WebRTC: Difference between revisions
No edit summary |
(Add Part 4 about --rtp-no-sig for third-party WebRTC monitoring when signaling access is not available) |
||
| Line 202: | Line 202: | ||
After completing these steps, you can return to the sipML5 tab and click "Login". Your client should register successfully, and calls will be encrypted and monitored by VoIPmonitor. | After completing these steps, you can return to the sipML5 tab and click "Login". Your client should register successfully, and calls will be encrypted and monitored by VoIPmonitor. | ||
== Part 4: Monitoring Third-Party WebRTC Services Without Signaling Access == | |||
In some scenarios, you may need to monitor WebRTC traffic from a third-party service where you cannot access the SIP signaling (for example, when monitoring calls from an external provider's WebRTC server). For these cases, VoIPmonitor offers the <code>--rtp-no-sig</code> command-line option, which allows you to capture and analyze RTP streams without processing signaling. | |||
=== When to Use <code>--rtp-no-sig</code> === | |||
Use <code>--rtp-no-sig</code> when: | |||
* You are monitoring WebRTC traffic from a third-party service where signaling is not accessible | |||
* You have network access to the media (RTP) stream but not to the signaling (SIP/WS) packets | |||
* You need to collect QoS metrics (MOS, packet loss, jitter) for WebRTC calls that use a single UDP port for all streams (BUNDLE) | |||
=== How <code>--rtp-no-sig</code> Works === | |||
When you start the VoIPmonitor sniffer with <code>--rtp-no-sig</code>: | |||
* VoIPmonitor creates CDRs (Call Detail Records) based entirely on RTP packets | |||
* It identifies separate RTP streams using SSRC (Synchronization Source) identifiers, not STUN packets | |||
* It detects calls when RTP packets start flowing and closes them when the stream stops | |||
* Quality metrics (MOS, packet loss, jitter) are collected even without decryption | |||
=== Configuration === | |||
To use <code>--rtp-no-sig</code>, modify your VoIPmonitor startup command or service file: | |||
<pre> | |||
# Direct command-line usage: | |||
voipmonitor --rtp-no-sig --interface eth0 | |||
# For systemd service, edit /etc/systemd/system/voipmonitor.service | |||
# Add the --rtp-no-sig flag to the ExecStart line: | |||
ExecStart=/usr/sbin/voipmonitor -c /etc/voipmonitor.conf --rtp-no-sig --daemon --pidfile /var/run/voipmonitor/voipmonitor.pid | |||
</pre> | |||
=== Limitations Without Signaling === | |||
When using <code>--rtp-no-sig</code>, certain features are unavailable or have limitations: | |||
* Caller ID information is not available (no SIP INVITE to extract phone numbers) | |||
* Call direction (incoming/outgoing) cannot be determined | |||
* You must rely on IP addresses to group related calls | |||
* Audio replay requires decryption (see below) | |||
=== Decrypting DTLS-SRTP for Audio Replay === | |||
If you need to replay the audio from captured WebRTC calls, you must decrypt the DTLS-encrypted media. This is achieved by installing the VoIPmonitor SSL Key Logger library on the WebRTC server. The keylogger captures DTLS session keys and forwards them to the VoIPmonitor sensor. | |||
For detailed instructions on setting up the SSL Key Logger, see the [[Tls]] documentation. The key points are: | |||
1. The WebRTC server must have the <code>sslkeylog.so</code> library preloaded via <code>LD_PRELOAD</code> | |||
2. The keylogger sends session keys to VoIPmonitor over UDP (or TCP for secure transport) | |||
3. VoIPmonitor uses these keys to decrypt the DTLS handshake and derive SRTP master keys | |||
Note: Quality of Service (QoS) metrics can be collected by VoIPmonitor even without decryption, allowing you to monitor call quality while maintaining the encrypted media's confidentiality. | |||
=== Combining <code>--rtp-no-sig</code> with SSL Key Logger === | |||
For complete third-party WebRTC monitoring (CDRs + audio replay), combine both methods: | |||
<pre> | |||
# On the WebRTC server: | |||
# Configure SSL Key Logger to send session keys to VoIPmonitor sensor | |||
SSLKEYLOG_UDP='10.0.0.10:1234' | |||
LD_PRELOAD='/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so' | |||
# On the VoIPmonitor sensor: | |||
# Enable both RTP-only mode and key reception | |||
ssl_sessionkey_udp = yes | |||
ssl_sessionkey_udp_port = 1234 | |||
ssl = yes | |||
# Note: No ssl_ipport needed -- keys are applied dynamically | |||
# Start VoIPmonitor with --rtp-no-sig: | |||
voipmonitor --rtp-no-sig --interface eth0 | |||
</pre> | |||
== AI Summary for RAG == | == AI Summary for RAG == | ||
'''Summary:''' This guide provides a comprehensive tutorial on configuring VoIPmonitor to sniff encrypted WebRTC traffic, specifically SIP over Secure WebSockets (WSS) and DTLS-SRTP. It details the full setup process for an Asterisk PBX. Part 1 explains how to configure VoIPmonitor itself by enabling `ssl` and setting `ssl_ipport` with the correct private key. Part 2 provides a detailed, step-by-step guide for Asterisk, including: generating a self-signed CA and server certificate using OpenSSL; configuring Asterisk's HTTP server for WSS in `http.conf`; enabling ICE support in `rtp.conf`; and setting up PJSIP transports (`wss`) and endpoints with mandatory DTLS media encryption. Part 3 concludes with instructions for configuring a WebRTC client (sipML5) to connect to the secure Asterisk setup, emphasizing the need to manually trust the self-signed certificate in the browser. | '''Summary:''' This guide provides a comprehensive tutorial on configuring VoIPmonitor to sniff encrypted WebRTC traffic, specifically SIP over Secure WebSockets (WSS) and DTLS-SRTP. It details the full setup process for an Asterisk PBX. Part 1 explains how to configure VoIPmonitor itself by enabling `ssl` and setting `ssl_ipport` with the correct private key. Part 2 provides a detailed, step-by-step guide for Asterisk, including: generating a self-signed CA and server certificate using OpenSSL; configuring Asterisk's HTTP server for WSS in `http.conf`; enabling ICE support in `rtp.conf`; and setting up PJSIP transports (`wss`) and endpoints with mandatory DTLS media encryption. Part 3 concludes with instructions for configuring a WebRTC client (sipML5) to connect to the secure Asterisk setup, emphasizing the need to manually trust the self-signed certificate in the browser. Part 4 explains how to use the `--rtp-no-sig` command-line option for monitoring third-party WebRTC services when signaling access is not available, including configuration instructions, limitations of RTP-only mode, how to combine it with the SSL Key Logger for audio replay, and using SSRC identifiers to separate RTP streams on a single UDP port (BUNDLE). | ||
'''Keywords:''' webrtc, wss, secure websocket, dtls, srtp, encrypted, tls, ssl, asterisk, pjsip, http.conf, rtp.conf, sipml5, freeeswitch, decryption, `ssl_ipport`, openssl, certificate, self-signed | '''Keywords:''' webrtc, wss, secure websocket, dtls, srtp, encrypted, tls, ssl, asterisk, pjsip, http.conf, rtp.conf, sipml5, freeeswitch, decryption, `ssl_ipport`, openssl, certificate, self-signed, `--rtp-no-sig`, `rtp-no-sig`, rtp only, no signaling, third party, sslkeylog, key logger, ssrlc, bundle, single udp port, qos, quality of service, dtls-srtp decryption | ||
'''Key Questions:''' | '''Key Questions:''' | ||
* How can I monitor encrypted WebRTC calls? | * How can I monitor encrypted WebRTC calls? | ||
| Line 215: | Line 288: | ||
* What is the purpose of `dtls_cert_file` in `pjsip.conf`? | * What is the purpose of `dtls_cert_file` in `pjsip.conf`? | ||
* How to configure sipML5 for a secure connection to Asterisk? | * How to configure sipML5 for a secure connection to Asterisk? | ||
* How do I monitor WebRTC traffic from a third-party service without signaling access? | |||
* What does the `--rtp-no-sig` command-line option do? | |||
* How can I capture WebRTC RTP streams when SIP signaling is not available? | |||
* What is the SSL Key Logger and how does it help decrypt WebRTC media? | |||
* How do I use SSL Key Logger to replay audio from encrypted WebRTC calls? | |||
Revision as of 08:48, 5 January 2026
This guide provides a complete, step-by-step tutorial for configuring Asterisk to support secure WebRTC clients and enabling VoIPmonitor to capture and decrypt the associated SIP over Secure WebSocket (WSS) and SRTP traffic.
Overview
WebRTC (Web Real-Time Communication) requires encrypted transport for both signaling and media. This is achieved using:
- WSS (Secure WebSocket): For the SIP signaling, encrypting it with TLS.
- DTLS-SRTP: For the media (RTP) stream, encrypting it with DTLS negotiation to establish SRTP keys.
VoIPmonitor can sniff and decrypt both layers, provided it has access to the private TLS key used by the PBX. This guide will walk through the full setup for Asterisk.
Part 1: Configuring VoIPmonitor to Decrypt TLS
First, ensure your sensor is configured to decrypt TLS traffic. In `/etc/voipmonitor.conf`, you must enable the SSL module and provide the path to the same private key your PBX will use.
# /etc/voipmonitor.conf ssl = yes # Point to the private key used by your PBX. # Format: <IP of PBX> : <WSS Port> /path/to/private.key # # Example for this guide: ssl_ipport = 192.168.2.107 : 8089 /etc/asterisk/keys/asterisk.pem
Note: This configuration is also applicable for FreeSWITCH. You would just need to point to the key file used by FreeSWITCH.
Part 2: Configuring Asterisk for Secure WebRTC
This section details the full configuration for Asterisk, from generating keys to setting up PJSIP endpoints.
Step 1: Generate TLS Certificates
First, we need to create a Certificate Authority (CA) and a server certificate that Asterisk will use for its HTTPS and WSS interfaces.
# Create a directory for your keys mkdir -p /etc/asterisk/keys cd /etc/asterisk/keys # 1. Create a private key for your local Certificate Authority (CA) openssl genrsa -des3 -out ca.key 4096 # 2. Create a root CA certificate openssl req -new -x509 -days 3650 -key ca.key -out ca.crt # 3. Create a private key for the Asterisk server openssl genrsa -out key.pem 2048 # 4. Create a certificate signing request (CSR) for the Asterisk server openssl req -new -key key.pem -out req-sip_server.csr # 5. Sign the server certificate with your CA openssl x509 -req -days 3650 -in req-sip_server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-sip_server.crt # 6. Combine the private key and signed certificate into a single .pem file for Asterisk cat key.pem > asterisk.pem cat cert-sip_server.crt >> asterisk.pem
Step 2: Configure Asterisk's HTTP Server for WSS
Edit `/etc/asterisk/http.conf` to enable the built-in web server and activate TLS for the WebSocket transport.
; /etc/asterisk/http.conf [general] enabled = yes bindaddr = 0.0.0.0 bindport = 8088 ; Port for unencrypted WS tlsenable = yes tlsbindaddr = 0.0.0.0:8089 ; Port for encrypted WSS tlscertfile = /etc/asterisk/keys/asterisk.pem tlscipher = AES128-SHA
Step 3: Configure RTP Settings
Edit `/etc/asterisk/rtp.conf` and ensure ICE support is enabled, which is essential for WebRTC clients to traverse NAT.
; /etc/asterisk/rtp.conf [general] icesupport = yes ; You can optionally configure a public STUN server ; stunaddr = stun.l.google.com:19302
Step 4: Configure PJSIP for WebRTC
This is the core configuration. We will set up UDP, WS, and WSS transports, and then create endpoints that require DTLS encryption.
- First, disable the old chan_sip module in `/etc/asterisk/modules.conf` to avoid conflicts
; /etc/asterisk/modules.conf noload => chan_sip.so
- Next, configure `/etc/asterisk/pjsip.conf`
; /etc/asterisk/pjsip.conf [global] type = global user_agent = MyAsteriskPBX realm = 192.168.2.107 ; Use your Asterisk server's IP or domain ; --- Transports --- [transport-udp] type = transport protocol = udp bind = 0.0.0.0:5060 [transport-ws] type = transport protocol = ws bind = 0.0.0.0:8088 [transport-wss] type = transport protocol = wss bind = 0.0.0.0:8089 ; --- WebRTC Endpoint Template --- ; We create a template to avoid repeating settings [webrtc-endpoint-template](!) type = endpoint disallow = all allow = opus,ulaw,alaw context = internal-webrtc auth = webrtc-auth aors = webrtc-aor ; Require DTLS encryption for media media_encryption = dtls dtls_verify = fingerprint dtls_cert_file = /etc/asterisk/keys/asterisk.pem dtls_ca_file = /etc/asterisk/keys/ca.crt dtls_setup = actpass use_avpf = yes ice_support = yes media_use_received_transport = yes rtcp_mux = yes ; --- Define Users (101 and 102) --- [101](webrtc-endpoint-template) ; Inherits from the template [webrtc-auth](+) type = auth auth_type = userpass username = 101 password = your_strong_password_101 [webrtc-aor](+) type = aor max_contacts = 1 [102](webrtc-endpoint-template) ; Inherits from the template [webrtc-auth](+) type = auth auth_type = userpass username = 102 password = your_strong_password_102 [webrtc-aor](+) type = aor max_contacts = 1
Step 5: Create a Basic Dialplan
Edit `/etc/asterisk/extensions.conf` to allow the two users to call each other.
; /etc/asterisk/extensions.conf [internal-webrtc] exten => 101,1,NoOp(Call to 101) same => n,Dial(PJSIP/101) same => n,Hangup() exten => 102,1,NoOp(Call to 102) same => n,Dial(PJSIP/102) same => n,Hangup()
Part 3: Configuring the WebRTC Client (sipML5)
Now, configure your WebRTC softphone to connect to Asterisk. This example uses the popular sipML5 online client.
Step 1: Basic Settings
Enter your user credentials on the main registration screen.
- Display Name: `101`
- Private Identity: `101`
- Public Identity: `sip:101@192.168.2.107`
- Password: `your_strong_password_101`
- Realm: `192.168.2.107`
Step 2: Expert Mode Settings
Click "Expert Mode" and configure the following:
- Disable Video: Checked (unless you need video).
- Enable RTCWeb Breaker: Checked.
- WebSocket Server URL: `wss://192.168.2.107:8089/ws` (Note the wss:// prefix and the correct port).
- ICE Servers: `[]` (Leave empty or use `[{ "url": "stun:stun.l.google.com:19302" }]`)
- Disable 3GPP Early IMS: Checked.
Step 3: Trust the Certificate
Before attempting to register, you must open a new browser tab and navigate to `https://192.168.2.107:8089/ws`. Your browser will show a security warning because the certificate is self-signed. You must accept the risk and proceed. This action adds a temporary security exception, allowing the WebSocket connection to be established.
After completing these steps, you can return to the sipML5 tab and click "Login". Your client should register successfully, and calls will be encrypted and monitored by VoIPmonitor.
Part 4: Monitoring Third-Party WebRTC Services Without Signaling Access
In some scenarios, you may need to monitor WebRTC traffic from a third-party service where you cannot access the SIP signaling (for example, when monitoring calls from an external provider's WebRTC server). For these cases, VoIPmonitor offers the --rtp-no-sig command-line option, which allows you to capture and analyze RTP streams without processing signaling.
When to Use --rtp-no-sig
Use --rtp-no-sig when:
- You are monitoring WebRTC traffic from a third-party service where signaling is not accessible
- You have network access to the media (RTP) stream but not to the signaling (SIP/WS) packets
- You need to collect QoS metrics (MOS, packet loss, jitter) for WebRTC calls that use a single UDP port for all streams (BUNDLE)
How --rtp-no-sig Works
When you start the VoIPmonitor sniffer with --rtp-no-sig:
- VoIPmonitor creates CDRs (Call Detail Records) based entirely on RTP packets
- It identifies separate RTP streams using SSRC (Synchronization Source) identifiers, not STUN packets
- It detects calls when RTP packets start flowing and closes them when the stream stops
- Quality metrics (MOS, packet loss, jitter) are collected even without decryption
Configuration
To use --rtp-no-sig, modify your VoIPmonitor startup command or service file:
# Direct command-line usage: voipmonitor --rtp-no-sig --interface eth0 # For systemd service, edit /etc/systemd/system/voipmonitor.service # Add the --rtp-no-sig flag to the ExecStart line: ExecStart=/usr/sbin/voipmonitor -c /etc/voipmonitor.conf --rtp-no-sig --daemon --pidfile /var/run/voipmonitor/voipmonitor.pid
Limitations Without Signaling
When using --rtp-no-sig, certain features are unavailable or have limitations:
- Caller ID information is not available (no SIP INVITE to extract phone numbers)
- Call direction (incoming/outgoing) cannot be determined
- You must rely on IP addresses to group related calls
- Audio replay requires decryption (see below)
Decrypting DTLS-SRTP for Audio Replay
If you need to replay the audio from captured WebRTC calls, you must decrypt the DTLS-encrypted media. This is achieved by installing the VoIPmonitor SSL Key Logger library on the WebRTC server. The keylogger captures DTLS session keys and forwards them to the VoIPmonitor sensor.
For detailed instructions on setting up the SSL Key Logger, see the Tls documentation. The key points are:
1. The WebRTC server must have the sslkeylog.so library preloaded via LD_PRELOAD
2. The keylogger sends session keys to VoIPmonitor over UDP (or TCP for secure transport)
3. VoIPmonitor uses these keys to decrypt the DTLS handshake and derive SRTP master keys
Note: Quality of Service (QoS) metrics can be collected by VoIPmonitor even without decryption, allowing you to monitor call quality while maintaining the encrypted media's confidentiality.
Combining --rtp-no-sig with SSL Key Logger
For complete third-party WebRTC monitoring (CDRs + audio replay), combine both methods:
# On the WebRTC server: # Configure SSL Key Logger to send session keys to VoIPmonitor sensor SSLKEYLOG_UDP='10.0.0.10:1234' LD_PRELOAD='/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so' # On the VoIPmonitor sensor: # Enable both RTP-only mode and key reception ssl_sessionkey_udp = yes ssl_sessionkey_udp_port = 1234 ssl = yes # Note: No ssl_ipport needed -- keys are applied dynamically # Start VoIPmonitor with --rtp-no-sig: voipmonitor --rtp-no-sig --interface eth0
AI Summary for RAG
Summary: This guide provides a comprehensive tutorial on configuring VoIPmonitor to sniff encrypted WebRTC traffic, specifically SIP over Secure WebSockets (WSS) and DTLS-SRTP. It details the full setup process for an Asterisk PBX. Part 1 explains how to configure VoIPmonitor itself by enabling `ssl` and setting `ssl_ipport` with the correct private key. Part 2 provides a detailed, step-by-step guide for Asterisk, including: generating a self-signed CA and server certificate using OpenSSL; configuring Asterisk's HTTP server for WSS in `http.conf`; enabling ICE support in `rtp.conf`; and setting up PJSIP transports (`wss`) and endpoints with mandatory DTLS media encryption. Part 3 concludes with instructions for configuring a WebRTC client (sipML5) to connect to the secure Asterisk setup, emphasizing the need to manually trust the self-signed certificate in the browser. Part 4 explains how to use the `--rtp-no-sig` command-line option for monitoring third-party WebRTC services when signaling access is not available, including configuration instructions, limitations of RTP-only mode, how to combine it with the SSL Key Logger for audio replay, and using SSRC identifiers to separate RTP streams on a single UDP port (BUNDLE). Keywords: webrtc, wss, secure websocket, dtls, srtp, encrypted, tls, ssl, asterisk, pjsip, http.conf, rtp.conf, sipml5, freeeswitch, decryption, `ssl_ipport`, openssl, certificate, self-signed, `--rtp-no-sig`, `rtp-no-sig`, rtp only, no signaling, third party, sslkeylog, key logger, ssrlc, bundle, single udp port, qos, quality of service, dtls-srtp decryption Key Questions:
- How can I monitor encrypted WebRTC calls?
- How do I configure VoIPmonitor to decrypt WSS and DTLS-SRTP traffic?
- What Asterisk configuration is needed for secure WebRTC?
- How do I set up a PJSIP endpoint for a WebRTC client?
- How do I generate a self-signed certificate for Asterisk?
- Why is my WebRTC client not connecting over WSS?
- What is the purpose of `dtls_cert_file` in `pjsip.conf`?
- How to configure sipML5 for a secure connection to Asterisk?
- How do I monitor WebRTC traffic from a third-party service without signaling access?
- What does the `--rtp-no-sig` command-line option do?
- How can I capture WebRTC RTP streams when SIP signaling is not available?
- What is the SSL Key Logger and how does it help decrypt WebRTC media?
- How do I use SSL Key Logger to replay audio from encrypted WebRTC calls?