When installing some VoIP software such as Kphone or vock (with nodejs), it always specifies a server-side and a client-side installation. If both VoIP chat users already know each other's target client IP address, why do we still need to install software on the server side? Or, since the phone or website VoIP users' IPs are dynamic rather than static, do we need to store the VoIP users' information, such as their dynamic IPs, on the server side so that the two VoIP clients can talk? Is this correct in concept?
For developers, could they write just the client-side VoIP software if both clients' IPs and ports are fixed or static, with no server-side assistance needed? Is that correct? The server side is just a bridge between two clients whose IPs are dynamic, right?
Please advise.
You answered your question mostly correctly.
One of the main purposes of a VoIP server (among routing/billing/IVR/voicemail/others) is the registrar functionality. This means that softphones can register with the server, and then any peer can easily contact the softphone via the server, since this solves all dynamic/private IP issues. However, in SIP you can always make calls directly between two endpoints by specifying the exact location, so:
- If your softphone is registered to a server, then you call the peer by its username, like: abc
- If your softphone is not connected to a server, then you can still call other phones by the exact SIP URI, like: abc#ipaddress:port
The SIP bible can be found here: RFC3261
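To make the two dialling modes in the answer concrete, here is an added example (not code from the answer or from any SIP stack) of how a softphone or proxy decides where to send a call. A bare username can only be resolved while a registrar holds a live binding created by REGISTER; a full URI of the form sip:user@host:port (the RFC 3261 syntax) carries its own destination and needs no server. The Registrar class, the resolveTarget function and all addresses are constructed for this example.

```javascript
// Added example: resolving a call target with and without a registrar.
// Names (parseSipUri, Registrar, resolveTarget) and addresses are assumptions
// made for this illustration, not part of the original answer.

const DEFAULT_SIP_PORT = 5060;

// Parses "sip:user@host[:port]" (also "sips:"). Returns null if malformed.
function parseSipUri(uri) {
  const m = /^sips?:([^@\s]+)@([^:\s]+)(?::(\d{1,5}))?$/.exec(uri);
  if (!m) return null;
  const port = m[3] ? Number(m[3]) : DEFAULT_SIP_PORT;
  if (port < 1 || port > 65535) return null;
  return { user: m[1], host: m[2], port };
}

// Minimal registrar location service: REGISTER binds a username to the
// contact it is currently reachable at, for a limited time ("expires").
class Registrar {
  constructor() { this.bindings = new Map(); }

  register(user, contactUri, expiresSec, now = Date.now()) {
    const contact = parseSipUri(contactUri);
    if (!contact) throw new Error('bad contact URI');
    // expires=0 is how a client de-registers.
    if (expiresSec <= 0) { this.bindings.delete(user); return; }
    this.bindings.set(user, { contact, expiresAt: now + expiresSec * 1000 });
  }

  lookup(user, now = Date.now()) {
    const b = this.bindings.get(user);
    if (!b) return null;
    if (b.expiresAt <= now) { this.bindings.delete(user); return null; }
    return b.contact;
  }
}

// Decides where an INVITE goes. A direct URI needs no server at all; a bare
// username only works while the registrar still holds a binding for it, which
// is exactly what breaks when the peer's dynamic IP changes and it has not
// re-registered.
function resolveTarget(target, registrar, now = Date.now()) {
  const direct = parseSipUri(target);
  if (direct) return { via: 'direct', host: direct.host, port: direct.port };
  const contact = registrar ? registrar.lookup(target, now) : null;
  if (!contact) return { via: 'unresolved', host: null, port: null };
  return { via: 'registrar', host: contact.host, port: contact.port };
}

// Walk-through with constructed data.
function demo() {
  const reg = new Registrar();
  const t0 = 1000000;
  reg.register('abc', 'sip:abc@203.0.113.7:5062', 3600, t0);
  return {
    byName: resolveTarget('abc', reg, t0 + 1000),
    direct: resolveTarget('sip:abc@198.51.100.9', null, t0),
    afterExpiry: resolveTarget('abc', reg, t0 + 3601 * 1000),
  };
}
```

The `afterExpiry` case is the practical reason the server stays in the picture: the peer's public address is only as fresh as its last REGISTER, so a client that calls by name depends on the registrar, while a client that calls by full URI depends on the address it was given still being valid.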
I'm trying to follow the code given here to implement NAT hole punching in Node.js. I'd like to know if the server is strictly necessary. Having read about hole punching, I am under the impression that the purpose of the server is to allow the clients to exchange some information (including but not limited to their addresses and ports they want to communicate on) so that they can proceed to talk directly. Assuming the clients already had each other's information (again, including but not limited to their addresses and ports), would the server still be necessary? If so why and if not, how could this be implemented?
For instance, say one were to build an application where client_A prints out all information that would have been transmitted to the server for user_A to read, who then sends this to user_B, who then submits this info to client_B (this could be done via email for example). Wouldn't this avoid the need for a server?
Here is another explanation of why I think it might be possible to remove the server in the middle:
In NAT hole punching (assuming I understand it correctly), the communications begin when client_A sends a message to the server. The message contains some information that the server then passes on to client_B when client_B contacts the server. After this point, client_A and client_B are able to communicate directly without the need for the server. I am under the impression that once a direct connection between client_A and client_B has been established, the server could go offline and the two clients would still be able to communicate directly with one another. If this is the case, then I would imagine that any information that is being used to maintain this connection (be that addresses, ports, or any other kind of info) could be exchanged through any other channel (eg: email, a handwritten letter, a voice call, etc) at the beginning of the protocol, and then the connection could be established without ever needing the server.
Regarding 'tricking' the router
As manishig pointed out to me in a comment (thanks), NAT hole punching also requires tricking the router. If I understand correctly (please correct me if not) the router is tricked by having the router store the info for directing incoming packets from the server to client_A, however, these packets are actually coming from client_B after the initial phase of the protocol. If this is a correct description of the problem, is there a way to trick the router that doesn't require using a server?
There are ways to communicate between two remote computers over the internet without an intermediate server, but IMO it is not the preferred way.
Why is an intermediate server needed?
If client_A and client_B are both in the same LAN (e.g. your home/office network) you can make sure (by configuring the clients and/or the router) that they will have static IP addresses on this LAN, and they can just talk freely.
E.g.: if client_A is listening on port 8080, client_B can create a connection to client_A_ip on port 8080.
Over the internet any packet sent passes through NAT usually at least twice: once after going through your LAN (e.g. your home/office router) and at least once at an ISP endpoint. This means you have no control over the public IP and port assigned to your packet.
Not only do you have no control over your packet's assigned public IP and port, these are also not static. They won't change while you have an active TCP connection, but you don't have any other guarantee from your ISP regarding your assigned public IP and port.
The intermediate server's purpose is to dynamically update each client with its peer's info and also to keep the TCP connection open, so that peer-to-peer communication will be available.
Alternative solution to an intermediate server (not recommended)
If you want your clients to communicate without an intermediate server you can buy a public static IP from your ISP (if they support it), and then there are ways (with some config) to make one of your clients have a public static IP and port that the other client can connect to.
But I wouldn't recommend it, since it requires some understanding of IT and carries security risks.
Also, if both clients are portable and connect to different networks all the time, it's not a valid solution.
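The answer's two points, that the rendezvous server supplies fresh public endpoints and that mappings only stay alive while traffic flows, are easiest to see in a toy model. The following is an added example, not code from the question's linked implementation or from the answer: two simulated NATs with address-restricted filtering and an idle timeout (one of the behaviours catalogued in RFC 4787; real devices differ). The `Nat` class, the demo function and all addresses are constructed for this illustration.

```javascript
// Added example: toy NAT model showing why hole punching needs (a) each
// side's current public endpoint and (b) traffic to keep the mapping alive.
// Nat, holePunchDemo and all addresses are assumptions for this illustration.

class Nat {
  constructor(publicIp, idleTimeoutMs) {
    this.publicIp = publicIp;
    this.idleTimeoutMs = idleTimeoutMs;
    this.nextPort = 40000;
    // "privIp:privPort" -> { publicPort, peers: Set<"ip:port">, lastSeen }
    this.mappings = new Map();
  }

  // Outbound packet: creates or refreshes the mapping and records the
  // destination, which this NAT will later accept replies from.
  outbound(privIp, privPort, dstIp, dstPort, now) {
    const key = `${privIp}:${privPort}`;
    let m = this.mappings.get(key);
    if (!m || now - m.lastSeen > this.idleTimeoutMs) {
      m = { publicPort: this.nextPort++, peers: new Set() }; // fresh port after idle
      this.mappings.set(key, m);
    }
    m.lastSeen = now;
    m.peers.add(`${dstIp}:${dstPort}`);
    return { srcIp: this.publicIp, srcPort: m.publicPort, dstIp, dstPort };
  }

  // Inbound packet: delivered only if a live mapping owns the public port and
  // the sender was previously contacted from it (address-restricted filtering).
  // Returns the private endpoint that receives it, or null if dropped.
  inbound(srcIp, srcPort, dstPort, now) {
    for (const [key, m] of this.mappings) {
      if (m.publicPort !== dstPort) continue;
      if (now - m.lastSeen > this.idleTimeoutMs) { this.mappings.delete(key); return null; }
      if (!m.peers.has(`${srcIp}:${srcPort}`)) return null;
      return key;
    }
    return null;
  }
}

function holePunchDemo(idleTimeoutMs = 30000) {
  const natA = new Nat('198.51.100.10', idleTimeoutMs);
  const natB = new Nat('203.0.113.20', idleTimeoutMs);
  const a = { ip: '192.168.1.2', port: 5000 };
  const b = { ip: '10.0.0.2', port: 6000 };
  const server = { ip: '192.0.2.1', port: 9000 };
  const result = {};
  let t = 0;

  // 1. Both clients contact the rendezvous server, which sees their public
  //    endpoints. Any other channel could carry the same two values to the
  //    peers, as long as the mappings they describe are still alive.
  const aPub = natA.outbound(a.ip, a.port, server.ip, server.port, t);
  const bPub = natB.outbound(b.ip, b.port, server.ip, server.port, t);

  // 2. B's packet arriving at A's NAT before A has sent anything to B is dropped.
  result.beforePunch = natA.inbound(bPub.srcIp, bPub.srcPort, aPub.srcPort, t);

  // 3. Each side sends to the other's public endpoint; this opens the filter.
  natA.outbound(a.ip, a.port, bPub.srcIp, bPub.srcPort, t);
  natB.outbound(b.ip, b.port, aPub.srcIp, aPub.srcPort, t);
  result.afterPunch = natA.inbound(bPub.srcIp, bPub.srcPort, aPub.srcPort, t);

  // 4. The server is no longer involved; traffic flows while mappings live.
  t += idleTimeoutMs / 2;
  natA.outbound(a.ip, a.port, bPub.srcIp, bPub.srcPort, t);
  result.serverOffline = natB.inbound(aPub.srcIp, aPub.srcPort, bPub.srcPort, t);

  // 5. Both sides go idle past the timeout: the mapping expires, the next
  //    outbound packet gets a new public port, and the endpoint the peer
  //    learned earlier is stale.
  t += idleTimeoutMs + 1;
  result.afterIdle = natA.inbound(bPub.srcIp, bPub.srcPort, aPub.srcPort, t);
  const aPub2 = natA.outbound(a.ip, a.port, bPub.srcIp, bPub.srcPort, t);
  result.portChanged = aPub2.srcPort !== aPub.srcPort;
  return result;
}
```

Step 5 is the answer to the question as asked: the information could be exchanged by email, but it is only valid for as long as the NAT keeps the mapping, which is why implementations keep a connection or keepalives running through the server (or between the peers) rather than exchanging endpoints once.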
This has taken me about a year to understand and get to, but I am at the limit of my capability, so reaching out to a StackOverflow guru please...
I would like, if possible, to secure my network model. The model is as shown in the diagram. To explain:
All the aspects I have control of are within the green shaded area. I cannot change anything outside this.
I run a simple application web server which is the VPN IPsec/L2tpd client. Static IP.
My router is ISP provided. It receives a DHCP Dynamic IP from the ISP.
My Digital Ocean Virtual Private Server has a static IP. It runs an NGINX reverse proxy that channels traffic through the VPN tunnel. It also runs the IPsec/L2tpd server.
An IPsec/L2TPD VPN tunnel is established and working.
A working VPN tunnel.
A cellphone that runs an app that communicates with my application server app. My cellphone receives a dynamic IP from my Network Operator.
I have three IP camera feeds served by my application server. Not a great speed but watchable in real-time.
I cannot change my ISP, or bandwidth/download/upload speed.
I cannot install VPN clients on the cellphone, and I may want to access my app server through another cellphone provided by work, so I cannot install apps on it, but it does have unfettered web access through a browser.
Everything is now working; can't believe I've done it!
Anyway, my question is:
Is there any way to secure the network so that only traffic from my mobile reaches, or rather is accepted by, my application server?
I accept IPsec/L2tpd is not great, but it is fast, and I use this because I have tried OpenVPN, SoftEther and key-based OpenSwan. These are waaaay too slow. The camera feeds are unwatchable and update one frame about every 5 seconds.
So with the limitations above, what can I do, what is possible? Please may I respectfully ask that you refrain from suggestions and concerns requiring a change to that which I cannot control; I accept all critique but that is not what I need here. I am asking for advice on how to secure that which I can influence. Thank you.
I cannot install VPN clients on the cellphone and I may want to access my app server through another cellphone provided by work so cannot install apps on it but does have unfettered web access through a browser.
Given that limitation, that in the end you may only have a phone where you are not allowed to change anything but use the web, I suggest configuring proxy authentication on the nginx reverse proxy. I don't have experience with setting this up with nginx in particular, but that's what should do the trick according to the network architecture and description you provided.
An example configuration on how to configure nginx for basic / client certificate auth can be found at: https://www.cloudsavvyit.com/1355/how-to-setup-basic-http-authentication-on-nginx/
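Since the phone's address is dynamic, an IP allow list on the proxy cannot distinguish it from anyone else; authenticating the client is the control that fits the constraints. The server block below is an added example, not a configuration from the answer, the linked article or the asker's setup. It assumes the application server is reachable through the tunnel at the placeholder address 10.8.0.2:8080, a public hostname app.example.com, and that the server certificate, private key and client CA already exist at the paths shown; both mechanisms the answer mentions are included and can be used together or separately.

```nginx
# Added example: nginx reverse proxy on the VPS requiring client
# authentication before anything is forwarded into the VPN tunnel.
# Hostname, paths and the 10.8.0.2:8080 upstream are placeholders.
server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Option A: require a client certificate issued by your own CA.
    # Works from a plain browser once the certificate is imported on the
    # phone, so nothing needs to be installed as an app.
    ssl_client_certificate /etc/nginx/tls/client-ca.crt;
    ssl_verify_client      on;

    # Option B (can be combined with A): HTTP basic authentication.
    # Create the file with:  htpasswd -c /etc/nginx/.htpasswd <username>
    auth_basic           "Camera access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        # Application server on the far side of the IPsec/L2TP tunnel.
        proxy_pass         http://10.8.0.2:8080;
        proxy_set_header   Host      $host;
        proxy_set_header   X-Real-IP $remote_addr;
    }
}

# Redirect plain HTTP so credentials never cross the internet unencrypted.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}
```

With `ssl_verify_client on`, a request without a valid client certificate is rejected during the TLS handshake, before basic auth or the upstream is ever reached; basic auth alone is only safe because the `listen 443 ssl` block keeps the password off the wire in clear text. Reload with `nginx -t && nginx -s reload` after editing.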
I created a TCP server using the net module in Node.js and tried to get the MAC address info from each client to generate a UUID. However, in the Socket object there is no information about it. I also tried to read the MAC address from the ARP table, but that isn't working either. Are there any other ways to figure it out?
Because the MAC address belongs to layer 2 of the OSI model, you will not be able to access it unless you are in the same address space, because it gets stripped out by routers.
Explanation
The MAC address belongs to layer 2, the "Data Link Layer", of the 7 OSI layers. The clients' MAC addresses are only visible to the routers they directly connect to.
Routers partially disassemble the packet to get at the layer 3 "Network Layer" headers, where the IP address is used, in order to determine where the packet should be shipped.
Then, Layer 4, "Transport Layer", is where you're talking about specific protocols, like TCP.
Therefore, as a server, you CANNOT get the clients' MAC address unless you are connected to your clients in layer 2.
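The ARP approach from the question fails for exactly the reason this answer gives, and the failure is predictable from the client's address alone: ARP can only resolve peers on the server's own subnet. The following added example (not code from the question or the answer) shows what a Node.js TCP server can actually learn about a client from `socket.remoteAddress`, parsing an ARP table given in the Linux `/proc/net/arp` layout. The table contents, the interface CIDR and the helper names are constructed for this illustration.

```javascript
// Added example: decide whether a client's MAC is even recoverable, and read
// it from an ARP table only when the client is on-link. The table below is a
// constructed sample in /proc/net/arp format; helper names are assumptions.

const SAMPLE_ARP_TABLE = `IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
192.168.1.1      0x1         0x2         aa:bb:cc:dd:ee:ff     *        eth0
203.0.113.9      0x1         0x0         00:00:00:00:00:00     *        eth0`;

// Map of IP -> MAC for completed entries only (flag 0x2 = ATF_COM).
// An incomplete entry (flags 0x0) is what a failed resolution leaves behind.
function parseArpTable(text) {
  const entries = new Map();
  for (const line of text.split('\n').slice(1)) {        // skip header row
    const cols = line.trim().split(/\s+/);
    if (cols.length < 6) continue;
    const [ip, , flags, mac] = cols;
    if (parseInt(flags, 16) & 0x2) entries.set(ip, mac);
  }
  return entries;
}

// Dotted-quad IPv4 to unsigned 32-bit integer; null if malformed.
function ipv4ToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 ||
      parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when `ip` lies inside the interface's subnet, i.e. the peer shares
// our layer-2 segment and ARP can resolve it; null on bad input.
function isOnLink(ip, ifaceCidr) {
  const [ifaceIp, prefixStr] = ifaceCidr.split('/');
  const prefix = Number(prefixStr);
  const a = ipv4ToInt(ip), b = ipv4ToInt(ifaceIp);
  if (a === null || b === null || !(prefix >= 0 && prefix <= 32)) return null;
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return (a & mask) === (b & mask);
}

// What a TCP server can say about a connected client. `remoteAddress` is the
// value Node's net.Socket exposes; IPv4 clients often show up as "::ffff:a.b.c.d".
function identifyClient(remoteAddress, ifaceCidr, arpText) {
  const ip = remoteAddress.replace(/^::ffff:/, '');
  if (isOnLink(ip, ifaceCidr) !== true) {
    return { ip, mac: null, reason: 'routed: layer-2 header replaced at each hop' };
  }
  const mac = parseArpTable(arpText).get(ip) || null;
  return { ip, mac, reason: mac ? 'on-link, resolved via ARP'
                              : 'on-link, no complete ARP entry' };
}
```

The practical consequence for the UUID idea in the question: for any client arriving over the internet the server sees the last router's MAC at layer 2 and only the client's (possibly NATed) IP at layer 3, so a MAC-based identifier has to be sent by the client itself, which also means the server cannot treat it as trustworthy.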
I did something similar before for classrooms in a production environment. In my case, I had access to all client machines. If you have admin access to all clients, or you can pre-register the clients in your database somehow, you can do the following. If not, please ignore this answer.
Create another Node.js program hosting a web service on the clients (don't forget to implement some kind of security). This program could be just a simple Express.js app with the getmac node module.
Register all IPs or domain names of the clients in the server database. This could be manual or, in my case, when a client is turned on it automatically sends a request to the server to register itself. (Implement client-server validation if needed.)
When the server needs the MAC from a client, the server app sends a request to each pre-registered client to get its MAC address or any other information the server needs from clients.
The net client in Node.js does not provide the MAC address. You have the choice between:
1- sending the MAC yourself: I mean, on the client side you send the MAC address as data when you establish the connection with the server.
2- using socket.io instead of net. It will afford you all the information you want.
I'm working on software written by a developer who didn't leave any documentation for the company, and I have to understand how a server communicates with a device.
I think it sends it some strings over a socket (to log in to the device and check some parameters). I have the public IP address of the server and the public IP address of the device.
I'd like to know if there is a way to see what the server 'tells' this device and vice versa. I gave a quick look at Wireshark but I can't understand how to use it correctly.
I have a security question about games and network.
Today most games (like Call of Duty) use a 'client-side host' server system. So for some time, one client becomes the host of the game. I'm looking for some resources on how to do this properly (in a technical and safe way) because I'm working on a project like that.
But for now the only solution I found is to share the IP address of my host clients with the other guest clients. And I'm not proud of this. So I am looking for a method or technology like IP masking or other stuff like that which would protect my customers from other malicious customers that could retrieve the IP of my customers and maybe hack them.
EDIT:
But what I'm asking is whether there is any solution, like services with on-the-fly subdomain redirections with parameters for connecting to specific clients, or anything like that? I mean
subdomain.mygame.com/clientname
If you want true peer-to-peer connections in your game there is no way around sharing the IP address. After all, if they are to talk with one another then they need to know how to reach the others.
Alternatively, you can route all their traffic through your server, and each client connects to it independently. That way they do not have to know any information about each other except your in-game user ID.
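The relay alternative in the answer is simple to state but worth seeing as code, because the security property comes from what the relay refuses to forward. The block below is an added example, not code from the answer or from any game networking library: a `Relay` that addresses players by in-game user id, keeps socket addresses server-side only, restricts delivery to members of a shared match, and reassigns the host role when the host disconnects. The `FakeConn` class stands in for a real socket so the example runs offline; all names and addresses are constructed.

```javascript
// Added example: server-side relay so players only ever see each other's
// in-game ids. Relay, FakeConn and all ids/addresses are assumptions made
// for this illustration.

class Relay {
  constructor() {
    this.sessions = new Map(); // userId -> connection (has send(), remoteAddress)
    this.rooms = new Map();    // roomId -> { hostId, members: Set<userId> }
  }

  connect(userId, conn) { this.sessions.set(userId, conn); }

  disconnect(userId) {
    this.sessions.delete(userId);
    for (const [roomId, room] of this.rooms) {
      room.members.delete(userId);
      if (room.members.size === 0) { this.rooms.delete(roomId); continue; }
      // Host migration is decided by the relay; no one learns an address.
      if (room.hostId === userId) room.hostId = room.members.values().next().value;
    }
  }

  createRoom(roomId, hostId) {
    if (!this.sessions.has(hostId) || this.rooms.has(roomId)) return false;
    this.rooms.set(roomId, { hostId, members: new Set([hostId]) });
    return true;
  }

  joinRoom(roomId, userId) {
    const room = this.rooms.get(roomId);
    if (!room || !this.sessions.has(userId)) return false;
    room.members.add(userId);
    return true;
  }

  hostOf(roomId) { const r = this.rooms.get(roomId); return r ? r.hostId : null; }

  sameRoom(a, b) {
    for (const room of this.rooms.values()) {
      if (room.members.has(a) && room.members.has(b)) return true;
    }
    return false;
  }

  // Deliver to one peer. Only user ids cross the wire, never the sender's
  // address, and only between players who share a match.
  sendTo(fromId, toId, payload) {
    const dst = this.sessions.get(toId);
    if (!dst || !this.sameRoom(fromId, toId)) return false;
    dst.send({ from: fromId, payload });
    return true;
  }

  // Deliver to everyone else in the room; returns the number of recipients.
  broadcast(roomId, fromId, payload) {
    const room = this.rooms.get(roomId);
    if (!room || !room.members.has(fromId)) return 0;
    let n = 0;
    for (const id of room.members) {
      if (id !== fromId && this.sendTo(fromId, id, payload)) n++;
    }
    return n;
  }
}

// Constructed stand-in for a socket: records what the player would receive.
class FakeConn {
  constructor(remoteAddress) { this.remoteAddress = remoteAddress; this.inbox = []; }
  send(msg) { this.inbox.push(msg); }
}

function demo() {
  const relay = new Relay();
  const alice = new FakeConn('198.51.100.5');
  const bob = new FakeConn('203.0.113.8');
  const mallory = new FakeConn('192.0.2.9');
  relay.connect('alice', alice);
  relay.connect('bob', bob);
  relay.connect('mallory', mallory);
  relay.createRoom('match-1', 'alice');   // alice hosts
  relay.joinRoom('match-1', 'bob');
  const delivered = relay.broadcast('match-1', 'alice', { type: 'state', tick: 1 });
  const outsider = relay.sendTo('mallory', 'bob', { type: 'probe' }); // not in the match
  relay.disconnect('alice');              // host leaves; relay promotes bob
  return { delivered, outsider, bobInbox: bob.inbox, newHost: relay.hostOf('match-1') };
}
```

The cost of this design is that every packet takes two hops and the server carries all game traffic, which is the trade the answer describes; the benefit is that `remoteAddress` never leaves the `sessions` map, so a malicious player learns nothing about the others beyond their user ids.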