SkillAgentSearch skills...

Openli

Open Source ETSI compliant Lawful Intercept software

GenerateConvertImprove

Install / Use

/learn @OpenLI-NZ/Openli
About this skill

Quality Score

0/100

Supported Platforms

Universal

README

OpenLI -- open source ETSI-compliant Lawful Intercept software

Version: 1.1.17

Copyright (c) 2024 - 2026 SearchLight Ltd, New Zealand. All rights reserved.

OpenLI was originally developed by the University of Waikato WAND research group. For further information please see https://www.wand.net.nz/.

OpenLI is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.

IMPORTANT

This software is provided AS-IS and offers no guarantee that it will able to completely satisfy your lawful intercept obligations. This version of the software is an initial release and we anticipate that there will still be many bugs and incompatibilities that we have not yet encountered in our testing so far. If you do encounter issues with the OpenLI software, please report them to us via our Github page (https://github.com/OpenLI-NZ/openli) so that we can continue to improve the quality of OpenLI for all of our users.

ALSO IMPORTANT

We acknowledge that lawful interception is a tool that can easily be abused by authoritarian regimes to violate the human rights and privacy of innocent citizens. OpenLI is free and open-source software and therefore we cannot directly control who uses OpenLI and where OpenLI is used. However, we must state that we categorically do not approve of or condone the use of OpenLI in countries or territories where the interception of communications can take place without the prior approval of a suitable independent legal authority (such as a judge or magistrate).

This software was created to allow network operators to comply with their legal obligations to assist law enforcement to prevent criminal or terrorist activity. Any use of this software to assist with the violation of human rights or the oppression of a populace is forbidden. If you are unsure as to whether your use of this software may violate these conditions, please contact us as hello@openli.nz and explain your situation to receive our advice on whether you may use OpenLI or not.

Software Packages

We currently package OpenLI for many common Linux distributions. We strongly recommend that you install OpenLI using a package if you can, rather than building from source.

Instructions on packaged installs can be found at: https://github.com/OpenLI-NZ/openli/wiki/Installing-Debian-Packaged-Version https://github.com/OpenLI-NZ/openli/wiki/Installing-via-RPM

Complementary Software

Here are some other software projects that are able to interface with an OpenLI deployment in useful ways:

  • mediaMin can ingest pcaps containing the intercept records produced by OpenLI and perform deep analysis of the media from intercepted calls. Very useful for both validating your OpenLI install by comparing the intercepted call audio with the original, or to form the basis of a LEA system to receive and process intercepts. mediaMin can also be used to prepare intercepted audio for ingestion into speech-to-text and LLM cloud models.
  • OpenLI Web Provisioner is a web-based GUI that allows you to configure intercepts, agencies and other core OpenLI configuration through your web browser.

The OpenLI Wiki

The best source of documentation for OpenLI is the OpenLI wiki at https://github.com/OpenLI-NZ/openli/wiki -- we have specific pages on a number of topics that may be relevant to OpenLI users (e.g. encryption, the REST API, DPDK with OpenLI, etc.). The wiki tends to be updated more often than the in-code documentation (e.g. the doc/ directory) as well.

If there is content that you would like to contribute to the OpenLI wiki, please feel free to reach out to us at hello@openli.nz and we will be more than happy to accept your contribution.

Dependencies for building from source

  • libtrace 4.0.27 or later (packages for Debian / Ubuntu are available from WAND as well).

  • libwandder 2.0.13 or later (packages for Debian / Ubuntu are available from WAND as well).

  • libyaml -- Debian / Ubuntu users can install the libyaml-dev package. Required for all components.

  • libosip2 -- Debian / Ubuntu users can install the libosip2-dev package. Only required for the collector.

  • uthash -- Debian / Ubuntu users can install the uthash-dev package. Required for all components.

  • libzmq -- Debian / Ubuntu users can install the libzmq3-dev package. Required for all components.

  • libJudy -- Debian / Ubuntu users can install the libjudy-dev package. Required for the collector and the mediator.

  • libmicrohttpd -- Debian / Ubuntu users can install the libmicrohttpd-dev package. Required for the provisioner.

  • libjson-c -- Debian / Ubuntu users can install the libjson-c-dev package. Required for the provisioner.

  • libssl -- Debian / Ubuntu users can install the libssl-dev package. Required for all components.

  • libsqlcipher -- Debian / Ubuntu users can install the libsqlcipher-dev package. Required for the provisioner.

  • librabbitmq -- Debian / Ubuntu users can install the librabbitmq-dev package. Required for the collector and mediator.

  • libb64 -- Debian / Ubuntu users can install the libb64-dev package. Required for the collector.

  • libtcmalloc -- Debian / Ubuntu users can install the libgoogle-perftools-dev package. Optional, but highly recommended for performance reasons.

  • libuuid -- Debian / Ubuntu users can install the uuid-dev package. Required by all components.

  • RabbitMQ Server -- Debian/Ubuntu users can install the rabbitmq-server package. Optional for the collector, required for the mediator.

Building OpenLI

To build OpenLI from source, just follow the series of steps given below.

  1. Run the ./bootstrap.sh script at the top level of the source tree (only required if you have cloned the OpenLI git repo).

  2. Run the ./configure script.

    If you wish to install OpenLI to a non-standard location (which is typically /usr/local/), append --prefix=<location> to the ./configure command.

    ./configure will fail if any of the required dependencies are missing. If you have installed any of the dependencies in non-standard locations, you may need to also tell ./configure where they are using the CFLAGS and LDFLAGS arguments. For example, if I had installed libtrace into the /home/wand/ directory, I would need to add CFLAGS="-I/home/wand/include" LDFLAGS="-L/home/wand/lib" to the ./configure command.

    To disable the building of any of the three core OpenLI components, you can add any of the following to your './configure' command.

     --disable-provisioner
 --disable-mediator
 --disable-collector

  3. Run make.

  4. To install OpenLI on your system, run make install. If you haven't set the prefix in Step 2, you'll probably need to run this command as a superuser (e.g. sudo make install).

    This last step is optional -- the OpenLI software components should run without needing to be installed.

Mediator RabbitMQ Setup

If you have built OpenLI from source, you will also need to perform some additional manual configuration steps to allow your mediator to be able to use RabbitMQ server for its internal message passing.

Note, you only need to do this for the mediator component and only if you built the mediator from source rather than using a packaged install.

More details can be found at https://github.com/OpenLI-NZ/openli/wiki/RabbitMQ-for-internal-buffering-on-Mediators but a brief set of instructions is included below:

First, if you haven't already done so, install RabbitMQ server. Instructions can be found at https://www.rabbitmq.com/download.html

Configure RabbitMQ on your mediator to only accept connections from localhost by adding the following lines to a config file called /etc/rabbitmq/rabbitmq.conf (note, if this file does not exist then just create it -- if it does exist, just add the config to it):

    listeners.tcp.default = 127.0.0.1:5672
    loopback_users.guest = false

Start the RabbitMQ service:

    service rabbitmq-server restart

Next, create the OpenLI-med vhost on your RabbitMQ server:

    rabbitmqctl add_vhost "OpenLI-med"

Create the openli.nz user and assign them a password:

    rabbitmqctl add_user "openli.nz" "<secretpassword>"

Give the new user permissions to interact with the OpenLI-med vhost:

    rabbitmqctl set_permissions -p "OpenLI-med" "openli.nz" ".*" ".*" ".*"

The last thing you need to do is to provide your OpenLI mediator with the password for the openli.nz user. There are two ways you can do this. The first is by adding a configuration option to your mediator config file (e.g. /etc/openli/mediator-config.yaml) as shown below:

    RMQinternalpass: <secretpassword>

The second is to create a file at /etc/openli/rmqinternalpass that contains ONLY the password that the mediator should use for internal RabbitMQ interactions. Make sure that the file is only readable by t

OpenLI-NZ

View profile

View on GitHub
GitHub Stars108
CategoryDevelopment
Updated3d ago
Forks32
OpenLI-NZ/openli

Languages

C

Security Score

95/100

Audited on Mar 27, 2026

No findings