NO JOY OpenVPN Client Registered but Unreachable

dandy_don

Member
Joined
Sep 27, 2010
Messages
173
Reaction score
11
Hello and thanks for reading my (long winded) post. I've searched the related postings but didn't quite find what I was looking for so here goes...

I have had an Incredible PBX running extremely well on a pogoplug for over a year now. Recently I added an OpenVPN server running on a Raspberry PI 2. They are both co-located behind the same hardware firewall on a 10.10.220.x internal LAN. The PBX is at 10.10.220.184, and the OpenVPN server is at 10.10.220.10 on port 1194. I have the hardware firewall set to forward UDP port 1194 to the OpenVPN server. All other ports on the firewall are closed.

The OpenVPN server and client(s) were configured using these instructions:
http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing

I have a softphone installed on my laptop. When the laptop is sitting behind the firewall, I can register the softphone with the PBX (pogoplug) and make and receive calls just fine.

While the laptop is outside the firewall and using the OpenVPN client, I can fully access all of the PCs on the internal lan, ssh into them, access files, administer the PBX, etc.

However, while the laptop is outside the firewall (on the OpenVPN) the softphone ceases to work properly. I am able to make calls into the PBX to extensions located behind the firewall but there is inbound audio only (audio from the remote laptop to phones inside the firewall). There is no outbound audio (to the remote laptop/softphone from the PBX) and the PBX status shows that the softphone is registered but "unreachable."

Also, while the laptop is outside the firewall I cannot ssh into the external laptop from any of the PCs behind the firewall, although the laptop can ssh into any of the PCs behind the firewall on the internal network. I.e., ssh only works inbound but not outbound.

My thinking was that running the OpenVPN server and client would eliminate all of these problems...

I am ready to throw a bounty on this ($100) -- I have a daughter studying abroad and I want her to be able to "phone home" periodically and I also need to ssh into her PC to maintain it, etc. Any help is MUCH appreciated.

Thanks,
Don
 

atsak

Guru
Joined
Sep 7, 2009
Messages
2,385
Reaction score
439
Do you have the OpenVPN subnet in the local subnet list on the PBX in SIP settings? There's also some kind of rule you have to set in the OpenVPN config to allow it to pass traffic to the local subnet, not just the local machine.
 

dandy_don

Member
Joined
Sep 27, 2010
Messages
173
Reaction score
11
Hi Atsak,

Thanks for responding. Actually I was doing something (very stupid) but I'll share my mistake. I had tried this several times and it never worked so I undid what I had been doing... I read that NAT might be the issue since the remote softphone was clearly behind several different firewalls, etc.

Specifically -- This is what I was doing:
1. I would first register the remote softphone. The problems were as I reported (one-way audio and unable to call out to the remote softphone).
2. WHILE (and that's the important bit) the softphone was still registered, I changed the configuration in PIAF from NAT=No-RFC3581 to NAT=Yes, and applied the changes (with the phone still registered) but to no effect.
3. Seeing no change in operation, I changed back to "NAT=No-RFC3581", while the phone was still registered.
4. I did not realize that the phone needed to be unregistered in order for these configuration changes to actually be implemented. I.e., the registered phone "registration" did not change while the phone was still registered.

5. I tried again, but this time BEFORE registering the phone I changed to NAT=Yes, applied the changes, then registered the phone and Wohoo! -- It works incredibly well!

Sorry for my stupidity, but I'm thinking perhaps I can prevent someone else from making the same error(s).

The SSH still isn't working, but that is clearly another issue that I need to resolve.
Thanks again for offering a suggestion.
Don
 

atsak

Guru
Joined
Sep 7, 2009
Messages
2,385
Reaction score
439
I routinely set nat=yes by default so that didn't occur to me. Good catch.
 

dandy_don

Member
Joined
Sep 27, 2010
Messages
173
Reaction score
11
Well -- I spoke too soon. The remote VPN client is connected and the remote extension is registered but is again "unreachable", even with NAT=yes. It worked GREAT yesterday.

Would a STUN server help resolve this?
Anyone else using remote extensions via an openvpn tunnel?

Any help is appreciated and the $100 bounty offer still stands.
Thanks,
Don
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi


> Anyone else using remote extensions via an openvpn tunnel?

Yes, I am, with a great deal of success. I'm using TUN rather than TAP, using instructions detailed here - http://www.bbc.co.uk/news/technology-33548728 - although I changed to TCP on port 443, so I could tunnel through from just about any public broadband; 1194 UDP is not always open outbound.

The only issue I had to solve was adding a route to my PBX server so that my PBX knew where to find my OpenVPN assigned IP range. e.g.


Code:
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.101.135 dev eth1

10.8.0.0 is my OpenVPN range and 192.168.101.135 is the internal IP of my VPN server; PBX and other network devices are on 192.168.101.0.

Judging by your earlier posts, it sounds as if you have not encountered the same issues as me, but I do hope that this post gives you confidence that it can work. I use an IAX client on my Android with OpenVPN installed (over 3G and Wifi), IAX on iPad, SIP on OSX using Tunnelblick, all via a tunnel with no issues.

Joe
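
Added example, not part of the thread: a small longest-prefix-match lookup showing where a PBX would send packets for a VPN tunnel address before and after the static route in the post above. The gateway 192.168.101.1, the PBX address 192.168.101.50 and the client address 10.8.0.6 are constructed; the other addresses come from the post.

```shell
#!/bin/sh
# Added example: which next hop would this host use for a given destination?
# Does a longest-prefix match over `ip -4 route show`-style text.

# next_hop TABLE DEST -> prints "via <gateway>", "direct <dev>" or "unreachable"
next_hop() {
    printf '%s\n' "$1" | awk -v dst="$2" '
    function ip2int(ip,   o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # True when addr falls inside net/len (compare the network parts).
    function in_net(addr, net, len,   size) {
        size = 2 ^ (32 - len)
        return int(ip2int(addr) / size) == int(ip2int(net) / size)
    }
    BEGIN { best = -1; hop = "unreachable" }
    NF {
        if ($1 == "default") { net = "0.0.0.0"; len = 0 }
        else { n = split($1, p, "/"); net = p[1]; len = (n == 2) ? p[2] + 0 : 32 }
        if (!in_net(dst, net, len) || len <= best) next
        best = len; gw = ""; dev = ""
        for (i = 2; i < NF; i++) {
            if ($i == "via") gw = $(i + 1)
            if ($i == "dev") dev = $(i + 1)
        }
        hop = (gw != "") ? "via " gw : "direct " dev
    }
    END { print hop }'
}

# Constructed PBX routing table before the static route is added.
# 192.168.101.1 (default gateway) and .50 (PBX address) are assumed values.
PBX_BEFORE='default via 192.168.101.1 dev eth1
192.168.101.0/24 dev eth1 proto kernel scope link src 192.168.101.50'

# Same table after the route from the post above has been added.
PBX_AFTER="$PBX_BEFORE
10.8.0.0/24 via 192.168.101.135 dev eth1"

# 10.8.0.6 stands in for a VPN client's tunnel address (constructed).
echo "before: $(next_hop "$PBX_BEFORE" 10.8.0.6)"
echo "after:  $(next_hop "$PBX_AFTER" 10.8.0.6)"
```

On a live PBX, `ip route get 10.8.0.6` answers the same question directly, or the real table can be passed in as `next_hop "$(ip -4 route show)" 10.8.0.6`.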
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
679
Reaction score
137
I run openvpn server on my customers' routers (Ubiquiti EdgeRouter Lite) and the Yealink vpn client on the remote phones (Yealink).
 
