Use your VOIP softphone @work

Some VOIP softphones like X-lite rely on SIP (connection) and RTP (voice) protocols which both work on top of UDP.

In previous posts (1 and 2), I explained how to create a tunnel between a machine in a corporate networkand an external machine (like your home machine). The solution was based on SOCKS capabilities of a ssh tunnel which can behave like a Socks proxy server (-D optionof openssh).

With recent versions of openSSH, SOCKSv5 is even supported and therefore it becomespossible to tunnel UDP. Unfortunately, I haven’t found any Socksv5 compliant VOIP softphone.

To tunnel UDP over a TCP tunnel (a SSH tunnel) a combination of netcat and named pipescan be used (like explained here). The main disadvantage of this solution is that youhave to create a UDP to TCP pipe on one side of the tunnel and a TCP to UDP pipe on the other side for each remote port you have to access (5060 for SIPand 8000 for RTP by default).

Another solution is to create a VPN over your SSH tunnel.I chose vtun for its ease of you use but you could use other VPN over SSL solutions like openvpn.Note that there aren’t any Windows client for vtun. Openvpn can have Windows client and can create ethernet bridges (bridging the 2 virtual interfaces of your VPN tunnel.

Anyway with vtun you’ll be able to tunnel udp over a SSH tunnel. Beware that creating a VPN on top of a SSH tcp tunnel you expose your corporate network to attacks coming from your home network…I won’t detail here all the steps to create the solutions but only give an overviewof each step and refer to links:

  • 1) Configure your SSH daemon on your home machine. Use xinetd possiblyto forward connections on port 443 to port 22.
  • 2) Use corkscrew and ssh to establish a tunnel between your workstation at workand your home machine through your office proxy and firewall (on local and remote port 5000 in the following example).

    ssh -F ~/.bin/config -g -N -L 5000:localhost:5000 foo@home
  • 2bis) If your corporate proxy requires NTLM authentication you can use NTLM maps and connect corkscrew to the listen port of NTML maps.

  • 3) Configure and run vtun server on your home machine (See this).
  • 4) Also, configure and run vtun client on a Linux machine inside your corporate network.
  • 5) Configure routes properly to access the SIP proxy through your VPN (asterisk server at homeor Internet SIP server).
  • 6) Just configure your SIP phone as if you had direct access to the server (if you don’t nat).

Passing through corporate Firewall (Part2)

Last time I have used the combination of proxytunnel and SSH to connect tomy home machine from a corporate network behind a firewall and proxy. But it seems that proxytunnel is unable to pass through Microsoft ISA Proxy server. At least, I have tried with the -u and -p arguments of proxytunnels and it didn’t work (even with a username following this pattern domain\username or username@domain) The Microsoft ISA proxy server requires NTLM authenticationand there’s another combination that worked successfully to be able to connect through it to an external machine on SSL :Ntlmaps, Corkscrew which tunnels ssh through HTTPS and of courseSSH.

Ntlmaps is a Python program that acts as a proxy software that allows you to authenticate via an MS Proxy Server using the proprietary NTLM protocol. Once downloaded, all you need is to configure the hostname/port of your corporateproxy and your Windows domain username/password (I left other options with their default values).

Corscrew can be compiled with Cygwin tools under Windows. Once compiled and installed configure SSH to use it. In order to do so, edit your ~/.ssh/config file and use the following command:

 ProxyCommand /usr/local/bin/corkscrew 5865 %h %p

Corkscrew will use your local ntlmaps proxy server which in turn is authenticated on Microsoft proxy server. Then use SSH (openSSH) like this :

# ssh -C -N -D 1080 -p 443 root@myhomemachine

-D to use the SSH daemon at the other side of the tunnel as a Socksv5 proxy server. It will listen locally on port 1080

  • -C for compression
  • -D to not start a shell

Then you can configure your software to use the Socks proxy server on localhost port 1080

Passing through corporate firewall

Well, at least from inside your corporate network ;-)to surf, chat and more anonymously.

After reading this blog article thanks man) and its comments, I tried it and I have to say thatI have been happily surprised how easy it was. I didn’t know the existence of proxytunnel and that’s the key in it (for the theory about establishing a Ssh connectionthrough a SSL proxy see here).

Proxytunnel allows you to establish a SSH connectionvia a corporate proxy (all proxies that supports the CONNECT command). Here a schema of the solution I adopted :

Schema |Internet
----------- SSL ------------- SSL --------- SSL 443--------------
| Windows WS| --------| Company Proxy |-----| Firewall|--------| Home SSh Server |
| | | "CONNECT TO" | | | | | |
----------- --------------- --------- | -----------------

The other major point in this solution is the usage of a Socks5 server that will allow you to connect to any machine of your internal network with any Socks5 compliant software. A socks5 proxy is a proxy on layer4 of OSI model. For example, I have been able to establish a VNC connection to a Windows XP machine on my home network with “Smart CodeVNC manager” that has Socks5 capabilites.

Here are the steps I followed.

1) First check the prequesites

Tools needed on client side (we’ll make the assumption that it runs on Windows)

Server side prerequisites:

  • SSH daemon and that’s it.
  • Port 443 opened.
  • Optional: xinetd or a NAT tool to do port redirection (I used OpenBSD packet filter to redirect connections on port 443 on my Internet gateway to an internal Linux server in my home network).

2) SSH server configuration

The only thing to do is to configure it to listen on port 443 and authorize root loggin. Or you can use xinetd to use port redirection or any NAT tool ( PF, Netfilter…) and leave the server run on port 22.

3) Client SSH configuration
In a cygwin terminal, create a $HOME/.ssh/config file and add the following lines:

Host myserver   KeepAlive yes   ProxyCommand path_to_proxytunnel/proxytunnel.exe -g proxy_ip_address -G proxy_port -d ssh_server address -D ssh_server_port

The ssh server port should be 443.

4) Establish the ssh tunnel

In one command, you establish a SSH tunnel with SOCKS5 capabilities to your remote SSH server.

# ssh -D 1080 -l root myserver

update: use -N to avoid opening a Shell and -C for compression

Actually, the -D enables dynamic port redirection and listens on local port 1080.Connections are tunneled through SSH and are on the other side of the tunnel made by the remote SSh server (which behaves as a Socks proxy). ssh can also understant SOCKS5 protocol therefore you know have a Socks5 server that listens on port 1080 locally. The SOCKS connections are tunneled and are remotely executed by your ssh server

5) Configure your Workstation software to use the Socks5 server on port 1080 on localhost and enjoy.

Note that you can use IP of your remote internal network, you created “a kind of VPN”for SOCKS5 compliant software. For example, let’s say that you have on your home network a Web server that runs on the private address You can now reach it by typing in firefox

Also don’t forget to use a firewall on your workstation or your coworkers will gladly be able to connect to your Socks5 proxy.

Broadcasting music with Itunes on your corporate Network

Well,since most companies don't allow their employees to host mp3 on serversespecially on production servers ;-) Here's a little trick if you havea machine connected to the internet at home (with a fixed IP address ordyndns to easily connect to it) to listen your mp3.

Once again it uses SSL tunnel and SSH (See my previous post)to connect through your corporate firewalls and proxies to your homemachine. As a Itunes server I chose to use mt-daapd daemon on a Linuxserver. Here are steps:

1) On your home machine configure mt-daapd daemon. The step mostly consists in chosing the directory where your mp3s are.

2) Configure ssh on your corporate machine to use stunnel (See my previous post)

3)Configure the SSh daemon at home (See my previous post)

4) On your local machine, use RendezvousProxy tool as a proxy for RendezVousprotocol. Itunes uses RendezVous protocol to automatically discover anyItunes server. It works with multicast packets (not investigated thatmuch on it).Configure RendezvousProxy to listen on port 3690 for instance and use daacp.tcp plugin.

5) Establish the SSL tunnel:

# ssh -N -C -L 3690:mp3remotehost:3689 user@homegateway

Where -N option does not open a shell. -C is for compression.-L is for port forwarding. 3690 is the local port open your machine.mp3host and 3689 are the hostname andport of your mt-daapd server. user and homegateway are the user andhost of your home gateway with whom you will establish the SSHconnection.

6) Start Itunes and your server should be listed in the left pane.

I have tested it with my home internet connection which is a DSLconnection with 256 Mbits/s upload capabilities and it rocks. No need to tell your coworkers who use Itunes that you host a mp3 broadcasting server because if they are in the same LAN, they all should see it…

Ask you network administrator also to route IP multicast packets for the RDV address to make your whole company enjoy your mp3 server ;-)