SSH vs. OpenVPN?


Hello

In case a NAT firewall prevents using STUN to open SIP/RTP ports, a
solution is to first connect the phone to the Asterisk server through
a tunnel, and then have data go through the tunnel.

Are there hardphones that support OpenVPN?

If none, what about SSH? Is this a good alternative to use VoIP with
SIP?

If you’ve tried either or both solutions, I’m interested in any
feedback.

Thank you.

6 thoughts on - SSH vs. OpenVPN?

  • On Tue, 31 Jan 2012 07:57:22 -0500, “bakko”
    wrote:

    Thanks for the info.

    If someone tried the Snom, Grandstream, or Yealink, how good is their
    OpenVPN connection?

  • Using Yealink T-28 with OpenVPN works fine – about three weeks now with
    no issues. Bummed that it seems to only support one tunnel, though. I
    asked their support team if they could make whatever changes necessary
    to support multiple, and their response made it sound promising 🙂

    I love this phone, actually.

    j

  • On Tue, 31 Jan 2012 10:03:46 -0600, Jeff LaCoursiere
    wrote:

    Thanks for the feedback. Multiple tunnels are for conference calls?

  • Jeff LaCoursiere wrote:

    As in you can’t register the phone to more than 1 remote Asterisk server
    via 2 different VPN tunnels or you can’t have more than 1 call per VPN link?

    Doug

  • For the record: you can. But it’s not really a good idea. Two options:

    1. ssh -D: “dynamic” port forwarding. Which basically means that it
    creates a socks4/socks5 proxy. You can now use e.g. sockify and connect
    UDP-based programs over that connection.

    2. ssh -w: create a tun device and create a tunnel on top of that (root
    access of some sort is required).

    That said, the ssh connection is TCP. The basic reasoning in
    http://sites.inka.de/sites/bigred/devel/tcp-tcp.html applies to the VoIP
    UDP payload as well.

    Oh, and for the record, you can tunnel practically on top of anything.
    Just in case you’re not familiar with it: IP over DNS (which means you
    don’t even need direct access, and can use proxied DNS queries).
    http://code.kryo.se/iodine/
    I figure you won’t get quality audio with that, though.
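
Added example, not part of the thread: a small constructed model of what happens to 20 ms RTP frames when they are carried inside one TCP stream (as an SSH tunnel does) compared with the same packet loss over plain UDP. The frame interval, network delay, jitter-buffer depth and TCP recovery time are assumed values, and the model assumes every retransmission succeeds on the first attempt.

```python
"""Constructed model: RTP frames over a lossy path, sent as plain UDP
versus carried inside a single in-order TCP stream (e.g. an SSH tunnel)."""

FRAME_MS = 20        # RTP packetisation interval (assumed)
DELAY_MS = 40        # one-way network delay (assumed)
JITTER_BUF_MS = 60   # receiver playout buffer depth (assumed)
RECOVERY_MS = 200    # time for TCP to notice and resend a lost segment (assumed)


def deadline(seq):
    """Latest arrival time at which frame `seq` can still be played."""
    return seq * FRAME_MS + DELAY_MS + JITTER_BUF_MS


def unusable_over_udp(n_frames, lost):
    """UDP: a lost frame is simply gone; every other frame arrives on time."""
    return [seq for seq in range(n_frames) if seq in lost]


def unusable_over_tcp(n_frames, lost):
    """TCP: nothing is lost, but delivery is in order, so every frame queued
    behind a missing segment waits for its retransmission."""
    late = []
    prev_delivery = 0
    for seq in range(n_frames):
        arrival = seq * FRAME_MS + DELAY_MS
        if seq in lost:
            arrival += RECOVERY_MS          # original dropped, copy arrives later
        delivery = max(arrival, prev_delivery)  # head-of-line blocking
        if delivery > deadline(seq):
            late.append(seq)                # missed its playout slot
        prev_delivery = delivery
    return late


if __name__ == "__main__":
    lost = {10, 30}  # constructed loss pattern: two dropped packets in one second
    udp = unusable_over_udp(50, lost)
    tcp = unusable_over_tcp(50, lost)
    print(f"UDP: {len(udp)} frames unusable ({len(udp) * FRAME_MS} ms of audio)")
    print(f"TCP: {len(tcp)} frames unusable ({len(tcp) * FRAME_MS} ms of audio)")
```

With these numbers each dropped packet costs one frame over UDP but a burst of seven consecutive frames through the TCP stream, because the frames behind the gap are held back until the retransmission arrives.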