How to set up an Asterisk VoIP server over OpenVPN in a Tor hidden service.

First create OpenSSL CA with easy-rsa or OpenSSL for OpenVPN.

This is OpenVPN server configuration file:

tls-server
port 1194
proto tcp
dev tun
ca /etc/ssl/ca.crt
cert /etc/ssl/server.crt
key /etc/ssl/server.key
dh /etc/ssl/dh2048.pem
topology subnet
server 10.0.0.0 255.255.0.0
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher AES-256-CBC
max-clients 100
persist-key
persist-tun
status /var/log/openvpn-status.log
log /var/log/openvpn.log
log-append /var/log/openvpn-append.log
verb 3
auth SHA512

This is OpenVPN client configuration file:

client
dev tun
proto tcp
remote hiddenservicexxx.onion 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca /home/norbert/new/ca.crt
cert /home/norbert/new/demo-norbert.crt
key /home/norbert/new/demo-norbert.key
cipher AES-256-CBC
auth SHA512
verb 3
socks-proxy 127.0.0.1 9050
remote-cert-tls server

This is Asterisk sip.conf configuration file:

[general]
transport=udp
port=5060
bindaddr=10.0.0.1
disallow=all
allow=ulaw
allow=alaw
allow=gsm
directmedia=no
nat=yes
localnet=10.0.0.0/255.255.0.0
[friends_internal](!)
type=friend
host=dynamic
context=from-internal
disallow=all
allow=ulaw
allow=alaw
allow=gsm
[demo-alice](friends_internal)
secret=password
[demo-bob](friends_internal)
secret=password
[demo-norbert](friends_internal)
secret=password

This is Asterisk extensions.conf configuration file:

[from-internal]
exten=>6001,1,Dial(SIP/demo-alice,20)
exten=>6002,1,Dial(SIP/demo-bob,20)

This is Tor hidden service server torrc configuration file:

HiddenServiceDir /usr/local/torhs/winternight/
HiddenServicePort 1194 127.0.0.1:1194

This is Tor client configuration file:

SOCKSPort 9050

That’s all. It’s working with 1s delay.
Enjoy. :slight_smile:

3 Likes

To summarize, so I can see whether I have the right overview in my mind.

  • You host a Tor hidden service.
  • An OpenVPN server is reachable on that Tor hidden service.
  • OpenVPN is used so you can tunnel UDP over Tor.
  • So you can then use Asterisk, which is UDP only?

It’s interesting!


You didn’t like any of the other VoIP solutions we have in the wiki?


Hello Patrick.

That’s right. :slight_smile:

1 Like

UPDATE

Generate encryption keys with OpenSSL.

OpenVPN server openvpn.conf configuration file:

mode server
tls-server
dev tun
proto tcp-server
port 1194

server 10.8.0.0 255.255.0.0
 
ca /vpn/ca.crt
cert /vpn/server.crt
key /vpn/server.key
dh /vpn/dh2048.pem
tls-crypt /vpn/ta.key
 
cipher AES-256-CBC
auth SHA3-512
 
log /var/log/openvpn.log
status /var/log/openvpn-status.log
 
user nobody
group nobody
persist-key
persist-tun
chroot /usr/local/etc/openvpn/jail
auth-nocache

# If you want to allow clients to communicate among themselves, e.g. to start their own services like UnrealIRCd servers.
client-to-client
client-config-dir /ccd

OpenVPN clients client.conf configuration file:

tls-client
remote-cert-tls server
dev tun

<connection>
remote youroniondomain.onion 1194 tcp-client
socks-proxy 127.0.0.1 9050
</connection>

cipher AES-256-CBC
auth SHA3-512
  
user nobody
group nogroup
persist-key
persist-tun
chroot /etc/openvpn/jail
auth-nocache
 
log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log
 
<ca>
</ca>
  
<cert>
</cert>
  
<key>
</key>

<tls-crypt>
</tls-crypt>

Tor Hidden Service torrc configuration file:

HiddenServiceDir /usr/local/torhs/szczybelski/
HiddenServicePort 1194 127.0.0.1:1194

Tor clients torrc configuration file:

SOCKSPort 9050

Asterisk sip.conf configuration file:

[general]
transport=udp
port=5060
bindaddr=10.8.0.1
disallow=all
allow=ulaw
allow=alaw
allow=gsm
directmedia=no
nat=yes
localnet=10.8.0.0/255.255.0.0
 
[friends_internal](!)
type=friend
host=dynamic
context=from-internal
disallow=all
allow=ulaw
allow=alaw
allow=gsm
 
[demo-alice](friends_internal)
secret=password
 
[demo-bob](friends_internal)
secret=password
 
[demo-norbert](friends_internal)
secret=password

Asterisk extensions.conf configuration file:

[from-internal]
exten=>6001,1,Dial(SIP/demo-alice,20)
exten=>6002,1,Dial(SIP/demo-bob,20)
exten=>6003,1,Dial(SIP/demo-norbert,20)

That’s all!
It’s working with 1 s delay.

Enjoy!

3 Likes
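As an added example (not part of the original posts), a small checker for the OpenVPN configs shown in the first post and in the UPDATE: it flags the settings that matter when the server is reached through a Tor hidden service (TCP transport, socks-proxy, remote-cert-tls server) plus the tls-crypt, privilege-drop and auth-nocache options from the UPDATE. The sample configs inside it are constructed copies of the ones above.

```python
# Constructed samples in the formats posted above (demo values only):
# the client config from the first post and the server config from the UPDATE.
CLIENT_CONF = """client
dev tun
proto tcp
remote hiddenservicexxx.onion 1194
socks-proxy 127.0.0.1 9050
remote-cert-tls server
"""
SERVER_CONF = """mode server
tls-server
proto tcp-server
tls-crypt /vpn/ta.key
user nobody
group nobody
auth-nocache
"""

def parse_openvpn(text):
    """Map each OpenVPN option to its argument list (inline <tag> lines skipped)."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            opts[line.split()[0]] = line.split()[1:]
    return opts

def audit_openvpn(text, role):
    """Return findings for a 'client' or 'server' config, in a fixed order."""
    o, findings = parse_openvpn(text), []
    # Tor only carries TCP streams; the protocol may also be given as
    # tcp-client/tcp-server or as the third argument of a "remote" line.
    proto = o.get("proto", o.get("remote", [])[2:3] or ["udp"])[0]
    if not proto.startswith("tcp"):
        findings.append("proto must be tcp to traverse Tor")
    if role == "client" and "socks-proxy" not in o:
        findings.append("no socks-proxy: client would bypass Tor")
    if role == "client" and o.get("remote-cert-tls") != ["server"]:
        findings.append("missing remote-cert-tls server")
    if "tls-crypt" not in o and "tls-auth" not in o:
        findings.append("control channel not protected by tls-crypt/tls-auth")
    if "user" not in o or "group" not in o:
        findings.append("no user/group privilege drop")
    if "auth-nocache" not in o:
        findings.append("auth-nocache not set")
    return findings
```

Run against the first post's client config it reports the three options the UPDATE later added; run against the UPDATE server config it reports nothing.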

@Norbert_Szczybelski Awesome. So is there a VoIP client setup/configuration step too or how do users communicate?

Can Asterisk be set up to use TCP instead? That would simplify things a lot.

2 Likes

Good morning HulaHoop.

Reading IETF RFC 6347 and thinking about DTLS over TCP.

This is an old configuration of Asterisk, but I will do some research and publish the results.

I was testing on two Android phones.
I don't remember what VoIP client software I used.

Norbert.

2 Likes

@Norbert_Szczybelski

I like your setup! OpenVPN has always been one of my key pieces of software in most of my tasks; very versatile and adaptable to almost anything. Using it over a hidden service is a great idea.
To add to your already great effort, a couple more options you can use for your server config file are:
tls-crypt ta.key 0
key-direction 0
This is the option for encrypting the control channel with aes256-ctr so the handshake is not visible. Not required of course, but an option. If you use this, do not use the “tls-auth” option or “auth” options. tls-crypt uses sha256 (built in).
reneg-sec
This allows you to set the interval between new control-channel handshakes. The default with no setting enabled is 1 hour. If you wanted 5 minutes, for example, put “reneg-sec 300”.
You can use elliptic curves too instead of rsa. To do so add:
dh none
ecdh-curve secp384r1 (or whatever your OpenSSL or other SSL software can support)
This next one can help if there is too big a latency:
socket-flags TCP_NODELAY
None of the above are vital, and your config is excellent on its own, I just was expanding on it.
If you use any of the options, in the client side you should use “key-direction 1” and a corresponding “tls-crypt” option as well since they have to match in client and server. The “reneg-sec” option can be on either or both sides. The lowest value is what takes precedence.
To use elliptic curves options, your client and server certs and keys will need to be generated with those parameters through something like easy-rsa, or openssl, or something.
In Openssl setups (and maybe in others, but I have not tried yet) you have an option to set the hash for the pseudo random number generator. The option “prng sha512 64” would set it to sha512 for example. “prng sha256 32” would be sha256 and so on. If used, set this option in both client and server configs. This is an advanced config option that usually you do not need to play with, but you can if you know what you are doing.
You can also (in Openssl) choose what engine the crypto uses. Every system may have different options. The command:
sudo openvpn --show-engines
shows what is available on your system. In Openssl, confirm with:
openssl engine
To set the option, add an option to client and server: “engine dynamic” (or whatever choice those commands showed you)
Again, Openvpn does all this already, but sometimes there are special cases where you want control over such things. If you are not sure, then do not use the option.

1 Like

Morning @anontor

I have a lot of work now, but I will study your improvements.

The main idea of this tutorial was to prove that VoIP can work over Tor.

This is a chrooted configuration, but if someone really needs to start that kind of network, please isolate the servers in virtual machines.

I prefer FreeBSD bhyve.

Also update CPU microcode against Spectre and Meltdown vulnerabilities.

I illustrate a simple setup.
172.16.0.1/10.8.0.1 OpenVPN Server bhyve VM.
172.16.0.2/10.8.0.10 OpenVPN Client with Apache bhyve VM.
172.16.0.3/10.8.0.20 OpenVPN Client with Asterisk bhyve VM.
172.16.0.4/10.8.0.30 OpenVPN Client with UnrealIRCd bhyve VM.

Set up static IP addresses in the ccd directory for these servers.

I have not tested it, but you can also start a BIND DNS server to map hostnames to IP addresses.

Norbert.
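The static-address step above, as an added example that is not part of the original post: it generates the client-config-dir files for the VM list, validating each address first. It assumes the server runs with "server 10.8.0.0 255.255.0.0", "topology subnet" and "client-config-dir /ccd" (the directory named in the UPDATE config), and the certificate CNs used as file names are hypothetical.

```python
import ipaddress
import os

# Assumed server settings: "server 10.8.0.0 255.255.0.0" with "topology subnet".
VPN_NET = ipaddress.ip_network("10.8.0.0/16")
SERVER_IP = ipaddress.ip_address("10.8.0.1")

# Constructed from the VM list above: hypothetical certificate CN -> fixed VPN address.
STATIC_CLIENTS = {
    "apache-vm": "10.8.0.10",
    "asterisk-vm": "10.8.0.20",
    "unrealircd-vm": "10.8.0.30",
}

def ccd_entries(clients, net=VPN_NET, server_ip=SERVER_IP):
    """Return {cn: ccd file text}, refusing addresses outside the VPN subnet,
    the server's own address, and any address handed to two clients."""
    seen, out = {}, {}
    for cn, addr in clients.items():
        ip = ipaddress.ip_address(addr)
        if ip not in net or ip in (server_ip, net.network_address, net.broadcast_address):
            raise ValueError(f"{cn}: {addr} is not a usable client address in {net}")
        if ip in seen:
            raise ValueError(f"{cn}: {addr} already assigned to {seen[ip]}")
        seen[ip] = cn
        # With topology subnet, ifconfig-push takes the client address and the netmask.
        out[cn] = f"ifconfig-push {ip} {net.netmask}\n"
    return out

def write_ccd(clients, ccd_dir):
    """Write one file per client CN into ccd_dir (e.g. /ccd); returns the CNs written."""
    entries = ccd_entries(clients)  # validate everything before touching disk
    os.makedirs(ccd_dir, exist_ok=True)
    for cn, text in entries.items():
        with open(os.path.join(ccd_dir, cn), "w") as f:
            f.write(text)
    return sorted(entries)
```

Adding "ccd-exclusive" to the server config makes OpenVPN reject any client that has no ccd file, so only the listed VMs can connect.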

@anontor There is also a post-quantum OpenVPN project.

OPEN QUANTUM SAFE
open-quantum-safe on GitHub
open-quantum-safe/liboqs on GitHub
PQCrypto-VPN on GitHub

I do not provide any security warranty, I just share information.

Norbert.

Awesome, that could relieve the users from having to configure OpenVPN at all.

If using TCP directly, I wonder if VoIP clients can just parse the onion service name directly instead of configuring DNS. Better that way for security. Tor also has a feature “MAPADDRESS” that lets you assign a custom non-public IP address to a specific onion address, which can make things easier.

Yeah I know thanks. We’ve listed the liboqs on our wiki.

Comment:
This is a MS project and I have no faith in anything crypto from that company. They aren’t using NTRU which is the most robust lattice crypto algo that exists.

Nonetheless it’s useful to know what the landscape looks like out there.

1 Like

You could add instructions here too:

Or on a dedicated page if that seems better.

1 Like

Evening @Patrick

I submitted changes.
Please correct me if something is wrong.

Thank You. :slightly_smiling_face:

2 Likes