course, the whole scheme is only as strong as its weakest point, which I guess is new 0-day vulnerabilities in Linux and its libraries (like Logjam, FREAK and Heartbleed in the TLS stack, or the glibc and bash holes we witnessed recently), or even the backdoors in BIOS or hard-disk firmware which were recently reported. Needless to say, neither the server machine nor the clients (like Android phones) should be used for typical desktop activities like web browsing, since 0-day vulnerabilities in e.g. Flash are quite common, and hacking such a desktop or phone is much easier than hacking a server running only a few daemons. For smartphones there is also the possibility that the baseband processor has direct access to the memory of the application processor, to the GPS, microphone etc., so a malicious network operator can do many evil things. Recently Snowden claimed that this is indeed the case and that the NSA has a user-friendly toolkit to do it easily. So this technique can prevent eavesdropping only provided your operating system and hardware are secure, i.e. you must not rely on it on a smartphone if your communication is really worth listening to for a powerful adversary :-). It would be great to have an open source/open hardware baseband (implemented in an FPGA) as the basis of a smartphone you could trust, but so far this is just a dream.

Nevertheless, a positive aspect is that OpenVPN in its SSL/TLS mode (certificates, not a static pre-shared key) negotiates fresh session keys for every connection, so it provides forward secrecy: traffic recorded before your machine was hacked should remain unreadable even if your certificate key is stolen later. Another benefit of this scheme is that you can close the SIP ports on the firewall, preventing the very common attempts to break into your Asterisk server, of which I used to have full logfiles.

I try to give here explicit instructions and sample config files to establish secure VoIP communication within a closed group of participants, employing a virtual private network (VPN). (If you use a VoIP provider to connect from Asterisk extensions to the public network, that leg remains unencrypted as long as the provider does not offer a VPN as well.) If even the fact of a client's membership in this closed VPN group should be hidden from the adversary, one ought to run the VPN clients over the Tor network. For this purpose, run your OpenVPN server listening on TCP, make sure the client uses TCP as well, and add to its openvpn.conf the line "socks-proxy localhost 9050" (after setting up the Tor connection first, of course). I have tested it during a trip to China and it worked (in 2015, using obfs3 bridges to get the Tor connection).

The content of this page is certainly not a novel idea, and the ingredients are scattered over the internet, but a step-by-step HOWTO is not so easy to find, so this page might be useful for you. It is convenient that the setup described here also works on Android smartphones, although you have to be very careful with Android to avoid its many security problems. Due to the baseband vulnerability of smartphones, using this encryption method on phones is not wise anyway.

Update: Asterisk and many SIP clients (e.g. Linphone) now support encryption directly (SRTP/ZRTP for the media, TLS for the signalling). This was not the case when this text was originally written. Still, you might want to combine the "native" VoIP encryption provided by these programs with the VPN as an extra layer of security. Also, if you happen to have an older hardware SIP phone or gateway which does not support encryption, you can tunnel its traffic over a VPN router (see section 7 below). Moreover, VoIP clients on smartphones (Android, iPhone) are often distributed without an encryption option (maybe as a result of government interventions ;-)), so here the combination with OpenVPN is again handy.

Recently I came across a page on the same topic, which also might be useful for you.

The prerequisite to being able to follow these instructions is that you are (or are willing to become) a bit familiar with Linux (beyond its clicking interfaces) and understand the basics of IP networking.

Concerning OpenVPN, there are many HOWTOs; I found this one very useful.
To proceed with the configuration, follow the stepwise procedure:

1. Generate openvpn self-signed certificate and keys

The easy-rsa scripts shipped with OpenVPN do this for you; note that the path "/usr/share/openvpn/easy-rsa/vars" can differ depending on your Linux distribution.

For private use, a self-signed certificate is good enough; unless you suffer from schizophrenia, you can trust yourself :-). Keep the CA private key (ca.key) off the VPN server and preferably offline: whoever holds it can mint a certificate for a new "member" of your closed group.
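The following script is an added example written for this page (not the easy-rsa scripts and not the author's own key-generation steps): it builds the same private PKI with plain openssl, so it behaves identically on any distribution, and it shows the one check that matters for the later "remote-cert-tls" lines in openvpn.conf, namely that a server certificate carries the serverAuth extended key usage and a client certificate only clientAuth, so a stolen client certificate can never impersonate the server. Assumptions: EC P-256 keys (fine for OpenVPN 2.4 or newer), the CA name "voip-private-ca", the server CN "vpnserver" and the client name "client001"; ta.key is generated only if the openvpn binary is installed on the machine running the script.

```shell
#!/bin/sh
# Added example for this page: private PKI for the VoIP VPN using openssl directly.
# Names (voip-private-ca, vpnserver, client001) are assumptions; change them to yours.
set -u

# issue_cert DIR NAME ROLE   (ROLE is "server" or "client")
# Signs a certificate for NAME with the CA in DIR. The extendedKeyUsage is what
# "remote-cert-tls server" / "remote-cert-tls client" in openvpn.conf verify:
# one certificate is only ever valid for ONE role.
issue_cert() {
    dir=$1; name=$2; role=$3
    case $role in
        server) eku=serverAuth ;;
        client) eku=clientAuth ;;
        *) echo "role must be server or client" >&2; return 1 ;;
    esac
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$name.key" || return 1
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" -out "$dir/$name.csr" || return 1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=%s\n' "$eku" \
        > "$dir/$name.ext"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1825 -sha256 -extfile "$dir/$name.ext" -out "$dir/$name.crt" || return 1
    rm -f "$dir/$name.csr" "$dir/$name.ext"
    chmod 600 "$dir/$name.key"
}

# make_pki DIR   -> ca.crt/ca.key, vpnserver.crt/.key, client001.crt/.key (+ ta.key if openvpn exists)
make_pki() {
    dir=$1
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Self-signed CA with explicit CA:TRUE / keyCertSign so openssl verify accepts it as a root
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key" || return 1
    openssl req -new -key "$dir/ca.key" -subj "/CN=voip-private-ca" -out "$dir/ca.csr" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" || return 1
    rm -f "$dir/ca.csr" "$dir/ca.ext"
    chmod 600 "$dir/ca.key"
    issue_cert "$dir" vpnserver server || return 1
    issue_cert "$dir" client001 client || return 1
    # ta.key is the HMAC key for "tls-auth"; only the openvpn binary can generate it.
    # Newer OpenVPN uses "--genkey secret FILE", 2.4 and older "--genkey --secret FILE".
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey secret "$dir/ta.key" 2>/dev/null \
            || openvpn --genkey --secret "$dir/ta.key" || return 1
    fi
}

# verify_role DIR NAME ROLE
# Same check a peer performs with remote-cert-tls: exit 0 only if NAME.crt chains to
# ca.crt AND carries the extended key usage of ROLE.
verify_role() {
    dir=$1; name=$2; role=$3
    case $role in
        server) purpose=sslserver ;;
        client) purpose=sslclient ;;
        *) return 1 ;;
    esac
    openssl verify -purpose "$purpose" -CAfile "$dir/ca.crt" "$dir/$name.crt" >/dev/null 2>&1
}

# Typical use:  make_pki /etc/openvpn/keys && verify_role /etc/openvpn/keys vpnserver server
```

Run make_pki on the machine that will act as CA, then copy only ca.crt, the client's own .crt/.key and ta.key to each client, as described in step 3; ca.key stays behind. Adding a new participant is a single `issue_cert DIR NAME client` call.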

2. Install, configure, and start openvpn on the server

Edit the /etc/openvpn/openvpn.conf file (or wherever it is in your distro). Select UDP for better performance, or TCP if you want to tunnel the OpenVPN traffic via an HTTP or SOCKS proxy. I employ the tun (routed) interface method; I did not test bridging via tap interfaces. Edit the server IP and netmask, the paths to the key files etc., and the cipher to be employed. You can start from my config file here.

3. Install, configure, and start openvpn on the client(s)

Again edit the /etc/openvpn/openvpn.conf file on the clients. Copy the ca.crt, clientxxx.key, clientxxx.crt and ta.key files to the client (using a secure channel) and store them preferably on an encrypted filesystem. A sample client openvpn.conf is here. Start the client daemon and use ifconfig and ping to check whether it works. Use the system logs, Wireshark etc. for debugging. If you happen to be behind a firewall, you might need tunneling via an HTTP proxy. See here for some hints.

Notice that if for some reason you do not like OpenVPN, it should be possible to do the same trick using ssh with its "-w" option, which creates a tun interface over the SSH connection and thus carries any IP traffic, UDP as well as TCP (at the price of running UDP voice over a TCP connection, which hurts quality on lossy links); use the HOWTO here and continue with the Asterisk configuration.
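The following server and client openvpn.conf are an added example for this page, written to illustrate steps 2 and 3; they are neither the author's linked config files nor anything shipped by the OpenVPN project. The file names under /etc/openvpn/keys, the 10.8.0.0/24 VPN subnet, the server certificate name "vpnserver" and the hostname vpn.example.net are assumptions; "dh none" and AES-256-GCM need OpenVPN 2.4 or newer. The lines that actually buy security are commented.

```conf
# ---- /etc/openvpn/server.conf (server) ----
port 1194
proto udp                       # use "proto tcp" on BOTH ends if clients must go through Tor/socks
dev tun
topology subnet
server 10.8.0.0 255.255.255.0   # VPN subnet; the server itself becomes 10.8.0.1
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/vpnserver.crt
key  /etc/openvpn/keys/vpnserver.key
dh none                         # ECDH instead of a static DH group (no slow dhparam needed)
tls-auth /etc/openvpn/keys/ta.key 0   # HMAC on the control channel: unauthenticated packets
                                      # are dropped before any TLS code runs (kills port scans/DoS)
remote-cert-tls client          # only certificates issued for the client role may connect
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
keepalive 10 60
# no "client-to-client": with directmedia=no in Asterisk all voice goes via the server
# anyway, so the only host a client can reach inside the VPN is the server itself
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3

# ---- /etc/openvpn/openvpn.conf (client) ----
client
dev tun
proto udp
remote vpn.example.net 1194     # assumed public name/address of the server
nobind
resolv-retry infinite
ca   /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/client001.crt
key  /etc/openvpn/keys/client001.key
tls-auth /etc/openvpn/keys/ta.key 1
remote-cert-tls server          # refuse a peer presenting a client certificate (stolen client
                                # keys cannot be used to stand up a fake server)
verify-x509-name vpnserver name # pin the exact server CN, not just "some cert from my CA"
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
verb 3
# Only the 10.8.0.0/24 route is pushed, so the rest of the client's traffic is untouched.
# To hide membership behind Tor (see above): switch both ends to "proto tcp" and add
# socks-proxy 127.0.0.1 9050
```

After starting both ends, `ping 10.8.0.1` from the client and `grep -i "peer certificate" /var/log/syslog` (or wherever your distribution logs) confirm the tunnel and that verify-x509-name matched. If your OpenVPN is 2.4 or newer, tls-crypt can replace tls-auth on both ends to additionally encrypt the control channel; the rest of the setup is unchanged.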

4. Install and configure Asterisk on the server

Obviously, if you take security seriously, the VPN and Asterisk server must be under your physical control, not just on a hosted virtual server "in a cloud". Besides the security, it gives you the comfort of using hardware VoIP phones connected to the trusted wired network at home or in company headquarters, while the outgoing traffic is VPN-protected. Using a smart enough VoIP gateway for a traditional phone, with properly configured dial plans, you can use the same traditional phone to dial "normal" numbers and your private VoIP numbers. But for God's sake, after spending time on this configuration, do not spoil everything by using a DECT cordless phone: their encryption is extremely weak and an open source DECT sniffing project is under way!
Also note that the weakest link in the security chain might be malware on the clients or even on the server; you should check for rootkits and install security patches regularly (and avoid Windows clients operated by careless users who download malware and type their passwords into web pages whenever an e-mail spam asks them to :-)).

The very basic configuration of Asterisk for creating a private network is not difficult; essentially you need to edit only two files in /etc/asterisk, and you can use my sample files: sip.conf and extensions.conf. Check for the 'voipjiri' entries in these files and edit them appropriately. Then change the localnet entries in sip.conf if you use different IP addresses for your local net and the VPN. The externip and fromdomain entries are only needed if your Asterisk should also listen publicly for unencrypted traffic; in a purely private setup, bind it to the VPN address only, so that nothing outside the tunnel can even reach the SIP port.
It is crucial to set directmedia=no in sip.conf (canreinvite=no in Asterisk versions before 1.6.2) to ensure that all client-to-client voice RTP traffic travels via the server, rather than over the simplest direct connection between two clients (which could well be in plaintext, for example if a hardware VoIP phone without VPN support on a trusted LAN is included). Notice that this is the opposite of what is recommended for efficiency!
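Since the author's sample files are only linked, here is an added example of a minimal sip.conf and extensions.conf for the closed group (written for this page, not taken from the Asterisk project or from the author's files). It assumes the classic chan_sip driver, the server's VPN address 10.8.0.1, a 192.168.1.0/24 LAN, four-digit private numbers starting with 2, and placeholder secrets that you must replace with long random ones.

```conf
; ---- /etc/asterisk/sip.conf ----
[general]
context=unauthenticated     ; calls that match no peer land here and can dial nothing
allowguest=no               ; reject INVITEs from unknown sources outright
alwaysauthreject=yes        ; same error for unknown user and wrong password: no user enumeration
bindaddr=10.8.0.1           ; listen on the tun0 address only: SIP is reachable solely through the VPN
bindport=5060
directmedia=no              ; all RTP passes through Asterisk, never phone-to-phone (see text)
localnet=10.8.0.0/255.255.255.0
localnet=192.168.1.0/255.255.255.0
disallow=all
allow=ulaw
allow=alaw
allow=gsm
qualify=yes

[vpnphone](!)               ; template for every member of the closed group
type=peer                   ; peer, not friend: inbound calls are matched by address, not by the From header
host=dynamic
context=private
directmedia=no
dtmfmode=rfc2833

[2001](vpnphone)
secret=REPLACE-with-a-long-random-secret-1
callerid="Alice" <2001>

[2002](vpnphone)
secret=REPLACE-with-a-long-random-secret-2
callerid="Bob" <2002>

[2003](vpnphone)            ; hardware phone sitting behind the Raspberry Pi gateway of section 7
secret=REPLACE-with-a-long-random-secret-3
callerid="Office" <2003>
nat=force_rport,comedia     ; the phone is NATed by the gateway: send RTP back to where it came from

; ---- /etc/asterisk/extensions.conf ----
[unauthenticated]
; anything that is not an authenticated VPN peer ends up here and gets nothing
exten => _X.,1,Hangup()

[private]
; the closed group: numbers 2000-2999 ring the corresponding peer for 30 seconds
exten => _2XXX,1,Dial(SIP/${EXTEN},30)
exten => _2XXX,n,Hangup()
; 2999: echo test, to confirm two-way audio through the tunnel before blaming the phone
exten => 2999,1,Answer()
exten => 2999,n,Echo()
exten => 2999,n,Hangup()
```

The exact extension 2999 takes precedence over the _2XXX pattern, so the echo test works without a separate number range. After `asterisk -rx "sip reload"`, `sip show peers` should list each registered member with its 10.8.0.x address; a peer showing a LAN or public address means its traffic is not going through the VPN.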

5. Install and configure linphone or other VoIP program on the clients

Linphone is a lightweight SIP VoIP client which works quite reliably. A sample config file for use with a private VPN network and a privately numbered Asterisk SIP network is here. It assumes you have declared in your /etc/hosts the hostname "vpn" for your VPN server (which also runs Asterisk), while is the tun0 interface on the client. However, it is better to replace "vpn" by the numeric IP in the .linphonerc file, otherwise in some circumstances Linphone might hang in the resolver in spite of vpn being declared in /etc/hosts. After the installation and troubleshooting is done and you get calls through (with voice in both directions ;-)), it is a good idea to use Wireshark to check that your VoIP is really secure: whether all the SIP handshaking as well as the RTP streams really go through the encrypted VPN! Notice that on the N900, the Maemo SIP client unfortunately has a bug which prevents it from working correctly with the VPN. But Linphone can be compiled in the scratchbox environment and installed on the N900. (See my collection of tips and tricks for the Nokia N900 phone if you are interested.)

6. Using this openvpn-encrypted VoIP setup on an Android smartphone

Recently I installed the above setup on my new Samsung Galaxy S4 Active (I9295) phone with Android 4.2.2 Jelly Bean. The SIP client and OpenVPN work together smoothly, the phone has a powerful enough processor for the real-time encryption job, and over an LTE connection the sound is perfect. See my collection of tips and tricks for the Samsung Galaxy S4 Android smartphone if you are interested.

7. Using openvpn encryption with a hardware SIP phone which does not support it

With a little trick you can also employ in this setup any hardware phone which does not support encryption; besides the hardware SIP phone you just need a) a trusted wired LAN to connect it to, and b) a little embedded server (e.g. a Raspberry Pi) connected to this LAN, which runs OpenVPN and forwards the SIP connection. In this arrangement, you enter in the setup of the hardware SIP phone the local LAN address of the embedded server as the default gateway and the VPN IP of your VPN/Asterisk server as the address of the SIP server. On the embedded server you need to enable IP forwarding and NAT, and it will pass both the SIP and RTP connections of the hardware SIP client through the VPN. Assuming tun0 as its VPN network interface and eth0 as the LAN interface towards the phone, it can be done by this little script:

# enable forwarding and strict reverse-path filtering on all interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
done
iptables -F
iptables -t nat -F
iptables -P INPUT ACCEPT
# forward the phone's packets only into the tunnel, never out of the plaintext uplink (eth0 is assumed to be the LAN side)
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

It's a good idea to check again with Wireshark that the traffic really follows the encrypted channel, or to use it for debugging if there are problems.
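Both the Linphone section and this one ask you to confirm with Wireshark that no SIP or RTP leaves the machine outside the tunnel. The following is an added example (mine, not the author's, and not part of any tool mentioned on the page) that turns that check into a script: it reads the line output of `tcpdump -nn` taken on the physical uplink (eth0, wlan0, the Raspberry Pi's LAN-facing side is not the point; the uplink is), where a correctly configured client or gateway should show only the OpenVPN packets, and counts every packet whose source or destination port is SIP or in the RTP range. Assumptions: SIP on 5060/5061 and Asterisk's default RTP range 10000-20000 from rtp.conf; the sample capture at the bottom is constructed by hand for the demonstration.

```shell
#!/bin/sh
# Added example for this page: audit a tcpdump capture of the PHYSICAL uplink for VoIP
# packets that escaped the VPN. Real use (needs root):
#     sudo tcpdump -nn -l -i eth0 | sh -c '. ./leakcheck.sh; count_voip_outside_vpn'
# Assumed ports: SIP 5060 (and 5061 for SIP/TLS), RTP 10000-20000 (Asterisk rtp.conf default).

# count_voip_outside_vpn: reads "tcpdump -nn" lines on stdin, prints how many packets
# have a SIP or RTP port as source or destination. Anything above zero is a leak.
count_voip_outside_vpn() {
    awk '
    # tcpdump -nn prints:  TIME IP a.b.c.d.SPORT > e.f.g.h.DPORT: ...
    # so fields 3 and 5 carry the addresses, with the port as the last dotted component
    function port(addr,    n, parts) {
        sub(/:$/, "", addr)               # destination field ends with a colon
        n = split(addr, parts, ".")
        return parts[n] + 0
    }
    function voip(p) { return (p == 5060 || p == 5061 || (p >= 10000 && p <= 20000)) }
    $2 == "IP" && $4 == ">" {
        if (voip(port($3)) || voip(port($5))) leaked++
    }
    END { print leaked + 0 }'
}

# audit_uplink IFACE SECONDS: capture live for SECONDS and return non-zero if anything leaked.
audit_uplink() {
    n=$(timeout "$2" tcpdump -nn -l -i "$1" 2>/dev/null | count_voip_outside_vpn)
    echo "SIP/RTP packets seen outside the tunnel on $1: $n"
    [ "$n" -eq 0 ]
}

# Constructed sample (not a real capture): packets 1-2 are the OpenVPN tunnel itself and are
# fine; packet 3 is a SIP REGISTER in plaintext and packet 4 an RTP stream, i.e. two leaks.
SAMPLE_CAPTURE='12:00:01.000000 IP 192.168.1.20.51822 > 203.0.113.5.1194: UDP, length 150
12:00:01.000400 IP 203.0.113.5.1194 > 192.168.1.20.51822: UDP, length 150
12:00:02.000000 IP 192.168.1.20.5060 > 203.0.113.5.5060: SIP: REGISTER sip:203.0.113.5 SIP/2.0
12:00:03.000000 IP 192.168.1.20.18432 > 203.0.113.5.14000: UDP, length 172'

# demo_count: run the check over the constructed sample (prints 2)
demo_count() {
    printf '%s\n' "$SAMPLE_CAPTURE" | count_voip_outside_vpn
}
```

Run the live check during a call: if the tunnel is doing its job the count stays at zero while Wireshark on tun0 shows the SIP dialogue and RTP. A non-zero count on a client usually means the SIP client is registered to the server's public address instead of its VPN address; on the Raspberry Pi gateway it means the phone's packets are being forwarded out of the wrong interface.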

Other tools suitable for secret communication

As other tools suitable for secret communication I recommend uTox and Ricochet.
