Sebastian Nielsen
2017-Apr-18 22:39 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
You need to ensure that traffic to the SIP box is sent to the correct IP. Also, if you use split-tunnel (e.g. not redirect-gateway def1) you must make sure NAT and traffic redirection work, so the Asus router knows it should send the traffic through the tunnel and not via WAN.

IMPORTANT: Then you must, in the ASUS RT-N66U, make a port forward inwards from TUN to the phone client.

I would suggest wiresharking on the client side and seeing which IP Asterisk suggests the client should connect back to. This should be the internal IP of the Asterisk server as seen from the OpenVPN server's point of view.

Another important thing: the local network at the OpenVPN machine's location may NOT have the same subnet as the network behind the Asus. All these must be separate, like:

server network: 192.168.1.0/24
OpenVPN tunnel network: 192.168.2.0/24
Asus network: 192.168.3.0/24

Else you get bizarre routing problems when states appear in the state table.

-------- Original message --------
From: Ernie Dunbar <maillist at lightspeed.ca>
Date: 2017-04-19 00:25 (GMT+01:00)
To: 'Asterisk Users Mailing List - Non-Commercial Discussion' <asterisk-users at lists.digium.com>
Subject: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

Hi everyone. I'm having some trouble with an OpenVPN tunnel that isn't working *quite* as well as we'd hoped.

First, here's our technical details:

The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a NAT router. The router has UDP port 1194 forwarded to our server. This server also runs our office Asterisk PBX, so there isn't any networking hardware or firewall between the VPN tunnel and the Asterisk PBX.

The OpenVPN client is an Asus RT-N66U router, which, if I'm not mistaken, runs a somewhat modified version of Tomato.

I've got the VPN tunnel working well enough. I can do practically anything from a computer hooked up to the client router as if I were in the main office where the server is. But any SIP client I use - whether it's a hardware SIP phone or a soft phone like Zoiper - can connect to the Asterisk server without issue. Making calls can work, accepting calls works, but I only get one-way voice traffic. I can hear voice data coming in FROM the Asterisk PBX, but I cannot send any.

In my experience with SIP, this usually means a firewall is breaking the connection from the client phone to the Asterisk server. I just can't for the life of me find what could be wrong. None of the other traffic is being blocked. The ipfw firewall on the Asterisk PBX is extremely open (see below). The firewall on the client router is turned off, and as far as I can tell, most NAT routers don't even block outbound traffic in the first place.

I can't see how traffic from the TUN interface on the OpenVPN server even can be blocked going to another IP address on the same box, but here are the IPFW rules:

root at ldinfo:/etc/asterisk# iptables -L -n
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       192.168.0.3
ACCEPT     all  --  192.168.1.0/24       192.168.0.3
ACCEPT     all  --  10.8.0.0/24          192.168.0.3
ACCEPT     all  --  X.X.X.X              192.168.0.3
ACCEPT     all  --  192.168.0.3          X.X.X.X
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
REJECT     all  --  112.220.127.26       0.0.0.0/0            reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (0 references)
target     prot opt source               destination

192.168.0.0/24 is the network the Asterisk PBX and OpenVPN server are on.
192.168.1.0/24 is the network that the remote router is on.
10.8.0.0/24 is the network that the TUN device creates.
X.X.X.X is our datacenter.
192.168.0.3 is the IP address of our PBX.

Any assistance would be greatly appreciated.
Ernie Dunbar
2017-Apr-18 23:40 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
On 2017-04-18 03:39 PM, Sebastian Nielsen wrote:
> You need to ensure that traffic to the SIP box is sent to the correct IP. Also if you use split-tunnel (eg: not redirect-gateway def1) you must make sure NAT and traffic redirection works as is so the Asus router knows it should send the traffic through tunnel and not via WAN.

I'm not that well versed in OpenVPN, but it's worth noting that we have the `push "redirect-gateway def1 bypass-dhcp"` directive set on the server. I have two independent DHCP servers on either side of the VPN, so that the clients are getting their IP addresses for their appropriate networks - 192.168.0.0/24 on the server side, and 192.168.1.0/24 on the client side.

> IMPORTANT: Then you must, in the ASUS RT-N66U make a port forward inwards from TUN to the phone client.

I'll give that a shot, but it will have to wait until tomorrow. :)

> I would suggest wiresharking on the client side and see which IP Asterisk suggest the client should connect back to. This should be the internal IP of the asterisk server as seen from the openvpn server's point of view.
>
> Another important thing: The local network in the Openvpns machine location, may NOT have same subnet as the network behind the asus.
> All these must be separate, like:
> server network: 192.168.1.0/24
> Openvpn tunnel network: 192.168.2.0/24
> Asus network: 192.168.3.0/24

I'm pretty sure that I've got this subnet separation in place. If I didn't cover it in my original post, the network looks like this:

Server network: 192.168.0.0/24
OpenVPN network: 10.8.0.0/24
Asus network: 192.168.1.0/24

The Asterisk SIP registration appears to be responding properly to this - this is what I see when I do a 'sip show peer' for an Aastra phone that's connecting through the VPN (Asterisk output is truncated):

ToHost       :
Addr->IP     : 10.8.0.6:5060
Defaddr->IP  : (null)
Prim.Transp. : UDP
Allowed.Trsp : UDP
Def. Username: FrontDesk1
SIP Options  : (none)
Codecs       : (ulaw|alaw)
Codec Order  : (ulaw:20,alaw:20)
Auto-Framing : No
Status       : Unmonitored
Useragent    : Aastra 6731i/3.2.2.1136
Reg. Contact : sip:FrontDesk1@10.8.0.6:5060;transport=udp

> Else you get bizarre routing problems when states appear in the state table.
Mark Wiater
2017-Apr-19 19:38 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
On 4/18/2017 7:40 PM, Ernie Dunbar wrote:
> Server network: 192.168.0.0/24
> OpenVPN network: 10.8.0.0/24
> Asus network: 192.168.1.0/24
>
> The Asterisk SIP registration appears to be responding properly to this - this is what I see when I do a 'sip show peer' for an Aastra phone that's connecting through the VPN (Asterisk output is truncated):
>
> ToHost       :
> Addr->IP     : 10.8.0.6:5060

If the Asus network is 192.168.1.0/24, and the phone is registering as 10.0.8.6, it looks like NAT is taking place. Would your asterisk server know how to route traffic to 192.168.1.0/24?

I've always used site-to-site OpenVPN tunnels where the vpn's terminate on the gateway for both the phones and the asterisk server. I've always had rock solid connections between phones and Asterisk.
Victor Villarreal
2017-Apr-20 01:13 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
Hi Ernie,

When one-way audio appears (no matter whether there is a VPN or NAT server in the diagram) I simply:

* Enable SIP debug on the Asterisk server. Execute 'sip set debug ip x.x.x.x' on the Asterisk CLI, where x.x.x.x is the IP of the phone or SIP peer you want to debug.
* Make a test call and replicate the issue.
* Stop debug with 'sip set debug off'.
* Follow the SIP conversation. Verify that the INVITE message has the correct IP in the Contact field and any other related fields.
* In the SDP handshake, verify that the ports where the sound is sent are correct. Normally, one-way audio is faced when one audio stream (for example the called party's audio) is sent to the correct IP and port destination, and the other audio stream (for example the caller's audio) isn't.

Last, if Asterisk is 'behind' another server, you need to tell Asterisk what the external IP is so it can report this IP to your clients.

If you don't want to follow the SIP conversation in plain text, you can make a packet capture on the Asterisk server instead of SIP debug.
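The check Victor describes (comparing the Contact and SDP addresses in the phone's INVITE against what the PBX can actually reach) as an added example, not code from anyone in this thread. The INVITE is constructed; the reachable subnets are the thread's 192.168.0.0/24 and 10.8.0.0/24, and a phone advertising its 192.168.1.x LAN address instead of its 10.8.0.x tunnel address is the case that would give one-way audio.

```python
import ipaddress
import re

# Constructed sample INVITE (not captured from the thread): the phone's Contact
# and SDP c= line advertise 192.168.1.20, its LAN address behind the Asus
# router, rather than its tunnel address 10.8.0.6, so the PBX would send RTP
# to an address it has no route for.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:100@192.168.0.3 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK-constructed",
    "From: <sip:FrontDesk1@192.168.0.3>;tag=1",
    "To: <sip:100@192.168.0.3>",
    "Contact: <sip:FrontDesk1@192.168.1.20:5060;transport=udp>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.20",
    "c=IN IP4 192.168.1.20",
    "m=audio 16384 RTP/AVP 0 8",
])

# Subnets the PBX can reach, taken from the topology in the thread.
REACHABLE = [ipaddress.ip_network("192.168.0.0/24"),
             ipaddress.ip_network("10.8.0.0/24")]


def parse_invite(msg):
    """Return the addresses the peer asks us to send signalling and media to."""
    head, _, body = msg.partition("\r\n\r\n")
    contact = re.search(r"^Contact:.*?@([\d.]+)", head, re.M | re.I)
    conn = re.search(r"^c=IN IP4 ([\d.]+)", body, re.M)
    media = re.search(r"^m=audio (\d+) ", body, re.M)
    return {
        "contact_ip": contact.group(1) if contact else None,
        "rtp_ip": conn.group(1) if conn else None,
        "rtp_port": int(media.group(1)) if media else None,
    }


def unreachable_targets(info, reachable=REACHABLE):
    """List advertised addresses that fall outside the PBX's reachable subnets."""
    bad = []
    for key in ("contact_ip", "rtp_ip"):
        ip = info.get(key)
        if ip and not any(ipaddress.ip_address(ip) in net for net in reachable):
            bad.append((key, ip))
    return bad


if __name__ == "__main__":
    for key, ip in unreachable_targets(parse_invite(SAMPLE_INVITE)):
        print(f"{key} advertises {ip}, unreachable from the PBX: expect one-way audio")
```

Run the same check over the INVITE seen in 'sip set debug' output; an empty result means the addresses are routable and the problem lies elsewhere (for example a firewall on the media path).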