Simple TLS Gateway

Well, 2020 is certainly a strange year… Some of us have been working from home for a very long time while others are now just understanding the benefits. Of course, when a drastic change in work environment becomes a forced change, the implementation can be quite daunting.

Let’s look at telephony for example.

Many small, medium, and even enterprise PBX deployments have been designed to only allow endpoints (aka phones) to connect from within the local network.

So, how can you allow remote connectivity to your PBX without changing your PBX?

Enter Kamailio —
The Open Source SIP Server

Kamailio® (successor of former OpenSER and SER) is an Open Source SIP Server released under GPL, able to handle thousands of call setups per second. Kamailio can be used to build large platforms for VoIP and realtime communications – presence, WebRTC, Instant messaging and other applications. Moreover, it can be easily used for scaling up SIP-to-PSTN gateways, PBX systems or media servers like Asterisk™, FreeSWITCH™ or SEMS.

One feature that truly shines for our work from home scenario is Kamailio’s bridging capability. Kamailio can bridge TLS (secure) connections from the outside world (aka work from home) to UDP “connections” on the local network (aka to the PBX).

By combining Kamailio with RTPengine, you can also bridge secure audio (SRTP) on the outside to normal audio (RTP) on the inside.

Basic Concept

Basic Visual Concept of TLS/SRTP Bridge

In the concept above, replace PBXIP with your PBX’s IP address, and the public, private, and domain values with your own. You can easily use Let’s Encrypt to get an SSL certificate for your domain.

Endpoints appear to the PBX as if they were on the local network. In most cases, no configuration changes would be needed to your PBX whatsoever.
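To confirm the bridge behaves as described, you can compare one INVITE captured on each side of the gateway. The script below is an added example, not taken from the example config or from Kamailio/RTPengine: it checks that the outside leg is TLS with keyed SRTP and the inside leg is UDP with plain RTP. It assumes SDES keying (a=crypto lines in the SDP), and the sample messages, addresses and key are constructed.

```python
# Added example. Messages are constructed; addresses are documentation ranges.
# Assumes SDES keying (a=crypto in SDP); DTLS-SRTP fingerprints are not checked.
SECURE = {"RTP/SAVP", "RTP/SAVPF", "UDP/TLS/RTP/SAVP", "UDP/TLS/RTP/SAVPF"}

def parse_leg(msg):
    """Return (top Via transport, [[media profile, has_sdes_key], ...])."""
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    via = next(l for l in head.split("\n") if l.lower().startswith(("via:", "v:")))
    transport = via.split(":", 1)[1].split()[0].split("/")[2].upper()
    media = []
    for line in body.split("\n"):
        if line.startswith("m="):            # m=<media> <port> <profile> <fmt>
            media.append([line.split()[2], False])
        elif media and line.startswith("a=crypto:"):
            media[-1][1] = True
    return transport, media

def audit_bridge(outside, inside):
    """Return findings; an empty list means both legs match the bridge design."""
    findings = []
    o_tr, o_media = parse_leg(outside)
    i_tr, i_media = parse_leg(inside)
    if o_tr != "TLS":
        findings.append(f"outside signalling is {o_tr}: SDP and SDES keys are readable")
    for profile, keyed in o_media:
        if profile not in SECURE:
            findings.append(f"outside media is {profile}: audio is not encrypted")
        elif profile.startswith("RTP/") and not keyed:
            findings.append(f"outside {profile} carries no a=crypto key")
    if i_tr != "UDP":
        findings.append(f"inside signalling is {i_tr}, PBX expects UDP")
    for profile, keyed in i_media:
        if profile in SECURE or keyed:
            findings.append(f"inside media is {profile}: SRTP was not bridged to RTP")
    return findings

def sample(transport, host, profile, crypto=None):
    """Build a constructed INVITE with one audio stream."""
    lines = ["INVITE sip:100@pbx.example.com SIP/2.0",
             f"Via: SIP/2.0/{transport} {host};branch=z9hG4bKc1",
             "Content-Type: application/sdp", "",
             "v=0", f"o=- 1 1 IN IP4 {host}", "s=-", f"c=IN IP4 {host}", "t=0 0",
             f"m=audio 40000 {profile} 0"] + ([crypto] if crypto else [])
    return "\r\n".join(lines) + "\r\n"

KEY = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + "A" * 40  # constructed key
OUTSIDE = sample("TLS", "198.51.100.7", "RTP/SAVP", KEY)
INSIDE = sample("UDP", "192.0.2.10", "RTP/AVP")

if __name__ == "__main__":
    print(audit_bridge(OUTSIDE, INSIDE) or "bridge legs look as designed")
```

The outside-transport check matters because an SDES key travels inside the SDP, so SRTP on the public side only protects the audio when the signalling that carries the key is itself on TLS.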

Example Config

I’ve posted an example TLS/SRTP bridge config on my GitHub repo.

Hope this helps you… if you have any questions or comments, please don’t hesitate to reach out.


2 Comments

Mosi 2020-07-17

Hello,
Very nice, thank you for sharing! I have noticed a strange behaviour though. In the case of an incoming call coming to the IPBX (from a mobile phone through a PSTN gw), forwarded to the bridge then to the UAC, once the UAC answers, if the BYE is initiated by the UAC, the other end (the phone behind the PSTN gw) doesn’t receive a BYE and is still connected.

In any other case (incoming call from PSTN hung up by the mobile phone, outgoing call from the UAC to the PSTN hung up by the UAC, outgoing call from the UAC to the PSTN hung up by the mobile phone).

So it is only in the case of an incoming call hung up by the UAC that the BYE gets lost.

If you have any clue…

Thanks and regards,
Mosi

Fred Posner 2020-07-21

Not seeing that on my testing… looking at a pcap would help.
