Secure encrypted phone calls with your IPhone

I generated a small presentation on how to connect an IPhone with an Asterisk server through pptp VPN.
Watch this short presentation Secure IPhone
or see the complete story with tutorial videos: I generated a small presentation on how to connect an IPhone with an Asterisk server through pptp VPN.
Watch this short presentation Secure IPhone
or see the complete story with tutorial videos:

More details

Getting the VPN tunnel working

The IPhone does support three different variants of VPN.

  • L2TP
  • PPTP
  • IPSec

I choose PPTP because it was easy to setup. Unfortunately the IPhone does not support OpenVPN, which I would prefer.

Setting up pptpd

Installing MPPE Support

Most people want their tunnels encrypted. Check the version of your kernel; if it is below 2.6.15-rc1 then you do not have MPPE support. To check further, test like this:

# modprobe ppp-compress-18 && echo success

If this fails, follow the Debian MPPE HOWTO, then return here.

Installing the Server Program

Install the pptpd package from the Debian Project:

# apt-get install pptpd

Configure IP Address Range

Edit the file /etc/pptpd.conf for the IP address range, for example:

localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245

Note: see pptpd.conf(5) for more details on the other options.

Note: you will need to restart pptpd to make changes to /etc/pptpd.conf effective:

# /etc/init.d/pptpd restart

Adding Users

Configure /etc/ppp/chap-secrets for the accounts, for example:

# echo "username pptpd password *" >> /etc/ppp/chap-secrets

Note: this method has all the usernames in one file. There are other ways, including authentication using Radius, or using Samba. Check the mailing list (subscribe, archives).

Note: you do not need to restart pptpd, a change to chap-secrets is effective for the next connection.

NAT for the vpn network

We need to add nat translation to the vpn network and enable ip forwarding.

/sbin/iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
echo "1" >/proc/sys/net/ipv4/ip_forward

We also need to edit /etc/sysctl.conf and enable the following line, so that this is enable by the next reboot:

# Uncomment the next line to enable packet forwarding for IPv4
net/ipv4/ip_forward=1

Setting up Asterisk

We need to add an user in the /etc/asterisk/sip.conf

[general]
port=5060
bindaddr=0.0.0.0
context=fromLOCAL
realm=atorg.vpn
tos_sip=cs3     ; fuer SIP-Pakete (Kommunikationsaufbau)
tos_audio=ef    ; fuer RTP-Audio-Pakete
tos_video=af41  ; fuer RTP-Video-Pakete
language=de
disallow=all
allow=alaw
allow=ulaw
allow=ilbc
;allow=gsm
allow=h261
dtmfmode=inband
srvlookup=yes
videosupport=yes
canrenvite=nonat
maxexpiry=7200
defaultexpiry=3600
musiconhold=default
nat=yes

[30]
; SipPhone
nat=yes
type=friend
context=trunk
secret=***
host=dynamic
callerid=&quote;IPhone via SIP through PPTP&quote; <30>

Setup the IAX2 trunking to the asterisk with PSTN connection:

[general]
port=5036
bandwidth=low
disallow=all
allow=gsm

jitterbuffer=yes
tos=lowdelay

register =^gt; trunk2thestar:***@thestar.vpn

[trunk2atorg]
type=friend
host=dynamic
trunk=yes
auth=md5,plaintext,rsa
secret=***
username=trunk2atorg
qualify=yes
context=trunk

And now we need to add this to our small /etc/asterisk/extensions.conf

[globals]

[trunk]
; Anrufe von local SIP users
exten => _X.,1,Dial,IAX2/trunk2thestar:***@thestar.vpn/${EXTEN}
exten => _X.,2,Congestion(5)
exten => _X.,3,Hangup()
exten => _X.,102,Playback(tt-allbusy)
exten => _X.,103,Hangup()

How does it look like on the iPhone

Just watch this short movie: VPN on IPhone

Testing

Example of pptpd login and logoff, when you move the slider of the VPN on the IPhone

Jun  6 21:02:46 atorg pptpd[7290]: CTRL: Client 62.216.217.17 control connection started
Jun  6 21:02:46 atorg pptpd[7290]: CTRL: Starting call (launching pppd, opening GRE)
Jun  6 21:02:46 atorg pppd[7291]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jun  6 21:02:46 atorg pppd[7291]: pppd 2.4.4b1 started by root, uid 0
Jun  6 21:02:46 atorg pppd[7291]: Using interface ppp0
Jun  6 21:02:46 atorg pppd[7291]: Connect: ppp0 < --> /dev/pts/0
Jun  6 21:02:46 atorg pptpd[7290]: GRE: Bad checksum from pppd.
Jun  6 21:02:49 atorg pppd[7291]: MPPE 128-bit stateless compression enabled
Jun  6 21:02:49 atorg pppd[7291]: Cannot determine ethernet address for proxy ARP
Jun  6 21:02:49 atorg pppd[7291]: local  IP address 192.168.42.1
Jun  6 21:02:49 atorg pppd[7291]: remote IP address 192.168.42.10

Jun  6 21:05:50 atorg pppd[7291]: LCP terminated by peer (MPPE disabled)
Jun  6 21:05:50 atorg pppd[7291]: Connect time 3.1 minutes.
Jun  6 21:05:50 atorg pppd[7291]: Sent 9127 bytes, received 7660 bytes.

Example of a SIP login, SIP call with IAX2 trunking and SIP logout

atorg*CLI>
    -- Registered SIP '30' at 192.168.42.10 port 5060 expires 10
    -- Executing Dial("SIP/30-066d", "IAX2/trunk2thestar:***@thestar.vpn/6666") in new stack
    -- Called trunk2thestar:***@thestar.vpn/6666
    -- Call accepted by 10.23.0.10 (format gsm)
    -- Format for call is gsm
    -- IAX2/10.23.0.10:4569-1 answered SIP/30-066d
    -- Hungup 'IAX2/10.23.0.10:4569-1'
    -- Unregistered SIP '30'

More details

Getting the VPN tunnel working

The IPhone does support three different variants of VPN.

  • L2TP
  • PPTP
  • IPSec

I choose PPTP because it was easy to setup. Unfortunately the IPhone does not support OpenVPN, which I would prefer.

Setting up pptpd

Installing MPPE Support

Most people want their tunnels encrypted. Check the version of your kernel; if it is below 2.6.15-rc1 then you do not have MPPE support. To check further, test like this:

# modprobe ppp-compress-18 && echo success

If this fails, follow the Debian MPPE HOWTO, then return here.

Installing the Server Program

Install the pptpd package from the Debian Project:

# apt-get install pptpd

Configure IP Address Range

Edit the file /etc/pptpd.conf for the IP address range, for example:

localip 192.168.0.1
remoteip 192.168.0.234-238,192.168.0.245

Note: see pptpd.conf(5) for more details on the other options.

Note: you will need to restart pptpd to make changes to /etc/pptpd.conf effective:

# /etc/init.d/pptpd restart

Adding Users

Configure /etc/ppp/chap-secrets for the accounts, for example:

# echo "username pptpd password *" >> /etc/ppp/chap-secrets

Note: this method has all the usernames in one file. There are other ways, including authentication using Radius, or using Samba. Check the mailing list (subscribe, archives).

Note: you do not need to restart pptpd, a change to chap-secrets is effective for the next connection.

NAT for the vpn network

We need to add nat translation to the vpn network and enable ip forwarding.

/sbin/iptables -t nat -A POSTROUTING -s 192.168.42.0/24 -o eth0 -j MASQUERADE
echo "1" >/proc/sys/net/ipv4/ip_forward

We also need to edit /etc/sysctl.conf and enable the following line, so that this is enable by the next reboot:

# Uncomment the next line to enable packet forwarding for IPv4
net/ipv4/ip_forward=1

Setting up Asterisk

We need to add an user in the /etc/asterisk/sip.conf

[general]
port=5060
bindaddr=0.0.0.0
context=fromLOCAL
realm=atorg.vpn
tos_sip=cs3     ; fuer SIP-Pakete (Kommunikationsaufbau)
tos_audio=ef    ; fuer RTP-Audio-Pakete
tos_video=af41  ; fuer RTP-Video-Pakete
language=de
disallow=all
allow=alaw
allow=ulaw
allow=ilbc
;allow=gsm
allow=h261
dtmfmode=inband
srvlookup=yes
videosupport=yes
canrenvite=nonat
maxexpiry=7200
defaultexpiry=3600
musiconhold=default
nat=yes

[30]
; SipPhone
nat=yes
type=friend
context=trunk
secret=***
host=dynamic
callerid=&quote;IPhone via SIP through PPTP&quote; <30>

Setup the IAX2 trunking to the asterisk with PSTN connection:

[general]
port=5036
bandwidth=low
disallow=all
allow=gsm

jitterbuffer=yes
tos=lowdelay

register =^gt; trunk2thestar:***@thestar.vpn

[trunk2atorg]
type=friend
host=dynamic
trunk=yes
auth=md5,plaintext,rsa
secret=***
username=trunk2atorg
qualify=yes
context=trunk

And now we need to add this to our small /etc/asterisk/extensions.conf

[globals]

[trunk]
; Anrufe von local SIP users
exten => _X.,1,Dial,IAX2/trunk2thestar:***@thestar.vpn/${EXTEN}
exten => _X.,2,Congestion(5)
exten => _X.,3,Hangup()
exten => _X.,102,Playback(tt-allbusy)
exten => _X.,103,Hangup()

How does it look like on the iPhone

Just watch this short movie: VPN on IPhone

Testing

Example of pptpd login and logoff, when you move the slider of the VPN on the IPhone

Jun  6 21:02:46 atorg pptpd[7290]: CTRL: Client 62.216.217.17 control connection started
Jun  6 21:02:46 atorg pptpd[7290]: CTRL: Starting call (launching pppd, opening GRE)
Jun  6 21:02:46 atorg pppd[7291]: Plugin /usr/lib/pptpd/pptpd-logwtmp.so loaded.
Jun  6 21:02:46 atorg pppd[7291]: pppd 2.4.4b1 started by root, uid 0
Jun  6 21:02:46 atorg pppd[7291]: Using interface ppp0
Jun  6 21:02:46 atorg pppd[7291]: Connect: ppp0 < --> /dev/pts/0
Jun  6 21:02:46 atorg pptpd[7290]: GRE: Bad checksum from pppd.
Jun  6 21:02:49 atorg pppd[7291]: MPPE 128-bit stateless compression enabled
Jun  6 21:02:49 atorg pppd[7291]: Cannot determine ethernet address for proxy ARP
Jun  6 21:02:49 atorg pppd[7291]: local  IP address 192.168.42.1
Jun  6 21:02:49 atorg pppd[7291]: remote IP address 192.168.42.10

Jun  6 21:05:50 atorg pppd[7291]: LCP terminated by peer (MPPE disabled)
Jun  6 21:05:50 atorg pppd[7291]: Connect time 3.1 minutes.
Jun  6 21:05:50 atorg pppd[7291]: Sent 9127 bytes, received 7660 bytes.

Example of a SIP login, SIP call with IAX2 trunking and SIP logout

atorg*CLI>
    -- Registered SIP '30' at 192.168.42.10 port 5060 expires 10
    -- Executing Dial("SIP/30-066d", "IAX2/trunk2thestar:***@thestar.vpn/6666") in new stack
    -- Called trunk2thestar:***@thestar.vpn/6666
    -- Call accepted by 10.23.0.10 (format gsm)
    -- Format for call is gsm
    -- IAX2/10.23.0.10:4569-1 answered SIP/30-066d
    -- Hungup 'IAX2/10.23.0.10:4569-1'
    -- Unregistered SIP '30'

Bookmark and Share

One thought on “Secure encrypted phone calls with your IPhone

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>