Surprisingly, using VOIP across an SSL-based VPN can actually improve the call quality (as measured by MOS scores). The improvement seems to be due to encapsulating the UDP VOIP packets (SIP and RTP) in TCP/IP. NB: Datagram-based VPNs, such as IPsec's ESP, are still bad.
According to a study by Sirrix, VPN has no negative influence on latency, jitter and packet loss; in the case of the g711 codec and a compressed VPN it is even possible to gain 10% bandwidth compared to non-VPN traffic. Apart from that, common VPN solutions differ considerably in available throughput, which is due to the rather small packet sizes and the greatly increased overhead:
With authentication, encryption, HMAC, anti-replay protection, and an initialization vector enabled, and a small RTP size used for the codec, the VPN overhead is high:
g723 with 30ms RTP size and using VPN tunneling: approx. 85% overhead;
g729a with 20ms RTP size and using VPN tunneling: approx. 80% overhead;
But after some adjustments to the encryption/authentication settings and doubling the RTP size, the overhead can go down to about 20%-30%, which is affordable in most cases.
Compared to SRTP as the encryption method for VoIP: approx. 5% additional overhead.
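The mechanism behind these figures can be worked through per packet. The following is an added example, not code from the study or from this page: it assumes IPsec ESP in tunnel mode over IPv4 with two assumed cipher suites, and because the page does not say which VPN was measured, its percentages illustrate the effect of RTP size and cipher settings rather than reproduce the study's numbers.

```python
from dataclasses import dataclass

IP, UDP, RTP = 20, 8, 12      # IPv4, UDP and RTP header sizes in bytes
ESP_HDR, ESP_TRAILER = 8, 2   # SPI + sequence number; pad length + next header

@dataclass(frozen=True)
class EspProfile:             # assumed cipher suites, not taken from the study
    name: str
    align: int  # plaintext is padded to a multiple of this many bytes
    iv: int     # per-packet initialization vector
    icv: int    # integrity check value (authentication tag)

AES_CBC_SHA1 = EspProfile("AES-CBC + HMAC-SHA1-96", align=16, iv=16, icv=12)
AES_GCM_16 = EspProfile("AES-GCM, 16-byte ICV", align=4, iv=8, icv=16)

def rtp_packet_size(bitrate_bps: int, frame_ms: int) -> int:
    """Size of the clear IPv4 packet carrying one RTP frame."""
    return IP + UDP + RTP + bitrate_bps * frame_ms // 8000

def esp_tunnel_size(inner: int, p: EspProfile) -> int:
    """Size on the wire after ESP tunnel-mode encapsulation."""
    padded = -(-(inner + ESP_TRAILER) // p.align) * p.align  # round up
    return IP + ESP_HDR + p.iv + padded + p.icv

def overhead_pct(bitrate_bps: int, frame_ms: int, p: EspProfile) -> float:
    """Added bytes as a percentage of the unencrypted packet."""
    inner = rtp_packet_size(bitrate_bps, frame_ms)
    return round(100 * (esp_tunnel_size(inner, p) - inner) / inner, 1)

if __name__ == "__main__":
    # Constructed sample: the page's RTP sizes, then doubled.
    # g723 is taken as 24-byte frames per 30 ms (6400 bit/s of payload).
    for codec, bps, ms in [("g729a", 8000, 20), ("g729a", 8000, 40),
                           ("g723", 6400, 30), ("g723", 6400, 60)]:
        for p in (AES_CBC_SHA1, AES_GCM_16):
            print(f"{codec} {ms}ms {p.name:24s} {overhead_pct(bps, ms, p):6.1f}%")
```

The fixed per-packet cost (outer IP header, ESP header, IV, ICV) does not shrink with the payload, and block-cipher padding can absorb part of the gain from a larger RTP size, which is why the cipher suite matters as much as the frame length.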
VoIP and VPN Forums:
Tunnel methods
- Zebedee: Can tunnel UDP via TCP (HowTo for Asterisk in German)
- Stunnel: Uses SSL, can do both UDP and TCP
- OpenVPN: Can do both UDP and TCP
- Mizutech VoIP tunneling solution: A complete solution (both server and client side) for encrypted voip
Articles
- VoIP-sip.org - VoIP call quality over VPN
- Network World - Test shows VoIP call quality can improve with SSL VPN links
- O'Reilly Emerging Telephony Strangely, SSL VPNs can help VoIP call quality
- VoIP News Net - VoIP Security via VPN - how to do it yourself.
- Michigan Telephone, VoIP and Broadband blog - Setting up an OpenVPN tunnel using a CentOS-based system as the server and a router flashed with Tomato firmware as the client – Part 1,