QUESTION Problem with external phone on VPN

AndyInNYC

Active Member
Joined
May 23, 2013
Messages
772
Reaction score
124
I'm having a problem with one phone and it has me puzzled. I solved it in a way I don't like, so I'm hoping for some insight.

I have a RentPBX machine with OpenVPN installed. I'm connecting to it from Yealink T46G phones. I have a main office and several home workers; with more home workers coming I see problems in my future.

The one remote user is getting connected and staying connected to the server and the pbx shows his extension connecting via a VPN IP (10.11.12.X). When he RECEIVES calls, all is well. When he makes them he gets cut off very quickly.

Looking at output with SIP/RTP debug on, I'm seeing several curious things. MY_NONVPN_IP is my (poster's) IP - I don't connect via the VPN. REMOTEIP is the public IP address of the remote user. This is for a call TO the remote user:

Code:
pbx*CLI>  [2014-09-15 16:04:07] DEBUG[3557][C-00000053]: res_rtp_asterisk.c:3513 ast_rtcp_read: RTCP NAT: Got RTCP from other end. Now sending to address REMOTEIP:11781
pbx*CLI>        > 0xb7411270 -- Probation passed - setting RTP source address to MY_NONVPN_IP:11800
[2014-09-15 16:04:07] DEBUG[3557][C-00000053]: res_rtp_asterisk.c:3967 ast_rtp_read: RTP NAT: Got audio from other end. Now sending to address MY_NONVPN_IP:11800
Got  RTP packet from    MY_NONVPN_IP:11800 (type 00, seq 000000, ts 3221661647, len 000160)
pbx*CLI>  Sent RTP packet to      10.11.12.38:11780 (type 00, seq 059320, ts 3221661640, len 000160)
pbx*CLI>        > 0xb5775080 -- Probation passed - setting RTP source address to REMOTEIP:11780
[2014-09-15 16:04:08] DEBUG[3557][C-00000053]: res_rtp_asterisk.c:3967 ast_rtp_read: RTP NAT: Got audio from other end. Now sending to address REMOTEIP:11780
Got  RTP packet from    REMOTEIP:11780 (type 00, seq 000000, ts 1638191900, len 000160)
pbx*CLI>  Sent RTP packet to      MY_NONVPN_IP:11800 (type 00, seq 003404, ts 1638191896, len 000160)
      > 0xb7411270 -- Probation passed - setting RTP source address to MY_NONVPN_IP:11800
Got  RTP packet from    MY_NONVPN_IP:11800 (type 00, seq 000001, ts 3221661807, len 000160)
Sent RTP packet to      REMOTEIP:11780 (type 00, seq 059321, ts 3221661800, len 000160)
pbx*CLI>        > 0xb5775080 -- Probation passed - setting RTP source address to REMOTEIP:11780
pbx*CLI>  Got  RTP packet from    REMOTEIP:11780 (type 00, seq 000001, ts 1638192060, len 000160)
Sent RTP packet to      MY_NONVPN_IP:11800 (type 00, seq 003405, ts 1638192056, len 000160)
pbx*CLI>  Got  RTP packet from    MY_NONVPN_IP:11800 (type 00, seq 000002, ts 3221661967, len 000160)
Sent RTP packet to      REMOTEIP:11780 (type 00, seq 059322, ts 3221661960, len 000160)
pbx*CLI>  Got  RTP packet from    MY_NONVPN_IP:11800 (type 00, seq 000003, ts 3221662127, len 000160)
Sent RTP packet to      REMOTEIP:11780 (type 00, seq 059323, ts 3221662120, len 000160)
pbx*CLI>  Got  RTP packet from    REMOTEIP:11780 (type 00, seq 000002, ts 1638192220, len 000160)
Sent RTP packet to      MY_NONVPN_IP:11800 (type 00, seq 003406, ts 1638192216, len 000160)
pbx*CLI>  Got  RTP packet from    REMOTEIP:11780 (type 00, seq 000003, ts 1638192380, len 000160)
Sent RTP packet to      MY_NONVPN_IP:11800 (type 00, seq 003407, ts 1638192376, len 000160)
pbx*CLI>  Got  RTP packet from    MY_NONVPN_IP:11800 (type 00, seq 000004, ts 3221662287, len 000160)

I thought the whole idea of VPN was that all traffic is through 10.11.12.X and the actual IP of the user is NEVER used/seen - just the tunnel?

So why is this substitution being made?

2. Here's more of the info using the VPN connection (this comes earlier, prior to the call):

Code:
<--- Transmitting (NAT) to 10.11.12.38:5062 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.11.12.38:5062;branch=z9hG4bK678706115;received=10.11.12.38;rport=5062
From: "USERNAME" <sip:[email protected]>;tag=1936430616
To: "USERNAME" <sip:[email protected]>;tag=as57b9e839
Call-ID: [email protected]
CSeq: 2 REGISTER
Server: FPBX-2.11.0(11.12.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Expires: 3600
Contact: <sip:[email protected]:5062>;expires=3600
Date: Mon, 15 Sep 2014 23:03:01 GMT
Content-Length: 0

So, we're using the VPN.

In a call from Remote User to my cell, I get the following (abbreviated):

Code:
<--- Transmitting (NAT) to 10.11.12.38:5062 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.11.12.38:5062;branch=z9hG4bK678706115;received=10.11.12.38;rport=5062
From: "USERNAME" <sip:[email protected]>;tag=1936430616
To: "USERNAME" <sip:[email protected]>;tag=as57b9e839
Call-ID: [email protected]
CSeq: 2 REGISTER
Server: FPBX-2.11.0(11.12.0)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Expires: 3600
Contact: <sip:[email protected]:5062>;expires=3600
Date: Mon, 15 Sep 2014 23:03:01 GMT
Content-Length: 0
 
 
pbx*CLI>  Sent RTP packet to      MYCELLIP:25070 (type 00, seq 022064, ts 53074296, len 000160)
pbx*CLI>  [2014-09-15 16:06:40] WARNING[1576]: chan_sip.c:4024 retrans_pkt: Retransmission timeout reached on transmission [email protected] for seqno 2 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 10175ms with no response
[2014-09-15 16:06:40] WARNING[1576]: chan_sip.c:4053 retrans_pkt: Hanging up call [email protected] - no reply to our critical packet (see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions).

iptables ACCEPTS all traffic on 10.11.12.

To 'fix' the problem, I used /root/add-ip REMOTEUSER IP_Addy, but that's hardly a fix. If I wanted to do that, I wouldn't use the VPN at all.

My concern is that I can't do this 'solution' for all the other users we will be adding to the system.

Happy to post additional info, but I'm confused about where to start.

Thanks for the help.

Andrew
 

AndyInNYC
A thought that occurred to me: all the phones are 'remote', but the VPN should essentially be 'local'. Should I still have NAT = yes in the config for the phone's extension setup?

The main office is set as a trusted user (ACCEPT on almost all ports) so that we can always have access and configure stuff from there. That may be part of why that office doesn't (and won't) have problems.

Before I start bothering this user with "try this, call me again, sorry, let's try this", I'd like to get a better understanding of the 'why' to minimize the disruption.

So, should I have NAT = NO in freepbx?

Andrew
 
Joined
Nov 14, 2008
Messages
1,398
Reaction score
320
As I recall there is an OpenVPN or client configuration parameter that forces ALL traffic to and from the client (Yealink) to go over the VPN. If not then you'll have firewall issues.
 

AndyInNYC
Brian,

Thanks for the response.

The PBX should only know 10.11.12.x as the connection for the phone - am I 'forcing' it to look for the actual connection by using NAT = YES?

My Server Config reads:

Code:
local RENTPBXIP_Addy
port 1194
proto udp
dev tun
# added based on pbxinaflash.com
daemon
persist-tun
persist-key
cipher BF-CBC
tls-server
#end added
mode server
server 10.11.12.0 255.255.255.0
push "route 10.2.1.0 255.255.255.0"
push "dhcp-option DNS 10.2.1.1"
 
# I have no idea what the two lines above do - Yealink's config had these lines.
 
keepalive 20 60
client-to-client
duplicate-cn
comp-lzo
verb 3
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh1024.pem
log-append /etc/openvpn/openvpn.log

The client code reads:

Code:
client
persist-tun
persist-key
cipher BF-CBC
auth SHA1
tls-client
ns-cert-type server
remote RENTPBX_Addy
nobind
port 1194
proto udp
dev tun
comp-lzo
verb 3
ca /config/openvpn/keys/ca.crt
cert /config/openvpn/keys/client.crt
key /config/openvpn/keys/client.key

I can find nothing on the Yealink which forces traffic over the VPN as a setting in the GUI.

Help?

Andrew
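The following is an added example, not code from the thread or from any of the posters. It ties together the two things shown above: it reads the tunnel subnet from the `server` directive of the OpenVPN server config, checks whether that config pushes `redirect-gateway` (the OpenVPN directive that routes all client traffic through the tunnel), and then scans Asterisk "RTP NAT" / "Probation passed" debug lines for any RTP peer address that lies outside the tunnel subnet, which is exactly the REMOTEIP substitution seen in the first post. The config and log lines below are constructed from the thread, with REMOTEIP replaced by the documentation address 203.0.113.7.

```python
"""Cross-check Asterisk RTP debug output against the OpenVPN tunnel subnet.

Added example, not from the original thread. Sample config and log lines
are constructed from what the posts show; 203.0.113.7 stands in for the
remote user's real public address (REMOTEIP in the thread).
"""
import ipaddress
import re

# Constructed: trimmed copy of the server config posted above (no redirect-gateway pushed).
SERVER_CONF = """\
port 1194
proto udp
dev tun
server 10.11.12.0 255.255.255.0
push "route 10.2.1.0 255.255.255.0"
"""

# Constructed from the thread's SIP/RTP debug output.
RTP_LOG = """\
ast_rtcp_read: RTCP NAT: Got RTCP from other end. Now sending to address 203.0.113.7:11781
> 0xb5775080 -- Probation passed - setting RTP source address to 203.0.113.7:11780
Sent RTP packet to      10.11.12.38:11780 (type 00, seq 059320, ts 3221661640, len 000160)
ast_rtp_read: RTP NAT: Got audio from other end. Now sending to address 10.11.12.38:11780
"""

# Matches the two places Asterisk reports a learned (symmetric RTP) peer address.
ADDR_RE = re.compile(r"(?:source address to|sending to address) (\d+\.\d+\.\d+\.\d+):(\d+)")


def tunnel_subnet(conf: str) -> ipaddress.IPv4Network:
    """Return the subnet declared by the OpenVPN `server <network> <netmask>` directive."""
    for line in conf.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == "server":
            return ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}")
    raise ValueError("no 'server' directive found")


def pushes_all_traffic(conf: str) -> bool:
    """True if the server pushes redirect-gateway, so clients send everything via tun."""
    return any(l.startswith("push") and "redirect-gateway" in l for l in conf.splitlines())


def off_tunnel_peers(log: str, net: ipaddress.IPv4Network) -> list[tuple[str, int]]:
    """Peer addresses Asterisk learned for RTP/RTCP that are not inside the tunnel subnet."""
    found = []
    for m in ADDR_RE.finditer(log):
        ip, port = m.group(1), int(m.group(2))
        if ipaddress.IPv4Address(ip) not in net:
            found.append((ip, port))
    return found


if __name__ == "__main__":
    net = tunnel_subnet(SERVER_CONF)
    print("tunnel subnet:", net, "| redirect-gateway pushed:", pushes_all_traffic(SERVER_CONF))
    for ip, port in off_tunnel_peers(RTP_LOG, net):
        print(f"RTP peer {ip}:{port} is outside {net}: media is bypassing the VPN")
```

Run against a real `openvpn.log`-era server.conf and an `rtp set debug on` capture, a non-empty result from `off_tunnel_peers` means the phone's media is reaching the PBX from its public address rather than through tun0, which is what the per-IP `add-ip` workaround is papering over.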
 

AndyInNYC
ifconfig for the RentPBX machine returns:

Code:
eth0      Link encap:Ethernet  HWaddr AA:00:0E:6A:71:01
          inet addr:RENTPBXIP  Bcast:SOMETHINGALMOSTRENTPBXIP  Mask:255.255.255.192
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1955988 errors:0 dropped:0 overruns:0 frame:0
          TX packets:758695 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:242786373 (231.5 MiB)  TX bytes:182599716 (174.1 MiB)
          Interrupt:17
 
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:188829 errors:0 dropped:0 overruns:0 frame:0
          TX packets:188829 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:14716030 (14.0 MiB)  TX bytes:14716030 (14.0 MiB)
 
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.11.12.1  P-t-P:10.11.12.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:121414 errors:0 dropped:0 overruns:0 frame:0
          TX packets:46432 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:18705729 (17.8 MiB)  TX bytes:26490305 (25.2 MiB)

should my 'push' commands be 127.0.0.1?????

Appreciate the help - my reading on the push commands was marginally unhelpful.

Andrew
 
