Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Firewall Is Blocking SIP Over OpenVPN

    OpenVPN
    3
    7
    7.0k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kennsington
      last edited by

      I have 2 Hacom Phoenix Unos setup as a CARP gateway/firewall to our local network. On the local network is an Asterisk server, some computers, and some SIP phones. (All phones referenced are Aastra 6757i)

      I also have OpenVPN set up as site-to-site. The server is on the Hacom, and the client is on a linksys e1000 with DD-WRT vpn-small, set up as a gateway on a remote network (configs below). The primary function of this VPN is for VOIP registering to Asterisk server.

      There is no problem on local phones. Remote phones will register just fine, however when a call is placed it will not complete:
      -From the phone it just states the call failed
      -From the asterisk server, nothing ever happens (no call request is received)
      -From openvpn client, nothing looks odd. Other data passes fine(with the exception of http, which I will get into below)
      -From openvpn server, no logs indicate issue.
      -From pfsense, it logs that when the call is attempted, it blocks the OpenVPN connection.

      So:
      WAN = MultiWAN
        WAN1 - CARP
            VIP: x.x.x.194
            pfsense1: x.x.x.195
            pfsense2: x.x.x.196
        WAN2 - Static IP
            IP: x.x.x.8

      NOTE: Right now, OpenVPN is not using WAN2, everything is directed to WAN1 VIP.

      Local LAN: 10.51.1.0/24
      Remote LAN: 10.51.2.0/28

      OpenVPN Port: 20228
      OpenVPN Tunnel: 10.50.28.0/24

      What is odd to me is that it started happening suddenly. I had not made any config change in quite a while.

      SERVER (pfsense ovpn gui config):
      Server Mode: Remote Access (SSL/TLS)
      Protocal: UDP
      Device Mode: tun
      Interface: WAN1 CARP
      Local Port: 20228
      TLS Auth: Enable
      Peer Cert Auth: Yes
      Peer CRL: Yes
      Server Cert: Yes
      DH Parameters Length 1024
      Encryption algorithm: AES-128-CBC
      Hardware Crypto: No Hardware Crypto
      Cert Dept: One (Client+Server)
      Tunnel Network: 10.50.28.0/24
      Redirect Gateway: NO
      Local Network: 10.51.1.0/24
      Concurrent Connections: Unlimited
      Compression: No
      Type-of-Server: No
      Inter-client communication: No
      Duplicate Connections: No
      Dynamic IP: No
      Address Pool: YES
      DNS Default Domain: No
      DNS Servers: No
      NTP Servers: No
      NetBIOS Options: No
      Advanced: Verb 4;

      CLIENT (ovpn config file):
      client
      remote x.x.x.194 20228
      proto udp
      dev tun
      nobind
      fast-io
      persist-tun
      persist-key
      cipher AES-128-CBC
      tls-client
      ca ca.crt
      cert cert.crt
      key key.key
      tls-auth TLS.key 1
      log-append /var/log/openvpncl
      verb 4

      Again, I just want to point out that the tunnel comes up just fine, and the phones register just fine. I only see an issue when a call is attempted. I do have one other issue: The Aastra 6757i phones have an http server for configuring them through a browser. When accessing the web interface on a remote phone FROM the local network the page does not come through correctly (sometimes not at all).

      Firewall Logs:
      BLOCKED: Interface WAN1 - From X.X.X.X - To X.X.X.194 UDP
      BLOCKED: Interface WAN1 - From X.X.X.X:32787 - To X.X.X.194:20228 UDP
      These will repeat a couple of times within a second.

      Let me know if you need more info.

      1 Reply Last reply Reply Quote 0
      • K
        kennsington
        last edited by

        Anything?

        1 Reply Last reply Reply Quote 0
        • D
          dhatz
          last edited by

          What is odd to me is that it started happening suddenly. I had not made any config change in quite a while.

          So this setup with remote extensions connecting to Asterisk over OpenVPN used to work fine, but has failed recently ?

          Are you NAT'ting traffic from your the remote subnet 10.51.2.0/28 ?
          Because I noticed you're using "Server Mode: Remote Access (SSL/TLS)".

          I'd use S2S SSL and just route the remote /28 subnet over OpenVPN tunnel.

          1 Reply Last reply Reply Quote 0
          • M
            marvosa
            last edited by

            Someone correct me if I'm wrong, but since the remote side is a DD-WRT box acting as a client, I believe you will have to add an iroute for that client in order to properly route to the remote network behind the DD-WRT -> http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes

            Also, what do your firewall rules look like on the openvpn tab?

            1 Reply Last reply Reply Quote 0
            • K
              kennsington
              last edited by

              So this setup with remote extensions connecting to Asterisk over OpenVPN used to work fine, but has failed recently ?

              Correct. This setup worked fine for about 5 months without any problems.

              I believe you will have to add an iroute for that client in order to properly route to the remote network behind the DD-WRT

              I do have iroute setup. Pings, traceroutes, even the actual SIP registration, pretty much anything else works just fine.

              Also, what do your firewall rules look like on the openvpn tab?

              Allow - source:10.51.0.0/18 dest:ANY
              Allow - source:10.50.28.0/24 dest: ANY

              1 Reply Last reply Reply Quote 0
              • D
                dhatz
                last edited by

                @kennsington:

                I do have iroute setup. Pings, traceroutes, even the actual SIP registration, pretty much anything else works just fine.

                It may turn out to only be tangential to the root problem, but I suspect that the DDwrt device might be NAT'ting traffic into the OpenVPN tunnel, which may explain why you can't connect to the VoIP phones webGUI.

                What IP address does Asterisk show for the remotely registered VoIP phones ? (CLI "sip show peers") ? Or you can check if DDwrt's iptables do NAT.

                Anyway, finding out what caused the setup to suddenly fail after 5 months sounds like an interesting puzzle, but it's hard to offer any concrete opinions without having access to the actual systems.

                1 Reply Last reply Reply Quote 0
                • K
                  kennsington
                  last edited by

                  Here is the nat table in the DDwrt. And just for clarification, I AM actually able to connect to the webGUI, it's just that I usually don't get and styling (although sometimes I do). Only sometimes I cannot connect at all.

                  All phones register with the correct IP to the asterisk server.

                  What would be odd to me is if the tunnel is set up and happy, why would a NAT cause pfsense to block the connection at the VPN level (it's blocking the VPN packets, rather than the actual traffic). In other words, right at the moment the call is placed, pfsense blocks all connections from the remote site's public IP address. And, for what it's worth, I do not observe this behavior with anything else coming over the VPN. Even when I have the issue with the webGUI, nothing get's blocked (at least on the pfsense side).

                  Chain PREROUTING (policy ACCEPT 1162 packets, 304K bytes)
                  pkts bytes target    prot opt in    out    source              destination
                      4  244 DNAT      icmp –  *      *      0.0.0.0/0            [public_IP]        to:10.51.2.1
                    60  8983 TRIGGER    0    –  *      *      0.0.0.0/0            [public_IP]        TRIGGER type:dnat match:0 relate:0

                  Chain POSTROUTING (policy ACCEPT 59 packets, 5237 bytes)
                  pkts bytes target    prot opt in    out    source              destination
                    223 12561 SNAT      0    –  *      vlan2  0.0.0.0/0            0.0.0.0/0          to:[public_IP]
                      0    0 RETURN    0    –  *      br0    0.0.0.0/0            0.0.0.0/0          PKTTYPE = broadcast

                  Chain OUTPUT (policy ACCEPT 61 packets, 4331 bytes)
                  pkts bytes target    prot opt in    out    source              destination

                  1 Reply Last reply Reply Quote 0
                  • First post
                    Last post
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.