/weblog/securing-asterisk-voip-with-openvpn
Monday, May 26, 2008
Businesses strive for the same goal: minimize costs to maximize profits. With the wealth of open-source solutions, a small business can present a high-tech image and still keep a lid on expenses. In a recent Asterisk project, I had the opportunity to design a secure interconnect between two new Asterisk installations. The requirement called for a seamlessly integrated phone system between offices in Victoria and Vancouver. Office-to-office dialling by extension, voice mail and conference calling had to be encrypted and within a manageable budget.
I have been using Linux and Asterisk together since 2003. Asterisk is a full-blown Linux-based PBX system meeting all the requirements of voice mail, conference calling, caller ID, call parking, music on hold, PBX-to-PBX dialling and much more. Asterisk was created by Mark Spencer, who later founded Digium. Digium is the sponsor and developer, and it also offers compatible hardware for use with Asterisk.
With Asterisk handling all the PBX functionality, the next requirement for this project was securing the voice communication between the offices.
One of the biggest concerns when dealing with office-to-office VoIP communications is security. Normally, VoIP is not encrypted, so naturally I looked at possible ways to encrypt the traffic. Building VPN tunnels between the offices was the first logical choice. I weighed several possible virtual private network (VPN) solutions before deciding on OpenVPN (http://openvpn.sourceforge.net). OpenVPN is a mature open-source project, built on OpenSSL, that lets me pick the authentication and encryption method. I also liked it because it allowed me to build UDP-based VPN tunnels, which is important when dealing with VoIP.
For the most part, VoIP is transmitted as UDP/RTP (Real-time Transport Protocol) packets. There is a good reason for this. TCP provides verification of packet delivery. This sounds like a good thing, but in the VoIP world it's not. With TCP, if a packet is dropped, the remote side retransmits it at the receiver's request. By the time the voice packet is retransmitted, it's too late to put it in our audio stream! If we don't receive the packet within the allotted time, it's useless to us. This is why network latency is such an issue with VoIP. TCP was designed to recover dropped packets and to re-order out-of-sequence packets. This is very, very bad for VoIP. UDP, on the other hand, allows packets to arrive out of order, and there is no verification that a packet arrived. It's sent, and if it makes it, it makes it. This is the reason you do not want to use a TCP-based VPN. If you encapsulate UDP traffic within a TCP tunnel and a tunnel packet gets dropped or corrupted, TCP retransmits it and holds back everything queued behind it, which completely defeats the purpose of VoIP using UDP.
Next I set up Inter-Asterisk eXchange (IAX2) between the Asterisk boxes. With our encrypted UDP-based tunnels up, we now had to put the two Asterisk PBX servers in communication with each other. I decided to use Asterisk's native IAX2 protocol because it's a simple protocol. IAX2 can also be trunked. "Trunking" means that when there is more than one call over an IAX2 connection, the calls share some of the IP header overhead, reducing the bandwidth needed for voice conversations between branches.
I haven't done specific measurements yet, but I generally find OpenVPN to be very efficient (not to mention easy to use and hassle-free compared to its IPsec-based competitors). Because in UDP mode it doesn't try to guarantee reliability, it also doesn't break protocols (like those used for VoIP data) that expect late packets to simply be dropped.
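As an added example (not configuration from the original post), here is how the two pieces described above fit together: a point-to-point OpenVPN tunnel over UDP with certificate authentication between the offices, and the IAX2 trunk Asterisk runs across it, bound only to the tunnel address. The hostnames, the 10.8.0.0/30 tunnel addresses, the 192.168.x.0/24 LAN ranges, the 1XX/2XX extension ranges, the shared secret and all file paths are assumed placeholders.

```conf
# /etc/openvpn/to-vancouver.conf  (Victoria side, assumed path; tls-server end)
proto udp                 # UDP, not TCP: a late voice packet must be dropped, not retransmitted
port 1194
dev tun
tls-server
ifconfig 10.8.0.1 10.8.0.2             # tunnel endpoints (assumed)
route 192.168.2.0 255.255.255.0        # Vancouver LAN reachable through the tunnel (assumed)
ca   /etc/openvpn/ca.crt               # private CA shared by both offices
cert /etc/openvpn/victoria.crt
key  /etc/openvpn/victoria.key
dh   /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0         # HMAC on the control channel; unauthenticated packets are dropped early
cipher AES-256-CBC
keepalive 10 60                        # ping every 10 s, restart after 60 s silence
persist-key
persist-tun
user nobody                            # drop privileges once the tunnel is up
group nogroup
verb 3

# Vancouver side differs only in these lines:
#   remote victoria.example.com 1194
#   tls-client
#   ifconfig 10.8.0.2 10.8.0.1
#   route 192.168.1.0 255.255.255.0
#   cert/key vancouver.crt / vancouver.key, no dh, tls-auth ta.key 1

; /etc/asterisk/iax.conf  (Victoria side, assumed)
[general]
bindaddr=10.8.0.1        ; listen on the tunnel address only, never on the public interface
bindport=4569
trunkfreq=20             ; one trunk frame every 20 ms carries all active calls

[vancouver]
type=friend
host=10.8.0.2            ; the peer's tunnel address, so IAX2 is never exposed unencrypted
trunk=yes                ; share IP/UDP/IAX headers across concurrent calls (needs a timing source)
secret=CHANGE-ME         ; placeholder: a long random shared secret
context=from-vancouver   ; calls arriving from the peer land here
qualify=yes              ; monitor the trunk so dead links are noticed

; /etc/asterisk/extensions.conf  (Victoria side, assumed; local phones assumed to be SIP)
[from-vancouver]
exten => _1XX,1,Dial(SIP/${EXTEN})             ; Victoria extensions 1XX (assumed)
[internal]
exten => _2XX,1,Dial(IAX2/vancouver/${EXTEN})  ; Vancouver extensions 2XX ride the trunk
```

Dialling a 2XX extension from Victoria therefore leaves the box only as IAX2 to 10.8.0.2 inside the OpenVPN UDP tunnel; a firewall rule that admits UDP/4569 solely from the tun interface makes that the only path.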
If you are looking to implement a secure office to office VoIP solution, please feel free to contact me.