Secure your VoIP: encryption HOWTO using openvpn and asterisk
It is not difficult to prevent wiretapping of your VoIP calls by encryption, and it can be achieved using free software tools running under Linux; no purchase of hardware or software is needed.
Here I try to give explicit instructions and sample config files for establishing secure VoIP communication within a closed group of participants, using a virtual private network (VPN).
It is certainly not a novel idea, but a step-by-step HOWTO is not so easy to find, so this page might be useful for you.
The prerequisite for being able to follow these instructions is that you are (or are willing to become) a bit familiar with Linux (beyond its clicking interfaces) and understand the basics of IP networking.
Concerning openvpn, there are many HOWTOs; I found this one very useful.
To proceed with the configuration, follow the stepwise procedure:
1. Generate openvpn self-signed certificate and keys
For private use, a self-signed certificate is good enough; unless you suffer from schizophrenia, you can trust yourself :-).
2. Install, configure, and start openvpn on the server
Edit the /etc/openvpn/openvpn.conf file (or wherever it is in your distro). Select UDP for better performance, or TCP if you want to tunnel openvpn traffic via an HTTP or SOCKS proxy.
I employ the tun interface method; I did not test bridging via tap interfaces.
Edit the server IP and netmask, the paths to the key files etc., and the cipher to be employed.
You can start from my config file here.
3. Install, configure, and start openvpn on the client(s)
Again edit the /etc/openvpn/openvpn.conf file on the clients. Copy the ca.crt, clientxxx.key, clientxxx.crt and ta.key files to the client (using a secure channel) and store them, preferably on an encrypted filesystem. A sample client openvpn.conf is here.
Start the client daemon and use ifconfig and ping to check whether it works. Use the system logs, Wireshark etc. for debugging.
If you happen to be behind a firewall, you might need to use tunneling via HTTP. See here for some hints.
Notice that if you for some reason do not like openvpn, it should be possible to do the same trick using ssh with its "-w" option, which creates a tun device and so allows both UDP and TCP tunneling; use the HOWTO here and continue with the asterisk configuration.
4. Install and configure Asterisk on the server
Obviously, if you are serious about security, the VPN and Asterisk server must be under your physical control, not just on a hosted virtual server "in a cloud". Besides security, this gives you the comfort of using hardware VoIP phones connected to the trusted wired network at home or at company headquarters, while the outgoing traffic is VPN-protected.
Using a smart enough VoIP gateway for a traditional phone, with properly configured dial-plans, you can use the same traditional phone to dial "normal" numbers and your private VoIP numbers. But for God's sake, after spending time on this configuration, do not spoil everything by using a DECT cordless phone: their encryption is extremely weak and an open source DECT sniffing project is under way!
Also note that the weakest link in the security chain might be malware on the clients or even on the server; you should check for rootkits and install security patches regularly (and avoid Windows clients operated by stupid users who download malware and type their passwords into web pages whenever email spam asks them to :-)).
The very basic configuration of Asterisk for creating a private network is not difficult; essentially you need to edit only two files in /etc/asterisk, and you can use my sample files: sip.conf and extensions.conf.
Check for 'voipjiri' entries in these files and edit them appropriately. Then change the localnet entries in sip.conf if you use different IP addresses for your local net and VPN. The externip and fromdomain entries are used if your Asterisk should also listen publicly for unencrypted traffic.
It is crucial to employ the option directmedia=no in sip.conf to ensure that all client-to-client voice RTP traffic travels via the server, rather than through the simplest direct connection between the two clients (which would be in plaintext).
Notice that this is the opposite of what is recommended for efficiency!
5. Install and configure linphone or other VoIP program on the clients
Linphone is a lightweight SIP VoIP client which works quite reliably.
A sample config file for use with a private VPN network and a privately numbered Asterisk SIP network is here. It assumes you have declared in your /etc/hosts the hostname "vpn" for your VPN server 10.11.22.1, which also runs Asterisk, while 10.11.22.6 is the tun0 interface on the client.
After the installation and troubleshooting are done and you get the calls through (with voice in both directions ;-)),
it is a good idea to use Wireshark to check that your VoIP is really secure: that all SIP signalling as well as the RTP streams really go through the encrypted VPN!
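As an added example, not from the original page: a small Python script in the spirit of that Wireshark check. It parses frames captured on the physical (non-tun) interface and flags any plaintext SIP or RTP that is not riding inside the OpenVPN UDP transport; the port 1194, the addresses and the three sample frames are constructed assumptions, and a real capture would be read from a pcap file instead.

```python
import struct

OPENVPN_PORT = 1194  # assumption: the tunnel's own UDP port; its payload is ciphertext, so not a leak
SIP_STARTS = (b"INVITE ", b"REGISTER ", b"ACK ", b"BYE ", b"OPTIONS ", b"SIP/2.0")

def is_sip(payload):
    """Plaintext SIP begins with a request method or the SIP/2.0 version of a status line."""
    return payload.startswith(SIP_STARTS)

def is_rtp(payload):
    """RTP v2: top two bits of byte 0 are 10; payload types 72..76 are RTCP, not media."""
    return len(payload) >= 12 and payload[0] >> 6 == 2 and not 72 <= (payload[1] & 0x7F) <= 76

def parse_udp(frame):
    """Ethernet II + IPv4 + UDP frame -> (src, dst, sport, dport, payload); None otherwise."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    udp = frame[14 + ihl:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    return src, dst, sport, dport, udp[8:ulen]

def find_leaks(frames):
    """Report SIP or RTP seen on the physical interface outside the OpenVPN transport."""
    leaks = []
    for frame in frames:
        parsed = parse_udp(frame)
        if parsed is None:
            continue
        src, dst, sport, dport, payload = parsed
        if OPENVPN_PORT in (sport, dport):
            continue  # the encrypted tunnel itself: expected traffic
        kind = "SIP" if is_sip(payload) else "RTP" if is_rtp(payload) else None
        if kind:
            leaks.append((kind, f"{src}:{sport}", f"{dst}:{dport}"))
    return leaks

def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/UDP frame for the sample capture (checksums left zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

# Constructed capture: a tunnel packet (fine), then a plaintext INVITE and a plaintext RTP packet (leaks).
SAMPLE_FRAMES = [
    build_frame("192.0.2.10", "198.51.100.1", 40000, 1194, b"\x38" + bytes(range(64))),
    build_frame("192.0.2.10", "198.51.100.1", 5060, 5060, b"INVITE sip:101@198.51.100.1 SIP/2.0\r\n"),
    build_frame("192.0.2.10", "198.51.100.1", 10000, 10002, b"\x80\x08\x00\x01\x00\x00\x00\xa0\x12\x34\x56\x78" + b"\x55" * 20),
]
```

Any tuple returned by find_leaks is a call leg that left the machine unencrypted, which in a correct setup means the SIP client or Asterisk is not bound to the tun addresses or directmedia is not disabled.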
Notice that on the N900, the Maemo SIP client unfortunately has a bug which prevents it from working correctly with a VPN. But Linphone can be compiled in the scratchbox environment and installed on the N900.
(See my collection of tips and tricks for the Nokia N900 phone if you are interested.)