Asterisk and Linux to Build Secure VoIP Connection

Beave writes "Using Linux and the Asterisk PBX, it is possible to build a secure, cost effective VoIP (and traditional PSTN) PBX solutions. This article shows you how to take advantage of various hardware, software and tricks to accomplish this goal within a limited budget."

Useful Asterisk Resources

[TheMysteriousFuture]

Useful Asterisk Links:

The Asterisk Wiki
Note: the wiki search is useless. Search with google instead, use "searchterm site:voip-info.org" (without quotes).

The Asterisk Documentation Project

The Asterisk Mailing Lists
Note: to search the lists use google again. "searchterm site:lists.digium.com" (without quotes)" in google.

the #asterisk chat room on irc.freenode.org. Drop by and say hello.
Note that due to problems with massive spambot attacks regisitration is required to join the channel. Simply type
/msg nickserv register mypassword
/join #asterisk

The next time you join you will need to type
/msg nickserv identify mypassword

Re:Useful Asterisk Resources

[fiji]

Also useful for checking your connection to see if it can handle VoIP: testyourvoip.com (the site has had an overhaul... some interesting new features)

-ben

Re:Shows you how?

[Tony+Hoyle]

It's possible, but the available wireless VOIP handsets are 11b only and don't support WPA (both are showstoppers for me).

In the future I'm sure they'll become available.

I use my asterisk server to record incoming/outgoing numbers (the local telco wants paying for this service, although I have to pay them anyway for the callerid so I'm not sure I'm saving much), and to route calls over the cheapest provider (always analogue, as VOIP providers in this country are still 2-3 times more expensive than analogue ones) - which has saved me a fortune.

Re:Shows you how?

[Student_Tech]

Well you could get a PDA with a VOIP app running on it. For example, the Zaurus can have either KPhone/Pi or tkcPhone(demo version on their website). Both of those apps are SIP compatible.

So you get a PDA and a WiFi conectivity and there you go.

Probably not the best or most ideal solution, but it is something that does exist.

Re:A view from the industry

[LittleLebowskiUrbanA]

" the simplicity of the interfaces found on proprietary systems"

Apparently you've never used Avaya IP Office. I YEARN for the simplicity of text files. 3 freaking different GUIs to manage it and they're interconnected but you have to change things using at least 2 of them in many places.

Re:A view from the industry

[jaymzter]

Ok, I'll take next! 'change dialplan', versus what exactly in asterisk? No need to respond, I've read their convoluted explanation of their concept of a dialplan.
All that aside however, this isn't about knocking asterisk! I compared it to a Large Enterprise, and stated the obvious, that's all

Security wasn't part of Asterisk - it was OpenVPN

[billstewart]

The article said that they did't get their security from Asterisk itself - they added it on by using OpenVPN to build encrypted UDP tunnels and push the Asterisk IAX protocol through them. (No apparent detail on how to configure it.) Some of the Asterisk mailing lists talk about adding encryption to the transport protocols, but as near as I can tell from a few Google hits, that's really all a Wishlist for Somebody Else to implement rather than part of the core protocols.

That's really too bad - encrypting VOIP causes extemely annoying overhead problems, because the voice data packets are really small (they're not very big before compressing them, and then they're even smaller), so the minimum overhead for just doing the RTP+UDP+IP headers is several times the size of the voice traffic they carry, and IPSEC adds another two layers of headers, or SSL adds about three, and pretty soon that cute little elegant 8kbps compressed voice stream is looking like 40-80kbps and won't fit on your modem. SIP can use the SRTP protocol as a modification of RTP, so to the extent that anybody implements it, it's basically doing then encryption along with a layer you needed anyway, so it doesn't add much overhead. IAX doesn't appear to have this (which is especially frustrating because the IAX2 trunking protocol makes multiple simultaneous connections much more efficient, though I suppose if you've already done that, the extra overhead of IPSEC or OpenVPN may not bother you as much.)

Re:Security wasn't part of Asterisk - it was OpenV

[cduffy]

...so the minimum overhead for just doing the RTP+UDP+IP headers is several times the size of the voice traffic they carry, and IPSEC adds another two layers of headers, or SSL adds about three, and pretty soon that cute little elegant 8kbps compressed voice stream is looking like 40-80kbps and won't fit on your modem.

OpenVPN isn't IPsec, and while it uses the OpenSSL library for all the crypto "heavy lifting", it has its own over-the-wire protocol and is much more efficient than the traditional SSL way of doing things.

I use OpenVPN at work, and while I haven't done specific measurements, we've generally found it to be very efficient (not to mention easy-to-use and hassle-free compared to its IPsec-based competitors). Because in UDP mode it doesn't try to guarantee reliability, it also doesn't break protocols (like those used for VoIP data) that expect late packets to just be dropped.

So, in short, I'm not at all convinced that the use of OpenVPN is at all unfortunate or problematic here.