xsukax E2E Encrypted Voice Call Server

A secure, end-to-end encrypted voice communication server with group-based access control, designed for private conversations with robust security protections.

Github Repo: https://github.com/xsukax/xsukax-E2EE-Voice-Call-Server

🔒 Security & Privacy Overview

This server implements a multi-layered security architecture that ensures:

  • True End-to-End Encryption: Audio is encrypted on the client side before transmission using AES-GCM with keys derived via ECDH P-256
  • Forward Secrecy: Each call generates unique ephemeral keys that are never reused
  • Group Isolation: Users can only communicate within their designated groups
  • Origin Security: SSL/TLS encryption between all components (browser ↔ Cloudflare ↔ origin server)
  • Privacy by Design: No audio recording, minimal data retention, and ephemeral user sessions

🛡️ Security Layers

1. Transport Layer Security

  • HTTPS/WSS Encryption: All communications use TLS 1.2+ encryption
  • Origin Certificate: A self-signed certificate encrypts the hop from cloudflared to the origin. This is not certificate pinning; whether the certificate is actually validated on that hop depends on the tunnel's TLS verification setting (see Cloudflare Configuration)
  • Cloudflare Integration: Designed to work with Cloudflare’s security features

2. Application Layer Encryption

  • Key Exchange: Ephemeral ECDH on P-256; a fresh key pair per call, discarded afterwards, is what gives forward secrecy
  • Audio Encryption: AES-GCM with a 256-bit key for audio data; GCM also authenticates each frame, so modified ciphertext is rejected rather than played
  • Client-Side Crypto: All encryption/decryption happens in the browser; the server and Cloudflare only relay ciphertext
  • Ephemeral Keys: Unique session keys for each call
  • Caveat: The peers' public keys are exchanged through the server, and no out-of-band fingerprint check is part of the design. As with any unauthenticated Diffie-Hellman exchange, this protects against eavesdropping on the network and at Cloudflare, not against a server that substitutes its own keys
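The per-call key agreement and frame encryption described in the bullets above, written out as an added Go example; this is not the project's browser-side JavaScript, it only shows the same construction. Each peer generates an ephemeral P-256 key pair, derives an AES-256-GCM key from the ECDH secret with the peer's public key, and encrypts audio frames under per-direction counter nonces. The KDF (SHA-256 over a fixed label and the raw ECDH secret), the nonce layout and the direction byte are assumptions of this example; the page specifies only ECDH P-256 and AES-GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// callSession is one peer's state for a single call. Only the derived AEAD is kept; the
// ephemeral ECDH private key is never stored, so once it leaves scope this call's key
// cannot be recreated (forward secrecy).
type callSession struct {
	aead    cipher.AEAD
	sendSeq uint64 // nonce counter for frames we send
	sendDir byte   // 1 = caller, 2 = callee; keeps the two directions' nonces disjoint
}

// newEphemeralKey generates the per-call P-256 key pair; PublicKey().Bytes() is what the
// signalling server would relay to the peer.
func newEphemeralKey() (*ecdh.PrivateKey, error) {
	return ecdh.P256().GenerateKey(rand.Reader)
}

// newCallSession derives a fresh AES-256-GCM key from our ephemeral private key and the
// peer's public key. KDF = SHA-256(label || ECDH secret) is an assumption of this example.
func newCallSession(ourPriv *ecdh.PrivateKey, peerPubBytes []byte, caller bool) (*callSession, error) {
	peerPub, err := ecdh.P256().NewPublicKey(peerPubBytes) // rejects malformed or off-curve points
	if err != nil {
		return nil, fmt.Errorf("invalid peer public key: %w", err)
	}
	secret, err := ourPriv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	h := sha256.New()
	h.Write([]byte("example-call-key-v1"))
	h.Write(secret)
	block, err := aes.NewCipher(h.Sum(nil)) // 32-byte digest -> AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	dir := byte(2)
	if caller {
		dir = 1
	}
	return &callSession{aead: aead, sendDir: dir}, nil
}

// nonce is [direction][3 zero bytes][8-byte counter]: a fresh key per call plus a counter
// per direction means no (key, nonce) pair is ever reused, the one failure GCM cannot survive.
func nonce(dir byte, seq uint64) []byte {
	n := make([]byte, 12)
	n[0] = dir
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// sealFrame encrypts one audio frame. The nonce travels in the clear (it is not secret)
// and is bound as associated data, so it cannot be swapped without failing authentication.
func (s *callSession) sealFrame(pcm []byte) []byte {
	n := nonce(s.sendDir, s.sendSeq)
	s.sendSeq++ // a real client would rekey long before this could wrap
	return append(n, s.aead.Seal(nil, n, pcm, n)...)
}

// openFrame authenticates and decrypts a peer frame; a frame carrying our own direction
// byte is a reflection of our own traffic and is refused.
func (s *callSession) openFrame(frame []byte) ([]byte, error) {
	if len(frame) < 12 {
		return nil, errors.New("frame too short")
	}
	n, ct := frame[:12], frame[12:]
	if n[0] == s.sendDir {
		return nil, errors.New("reflected frame: nonce direction is ours")
	}
	return s.aead.Open(nil, n, ct, n) // any modified byte fails authentication
}

func main() {
	callerKey, _ := newEphemeralKey() // each side makes a fresh pair for every call
	calleeKey, _ := newEphemeralKey()
	a, errA := newCallSession(callerKey, calleeKey.PublicKey().Bytes(), true)
	b, errB := newCallSession(calleeKey, callerKey.PublicKey().Bytes(), false)
	if errA != nil || errB != nil {
		panic("key agreement failed")
	}
	frame := a.sealFrame([]byte("constructed 20 ms PCM frame")) // constructed sample input
	pcm, err := b.openFrame(frame)
	fmt.Printf("decrypted %q (err=%v)\n", pcm, err)
	frame[len(frame)-1] ^= 1 // flip one ciphertext bit
	_, err = b.openFrame(frame)
	fmt.Println("tampered frame rejected:", err != nil)
}
```

The properties worth checking against any implementation of this design are the ones the example exercises: a tampered frame fails to open, a frame reflected back at its sender is refused, the nonce changes for every frame, and two calls with fresh key pairs produce different ciphertext for the same input.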

3. Access Control

  • Group-Based Isolation: Users can only see and call users in their same group
  • URL-Based Groups: Group names are sanitized and validated
  • Session Management: Unique 6-character user IDs for each session
  • Call State Validation: Comprehensive call state checking prevents unauthorized actions
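The checks behind the bullets above, as an added in-memory Go model rather than the project's Flask-SocketIO code: a user's identity and group come from the server's own session record, the user list covers only the caller's group, a call can only be placed between two idle users of one group, and an accept succeeds only for the exact pending call addressed to the accepting user. The state names, error values and six-character session ids are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
)

// Per-session call state; every signalling action is validated against it.
type callState int

const idle, calling, ringing, inCall callState = 0, 1, 2, 3

type user struct {
	group string
	state callState
	peer  string // other party of the pending or active call
}

// signalServer models the server-side checks. Identity and group come from the server's
// own session record (keyed by the 6-character id), never from fields in a client message.
type signalServer struct{ users map[string]*user }

var (
	errUnknownUser = errors.New("unknown session")
	errCrossGroup  = errors.New("no such user in your group") // same for absent and other-group ids
	errBusy        = errors.New("user is busy")
	errNoCall      = errors.New("no matching pending call")
)

func newSignalServer() *signalServer { return &signalServer{users: map[string]*user{}} }

// join registers a session in a group (name assumed already sanitized).
func (s *signalServer) join(id, group string) { s.users[id] = &user{group: group} }

// listPeers returns the other ids in the caller's own group; other groups are invisible.
func (s *signalServer) listPeers(id string) ([]string, error) {
	me, ok := s.users[id]
	if !ok {
		return nil, errUnknownUser
	}
	var out []string
	for other, u := range s.users {
		if other != id && u.group == me.group {
			out = append(out, other)
		}
	}
	return out, nil
}

// lookupPair resolves both parties and enforces group isolation; a target that is absent,
// in another group, or the caller itself is reported identically, so ids cannot be probed.
func (s *signalServer) lookupPair(a, b string) (*user, *user, error) {
	ua, ok := s.users[a]
	if !ok {
		return nil, nil, errUnknownUser
	}
	ub, ok := s.users[b]
	if !ok || a == b || ua.group != ub.group {
		return nil, nil, errCrossGroup
	}
	return ua, ub, nil
}

// call places a call; both parties must be idle and in the same group.
func (s *signalServer) call(from, to string) error {
	caller, callee, err := s.lookupPair(from, to)
	if err != nil {
		return err
	}
	if caller.state != idle || callee.state != idle {
		return errBusy
	}
	caller.state, caller.peer = calling, to
	callee.state, callee.peer = ringing, from
	return nil
}

// accept lets id answer exactly the call ringing for it from `from`: the caller cannot
// "accept" its own call and no third party can answer on the callee's behalf.
func (s *signalServer) accept(id, from string) error {
	me, caller, err := s.lookupPair(id, from)
	if err != nil {
		return err
	}
	if me.state != ringing || me.peer != from || caller.state != calling || caller.peer != id {
		return errNoCall
	}
	me.state, caller.state = inCall, inCall
	return nil
}

func main() {
	s := newSignalServer() // constructed session ids and groups
	s.join("AB12CD", "work")
	s.join("EF34GH", "work")
	s.join("IJ56KL", "family")
	fmt.Println(s.listPeers("AB12CD"))        // [EF34GH] <nil>: the family user is not listed
	fmt.Println(s.call("AB12CD", "IJ56KL"))   // no such user in your group
	fmt.Println(s.call("AB12CD", "EF34GH"))   // <nil>
	fmt.Println(s.accept("EF34GH", "AB12CD")) // <nil>
}
```

The same lookup rule should govern every relayed message (key-exchange payloads and encrypted frames): the destination is taken from the server's record of the current call, not from a field the client supplies, so a message can only ever reach the current peer.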

4. Privacy Protections

  • No Persistent Storage: No audio recordings or conversation logs
  • Ephemeral Data: User information exists only during active sessions
  • Earpiece Audio: Audio plays at 20% volume through earpiece only
  • Screen Wake Protection: Aggressive screen wake maintenance during calls

5. Network Security

  • Firewall Configuration: Automatic firewall rules for HTTPS traffic
  • Port Security: Only essential ports are opened (SSH, HTTPS)
  • Service Isolation: Dedicated system user with minimal privileges

📋 Prerequisites

System Requirements

  • Ubuntu 20.04+ or CentOS 8+ (other Linux distributions may work)
  • Python 3.8+
  • 1GB RAM minimum, 2GB recommended
  • CPU with AES-NI support (this only speeds up the server's TLS termination; audio is encrypted and decrypted in the clients' browsers, not on the server)

Network Requirements

  • Port 22000 (HTTPS) for the voice server. If clients reach it only through a Cloudflare Tunnel, cloudflared connects to localhost:22000 and dials out to Cloudflare, so the port does not need to be reachable from the Internet; exposing it publicly lets clients bypass Cloudflare's WAF, rate limiting and access policies
  • Domain name with DNS configured
  • Cloudflare account (recommended for additional security)

🚀 Installation Guide

Automated Installation (Recommended)

  1. Download the installation script:

    curl -O https://raw.githubusercontent.com/xsukax/xsukax-E2EE-Voice-Call-Server/refs/heads/main/xsukax-E2EE-Voice-Call-Server.sh
  2. Make the script executable:

    chmod +x xsukax-E2EE-Voice-Call-Server.sh
  3. Review the script before running it as root (it creates a user, firewall rules and a systemd unit), then run it:

    sudo ./xsukax-E2EE-Voice-Call-Server.sh

Manual Installation

  1. Install system dependencies:

    # Ubuntu/Debian
    sudo apt update && sudo apt install -y python3 python3-pip python3-venv curl ufw openssl

    # CentOS/RHEL
    sudo yum update -y && sudo yum install -y python3 python3-pip curl firewalld openssl
  2. Create service user:

    sudo useradd -r -s /bin/false -d /opt/voice-server voiceserver
  3. Create installation directory:

    sudo mkdir -p /opt/voice-server/app
    sudo chown voiceserver:voiceserver /opt/voice-server
  4. Set up the Python environment. Note that "sudo -u voiceserver source venv/bin/activate" cannot work, because source is a shell builtin rather than a program sudo can execute; call the virtualenv's own pip instead:

    cd /opt/voice-server
    sudo -u voiceserver python3 -m venv venv
    sudo -u voiceserver venv/bin/pip install Flask==3.0.0 Flask-SocketIO==5.3.6 eventlet==0.33.3
  5. Create server configuration: Copy the provided server.py to /opt/voice-server/app/server.py
  6. Generate SSL certificates:

    cd /opt/voice-server
    sudo -u voiceserver openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
     -keyout server.key -out server.crt -subj "/CN=localhost"
    sudo chmod 600 server.key
    sudo chmod 644 server.crt
  7. Create systemd service: Create /etc/systemd/system/voice-server.service with the provided content
  8. Configure firewall:

    # Ubuntu/Debian
    sudo ufw allow ssh
    sudo ufw allow 22000/tcp
    sudo ufw enable

    # CentOS/RHEL
    sudo firewall-cmd --permanent --add-port=22000/tcp
    sudo firewall-cmd --permanent --add-service=ssh
    sudo firewall-cmd --reload
  9. Start the service:

    sudo systemctl daemon-reload
    sudo systemctl enable voice-server
    sudo systemctl start voice-server
🌐 Cloudflare Configuration

Tunnel Setup

  1. Create a Cloudflare Tunnel in your Zero Trust dashboard
  2. Configure the tunnel to point to https://localhost:22000
  3. Set up your public hostname (e.g., voice.yourdomain.com)

Security Settings

  1. SSL/TLS Encryption Mode: Set to “Full (Strict)”. This mode governs proxied DNS records; traffic that arrives through the tunnel is protected by the tunnel connection itself, and the hop from cloudflared to the origin is governed by the tunnel's own origin settings (next item)
  2. Always Use HTTPS: Enable
  3. TLS Settings: Disable TLS verification for the tunnel's origin, because the origin certificate is self-signed. Be clear about the trade-off: cloudflared will then accept any certificate presented on localhost:22000, so that hop is encrypted but the origin is not authenticated. To keep verification on instead, generate the certificate with a subjectAltName for localhost (add -addext "subjectAltName=DNS:localhost" to the openssl req command) and point the tunnel's origin CA pool (originRequest caPool in the cloudflared configuration) at server.crt
  4. HTTP Settings: Disable chunked encoding

Additional Security

  1. WAF Rules: Configure appropriate Web Application Firewall rules
  2. Access Policies: Set up authentication if needed
  3. DDoS Protection: Enable Cloudflare’s DDoS mitigation

🏷️ Group Management

Creating Groups

Groups are created automatically via URL:

  • https://voice.example.com/work → Creates “work” group
  • https://voice.example.com/family → Creates “family” group
  • https://voice.example.com/friends → Creates “friends” group

Group Security

  • Name Sanitization: Group names are sanitized (alphanumeric, hyphens, underscores only)
  • Length Limits: Group names truncated to 20 characters
  • Case Insensitive: Group names are converted to lowercase
  • Isolation: Complete separation between different groups
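The sanitization rules listed above as an added Go function, not the project's Python implementation: percent-decode the path segment, lowercase it, keep only ASCII letters, digits, hyphen and underscore, then truncate. Truncating after filtering (so the 20-character limit applies to the characters that survive) and refusing a name that sanitizes to nothing are assumptions of this example; Flask hands a route variable to the view already decoded, and the decode step is here so the function also works on a raw segment.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// maxGroupLen is the 20-character limit stated on the page.
const maxGroupLen = 20

// sanitizeGroup turns a raw URL path segment into a canonical group name. The second
// return value is false when nothing usable remains, so the caller can refuse the request
// instead of silently creating an empty-named group.
func sanitizeGroup(segment string) (string, bool) {
	decoded, err := url.PathUnescape(segment)
	if err != nil {
		return "", false // malformed percent-encoding: refuse rather than guess
	}
	var b strings.Builder
	for _, r := range strings.ToLower(decoded) {
		switch {
		case r >= 'a' && r <= 'z', r >= '0' && r <= '9', r == '-', r == '_':
			b.WriteRune(r)
		// everything else (spaces, slashes, dots, non-ASCII lookalikes) is dropped, not
		// transliterated, so "wörk" becomes "wrk" and never silently joins "work"
		}
	}
	name := b.String()
	if len(name) > maxGroupLen {
		name = name[:maxGroupLen] // byte slicing is safe: only ASCII remains
	}
	return name, name != ""
}

func main() {
	// constructed inputs, not taken from the project
	inputs := []string{"Work", "Sales%20Team%20%231", "../../etc/passwd", "wörk", strings.Repeat("a", 25), "%E2%9C%93"}
	for _, in := range inputs {
		name, ok := sanitizeGroup(in)
		fmt.Printf("%-22q -> %q ok=%v\n", in, name, ok)
	}
}
```

Because unwanted characters are dropped rather than rejected, "sales team" and "salesteam" land in the same group; if that collision matters for your deployment, reject names containing disallowed characters instead of stripping them.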

Sharing Groups

  1. Visit your group URL (e.g., https://voice.example.com/mygroup)
  2. Click the “Group Info” section
  3. This copies both the group URL and your user ID
  4. Share via secure messaging apps (WhatsApp, Telegram, Signal)

📱 Usage Guide

Joining a Call

  1. Access the group: Visit your group URL
  2. Get your ID: Note your 6-character user ID
  3. See online users: View other users in your group
  4. Initiate call: Click “Private Call” next to any user

During a Call

  • Earpiece Audio: Audio plays at 20% volume through earpiece only
  • Screen Wake: Screen stays awake automatically during calls
  • Encryption Status: Visual indicator shows encryption status
  • Mute Control: Microphone can be muted during calls

Security Indicators

  • 🔒 Encryption Active: End-to-end encryption is established
  • 📱 Earpiece Mode: Audio routing through private earpiece
  • 🔓 Screen Wake: Screen wake protection active
  • 🟢 Online Status: Connection status indicator

🔧 Troubleshooting

Common Issues

Audio not working:

  • Check browser microphone permissions
  • Ensure HTTPS is properly configured
  • Verify Cloudflare tunnel is active

Screen wake not working:

  • Check browser support for Wake Lock API
  • iOS may have limitations on background audio

Connection issues:

  • Verify port 22000 is open and accessible
  • Check Cloudflare tunnel configuration
  • Validate SSL certificate setup

Logs and Monitoring

View service logs:

journalctl -u voice-server -f

Check service status:

systemctl status voice-server

Test SSL connection:

openssl s_client -connect localhost:22000

Performance Issues

High CPU usage:

  • Audio encryption runs in the clients' browsers, so server CPU goes to TLS termination and WebSocket relaying; ensure AES-NI is available so TLS stays cheap
  • Consider upgrading server resources for large groups

Audio quality problems:

  • Check network latency between users and Cloudflare
  • Verify sufficient bandwidth is available

🚨 Security Best Practices

Deployment Recommendations

  1. Regular Updates: Keep the OS and Python dependencies updated
  2. Network Segmentation: Isolate the voice server in its own network segment
  3. Monitoring: Implement comprehensive logging and monitoring
  4. Backups: Regularly backup SSL certificates and configuration

Cloudflare Security

  1. WAF Rules: Implement appropriate Web Application Firewall rules
  2. Rate Limiting: Configure rate limiting to prevent abuse
  3. Bot Protection: Enable bot management features
  4. Access Policies: Use Cloudflare Access for additional authentication

Client-Side Security

  1. Browser Updates: Ensure clients use updated browsers
  2. Network Security: Advise users to avoid public Wi-Fi for sensitive calls
  3. Session Management: Encourage users to refresh for new session IDs periodically

🔄 Maintenance

Updating the Server

  1. Stop the service: systemctl stop voice-server
  2. Update the server.py file
  3. Restart the service: systemctl start voice-server

Certificate Renewal

SSL certificates are valid for 365 days. To renew:

cd /opt/voice-server
sudo -u voiceserver openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
    -keyout server.key -out server.crt -subj "/CN=localhost"
sudo systemctl restart voice-server

Monitoring Health

Set up monitoring for:

  • Service availability (port 22000)
  • CPU and memory usage
  • Network bandwidth
  • Active calls and groups

📞 Support

For general support and troubleshooting, check:

  • Service logs: journalctl -u voice-server -f
  • Network connectivity: telnet yourdomain.com 22000 (this reaches the origin directly and only works if port 22000 is exposed; through Cloudflare the public hostname is served on port 443)
  • SSL certificate: openssl s_client -connect yourdomain.com:22000 for the origin certificate, or openssl s_client -connect voice.yourdomain.com:443 -servername voice.yourdomain.com for the certificate Cloudflare presents to clients

📄 License

This project is licensed under the GNU General Public License v3.0 – see the LICENSE file for details.

🙏 Acknowledgments

  • Flask and Flask-SocketIO teams for the excellent web framework
  • Cloudflare for security and performance enhancements
  • WebRTC and modern browser APIs for real-time communication capabilities

Important: This software is designed for secure communications but should be regularly audited for security vulnerabilities. Always keep the system and dependencies updated to the latest versions.
