Asterisk VoIP Server over OpenVPN in Tor Hidden Service.

Good Evening.

Generate encryption keys with OpenSSL.

OpenVPN server openvpn.conf configuration file:
Code:
mode server
tls-server
dev tun
# Tor hidden services carry TCP only, so the server listens on TCP instead of the usual UDP.
proto tcp-server
port 1194

server 10.8.0.0 255.255.0.0

ca /vpn/ca.crt
cert /vpn/server.crt
key /vpn/server.key
dh /vpn/dh2048.pem
# tls-crypt authenticates and encrypts the control channel; the same ta.key is given to every client.
tls-crypt /vpn/ta.key

cipher AES-256-CBC
auth SHA3-512

log /var/log/openvpn.log
status /var/log/openvpn-status.log

# Drop privileges after start-up; persist-key/persist-tun let the unprivileged process survive restarts.
user nobody
group nobody
persist-key
persist-tun
chroot /usr/local/etc/openvpn/jail
auth-nocache

# Allow clients to communicate with each other, e.g. to run their own services such as UnrealIRCd servers.
client-to-client
# One file per client, named after the certificate CN; the path is inside the chroot above.
client-config-dir /ccd

OpenVPN clients client.conf configuration file:
Code:
client
# Refuse to talk to a peer whose certificate lacks the serverAuth extended key usage.
remote-cert-tls server
dev tun

<connection>
# Tor carries TCP only; the .onion hostname is handed to the local Tor SOCKS port, which resolves it.
remote youroniondomain.onion 1194 tcp-client
socks-proxy 127.0.0.1 9050
</connection>

cipher AES-256-CBC
auth SHA3-512

user nobody
group nogroup
persist-key
persist-tun
chroot /etc/openvpn/jail
auth-nocache

log /var/log/openvpn/openvpn.log
status /var/log/openvpn/openvpn-status.log

# Paste the PEM contents between the tags: ca.crt, this client's certificate and key, and ta.key.
<ca>
</ca>

<cert>
</cert>

<key>
</key>

<tls-crypt>
</tls-crypt>

Tor Hidden Service torrc configuration file:
Code:
HiddenServiceDir /usr/local/torhs/szczybelski/
HiddenServicePort 1194 127.0.0.1:1194

Tor clients torrc configuration file:
Code:
SOCKSPort 9050

Asterisk sip.conf configuration file:
Code:
[general]
transport=udp
port=5060
; listen only on the VPN address of the host running Asterisk, never on a public interface
bindaddr=10.8.0.1
disallow=all
allow=ulaw
allow=alaw
allow=gsm
; keep RTP media flowing through Asterisk instead of directly between peers
directmedia=no
nat=yes
; the whole VPN range (server 10.8.0.0 255.255.0.0), so 10.8.10.x clients also count as local
localnet=10.8.0.0/255.255.0.0

; template inherited by every peer below
[friends_internal](!)
type=friend
host=dynamic
context=from-internal
disallow=all
allow=ulaw
allow=alaw
allow=gsm

; demo accounts: give each peer its own long secret before use
[demo-alice](friends_internal)
secret=password

[demo-bob](friends_internal)
secret=password

[demo-norbert](friends_internal)
secret=password

Asterisk extensions.conf configuration file:
Code:
[from-internal]
exten=>6001,1,Dial(SIP/demo-alice,20)
exten=>6002,1,Dial(SIP/demo-bob,20)
exten=>6003,1,Dial(SIP/demo-norbert,20)

My main goal in this tutorial was to prove that VoIP can work over Tor.

This is a chrooted configuration, but if someone really needs to run that kind of network, please isolate the servers in virtual machines.
I prefer FreeBSD bhyve.

Also update CPU microcode against Spectre and Meltdown vulnerabilities.

I illustrate a simple setup:

172.16.0.2/10.8.0.1 OpenVPN Server – bhyve VM on server.
172.16.0.3/10.8.0.10 OpenVPN Client with Apache – bhyve VM on server.
172.16.0.4/10.8.0.20 OpenVPN Client with Asterisk – bhyve VM on server.
172.16.0.5/10.8.0.30 OpenVPN Client with UnrealIRCd – bhyve VM on server.

172.31.0.9/10.8.10.10 OpenVPN Client with Apache – bhyve VM on client.
192.168.38.37/10.8.10.20 OpenVPN Client with UnrealIRCd – bhyve VM on client.

… and so on.

Set up static IP addresses in the ccd directory for these servers.

Not tested, but you can also run a BIND DNS server to map hostnames to IP addresses.
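Pinning each client to the VPN address from the layout above is done with one file per certificate CN in the client-config-dir, containing an ifconfig-push line. The script below is an added example, not part of the original post: the CNs, the host list, and the default directory /usr/local/etc/openvpn/jail/ccd (the ccd path inside the server's chroot) are its own assumptions. It also assumes that "topology subnet" is added to openvpn.conf, which the server configuration above does not set; under OpenVPN's default net30 topology an address such as 10.8.0.20 is not a valid client address, and ifconfig-push would need /30 pairs instead.

```shell
#!/bin/sh
# Added example (not from the original post): write client-config-dir entries for fixed VPN addresses.
# Assumed: CNs and the host list are constructed here; "topology subnet" is set in openvpn.conf.
set -eu

VPN_NET_PREFIX=10.8                                   # "server 10.8.0.0 255.255.0.0" in openvpn.conf
VPN_NETMASK=255.255.0.0
CCD_DIR=${CCD_DIR:-/usr/local/etc/openvpn/jail/ccd}  # must be inside the chroot: client-config-dir /ccd

# Accept only a well-formed dotted quad inside the VPN /16 that is not the server's own address.
valid_vpn_ip() {
    ip=$1
    case $ip in
        $VPN_NET_PREFIX.*.*) ;;
        *) return 1 ;;
    esac
    [ "$ip" != "$VPN_NET_PREFIX.0.1" ] || return 1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# One file per client, named after the certificate CN; OpenVPN reads it when that client connects.
# Refuses addresses outside the VPN, the server address, and an address already given to another CN.
write_ccd_entry() {
    cn=$1; ip=$2
    valid_vpn_ip "$ip" || { echo "refusing $cn: $ip is not a usable VPN client address" >&2; return 1; }
    mkdir -p "$CCD_DIR"
    line="ifconfig-push $ip $VPN_NETMASK"
    for f in "$CCD_DIR"/*; do
        [ -f "$f" ] || continue
        [ "$(basename "$f")" != "$cn" ] || continue
        if [ "$(cat "$f")" = "$line" ]; then
            echo "refusing $cn: $ip already assigned in $f" >&2
            return 1
        fi
    done
    printf '%s\n' "$line" > "$CCD_DIR/$cn"
}

# Constructed host list following the post's layout: "CN VPN-address" per line.
HOSTS='demo-apache-server 10.8.0.10
demo-asterisk 10.8.0.20
demo-unrealircd-server 10.8.0.30
demo-apache-client 10.8.10.10
demo-unrealircd-client 10.8.10.20'

write_all() {
    echo "$HOSTS" | while read -r cn ip; do
        write_ccd_entry "$cn" "$ip"
    done
}

# Usage: CCD_DIR=/usr/local/etc/openvpn/jail/ccd sh write-ccd.sh run
if [ $# -gt 0 ]; then write_all; fi
```

Because the server is chrooted, OpenVPN opens these files after chroot, so the directory must live under the jail path and be readable by the nobody user.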

That’s all!
It works with a 1 s delay.
Enjoy!

There is also a quantum-resistant OpenVPN project:
OPEN QUANTUM SAFE - Software for prototyping quantum-resistant cryptography
https://openquantumsafe.org
https://github.com/open-quantum-safe
https://github.com/open-quantum-safe/liboqs
https://github.com/open-quantum-safe/openssl
I am not providing any security warranty, just sharing information.

Any security improvements are welcome.


Also on Whonix Wiki:

Also published on:

Norbert.