Tuesday, May 31, 2016

GNU Gatekeeper 4.2

I'm happy to announce the release of GNU Gatekeeper 4.2.

Version 4.2 is mainly a bug fix release.

A bug in proxying H.239 connections through NAT has been fixes as well
as a number of possible crashes and a few other small bugs.

The main functional change is that GnuGk's old NAT traversal method is
now disabled by default. Everybody should use H.460.x. If you want keep
using the old NAT traversal method, you can re-enable it with



You can download the new version from

Please see the full change log below.


Changes from 4.1 to 4.2
  • BUGFIX(ProxyChannel.cxx) fix H.239 forwarding issue in call where  only one side uses H.460.19
  • BUGFIX(configure.in) make sure LUA test fails for versions below 5.2
  • BUGFIX(gkh235.cxx) small fix with password auth
  • BUGFIX(ProxyChannel.cxx) apply codec filtering also to  receiveAndTransmit capabilities
  • BUGFIX(ProxyChannel.cxx) fix crash in RTP multiplexing
  • BUGFIX(ProxyChannel.cxx) fix crash when using H.245 tunneling translation
  • BUGFIX(gk.cxx) fix shutdown on NetBSD 7
  • BUGFIX(ProxyChannel.cxx) fix compile on NetBSD 7
  • new switch: [RoutedMode] FilterVideoFastUpdatePicture= to reduce the  number of update requests from endpoints
  • disable SSLv3 when using TLS
  • BUGFIX(ProxyChannel.cxx) fix crash in call cleanup
  • support ON and OFF event in LuaAcct
  • BUGFIX(sqlacct.*) implement ON and OFF event as documented
  • new switches [RoutedMode] EnableGnuGkNATTraversal=1 and [Endpoint]  EnableGnuGkNATTraversal=1 to keep GnuGk's old NAT traversal method enabled

Sunday, April 17, 2016

Please tell us what you think about the GNU Gatekeeper!

We are running a suvery to get feedback and ideas for the future development of the GNU Gatekeeper.

Please take a moment to answer a few short questions:


Thanks for your time!

Wednesday, February 17, 2016

GNU Gatekeeper 4.1

I'm happy to announce the availability of GNU Gatekeeper 4.1.

This is mainly a bug fix release. If you are using GnuGk as a server in
a traversal zone or if you do H.239 presentations with Avaya endpoints,
you are strongly encouraged to update. This version also fixes a memory
leak that mainly affects long running gatekeepers with a lot of RAS
traffic. Some of the bugs were long standing, so if you skipped some
previous releases, this is really a good time to update.

The main new feature in this release is expanded LUA support.
Besides LUA authentication and LUA routing, there is now a LuaAcct
module that allows you to run a script on every accounting event of your
choice. Please see the updated manual for details.

You can download the new version from

Please see the full change log below.

My support website https://www.willamowius.com also got a face lift.
Please check it out as well.


Changes from 4.0 to 4.1

  • BUGFIX(ProxyChannel.cxx) fix crash processing Setup
  • BUGFIX(RasSrv.cxx) update IP/port of traversal neighbor on every SCI,  not only on IP changes
  • new status port command: PrintNeighbors
  • BUGFIX(ProxyChannel.cxx) fix H.239 inside multiplePayloadStream from  Avaya XT5000 with H.460.19
  • new accounting module: LuaAcct
  • LUA: new library "gnugk" to allow access to GnuGk functionality
  • BUGFIX(configure) set all detected options in gnugkbuildopts.h on Unix
  • BUGFIX(ProxyChannel.cxx) removing H.235 capabilities might have skipped items
  • BUGFIX(lua.cxx) initialize all LUA variables for LUA routing
  • status port configuration (MaxStatusClients, StatusEventBacklog, StatusEventBacklogRegex) now changable at runtime
  • BUGFIX(GkStatus.cxx) fix StatusEventBacklogRegex for patterns that start at the beginning of the event line
  • BUGFIX(ProxyChannel.cxx) use RealPresence Group 0-Byte keep-alive for IgnoreSignaledH239PrivateIPs (needs LARGE_FDSET to work)
  • new switches to set database connect and read timeout (only used by  MySQL for now)
  • new switch to set worker thread idle timeout: [Gatekeeper::Main] WorkerThreadIdleTimeout=
  • BUGFIX(gk.cxx) better test for gatekeeper shutdown
  • BUGFIX(Routing.cxx) fix fromIP for ARQ and LRQ RouteRequests
  • BUGFIX(gkauth.cxx) only call Q.931 checks when activated
  • BUGFIX(Routing.cxx) fix RouteRequest from unregistered caller who  doesn't provide any alias
  • new switch: [RoutedMode] DisableSettingUDPSourceIP=1

Friday, January 29, 2016

Getting H.323 through Firewalls and NAT by using the free GNU Gatekeeper

The H.323 protocol places IP numbers inside the signaling messages and establishes multiple TCP and UDP connections for a single call. You can't even be sure beforehand of the direction in which some of these connections are established. This makes it harder to get
H.323 through a NAT than other protocols.

To get through firewalls and NATs, the GNU Gatekeeper supports a lot of different traversal methods and protocols. The combination of H.460.18 and H.460.19 (usually called "H.460 NAT traversal" for short) is by far the most common NAT traversal protocol and is supported by virtually all H.323 endpoints today.

The best approach is to place a GNU Gatekeeper on a public IP address in front of your firewall and enable H.460.18 NAT traversal. You don't have to open any inbound port - just allow outgoing connections in your firewall, which is usually the default anyway.

If not all of your endpoints support H.460.18 or if you have a lot of internal calls, you can place a 2nd GnuGk inside your firewall and let it tunnel calls out for all internal endpoints combined. This called a "traversal zone". See Chapter 10 in the GNU Gatekeeper manual how to configure the outside GnuGk as traversal server and the GnuGk inside the firewall as traversal client.

A simple, one gatekeeper configuration for NAT traversal looks like this:




Register all your endpoints with the gatekeeper, whether they are inside or outside the firewall, and you should be able to make calls in and out.

Thursday, December 3, 2015

GNU Gatekeeper 4.0 available

I am pleased to announce the release of GNU Gatekeeper 4.0.

It is now available from http://www.gnugk.org/h323download.html.

This release includes source code suitable for Linux, Windows, MacOS X,
FreeBSD, NetBSD, OpenBSD and Solaris and executables for Linux.

GnuGk 4.0 includes many new features as well as some important bug
fixes, but remains fully compatible with your previous configuration

Whats new ?
  • rewrite of the H.235 password authentication - much better interoperability and much more secure (it is high time to get ride of MD5 based authentication!)
  • IP authentication for all RAS and Q.931 messages
  • important IPv6 updates and fixes
  • support for TCS0 call transfers ("reroute") that can be initiated from applications
  • better NAT traversal support for unregistered endpoints
  • better blocking of spam calls using SQLAuth
  • per endpoint codec filtering
  • DisplayIE rewriting
  • more secure handling of status port passwords (only hash stored)
  • important fix for ODBC database driver
  • CalledPartyNumber IE rewriting for better Polycom interoperability
  • bug fixes

Some of the new 4.0 features are discussed in more detail this post:

Changes from 3.9 to 4.0
  • [...PasswordAuth] CheckID switch is now deprecated, use [H235] CheckSendersID instead
  • provide vendor informations from ARQ or Setup as %{Vendor} in SQLAuth CallQuery
  • prepend timestamp to events in status port backlog
  • BUGFIX(Routing.cxx) remove newlines from vendor string before sending out  RouteRequest to virtual queue
  • BUGFIX(gksql_odbc.cxx) fix DSN initialization when having multiple DSNs at the same time
  • new switch: [RoutedMode] UpdateCalledPartyToH225Destination=1 to always rewrite the CalledPartyNumberIE in Setup to the first E.164 of the H.225 destinationAddress
  • BUGFIX(ProxyChannel.cxx) fix crash on shutdown
  • new settings for [RoutedMode] ScreenDisplayIE=: 'Calling', 'Called', 'CallingCalled' to set the DisplayIE to the (rewritten) caller ID
  • new switch: [RoutedMode] AppendToDisplayIE= to add a string to the DisplayIE when ScreenDisplayIE= is on
  • changed default: H.460.18 keep-alive in traversal zone between neighbors now defaults to 19 sec (was 29)
  • new switch: [RoutedMode] H46018KeepAliveInterval=
  • BUGFIX(ProxyChannel.cxx) better port detection for H.239 when IgnoreSignaledPrivateH239IPs=1
  • BUGFIX(gkacct.cxx) %{caller-port} and %{called-port} now default to "0" instead of the empty string when not available (eg. in direct mode) to avoid SQL errors when they are stored in a numeric column
  • BUGFIX(RasSrv.cxx) fix additive registration with parent gatekeeper
  • BUGFIX(ProxyChannel.cxx) fix IPv6 dual-stack proxy on Linux and Windows
  • dump file descriptor usage on USR2 signal (Linux only)
  • new switch [RoutedMode] DisableFastStart=1
  • support for H.235.1, incl. setting and checking tokens in all RAS and Q.931 messages
  • extend SimplePasswordAuth and FileIPAuth to all RAS and all Q.931 messages
  • store only PBKDF2 hash for [GkStatus::Auth] password in config, not a recoverable password
  • BUGFIX(ProxyChannel.cxx) fix crash when receiving message without UUIE
  • new switch [EP::] DisabledCodecs=
  • much improved TCS0 3rd-party call transfer using 'Reroute' command on status port
  • BUGFIX(Routing.cxx) add field for destination alias in ARQ if missing and a dynamic routing policy sets it
  • BUGFIX(ProxyChannel.cxx) fix crash in H.235 Media for endpoints with more than 64 capability entries in TCS
  • new switch [Proxy] AllowSignaledIPs= to skip to skip auto-detect for network when IgnoreSignaledIPs=1

Friday, November 20, 2015

Wireshark 2 is out - including H.323 over IPv6 decoding

Wireshark 2 has been released. It includes decoding of H.323 over IPv6 wich didn't work properly in all previous version.

Wireshark 2 has a new UI that takes a moment to get used to, but also includes a version with the 'lecacy' UI if you need to get things donme in a hurry and can't fuss with the new UI right now.

Sunday, November 1, 2015

New GNU Gatekeeper 4.0 Features

GnuGk 4.0 is in Beta now. Please give it a try!

H.235 password authentication

Until now, GnuGk only supported MD5 password tokens well. The password
only secured RRQ and ARQ messages in the direction from the endpoint to
the gatekeeper and MD5 is considered a pretty weak algorithm. MD5
tokens are widely supported by vendors and are usually called "H.235",
but strictly speaking they aren't part of any ITU spec.

The new implementation in GnuGk closely follows the H.235.1
specification. It secures all RAS (RRQ, ARQ, BRQ, DRQ etc.) and all
Q.931 (Setup, Alerting etc.) messages. It also secures both directions,
so the gatekeeper can check every message if it is really from the
endpoint and also the endpoint can make sure its really talking to its

The interpretation of H.235.1 varies between vendors (or their
implementation is just buggy, your call). Thats why GnuGk defaults to
rather strict checks, but has configuration switches ([H235] config
section) to enable interoperability with vendor implementations.

During development I ran tests with AudioCodes, Polycom, Inovaphone and
H323Plus endpoints.

For example if you are using a AudioCodes gateway, you should set



You can even tighten security with CheckID=1 in [SimplePasswordAuth].

Per endpoint codec filtering

Suppose you have this MCU, that works fine when endpoints use H.263,
but a lot of calls using H.264 fail. Now you can simply disable H.264
in your GnuGk config, even if that MCU doesn't give you that option:



Now that MCU can't negotiate H.264 any more and all calls will use
H.263. All other endpoint can still use all codecs.

Or suppose you have a Radvision MCU that is rather strict about using
symmetric codecs. Many endpoints don't handle symmetric codec
requirements correctly, but it often helps to simply disable H.239 if
you aren't using it away:


If all your endpoints follow all the specs, you'll probably never need
this feature. Unfortunately not all do and thats when this feature
comes in handy.

IPv6 and IPv4-IPv6 conversion

Actually this is not a new feature in GnuGk 4.0, but 4.0 brings some
significant bug fixes and improvements.

We all know IPv6 will come some day, but hasn't so far, because some
equipment still works better with IPv4 or some network doesn't support
it, yet etc.

With GnuGk, you don't have to convert your network to IPv6, you can
simply add it as another option and GnuGk will convert between IPv4 and
IPv6 whenever necessary. So you can keep all your legacy endpoints that
only support IPv4 and still have them reach other endpoints that work
on IPv6.

I would suggest you give IPv6 a try in your network now, before things
get very urgent and must be done in a rush.

The config part in GnuGk is rather easy:


In all places where you can put an IPv4 address, you can also place an
IPv6 address.

BTW: If you want to see your IPv6 H.323 calls in Wireshark, you need a
new version. I worked with the Wireshark developers to get the
disection fixed. That patch will probably be in 2.0.0rc1.