WebRTC

From VoIPmonitor.org
Revision as of 16:50, 8 January 2026 by Admin (Rewrite: consolidation, better structure, comparison table for the methods, warning/note boxes, See Also section)


This guide covers monitoring encrypted WebRTC traffic with VoIPmonitor, including SIP over Secure WebSocket (WSS) and DTLS-SRTP media encryption.

Overview

WebRTC requires encrypted transport for both signaling and media:

  • WSS (Secure WebSocket): SIP signaling encrypted with TLS
  • DTLS-SRTP: Media (RTP) encrypted via DTLS key negotiation

VoIPmonitor can decrypt both layers using either a private TLS key or the SSL Key Logger method.

Prerequisites: Configure sipport

⚠️ Warning: VoIPmonitor only monitors port 5060 by default. You must add WebRTC ports to sipport or traffic will be ignored.

Edit /etc/voipmonitor.conf:

# Add WebRTC ports (WS=8088, WSS=8089)
sipport = 5060,8088,8089

# Or use port ranges
sipport = 5060,8080-8090

Restart after changes: systemctl restart voipmonitor

ℹ️ Note: In probe/server architecture, configure sipport on both probe and server.

Decryption Methods

Choose based on your environment:

Method             | When to Use                                   | Limitations
-------------------|-----------------------------------------------|-----------------------------------
A: Private Key     | Development/testing, RSA ciphers              | Fails with TLS 1.3/PFS (DHE/ECDHE)
B: SSL Key Logger  | Production, TLS 1.3, PFS, distributed setups  | Requires library injection on PBX

Method A: Private Key

# /etc/voipmonitor.conf
ssl = yes
ssl_ipport = 192.168.2.107:8089 /etc/asterisk/keys/asterisk.pem

# Or use CIDR for multiple hosts
ssl_ipport = 192.168.2.0/24:8089 /path/to/key.pem

Method B: SSL Key Logger

Works with ALL cipher suites including TLS 1.3 and PFS.

1. Compile the library:

git clone https://github.com/voipmonitor/sniffer.git /usr/local/src/voipmonitor-git
cd /usr/local/src/voipmonitor-git/tools/ssl_keylogger/
make

2. Configure PBX to send session keys:

For Asterisk (create /etc/default/asterisk-ssl):

SSLKEYLOG_UDP='127.0.0.1:1234'
LD_PRELOAD='/usr/local/src/voipmonitor-git/tools/ssl_keylogger/sslkeylog.so'

For FreeSWITCH, add to systemd service:

ExecStart=env SSLKEYLOG_UDP='127.0.0.1:1234' LD_PRELOAD='/path/to/sslkeylog.so' /usr/bin/freeswitch ...

3. Configure VoIPmonitor:

# /etc/voipmonitor.conf
ssl = yes
ssl_ipport = 192.168.2.0/24:8089    # NO key file path!
ssl_sessionkey_udp = yes
ssl_sessionkey_udp_port = 1234

# Add loopback if sending keys locally
interface = eth0,lo

💡 Tip: For distributed mode (packetbuffer_sender=yes), send keys to the central server IP, not localhost.

For complete SSL Key Logger documentation, see TLS Decryption.
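A quick way to confirm the PBX is actually emitting session keys before pointing VoIPmonitor at them: the Python listener below (added here, not part of VoIPmonitor or sslkeylog.so) binds the UDP port from ssl_sessionkey_udp_port and checks each received line against the NSS key log format. It assumes sslkeylog.so sends that format (CLIENT_RANDOM lines for TLS 1.2, per-direction traffic secrets for TLS 1.3), which is also why method B keeps working where the private key alone does not.

```python
import re
import socket
from collections import Counter

# Assumption: sslkeylog.so emits the NSS key log format. TLS 1.2 sessions are
# logged as CLIENT_RANDOM lines; TLS 1.3 sessions as per-direction traffic secrets.
TLS12_LABELS = {"CLIENT_RANDOM"}
TLS13_LABELS = {"CLIENT_HANDSHAKE_TRAFFIC_SECRET", "SERVER_HANDSHAKE_TRAFFIC_SECRET",
                "CLIENT_TRAFFIC_SECRET_0", "SERVER_TRAFFIC_SECRET_0", "EXPORTER_SECRET"}
LINE_RE = re.compile(r"^(?P<label>[A-Z0-9_]+) (?P<random>[0-9a-fA-F]{64}) (?P<secret>[0-9a-fA-F]+)$")

def parse_keylog_line(line):
    """Return (label, client_random, secret) or None when the line is not a valid entry."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("label") not in TLS12_LABELS | TLS13_LABELS:
        return None
    label, secret = m.group("label"), m.group("secret").lower()
    # TLS 1.2 master secret is 48 bytes; TLS 1.3 secrets are one hash length (32 or 48 bytes)
    if label == "CLIENT_RANDOM" and len(secret) != 96:
        return None
    if label in TLS13_LABELS and len(secret) not in (64, 96):
        return None
    return label, m.group("random").lower(), secret

def summarize_datagrams(datagrams):
    """Count valid entries per TLS version and distinct sessions (client randoms)."""
    counts = Counter({"tls1.2": 0, "tls1.3": 0, "invalid": 0})
    sessions = set()
    for data in datagrams:
        for raw in data.decode("ascii", errors="replace").splitlines():
            parsed = parse_keylog_line(raw)
            if parsed is None:
                counts["invalid"] += 1
                continue
            label, client_random, _ = parsed
            counts["tls1.2" if label in TLS12_LABELS else "tls1.3"] += 1
            sessions.add(client_random)
    counts["sessions"] = len(sessions)
    return dict(counts)

def listen(port=1234, max_datagrams=10):
    """Bind the port from ssl_sessionkey_udp_port and summarize the first datagrams received."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    return summarize_datagrams(sock.recv(4096) for _ in range(max_datagrams))

if __name__ == "__main__":
    print(listen())
```

Run it with the sensor stopped (or with SSLKEYLOG_UDP pointed at a spare port), since only one process can own the port. The datagrams carry the secrets that decrypt every logged session in plaintext UDP, so in distributed mode the PBX-to-server path should stay on a trusted network segment.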

Asterisk Configuration

Step 1: Generate TLS Certificates

mkdir -p /etc/asterisk/keys && cd /etc/asterisk/keys

# Create CA
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

# Create server certificate
openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out cert.crt

# Combine for Asterisk
cat key.pem cert.crt > asterisk.pem

Step 2: Configure HTTP Server

/etc/asterisk/http.conf:

[general]
enabled = yes
bindaddr = 0.0.0.0
bindport = 8088          ; WS (unencrypted)
tlsenable = yes
tlsbindaddr = 0.0.0.0:8089  ; WSS (encrypted)
tlscertfile = /etc/asterisk/keys/asterisk.pem
tlscipher = AES128-SHA

Step 3: Configure RTP

/etc/asterisk/rtp.conf:

[general]
icesupport = yes
; stunaddr = stun.l.google.com:19302

Step 4: Configure PJSIP

Disable old chan_sip in /etc/asterisk/modules.conf:

noload => chan_sip.so

/etc/asterisk/pjsip.conf:

[global]
type = global
realm = 192.168.2.107

; --- Transports ---
[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0:5060

[transport-wss]
type = transport
protocol = wss
bind = 0.0.0.0:8089

; --- WebRTC Template ---
[webrtc-template](!)
type = endpoint
disallow = all
allow = opus,ulaw,alaw
context = internal-webrtc
media_encryption = dtls
dtls_verify = fingerprint
dtls_cert_file = /etc/asterisk/keys/asterisk.pem
dtls_ca_file = /etc/asterisk/keys/ca.crt
dtls_setup = actpass
use_avpf = yes
ice_support = yes
rtcp_mux = yes

; --- User 101 ---
[101](webrtc-template)
auth = 101-auth
aors = 101-aor

[101-auth]
type = auth
auth_type = userpass
username = 101
password = secret101

[101-aor]
type = aor
max_contacts = 1

Step 5: Dialplan

/etc/asterisk/extensions.conf:

[internal-webrtc]
exten => _1XX,1,Dial(PJSIP/${EXTEN})

WebRTC Client Setup (sipML5)

Using sipML5:

Basic Settings:

  • Display Name: 101
  • Private Identity: 101
  • Public Identity: sip:101@192.168.2.107
  • Password: secret101
  • Realm: 192.168.2.107

Expert Mode:

  • WebSocket Server URL: wss://192.168.2.107:8089/ws
  • Enable RTCWeb Breaker: Checked
  • Disable 3GPP Early IMS: Checked

⚠️ Warning: Before login, open https://192.168.2.107:8089/ws in browser and accept the self-signed certificate.

Third-Party WebRTC Monitoring (--rtp-no-sig)

Use this mode to monitor WebRTC media when you have no access to the signaling (e.g., calls handled by external providers).

When to Use

  • Third-party WebRTC service without signaling access
  • Only media (RTP) stream is accessible
  • Need QoS metrics without decryption

Configuration

# Start with --rtp-no-sig flag
voipmonitor --rtp-no-sig --interface eth0

# Or add to systemd service ExecStart line

Behavior:

  • CDRs created from RTP packets using SSRC identifiers
  • QoS metrics (MOS, jitter, packet loss) collected without decryption
  • Caller ID and call direction unavailable
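The fields --rtp-no-sig relies on (SSRC, sequence number, timestamp, payload type) sit in the RTP header, which SRTP authenticates but does not encrypt, so a sensor can group packets by SSRC and derive loss and jitter without any keys. The Python example below (added here, not VoIPmonitor's code) shows that computation over constructed RTP packets; it assumes an 8 kHz clock and ignores reordering and duplicates.

```python
import struct
from collections import defaultdict

RTP_HEADER_LEN = 12  # fixed header: V/P/X/CC, M/PT, sequence, timestamp, SSRC

def parse_rtp_header(pkt):
    """Parse the fixed RTP header (RFC 3550); returns None unless it is RTP version 2.
    SRTP leaves this header unencrypted, which is what --rtp-no-sig relies on."""
    if len(pkt) < RTP_HEADER_LEN:
        return None
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:RTP_HEADER_LEN])
    if b0 >> 6 != 2:
        return None
    return {"ssrc": ssrc, "seq": seq, "ts": ts, "pt": b1 & 0x7F}

def stream_stats(packets, clock_rate=8000):
    """Group packets by SSRC and compute expected/lost counts and RFC 3550 interarrival jitter.
    packets: iterable of (arrival_time_seconds, raw_bytes). Reordering and duplicates are ignored."""
    streams = defaultdict(lambda: {"received": 0, "first_seq": None, "last_seq": None,
                                   "prev_transit": None, "jitter": 0.0, "pt": None})
    for arrival, pkt in packets:
        h = parse_rtp_header(pkt)
        if h is None:
            continue
        s = streams[h["ssrc"]]
        s["received"] += 1
        s["pt"] = h["pt"]
        if s["first_seq"] is None:
            s["first_seq"] = h["seq"]
        s["last_seq"] = h["seq"]
        # transit = arrival (in RTP clock ticks) - RTP timestamp; jitter is the
        # running 1/16-smoothed absolute change of transit between consecutive packets
        transit = arrival * clock_rate - h["ts"]
        if s["prev_transit"] is not None:
            s["jitter"] += (abs(transit - s["prev_transit"]) - s["jitter"]) / 16
        s["prev_transit"] = transit
    result = {}
    for ssrc, s in streams.items():
        expected = (s["last_seq"] - s["first_seq"]) % 65536 + 1  # handles 16-bit wrap
        lost = max(expected - s["received"], 0)
        result[ssrc] = {"payload_type": s["pt"], "expected": expected, "received": s["received"],
                        "lost": lost, "loss_pct": round(100.0 * lost / expected, 2),
                        "jitter_ms": round(1000.0 * s["jitter"] / clock_rate, 3)}
    return result

def make_rtp(ssrc, seq, ts, pt=0, payload=b"\x00" * 160):
    """Build a constructed RTP packet (version 2, no padding/extension/CSRC) for testing."""
    return struct.pack("!BBHII", 0x80, pt, seq, ts, ssrc) + payload
```

Because the payload stays encrypted, these are exactly the metrics available in this mode; anything that needs the audio or the SIP dialog (caller ID, direction, replay) still requires the key logger.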

With Audio Replay

Combine --rtp-no-sig with SSL Key Logger for full monitoring:

# On WebRTC server
SSLKEYLOG_UDP='10.0.0.10:1234'
LD_PRELOAD='/path/to/sslkeylog.so'

# On VoIPmonitor sensor
ssl = yes
ssl_sessionkey_udp = yes
ssl_sessionkey_udp_port = 1234

See Also

AI Summary for RAG

Summary: Guide for monitoring encrypted WebRTC (WSS/DTLS-SRTP) with VoIPmonitor. CRITICAL: Add WebRTC ports to sipport (e.g., sipport = 5060,8088,8089) before configuring decryption. Two methods: Private Key (ssl_ipport = IP:PORT /path/key.pem) fails with TLS 1.3/PFS; SSL Key Logger works with all ciphers via LD_PRELOAD injection and ssl_sessionkey_udp=yes. For distributed mode, send keys to central server IP. Includes Asterisk WSS/PJSIP setup. Use --rtp-no-sig for third-party WebRTC without signaling access.

Keywords: webrtc, wss, secure websocket, dtls, srtp, encrypted, tls, ssl, asterisk, pjsip, freeswitch, decryption, ssl_ipport, sslkeylog, ld_preload, ssl_sessionkey_udp, sipport, rtp-no-sig, pfs, tls 1.3, distributed mode, 8088, 8089

Key Questions:

  • How do I monitor encrypted WebRTC calls with VoIPmonitor?
  • Why is VoIPmonitor not detecting WebRTC traffic?
  • How do I configure sipport for WebRTC ports 8088/8089?
  • What is the difference between Private Key and SSL Key Logger decryption methods?
  • How do I configure Asterisk for secure WebRTC?
  • How does --rtp-no-sig work for third-party WebRTC monitoring?
  • How do I decrypt DTLS-SRTP for audio replay?