Support for TLS Proxy

If it is transparent, it needs to use TLS on both sides. Actually a TLS proxy would not use SIP, as it wouldn’t be able to decrypt the TLS contents.

I think my terms just aren’t correct. By transparent I mean it terminates TLS and passes along the underlying TCP stream.

I guess instead of hacking away and creating custom patches I can just run Kamailio on my OPNsense router. I was just trying to avoid setting up another service, but it seems it actually would be easier at this point, lol.

So now I’m looking into using Kamailio. Definitely a lot more to learn, but then it looks like I could also integrate in rtpproxy to handle SRTP decoding, which would be a plus. Basically my goal is to strip all encryption on my OPNsense router, which will do it in hardware using QAT, and forward SIP + RTP to my FreeBSD server running Asterisk.

I’m thinking this is not the best place to ask for Kamailio advice/support, lol. But if you do have any resources you could point to I would appreciate it. It seems like most guides I found want to handle user registrations on Kamailio; I believe I want that done on Asterisk, since one of my users (the video doorbell) is on a physically separated LAN and can only talk to Asterisk.

Thanks!

Kamailio resources for me are kb.asipto.com and the kamailio mailing list.

Success.

So I got this working by using a SIP proxy (Kamailio) as suggested; see the relevant configs below. The TLS config adds some security through obscurity: if DOMAIN.com is not requested through SNI, the default server is used. The default server requires and verifies the client’s certificate, but that will never work because ca_list is not set.

I eventually will also work on getting RTPProxy set up for SRTP to RTP conversion on my firewall, but that is not a priority for now.

pjsip.conf

outbound_proxy = sip:FW_LAN_IP:5060\;lr

kamailio.cfg

# TLS listener on the WAN side; the advertised address is what goes into Via/Record-Route
listen = tls:WAN_INTERFACE:5061 advertise "DOMAIN.com":5061
# Plain UDP listener on the LAN side, talking to Asterisk
listen = udp:FW_LAN_IP:5060

loadmodule "uac.so"
modparam("rr", "append_fromtag", 1)

request_route {
	record_route();
	# Requests that arrived on the LAN listener come from Asterisk and go out to the
	# registered TLS client; everything else (arrived on the WAN TLS listener) goes to Asterisk.
	if(dst_ip==FW_LAN_IP) {
		# Present the public domain in From so the remote side sees DOMAIN.com, not the LAN IP
		uac_replace_from("sip:$fU@DOMAIN.com:5061");
		lookup("location");
		t_relay_to_tls();
	} else {
		t_relay_to_udp("ASTERISK_IP","5060");
	}
	exit();
}

reply_route {
	# Registration is handled by Asterisk; only record the contact locally once Asterisk
	# has accepted it, so lookup("location") above can reach the TLS client.
	if(is_method("REGISTER") && status=="200") {
		save("location","0x06");
	}
	return;
}

tls.cfg

[server:default]
verify_client = on
private_key = /usr/local/etc/ssl/selfsigned.key
certificate = /usr/local/etc/ssl/selfsigned.pem

[server:any]
verify_client = off
private_key = /usr/local/etc/ssl/DOMAIN_com.pem
certificate = /usr/local/etc/ssl/DOMAIN_com.pem
server_name = DOMAIN.com
server_name_mode = 0
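An added check, not part of the thread or of Kamailio itself: a small Python lint that reads a tls.cfg like the one above, models which profile a client's SNI would select (assumed here: server_name_mode 0 is an exact, case-insensitive hostname match, and a connection with no matching SNI falls back to [server:default]) and flags a profile that turns verify_client on without a ca_list, which is the "never works" case described in the post.

```python
import configparser
import io

# Constructed copy of the tls.cfg from the post (placeholder names kept as-is).
TLS_CFG = """
[server:default]
verify_client = on
private_key = /usr/local/etc/ssl/selfsigned.key
certificate = /usr/local/etc/ssl/selfsigned.pem

[server:any]
verify_client = off
private_key = /usr/local/etc/ssl/DOMAIN_com.pem
certificate = /usr/local/etc/ssl/DOMAIN_com.pem
server_name = DOMAIN.com
server_name_mode = 0
"""


def load_tls_cfg(text):
    """Parse the INI-style tls.cfg into {section: {key: value}}."""
    cfg = configparser.ConfigParser()
    cfg.read_file(io.StringIO(text))
    return {name: dict(cfg[name]) for name in cfg.sections()}


def select_profile(profiles, sni):
    """Profile a TLS client with the given SNI (or None) would land on.
    Assumption: mode 0 = exact match; no SNI or no match -> [server:default]."""
    if sni:
        for name, p in profiles.items():
            if not name.startswith("server:") or not p.get("server_name"):
                continue
            if p.get("server_name_mode", "0") == "0" and p["server_name"].lower() == sni.lower():
                return name
    return "server:default"


def lint(profiles):
    """Flag server profiles that verify client certs but have no CA list to verify against."""
    findings = []
    for name, p in profiles.items():
        verify_on = p.get("verify_client", "off").lower() in ("on", "yes", "1")
        if name.startswith("server:") and verify_on and not p.get("ca_list"):
            findings.append(f"{name}: verify_client is on but ca_list is unset, "
                            "so no client certificate can be validated against a trusted CA")
    return findings


if __name__ == "__main__":
    profiles = load_tls_cfg(TLS_CFG)
    for sni in ("DOMAIN.com", "other.example", None):
        print(f"SNI {sni!r} -> {select_profile(profiles, sni)}")
    print("\n".join(lint(profiles)))
```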