[gentoo-user] public wifi blocking ports

[gentoo-user] public wifi blocking ports

[Joseph]

I've installed "zoiper" (this is an softphone app to connect to my Asterisk server) on my old phone and it works on my private network over wifi.
I'm using standard IAX port 4569 to register, so this port is open on my firewall.

But when I catch an open public wifi network in a Mall or a Tim Horton "zoiper" failed to register.

Do they block outgoing ports of public WiFi networks? 
What are my alternatives?

I can open any port on my DD-Wrt and redirect it to my Asterisk server.

-- 
Joseph

Re: [gentoo-user] public wifi blocking ports

[Bill Kenworthy]

On 25/12/14 15:43, Joseph wrote:
> I've installed "zoiper" (this is an softphone app to connect to my
> Asterisk server) on my old phone and it works on my private network over
> wifi.
> I'm using standard IAX port 4569 to register, so this port is open on my
> firewall.
> 
> But when I catch an open public wifi network in a Mall or a Tim Horton
> "zoiper" failed to register.
> 
> Do they block outgoing ports of public WiFi networks? What are my
> alternatives?
> 
> I can open any port on my DD-Wrt and redirect it to my Asterisk server.
> 

Quite often happens in this part of the world.  I run an openvpn ssl vpn
on port 443 with an ssl multiplexor on the server end - route all the
voip traffic through the vpn.  Doesnt work well if bandwidth is really
constrained but its the difference between having at least something or
nothing at all.

BillK

Re: [gentoo-user] public wifi blocking ports

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 1933 bytes --]

On Thursday 25 Dec 2014 08:43:23 Bill Kenworthy wrote:
> On 25/12/14 15:43, Joseph wrote:
> > I've installed "zoiper" (this is an softphone app to connect to my
> > Asterisk server) on my old phone and it works on my private network over
> > wifi.
> > I'm using standard IAX port 4569 to register, so this port is open on my
> > firewall.
> > 
> > But when I catch an open public wifi network in a Mall or a Tim Horton
> > "zoiper" failed to register.
> > 
> > Do they block outgoing ports of public WiFi networks? What are my
> > alternatives?
> > 
> > I can open any port on my DD-Wrt and redirect it to my Asterisk server.
> 
> Quite often happens in this part of the world.  I run an openvpn ssl vpn
> on port 443 with an ssl multiplexor on the server end - route all the
> voip traffic through the vpn.  Doesnt work well if bandwidth is really
> constrained but its the difference between having at least something or
> nothing at all.
> 
> BillK

Most public WiFi hot spots in Europe, especially in multinational coffee shop 
chains, not only block privileged ports to thwart SOCK proxies, ssh, ipsec, et 
al., but also use deep-packet inspection and Man-In-The-Middle attack to 
decrypt your TLS connection to http, https, IMAP4, and POP3 and check your 
payload.  They do this to make sure that you are not some unsavoury character, 
using their Internet connection for questionable activities.  A number of 
companies (like Websense) offer this kind of helpful services to those who 
need to spy on our private communications.

If you check the SSL certificate that is returned from e.g. gmail, you'll see 
that it has not been issued by gmail, or their CA.  Most client applications 
should warn you when you try to connect to a website over TLS.  In such cases 
I would consider your communications over this channel compromised, should you 
decide to proceed.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]

Re: [gentoo-user] public wifi blocking ports

[Joseph]

On 12/25/14 16:43, Bill Kenworthy wrote:
>On 25/12/14 15:43, Joseph wrote:
>> I've installed "zoiper" (this is an softphone app to connect to my
>> Asterisk server) on my old phone and it works on my private network over
>> wifi.
>> I'm using standard IAX port 4569 to register, so this port is open on my
>> firewall.
>>
>> But when I catch an open public wifi network in a Mall or a Tim Horton
>> "zoiper" failed to register.
>>
>> Do they block outgoing ports of public WiFi networks? What are my
>> alternatives?
>>
>> I can open any port on my DD-Wrt and redirect it to my Asterisk server.
>>
>
>Quite often happens in this part of the world.  I run an openvpn ssl vpn
>on port 443 with an ssl multiplexor on the server end - route all the
>voip traffic through the vpn.  Doesnt work well if bandwidth is really
>constrained but its the difference between having at least something or
>nothing at all.
>
>BillK

I do run VoIP over vpn but that is between two points on cable connection and it works very well. 
But running vpn over wifi plus VoIP will not work very well if at all. Voice will be very choppy. 

-- 
Joseph

Re: [gentoo-user] public wifi blocking ports

[Bill Kenworthy]

On 26/12/14 01:42, Joseph wrote:
> On 12/25/14 16:43, Bill Kenworthy wrote:
>> On 25/12/14 15:43, Joseph wrote:
>>> I've installed "zoiper" (this is an softphone app to connect to my
>>> Asterisk server) on my old phone and it works on my private network over
>>> wifi.
>>> I'm using standard IAX port 4569 to register, so this port is open on my
>>> firewall.
>>>
>>> But when I catch an open public wifi network in a Mall or a Tim Horton
>>> "zoiper" failed to register.
>>>
>>> Do they block outgoing ports of public WiFi networks? What are my
>>> alternatives?
>>>
>>> I can open any port on my DD-Wrt and redirect it to my Asterisk server.
>>>
>>
>> Quite often happens in this part of the world.  I run an openvpn ssl vpn
>> on port 443 with an ssl multiplexor on the server end - route all the
>> voip traffic through the vpn.  Doesnt work well if bandwidth is really
>> constrained but its the difference between having at least something or
>> nothing at all.
>>
>> BillK
> 
> I do run VoIP over vpn but that is between two points on cable
> connection and it works very well. But running vpn over wifi plus VoIP
> will not work very well if at all. Voice will be very choppy.

Not necessarily - it depends on bandwidth at both ends (my server is on
adsl.) The important point is port 443 and ssl for the VPN which gets
past all blocking I have encountered so far though I have not noticed
deep packet inspection using MITM yet. I am using self signed certs so
it should show up if its attempted.

What I have encountered is excessive latency on some open WIFI networks
that makes voice conversation unpleasant.

Re: [gentoo-user] public wifi blocking ports

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 1880 bytes --]

On Friday 26 Dec 2014 02:49:37 Bill Kenworthy wrote:
> On 26/12/14 01:42, Joseph wrote:
> > On 12/25/14 16:43, Bill Kenworthy wrote:
> >> On 25/12/14 15:43, Joseph wrote:
> >>> I've installed "zoiper" (this is an softphone app to connect to my
> >>> Asterisk server) on my old phone and it works on my private network
> >>> over wifi.
> >>> I'm using standard IAX port 4569 to register, so this port is open on
> >>> my firewall.
> >>> 
> >>> But when I catch an open public wifi network in a Mall or a Tim Horton
> >>> "zoiper" failed to register.
> >>> 
> >>> Do they block outgoing ports of public WiFi networks? What are my
> >>> alternatives?
> >>> 
> >>> I can open any port on my DD-Wrt and redirect it to my Asterisk server.
> >> 
> >> Quite often happens in this part of the world.  I run an openvpn ssl vpn
> >> on port 443 with an ssl multiplexor on the server end - route all the
> >> voip traffic through the vpn.  Doesnt work well if bandwidth is really
> >> constrained but its the difference between having at least something or
> >> nothing at all.
> >> 
> >> BillK
> > 
> > I do run VoIP over vpn but that is between two points on cable
> > connection and it works very well. But running vpn over wifi plus VoIP
> > will not work very well if at all. Voice will be very choppy.
> 
> Not necessarily - it depends on bandwidth at both ends (my server is on
> adsl.) The important point is port 443 and ssl for the VPN which gets
> past all blocking I have encountered so far though I have not noticed
> deep packet inspection using MITM yet. I am using self signed certs so
> it should show up if its attempted.
> 
> What I have encountered is excessive latency on some open WIFI networks
> that makes voice conversation unpleasant.

Do you use QoS at both ends? It could make a difference with ADSL.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 473 bytes --]