How to bypass SIP blocking by ISP?

Introduction

In this article we will see how we can bypass SIP traffic blocking. There are a lot of countries where local ISPs block SIP traffic. It makes it impossible for enterprises or private persons to leverage from low rates on international calls provided by various SIP trunk providers.

Solution

One of the solutions is to connect to a VPN server in another country and then connect to SIP provider through that VPN server. The VPN connection to the remote VPN server is encrypted, therefore local ISP can’t detect and block SIP traffic. I will show you how to setup VPN server in a few easy steps.

The diagram below shows how it’s going to work:

I will use FreePBX 14 as an IP PBX, but the solution itself is vendor independent and you can use any IP PBX or gateway that supports SIP protocol.

As a SIP trunk provider I will use Skype Connect service which is really nice and easy to setup, but you can use any other SIP trunk service.

Step 1. Setup a SIP trunk account

Collect the required information from your SIP trunking service provider.

You will need the following:

• SIP Username
• Password
• SIP server address
• SIP port

Below is the required SIP information from my Skype account:

Step 2. VPN Subscription

As for VPN part, there are two options: you can either have your own virtual machine in a cloud like AWS or Digital Ocean where you will setup your own VPN server or you can use one of the VPN service providers.

The VPN service provider way is much easier, because you don’t have to maintain a remote VPN server.

There are lots of VPN providers out there, but I have tested this solution with PureVPN which works well for me and has an excellent support team.

Go to PureVPN and get a subscription. Make sure you also purchase Port Forwarding and Dedicated IP add-ons.

Once you create an account you will get an email with your details like this:

Now you have all required information to create a VPN tunnel between your IP PBX and PureVPN server.

Step 3. Setup VPN on FreePBX

I will provide instructions on how to configure PPTP VPN tunnel from FreePBX 14 distro which is essentially a CentOS box. If you have another IP PBX and operating system you can get detailed steps from PureVPN support team.

Go to your FreePBX CLI and run the following commands:

yum install -y wget ( This will install wget utility )
yum install -y jq ( This will install a jq utility )
yum install -y pptp ( This will install PPTP package )
wget https://www.dropbox.com/s/tvy8x1iv4rph12t/cyberpptp.sh
chmod +x cyberpptp.sh ( To allow the execute rights )

Now you can run cyberpptp.sh script to bring up the VPN tunnel:

sudo ./cyberpptp.sh –add purevpn hostname username password

All this information has been emailed to you by PureVPN as shown on the picture above:

• hostname – hostname of the VPN server
• username – your username (like, purevpn0dXXXXXX )
• password – your password

Now you can verify that you obtained a Public IP address on ppp0 interface using ip address command:

To disconnect the VPN run the following command:

sudo ./cyberpptp.sh –delete purevpn

Step 4. Configure SIP trunk on FreePBX

Now that our server has an active VPN connection, let’s configure SIP trunk to Skype on FreePBX server.

Go to Connectivity->Trunks and click Add Trunk (choose chan_pjsip).

Give it a descriptive name and make sure Outbound CallerID is set to your Skype SIP Username.

Go to PJSIP settings tab and specify the values like shown below:

Switch to Advanced tab and make sure you set values for From Domain and From User fields:

Don’t forget to click Submit and Apply Configuration.

Now you can go to FreePBX CLI and make sure that SIP trunk is up. Use pjsip list registrations command for this:

All you have to do now is configure an outbound route and route the calls to desired destinations through Skype SIP trunk.

Security Considerations

Don’t forget to make necessary firewall configuration on your operating system, because now that you have a Public IP address, you will get scanned by various bots from all over the internet. It is a good idea to permit SIP traffic only from/to your SIP providers IP address.

For example, the following iptables rules will provide some basic security for your server(description is given in bold):

1. iptables -A INPUT -j ACCEPT -s 63.209.144.201 -d your_public_ip (allows all traffic from sip.skype.com)
2. iptables -A INPUT -j DROP -p tcp –destination-port 22 -d
   your_public_ip (drops all SSH traffic to the Public IP)
3. iptables -A INPUT -j DROP -p tcp –destination-port 80 -d
   your_public_ip (drops all traffic to port 80 from the Internet)
4. iptables -A INPUT -j DROP -p tcp –destination-port 443 -d
   your_public_ip (drops all traffic to port 443 from the Internet)
5. iptables -A INPUT -j DROP -p tcp –destination-port 5060 -d
   your_public_ip (drops all TCP SIP messages from the Internet)
6. iptables -A INPUT -j DROP -p udp –destination-port 5060 -d
   your_public_ip (drops all UDP SIP messages from the Internet)

The first rule allows SIP traffic from sip.skype.com, therefore the last two rules will match and drop only SIP traffic from other sources which is malicious. The second rule will drop all SSH traffic from the internet which will be constantly trying to bruteforce crack your SSH password.

You can also inspect more closely which ports are open on your server and specify the corresponding firewall rules, but I highly recommend to at least apply the rules mentioned above.

Conclusion

Now you should have a working SIP trunk even if your ISP blocks SIP traffic.