[asterisk-users] SIP connections over OpenVPN connection get one-way voice.

Sebastian Nielsen sebastian at sebbe.eu
Tue Apr 18 17:39:29 CDT 2017


You need to ensure that traffic to the SIP box is sent to the correct IP. Also, if you use split-tunnel (e.g. not redirect-gateway def1), you must make sure NAT and traffic redirection work as is, so the Asus router knows it should send the traffic through the tunnel and not via WAN.
IMPORTANT: Then you must, in the ASUS RT-N66U, make a port forward inwards from TUN to the phone client.
I would suggest wiresharking on the client side to see which IP Asterisk suggests the client should connect back to. This should be the internal IP of the Asterisk server as seen from the OpenVPN server's point of view.
Another important thing: The local network at the OpenVPN machine's location may NOT have the same subnet as the network behind the Asus. All these must be separate, like:
Server network: 192.168.1.0/24
OpenVPN tunnel network: 192.168.2.0/24
Asus network: 192.168.3.0/24
Else you get bizarre routing problems when states appear in the state table.
-------- Original message --------
From: Ernie Dunbar <maillist at lightspeed.ca>
Date: 2017-04-19 00:25 (GMT+01:00)
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' <asterisk-users at lists.digium.com>
Subject: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

    Hi everyone. I'm having some trouble with an OpenVPN tunnel that
    isn't working *quite* as well as we'd hoped.

    

    First, here's our technical details:

    

    The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a NAT
    router. The router has UDP port 1194 forwarded to our server. This
    server also runs our office Asterisk PBX, so there isn't any
    networking hardware or firewall between the VPN tunnel and the
    Asterisk PBX.

    

    The OpenVPN client is an Asus RT-N66U router, which if I'm not
    mistaken, runs a somewhat modified version of Tomato. 

    

    I've got the VPN tunnel working well enough. I can do practically
    anything from a computer hooked up to the client router as if I were
    in the main office where the server is. But any SIP client I use -
    whether it's a hardware SIP phone or a soft phone like Zoiper, can
    connect to the Asterisk server without issue. Making calls can work,
    accepting calls works, but I only get 1 way voice traffic. I can
    hear voice data coming in FROM the Asterisk PBX, but I cannot send
    any. 

    

    In my experience with SIP, this usually means a firewall is breaking
    the connection from the client phone to the Asterisk server. I just
    can't for the life of me find what could be wrong. None of the other
    traffic is being blocked. The ipfw firewall on the Asterisk PBX is
    extremely open (see below). The firewall on the client router is
    turned off, and as far as I can tell, most NAT routers don't even
    block outbound traffic in the first place.

    

    I can't see how traffic from the TUN interface on the OpenVPN server
    even can be blocked going to another IP address on the same box, but
    here are the IPFW rules:

    

    root@ldinfo:/etc/asterisk# iptables -L -n
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    ACCEPT all -- 192.168.0.0/24 192.168.0.3
    ACCEPT all -- 192.168.1.0/24 192.168.0.3
    ACCEPT all -- 10.8.0.0/24 192.168.0.3
    ACCEPT all -- X.X.X.X 192.168.0.3
    ACCEPT all -- 192.168.0.3 X.X.X.X
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
    REJECT all -- 112.220.127.26 0.0.0.0/0 reject-with icmp-port-unreachable

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain POSTROUTING (0 references)
    target prot opt source destination

    

    192.168.0.0/24 is the network the Asterisk PBX and OpenVPN server are on.
    192.168.1.0/24 is the network that the remote router is on.
    10.8.0.0/24 is the network that the TUN device creates.
    X.X.X.X is our datacenter.
    192.168.0.3 is the IP address of our PBX.

    

    Any assistance would be greatly appreciated.
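
An added example, not part of either message in this thread: the phone sends its RTP to the address in the c= line of the PBX's SDP, so this sketch pulls that address out of a captured SIP message and checks it against the three networks named above, and also checks that those networks do not overlap. The SIP messages are constructed samples, and the set of networks routed through the tunnel is an assumption about the client router's configuration.

```python
import ipaddress

# Networks named in the thread's quoted message.
SITE_NETS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "pbx_lan": "192.168.0.0/24", "remote_lan": "192.168.1.0/24",
    "tunnel": "10.8.0.0/24"}.items()}
# Assumption: the client router routes these through the VPN (split tunnel).
ROUTED_VIA_TUNNEL = {"pbx_lan", "tunnel"}

def overlapping(nets):
    """Pairs of network names whose ranges overlap (they must all be separate)."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def sdp_audio_targets(sip_message):
    """(ip, port) per m=audio line; a media-level c= overrides the session c=."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_ip, targets, section = None, [], "session"
    for line in body.splitlines():
        if line.startswith("m="):
            section = "audio" if line.startswith("m=audio ") else "other"
            if section == "audio":
                targets.append((session_ip, int(line.split()[1])))
        elif line.startswith("c=IN IP4 "):
            ip = ipaddress.ip_address(line.split()[2])
            if section == "session":
                session_ip = ip
            elif section == "audio":
                targets[-1] = (ip, targets[-1][1])
    return targets

def diagnose(sip_message, nets=SITE_NETS, routed=ROUTED_VIA_TUNNEL):
    """For each RTP target the PBX advertises: which network, and is it tunnelled?"""
    report = []
    for ip, port in sdp_audio_targets(sip_message):
        name = next((n for n, net in nets.items()
                     if ip is not None and ip in net), "outside")
        report.append((str(ip), port, name, name in routed))
    return report

def make_200_ok(media_ip):  # constructed sample, not a capture from the thread
    return ("SIP/2.0 200 OK\r\nContent-Type: application/sdp\r\n\r\n"
            f"v=0\r\no=- 1 1 IN IP4 {media_ip}\r\ns=-\r\nc=IN IP4 {media_ip}\r\n"
            "t=0 0\r\nm=audio 14322 RTP/AVP 0 101\r\n")

if __name__ == "__main__":
    print("overlaps:", overlapping(SITE_NETS))
    for addr in ("192.168.0.3", "203.0.113.10"):  # 203.0.113.10: documentation address
        print(diagnose(make_200_ok(addr)))
```

A target reported as "outside" or as not tunnelled means the phone's outbound RTP leaves via WAN instead of the VPN, which matches audio working in one direction only.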

    

    
      
    
  