FOOD FOR THOUGHT New PBX Setup - Securing Calls without VPN

markd89

Member
Joined
Sep 3, 2013
Messages
97
Reaction score
9
Hi,

On my current Purple system at RentPBX, I am using TravelinMan and Neorouter. All traffic between extensions and the PBX goes over Neorouter. This works pretty well, but I don't like that Neorouter latency increases if I push other traffic over it.

I'm going to setup a new PBX on Vultr. I'm thinking about securing the traffic between extensions and PBX using Port Knocking and SRTP without a VPN. The thinking being that I'll get less latency that way and still keep out bad people and protect the privacy of calls. Maybe I'd configure OpenVPN as well for everything other than calls.

Does that make sense? Any ideas for improvements?

Thanks!
Mark
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
How much extra latency is neorouter introducing, ie, ping public_ip vs ping vpn_ip? Is neorouter set for udp/tcp P2P or relay? Where is neorouter running on the endpoint side pf the connection?

At the end of the day, VPN vs SRTP should be doing about the same workload encrypting/decrypting packets.

Exceptions could be if neorouter is relaying, or neorouter is running on an under-powered device like an older router.
 

markd89

Member
Joined
Sep 3, 2013
Messages
97
Reaction score
9
How much extra latency is neorouter introducing, ie, ping public_ip vs ping vpn_ip? Is neorouter set for udp/tcp P2P or relay? Where is neorouter running on the endpoint side pf the connection?

At the end of the day, VPN vs SRTP should be doing about the same workload encrypting/decrypting packets.

Exceptions could be if neorouter is relaying, or neorouter is running on an under-powered device like an older router.

The Neorouter server is running on RentPBX. Neorouter is setup to relay. Maybe that's the issue. I haven't opened router ports for P2P and not sure if it is possible in my configuration. The extensions are Debian PCs with iptables and one Android phone which also has iptables. I think their documentation said that you can't use iptables and p2p mode.

During a call. From my location, I can ping the RentPBX server and get about 50ms. Pinging the same server over Neorouter adds about 100ms. If I push something else over the VPN at the same time, I get another 50-100 ms latency. It seems to be worse over lower bandwidth connections.

What you you think?

I apreciate your help.

Thanks,
Mark
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
The Neorouter server is running on RentPBX. Neorouter is setup to relay. Maybe that's the issue. I haven't opened router ports for P2P and not sure if it is possible in my configuration. The extensions are Debian PCs with iptables and one Android phone which also has iptables. I think their documentation said that you can't use iptables and p2p mode.
The relay is at least part of the problem.

The udp P2P hole punching technique should work with most client iptables rulesets unless they drop everything on the INPUT chain without any state (RELATED, ESTABLISHED) rules. That would be unusual.

Not that there is anything wrong with the proposed solution, but it's good to know where the problem really is.
 

markd89

Member
Joined
Sep 3, 2013
Messages
97
Reaction score
9
The relay is at least part of the problem.

The udp P2P hole punching technique should work with most client iptables rulesets unless they drop everything on the INPUT chain without any state (RELATED, ESTABLISHED) rules. That would be unusual.

Not that there is anything wrong with the proposed solution, but it's good to know where the problem really is.

Thanks, jerrm.

I hadn't heard about udp hole punching. I did a web search and now I know a little.

Do you have any guidance (or better rules) for what would help Neorouter go P2P?

Thanks again,
Mark
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
It's hard to say working blind, but generally UDP "just works" if the dev has implemented properly. There are a lot of variables - firewall rules on the client and any border router/firewall come into play, but if you have control over those elements any issues should be surmountable.

I've only kicked the tires on neorouter one afternoon, so can't comment on any specific setup it may need or quirks it may have.

Since the pbx itself is public and static, there should be no issues with OpenVPN. A VPN would allow access to UCP and anything else on the PBX server without having those services directly exposed to the wild (or messing with port knocking or dyndns whitelisting).

Otherwise, the SIP/tls and SRTP solution is OK. Combined with @wardmundy's "public" server rules you should be fine.
 

Members online

Forum statistics

Threads
25,782
Messages
167,509
Members
19,202
Latest member
pbxnewguy
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Top