Firewall Is Blocking SIP Over OpenVPN



  • I have 2 Hacom Phoenix Unos setup as a CARP gateway/firewall to our local network. On the local network is an Asterisk server, some computers, and some SIP phones. (All phones referenced are Aastra 6757i)

    I also have OpenVPN set up as site-to-site. The server is on the Hacom, and the client is on a linksys e1000 with DD-WRT vpn-small, set up as a gateway on a remote network (configs below). The primary function of this VPN is for VOIP registering to Asterisk server.

    There is no problem on local phones. Remote phones will register just fine, however when a call is placed it will not complete:
    -From the phone it just states the call failed
    -From the asterisk server, nothing ever happens (no call request is received)
    -From openvpn client, nothing looks odd. Other data passes fine(with the exception of http, which I will get into below)
    -From openvpn server, no logs indicate issue.
    -From pfsense, it logs that when the call is attempted, it blocks the OpenVPN connection.

    So:
    WAN = MultiWAN
      WAN1 - CARP
          VIP: x.x.x.194
          pfsense1: x.x.x.195
          pfsense2: x.x.x.196
      WAN2 - Static IP
          IP: x.x.x.8

    NOTE: Right now, OpenVPN is not using WAN2, everything is directed to WAN1 VIP.

    Local LAN: 10.51.1.0/24
    Remote LAN: 10.51.2.0/28

    OpenVPN Port: 20228
    OpenVPN Tunnel: 10.50.28.0/24

    What is odd to me is that it started happening suddenly. I had not made any config change in quite a while.

    SERVER (pfsense ovpn gui config):
    Server Mode: Remote Access (SSL/TLS)
    Protocal: UDP
    Device Mode: tun
    Interface: WAN1 CARP
    Local Port: 20228
    TLS Auth: Enable
    Peer Cert Auth: Yes
    Peer CRL: Yes
    Server Cert: Yes
    DH Parameters Length 1024
    Encryption algorithm: AES-128-CBC
    Hardware Crypto: No Hardware Crypto
    Cert Dept: One (Client+Server)
    Tunnel Network: 10.50.28.0/24
    Redirect Gateway: NO
    Local Network: 10.51.1.0/24
    Concurrent Connections: Unlimited
    Compression: No
    Type-of-Server: No
    Inter-client communication: No
    Duplicate Connections: No
    Dynamic IP: No
    Address Pool: YES
    DNS Default Domain: No
    DNS Servers: No
    NTP Servers: No
    NetBIOS Options: No
    Advanced: Verb 4;

    CLIENT (ovpn config file):
    client
    remote x.x.x.194 20228
    proto udp
    dev tun
    nobind
    fast-io
    persist-tun
    persist-key
    cipher AES-128-CBC
    tls-client
    ca ca.crt
    cert cert.crt
    key key.key
    tls-auth TLS.key 1
    log-append /var/log/openvpncl
    verb 4

    Again, I just want to point out that the tunnel comes up just fine, and the phones register just fine. I only see an issue when a call is attempted. I do have one other issue: The Aastra 6757i phones have an http server for configuring them through a browser. When accessing the web interface on a remote phone FROM the local network the page does not come through correctly (sometimes not at all).

    Firewall Logs:
    BLOCKED: Interface WAN1 - From X.X.X.X - To X.X.X.194 UDP
    BLOCKED: Interface WAN1 - From X.X.X.X:32787 - To X.X.X.194:20228 UDP
    These will repeat a couple of times within a second.

    Let me know if you need more info.



  • Anything?



  • What is odd to me is that it started happening suddenly. I had not made any config change in quite a while.

    So this setup with remote extensions connecting to Asterisk over OpenVPN used to work fine, but has failed recently ?

    Are you NAT'ting traffic from your the remote subnet 10.51.2.0/28 ?
    Because I noticed you're using "Server Mode: Remote Access (SSL/TLS)".

    I'd use S2S SSL and just route the remote /28 subnet over OpenVPN tunnel.



  • Someone correct me if I'm wrong, but since the remote side is a DD-WRT box acting as a client, I believe you will have to add an iroute for that client in order to properly route to the remote network behind the DD-WRT -> http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes

    Also, what do your firewall rules look like on the openvpn tab?



  • So this setup with remote extensions connecting to Asterisk over OpenVPN used to work fine, but has failed recently ?

    Correct. This setup worked fine for about 5 months without any problems.

    I believe you will have to add an iroute for that client in order to properly route to the remote network behind the DD-WRT

    I do have iroute setup. Pings, traceroutes, even the actual SIP registration, pretty much anything else works just fine.

    Also, what do your firewall rules look like on the openvpn tab?

    Allow - source:10.51.0.0/18 dest:ANY
    Allow - source:10.50.28.0/24 dest: ANY



  • @kennsington:

    I do have iroute setup. Pings, traceroutes, even the actual SIP registration, pretty much anything else works just fine.

    It may turn out to only be tangential to the root problem, but I suspect that the DDwrt device might be NAT'ting traffic into the OpenVPN tunnel, which may explain why you can't connect to the VoIP phones webGUI.

    What IP address does Asterisk show for the remotely registered VoIP phones ? (CLI "sip show peers") ? Or you can check if DDwrt's iptables do NAT.

    Anyway, finding out what caused the setup to suddenly fail after 5 months sounds like an interesting puzzle, but it's hard to offer any concrete opinions without having access to the actual systems.



  • Here is the nat table in the DDwrt. And just for clarification, I AM actually able to connect to the webGUI, it's just that I usually don't get and styling (although sometimes I do). Only sometimes I cannot connect at all.

    All phones register with the correct IP to the asterisk server.

    What would be odd to me is if the tunnel is set up and happy, why would a NAT cause pfsense to block the connection at the VPN level (it's blocking the VPN packets, rather than the actual traffic). In other words, right at the moment the call is placed, pfsense blocks all connections from the remote site's public IP address. And, for what it's worth, I do not observe this behavior with anything else coming over the VPN. Even when I have the issue with the webGUI, nothing get's blocked (at least on the pfsense side).

    Chain PREROUTING (policy ACCEPT 1162 packets, 304K bytes)
    pkts bytes target    prot opt in    out    source              destination
        4  244 DNAT      icmp –  *      *      0.0.0.0/0            [public_IP]        to:10.51.2.1
      60  8983 TRIGGER    0    –  *      *      0.0.0.0/0            [public_IP]        TRIGGER type:dnat match:0 relate:0

    Chain POSTROUTING (policy ACCEPT 59 packets, 5237 bytes)
    pkts bytes target    prot opt in    out    source              destination
      223 12561 SNAT      0    –  *      vlan2  0.0.0.0/0            0.0.0.0/0          to:[public_IP]
        0    0 RETURN    0    –  *      br0    0.0.0.0/0            0.0.0.0/0          PKTTYPE = broadcast

    Chain OUTPUT (policy ACCEPT 61 packets, 4331 bytes)
    pkts bytes target    prot opt in    out    source              destination


Locked