SIP over VPN

By: Aivis Olsteins


2018-07-27

Blocking of VoIP services and VPN

VoIP is still being blocked in many countries, and the list is not getting shorter.

That VoIP is blocked in many countries is not new. The list is very long and mostly includes African, Middle Eastern, South East Asian and some other countries. There are many resources on the internet that list those countries, and the lists vary from site to site, mostly because not all countries or governments admit that they are doing so, or they simply say nothing at all. The reasons range from a wish to protect the business of legacy (read: state monopoly, very high priced) carriers, which can be eroded by people using much cheaper VoIP services, to state surveillance, which is a lot easier to achieve if the number of telecom operators is limited.

The situation is further complicated by the fact that the methods of blocking vary from country to country. Not all services are blocked everywhere. There are places that block VoIP-based services like Skype but allow regular SIP calls to be made. Or it can be vice versa, or they can block both. Then, some relatively forgotten protocol like H.323 or MGCP might work or not.

The blocking techniques also vary very widely. Perhaps this is related to the level of sophistication of the people implementing them, or to their actual willingness to comply. We have seen very primitive schemes, such as blocking only the default SIP port 5060. These can be circumvented very easily by selecting a non-standard port. Then there are more sophisticated techniques: inspecting the packet payload and blocking packets by their contents, for example blocking all SIP packets regardless of the port used. Those blocking methods, in turn, can be circumvented by using encryption, which hides the contents of the packets. The easiest way is to use a VPN: it encrypts the traffic, and no content is visible to an interceptor. I am not a security expert, but I can imagine that there are methods which allow VoIP traffic to be detected inside a VPN as well.
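The difference between the port-based and payload-based blocking described above, shown as an added example (not code from the original post): a port rule and a payload rule are run over three constructed payloads. The function names, the sample messages and the documentation addresses in them are assumptions made for illustration.

```python
import re

# SIP start line (RFC 3261): "METHOD request-uri SIP/2.0" or "SIP/2.0 code reason".
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ SIP/2\.0$")
STATUS_LINE = re.compile(rb"^SIP/2\.0 [1-6]\d\d( .*)?$")
REQUIRED = {b"via", b"from", b"to", b"call-id", b"cseq"}
COMPACT = {b"v": b"via", b"f": b"from", b"t": b"to", b"i": b"call-id"}

def port_rule(dst_port):
    """Primitive filter: flags only traffic to the default SIP port."""
    return dst_port == 5060

def payload_rule(payload):
    """Content filter: flags anything that parses as a SIP message, on any port."""
    lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
    if not (REQUEST_LINE.match(lines[0]) or STATUS_LINE.match(lines[0])):
        return False
    seen = set()
    for line in lines[1:]:
        name, sep, _ = line.partition(b":")
        if sep:
            name = name.strip().lower()
            seen.add(COMPACT.get(name, name))  # accept compact header forms too
    return REQUIRED <= seen

def sample_sip(method):
    """Constructed SIP request using documentation addresses (not captured traffic)."""
    return (f"{method} sip:example.com SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK-constructed\r\n"
            "From: <sip:alice@example.com>;tag=constructed\r\n"
            "To: <sip:alice@example.com>\r\n"
            "Call-ID: constructed-1@192.0.2.10\r\n"
            f"CSeq: 1 {method}\r\n"
            "Content-Length: 0\r\n\r\n").encode()

# Constructed stand-in for an encrypted tunnel: a TLS application-data record
# header (type 0x17, version 0x0303, length 32) followed by opaque bytes.
TLS_RECORD = b"\x17\x03\x03\x00\x20" + bytes(range(0x80, 0xA0))

SAMPLES = [
    ("SIP, default port", 5060, sample_sip("REGISTER")),
    ("SIP, non-standard port", 15060, sample_sip("INVITE")),
    ("VPN over TLS, port 443", 443, TLS_RECORD),
]

def classify(samples):
    """Return {label: (flagged_by_port_rule, flagged_by_payload_rule)}."""
    return {label: (port_rule(port), payload_rule(data)) for label, port, data in samples}
```

`classify(SAMPLES)` shows the port rule flagging only the first sample, the payload rule flagging both plaintext SIP samples, and neither rule flagging the TLS record.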

Lately, a small country in Equatorial Africa also joined the list of VoIP blockers. Changing the default SIP ports did not help; the blocking was at least somewhat advanced. We decided to try a VPN, in particular the SoftEther VPN server and client, using its default protocol, Ethernet over HTTPS. The choice was made because SoftEther is reported to have better latency due to full Ethernet frame utilization, which is essential for the quality of VoIP conversations. Also, the use of the HTTPS protocol on standard port 443 makes it very hard to detect as something that is not actually HTTPS. Many web pages now support HTTPS, and it would be very difficult for a detection system to distinguish between real HTTPS web traffic and SIP traffic hidden in a VPN disguised as HTTPS.

The results were good: SIP sessions could be established with any standard SIP device, without changing anything in the SIP configuration (on either server or client). The voice quality was reported to be high by both parties, the one inside the blocked region and the one outside.

The solution is now available for our SIP customers of DataTechLabs Cloud services.

About Author
My name is Aivis Olsteins and I am owner of DataTechLabs. My experience in Telecoms started in early 1990's and I have worked in multiple technical positions in mobile, messaging and data networks. My expertise lies in telecom networks, database systems, distributed processing and large data analysis. These posts are my attempt to share my knowledge with everyone who might find it useful.
