Ernie Dunbar
2017-Apr-18  23:43 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    On 2017-04-18 03:38 PM, Duncan Turnbull wrote:<br>
    <blockquote
cite="mid:em5e81b46b-ce75-4f26-abeb-d170e7506154@mibble"
      type="cite">
      <div>------ Original Message ------</div>
      <div>From: "Ernie Dunbar" &lt;<a moz-do-not-send="true"
          href="mailto:maillist@lightspeed.ca">maillist@lightspeed.ca</a>&gt;</div>
      <div>To: "'Asterisk Users Mailing List - Non-Commercial
        Discussion'" &lt;<a moz-do-not-send="true"
          href="mailto:asterisk-users@lists.digium.com">asterisk-users@lists.digium.com</a>&gt;</div>
      <div>Sent: 19-Apr-17 10:25:59 AM</div>
      <div>Subject: [asterisk-users] SIP connections over OpenVPN
        connection get one-way voice.</div>
      <div> </div>
      <div id="xa3f7e734b38b4c5289e7d0c46caa26c9"
style="COLOR: #000000">
        <blockquote class="cite2"
          cite="ff7e561a-bc8b-097d-5b3f-6657ea162b4f@lightspeed.ca"
          type="cite">Hi everyone. I'm having some trouble with
an
          OpenVPN tunnel that isn't working *quite* as well as we'd
          hoped.<br>
          <br>
          First, here's our technical details:<br>
          <br>
          The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind
          a NAT router. The router has UDP port 1194 forwarded to our
          server. This server also runs our office Asterisk PBX, so
          there isn't any networking hardware or firewall between the
          VPN tunnel and the Asterisk PBX.<br>
        </blockquote>
        <div> </div>
        <div> </div>
        <div>Asterisk may be replying from the TUN address which may
          confuse your sip client - if you set the TUN address as a
          proxy that seems to solve it. If asterisk is bound to every
          address then implicitly it shouldn't matter where it replies
          from, but in the openvpn case it seems to reply from a
          different address to the one it was called on and that can
          definitely fool clients. tcpdump on the tunnel can help you
          see what's happening</div>
        <div> </div>
      </div>
    </blockquote>
    <br>
    I think I'll need a bit more detail about how to set the TUN address
    as a proxy. Is this done on the OpenVPN server, or at the client
    end? I'm also going to tell Asterisk to bind to all IPs and then
    restart it when there's no calls in progress, perhaps that's all I
    need to do?<br>
  </body>
</html>
Duncan Turnbull
2017-Apr-19  00:21 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
Sent from my iPhone

> On 19/04/2017, at 11:43 AM, Ernie Dunbar <maillist at lightspeed.ca> wrote:
>
>> On 2017-04-18 03:38 PM, Duncan Turnbull wrote:
>> ------ Original Message ------
>> From: "Ernie Dunbar" <maillist at lightspeed.ca>
>> To: "'Asterisk Users Mailing List - Non-Commercial Discussion'" <asterisk-users at lists.digium.com>
>> Sent: 19-Apr-17 10:25:59 AM
>> Subject: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.
>>
>>> Hi everyone. I'm having some trouble with an OpenVPN tunnel that isn't working *quite* as well as we'd hoped.
>>>
>>> First, here's our technical details:
>>>
>>> The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a NAT router. The router has UDP port 1194 forwarded to our server. This server also runs our office Asterisk PBX, so there isn't any networking hardware or firewall between the VPN tunnel and the Asterisk PBX.
>>
>>
>> Asterisk may be replying from the TUN address which may confuse your sip client - if you set the TUN address as a proxy that seems to solve it. If asterisk is bound to every address then implicitly it shouldn't matter where it replies from, but in the openvpn case it seems to reply from a different address to the one it was called on and that can definitely fool clients. tcpdump on the tunnel can help you see what's happening
>>
>
> I think I'll need a bit more detail about how to set the TUN address as a proxy. Is this done on the OpenVPN server, or at the client end? I'm also going to tell Asterisk to bind to all IPs and then restart it when there's no calls in progress, perhaps that's all I need to do?

Set it as a proxy server in your sip phone client, we found using the tun ip on the vpn server works, we keep the actual asterisk address as the sip server and use the tun ip as the proxy server

Asterisk is probably already bound to all the addresses. netstat -nupl should show you the addresses it's listening on for udp, if it says 0.0.0.0 it means all addresses

    sudo tcpdump -i tun0 -s0 -A udp port 5060

Should show you the sip messages going through the tunnel and you can check the reply addresses
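
The reply-address check suggested in the message above can be automated; this is an added example, not code from the thread. It pairs each SIP response in text shaped like `tcpdump -n -i tun0 -s0 -A udp port 5060` output with its request by Call-ID and reports replies that come from a different IP than the one the request was sent to. The capture text, addresses and Call-IDs are constructed, and the function names are hypothetical.

```python
import re
# Constructed sample shaped like `tcpdump -n -i tun0 -s0 -A udp port 5060` output.
# Made-up addresses: 10.8.0.1 = PBX TUN, 172.16.0.10 = PBX LAN, 10.8.0.6 = phone.
SAMPLE = """\
12:00:01.000100 IP 10.8.0.6.5060 > 172.16.0.10.5060: UDP, length 320
E....@.@.........REGISTER sip:172.16.0.10 SIP/2.0
Call-ID: reg-1@10.8.0.6
12:00:01.000900 IP 10.8.0.1.5060 > 10.8.0.6.5060: UDP, length 290
E....@.@.........SIP/2.0 401 Unauthorized
Call-ID: reg-1@10.8.0.6
12:00:05.000100 IP 10.8.0.6.5060 > 10.8.0.1.5060: UDP, length 300
E....@.@.........OPTIONS sip:10.8.0.1 SIP/2.0
Call-ID: opt-2@10.8.0.6
12:00:05.000700 IP 10.8.0.1.5060 > 10.8.0.6.5060: UDP, length 280
E....@.@.........SIP/2.0 200 OK
Call-ID: opt-2@10.8.0.6
"""

HDR = re.compile(r"^\d\d:\d\d:\d\d\.\d+ IP ([\d.]+)\.\d+ > ([\d.]+)\.\d+:")
CALL_ID = re.compile(r"^(?:Call-ID|i)\s*:\s*(\S+)", re.I | re.M)
RESPONSE = re.compile(r"SIP/2\.0 (\d{3})")          # status line
REQUEST = re.compile(r"[A-Z]+ sips?:\S+ SIP/2\.0")  # request line

def packets(text):
    """Split tcpdump text into [src_ip, dst_ip, payload] entries."""
    out = []
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            out.append([m.group(1), m.group(2), ""])
        elif out:
            out[-1][2] += line + "\n"
    return out

def mismatched_replies(text):
    """List (call_id, asked_ip, replied_ip) where a reply came from another IP."""
    asked, findings = {}, []
    for src, dst, payload in packets(text):
        cid = CALL_ID.search(payload)
        # With -A the start line follows the printed IP/UDP header bytes.
        start = next((l for l in payload.splitlines() if "SIP/2.0" in l), "")
        if not cid:
            continue
        if RESPONSE.search(start):
            want = asked.get((cid.group(1), dst))
            if want and want != src:
                findings.append((cid.group(1), want, src))
        elif REQUEST.search(start):
            asked[(cid.group(1), src)] = dst  # remember where the client sent it
    return findings
```

In the constructed capture, the REGISTER sent to the LAN address is answered from the TUN address and is reported, while the OPTIONS sent to the TUN address is answered from the same address and is not.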
Ernie Dunbar
2017-Apr-19  18:32 UTC
[asterisk-users] SIP connections over OpenVPN connection get one-way voice.
<html>
  <head>
    <meta content="text/html; charset=utf-8"
http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    On 2017-04-18 05:21 PM, Duncan Turnbull wrote:<br>
    <blockquote
      cite="mid:525D8AEC-BF64-4086-A5D9-46A6B6D09DD1@e-simple.co.nz"
      type="cite">
      <meta http-equiv="content-type" content="text/html;
charset=utf-8">
      <div><br>
        <br>
        Sent from my iPhone</div>
      <div><br>
        On 19/04/2017, at 11:43 AM, Ernie Dunbar &lt;<a
          moz-do-not-send="true"
          href="mailto:maillist@lightspeed.ca">maillist@lightspeed.ca</a>&gt;
        wrote:<br>
        <br>
      </div>
      <blockquote type="cite">
        <div>
          <meta content="text/html; charset=utf-8"
            http-equiv="Content-Type">
          On 2017-04-18 03:38 PM, Duncan Turnbull wrote:<br>
          <blockquote
            cite="mid:em5e81b46b-ce75-4f26-abeb-d170e7506154@mibble"
            type="cite">
            <div>------ Original Message ------</div>
            <div>From: "Ernie Dunbar" &lt;<a moz-do-not-send="true"
                href="mailto:maillist@lightspeed.ca">maillist@lightspeed.ca</a>&gt;</div>
            <div>To: "'Asterisk Users Mailing List - Non-Commercial
              Discussion'" &lt;<a moz-do-not-send="true"
                href="mailto:asterisk-users@lists.digium.com">asterisk-users@lists.digium.com</a>&gt;</div>
            <div>Sent: 19-Apr-17 10:25:59 AM</div>
            <div>Subject: [asterisk-users] SIP connections over OpenVPN
              connection get one-way voice.</div>
            <div> </div>
            <div id="xa3f7e734b38b4c5289e7d0c46caa26c9"
style="COLOR:
              #000000">
              <blockquote class="cite2"
               
cite="ff7e561a-bc8b-097d-5b3f-6657ea162b4f@lightspeed.ca"
                type="cite">Hi everyone. I'm having some
trouble with an
                OpenVPN tunnel that isn't working *quite* as well as
                we'd hoped.<br>
                <br>
                First, here's our technical details:<br>
                <br>
                The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box
                behind a NAT router. The router has UDP port 1194
                forwarded to our server. This server also runs our
                office Asterisk PBX, so there isn't any networking
                hardware or firewall between the VPN tunnel and the
                Asterisk PBX.<br>
              </blockquote>
              <div> </div>
              <div> </div>
              <div>Asterisk may be replying from the TUN address which
                may confuse your sip client - if you set the TUN address
                as a proxy that seems to solve it. If asterisk is bound
                to every address then implicitly it shouldn't matter
                where it replies from, but in the openvpn case it seems
                to reply from a different address to the one it was
                called on and that can definitely fool clients. tcpdump
                on the tunnel can help you see what's happening</div>
              <div> </div>
            </div>
          </blockquote>
          <br>
          I think I'll need a bit more detail about how to set the TUN
          address as a proxy. Is this done on the OpenVPN server, or at
          the client end? I'm also going to tell Asterisk to bind to all
          IPs and then restart it when there's no calls in progress,
          perhaps that's all I need to do?<br>
        </div>
      </blockquote>
      <br>
      <div>Set it as a proxy server in your sip phone client, we found
        using the tun ip on the vpn server works, we keep the actual
        asterisk address as the sip server and use the tun ip as the
        proxy server</div>
      <div><br>
      </div>
      <div>Asterisk is probably already bound to all the addresses.
        netstat -nupl should show you the addresses it's listening on
        for udp, if it says 0.0.0.0 it means all addresses</div>
      <div><br>
      </div>
      <div>sudo tcpdump -i tun0 -s0 -A udp port 5060</div>
      <div><br>
      </div>
      <div>Should show you the sip messages going through the tunnel and
        you can check the reply addresses </div>
    </blockquote>
    <br>
    Hmm. I also can't ping the phone's IP address on the 192.168.1.0/24
    network. Perhaps that's the real problem there. This VPN should work
    both ways, shouldn't it?<br>
    <br>
  </body>
</html>