Ernie Dunbar
2017-Apr-18 22:25 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
Hi everyone. I'm having some trouble with an OpenVPN tunnel that isn't working *quite* as well as we'd hoped.

First, here are our technical details:

The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a NAT router. The router has UDP port 1194 forwarded to our server. This server also runs our office Asterisk PBX, so there isn't any networking hardware or firewall between the VPN tunnel and the Asterisk PBX.

The OpenVPN client is an Asus RT-N66U router, which if I'm not mistaken, runs a somewhat modified version of Tomato.

I've got the VPN tunnel working well enough. I can do practically anything from a computer hooked up to the client router as if I were in the main office where the server is. But any SIP client I use - whether it's a hardware SIP phone or a soft phone like Zoiper - can connect to the Asterisk server without issue. Making calls can work, accepting calls works, but I only get 1 way voice traffic. I can hear voice data coming in FROM the Asterisk PBX, but I cannot send any.

In my experience with SIP, this usually means a firewall is breaking the connection from the client phone to the Asterisk server. I just can't for the life of me find what could be wrong. None of the other traffic is being blocked. The ipfw firewall on the Asterisk PBX is extremely open (see below). The firewall on the client router is turned off, and as far as I can tell, most NAT routers don't even block outbound traffic in the first place.

I can't see how traffic from the TUN interface on the OpenVPN server even can be blocked going to another IP address on the same box, but here are the IPFW rules:

root@ldinfo:/etc/asterisk# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       192.168.0.3
ACCEPT     all  --  192.168.1.0/24       192.168.0.3
ACCEPT     all  --  10.8.0.0/24          192.168.0.3
ACCEPT     all  --  X.X.X.X              192.168.0.3
ACCEPT     all  --  192.168.0.3          X.X.X.X
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
REJECT     all  --  112.220.127.26       0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (0 references)
target     prot opt source               destination

192.168.0.0/24 is the network the Asterisk PBX and OpenVPN server are on.
192.168.1.0/24 is the network that the remote router is on.
10.8.0.0/24 is the network that the TUN device creates.
X.X.X.X is our datacenter.
192.168.0.3 is the IP address of our PBX.

Any assistance would be greatly appreciated.
Duncan Turnbull
2017-Apr-18 22:38 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
------ Original Message ------
From: "Ernie Dunbar" <maillist at lightspeed.ca>
To: "'Asterisk Users Mailing List - Non-Commercial Discussion'" <asterisk-users at lists.digium.com>
Sent: 19-Apr-17 10:25:59 AM
Subject: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

> Hi everyone. I'm having some trouble with an OpenVPN tunnel that isn't
> working *quite* as well as we'd hoped.
>
> First, here are our technical details:
>
> The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a NAT
> router. The router has UDP port 1194 forwarded to our server. This
> server also runs our office Asterisk PBX, so there isn't any networking
> hardware or firewall between the VPN tunnel and the Asterisk PBX.

Asterisk may be replying from the TUN address, which may confuse your SIP client - if you set the TUN address as a proxy that seems to solve it. If Asterisk is bound to every address then implicitly it shouldn't matter where it replies from, but in the OpenVPN case it seems to reply from a different address to the one it was called on, and that can definitely fool clients. tcpdump on the tunnel can help you see what's happening.

> The OpenVPN client is an Asus RT-N66U router, which if I'm not mistaken,
> runs a somewhat modified version of Tomato.
>
> I've got the VPN tunnel working well enough. I can do practically anything
> from a computer hooked up to the client router as if I were in the main
> office where the server is. But any SIP client I use - whether it's a
> hardware SIP phone or a soft phone like Zoiper - can connect to the
> Asterisk server without issue. Making calls can work, accepting calls
> works, but I only get 1 way voice traffic. I can hear voice data coming
> in FROM the Asterisk PBX, but I cannot send any.
>
> In my experience with SIP, this usually means a firewall is breaking the
> connection from the client phone to the Asterisk server. I just can't for
> the life of me find what could be wrong. None of the other traffic is
> being blocked. The ipfw firewall on the Asterisk PBX is extremely open
> (see below). The firewall on the client router is turned off, and as far
> as I can tell, most NAT routers don't even block outbound traffic in the
> first place.
>
> I can't see how traffic from the TUN interface on the OpenVPN server even
> can be blocked going to another IP address on the same box, but here are
> the IPFW rules:
>
> root at ldinfo:/etc/asterisk# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.0/24       192.168.0.3
> ACCEPT     all  --  192.168.1.0/24       192.168.0.3
> ACCEPT     all  --  10.8.0.0/24          192.168.0.3
> ACCEPT     all  --  X.X.X.X              192.168.0.3
> ACCEPT     all  --  192.168.0.3          X.X.X.X
> ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
> REJECT     all  --  112.220.127.26       0.0.0.0/0            reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain POSTROUTING (0 references)
> target     prot opt source               destination
>
> 192.168.0.0/24 is the network the Asterisk PBX and OpenVPN server are on.
> 192.168.1.0/24 is the network that the remote router is on.
> 10.8.0.0/24 is the network that the TUN device creates.
> X.X.X.X is our datacenter.
> 192.168.0.3 is the IP address of our PBX.
>
> Any assistance would be greatly appreciated.
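A way to turn the "look at the tunnel with tcpdump" advice into a repeatable check, as an added example that is not code from this thread or from Asterisk: the script below parses a SIP reply the phone received (the text you would lift from a capture on the TUN interface), pulls the Contact host plus the SDP c= connection address and m=audio port, and flags the two things that produce one-way audio: a media address the phone cannot reach over the tunnel, and a Contact that differs from the address the phone dialled. The networks treated as reachable are the three from the original post; that they are all routable from the remote phone is an assumption made for this example, as are the constructed sample replies (203.0.113.10 is a documentation address used as a stand-in for any address outside the tunnel).

```python
"""Check a SIP reply for media/contact addresses the remote phone cannot use.

Added example for the asterisk-users thread on one-way voice over OpenVPN.
The sample replies and the REACHABLE list below are constructed for this
example; they are not captures from the thread.
"""
import ipaddress
import re

# Networks named in the original post. Assumption for this example: a phone on
# the remote LAN can reach all three through the OpenVPN tunnel.
REACHABLE = [ipaddress.ip_network(n)
             for n in ("192.168.0.0/24", "192.168.1.0/24", "10.8.0.0/24")]


def parse_sip(raw):
    """Split a SIP message into (start line, {header: [values]}, body).

    Header names are lower-cased; repeated headers such as Via keep their order.
    """
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def sdp_media(body):
    """Return (connection address, audio port) from the SDP c= and m=audio lines."""
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    media = re.search(r"^m=audio (\d+)", body, re.M)
    return (conn.group(1) if conn else None,
            int(media.group(1)) if media else None)


def contact_host(headers):
    """Host part of the first Contact URI, or None if there is no Contact."""
    contact = headers.get("contact", [""])[0]
    m = re.search(r"sip:(?:[^@>;]+@)?([^:;>]+)", contact)
    return m.group(1) if m else None


def reachable(addr):
    """True when addr is an IP inside one of the REACHABLE networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in REACHABLE)


def check_reply(raw, dialled):
    """Findings for a SIP reply the phone received after sending to `dialled`.

    An empty list means the advertised addresses are consistent with the path
    the signalling took; each finding describes one likely cause of one-way audio.
    """
    _, headers, body = parse_sip(raw)
    findings = []
    c_ip, port = sdp_media(body)
    if c_ip is None or port is None:
        findings.append("reply carries no usable SDP audio description")
    elif not reachable(c_ip):
        findings.append(f"RTP would go to {c_ip}:{port}, which the phone cannot "
                        f"reach over the tunnel: expect audio in one direction only")
    contact = contact_host(headers)
    if contact and contact != dialled:
        findings.append(f"Contact advertises {contact} but the phone dialled {dialled}; "
                        f"in-dialog requests will be sent to a different address")
    return findings


# Constructed sample: a 200 OK whose media and Contact addresses match the PBX.
OK_REPLY = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-1\r\n"
    "Contact: <sip:7001@192.168.0.3:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=root 1 1 IN IP4 192.168.0.3\r\n"
    "s=Asterisk\r\n"
    "c=IN IP4 192.168.0.3\r\n"
    "t=0 0\r\n"
    "m=audio 18000 RTP/AVP 0 8\r\n"
)

# Same reply, but the PBX advertises an address outside the tunnel's reach.
BAD_REPLY = OK_REPLY.replace("192.168.0.3", "203.0.113.10")

if __name__ == "__main__":
    for label, msg in (("matching", OK_REPLY), ("mismatched", BAD_REPLY)):
        print(label, check_reply(msg, "192.168.0.3") or ["addresses consistent"])
```

Feed it the text of a real reply from a capture on the TUN interface: if the c= address is one the phone has no route to, the phone's RTP never arrives and you hear exactly the symptom in the original post, audio from the PBX but none towards it.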
Ernie Dunbar
2017-Apr-18 23:43 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
On 2017-04-18 03:38 PM, Duncan Turnbull wrote:
> ------ Original Message ------
> From: "Ernie Dunbar" <maillist@lightspeed.ca>
> To: "'Asterisk Users Mailing List - Non-Commercial Discussion'" <asterisk-users@lists.digium.com>
> Sent: 19-Apr-17 10:25:59 AM
> Subject: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.
>
>> Hi everyone. I'm having some trouble with an OpenVPN tunnel that isn't working *quite* as well as we'd hoped.
>>
>> First, here are our technical details:
>>
>> The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a NAT router. The router has UDP port 1194 forwarded to our server. This server also runs our office Asterisk PBX, so there isn't any networking hardware or firewall between the VPN tunnel and the Asterisk PBX.
>
> Asterisk may be replying from the TUN address, which may confuse your SIP client - if you set the TUN address as a proxy that seems to solve it. If Asterisk is bound to every address then implicitly it shouldn't matter where it replies from, but in the OpenVPN case it seems to reply from a different address to the one it was called on, and that can definitely fool clients. tcpdump on the tunnel can help you see what's happening.

I think I'll need a bit more detail about how to set the TUN address as a proxy. Is this done on the OpenVPN server, or at the client end? I'm also going to tell Asterisk to bind to all IPs and then restart it when there are no calls in progress; perhaps that's all I need to do?