[asterisk-users] Asterisk 1.6 and OpenVPN RTP problem

Dave Platt dplatt at radagast.org
Wed Mar 24 18:09:17 CDT 2010


> Hello All,
> 
> I have installed Asterisk 1.6 with OpenVPN in the same machine. I have set
> up a VPN connection between 2 SIP clients and Asterisk using x-lite.
> 
> The 2 clients connect to Asterisk. SIP signaling goes ok over the vpn
> tunnel.
> 
> When attempting to make a call between the clients, the signaling part of
> the call goes well. But, when the call is set up, some RTP packets are
> exchanged at the beginning and then the RTP flow stops (no RTP is exchanged).
> 
> Wireshark demonstrates no problem with SIP signaling.
> 
> I am using OpenVPN 2.1.1.
> 
> Has anyone had such a problem?

I had a vaguely-similar problem, getting a Nokia N810's Telepathy-
based SIP client to talk to Asterisk over an OpenVPN connection.

The problem in that case turned out to be the fact that the
Nokia was sending all of the packets to the Asterisk server,
using its primary-network (WiFi) IP address, rather than the
address to which its end of the OpenVPN tunnel was bound.
The SIP packets from the Asterisk server had no way to get back
to the client.

The fix for this was to stick a couple of scripts into the
Nokia, to be executed when OpenVPN started or stopped the
VPN tunnel.  The "up" script changes the SIP configuration,
setting its "local IP address" parameter to that of the Nokia
end of the tunnel, while the "down" script clears this override.

Works fine.

That doesn't sound like exactly the problem you're having,
though, since you're getting SIP through the tunnel OK.  The
problem sounds more as if the RTP packets from one client are
either not being sent through the tunnel at all, or are being
dropped prior to getting to the other.

There may be a couple of ways to fix this:

(1) As another poster suggested, specify "canreinvite=no"
    (or, in 1.6, "directmedia=no") for each of your SIP
    clients.  This will prevent them from trying to send the
    RTP "directly" to one another, instead sending it to
    Asterisk for forwarding.

    This is probably the most reliable approach.  It's also
    probably the only one which will allow reliable connections
    between these clients, and SIP endpoints which aren't part of
    your own local IP-address space.

(2) If you really do want to try to allow directmedia connections
    between the clients, you'll need to make certain of two things:

    [A] Your OpenVPN setup, for each client, must install a route on
        each client which directs the client to send all packets for
        any address on the entire VPN back to the VPN server.

        Without such a route being installed, it's likely that the
        OpenVPN-installed routing would only channel packets for the
        OpenVPN server itself into the tunnel.  Packets for other
        IP addresses in the OpenVPN range would end up being sent out
        through the client's normal IP route, and probably lost forever
        in the grand stew of the Intertube.

    [B] Make sure that your OpenVPN setup allows direct client-to-
        client communications.  There's a parameter which can disable
        this, and permits only client-to-server packets to survive...
        make sure you haven't set this.

(3) You may need to make sure that your iptables (or similar)
    configuration isn't accidentally NAT'ing packets which are trying
    to come in through the OpenVPN tunnel and then go back out through
    another OpenVPN tunnel.
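
The routing condition in (2)[A], as an added example that is not part of the original post: a longest-prefix-match check over a client's routing table, showing which VPN peers a client would reach outside the tunnel. The 10.8.0.0/24 addressing, the interface names tun0 and wlan0, and both function names are assumptions made for illustration.

```python
import ipaddress

def egress_interface(routes, dst):
    """Longest-prefix match: return the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def peers_outside_tunnel(routes, peers, tunnel_if="tun0"):
    """Return the peers whose packets (RTP included) would bypass the tunnel."""
    return [p for p in peers if egress_interface(routes, p) != tunnel_if]

# Constructed sample data. Assumed addressing: VPN range 10.8.0.0/24,
# Asterisk/OpenVPN server at 10.8.0.1, the other SIP client at 10.8.0.10.
VPN_PEERS = ["10.8.0.1", "10.8.0.10"]

# Client routing table where only the server itself is routed into the tunnel.
HOST_ROUTE_ONLY = [
    ("0.0.0.0/0", "wlan0"),        # default route via the primary network
    ("192.168.1.0/24", "wlan0"),   # local WiFi subnet
    ("10.8.0.1/32", "tun0"),       # host route to the VPN server only
]

# Same client once a route covering the whole VPN range is installed.
SUBNET_ROUTE = HOST_ROUTE_ONLY + [("10.8.0.0/24", "tun0")]

if __name__ == "__main__":
    for name, table in (("host route only", HOST_ROUTE_ONLY),
                        ("subnet route", SUBNET_ROUTE)):
        print(f"{name}: outside tunnel -> {peers_outside_tunnel(table, VPN_PEERS)}")
```

With only the host route, SIP to the server stays in the tunnel while direct media to the other client leaves on the primary interface, unencrypted and unroutable.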





