Page Source for VpnService

=begin options 

write = root 

=end options 

=head2 VPN Service 

The VPN Service is meant to be used together with the Diamondcard service.
It secures all voice traffic between your location and our server. For
example, say you are located in Ukraine and make calls from an IP hard
phone such as a Grandstream or Cisco phone, or from an IP softphone such
as Ekiga or Twinkle. All data sent between your location and our server
is encrypted: registration packets as well as all voice traffic are
protected, so no one can eavesdrop or listen in on your calls. Strictly
speaking, someone who captures your traffic stream can still listen to
it, but all they will hear is noise, and they will be unable to decrypt
it anytime soon. Soon meaning within years, even assuming they have
supercomputers available to them. Now that's what we mean by security. 

Not only will your calls be secure, but another great benefit is that
ISPs will not be able to block or deprioritise your call traffic. The
VPN Service also allows your calls to bypass any country-specific
blocking of VOIP calls. Many users in the Middle East and other
countries where VOIP is blocked can now use our VPN service to easily
bypass country-specific blocking. 

You have a choice of two locations for the VPN service: Europe or USA.
Use whichever is closer to your current location. 

=head3 Security 

The VPN service is implemented based on L<OpenVPN Community
Software|http://openvpn.net> - the most popular open source
technology, which uses the OpenSSL library and the SSLv3/TLSv1 protocols
with 1024-bit public keys (used during the negotiation phase) and
datastream encryption provided by the BlowFish cryptographic algorithm
with 128-bit keys. The BlowFish cipher with relatively short keys
provides an optimal balance between the crypto-strength of the phone
conversation and voice quality, especially on low-end platforms. Please
check the L<OpenVPN Security
Overview|http://openvpn.net/index.php/open-source/documentation/security-overview.html>
page and the L<OpenVPN
FAQ|http://openvpn.net/index.php/open-source/faq.htm> for more
information regarding the OpenVPN security model. 

=head3 What IP Hard Phones Can You Use? 

IP hard phones: Cisco, Snom, Polycom, Grandstream, Aastra, Linksys and
Yealink T20/22/26/28/Wp52 are some of the popular IP hard phones. Hard
phones are physical devices, just like the regular analog phone your
parents used to use at home. 

We can support any IP hard phone (and VOIP adapters and other IP
devices) in any of the following situations: 

a) The IP hard phone supports the OpenVPN protocol and allows uploading
your certificate & key file to it. 

b) The IP hard phone is connected to the internet via a Cisco (or some
other) router which supports the OpenVPN protocol and allows uploading
your certificate & key file to it. 

c) The IP hard phone is connected to the internet via a Linux or Windows
box which acts as a router. The user establishes an OpenVPN session on
his/her Linux/Windows box and routes the IP hard phone's traffic through
this box. 

IP hard phones can be used directly with the VPN service if they support
the OpenVPN protocol, i.e. the OpenVPN protocol is embedded in the
phone's software. You can administer the VPN Service setup through the
IP hard phone's administration screens. 

The VPN service is actively developed and we plan to extend IP hard
phone support. The initial additions will be the MS VPN protocol,
routing secure traffic over HTTP port 80 and other goodies as time goes
on. The next release of the VPN Service will send your secure traffic
across HTTP port 80. This way the traffic looks like any other web
browsing traffic and will not be blocked. This alternative routing
method can be used if your internet provider blocks VPN traffic.
Although this occurs very infrequently, we want to cover all possible
scenarios. 

If you have any suggestions for other additions please send them in to
us. 

The VPN service is meant to be used in conjunction with our Diamondcard
Service and cannot be used separately. The sole purpose of the VPN
service is to transmit your voice traffic directly and securely to our
European or USA servers. 

The VPN Service is a flat fee monthly or yearly service. There are no
limits on traffic or simultaneous calls. 

It is well known that Diamondcard supports the open source community
with large contributions over the years to Ekiga and Twinkle softphone
projects. Our VPN Service utilizes the OpenVPN Community Open Source
Software Project. We will be donating 10% of all VPN Service sales to
this project. 

=head2 FAQ 

B<Q1:> Will my VPN calls be as secure as my landline? 

B<A1:> A regular analog landline can be intercepted by anyone who
wishes to do so. Although a VPN connection can also be intercepted, it
cannot be decrypted within a reasonable time. In this regard, VoIP
communication over an OpenVPN link is much more secure than a landline
phone. 

B<Q2:> What type of equipment can I use with your VPN service? 

B<A2:> Any soft- or hard-phone which supports the SIP protocol. If
your phone works with diamondcard.us without VPN, then it will work
with VPN too. 

B<Q3:> All your L<Installation Instructions|VpnInstall> are
for Linux or Windows, but I have a Mac. What shall I do? 

B<A3:> You can use
L<Tunnelblick|http://code.google.com/p/tunnelblick/> - a free,
open-source OpenVPN client for Mac. There are also other OpenVPN
clients available for the Mac platform. 

B<Q4:> Well, but I have an iOS device, can I use your VPN service
with it? 

B<A4:> Yes, for iOS devices you can use the free L<OpenVPN
Connect|https://itunes.apple.com/us/app/openvpn-connect/id590379981?mt=8>
from the iTunes store. 

B<Q5:> Can I use your VPN service with my Android phone? Shall I
jailbreak my phone for this? 

B<A5:> Yes, for Android devices you can use the free L<OpenVPN
Connect|https://play.google.com/store/apps/details?id=net.openvpn.openvpn>
from Google Play; this app does not require jailbreaking (or
"rooting") your phone. There are also other OpenVPN clients available
for the Android platform. 

B<Q6:> After making a call, can I just leave OpenVPN running all
the time, will it screw up my email or some such? 

B<A6:> Yes, you can leave it running for any period of time;
OpenVPN does not affect other services or applications. 

B<Q7:> Who has access to the encrypted datastream on your OpenVPN
server? 

B<A7:> When encrypted data arrives at our OpenVPN server, the
server decrypts it and hands it to one of our VoIP servers (separate
boxes installed in the same rack); from there the datastream flows the
usual way to the intended destination. We record neither encrypted nor
decrypted traffic. For accounting purposes we just log call start/stop
time and destination - exactly the same info one can see in his/her
personal backend. Nobody (besides the user and the system
administrator) can access this information. The system administrator
uses these data in case of a conflict situation. 

B<Q8:> I'm using your VPN service. How to tell if VPN is on or
off? 

B<A8:> Launch the OpenVPN client and your soft- or hard-phone, then
check if any of the following is true: 

1. If the last message in the OpenVPN window is I<Initialization
Sequence Completed>, then OpenVPN is running; 

2. Check if the openvpn binary is active with your Task Manager (Windows)
or with the "I<ps -ax | grep openvpn>" command (Linux), or with
other task management software available for your system. If the openvpn
binary is active, then the OpenVPN link is up; 

3. Check if VoIP traffic is routed through the OpenVPN interface with the
"I<netstat -rn>" command (Linux or Windows Command Line). If the
traffic is routed through the I<tun0> interface, then the OpenVPN link is
active. 

B<Q9:> I'm using your VPN service. How to tell if my calls are
secure? 

B<A9:> You have to install a traffic sniffer like
L<Wireshark|http://www.wireshark.org> or similar and check your
Internet traffic during a call B<without> the VPN link active. You
will see a lot of RTP packets with codec type and similar things. After
that, check the traffic with the VPN service active. You will see just
OpenVPN packets flowing to our OpenVPN server, without any meaningful
info about packet type, flags, whatever. See the L<OpenVPN Security
Overview|http://openvpn.net/index.php/open-source/documentation/security-overview.html>
for more information regarding OpenVPN security. 

B<Q10:> OK, can you tell me how much time it will take for
someone to decrypt my call? 

B<A10:> By trying every possible key, one could theoretically
break any encryption scheme. However, a sufficiently long key makes
this line of attack impractical: even a 128-bit key yields 2**128
possible keys, and the huge number of operations (more than 3 with 38
zeroes following) required to try all possible 128-bit keys is widely
considered to be out of reach for conventional digital computing
techniques for the foreseeable future. For phone conversation
encryption, it is sufficient that the time needed to crack the key
exceeds the time it takes for the information in the conversation to
become obsolete. 

B<Q11:> I have a Cisco IP phone connected to my Linux computer
through a second NIC (not the NIC I connect to the internet with) that
is set up as a shared device. The OpenVPN client is running on the
computer, but I can't figure out how or what setting I should use to
connect my phone to your OpenVPN server. 

B<A11:> Check the following points on your Linux PC: 

1. Whether IP forwarding is enabled; 

2. Whether there is a route from the 2nd (IP phone) NIC to the tun0 device; 

3. Whether there is IP masquerading (or NAT) on the tun0 interface for
the traffic coming from the IP phone. 

Basically, you have to register with the service B<without> openvpn
first, note the routing and firewall settings concerning the 1st NIC,
then disconnect the service, fire up openvpn, check the routing and
firewall settings of tun0 and update them with those you had for the
first NIC when openvpn was disabled. 
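Added example (not part of the original page or Diamondcard's own tooling): a POSIX shell script that checks the three points above, plus the tun0 route test from A8, on a Linux box routing an IP phone through OpenVPN. The interface names eth1 and tun0 and the phone subnet 192.168.2.0/24 are assumptions; override them with environment variables.

```shell
#!/bin/sh
# Added example, not Diamondcard's code: checks A11 points 1-3 (and A8
# point 3) on a Linux router box. Assumed names, override via env:
LAN_IF="${LAN_IF:-eth1}"                 # NIC the IP phone hangs off
VPN_IF="${VPN_IF:-tun0}"                 # OpenVPN tunnel interface
LAN_NET="${LAN_NET:-192.168.2.0/24}"     # phone-side subnet

# Point 1: $1 is the content of /proc/sys/net/ipv4/ip_forward ("0"/"1").
ip_forward_enabled() {
    [ "$1" = "1" ]
}

# Point 2 (and A8 point 3): $1 is `ip route` output, $2 the tunnel
# interface. A full-tunnel OpenVPN client installs 0.0.0.0/1 and
# 128.0.0.0/1 (or a default route) via tun0; any "dev tun0" route counts.
has_route_via() {
    printf '%s\n' "$1" | grep -q "dev $2"
}

# Point 3: $1 is `iptables -t nat -S POSTROUTING` output, $2 the tunnel
# interface. Looks for a MASQUERADE rule leaving via that interface.
has_masquerade_on() {
    printf '%s\n' "$1" | grep -q -- "-o $2 .*-j MASQUERADE"
}

# Live check: read the real values and print, per point, either "ok" or
# the command that fixes it (run as root; iptables needs it).
run_live_checks() {
    fwd=$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)
    routes=$(ip route 2>/dev/null)
    nat=$(iptables -t nat -S POSTROUTING 2>/dev/null)
    if ip_forward_enabled "$fwd"; then echo "1. IP forwarding: ok"
    else echo "1. IP forwarding OFF -> sysctl -w net.ipv4.ip_forward=1"; fi
    if has_route_via "$routes" "$VPN_IF"; then echo "2. route via $VPN_IF: ok"
    else echo "2. no route via $VPN_IF for traffic from $LAN_IF" \
              "-> is openvpn up? (ps -ax | grep openvpn)"; fi
    if has_masquerade_on "$nat" "$VPN_IF"; then echo "3. NAT on $VPN_IF: ok"
    else echo "3. no NAT on $VPN_IF -> iptables -t nat -A POSTROUTING" \
              "-s $LAN_NET -o $VPN_IF -j MASQUERADE"; fi
}

# Run the live checks only when asked: RUN_LIVE=1 sh vpn_router_check.sh
if [ "${RUN_LIVE:-0}" = "1" ]; then run_live_checks; fi
```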

B<Q12:> I'm trying to launch the openvpn application on my Linux box,
but it fails with a message saying something like: "I<could not
execute external program>". What can I do? 

B<A12:> This can happen on some Linux distros with recent
versions of OpenVPN. Check the following points: 

1. Whether your Linux has the "ip" command installed: "I<whereis ip>". If
the "ip" command is missing, install it using your system's installation
mechanism and try launching openvpn again; 

2. If your system does have the "ip" command, then the problem could be
caused by the openvpn binary resetting the PATH environment variable. Copy
the "ip" binary to the directory from where you launch openvpn, e.g. if
you start openvpn from /etc/openvpn, then run "I<cp `which ip`
/etc/openvpn>", then "I<cd /etc/openvpn>" and try launching
openvpn again; 

3. If all this fails, launch openvpn with verbose mode on:
"I<openvpn --verb 5 --conf us.ovpn>" and contact
L<mailto:support@diamondcard.us>. 

L<Installation Instructions|VpnInstall>