[AusNOG] Remote Work - (SIP/Security/CGNAT)

Craig Askings craig at askings.com.au
Fri Nov 13 12:54:17 EST 2015


Snom phones have a built-in OpenVPN client.

When I had it working at $job[-1] it worked remarkably well, punching through multiple layers of NAT etc.

Auth was done via a certificate installed into each phone. Very little traffic was leaked outside the VPN during our validation:


1) DHCP request / ACK
2) VPN debug logs sent out (if enabled)
3) NTP time sync
4) VPN comes up
5) all remaining traffic over VPN

IIRC you could even have it VPN tunnel all the traffic on the PC LAN port as well.


> On 13 Nov 2015, at 11:10 am, Peter Fern <ausnog at 0xc0dedbad.com> wrote:
> 
> On 11/13/2015 09:59, Luke Iggleden wrote:
>> - Get around CGNat RTP Audio/SIP transport issues
>> - Ensure SIP server is not open to the world due to dynamic IP's
>> connecting
>> - Keep the bandwidth requirements to a minimum - Assume low speed DSL
>> (2M/512k)
> 
> Run a VPN client on the SIP endpoint (on a hardphone preferably, so you
> can control it, otherwise on the softphone OS) back to the SIP server,
> or nearby terminating device.  This solves the RTP and security issues. 
> Use G.729a to reduce network bandwidth.  At 450ms latency though,
> conversation quality is going to suck somewhat, no way around that.