[asterisk-users] Which internet phone protocol best to choose
Alex Balashov
abalashov at evaristesys.com
Sat Sep 13 14:31:12 CDT 2008

Steve Totaro wrote:
> I think the most notably missing solution is OpenVPN and SIP.
>
> One port for the tunnel, encrypted traffic, benefits of IAX as far as
> firewalls and hostile governments (BTW, IAX2 is not as obscure as it
> once was, therefore, the hostile government argument is not
> anywhere near as strong as a VPN).
>
> Since you will be running SIP over the VPN, you get the
> interoperability that SIP provides.
>
> I am sure you could pretty quickly find someone to offer you the
> gateway side of the VPN for a small charge, or a virtual hosted server
> should do fine. I have not looked but there may be some VoIP
> providers that offer or would accommodate OpenVPN tunnels.

I would strongly agree with Steve here, and use this approach myself.
Aside from what he mentioned, I think one of the biggest benefits of
OpenVPN is the fact that unlike most other VPN technologies, it runs
over a straight UDP service, making its traffic indistinguishable from
ordinary bidirectional UDP traffic. It's just a client talking to a
concentrator on UDP port 1194, doing IP-in-UDP encapsulation. And the
client initiates the connection, so no port forwarding/DNAT is required
on the client side.

This makes the traffic rather difficult to identify without deep packet
inspection, and thus far more difficult to stop. You would have to be
willing to block arbitrary UDP services. And you can always use another
port if 1194 is blocked.

Its advantage is in its simplicity. Other approaches to VPNs - i.e.
Cisco VPNs - rely on IPSec and GRE encapsulation, which insert
themselves at various points in Layers 3 - 5, which can be blocked in
firewalls and which can require various technical obstacles to be
overcome in order to use (i.e. IPSec pass-through in NAT gateways). It
can also be very difficult to get such VPNs up and running quickly
without spending money and figuring out a whole bunch of low-level
details (at least, if you really want to understand how it works).

OpenVPN's a snap.

-- Alex

--
Alex Balashov
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct : (+1) (678) 954-0671
Mobile : (+1) (706) 338-8599
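
An added example, not part of the original post: a minimal OpenVPN client configuration matching the setup described above (one UDP port, client-initiated, nothing forwarded on the client side). The hostname vpn.example.net, the certificate file names, the fallback port 5000 and the 10.8.0.1 tunnel address are assumptions.

```conf
# client.ovpn -- constructed example; names and addresses are placeholders
client                      # act as a client and accept options pushed by the server
dev tun                     # routed IP tunnel (IP-in-UDP encapsulation)
proto udp                   # plain UDP transport, as described in the post

# The client opens the connection to the concentrator on UDP 1194.
remote vpn.example.net 1194
# Assumed fallback: tried next if the first entry fails. The server
# must also be listening on this port for it to work.
remote vpn.example.net 5000

nobind                      # use an ephemeral source port; no inbound port to forward
resolv-retry infinite       # keep retrying DNS resolution of the server name
persist-key                 # keep key material across restarts
persist-tun                 # keep the tun device across restarts

# Certificate-based authentication (file names are assumptions)
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server      # reject peers whose certificate is not a server certificate

keepalive 10 60             # ping every 10 s, restart after 60 s of silence;
                            # also keeps NAT/firewall UDP state alive between calls
verb 3

# SIP side (not OpenVPN syntax): point the phone or softclient at the
# Asterisk server's tunnel address, assumed here to be 10.8.0.1, so that
# both SIP signalling and RTP media travel inside the tunnel.
```

Because the SIP endpoints see each other directly on the tunnel subnet, no SIP NAT handling is needed between them.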