Simple TLS Gateway

Well, 2020 is certainly a strange year… Some of us have been working from home for a very long time while others are now just understanding the benefits. Of course, when a drastic change in work environment becomes a forced change, the implementation can be quite daunting.

Let’s look at telephony for example.

Many small, medium, and even enterprise PBX deployments have been designed to only allow endpoints (aka phones) to connect from within the local network.

So, how can you allow remote connectivity to your PBX without changing your PBX?

Enter Kamailio —
The Open Source SIP Server

Kamailio® (successor of former OpenSER and SER) is an Open Source SIP Server released under GPL, able to handle thousands of call setups per second. Kamailio can be used to build large platforms for VoIP and realtime communications – presence, WebRTC, Instant messaging and other applications. Moreover, it can be easily used for scaling up SIP-to-PSTN gateways, PBX systems or media servers like Asterisk™, FreeSWITCH™ or SEMS.

One feature that truly shines for our work-from-home scenario is Kamailio's bridging capability. Kamailio can bridge TLS (secure) connections from the outside world (aka work from home) to UDP "connections" on the local network (aka to the PBX).

By combining Kamailio with RTPengine, you can also bridge secure audio (SRTP) on the outside to normal audio (RTP) on the inside.

Basic Concept

Basic Visual Concept of TLS/SRTP Bridge

In the diagram, replace PBXIP with your PBX's IP address, and substitute your own public IP, private IP and domain as well. You can easily use Let's Encrypt to get an SSL certificate for your domain.

Endpoints appear to the PBX as on the local network. In most cases, no configuration changes would be needed to your PBX whatsoever.

Example Config

I’ve posted an example TLS/SRTP bridge config on my github repo.
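The sketch below is an added illustration of the bridge described above, not the config from the author's repo. PUBLIC_IP, PRIVATE_IP, PBXIP and DOMAIN are placeholders, and it assumes an RTPengine control socket on 127.0.0.1:2223 and a Let's Encrypt certificate under /etc/letsencrypt/live/DOMAIN/.

```kamailio
# Added example, not the author's published config. Placeholders: PUBLIC_IP, PRIVATE_IP,
# PBXIP (the PBX), DOMAIN (the Let's Encrypt name). RTPengine assumed on 127.0.0.1:2223.
listen=tls:PUBLIC_IP:5061 advertise DOMAIN:5061   # endpoints working from home
listen=udp:PRIVATE_IP:5060                        # PBX side, local network only
enable_tls=yes

loadmodule "tm.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "maxfwd.so"
loadmodule "textops.so"
loadmodule "siputils.so"
loadmodule "nathelper.so"
loadmodule "tls.so"
loadmodule "rtpengine.so"

modparam("tls", "private_key", "/etc/letsencrypt/live/DOMAIN/privkey.pem")
modparam("tls", "certificate", "/etc/letsencrypt/live/DOMAIN/fullchain.pem")
modparam("rtpengine", "rtpengine_sock", "udp:127.0.0.1:2223")

request_route {
    if (!mf_process_maxfwd_header("10")) { sl_send_reply("483", "Too Many Hops"); exit; }
    # Only the PBX may talk to the UDP side; everything else has to arrive over TLS.
    if ($proto == "udp" && $si != "PBXIP") { sl_send_reply("403", "Forbidden"); exit; }

    if (has_totag()) {                       # in-dialog (ACK, BYE, re-INVITE, ...)
        if (loose_route()) { route(MEDIA); route(RELAY); }
        sl_send_reply("404", "Not Here"); exit;
    }
    if (is_method("CANCEL")) { if (t_check_trans()) route(RELAY); exit; }

    record_route();                          # keep the proxy in the path for the whole dialog
    if ($proto == "tls") {
        if (is_method("REGISTER")) add_contact_alias();   # remember the endpoint's TLS address
        $du = "sip:PBXIP:5060;transport=udp";             # endpoint -> PBX
    } else {
        handle_ruri_alias();                              # PBX -> endpoint, restores the TLS address
    }
    route(MEDIA);
    route(RELAY);
}

route[MEDIA] {                               # SRTP on the TLS side, plain RTP on the PBX side
    if (!is_method("INVITE|UPDATE") || !has_body("application/sdp")) return;
    if ($proto == "tls") rtpengine_manage("RTP/AVP replace-origin replace-session-connection ICE=remove");
    else rtpengine_manage("RTP/SAVP replace-origin replace-session-connection");
}

route[RELAY] { if (!t_relay()) sl_reply_error(); exit; }

onreply_route { route(MEDIA); }              # answers are bridged the same way, by arrival transport
```

In route[MEDIA], $proto is the transport the message arrived on, so a message from the TLS side is always rewritten towards plain RTP and one from the PBX towards SRTP, for requests and replies alike.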

Hope this helps you… if you have any questions, comments, please don’t hesitate to reach out.


6 Comments

Mosi 2020-07-17 Reply

Hello,
Very nice, thank you for sharing! I have noticed a strange behaviour, though. In the case of an incoming call coming to the IPBX (from a mobile phone through a PSTN gw), forwarded to the bridge then to the UAC, once the UAC answers, if the BYE is initiated by the UAC, the other end (the phone behind the PSTN gw) doesn't receive a BYE and is still connected.

In any other case (incoming call from PSTN hang up by the mobile phone, outgoing call from the UAC to the PSTN hang up by the UAC, outgoing call from the UAC to the PSTN hang up by the mobile phone).

So it is only in the case of an incoming call hung up by the UAC that the BYE gets lost.

If you have any clue…

Thanks and regards,
Mosi

Fred Posner 2020-07-21 Reply

Not seeing that on my testing… looking at a pcap would help.

Mosi 2021-04-19 Reply

Hello,
Sorry for the late reply, it was only a question of missing loose routing (so the ACK was not sent to the TLS bridge).

Yet, in the case of a reINVITE (for example if the call is put on hold), it seems that RTP Engine writes the SDP twice (exactly the same thing twice). I have tried calling RTP Engine with loop-protect, but it didn't help.

Have you noticed that?

Thanks and regards,
Mosi

Mosi 2021-04-19 Reply

Actually, when I add a record_route() in the main route so that the TLS proxy always remains in the path (for ACK, BYE and… reINVITE), that's how I get the issue: the reINVITE sent from the UAC arrives at the TLS proxy (on the TLS interface) and is forwarded to the PBX (from the UDP interface of the TLS proxy).

But this reINVITE sent to the PBX, after having gone through the TLS proxy, contains the SDP duplicated:
v=0
o=me 1726 1734 IN IP4 1.2.3.4
s=Talk
c=IN IP4 1.2.3.4
t=0 0
m=audio 41968 RTP/AVP 0 8 3 18 101

v=0
o=me 1726 1734 IN IP4 1.2.3.4
s=Talk
c=IN IP4 1.2.3.4
t=0 0
m=audio 41968 RTP/AVP 0 8 3 18 101

It is exactly the same SDP payload twice, and many SIP clients don't like that. Any clue why?
Thanks !
Mosi

Juan Gonzaelz 2020-12-16 Reply

Great, thank you. Is it possible to log in from WebRTC too, or does that need very advanced changes in the current code?

Fred Posner 2020-12-28 Reply

You could use this with WebRTC using the websockets module and some additional listening actions / rtpengine mods.
