TLS And NAT
I want to configure communication with my phone provider using TLS for all the obvious reasons. Since I’m behind a firewall, I’ll be needing to do it with NAT. There are examples of UDP plus NAT in pjsip.conf, but none for TLS plus NAT. Would it be correct to set up the TLS transport stanza to look like the [transport-udp-nat] stanza example, replacing UDP with TLS in lines like ‘transport=tls’ and ‘protocol=tls’, and including the lines for local_net, external_media_address and external_signaling_address?
—
Hello Steve,
use the following configuration for the transport and bind this transport to the trunk:
[transport_name]
type=transport
protocol=tls
bind=192.168.13.24 ; your bind IP
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt
; method=tlsv1_2
verify_server=yes
allow_reload=no
;tos=0xb8
;cos=3
external_media_address=your.ext.host.name ; hostname pointing to your ext. IP
external_signaling_address=your.ext.host.name ; hostname pointing to your ext. IP
local_net=192.168.0.0/24 ; your local net
Regards Michael
—
Thanks, Michael. A few questions:
Is [transport_name] a reserved word, or am I supposed to replace it with a name of my own, like ‘[did-transport]’?
Some of the keywords I haven’t seen before. Is ca_list_file supposed to be an aggregate of the public and private key? And what are the ‘method,’ ‘tos’ and ‘cos’ keywords, which are commented out in your instructions?
Otherwise, the rest is quite clear.
—
Yes. You are free.
ca_list_file is the list of all CAs the server should accept as valid (these are public keys – no private keys), like Let’s Encrypt, for example.
Take a look here:
https://github.com/asterisk/asterisk/blob/master/configs/samples/pjsip.conf.sample
Search for “tos=0”
Regards, Michael
—
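Putting the two replies together, here is a fuller pjsip.conf fragment showing the TLS transport with its NAT settings and the trunk objects (auth, aor, endpoint, registration, identify) that bind to it via transport=. This is an added editor's example, not configuration from either poster; the bind address, local_net, provider hostname sip.provider.example, context name and credentials are placeholders.

```ini
; Editor's added example; the IPs, hostnames and credentials below are placeholders.
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061                    ; 5061 is the TLS default; bind a single LAN IP if preferred
ca_list_file=/etc/pki/tls/certs/ca-bundle.crt  ; CA bundle used to check the provider's certificate
verify_server=yes                    ; drop the connection if the provider cert does not chain to the bundle
method=tlsv1_2                       ; refuse older protocol versions
allow_reload=no
external_signaling_address=your.ext.host.name  ; public name/IP written into Via and Contact
external_media_address=your.ext.host.name      ; public name/IP written into SDP
local_net=192.168.0.0/24             ; peers inside this net get the private address instead

[provider-auth]
type=auth
auth_type=userpass
username=PROVIDER_USERNAME           ; placeholder
password=PROVIDER_PASSWORD           ; placeholder

[provider-aor]
type=aor
contact=sip:sip.provider.example:5061\;transport=tls   ; ';' must be escaped inside a value
qualify_frequency=60

[provider]
type=endpoint
transport=transport-tls              ; this is what binds the trunk to the TLS transport
context=from-provider
disallow=all
allow=ulaw
outbound_auth=provider-auth
aors=provider-aor
from_domain=sip.provider.example
rtp_symmetric=yes                    ; NAT: send RTP back to where it arrived from
force_rport=yes
rewrite_contact=yes

[provider-reg]
type=registration
transport=transport-tls
outbound_auth=provider-auth
server_uri=sip:sip.provider.example:5061\;transport=tls
client_uri=sip:PROVIDER_USERNAME@sip.provider.example

[provider-identify]
type=identify
endpoint=provider
match=sip.provider.example           ; inbound INVITEs from this host map to the endpoint above
```

TLS here protects only the SIP signaling; the RTP media path is unchanged by this transport configuration.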