Using a VTun tunnel to make SIP (Voice over IP) work behind restrictive firewalls or filtering proxies

This guide shows how to make SIP (Session Initiation Protocol) work despite firewall restrictions and/or packet filtering (e.g. some providers filter SIP packets because they want to sell their own VOIP products...).

Prerequisites

  • Linux server with public IP address, root access and "vtun"
  • Client with Linux and "vtun"

I'm using Debian; to install vtun, just run "aptitude install vtun" on both your server and client.

Configuration 

Configure the vtun server (vtund.conf) to use TCP and compression (optionally encryption). Enable IP Masquerading when the tunnel is established ("iptables -t nat -A POSTROUTING ...").

Here is my server's /etc/vtund.conf:

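mytunnel {
        type tun;
        proto tcp;
        compress zlib:2;
        # Tunnel traffic is not encrypted with this setting; use "yes" to enable encryption.
        encrypt no;
        keepalive yes;
        password YourPasswordHere;
        up {
                # Server end of the point-to-point link
                ifconfig "%% 10.1.0.1 pointopoint 10.1.0.2 mtu 1450";
                # Masquerade traffic coming from the tunnel client
                firewall "-t nat -A POSTROUTING -s 10.1.0.2 -j MASQUERADE";
        };
        down {
                # Note: this flushes the whole nat table, including rules not added by this tunnel.
                firewall "-t nat -F";
                ifconfig "%% down";
        };
}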

Our server will have the IP 10.1.0.1 (one endpoint of the tunnel). Our client will get the IP 10.1.0.2.

Here is the client config:

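mytunnel {
        type tun;
        passwd YourPasswordHere;
        up {
                # Client end of the point-to-point link
                ifconfig "%% 10.1.0.2 pointopoint 10.1.0.1 mtu 1450";
                # Send traffic for the SIP provider's network through the tunnel
                route "add -net 199.9.0.0/16 gw 10.1.0.1";
        };
}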

The IP addresses of the provider's SIP servers lie in the network 199.9.0.0/16. The route command makes sure that all requests (UDP packets) to the SIP server (our SIP proxy/provider) go through our vtun tunnel.

Usage 

Now start the tunnel daemon on the server: vtund -s (on Debian: /etc/init.d/vtun start)

And start the tunnel daemon on the client: vtund mytunnel 1.2.3.4 (replace 1.2.3.4 with the public IP address of your server). On Debian you can edit /etc/default/vtun and start the daemon via /etc/init.d/vtun start.

You should have a running tunnel by now: check with ifconfig that there is a new "tun0" interface with "pointopoint" IPs.

Finally you can start your SIP softphone (ekiga, wengophone, linphone, kphone, twingle, or whatever). Make sure that the softphone is using the "tun0" interface and that your route to the SIP server is going over the "tun0" interface: route -n. Your VOIP application should now work with the vtun tunnel and thereby circumvent any firewall/proxy restrictions.
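
The "route -n" check above can be automated. The following script is an added example, not part of the original write-up: it applies the kernel's longest-netmask rule to a "route -n" table and verifies that the SIP server is reached via tun0 while the vtund server itself is not routed into the tunnel. The LAN gateway 192.168.1.1, the interface name eth0 and the SIP address 199.9.1.10 are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original page): check a `route -n` table for the
# two routing properties this setup depends on.

# Constructed sample of `route -n` on the client with the tunnel up.
# 192.168.1.1/eth0 are assumptions; 1.2.3.4 is the page's placeholder server IP.
sample_table() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
10.1.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
199.9.0.0       10.1.0.1        255.255.0.0     UG    0      0        0 tun0
EOF
}

# route_iface DEST: read a `route -n` table on stdin and print the interface of
# the most specific matching route (longest netmask wins, as in the kernel).
route_iface() {
    awk -v dest="$1" '
        function ip2n(s,  p) { split(s, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        BEGIN { d = ip2n(dest); best = -1 }
        $1 ~ /^[0-9]+\./ {
            mask = ip2n($3); size = 4294967296 - mask   # addresses covered by this netmask
            if (int(d / size) == int(ip2n($1) / size) && mask > best) { best = mask; dev = $8 }
        }
        END { if (best < 0) exit 1; print dev }'
}

# check_tunnel_routes SIP_IP SERVER_IP: table on stdin.
# Returns 0 if both routes are as intended, 1 if one is wrong, 2 if no route matches.
check_tunnel_routes() {
    table=$(cat)
    sip_dev=$(printf '%s\n' "$table" | route_iface "$1") || return 2
    srv_dev=$(printf '%s\n' "$table" | route_iface "$2") || return 2
    if [ "$sip_dev" != tun0 ]; then
        echo "FAIL: SIP server $1 is reached via $sip_dev, bypassing the tunnel"; return 1
    fi
    if [ "$srv_dev" = tun0 ]; then
        echo "FAIL: vtund server $2 is routed into tun0 (tunnel inside itself)"; return 1
    fi
    echo "OK: $1 via tun0, $2 via $srv_dev"
}

# With two arguments, check the live table; otherwise run on the sample.
if [ $# -eq 2 ]; then
    route -n | check_tunnel_routes "$1" "$2"
else
    sample_table | check_tunnel_routes 199.9.1.10 1.2.3.4
fi
```

Run it with the SIP server address and the vtund server's public address as arguments to check the live routing table.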

Disadvantages

The tunnel adds some latency (tune "compress" and "encrypt" options) to the VOIP connection. The TCP tunnel is not well suited for real-time data like VOIP, but it's the only option if UDP does not work.

Created by Henning Jacobs