A STUN and TURN server that works under a 3G/4G network - voip

It is very interesting that I can actually make a mVoIP service from scratch. I finally could make a call using the OpenSIPs source through the SIP protocol. I used an external STUN server that helps me find users' private IP addresses behind NAT firewalls.
However, the free external STUN server cannot find the user's IP address to make a call when a smartphone is on a 3G or 4G network. As a programmer, I won't give up on making a mVoIP service. However, I need help at this time from you guys.
Is there a good way to solve this problem? Thank you.

There can be two problems here:
- you can't find the correct external address behind all kinds of NAT. This depends on the NAT type only
- some mobile operators block STUN. You can add some modified STUN or a simple encryption as a workaround

I actually could find the IP address using an external STUN server; however, it failed to connect the media session on the 3G/4G network. So, I decided to use an RTP proxy to make a SIP call.
OpenSIPs provides an RTP proxy module, and it helps to make a call without NAT issues.

Related

Suggestions for secure WAN/LAN/VPN please - diag included

This has taken me about a year to understand and get to, but I am at the limit of my capability so reaching out to a StackOverflow guru please...
I would like to, if possible, secure my network model. The model is as shown in the diagram. To explain:-
All the aspects I have control of are within the green shaded area. I cannot change anything outside this.
I run a simple application web server which is the VPN IPsec/L2tpd client. Static IP.
My router is ISP provided. It receives a DHCP Dynamic IP from the ISP.
My Digital Ocean Virtual Private Server has a static IP. It runs an NGINX reverse proxy that channels traffic through the VPN tunnel. It also runs the IPsec/L2tpd server.
An IPsec/L2TPD VPN tunnel is established and working.
A working VPN tunnel.
A cellphone that runs an app that communicates with my application server app. My cellphone receives a dynamic IP from my Network Operator.
I have three IP camera feeds served by my application server. Not a great speed but watchable in real-time.
I cannot change my ISP, or bandwidth/download/upload speed.
I cannot install VPN clients on the cellphone and I may want to access my app server through another cellphone provided by work so cannot install apps on it but does have unfettered web access through a browser.
Everything is now working, can't believe I've done it !
Anyway, my question is:-
Is there any way to secure the network so that only traffic from my mobile reaches - or rather is accepted by - my application server?
I accept IPsec/L2tpd is not great, but it is fast and I use this because I have tried OpenVPN, SoftEther and key based OpenSwan. These are waaaay too slow. The camera feeds are unwatchable and update one frame about every 5 seconds.
So with the limitations above, what can I do, what is possible? Please may I respectfully ask that you refrain from suggestions and concerns requiring a change to that which I cannot control; I accept all critique but that is not what I need here. I am asking for advice on how to secure that which I can influence. Thank you
I cannot install VPN clients on the cellphone and I may want to access my app server through another cellphone provided by work so cannot install apps on it but does have unfettered web access through a browser.
Due to the limitation that, at the end, there is even a phone where you are not allowed to change anything but use the web, I suggest configuring proxy authentication on the nginx reverse proxy. I don't have experience with setting this up with nginx in particular, but that's what should do the trick according to the network architecture and description you provided.
An example configuration on how to configure nginx for basic / client certificate auth can be found at: https://www.cloudsavvyit.com/1355/how-to-setup-basic-http-authentication-on-nginx/

Router (Proxy) with NodeJS?

I want to build a router to control my internet access (WLAN via server).
Only a few websites (via white/blacklist) should be available at specific times.
Are there any good packages for routing/proxying web (http/s, ftp) and email (pop/imap/smtp) traffic?
What you actually need is a good Firewall. Any decent firewall should be able to filter traffic by day-of-week and time-of-day. Even many of the better SOHO routers can do this. If your router can't do this, you should use a spare PC or server to act as a gateway, run Linux or BSD on that and configure a firewall accordingly. Most Linux versions have IPTABLES which is a simple but effective firewall which will do what you want.
To make things easy, set the PC up to be the DHCP server for the network and configure it so that, when other PCs get an IP address, the gateway IP is set to the same box (you may be able to get your normal router to do this instead; otherwise turn off DHCP on the router).
Ideally, if using a gateway PC, set your routers to ONLY accept traffic from that gateway - better still, turn off NAT on the router and let the gateway do it too.
Here is a fairly comprehensive "how-to".
If all of that seems too much, you should consider upgrading your router to one that does all this for you. I personally use the Billion 7800N which would probably be suitable.
If you need an HTTP proxy check out node-http-proxy. I don't know much about FTP and mail proxies though.

Is there a way to test if a computer's connection is firewalled?

I'm writing a piece of P2P software, which requires a direct connection to the Internet. It is decentralized, so there is no always-on server that it can contact with a request for the server to attempt to connect back to it in order to observe if the connection attempt arrives.
Is there a way to test the connection for firewall status?
I'm thinking in my dream land where wishes were horses, there would be some sort of 3rd-party, public, already existent servers to whom I could send some sort of simple command, and they would send a special ping back. Then I could simply listen to see if that arrives and know whether I'm behind a firewall.
Even if such a thing does not exist, are there any alternative routes available?
Nantucket - does your service listen on UDP or TCP?
For UDP - what you are sort of describing is something the STUN protocol was designed for. It matches your definition of "some sort of simple command, and they would send a special ping back"
STUN is a very "ping like" (UDP) protocol for a server to echo back to a client what IP and port it sees the client as. The client can then use the response from the server and compare the result with what it thinks its locally enumerated IP address is. If the server's response matches the locally enumerated IP address, the client host can self-determine that it is directly connected to the Internet. Otherwise, the client must assume it is behind a NAT - but for the majority of routers, you have just created a port mapping that can be used for other P2P connection scenarios.
Further, you can use the RESPONSE-PORT attribute in the STUN binding request for the server to respond back to a different port. This will effectively allow you to detect if you are firewalled or not.
TCP - this gets a little tricky. STUN can partially be used to determine if you are behind a NAT. Or simply making an http request to whatismyip.com and parsing the result to see if there's a NAT. But it gets tricky, as there's no service on the internet that I know of that will test a TCP connection back to you.
With all the above in mind, the vast majority of broadband users are likely behind a NAT that also acts as a firewall, either given by their ISP or their own wireless router device. And even if they are not, most operating systems have some sort of minimal firewall to block unsolicited traffic. So it's very limiting to have a P2P client out there that can only work on direct connections.
With that said, on Windows (and likely others), you can program your app's install package to register with the Windows firewall so that it is not blocked. But if you aren't targeting Windows, you may have to ask the user to manually fix his firewall software.
Oh shameless plug. You can use this open source STUN server and client library which supports all of the semantics described above. Follow up with me offline if you need access to a stun service.
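The STUN exchange this answer describes, as an added example that is not part of the original thread: the client builds a Binding Request (optionally carrying the RESPONSE-PORT attribute so the server answers on a second, never-used port), parses the MAPPED-ADDRESS or XOR-MAPPED-ADDRESS attribute of the reply, and applies the answer's rule of comparing the mapped address with the locally enumerated one. The server reply is constructed locally here as sample input; the message and attribute type codes are those of RFC 5389 and RFC 5780.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS = 0x0001, 0x0020
ATTR_RESPONSE_PORT = 0x0027  # RFC 5780: ask the server to reply to another port


def build_binding_request(txid, response_port=None):
    """Binding Request (RFC 5389 header) with an optional RESPONSE-PORT attribute."""
    attrs = b""
    if response_port is not None:
        # 2-byte value padded to the 4-byte attribute boundary
        attrs += struct.pack("!HHH2x", ATTR_RESPONSE_PORT, 2, response_port)
    return struct.pack("!HHI12s", BINDING_REQUEST, len(attrs), MAGIC_COOKIE, txid) + attrs


def build_success_response(txid, ip, port):
    """Constructed server reply carrying XOR-MAPPED-ADDRESS (sample input for testing)."""
    x_port = port ^ (MAGIC_COOKIE >> 16)
    x_ip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, x_port, x_ip)  # reserved, IPv4 family
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txid) + attr


def parse_binding_response(data, txid):
    """Return (ip, port) the server saw us as, or None if this is not our answer."""
    if len(data) < 20:
        return None
    mtype, mlen, cookie, rtxid = struct.unpack("!HHI12s", data[:20])
    if mtype != BINDING_SUCCESS or cookie != MAGIC_COOKIE or rtxid != txid:
        return None
    pos, end = 20, min(20 + mlen, len(data))
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        pos += 4 + (alen + 3) // 4 * 4  # skip attribute plus padding
        if atype in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) and len(value) == 8 and value[1] == 1:
            port, raw_ip = struct.unpack("!HI", value[2:8])
            if atype == ATTR_XOR_MAPPED_ADDRESS:  # undo the XOR with the magic cookie
                port ^= MAGIC_COOKIE >> 16
                raw_ip ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", raw_ip)), port
    return None


def classify(mapped_ip, local_ip):
    """The answer's rule: same address means direct, otherwise behind a NAT."""
    return "direct" if mapped_ip == local_ip else "nat"
```

To run it live, send the request from one UDP socket to a STUN server and feed the datagram to parse_binding_response; a reply that arrives on a second socket bound to the RESPONSE-PORT value (which never sent anything) shows that unsolicited inbound UDP to that port is not being filtered.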
You might find this article useful
http://msdn.microsoft.com/en-us/library/aa364726%28v=VS.85%29.aspx
I would start with each os and ask if firewall services are turned on. Secondly, I would attempt the socket connections and determine from the error codes if connections are being reset or timeout. I'm only familiar with winsock coding, so I can't really say much for Linux or mac os.

Using IPv6/IPv4 tunneling to send a query to a DNS server - valid or not

I was wondering what exactly the standards say about using IPv6/IPv4 tunneling to send a DNS query to a DNS server. Is this a valid thing to do? Does anyone know the RFCs (and sections if possible) that talk about this?
Thanks.
Of course it is possible. Once you have a tunnel, you can do whatever you want with it, concerning IPv6.
If you tunnel the traffic of a complete network, other PCs may not even know that they are behind a tunnel.
My PC here, for example, has some IPv4 and some IPv6 entries in the /etc/resolv.conf.

NAT traversal without an external server

I have been reading about TURN and STUN servers because I would like to develop a browser-to-browser application so that BrowserA (behind a NAT) could communicate with BrowserB (behind a NAT). In this case, I think I should use TURN protocol.
My question: is there any other solution that does NOT require an external physical server? A just-software solution would be simply perfect.
THANKS
Answer is no.
Explanation: NAT stands for Network Address Translation. It means translation of the 'private' IP of your device, which is valid only on the LAN (Local Area Network), into a 'public' IP address which is valid on the WAN (i.e., the wild wild part of the Internet that is on the other side of your NAT).
The problem is that the translated address is only visible from outside your LAN. Hence, you need a reachable device out there to read it and send it back to you (or other peers).
You will always need a server/central peer to help establish a connection between two peers located behind different NATs when they both have private IP addresses.
http://samy.pl/pwnat/ works without an intermediary but also moving this question to serverfault might help :)
Thanks. Let's imagine that BrowserA (the one who starts the communication) knows the public IP of BrowserB, but not the other way round. Is it the same answer for this question?