The PPTP VPN solution for avoiding VOIP block
EASY3CALL TECHNOLOGY LIMITED
The PPTP VPN will make your VOIP service non-blocking and safe.
Index
1 The Normal VOIP Usage
2 The SIP Proxy inside the PPTP
3 The SIP Proxy outside the PPTP
4 Step by step setup guide for a PPTP solution
4.1 How to make GIP300 to work with PPTP
4.2 How to set up a PPTP VPN Server with Linux
4.2.1 The OPENSER setup
4.2.2 The configuration for PPTPD
4.2.3 Start your services
4.2.4 Enable packet forwarding
4.2.5 Stop your services
4.2.6 Clients configuration
4.3 Sip Proxy outside the PPTP VPN network
4.3.1 How to setup gip300 to work in this instance
4.3.2 How to setup the server side
5 Summary
FIGURE 1 The normal VOIP usage
FIGURE 2 Put all device in a PPTP VPN
FIGURE 3 GIP300 and SIP Server all in a PPTP VPN
FIGURE 5 The GIP300 Sip Only Route Strategy
FIGURE 6 ENABLE the SIP account with VPN
FIGURE 7 Install the PPTP server and SIP Proxy in same computer
FIGURE 9 The GIP300 'ALL' Route Strategy
1 The Normal VOIP Usage

FIGURE 1 The normal VOIP usage
Generally speaking, all terminals use their real IP addresses to register to the SIP proxy. All your information is transferred unencrypted over the Internet, so someone can easily steal your personal information. For example, someone can intercept your packets and decode them back into the original voice. There is another problem as well: in some countries providing VOIP service is not allowed, so you cannot use VOIP services because the network providers block all your VOIP packets.
2 The SIP Proxy inside the PPTP

FIGURE 2 Put all device in a PPTP VPN
In the above diagram there is a PPTP or L2TP VPN server on the Internet. All devices connect to the VPN server and receive a virtual IP address with a certain username and password. And the VPN server has its own virtual IP.
In the diagram, GIP300 A uses virtual IP 10.10.0.11 to register to the SIP proxy with IP 10.10.0.12. All the packets are sent to the VPN server and then forwarded to their destination. All devices exchange information through the VPN network and all packets are encrypted, so it is safe to provide VOIP over the VPN. Everyone must log in to the VPN server before using your VOIP service, so it is easy to control the network and reject anyone who wants to destroy your service.

FIGURE 3 GIP300 and SIP Server all in a PPTP VPN
Furthermore, there is another advantage to using a VPN. As all the packets are encrypted, no one knows what you transfer on the cable, so it is not easy to block your voice packets and service.
3 The SIP Proxy outside the PPTP


In this strategy, the PPTP server works as a NAT router between the PPTP private network and the Internet. The SIP Proxy can be any normal SIP Proxy, for example, the FWD proxy.
This strategy is mainly meant to solve the VOIP block problem. Packet monitoring and blocking usually happen on the access network, for example the ADSL access network or the dial-up access network. There is no blocking in the backbone network, so packets from the PPTP server to the SIP Proxy are generally safe.
This strategy is very useful for ITSPs that cannot put all their devices, including the SIP Proxy and Media Gateway, in a PPTP VPN.
4 Step by step setup guide for a PPTP solution
4.1 How to make GIP300 to work with PPTP
It is easy to use PPTP with the GIP300; you just need to do two steps.
First, use your web browser to log in to the GIP300.
Select Network configuration, as in the picture below:

FIGURE 5 The GIP300 Sip Only Route Strategy
GIP300 supports three types of VPN; here you should select PPTP.
Set the PPTP server address (you may ask your service provider for your PPTP server address).
Set the PPTP server port to 1723.
Set your username and password (you may ask your service provider for the username and password).
Set your SIP proxy address to 10.10.0.1 (you may ask your service provider for your SIP proxy address).
See the GIP300 web configuration picture below for the settings:

FIGURE 6 ENABLE the SIP account with VPN
Save your settings and reboot the device.
When the GIP300 starts, it connects to the PPTP server and logs in to receive a virtual IP address such as 10.10.0.11. It then uses this IP to register to SIP proxy 10.10.0.12 through an encrypted tunnel. When you call someone, all your voice packets go through the encrypted tunnel too. That is to say, all your voice packets are sent to VPN server 10.10.0.1 through the encrypted tunnel and are then forwarded to the final destination.
4.2 How to set up a PPTP VPN Server with Linux
If you are the service provider and you want to use a VPN with your VOIP service, you can use PPTPD on a Linux/Unix platform, or you can simply use a Windows server, since Windows itself contains PPTP support.
Here I provide the detailed configuration for building a PPTP server with Linux. It also includes a setup guide for OPENSER, which you can use as the SIP Proxy for testing.
The network diagram is as follows:

FIGURE 7 Install the PPTP server and SIP Proxy in same computer
Here the SIP proxy and the PPTP server are installed on the same machine.
The software platform is free:
Debian etch (Debian version 4.0, code name etch)
Openser (Debian package), or you may want to use Asterisk
Pptpd (Debian package)
Step 1
Install Debian GNU/Linux on your server.
Step 2
apt-get install openser pptpd
After step 2 all packages are installed.
Step 3
Configure your software.
4.2.1 The OPENSER setup
Edit /etc/default/openser
RUN_OPENSER=no
Change this line to
RUN_OPENSER=yes
Edit /etc/openser/openser.cfg
If you don't want to use the default port 5060, you may change it like this:
#port=5060
port=53
4.2.2 The configuration for PPTPD
Edit /etc/pptpd.conf
At the end of this file you may see something like this:
#localip 192.168.0.1
#remoteip 192.168.0.234-238,192.168.0.245
# or
#localip 192.168.0.234-238,192.168.0.245
#remoteip 192.168.1.234-238,192.168.1.245
Change it to this:
localip 10.10.0.1
remoteip 10.10.0.2-238
The lines above mean the PPTP server's virtual IP will be 10.10.0.254 and the terminals that connect to the PPTP server will receive an IP from 10.10.0.2 to 10.10.0.238.
Edit /etc/ppp/pptpd-options
If you want to encrypt your packets, you need settings like the following:
# {{{
refuse-pap
refuse-chap
refuse-mschap
# Require the peer to authenticate itself using MS-CHAPv2 [Microsoft
# Challenge Handshake Authentication Protocol, Version 2] authentication.
require-mschap-v2
# Require MPPE 128-bit encryption
# (note that MPPE requires the use of MSCHAP-V2 during authentication)
require-mppe-128
# }}}
The settings above mean the tunnel will use the mppe-128 algorithm to encrypt your packets.
Then add your VPN usernames and passwords.
Edit /etc/ppp/chap-secrets
Add lines like these:
"111" pptpd "111" 10.10.0.23
"222" pptpd "222" 10.10.0.24
"333" pptpd "333" 10.10.0.25
"444" pptpd "444" 10.10.0.26
"555" pptpd "555" 10.10.0.27
"666" pptpd "666" 10.10.0.28
"777" pptpd "777" 10.10.0.29
"888" pptpd "888" 10.10.0.30
The lines above mean that VPN username 111 has password 111 and will be assigned IP 10.10.0.23;
username 222 has password 222 and will be assigned IP 10.10.0.24.
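The following check is an added example, not part of the original document or of pptpd itself. It audits the three files edited above, using constructed samples that mirror them, for missing pptpd-options directives, for chap-secrets entries whose secret equals the username or is shorter than an assumed 12-character policy, and for static addresses outside the remoteip range. Secret strength matters because the MPPE keys are derived from the MS-CHAPv2 password. The function names and MIN_SECRET_LEN are hypothetical.

```python
import ipaddress
import re
import shlex

# Constructed samples mirroring the files edited in section 4.2.2.
PPTPD_CONF = "localip 10.10.0.1\nremoteip 10.10.0.2-238\n"
PPTPD_OPTIONS = "refuse-pap\nrefuse-chap\nrefuse-mschap\nrequire-mschap-v2\nrequire-mppe-128\n"
CHAP_SECRETS = '"111" pptpd "111" 10.10.0.23\n"222" pptpd "222" 10.10.0.24\n'

REQUIRED = ("refuse-pap", "refuse-chap", "refuse-mschap",
            "require-mschap-v2", "require-mppe-128")
MIN_SECRET_LEN = 12  # assumed policy value, not taken from the page

def active_lines(text):
    """Return non-empty lines with '#' comments stripped."""
    stripped = (line.split("#", 1)[0].strip() for line in text.splitlines())
    return [line for line in stripped if line]

def remote_pool(conf):
    """Expand 'remoteip 10.10.0.2-238,10.10.0.245' into a set of integer addresses."""
    pool = set()
    for value in re.findall(r"^\s*remoteip\s+(\S+)", conf, re.M):
        for part in value.split(","):
            first, _, last = part.partition("-")
            start = int(ipaddress.IPv4Address(first))
            # "a.b.c.X-Y" means last octets X..Y on the same /24
            end = start - (start & 0xFF) + int(last) if last else start
            pool.update(range(start, end + 1))
    return pool

def audit(conf, options, secrets):
    """Return a list of findings for pptpd.conf, pptpd-options and chap-secrets."""
    present = set(active_lines(options))
    findings = [f"pptpd-options: missing {o}" for o in REQUIRED if o not in present]
    pool = remote_pool(conf)
    for line in secrets.splitlines():
        fields = shlex.split(line, comments=True)  # client server secret [addresses]
        if len(fields) < 3:
            continue
        user, secret = fields[0], fields[2]
        if secret == user:
            findings.append(f"chap-secrets: {user}: secret equals username")
        elif len(secret) < MIN_SECRET_LEN:
            findings.append(f"chap-secrets: {user}: secret under {MIN_SECRET_LEN} chars")
        for ip in fields[3:]:
            if ip not in ("*", "-") and int(ipaddress.IPv4Address(ip)) not in pool:
                findings.append(f"chap-secrets: {user}: {ip} outside remoteip range")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PPTPD_CONF, PPTPD_OPTIONS, CHAP_SECRETS)))
```

To audit a live server, pass the contents of /etc/pptpd.conf, /etc/ppp/pptpd-options and /etc/ppp/chap-secrets to audit() instead of the samples.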
4.2.3 Start your services
Use this command to start PPTPD:
/etc/init.d/pptpd restart
Use this command to start openser:
/etc/init.d/openser restart
You may want to wait until the virtual IP is ready (when one client has connected to PPTPD) and then start openser, so that openser binds to the virtual IP address.
4.2.4 Enable packet forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward
4.2.5 Stop your services
/etc/init.d/pptpd stop
/etc/init.d/openser stop
4.2.6 Clients configuration
GIP300 No.1
set PPTP server address to 63.233.189.104 (your PPTP server IP address)
set PPTP server port 1723
set username as 111
set password as 111
set sip proxy IP as 10.10.0.1
set sip proxy port as 53 (we set it to 53 in the configuration file above)
enable VPN
set phone number 111 (or any number you would like to set)
username 111 (or any username you would like to set)
password 111 (or any password you like)
GIP300 No.2
set PPTP server address to 63.233.189.104
set PPTP server port 1723
set username as 222
set password as 222
set sip proxy IP as 10.10.0.1
set sip proxy port as 53 (we set it to 53 in the configuration file above)
enable VPN
phone number 222 (or any number you would like to set)
username 222 (or any username you would like to set)
password 222 (or any password you like)
Then save and reboot the two IP phones.
After rebooting and registration they can call each other.
Notice: This is only a test environment. OPENSER will not authenticate any user, so everyone with a VPN username and password can use the VOIP service. That means anyone in the VPN network can use your VOIP service. You may want to use OPENSER with MYSQL or POSTGRESQL to authenticate your VOIP users. If you want to learn more, please refer to http://openser.org/
4.3 Sip Proxy outside the PPTP VPN network
Some service providers do not want to put the SIP proxy in the PPTP VPN. The network may look like the one below:


4.3.1 How to setup gip300 to work in this instance
You just need to change the VPN network setup as shown in FIGURE 9, the GIP300 'ALL' Route Strategy.

FIGURE 9 GIP300 'ALL' Route Strategy
4.3.2 How to setup the server side
In this case, the PPTP server should forward all packets, whether to the SIP server or to the media gateway.
vax:/proc/sys/net/ipv4# echo 1 > ip_forward
vax:/proc/sys/net/ipv4#
vax:/proc/sys/net/ipv4# iptables -t nat -A POSTROUTING -s 10.10.0.0/24 -o eth0 -j MASQUERADE
Then everything is set. You do not need to change anything on the SIP server or the media gateway.
5 Summary
The PPTP/L2TP VPN can work well with the SIP proxy. To establish a PPTP/L2TP VPN to protect your VOIP service, you need IP Phones or ATAs that support the PPTP/L2TP client, and you can build a PPTP/L2TP server with Linux.
There are two strategies for establishing your SIP+PPTP network. With strategy one, you put all devices, including the SIP Proxy and media gateway, in the PPTP VPN network. You will get the best security with this strategy.
With strategy two, you put only the IP Phones or ATAs in the PPTP VPN. The VPN server works as a NAT router in this instance. The SIP Proxy and media gateway need not be in the PPTP VPN network. You get the best flexibility with this strategy.
All E3CALL products, including GIX100/GIX101 ATAs and GIP300/GIP300P IP Phones, support PPTP/L2TP VPN client functions. You can establish a PPTP solution easily with E3CALL products.
download for full document with images http://www.e3call.com/documents/The%20PPTP%20VPN%20solution%20for%20avoiding%20VOIP%20block.doc