VOIP and VPN

Surprisingly, using VOIP across an SSL-based VPN can actually improve the call quality (as measured by MOS scores). The improvement seems to be due to encapsulating the UDP VOIP packets ( SIP and RTP ) in TCP/IP. NB Datagram-based VPNs, such as IPSec’s ESP are still bad.

According to a study by Sirrix VPN has no negative influence on latency, jitter and packet loss; in the case of the g7.11 codec and compressed VPN it is even possible to gain 10% bandwidth compared to non-VPN traffic. Apart from that, different common VPN solutions have a big difference in the available throughput, which is due to the rather small packet sizes and greatly increased overhead:

With enabling authentication, encryption, HMAC, anti-replay attack, and initialization vector, and use small RTP size for Codec, the VPN overhead is high:
g723 with 30ms RTP size and using VPN tunneling: approx. 80% overhead;
g729a with 20ms RTP size and using VPN tunneling: approx. 80% overhead;

But when making some adjustments on the encryption/authentication settings and double the RTP size, the overhead can go down to about 20%-30%, which is affordable for most of the cases.

In addition, SBO VPN works to lessen the uses of bandwidth consumption for SIP communication directly by bypassing internet firewall. To make a SIP call with Codec G.729 or G. 723, it consumed about 31.5 kbps bandwidth. But, the noticeable matter is that the payload size is only 8 kbps. Rest of the bandwidth is consumed by RTP and other headers. SBO VPN system works here to reduce 80% internet consumption by replacing the RTP and only transmit payload size.

Comparing to SRTP as an encryption method for VoIP: approx. 5% additional overhead.

There is an OpenVPN-based service available on the net which resolves the excessive traffic consumption issue. Several voice packets are placed in the buffer before encapsulation. This minimizes VPN impact and traffic usage doesn’t grow with VPN service. This can also help to prevent VoIP traffic detection by packet size since the size of a single packet is comparable with MTU size (usually 1500 or less).

VoIP and VPN Forums:

• VoIP Security Forum

VoIP Tunneling methods

• iTel Byte Saver helps VoIP service providers offer their services in geographical areas where VoIP calls are blocked by firewalls.
• SBO Tunneling Method for VoIP
• Zebedee: Can tunnel UDP via TCP (HowTo for Asterisk in German)
• Stunnel: Uses SSL, can do both UDP and TCP
• OpenVPN: Can do both UDP and TCP

Mizutech VoIP tunneling solution: A complete solution (both server and client side) for encrypted VoIP

Articles

• SBO vs Open VPN- Virtual Private Network– Bypass any types of internet firewall by encrypting and also Reduce Bandwidth Cost for VoIP termination.
• O’Reilly Emerging Telephony Strangely, SSL VPNs can help VoIP call quality

See also

• VPN
• Asterisk encryption
• Personal VPN