[asterisk-bugs] [JIRA] (ASTERISK-28778) Public IP in contact URI when softphone traffic goes through VPN

Jib Jab (JIRA) noreply at issues.asterisk.org
Thu Mar 12 00:33:25 CDT 2020


    [ https://issues.asterisk.org/jira/browse/ASTERISK-28778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=249978#comment-249978 ] 

Jib Jab commented on ASTERISK-28778:
------------------------------------

Thank you Joshua. That is good data. Well configuration for sure... The moment I restarted my phone server (which I had to do after hours), the new "local network" took, and the softphones worked through the VPN perfectly. Interestingly, if I do TLS SRTP to the outside IP of the phone server (with my own IP whitelisted), it still only partially works (calling from softphone works, but calling to the softphone doesn't)... but I guess this issue could be boiled down to making sure documentation states that any changes to local networks require an Asterisk restart, and not just a reload. Right?

> Public IP in contact URI when softphone traffic goes through VPN
> ----------------------------------------------------------------
>
>                 Key: ASTERISK-28778
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28778
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/res_pjsip_sdp_rtp
>    Affects Versions: 13.21.1
>         Environment: Baremetal with Sangoma OS with kernel 3.10.0-862.14.4.el7.x86_64
>            Reporter: Jib Jab
>            Assignee: Jib Jab
>
> I posted this with Sangoma issues, but the more I look at it, this is probably an Asterisk issue.
> My phone server is on bare metal. I have a situation where 50+ staff will need to work remotely and need softphone access to the phone server over VPN, but I'm getting a one-way audio issue that, after thorough wiresharking and tcpdumping (detailed below), I've ruled out the router/VPN and the Bria 5 Softphone as the cause of. It is Asterisk that is putting the public IP into the SDP Contact URI.
> I have a laptop with Bria 5 Softphone, which VPNs into another network (given an example IP of 100.100.100.1, and showing up on the laptop as another ethernet device, separate from the wifi device, so as far as the softphone knows, that is the computer's IP address) which has access to the phone server DMZ (for example 200.200.200.1). The VPN vlan 100.100.100.1 is listed as one of the local networks on FreePBX portal / Settings / Asterisk SIP Settings / General SIP Settings. I am using PJSIP. If I examine pjsip.conf and pjsip.transports.conf, I see 100.100.100.0/24 listed for each transport (udp, tcp and tls). Several Asterisk reloads have been done since that local network was added to the list.
> But when a new call is placed by the softphone (for example 9925550000), it has one-way audio (from phone server to softphone only).
> A tcpdump in phone server terminal shows the phone traffic is not natting or doing anything strange with the traffic (more on that later)… server is sending tcp SIP/SDP and RTP just fine… but the softphone just isn’t sending any RTP back.
> I wireshark on the laptop and find it is sending RTP out the wifi device to the public IP (example 111.111.111.111) of the phone server instead of the internal 200.200.200.1. So I inspect the SDP traffic at the beginning of the call and find the third, and last, SDP (going from phone server to softphone) with a "Contact URI 9925550000 at 111.111.111.111". So of course the softphone/laptop is sending RTP to the public IP. I backed up to the tcpdump on the phone server, and sure enough, the last SDP packet it sent has that Contact URI. None of the other packets have anything but internal IPs.
> Somehow the phone server is getting a clue that the phone is external... even though I don't see any indication of such in the SDP traffic before this. As far as I know, Asterisk/FreePBX will only do this if the invite came from an IP that doesn't fall in the "local networks" listed in General SIP Settings (which seems to populate pjsip.transports.conf).
> Note that I do have a few remote Yealink desk phones with their public IPs whitelisted on router, directly to the phone server (only allowing necessary TLS-SIP and SRTP ports), so I can't just remove the public IP from the SIP Settings.
> While I could whitelist every remote softphone's public IP and run TLS SRTP, this doesn't scale well, increases our attack vector, and I would prefer to keep this traffic over our corporate VPN, because I don't want the phone ringing when these employees are not actively working (logged out of the VPN and done for the day).
> I've tried every possible setting in FreePBX for endpoints and Asterisk SIP Settings; I'm now sure it's a bug.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
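The report turns on whether the peer's source address falls inside one of the transport's local_net ranges: if it does, Asterisk advertises the internal address in SDP, otherwise it substitutes external_media_address. The following is an added example, not code from the issue or from the Asterisk project; it parses a constructed pjsip transport section using the placeholder addresses from the report and models that decision, so an administrator can check which address a given peer would be handed before and after the VPN subnet is added (the decision logic is a simplified model of Asterisk's behaviour, and the internal address 200.200.200.1 is assumed).

```python
import ipaddress

# Constructed pjsip transport section modelled on the report: the VPN subnet
# is listed as a local network and the public address is the external one.
TRANSPORT_CONF = """
[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
local_net=200.200.200.0/24
local_net=100.100.100.0/24
external_media_address=111.111.111.111
external_signaling_address=111.111.111.111
"""


def parse_transport(text, section):
    """Return (local_nets, external_media_address) for one transport section.

    Asterisk allows local_net to be repeated, which configparser rejects,
    so the section is parsed by hand.
    """
    nets, external = [], None
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line == f"[{section}]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "local_net":
            nets.append(ipaddress.ip_network(value, strict=False))
        elif key == "external_media_address":
            external = value
    return nets, external


def advertised_media_address(peer_ip, local_nets, external, internal):
    """Simplified model of the NAT decision: a peer inside any local_net is
    given the internal address in SDP; any other peer is given
    external_media_address when one is configured."""
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in local_nets):
        return internal
    return external or internal
```

Running the check with the VPN subnet absent from local_net reproduces the pre-restart behaviour in the report (the VPN peer is handed 111.111.111.111); with it present the peer is handed 200.200.200.1.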


