Hello All,
I am currently researching a solution for tunnelling VoIP traffic since VoIP is blocked in the country concerned. It appears that the ISP is targeting OpenVPN and OpenSwan and blocking them so I want to try something different.
My solution based on OpenVPN worked great until it got blocked by the ISP about a week ago. It was using an OpenVPN server hosted in a US Datacenter and the VPN clients were simply routers with third party Linux firmware with the OpenVPN client embedded in the firmware.
I am also investigating the possibility of tunnelling OpenVPN through SSH but I have to watch my IP overheads here because the ISP watches the upload bandwidth as well!
Has anyone attempted or had any success using stunnel for a similar scenario as I have mentioned?
Thanks in Advance
Regards,
Errol
On Tue, Jun 03, 2008 at 11:13:45AM +0100, Errol Samuels wrote:
Hello All,
I am currently researching a solution for tunnelling VoIP traffic since VoIP is blocked in the country concerned. It appears that the ISP is targeting OpenVPN and OpenSwan and blocking them so I want to try something different.
My solution based on OpenVPN worked great until it got blocked by the ISP about a week ago. It was using an OpenVPN server hosted in a US Datacenter and the VPN clients were simply routers with third party Linux firmware with the OpenVPN client embedded in the firmware.
I am also investigating the possibility of tunnelling OpenVPN through SSH but I have to watch my IP overheads here because the ISP watches the upload bandwidth as well!
Has anyone attempted or had any success using stunnel for a similar scenario as I have mentioned?
The SSH and SSL protocols ought to have roughly the same amount of overhead, so whether you choose tunnelling over SSH or over stunnel should have pretty much no bearing on the traffic.
Now... stunnel should work just as well as SSH, but it also has just the same basic "limitation" - or, rather, design goal - stunnel is used only for forwarding TCP connections. I'm not sure what your VoIP model is, but if it is in any way based on UDP packets flying around, then neither stunnel nor SSH would be of any use to you.
With that in mind, if it's a TCP connection that you want to encrypt, either stunnel or SSH port forwarding should do the job just fine, although for "permanent" setups I would rather use stunnel, since SSH may have some issues with timeouts and dropped control connections and such.
G'luck, Peter
Hi Peter,
Now... stunnel should work just as well as SSH, but it also has just the same basic "limitation" - or, rather, design goal - stunnel is used only for forwarding TCP connections. I'm not sure what your VoIP model is, but if it is in any way based on UDP packets flying around, then neither stunnel nor SSH would be of any use to you.
My VoIP model is using UDP ports 10000 - 20000 for the media, so this is the reason I have to tunnel OpenVPN through SSH or Stunnel, since I can forward my UDP traffic through OpenVPN.
Another alternative that I am exploring is SSH or Stunnels with Socat! http://www.zarb.org/~gc/html/udp-in-ssh-tunneling.html but I need to find out how to forward a range of ports through it.
With that in mind, if it's a TCP connection that you want to encrypt, either stunnel or SSH port forwarding should do the job just fine, although for "permanent" setups I would rather use stunnel, since SSH may have some issues with timeouts and dropped control connections and such.
I need to investigate if Stunnel is available as a package for OpenWRT or DD-WRT firmware.
Thanks
Errol
G'luck, Peter
--
Peter Pentchev  roam@ringlet.net  roam@cnsys.bg  roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This would easier understand fewer had omitted.
On Tue, Jun 03, 2008 at 12:52:35PM +0100, Errol Samuels wrote:
Hi Peter,
Now... stunnel should work just as well as SSH, but it also has just the same basic "limitation" - or, rather, design goal - stunnel is used only for forwarding TCP connections. I'm not sure what your VoIP model is, but if it is in any way based on UDP packets flying around, then neither stunnel nor SSH would be of any use to you.
My VoIP model is using UDP ports 10000 - 20000 for the media, so this is the reason I have to tunnel OpenVPN through SSH or Stunnel, since I can forward my UDP traffic through OpenVPN.
Oh... so you still want to use OpenVPN? That is, you want:
- VoIP traffic
- UDP packets on a virtual interface
- OpenVPN encryption with OpenVPN configured for a TCP connection
- and an additional stunnel or SSH wrapper?
Yikes :) This *will* add some additional overhead, and although the overhead will be the same no matter whether you choose SSH or stunnel, it will still be there anyway.
Another alternative that I am exploring is SSH or Stunnels with Socat! http://www.zarb.org/~gc/html/udp-in-ssh-tunneling.html but I need to find out how to forward a range of ports through it.
Well, this might turn out to be a better alternative. If you use the netcat (or socat) method described there, you'll just need to run a lot of netcat (or socat) processes, one for each port you need to forward. I've not yet used socat, but from its manual page it seems that it cannot listen on more than one port either.
With that in mind, if it's a TCP connection that you want to encrypt, either stunnel or SSH port forwarding should do the job just fine, although for "permanent" setups I would rather use stunnel, since SSH may have some issues with timeouts and dropped control connections and such.
I need to investigate if Stunnel is available as a package for OpenWRT or DD-WRT firmware.
G'luck, Peter
Now... stunnel should work just as well as SSH, but it also has just the same basic "limitation" - or, rather, design goal - stunnel is used only for forwarding TCP connections. I'm not sure what your VoIP model is, but if it is in any way based on UDP packets flying around, then neither stunnel nor SSH would be of any use to you.
My VoIP model is using UDP ports 10000 - 20000 for the media, so this is the reason I have to tunnel OpenVPN through SSH or Stunnel, since I can forward my UDP traffic through OpenVPN.
Oh... so you still want to use OpenVPN? That is, you want:
- VoIP traffic
- UDP packets on a virtual interface
- OpenVPN encryption with OpenVPN configured for a TCP connection
- and an additional stunnel or SSH wrapper?
My OpenVPN server is already set up to use a TCP connection, so I just need to use an additional Stunnel wrapper.
Yikes :) This *will* add some additional overhead, and although the overhead will be the same no matter whether you choose SSH or stunnel, it will still be there anyway.
However, I think I can set cipher to none in OpenVPN and do a bit more tweaking to conserve bandwidth, since OpenVPN will be secured within the Stunnel wrapper.
Another alternative that I am exploring is SSH or Stunnel with Socat! http://www.zarb.org/~gc/html/udp-in-ssh-tunneling.html but I need to find out how to forward a range of ports through it.
Well, this might turn out to be a better alternative. If you use the netcat (or socat) method described there, you'll just need to run a lot of netcat (or socat) processes, one for each port you need to forward. I've not yet used socat, but from its manual page it seems that it cannot listen on more than one port either.
It would be great to use netcat (or socat) but surprisingly it does seem to support port ranges so I think I may have to use OpenVPN with Stunnel and a bit of tweaking.
With that in mind, if it's a TCP connection that you want to encrypt, either stunnel or SSH port forwarding should do the job just fine, although for "permanent" setups I would rather use stunnel, since SSH may have some issues with timeouts and dropped control connections and such.
I need to investigate if Stunnel is available as a package for OpenWRT or DD-WRT firmware.
G'luck, Peter
--
Peter Pentchev  roam@ringlet.net  roam@cnsys.bg  roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
because I didn't think of a good beginning of it.
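Here is the four-file layout Errol describes (OpenVPN in TCP mode with cipher none, wrapped in stunnel), added as an example and not configuration from this thread or the stunnel project; the port 8443, the file paths, the 10.8.0.0/24 range and the VPN_HOST_PUBLIC_IP placeholder are assumptions, as are the OpenVPN 2.x and stunnel 4.x option names. The two things to check before trusting cipher none are spelled out in the comments: the plaintext OpenVPN listener is bound to loopback only, and both stunnel ends require a certificate issued by a private CA.

```ini
; ===== VPN host (US datacenter): /etc/stunnel/stunnel.conf =====
; Terminates TLS on the public port and hands the plaintext OpenVPN
; TCP stream to a loopback-only OpenVPN listener. Paths are assumed.
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key
CAfile = /etc/stunnel/ca.pem
; verify = 2: reject any client that does not present a certificate
; signed by the private CA above (stunnel 4.x checks the chain only,
; not the hostname, so use this CA for nothing else).
verify = 2

[openvpn-tcp]
accept = 8443
connect = 127.0.0.1:1194

; ===== VPN host: /etc/openvpn/server.conf =====
; cipher none leaves the data channel unencrypted, so the listener must
; be reachable only through stunnel: bind it to loopback, never 0.0.0.0.
local 127.0.0.1
port 1194
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
cipher none
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem

; ===== Router (OpenWRT): /etc/stunnel/stunnel.conf =====
client = yes
cert = /etc/stunnel/router.pem
key = /etc/stunnel/router.key
CAfile = /etc/stunnel/ca.pem
verify = 2

[openvpn-tcp]
accept = 127.0.0.1:1194
connect = VPN_HOST_PUBLIC_IP:8443

; ===== Router: /etc/openvpn/client.conf =====
; OpenVPN talks only to the local stunnel, which carries it to 8443.
client
dev tun
proto tcp-client
remote 127.0.0.1 1194
cipher none
ca /etc/openvpn/ca.crt
cert /etc/openvpn/router.crt
key /etc/openvpn/router.key
```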
Bordering on 2008-06-03 11:13 +0100, Errol Samuels implored:
I am currently researching a solution for tunnelling VoIP traffic since VoIP is blocked in the country concerned. It appears that the ISP is targeting OpenVPN and OpenSwan and blocking them so I want to try something different.
...
Has anyone attempted or had any success using stunnel for a similar scenario as I have mentioned?
If you're looking for something that has the familiarity of Stunnel, and you control both endpoints, you can set up a VPN with tappipe:
ftp://stunnel.mirt.net/tappipe/
Using OpenVPN in TCP mode would work too, but you might want to move the port away from the blocks used by your ISP.
Hi Brian,
Thanks for the information.
Which do you think from your experience would have the least overhead, OpenVPN with Stunnel or Tunpipe/Tappipe?
Is there any documentation around for Tunpipe/Tappipe?
Regards,
Errol
-----Original Message-----
From: Brian Hatch [mailto:bri@stunnel.org]
Sent: 03 June 2008 17:38
To: Errol Samuels
Cc: stunnel-users@mirt.net
Subject: Re: [stunnel-users] Is anyone using Stunnel for tunnelling Voip?
Bordering on 2008-06-03 11:13 +0100, Errol Samuels implored:
I am currently researching a solution for tunnelling VoIP traffic since VoIP is blocked in the country concerned. It appears that the ISP is targeting OpenVPN and OpenSwan and blocking them so I want to try something different.
...
Has anyone attempted or had any success using stunnel for a similar scenario as I have mentioned?
If you're looking for something that has the familiarity of Stunnel, and you control both endpoints, you can set up a VPN with tappipe:
ftp://stunnel.mirt.net/tappipe/
Using OpenVPN in TCP mode would work too, but you might want to move the port away from the blocks used by your ISP.
--
Brian Hatch, Systems and Security Engineer, http://www.ifokr.org/bri/
"Carcass removal is one of my specialities." --Brian (spider killer)
Every message PGP signed
Around about 2008-06-03 18:14 +0100, Errol Samuels piped up:
Which do you think from your experience would have the least overhead, OpenVPN with Stunnel or Tunpipe/Tappipe?
The latter.
Is there any documentation around for Tunpipe/Tappipe?
It's in the tarball.
Hello Brian,
Can Stunnel + Tappipe support multiple client connections to one server?
I have several OpenWRT routers that would need to be connected back to the server hosting the Stunnel + Tappipe Server.
Regards,
Errol
-----Original Message-----
From: Brian Hatch [mailto:bri@stunnel.org]
Sent: 04 June 2008 00:33
To: Errol Samuels
Cc: stunnel-users@mirt.net
Subject: Re: [stunnel-users] Is anyone using Stunnel for tunnelling Voip?
Around about 2008-06-03 18:14 +0100, Errol Samuels piped up:
Which do you think from your experience would have the least overhead, OpenVPN with Stunnel or Tunpipe/Tappipe?
The latter.
Is there any documentation around for Tunpipe/Tappipe?
It's in the tarball.
--
Brian Hatch, Systems and Security Engineer, http://www.ifokr.org/bri/
I need to be motherly, and strong, and confident, and ... iambic. --Bree
Every message PGP signed