Surprisingly, using VOIP across an SSL-based VPN can actually improve the call quality (as measured by MOS scores). The improvement seems to be due to encapsulating the UDP VOIP packets ( SIP and RTP ) in TCP/IP. NB Datagram-based VPNs, such as IPSec's ESP are still bad.

According to a study by Sirrix VPN has no negative influence on latency, jitter and packet loss; in the case of the g7.11 codec and compressed VPN it is even possible to gain 10% bandwidth compared to non-VPN traffic. Apart from that, different common VPN solutions have big difference on the available throughput, which is due to the rather small packet sizes and greatly increased overhead:

With enabling authentication, encryption, HMAC, anti-replay attack, and initialization vector, and use small RTP size for Codec, the vpn overhead is high:
g723 with 30ms RTP size and using VPN tunneling: approx. 85% overhead;
g729a with 20ms RTP size and using VPN tunneling: approx. 80% overhead;

But when making some adjustments on the encryption/authentication settings and double the RTP size, the overhead can go down to about 20%-30%, which is affordable for most of cases.

Comparing to SRTP as encryption method for VoIP: approx. 5% additional overhead.

VoIP and VPN Forums:

• VoIP Security Forum

Tunnel methods

• Zebedee: Can tunnel UDP via TCP (HowTo for Asterisk in German)
• Stunnel: Uses SSL, can do both UDP and TCP
• OpenVPN: Can do both UDP and TCP
• Mizutech VoIP tunneling solution: A complete solution (both server and client side) for encrypted voip

Articles

• Network World - Test shows VoIP call quality can improve with SSL VPN links
• O'Reilly Emerging Telephony Strangely, SSL VPNs can help VoIP call quality
• VoIP News Net - VoIP Security via VPN - how to do it yourself.
• Michigan Telephone, VoIP and Broadband blog - Setting up an OpenVPN tunnel using a CentOS-based system as the server and a router flashed with Tomato firmware as the client – Part 1, Part 2, Part 3, and Part 4 - this method is suitable for use with hardware VoIP adapters that do not support any form of VPN tunneling.

Commercial services (in alphabetical order)

• 12vpn VoIP-friendly VPN gateway supporting OpenVPN, PPTP and L2TP/IPSec.
• Ciphron offers an OpenVPN Gateway for Snom 370 OpenVPN Edition. This enables users to easily set up and maintain the VPN tunnels in Snom 370 phones. Announcement: Launch of Ciphwall SPN for Snom 370 OpenVPN Edition Product: Ciphwall SPN 100.
• Road Warrior VPN.com - Road Warrior VPN.com is a OpenVPN (SSL) based VPN provider. They support SNOM phone which run OpenVPN directly on the phone. They also provide easy to use desktop clients.
• SafeVPN.Net provides VoIP-friendly VPN accounts on UK and US locations with multiple static IPs. Accounts can work on UDP and also on TCP mode to forward VoIP traffic. Accounts are know to work with Guyana, Bangladesh, Middle East locations and many more.
• SuperVPN.Net Super VPN offer paid and free PPTP and Open VPN sevices which provide you anonymous web surfing without provider logs for personal and business use.Also they offer VoIP VPN perfect to unblock Skype or any other VoIP software.
• VPN4SIP.COM - VPN4SIP.COM is a low cost WIFI router based VPN service that UNBLOCKS residential Ethernet VOIP adapters to make SIP or Skype Calls freely in Dubai/UAE, Oman, Qatar and Yemen.
• Soundwin Soundwin integrate VPN service into its own VOIP products N200 to provide more flexibile communication via VOIP. VPN feature also available on SR series ATA.
• VPN4VOIP.COM - VPN for VOIP is a low cost SSL based VPN service specially designed for VOIP traffic applications with best service quality in the market. It helps to bypass ISP blocking on VOIP calls utilizing the VPN tunneling technology and assigns mapped static public IP (5 IP with /28 VLAN) to VOIP gateways for wholesale traffic origination and termination applications. The service is QoS controlled, secure, flexible and reliable. User will get guaranteed ping performance and dedicated bandwidth. It is claimed to be working 100% with any ISP - Only one open UDP port is needed to get the solution works. You can use their free deployed client software under Windows XP/2003 with two Ethernet cards which changes the PC into a soft VPN router. Client side can use any dynamic or private IP connections to use the service, free evaluation is available.

• http://www.vpn3000.com VPN service, this vpn service will let you have privacy for you VOIP calls, and in case of VOIP being blocked, it will let you use VOIP, it is based on SSL, works on Windows, Linux, and Macs. To use it for VOIP if you run asterisk, you can have the asterisk server itself run the openvpn client, in case of an ATA you have to make sure that the ATA traffic goes over the VPN, the ATA could be connected to an Asterisk server running the VPN, or to a Windows or Linux server running the VPN and routing the trafic, the VPN can also be used with some routers that run Linux like Openwrt, or dd-wrt, in the case of a soft phone, you run the vpn on the computer that the soft phone is connected to, the VPN can also be used on some Linux phones, for example Openmoko running debian, or Nokia N810, and N900.

See also

• VPN
• Asterisk encryption