asterisk users - Mar 2010 - Asterisk 1.6 and OpenVPN RTP problem

Hello All,


I have installed Asterisk 1.6 with openVPN in the same machine. I have set
up a VPN connection between 2 SIP clients and Asterisk using x-lite.


The 2 clients connects to Asterisk. SIP signaling goes ok over the vpn
tunnel.


When attempting to make a call between the clients, the siganling part of
the call goes well. But, when the call is set up, some RTP packets are
exchanged at the beginning and then the RTP flow stops (no RTP is exchangd).


Wireshark demonstrates no problem with SIP signaling.


I am using OpenVPN 2.1.1.


Has anyone had such a problem.


Please help.

-- 
*Please discover scientific miracles of CORAN*

http://www.55a.net/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20100324/1ed8aa7b/attachment.htm

mosbah.abdelkader wrote:
> Hello All,
>
>
> I have installed Asterisk 1.6 with openVPN in the same machine. I have 
> set up a VPN connection between 2 SIP clients and Asterisk using x-lite.
>
Just a guess, set canreinvite=no in the sip.conf for each of the end points

Doug

-- 

Ben Franklin quote:

"Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety."

> Hello All,
> 
> I have installed Asterisk 1.6 with openVPN in the same machine. I have set
> up a VPN connection between 2 SIP clients and Asterisk using x-lite.
> 
> The 2 clients connects to Asterisk. SIP signaling goes ok over the vpn
> tunnel.
> 
> When attempting to make a call between the clients, the siganling part of
> the call goes well. But, when the call is set up, some RTP packets are
> exchanged at the beginning and then the RTP flow stops (no RTP is
exchangd).
> 
> Wireshark demonstrates no problem with SIP signaling.
> 
> I am using OpenVPN 2.1.1.
> 
> Has anyone had such a problem.
I had a vaguely-similar problem, getting a Nokia N810's Telepathy-
based SIP client to talk to Asterisk over an OpenVPN connection.

The problem in that case turned out to be the fact that the
Nokia was sending all of the packets to the Asterisk server,
using its primary-network (WiFi) IP address, rather than the
address to which its end of the OpenVPN tunnel was bound.
The SIP packets from the Asterisk server had no way to get back
to the client.

The fix for this was to stick a couple of scripts into the
Nokia, to be executed when OpenVPN started or stopped the
VPN tunnel.  The "up" script changes the SIP configuration,
setting its "local IP address" parameter to that of the Nokia
end of the tunnel, while the "down" script clears this override.

Works fine.

That doesn't sound like exactly the problem you're having,
though, since you're getting SIP through the tunnel OK.  The
problem sounds more as if the RTP packets from one client are
either not being send through the tunnel at all, or are being
dropped prior to getting to the other.

There may be a couple of ways to fix this:

(1) As another poster suggested, specify "canreinvite=no"
    (or, in 1.6, "directmedia=no") for each of your SIP
    clients.  This will prevent them from trying to send the
    RTP "directly" to one another, instead sending it to
    Asterisk for forwarding.

    This is probably the most reliable approach.  It's also
    probably the only one which will allow reliable connections
    between these clients, and SIP endpoints which aren't part of
    your own local IP-address space.

(2) If you really do want to try to allow directmedia connections
    between the clients, you'll need to make certain of two things:

    [A] Your OpenVPN setup, for each client, must install a route on
        each client which directs the client to send all packets for
        any address on the entire VPN back to the VPN server.

        Without such a route being installed, it's likely that the
        OpenVPN-installed routing would only channel packets for the
        OpenVPN server itself into the tunnel.  Packets for other
        IP addresses in the OpenVPN range would end up being sent out
        through the client's normal IP route, and probably lost forever
        in the grand stew of the Intertube.

    [B] Make sure that your OpenVPN setup allows direct client-to-
        client communications.  There's a parameter which can disable
        this, and permits only client-to-server packets to survive...
        make sure you haven't set this.

(3) You may need to make sure that your iptables (or similar)
    configuration isn't accidentally NAT'ing packets which are trying
    to come in through the OpenVPN tunnel and then go back out through
    another OpenVPN tunnel.

Hello,


Thank you for your reply.


The first proposed solution has resolved the problem for a test in the local
network. Another test is planned today later with a client in the same NAT
and another in the public internet with a public static ip address.

Do you have any advice for that case?


-- 
*Please discover scientific miracles of CORAN*

http://www.55a.net/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20100325/6261e121/attachment.htm

> Thank you for your reply.
> 
> 
> The first proposed solution has resolved the problem for a test in the
local
> network. Another test is planned today later with a client in the same NAT
> and another in the public internet with a public static ip address.
> 
> Do you have any advice for that case?
That case should work out fine if you've specified
"directmedia=no"
for the client(s) on the NAT/OpenVPN side, as long as the Asterisk
server has a public IP address.  Asterisk will forward the RTP
between the client on the public Internet, and the client on
the OpenVPN tunnel. You won't need to have a routable connection
directly between the two clients.

I run my own setup this way.  All clients on my home LAN,
and my OpenVPN'ed mobile (Nokia N810) specify "directmedia=no".
I can make calls (RTP both ways, no trouble) between them, between
one of them and a client on the public Internet, and between them
and various VoIP providers' systems.

Using OpenVPN, and depending on Asterisk to forward the RTP, seems
to be a *lot* more reliable than trying to do direct SIP/RTP and
depending on STUN or SIP-aware NAT gateways.

Hello Platt,


Thank you for help.


I have tested and it works fine.

-- 
Please discover scientific miracles of CORAN

http://www.55a.net/
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
http://lists.digium.com/pipermail/asterisk-users/attachments/20100326/35db5610/attachment.htm