FOOD FOR THOUGHT: Behind NAT without config on router

turalo

Member
Joined
Oct 10, 2013
Messages
75
Reaction score
1
Hi guys. Long time no see :)

I wanted to ask you if anybody has ever created / succeeded in having a server behind NAT and being able to connect to it from outside.

What I mean is: normally when we are behind NAT we need to open port 5060 to at least be able to register to that server, and other ports to be able to call / hear each other.

But is there a way to register / make calls from extension to extension without touching the router? And I mean without touching it AT ALL.

Now I know that this exists, because years ago I had a company visiting us to sell a PBX system based on some protocols that do not require changing router settings.

You will ask why.

The IDEA is: buy 1 Raspberry Pi, install PIAF on it. Enable encrypted SIP. Create, let's say, 10 extensions for the company that's going to use it. Then create some kind of DynDNS link to it, so that it is reachable via xxx.mydomain.com (example).

Then give every user an iPod with a softphone on it, or a simple Android phone with a softphone on it, no telco SIM, or maybe only an internet SIM card.

Then let's say, today the company is in New York. They put the Raspberry on power and LAN cable, wait a few minutes until it starts. Then all users can start their softphone wherever they are, and call each other, or make a conference call. This is only for internal talks, not external. So, just extension to extension. But extensions can and will be outside NAT, most of the time.

Then when they finish, they just turn off the phones, and take the Raspberry off the power.

So basically it will be a mobile, untappable, secure way of communication for a closed group of people. This way they will be 99% sure nobody can listen to what they are saying.

So, basically there are 2 problems. The first is dynamic DNS, which I thought was easily solvable.
And the second is the NAT. This group of people work mostly from 1-day hire conference rooms, or hotels, so they will not have any access to routers. So it must work without doing anything on the NAT or router.

anybody any IDEA ? :)
 

dziny

Guru
Joined
Sep 4, 2014
Messages
45
Reaction score
19
The thing that makes this unworkable is that you want to carry the PBX with you. Every hotel/conference etc. has its network configured differently, yet you want to be able to reach that PBX by the softphones. That's incredibly optimistic. Especially since you have no access to the corresponding routers. Also the quality of internet at these locations is variable and a PBX definitely needs a solid pipe you cannot guarantee. Forget about it. Make the PBX fixed (could be on a good connection in your location/work or in a cloud) and then register the softphones to it. For security use VPN or TLS with SRTP.
 

henry

Member
Joined
Apr 2, 2014
Messages
99
Reaction score
30
Device behind a router = non-routable IP address.
Hence - in general terms - cannot be done...
 

turalo

Member
Joined
Oct 10, 2013
Messages
75
Reaction score
1
We gotta go step by step here :)
Just to clear things up: I've been in the VoIP and IT business for more than 10 years, working for a known IT and telco company.
So you can be sure that I do have enough knowledge of the basics of VoIP, networks etc...

1. Networks configured differently: yes, but I will put the PBX on DHCP.
2. No access to routers: that's the whole point.
3. Quality is very good here in Europe. In Europe we have at least 5-10 Mb speeds, actually much higher, but at least 5-10. So that will not be a problem.
4. Security: the whole point is that the PBX will not be in static places / on a static IP, which makes it vulnerable to attackers / governments etc...
That's why it's not only just VPN etc... but must be dynamic. That's why I suggested maybe something with dynamic DNS, so the domain that will be used will be pointing each time to the right IP address.
And when the conference or talks are done, the power goes off the box and tadaaa, nobody will have time to try to hack it. Next time it will be a different place and the box will be in the hands of the owner, so he can feel safe :)


So the idea is to find a way to pass this. Keep in mind I have public IP addresses in datacenters, I have servers, VPN servers, and all different types of servers, in different places. So if anyone has any idea how to put this to work.

The point is simple: communication must not be tappable. That's the whole point.
When the server is on a static IP and always online, there is plenty of time to break in. Also a static IP means that governments can just put a tap on it. But if the box moves all the time, that will not be as easy. So basically it will be more secure.

There must be a way to do this, I know there are companies doing it. As I said, I had this one company visiting us years ago. Their system worked based on Flash or something like that, so the traffic was just passing.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
The concepts to make it doable are pretty basic and google-able. Many P2P type products do it, usually with a public arbiter/hub of some sort, but if all endpoints are known, even just by name, it could be done without the hub. But... it could NEVER be anywhere close to 100% through all firewalls, double NAT scenarios, etc., without allowing a fallback to a central, accessible server that can relay traffic as a last resort.

It's not something that can be done with Asterisk without investing some time and code.
 

dziny

Guru
Joined
Sep 4, 2014
Messages
45
Reaction score
19
4. Security: the whole point is that the PBX will not be in static places / on a static IP, which makes it vulnerable to attackers / governments etc...
That's why it's not only just VPN etc... but must be dynamic. That's why I suggested maybe something with dynamic DNS, so the domain that will be used will be pointing each time to the right IP address.
And when the conference or talks are done, the power goes off the box and tadaaa, nobody will have time to try to hack it. Next time it will be a different place and the box will be in the hands of the owner, so he can feel safe :)
Sorry, but this is the most ridiculous concept of security I have ever heard. Internet IP addresses are constantly scanned looking for open ports. You connect a device and within a few hours it will be hit by attacks. You want security? You configure a firewall, encrypt all communications (VPN, TLS/SRTP), implement fail2ban, don't expose the web portal to the public etc. That's security. You mitigate all possible vectors of attack. Not "praying" that the device will be connected for a short time so that the attacks won't come. They will. Always.
 

turalo

Member
Joined
Oct 10, 2013
Messages
75
Reaction score
1
Sorry, but this is the most ridiculous concept of security I have ever heard. Internet IP addresses are constantly scanned looking for open ports. You connect a device and within a few hours it will be hit by attacks. You want security? You configure a firewall, encrypt all communications (VPN, TLS/SRTP), implement fail2ban, don't expose the web portal to the public etc. That's security. You mitigate all possible vectors of attack. Not "praying" that the device will be connected for a short time so that the attacks won't come. They will. Always.



There you said it :) "within a few hours". The idea behind this is fast communication between colleagues. It's not about talking for hours, it's about 5-15 minutes tops. It means the main person has the box, he wants to speak to somebody or the whole group, he sends a signal via SMS etc... to the person saying: talk in 5 minutes.
Then he puts the box on power and LAN. The box starts; let's say startup will take max 5 minutes. The next 10 minutes they talk. Then the box is gone.

And of course:
1. The box will not have any webserver, any open ports, only SSH and only to a specified local address or something in that fashion. There will be fail2ban, although behind a non-configured router the chance of being hit is 95% less.
SIP traffic will go over VPN (if needed) and will be encrypted SIP. So basically
it will be 99.9% safe.
The only way to get to it would be through compromising one of the users by corruption or whatever :)))
So, if I get the registration and voice to work, the rest is 100% covered.

SIP encryption and over VPN will make it almost, let's say 99.9%, safe against the PROVIDERS and OFFICIAL tappers, and all the rest will keep it hidden, so even in that 10-20 minutes the chance that it will get hacked is lowered by 99%.

And the fine thing is, the users are technically and also psychologically safe, because they also know that as long as the box is offline, nothing can happen to it.
 

henry

Member
Joined
Apr 2, 2014
Messages
99
Reaction score
30
I think you should start with looking at the technology behind Tor.
Silk Road survived 2.5 years running 24/7.
Your 10 minutes chats will be invincible...

And then just build a plain vanilla PBX on top of it.
This way you have at least the RIGHT security protocol in place.

Also, keep in mind that 75%+ of breaches are from "insiders" - former
employees, disgruntled employees, boyfriends, girlfriends, etc.
 

turalo

Member
Joined
Oct 10, 2013
Messages
75
Reaction score
1
I think you should start with looking at the technology behind Tor.
Silk Road survived 2.5 years running 24/7.
Your 10 minutes chats will be invincible...

And then just build a plain vanilla PBX on top of it.
This way you have at least the RIGHT security protocol in place.

Also, keep in mind that 75%+ of breaches are from "insiders" - former
employees, disgruntled employees, boyfriends, girlfriends, etc.



I hear what you're saying, but the TOR part does not give me any peace of mind. I'm a person that just knows too much about too many things, as they say sometimes :))) Or in other words, I don't believe in TOR being what it / they say it is. I'm coming from the times of the SSSR and have also seen many things in many countries, which tell me that the whole of TOR is just a joke to easily find those that want to hide.
I don't believe in fairytales. I know that if there is TOR it means governments or special organizations already have full control of it; otherwise they would never let anybody use it. Now, why did Silk Road survive? I don't think it did :) I know only stories where people got caught because they were there, and were also on TOR :)))
And the other stories, I don't know, I never experienced them, so for me there is no value in TOR while thousands of companies just have and sell very cheaply complete profiles of computers / persons, etc... And by profile I mean really a profile, including your low-level hardware info, which makes it almost impossible to hide, even if you are on TOR.
 

henry

Member
Joined
Apr 2, 2014
Messages
99
Reaction score
30
Paranoid is good. But somewhere you have to draw the line in the sand.
If you start with the search of mathematically proven privacy, there is no bottom in that rabbit hole...
 
Joined
Jul 28, 2011
Messages
162
Reaction score
48
Not possible without some sort of proxy in the middle to accept incoming connections from your PBX and your phones.

Without incoming NAT on either the phone side or the PBX side, the two cannot establish a connection. Period.

If you had some company demo a product that did what you are describing, they were running some sort of web service somewhere that the PBX and the phones connected to.
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
Not possible without some sort of proxy in the middle to accept incoming connections from your PBX and your phones.

Without incoming NAT on either the phone side or the PBX side, the two cannot establish a connection. Period.

Not entirely true.

Most such services (and there are many) rely on a central public moderator service and UDP hole punching. The moderator usually only lets each client know the address of the other and then steps back; the clients communicate directly with each other. For a closed set of devices, all with DynDNS names that are known to each other, clients could easily do their own UDP hole punching without a moderator. It's not really all that difficult.

UDP hole punching is not a 100% reliable thing though. Some firewall configs will not allow it. Without a publicly accessible fallback host to relay traffic it would never be 100% (probably 90%+ though).

But again, it's not something that can be done with Asterisk without investing some time and code.
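The moderator-assisted exchange described in the post above, and the firewall caveat that follows it, as a constructed Python model (added here, not code from the thread, from Asterisk or from any product). The NAT class, the `punch`/`connect` functions and the addresses are all assumptions: a "cone" NAT keeps one public port per internal socket, a "symmetric" NAT allocates a fresh port per destination, and a third host plays the moderator that only reports what it sees.

```python
# Constructed model of moderator-assisted UDP hole punching (not the thread's or
# Asterisk's code). "cone" NATs keep one public port per internal socket;
# "symmetric" NATs allocate a fresh port per destination, which defeats the punch.

class Nat:
    def __init__(self, public_ip, kind="cone"):
        self.public_ip = public_ip
        self.kind = kind                # "cone" or "symmetric"
        self.next_port = 40000
        self.mappings = {}              # mapping key -> public port
        self.allowed = set()            # (public port, remote addr) opened by outbound traffic

    def outbound(self, local_port, dst):
        """Translate an outbound packet; return the public (ip, port) it leaves with."""
        key = local_port if self.kind == "cone" else (local_port, dst)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        pub_port = self.mappings[key]
        self.allowed.add((pub_port, dst))   # port-restricted: only dst may answer here
        return (self.public_ip, pub_port)

    def inbound(self, pub_port, src):
        """Admit an inbound packet only through a pinhole that outbound traffic opened."""
        return (pub_port, src) in self.allowed


MODERATOR = ("203.0.113.10", 3478)      # constructed address of the public rendezvous host

def punch(kind_a, kind_b):
    """Run the exchange once; True if each side's probe passes the other side's NAT."""
    nat_a, nat_b = Nat("198.51.100.1", kind_a), Nat("198.51.100.2", kind_b)
    # 1. both clients register with the moderator from local port 5060; the moderator
    #    records the public address each packet arrived from
    a_pub = nat_a.outbound(5060, MODERATOR)
    b_pub = nat_b.outbound(5060, MODERATOR)
    # 2. the moderator tells each client the other's public address and steps back
    # 3. both clients probe the learned address; even a dropped probe opens a pinhole
    #    on the sender's NAT (real clients retry until both sides have sent)
    a_src = nat_a.outbound(5060, b_pub)
    b_src = nat_b.outbound(5060, a_pub)
    # 4. a probe gets through only if the far NAT already holds a pinhole for it
    return nat_b.inbound(b_pub[1], a_src) and nat_a.inbound(a_pub[1], b_src)

def connect(kind_a, kind_b):
    """Direct path when the punch works, otherwise the relay both sides can reach outbound."""
    return "direct" if punch(kind_a, kind_b) else "relay"
```

With a symmetric NAT on either side the address the moderator reported is not the port the probe actually leaves from, so the far side's pinhole never matches and only the relay path remains.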
 
