The Open Secure Telephony Network is a standard that defines how to configure a VoIP softswitch with the capability to have secure two-way VoIP conversations if both parties are using the same server. The system requires both backend and frontend components, which makes OSTN is a little different than some of the other Guardian apps. Unlike Gibberbot, there are few public SIP services that support secure signalling for a mobile app to connect with. Notably
Tanstagi.net offers free accounts. But it’s more fun to run your own.
Ready? Here’s the 12 step program.
The core server system is what provides user registration and media proxying. The reference application I used is called Freeswitch. It has a plethora of configuration options, so I chose to use a configuration management system called Chef to get everything set correctly.
- Bootstrap a Debian server. Right now the only supported platform for an automated installation is Debian 6 “Squeeze”. The adventerous may try to run the cookbook on another platform and do some bug fixing
- Install sudo, curl and git if you don’t already have them.
apt-get install sudo curl git-core
- Get a static IP address. This is crucial! Your users will need a place to register from anywhere in the world
- Get a domain name. This is also crucial! Your users will prefer to register to a name rather than an IP address
- Configure a local hostname. This is a dependency for the cookbook to properly configure Freeswitch to serve your custom domain. Unfortunately, this process varies based on OS and has bizarre conventions that make no sense. Just follow the instructions and don’t ask questions. Remember to reboot after changing the hostname
- Install Chef from the opscode full stack.
- Download the freeswitch cookbook and execute it with chef-solo
- Walk away and have some coffee or a beer, depending on where the sun is relative to you
- When the Chef run is finished, Freeswitch will be up and running. Check with
netstat -lntp
you should see freeswitch listening on TCP port 5061 - Create users by running
/opt/chef/embedded/bin/ruby /usr/local/freeswitch/scripts/gen_users
. Without arguments, it will print the required parameters. Run it with an offset of 1000 and as many users as you like. Copy the XML files output by the script to/usr/local/freeswitch/conf/directory/default/
The script will also output a file with plaintext passwords so you can provision user handsets. Put this file somewhere safe and encrypted - Reload the XML into Freeswitch’s memory.
/usr/local/freeswitch/bin/fs_cli -x "reloadxml"
- Install CSipSimple and configure it to connect to your domain name with the username/password pair
If you make it through these steps, congratulations! You are now a Freeswitch operator. If you’re curious what is behind all of this and why it works, you should read about SIP, ZRTP and SDP. It’s also worth noting that the Chef cookbook configures the server to act as an SSL Certificate Authority. This is used for Secure SIP. The current landscape of using commercially signed certificates in Freeswitch is far more complicated than any HTTPS web server you may have worked with.
If you’d like to get help from me or another Guardian Project hacker, you can create issues in our tracker and message SteeleNivenson on Freenode or OFTC in channel #guardianproject. Oh yeah, and there’s Twitter @leeazzarello.