Zoiper

[Richmond]

I've been using Zoiper android client. I looked in the settings and
found it was saying warning, battery usage. The advice was to turn off
running in background so I did so, but then when I tried to make a call
it didn't work so I had to turn it on again. I think this may be a
misleading warning because accubattery doesn't list Zoiper as high
usage.

But that lead me to the first question. I tried using the desktop debian
linux client and it only offered me udp, it did not offer TLS. So I am
wondering if my calls are encrypted. It is quite important that they
are, because I press access codes when connected. Does Zoiper android do
encryption in the free version?

Also, is there another client I could use. I think I have tried cslip
simple, and grandstream but couldn't get either to work.

I am using voiptalk.org

[Woody]

You shouldn't have any issues with CSipSimple - it is one of the more
reliable VoIP apps. Another that also works quite well is Sipdroid.

I have been using both for years with no problem.

[Richmond]

OK I will try those. I have just tried linphone for android but it only
works if I select UDP. And I can't hear any dialling sound.

I wonder if it is my free voip talk account which does not support TLS
or TCP?

[David Woolley]

On 05/08/2021 13:30, Richmond wrote:
> I tried using the desktop debian
> linux client and it only offered me udp, it did not offer TLS. So I am
> wondering if my calls are encrypted. It is quite important that they
> are, because I press access codes when connected. Does Zoiper android do
> encryption in the free version?

TLS is not sufficient for your requirements; you actually need media
encryption (SRTP or ZRTP), especially as INFO support isn't listed for
Zoiper.

According to its feature matrix
<https://www.zoiper.com/pdf/Zoiper_Product_Comparison_Chart.pdf>, both
TLS only and TLS plus SRTP are paid for options, on all the listed
clients, including the web client.

A better solution is likely to be the use of a VPN.

Note that information on when you are keying in the access codes, and
their probable length, is likely to be available, even with media
encryption, as RFC 4733 packets are generally shorter than speech media
ones, although that sort of detailed traffic flow security may not be an
issue for you.

[Richmond]

I couldn't find csipsimple in the android store. I think it has changed
its name but I cannot remember the new name (google...) Ah, it is
discontinued.

I tried sipdroid, but I get the same thing as linphone, I have to use
UDP. I can dial my home phone number and see it ringing, but their is no
dialling sound, and I cannot dial the echo service 904 or the balance
901 which I can with zoiper. I am not sure who provides this service, it
must be voiptalk I think because the 901 gives a balance.

It's all rather confusing.

[Richmond]

So for what does it use tls? Perhaps only to log into the server?

I see that sipdroid mentions a free vpn called PBXes. I haven't tried it
yet but I have a feeling it is not quite free.

[David Woolley]

On 05/08/2021 14:35, Richmond wrote:
> So for what does it use tls? Perhaps only to log into the server?

TLS is used to protect the signalling channel (the actual SIP + SDP).
Unless you use INFO for DTMF, which is uncommon, and not included in the
feature list of Zoiper, your key presses are sent in the media channel
([x]RTP). As such, they need to be protected using SRTP (which depends
on a key exchange on the signalling channel, so, in practice also
requires TLS), or ZRTP, which is done entirely on the media channel, but
has some limitations on authentication.

In practice encryption is single hop, and, for TLS/SRTP, the keys are
necessarily exposed at each hop, even if the encrypted media is
forwarded unchanged. So,unless all the hops are trusted, your codes may
still be exposed. ZRTP has limited support, although the paid version
of Zoiper 5 apparently supports it.

[David Woolley]

On 05/08/2021 14:13, David Woolley wrote:

> A better solution is likely to be the use of a VPN.

I hadn't taken in that you were using a public VoIP gateway (Internet
Telephony Service Provider - ITSP) when I suggested a VPN, as I meant
virtual Private network in its original meaning, not in the sense of an
anonymising service. The sort of VPN I was thinking of would require
both ends of each SIP hop to be within your (organisation's) control.

[Richmond]

noel <delet...@invalid.lan> writes:

> grandstream wave app
>
> https://play.google.com/store/apps/details?id=com.grandstream.wave
>
> fully featured, and, is full free - unlike zoiper

I couldn't get that working at all.

I have had a bad afternoon, not only did things mostly not work, but
even things which were working stopped working. It's possible zoiper
running on the desktop was stopping anything else using the account.

Anyway I have android linphone working and I have enabled ZTRP so I just
assume it will work. I still cannot dial 901 though.

[David Woolley]

On 05/08/2021 16:19, Richmond wrote:

> Anyway I have android linphone working and I have enabled ZTRP

You really should positively verify that ZRTP is working, as I gather
some clients can, silently, fall back to RTP.

Also be aware that ZRTP is vulnerable to a man in the middle attack on
the first session with any given peer.

Incidentally, there is no mention of ZRTP anywhere on voiptalk.org's web
site, and their standard configuration guides give instructions for
unencrypted SIP over UDP, and RTP, although they have some pages on
specific phones saying they support SIPS over TLS and SRTP.

[Woody]

CSipSimple hasn't been discontinued, just Google dropped it from the
Play Store. You can however search for it (with Google!) and download it.

[notya...@gmail.com]

More recent "free" versions of Zoiper have less functionality - e.g. multiple accounts. OTOH the paid version isn't much and a mate who uses it commercially uses the paid version no problem.

UDP is a connectionless protocol, so packets don't necessarily all go the same way, which makes it difficult to tap in the network.

[Richmond]

David Woolley <da...@ex.djwhome.demon.invalid> writes:

> On 05/08/2021 16:19, Richmond wrote:
>
>> Anyway I have android linphone working and I have enabled ZTRP
>
> You really should positively verify that ZRTP is working, as I gather
> some clients can, silently, fall back to RTP.

How would I do that?

>
> Also be aware that ZRTP is vulnerable to a man in the middle attack on
> the first session with any given peer.
>
> Incidentally, there is no mention of ZRTP anywhere on voiptalk.org's
> web site, and their standard configuration guides give instructions
> for unencrypted SIP over UDP, and RTP, although they have some pages
> on specific phones saying they support SIPS over TLS and SRTP.

In the settings of Linphone there is an option to make the ZRTP
mandatory. I am phoning an analogue landline, so I expect the encryption
is from client to a voiptalk server. So if the server doesn't support
it, then perhaps it won't work or I will get an error. I don't want to
waste credit experimenting, I'll just have to wait until I make a call.

[David Woolley]

On 05/08/2021 19:03, Richmond wrote:
>> You really should positively verify that ZRTP is working, as I gather
>> some clients can, silently, fall back to RTP.

> How would I do that?
>

Making it mandatory should do it, but the other way, for desktops, and
laptops, is to use wireshark to actually capture the protocol and make
sure that you really are getting it. Amongst other things the data
should be very random, even for nominal silence. This will be easiest
to see with G.711 (A-law or µ-law).

[David Woolley]

On 05/08/2021 18:38, notya...@gmail.com wrote:

> UDP is a connectionless protocol, so packets don't necessarily all go the same way, which makes it difficult to tap in the network.

The only place that the OP is likely to be vulnerable, given that he
trusts the ITSP and PSTN, is when using a public Wi-Fi hotspot, and
there won't be diverse routing of frames in that context. I suppose the
uplink from the router is also vulnerable, although tools for tapping
ADSL are, I imagine specialist, and of limited value, because of the
extent to which HTTPS is used. That would also not involve diverse
routing of individual packets

Generally, I wouldn't rely on diverse routing for added security.

[Richmond]

I think I can discount deliberate targeted wiretapping. I don't know why
anyone would want to do that. It was just casual eavesdropping that
bothered me. Maybe someone at my ISP or at voiptalk. How long does voice
data sit around on servers? Probably not very long, I have no idea
though.

[Richmond]

I could try that. At the moment my wifi is seperated from my wired
network though, and this computer has no wifi card. So I'll try the
mandatory option first.

[Bob Eager]

On Thu, 05 Aug 2021 10:38:54 -0700, notya...@gmail.com wrote:

> UDP is a connectionless protocol, so packets don't necessarily all go
> the same way, which makes it difficult to tap in the network.

TCP isn't connectionless, but there's still nothing to say that packets
will be routed the same during the connection.

[David Woolley]

On 05/08/2021 21:09, Richmond wrote:
> Maybe someone at my ISP or at voiptalk. How long does voice
> data sit around on servers? Probably not very long, I have no idea
> though.

You can't use technical measures to protect against someone at the ITSP
looking.

Typically less than 20ms.

[Andy Burns]

Mark Clayton wrote:

> UDP is a connectionless protocol, so packets don't necessarily all go
> the same way, which makes it difficult to tap in the network.

TCP *is* a connection-based protocol but even then packets don't
necessarily all go the same way, so TCP vs UDP doesn't enter into the
difficulty of wire-tapping.

[Bob Eager]

And that's one of the reasons TCP has sequence numbers.

[Richmond]

The mandatory option didn't work with linphone, but then neither did the
no encryption option. Nothing worked. The only app that works is Zoiper,
and I got cut off in the middle of the call.

If this is what it will be like after they switch the analog lines off
then I don't want to play.

Thanks for your advice anyway.

[Richmond]

noel <delet...@invalid.lan> writes:

> its actually very reliable, and very simple to setup, I cant fathom out
> why you have so much trouble, try looking here

When you say "it" what do you mean? I had no trouble with Zoiper, I set
it up, it works, and I can dial all of these numbers to test it.

https://www.voiptalk.org/products/voip-useful-numbers

But any other client I try, I cannot dial any of those numbers. Linphone
was easy to set up, it showed I was connected to the network, I was able
to make my own phone ring, but I was not able to dial any of those
numbers and when I dialled someone else I got total silence, not even a
ringing tone.

I don't really want to use up all my credit trying to get clients to
work. It would be useful if I could dial one of those free "useful"
numbers.


> https://helpdesk.ausics.net/kb/faq.php?cid=1

What is ausics?

[Woody]

If you are not getting ringing or a ringtone on your handset the
likelihood is that you do not have your ATA or whatever set up
correctly. You need to tell the unit what cadence it should ring for an
incoming call and the composition of that cadence. Likewise the ringing
in the earpiece and again is generated by the ATA so it needs to be told
what to do.

This link
https://tinyurl.com/ys2czkrw
will take you to the Sipgate site and show you a UK setup.

You will need to work out how the dial plan works and to adjust it to
suit your needs. https://tinyurl.com/4h7wavsz explains it all.

Sipgate also recommend the following SIP and RTP addresses:-
SIP port 43160 (usually 5060)
RTP min 43104 (usually 5104)
RTP max 43120 (usually 5120)

One other question: have you tried calls both with and without Stun active?

[Richmond]

I am not using Sipgate, I am using Voiptalk. See voiptalk.org.

Also I am using an app on a smartphone, I don't hava an ATA.

I am not entirely sure voiptalk is even SIP, I think it probably is but
it doesn't say so anywhere that I can see.

The settings are described here:

https://www.voiptalk.org/products/xlite-setup.html

Although that xlite phone no longer exists, it has become a paid for
bria service. (and I am not using Windows anyway).

Anyway I had an idea earlier that I have a sipgate.co.uk account set up
on my old phone, and according to the instructions on voiptalk I can
phone that account free by dialling
<account-number>@sipgate.co.uk. That's not possible on zoiper because it
has a numeric keypad, but I found a work around. If I click on messages,
I can then send a text message, and that interface has a free format box
for the recipient number, so I put in the sipgate account and tried to
send a message but it failed, although it didn't say why. Then I clicked
the phone button to actually call the sipgate account, but that failed
too saying not found.

I also saw on the voiptalk website that you can call sipgate using
sipbroker. You can do this by dialing a prefix and then dialing the
SIP-code of the sipgate provider. It gives a list of them here:

http://www.sipbroker.com/sipbroker/action/providerWhitePages

But I couldn't see sipgate.co.uk on there. I tried sipgate.com but it
didn't work.

[Richmond]

I made a breakthrough. I got the 905 test number to work with
linphone. Unfortunately when I record it plays back nothing. 903 echo
test doesn't work either but at least it answers and I can hear the
robot voice.

[Woody]

The reason that I added the Sipgate config is because it is essentially
generic except for the parts that specifically relate to Sipgate where
you substitute the Voiptalk equivalent.

The dial plan is generic to all service providers as it sets up the UK
cadences etc.

[Richmond]

I have grandstream wave video lite working now (for audio). I have found
I need to have nat.voiptalk.org:5065 as a proxy and outgoing proxy and I
need it to be enforced. This gets the 901-90x numbers working. The
microphone didn't work with linphone but it does with grandstream, I
don't know why.

[notya...@gmail.com]

True, but each node will create a routing table and tend to stick to it.

Either way it makes tapping a Voip call away from the originating or terminal nodes quite a hard task.

[David Woolley]

On 07/08/2021 19:48, notya...@gmail.com wrote:
> True, but each node will create a routing table and tend to stick to it.

The nodes will only look at the IP layer, which is shared with UDP.

[Richmond]

I didn't achieve much with my efforts. I got grandstream wave working,
but when I selected any encryption option I got an error message "not
acceptable" which I think must have come from the voiptalk server. I
wonder who dreamed up that error message?

So I am looking at aaisp and it says a stand alone voip package for
£1.20 pcm, and 1.5p per call. That seems pretty good. Does anyone know
if they support encryption?

[Chris Green]

notya...@gmail.com <notya...@gmail.com> wrote:
> On Thursday, 5 August 2021 at 21:32:44 UTC+1, Bob Eager wrote:
> > On Thu, 05 Aug 2021 10:38:54 -0700, notya...@gmail.com wrote:
> >
> > > UDP is a connectionless protocol, so packets don't necessarily all go
> > > the same way, which makes it difficult to tap in the network.
> > TCP isn't connectionless, but there's still nothing to say that packets
> > will be routed the same during the connection.
>
> True, but each node will create a routing table and tend to stick to it.
>

Surely the routing table is the "host's" not the program's, or
whatever is using the connection's.

--
Chris Green
·

[Bob Eager]

There are routing tables all down the line.

[Chris Green]

Yes, but still nothing that the program/app can see.

--
Chris Green
·