WebRTC: Difference between revisions

This guide provides a complete, step-by-step tutorial for configuring Asterisk to support secure WebRTC clients and enabling VoIPmonitor to capture and decrypt the associated SIP over Secure WebSocket (WSS) and SRTP traffic.

Overview

WebRTC (Web Real-Time Communication) requires encrypted transport for both signaling and media. This is achieved using:

• WSS (Secure WebSocket): For the SIP signaling, encrypting it with TLS.
• DTLS-SRTP: For the media (RTP) stream, encrypting it with DTLS negotiation to establish SRTP keys.

VoIPmonitor can sniff and decrypt both layers, provided it has access to the private TLS key used by the PBX. This guide will walk through the full setup for Asterisk.

Part 1: Configuring VoIPmonitor to Decrypt TLS

First, ensure your sensor is configured to decrypt TLS traffic. In `/etc/voipmonitor.conf`, you must enable the SSL module and provide the path to the same private key your PBX will use.

# /etc/voipmonitor.conf

ssl = yes

# Point to the private key used by your PBX.
# Format: <IP of PBX> : <WSS Port> /path/to/private.key
#
# Example for this guide:
ssl_ipport = 192.168.2.107 : 8089 /etc/asterisk/keys/asterisk.pem

Note: This configuration is also applicable for FreeSWITCH. You would just need to point to the key file used by FreeSWITCH.

Part 2: Configuring Asterisk for Secure WebRTC

This section details the full configuration for Asterisk, from generating keys to setting up PJSIP endpoints.

Step 1: Generate TLS Certificates

First, we need to create a Certificate Authority (CA) and a server certificate that Asterisk will use for its HTTPS and WSS interfaces.

# Create a directory for your keys
mkdir -p /etc/asterisk/keys
cd /etc/asterisk/keys

# 1. Create a private key for your local Certificate Authority (CA)
openssl genrsa -des3 -out ca.key 4096

# 2. Create a root CA certificate
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

# 3. Create a private key for the Asterisk server
openssl genrsa -out key.pem 2048

# 4. Create a certificate signing request (CSR) for the Asterisk server
openssl req -new -key key.pem -out req-sip_server.csr

# 5. Sign the server certificate with your CA
openssl x509 -req -days 3650 -in req-sip_server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-sip_server.crt

# 6. Combine the private key and signed certificate into a single .pem file for Asterisk
cat key.pem > asterisk.pem
cat cert-sip_server.crt >> asterisk.pem

Step 2: Configure Asterisk's HTTP Server for WSS

Edit `/etc/asterisk/http.conf` to enable the built-in web server and activate TLS for the WebSocket transport.

; /etc/asterisk/http.conf

[general]
enabled = yes
bindaddr = 0.0.0.0
bindport = 8088 ; Port for unencrypted WS

tlsenable = yes
tlsbindaddr = 0.0.0.0:8089 ; Port for encrypted WSS
tlscertfile = /etc/asterisk/keys/asterisk.pem
tlscipher = AES128-SHA

Step 3: Configure RTP Settings

Edit `/etc/asterisk/rtp.conf` and ensure ICE support is enabled, which is essential for WebRTC clients to traverse NAT.

; /etc/asterisk/rtp.conf

[general]
icesupport = yes
; You can optionally configure a public STUN server
; stunaddr = stun.l.google.com:19302

Step 4: Configure PJSIP for WebRTC

This is the core configuration. We will set up UDP, WS, and WSS transports, and then create endpoints that require DTLS encryption.

First, disable the old chan_sip module in `/etc/asterisk/modules.conf` to avoid conflicts

; /etc/asterisk/modules.conf
noload => chan_sip.so

Next, configure `/etc/asterisk/pjsip.conf`

; /etc/asterisk/pjsip.conf

[global]
type = global
user_agent = MyAsteriskPBX
realm = 192.168.2.107 ; Use your Asterisk server's IP or domain

; --- Transports ---
[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0:5060

[transport-ws]
type = transport
protocol = ws
bind = 0.0.0.0:8088

[transport-wss]
type = transport
protocol = wss
bind = 0.0.0.0:8089

; --- WebRTC Endpoint Template ---
; We create a template to avoid repeating settings
[webrtc-endpoint-template](!)
type = endpoint
disallow = all
allow = opus,ulaw,alaw
context = internal-webrtc
auth = webrtc-auth
aors = webrtc-aor

; Require DTLS encryption for media
media_encryption = dtls
dtls_verify = fingerprint
dtls_cert_file = /etc/asterisk/keys/asterisk.pem
dtls_ca_file = /etc/asterisk/keys/ca.crt
dtls_setup = actpass
use_avpf = yes
ice_support = yes
media_use_received_transport = yes
rtcp_mux = yes

; --- Define Users (101 and 102) ---
[101](webrtc-endpoint-template) ; Inherits from the template
[webrtc-auth](+)
type = auth
auth_type = userpass
username = 101
password = your_strong_password_101
[webrtc-aor](+)
type = aor
max_contacts = 1

[102](webrtc-endpoint-template) ; Inherits from the template
[webrtc-auth](+)
type = auth
auth_type = userpass
username = 102
password = your_strong_password_102
[webrtc-aor](+)
type = aor
max_contacts = 1

Step 5: Create a Basic Dialplan

Edit `/etc/asterisk/extensions.conf` to allow the two users to call each other.

; /etc/asterisk/extensions.conf

[internal-webrtc]
exten => 101,1,NoOp(Call to 101)
 same => n,Dial(PJSIP/101)
 same => n,Hangup()

exten => 102,1,NoOp(Call to 102)
 same => n,Dial(PJSIP/102)
 same => n,Hangup()

Part 3: Configuring the WebRTC Client (sipML5)

Now, configure your WebRTC softphone to connect to Asterisk. This example uses the popular sipML5 online client.

Step 1: Basic Settings

Enter your user credentials on the main registration screen.

• Display Name: `101`
• Private Identity: `101`
• Public Identity: `sip:101@192.168.2.107`
• Password: `your_strong_password_101`
• Realm: `192.168.2.107`

Step 2: Expert Mode Settings

Click "Expert Mode" and configure the following:

• Disable Video: Checked (unless you need video).
• Enable RTCWeb Breaker: Checked.
• WebSocket Server URL: `wss://192.168.2.107:8089/ws` (Note the wss:// prefix and the correct port).
• ICE Servers: `[]` (Leave empty or use `[{ "url": "stun:stun.l.google.com:19302" }]`)
• Disable 3GPP Early IMS: Checked.

Step 3: Trust the Certificate

Before attempting to register, you must open a new browser tab and navigate to `https://192.168.2.107:8089/ws`. Your browser will show a security warning because the certificate is self-signed. You must accept the risk and proceed. This action adds a temporary security exception, allowing the WebSocket connection to be established.

After completing these steps, you can return to the sipML5 tab and click "Login". Your client should register successfully, and calls will be encrypted and monitored by VoIPmonitor.

AI Summary for RAG

Summary: This guide provides a comprehensive tutorial on configuring VoIPmonitor to sniff encrypted WebRTC traffic, specifically SIP over Secure WebSockets (WSS) and DTLS-SRTP. It details the full setup process for an Asterisk PBX. Part 1 explains how to configure VoIPmonitor itself by enabling `ssl` and setting `ssl_ipport` with the correct private key. Part 2 provides a detailed, step-by-step guide for Asterisk, including: generating a self-signed CA and server certificate using OpenSSL; configuring Asterisk's HTTP server for WSS in `http.conf`; enabling ICE support in `rtp.conf`; and setting up PJSIP transports (`wss`) and endpoints with mandatory DTLS media encryption. Part 3 concludes with instructions for configuring a WebRTC client (sipML5) to connect to the secure Asterisk setup, emphasizing the need to manually trust the self-signed certificate in the browser. Keywords: webrtc, wss, secure websocket, dtls, srtp, encrypted, tls, ssl, asterisk, pjsip, http.conf, rtp.conf, sipml5, freeeswitch, decryption, `ssl_ipport`, openssl, certificate, self-signed Key Questions:

• How can I monitor encrypted WebRTC calls?
• How do I configure VoIPmonitor to decrypt WSS and DTLS-SRTP traffic?
• What Asterisk configuration is needed for secure WebRTC?
• How do I set up a PJSIP endpoint for a WebRTC client?
• How do I generate a self-signed certificate for Asterisk?
• Why is my WebRTC client not connecting over WSS?
• What is the purpose of `dtls_cert_file` in `pjsip.conf`?
• How to configure sipML5 for a secure connection to Asterisk?