[asterisk-users] Two Asterisks behind NAT and need to link them using IAX trunk

Anselm Martin Hoffmeister anselm at hoffmeister-online.de
Fri Jan 18 12:24:06 CST 2008


Am Freitag, den 18.01.2008, 04:21 -0800 schrieb bilal ghayyad:
> Hi;
> 
> Via OpenVPN or port forwarding is known for me, but
> via SSH is new for me, how I can do it and what is the
> difference by SSH and OpenVPN?

In principle both use a packet stream (SSH is TCP, OpenVPN is TCP or
UDP) for encapsulating IP packets. The main difference is that SSH port
forwarding forwards the packet data, but not the header: The packet is
stripped at side A and a seemingly different TCP connection is
established on side B. This also implies the main limitation of SSH,
that it is restricted to tunneling TCP (afaik).

OpenVPN in contrast takes entire IP packets, applies routing and tunnels
the entire packet through. You can tunnel any IP traffic through
OpenVPN, and the remote side IP address will persist. (You can even
tunnel IPX or Appletalk, if using the BRIDGE mode with virtual TAP
interfaces). Basically OpenVPN appears to the tunnel endpoint as a
virtual wire that behaves like an ethernet port. OpenVPN is far more
flexible when it comes to network restrictions.

On the other hand the SSH main idea is not VPN but secure shell
access :)

For VoIP I'd imagine SSH is quite impractical, if usable at all. Most
likely the TCP-only restriction will make life difficult.

SIP over OpenVPN works - I used it to tunnel from a trip to California
to my Asterisk back home in Germany. The voice quality was a bit poor,
but this might also relate to the WLAN and the multi-hop-internet route
in between. Speaking generally, of course an aditional layer (which both
OpenVPN and SSH introduce) does not improve the signal path quality, or
latency, or everything.

I have read recommendations to use OpenVPN in UDP mode to reduce
packetizing problems which would result in choppy sound as well. No
comparison numbers available here though.

BR
Anselm




More information about the asterisk-users mailing list