WebRTC
This guide provides a complete, step-by-step tutorial for configuring Asterisk to support secure WebRTC clients and enabling VoIPmonitor to capture and decrypt the associated SIP over Secure WebSocket (WSS) and SRTP traffic.
Overview
WebRTC (Web Real-Time Communication) requires encrypted transport for both signaling and media. This is achieved using:
- WSS (Secure WebSocket): For the SIP signaling, encrypting it with TLS.
- DTLS-SRTP: For the media (RTP) stream, encrypting it with DTLS negotiation to establish SRTP keys.
VoIPmonitor can sniff and decrypt both layers, provided it has access to the private TLS key used by the PBX. This guide will walk through the full setup for Asterisk.
Part 1: Configuring VoIPmonitor to Decrypt TLS
First, ensure your sensor is configured to decrypt TLS traffic. In `/etc/voipmonitor.conf`, you must enable the SSL module and provide the path to the same private key your PBX will use.
# /etc/voipmonitor.conf ssl = yes # Point to the private key used by your PBX. # Format: <IP of PBX> : <WSS Port> /path/to/private.key # # Example for this guide: ssl_ipport = 192.168.2.107 : 8089 /etc/asterisk/keys/asterisk.pem
Note: This configuration is also applicable for FreeSWITCH. You would just need to point to the key file used by FreeSWITCH.
Part 2: Configuring Asterisk for Secure WebRTC
This section details the full configuration for Asterisk, from generating keys to setting up PJSIP endpoints.
Step 1: Generate TLS Certificates
First, we need to create a Certificate Authority (CA) and a server certificate that Asterisk will use for its HTTPS and WSS interfaces.
# Create a directory for your keys mkdir -p /etc/asterisk/keys cd /etc/asterisk/keys # 1. Create a private key for your local Certificate Authority (CA) openssl genrsa -des3 -out ca.key 4096 # 2. Create a root CA certificate openssl req -new -x509 -days 3650 -key ca.key -out ca.crt # 3. Create a private key for the Asterisk server openssl genrsa -out key.pem 2048 # 4. Create a certificate signing request (CSR) for the Asterisk server openssl req -new -key key.pem -out req-sip_server.csr # 5. Sign the server certificate with your CA openssl x509 -req -days 3650 -in req-sip_server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert-sip_server.crt # 6. Combine the private key and signed certificate into a single .pem file for Asterisk cat key.pem > asterisk.pem cat cert-sip_server.crt >> asterisk.pem
Step 2: Configure Asterisk's HTTP Server for WSS
Edit `/etc/asterisk/http.conf` to enable the built-in web server and activate TLS for the WebSocket transport.
; /etc/asterisk/http.conf [general] enabled = yes bindaddr = 0.0.0.0 bindport = 8088 ; Port for unencrypted WS tlsenable = yes tlsbindaddr = 0.0.0.0:8089 ; Port for encrypted WSS tlscertfile = /etc/asterisk/keys/asterisk.pem tlscipher = AES128-SHA
Step 3: Configure RTP Settings
Edit `/etc/asterisk/rtp.conf` and ensure ICE support is enabled, which is essential for WebRTC clients to traverse NAT.
; /etc/asterisk/rtp.conf [general] icesupport = yes ; You can optionally configure a public STUN server ; stunaddr = stun.l.google.com:19302
Step 4: Configure PJSIP for WebRTC
This is the core configuration. We will set up UDP, WS, and WSS transports, and then create endpoints that require DTLS encryption.
- First, disable the old chan_sip module in `/etc/asterisk/modules.conf` to avoid conflicts
; /etc/asterisk/modules.conf noload => chan_sip.so
- Next, configure `/etc/asterisk/pjsip.conf`
; /etc/asterisk/pjsip.conf [global] type = global user_agent = MyAsteriskPBX realm = 192.168.2.107 ; Use your Asterisk server's IP or domain ; --- Transports --- [transport-udp] type = transport protocol = udp bind = 0.0.0.0:5060 [transport-ws] type = transport protocol = ws bind = 0.0.0.0:8088 [transport-wss] type = transport protocol = wss bind = 0.0.0.0:8089 ; --- WebRTC Endpoint Template --- ; We create a template to avoid repeating settings [webrtc-endpoint-template](!) type = endpoint disallow = all allow = opus,ulaw,alaw context = internal-webrtc auth = webrtc-auth aors = webrtc-aor ; Require DTLS encryption for media media_encryption = dtls dtls_verify = fingerprint dtls_cert_file = /etc/asterisk/keys/asterisk.pem dtls_ca_file = /etc/asterisk/keys/ca.crt dtls_setup = actpass use_avpf = yes ice_support = yes media_use_received_transport = yes rtcp_mux = yes ; --- Define Users (101 and 102) --- [101](webrtc-endpoint-template) ; Inherits from the template [webrtc-auth](+) type = auth auth_type = userpass username = 101 password = your_strong_password_101 [webrtc-aor](+) type = aor max_contacts = 1 [102](webrtc-endpoint-template) ; Inherits from the template [webrtc-auth](+) type = auth auth_type = userpass username = 102 password = your_strong_password_102 [webrtc-aor](+) type = aor max_contacts = 1
Step 5: Create a Basic Dialplan
Edit `/etc/asterisk/extensions.conf` to allow the two users to call each other.
; /etc/asterisk/extensions.conf [internal-webrtc] exten => 101,1,NoOp(Call to 101) same => n,Dial(PJSIP/101) same => n,Hangup() exten => 102,1,NoOp(Call to 102) same => n,Dial(PJSIP/102) same => n,Hangup()
Part 3: Configuring the WebRTC Client (sipML5)
Now, configure your WebRTC softphone to connect to Asterisk. This example uses the popular sipML5 online client.
Step 1: Basic Settings
Enter your user credentials on the main registration screen.
- Display Name: `101`
- Private Identity: `101`
- Public Identity: `sip:101@192.168.2.107`
- Password: `your_strong_password_101`
- Realm: `192.168.2.107`
Step 2: Expert Mode Settings
Click "Expert Mode" and configure the following:
- Disable Video: Checked (unless you need video).
- Enable RTCWeb Breaker: Checked.
- WebSocket Server URL: `wss://192.168.2.107:8089/ws` (Note the wss:// prefix and the correct port).
- ICE Servers: `[]` (Leave empty or use `[{ "url": "stun:stun.l.google.com:19302" }]`)
- Disable 3GPP Early IMS: Checked.
Step 3: Trust the Certificate
Before attempting to register, you must open a new browser tab and navigate to `https://192.168.2.107:8089/ws`. Your browser will show a security warning because the certificate is self-signed. You must accept the risk and proceed. This action adds a temporary security exception, allowing the WebSocket connection to be established.
After completing these steps, you can return to the sipML5 tab and click "Login". Your client should register successfully, and calls will be encrypted and monitored by VoIPmonitor.
AI Summary for RAG
Summary: This guide provides a comprehensive tutorial on configuring VoIPmonitor to sniff encrypted WebRTC traffic, specifically SIP over Secure WebSockets (WSS) and DTLS-SRTP. It details the full setup process for an Asterisk PBX. Part 1 explains how to configure VoIPmonitor itself by enabling `ssl` and setting `ssl_ipport` with the correct private key. Part 2 provides a detailed, step-by-step guide for Asterisk, including: generating a self-signed CA and server certificate using OpenSSL; configuring Asterisk's HTTP server for WSS in `http.conf`; enabling ICE support in `rtp.conf`; and setting up PJSIP transports (`wss`) and endpoints with mandatory DTLS media encryption. Part 3 concludes with instructions for configuring a WebRTC client (sipML5) to connect to the secure Asterisk setup, emphasizing the need to manually trust the self-signed certificate in the browser. Keywords: webrtc, wss, secure websocket, dtls, srtp, encrypted, tls, ssl, asterisk, pjsip, http.conf, rtp.conf, sipml5, freeeswitch, decryption, `ssl_ipport`, openssl, certificate, self-signed Key Questions:
- How can I monitor encrypted WebRTC calls?
- How do I configure VoIPmonitor to decrypt WSS and DTLS-SRTP traffic?
- What Asterisk configuration is needed for secure WebRTC?
- How do I set up a PJSIP endpoint for a WebRTC client?
- How do I generate a self-signed certificate for Asterisk?
- Why is my WebRTC client not connecting over WSS?
- What is the purpose of `dtls_cert_file` in `pjsip.conf`?
- How to configure sipML5 for a secure connection to Asterisk?