VPN Service

The VPN Service is meant to be used together with the Diamondcard service. It allows you to secure all your voice calls between your location and our server. For example, say you are located in Ukraine and you make calls from an IP hard phone such as a Grandstream or Cisco phone, or from an IP softphone such as Ekiga or Twinkle. All data sent between your location and our server will be fully secured: the registration packets as well as all voice traffic are encrypted, so no one can eavesdrop or listen in on your calls. Someone who captures your traffic stream can still listen in, but all they will hear is noise, and they will be unable to decrypt it anytime soon. By soon we mean within years, even assuming they have supercomputers available to them. That is what we mean by security.

Not only will your calls be secure, but another great benefit is that ISPs will not be able to block or lower the priority of your call traffic either. The VPN Service also allows your calls to bypass any country-specific blocking of VOIP calls. Many users in the Middle East and other countries where VOIP is blocked can now use our VPN Service to easily bypass that country-specific blocking.

You have a choice of two locations for the VPN service, Europe or USA. Use whichever is closest to your current location.

Security

The VPN service is implemented on OpenVPN Community Software, the most popular open source technology of its kind. It uses the OpenSSL library and the SSLv3/TLSv1 protocols with 1024-bit public keys (used during the negotiation phase), and the data stream is encrypted with the Blowfish cipher using 128-bit keys. Blowfish with relatively short keys provides the best balance between the cryptographic strength of the phone conversation and voice quality, especially on low-end platforms. Please check the OpenVPN Security Overview page and the OpenVPN FAQ for more information on the OpenVPN security model.
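The key size and cipher quoted above can be confirmed on the client side. The script below is an added example (it is not Diamondcard's or OpenVPN's own code) with three small checks: the public-key size in the issued certificate, the cipher directive in the .ovpn profile, and the cipher actually negotiated as reported in the client log. File names such as client.crt, us.ovpn and openvpn.log are placeholders, the sample certificate text, profile and log line are constructed, and the log message wording assumed is the one printed by OpenVPN 2.3 and 2.4 clients.

```shell
#!/bin/sh
# Added example, not code from the Diamondcard page: checks a user can run
# to confirm which public-key size and data-channel cipher their own OpenVPN
# profile uses, i.e. the figures quoted in the Security section.
# File names (client.crt, us.ovpn, openvpn.log) are placeholders.

# Key size from the text form of an X.509 certificate ("openssl x509 -text").
# Parsing is separated from the openssl call so it can run on captured text;
# OpenSSL prints "Public-Key: (1024 bit)" or "RSA Public-Key: (1024 bit)"
# depending on version, and the pattern accepts both.
cert_key_bits_from_text() {
    printf '%s\n' "$1" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}
cert_key_bits() {   # $1 = PEM certificate file
    cert_key_bits_from_text "$(openssl x509 -noout -text -in "$1")"
}

# Cipher directive of an OpenVPN profile given as text ("cipher BF-CBC").
# Prints "default" when the profile has no cipher line, meaning the
# client's built-in default applies (which differs between OpenVPN releases).
ovpn_cipher() {
    c=$(printf '%s\n' "$1" | awk '$1 == "cipher" { print $2; exit }')
    if [ -n "$c" ]; then printf '%s\n' "$c"; else printf 'default\n'; fi
}

# Cipher and key size actually negotiated, taken from the client log.
# Assumed message formats (OpenVPN 2.3 and 2.4 wording, respectively):
#   Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
#   Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
negotiated_cipher_from_log() {
    printf '%s\n' "$1" | sed -n "s/.*Data Channel[^:]*: Cipher '\([^']*\)' initialized with \([0-9][0-9]*\) bit key.*/\1 \2/p" | head -n 1
}

# Constructed samples (abridged) in the formats the functions expect.
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'
SAMPLE_OVPN='client
dev tun
proto udp
remote vpn.example.net 1194
cipher BF-CBC
verb 3'
SAMPLE_LOG="Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key"

# Live usage: sh check-profile.sh --live client.crt us.ovpn openvpn.log
if [ "${1:-}" = "--live" ]; then
    echo "certificate key size: $(cert_key_bits "$2") bit"
    echo "profile cipher: $(ovpn_cipher "$(cat "$3")")"
    echo "negotiated: $(negotiated_cipher_from_log "$(cat "$4")")"
fi
```

On the constructed samples the three functions return 1024, BF-CBC and "BF-CBC 128". Run with --live against your own files to see what your profile really negotiates; the log line only appears once the tunnel has been established.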

What IP Hard Phones Can You Use?

1. IP hard phone. Cisco, Snom, Polycom, Grandstream, Aastra, Linksys and Yealink T20/22/26/28/Wp52 are some of the popular IP hard phones. Hard phones are physical devices, just like the regular analog phone your parents used to have at home.

We can support any IP hard phone (and VOIP adapters and other IP devices) in any of the following situations:

a) The IP hard phone supports the OpenVPN protocol and allows uploading your certificate and key file to it.

b) The IP hard phone is connected to the internet via a Cisco (or other) router which supports the OpenVPN protocol and allows uploading your certificate and key file to it.

c) The IP hard phone is connected to the internet via a Linux or Windows box which acts as a router. The user establishes an OpenVPN session on that Linux/Windows box and routes the IP hard phone's traffic through it.

IP hard phones can be used with the VPN service on their own if they support the OpenVPN protocol, that is, if OpenVPN is embedded in the phone's software. In that case you administer the VPN Service setup through the phone's administration screens.

The VPN service is actively developed and we plan to extend IP hard phone support. The initial additions will be the MS VPN protocol, routing secure traffic over HTTP port 80, and other goodies as time goes on. The next release of the VPN Service will send your secure traffic across HTTP port 80, so that the traffic looks like any other web browsing traffic and will not be blocked. This alternative routing method can be used if your internet provider blocks VPN traffic. Although this occurs very infrequently, we want to cover all possible scenarios.

If you have any suggestions for other additions please send them in to us.

The VPN service is meant to be used in conjunction with our Diamondcard Service and cannot be used separately. Its sole purpose is to transmit your voice traffic directly and securely to our European or USA servers.

The VPN Service is a flat fee monthly or yearly service. There are no limits on traffic or simultaneous calls.

It is well known that Diamondcard has supported the open source community with large contributions over the years to the Ekiga and Twinkle softphone projects. Our VPN Service uses the OpenVPN Community open source software project, and we will be donating 10% of all VPN Service sales to this project.

FAQ

Q1: Will my VPN calls be as secure as my landline?

A1: A regular analog landline can be intercepted by anyone who wishes to do so. Although a VPN connection can also be intercepted, it cannot be decrypted within a reasonable time. In this regard, VoIP communication over an OpenVPN link is much more secure than a landline phone.

Q2: What type of equipment can I use with your VPN service?

A2: Any soft- or hard-phone which supports the SIP protocol. If your phone works with diamondcard.us without the VPN, then it will work with the VPN too.

Q3: All your Installation Instructions are for Linux or Windows, but I have a Mac. What shall I do?

A3: You can use Tunnelblick, a free, open-source OpenVPN client for Mac. There are also other OpenVPN clients available for the Mac platform.

Q4: But I have an iOS device; can I use your VPN service with it?

A4: Yes, for iOS devices you can use the free OpenVPN Connect app from the iTunes Store.

Q5: Can I use your VPN service with my Android phone? Do I have to jailbreak my phone for this?

A5: Yes, for Android devices you can use the free OpenVPN Connect app from Google Play. This app does not require jailbreaking (or "rooting") your phone. There are also other OpenVPN clients available for the Android platform.

Q6: After making a call, can I just leave OpenVPN running all the time? Will it screw up my email or some such?

A6: Yes, you can leave it running for any period of time; OpenVPN does not affect other services or applications.

Q7: Who has access to the encrypted datastream on your OpenVPN server?

A7: When encrypted data arrives at our OpenVPN server, the server decrypts it and hands it to one of our VoIP servers (separate boxes installed in the same rack); from there the data stream flows the usual way to the intended destination. We record neither encrypted nor decrypted traffic. For accounting purposes we log only the call start/stop time and destination, exactly the same information you can see in your personal backend. Nobody besides the user and the system administrator can access this information, and the system administrator uses it in case of a dispute.

Q8: I'm using your VPN service. How can I tell if the VPN is on or off?

A8: Launch the OpenVPN client and your soft- or hardphone, then check whether any of the following is true:

1. If the last message in the OpenVPN window is "Initialization Sequence Completed", then OpenVPN is running;

2. Check whether the openvpn binary is active with your Task Manager (Windows) or with the "ps -ax | grep openvpn" command (Linux), or with other task management software available for your system. If the openvpn binary is active, then the OpenVPN link is up;

3. Check whether VoIP traffic is routed through the OpenVPN interface with the "netstat -rn" command (Linux or Windows command line). If the traffic is routed through the tun0 interface, then the OpenVPN link is active.
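The three checks in A8, written out as shell functions for a Linux host, as an added example that is not part of the original page. The process check uses the "[o]penvpn" grep pattern so that grep does not match its own command line, which a plain "grep openvpn" does. The route check goes a step further than eyeballing the table: it performs the same longest-prefix match the kernel does and reports which interface will carry packets to a given address, so it works whether the server pushes a full default route or only a host route to the VoIP server. The route table is passed in as text, which lets the function run on a captured "netstat -rn" listing; the sample table below and the 203.0.113.10 server address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the Diamondcard page: the three checks from A8
# as shell functions for a Linux host. The route lookup takes the route table
# as text so it can be tested offline; the other checks need a live system.

# 1. Is an openvpn process running? The [o] trick keeps grep from matching
#    its own command line, which a plain "grep openvpn" would do.
openvpn_running() {
    ps -ax 2>/dev/null | grep -q '[o]penvpn'
}

# 2. Does the tun0 interface exist? (ip from iproute2, ifconfig as fallback)
tun0_present() {
    ip link show tun0 >/dev/null 2>&1 || ifconfig tun0 >/dev/null 2>&1
}

# 3. Which interface will carry packets to $2 according to the Linux
#    "netstat -rn" (or "route -n") table given as text in $1?
#    Longest-prefix match, as the kernel does it; prints "none" if no
#    route covers the address (a default route covers everything).
iface_for_dest() {
    printf '%s\n' "$1" | awk -v t="$2" '
    function ip2int(s,   a) {
        split(s, a, ".")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    # prefix length of a contiguous netmask: count leading one bits by
    # repeatedly shifting the top bit out (plain arithmetic, no bitwise
    # functions, so it works in any POSIX awk)
    function masklen(m,   n) {
        n = 0
        while (m >= 2147483648) { n++; m = (m - 2147483648) * 2 }
        return n
    }
    BEGIN { target = ip2int(t); best = -1; iface = "none" }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        n = masklen(ip2int($3))
        div = 2 ^ (32 - n)
        if (int(ip2int($1) / div) == int(target / div) && n > best) {
            best = n
            iface = $NF
        }
    }
    END { print iface }'
}

# Constructed sample table, in the layout "netstat -rn" prints on Linux:
# a default route via eth0, the VPN subnet via tun0, and one host route
# to a placeholder VoIP server (203.0.113.10) pushed by the OpenVPN server.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 eth0
10.8.0.0        10.8.0.5        255.255.255.0   UG        0 0          0 tun0
10.8.0.5        0.0.0.0         255.255.255.255 UH        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
203.0.113.10    10.8.0.5        255.255.255.255 UGH       0 0          0 tun0'

# Live report: sh vpn-check.sh --live <voip-server-ip>
if [ "${1:-}" = "--live" ]; then
    openvpn_running && echo "openvpn process: running" || echo "openvpn process: not found"
    tun0_present && echo "tun0: present" || echo "tun0: missing"
    dest=${2:-203.0.113.10}
    echo "traffic to $dest leaves via: $(iface_for_dest "$(netstat -rn)" "$dest")"
fi
```

On the sample table, traffic to 203.0.113.10 and to anything in 10.8.0.0/24 leaves via tun0, while 203.0.113.11 or 8.8.8.8 fall through to the default route on eth0. That last case is the one to watch for: a tunnel can be up (checks 1 and 2 pass) while the VoIP server is still reached over eth0 because no route for it was pushed or added.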

Q9: I'm using your VPN service. How can I tell if my calls are secure?

A9: Install a traffic sniffer such as Wireshark and check your Internet traffic during a call without the VPN link active. You will see a lot of RTP packets with the codec type and similar details. After that, check the traffic with the VPN service active. You will see only OpenVPN packets flowing to our OpenVPN server, without any meaningful information about packet type, flags or anything else. See the OpenVPN Security Overview for more information regarding OpenVPN security.

Q10: Okay, can you tell me how much time it would take for someone to decrypt my call?

A10: By trying every possible key one could theoretically break any encryption scheme. However, a sufficiently long key makes this line of attack impractical: even a 128-bit key gives 2**128 possible keys, and the huge number of operations (more than 3 followed by 38 zeroes) required to try all possible 128-bit keys is widely considered to be out of reach for conventional digital computing techniques for the foreseeable future. For an encrypted phone conversation, it is sufficient that the time needed to crack the key exceeds the time it takes for the information in the conversation to become obsolete.

Q11: I have a Cisco IP phone connected to my Linux computer through a second NIC (not the NIC I connect to the internet with) that is set up as a shared device. The OpenVPN client is running on the computer, but I can't figure out how or what setting I should use to connect my phone to your OpenVPN server.

A11: Check the following points on your Linux PC:

1. That IP forwarding is enabled;

2. That there is a route from the 2nd (IP phone) NIC to the tun0 device;

3. That there is IP masquerading (or NAT) on the tun0 interface for the traffic coming from the IP phone.

Basically, you have to register with the service *without* openvpn first, note the routing and firewall settings concerning the 1st NIC, then disconnect from the service, fire up openvpn, check the routing and firewall settings of tun0 and update them with those you had for the first NIC when openvpn was disabled.
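The three points of A11 on a Linux box, as an added example that is neither Diamondcard's nor OpenVPN's own code: a function that generates the forwarding, NAT and firewall commands for the phone's subnet, a function that applies them, and three check functions that answer the questions in A11 on a live system. The interface names (eth1 for the NIC the phone is plugged into, tun0 for the tunnel), the phone subnet 192.168.2.0/24 and the VoIP server address are placeholders; the phone itself must be configured to use the Linux box's address on that second NIC as its default gateway.

```shell
#!/bin/sh
# Added example, not code from the Diamondcard page: the three items in A11
# (IP forwarding, a route to tun0, NAT for the phone) for a Linux box that
# sits between an IP phone and the OpenVPN link. Interface names, the phone
# subnet and the VoIP server address are placeholders chosen for illustration.

# Print the commands that turn the box into a gateway for the phone:
#   $1 = NIC the phone is plugged into, $2 = phone subnet, $3 = VPN interface
# Only the phone subnet is masqueraded and only towards the tunnel, so the
# box does not become a NAT gateway for anything else; replies are allowed
# back through conntrack state.
gateway_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -s $2 -o $3 -j MASQUERADE
iptables -A FORWARD -i $1 -o $3 -s $2 -j ACCEPT
iptables -A FORWARD -i $3 -o $1 -d $2 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run the generated commands (needs root), echoing each one first so the
# terminal log shows exactly what was applied; stops at the first failure.
apply_gateway_rules() {
    while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd" || return 1
    done <<EOF
$(gateway_rules "$@")
EOF
}

# Item 1: is IP forwarding switched on?
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = 1 ]
}

# Item 2: which interface the kernel would use to reach the VoIP server ($1);
# once openvpn is up and the server has pushed its routes this should print tun0.
route_dev_to() {
    ip route get "$1" 2>/dev/null | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1) }'
}

# Item 3: is there a MASQUERADE rule on interface $1 for subnet $2?
masquerade_present() {
    iptables -t nat -S POSTROUTING 2>/dev/null | grep -q -e "-s $2 -o $1 -j MASQUERADE"
}

# Usage: sh phone-gateway.sh apply eth1 192.168.2.0/24 tun0
#        sh phone-gateway.sh check tun0 192.168.2.0/24 <voip-server-ip>
case "${1:-}" in
    apply) apply_gateway_rules "$2" "$3" "$4" ;;
    check)
        forwarding_enabled && echo "ip_forward: on" || echo "ip_forward: OFF"
        echo "route to $4 goes via: $(route_dev_to "$4")"
        masquerade_present "$2" "$3" && echo "masquerade on $2: yes" || echo "masquerade on $2: MISSING"
        ;;
esac
```

The "check" mode is the counterpart of the procedure in A11: run it first with the first NIC's settings and without openvpn, then again with the tunnel up, and compare. The rules added here are not persistent; re-run "apply" after a reboot or put the equivalent lines in your distribution's firewall configuration.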

Q12: I'm trying to launch the openvpn application on my Linux box, but it fails with a message saying something like "could not execute external program". What can I do?

A12: This can happen on some Linux distros with recent versions of OpenVPN. Check the following points:

1. Whether your Linux has the "ip" command installed: "whereis ip". If the "ip" command is missing, install it using your system's package mechanism and try launching openvpn again;

2. If your system does have the "ip" command, then the problem could be caused by the openvpn binary resetting the PATH environment variable. Copy the "ip" binary to the directory from which you launch openvpn, e.g. if you start openvpn from /etc/openvpn, then "cp `which ip` /etc/openvpn", then "cd /etc/openvpn" and try launching openvpn again;

3. If all this fails, launch openvpn in verbose mode: "openvpn --verb 5 --conf us.ovpn" and contact support@diamondcard.us.

Installation Instructions