Firewall Is Blocking SIP Over OpenVPN

kennsington

I have 2 Hacom Phoenix Unos setup as a CARP gateway/firewall to our local network. On the local network is an Asterisk server, some computers, and some SIP phones. (All phones referenced are Aastra 6757i)

I also have OpenVPN set up as site-to-site. The server is on the Hacom, and the client is on a linksys e1000 with DD-WRT vpn-small, set up as a gateway on a remote network (configs below). The primary function of this VPN is for VOIP registering to Asterisk server.

There is no problem on local phones. Remote phones will register just fine, however when a call is placed it will not complete:
-From the phone it just states the call failed
-From the asterisk server, nothing ever happens (no call request is received)
-From openvpn client, nothing looks odd. Other data passes fine(with the exception of http, which I will get into below)
-From openvpn server, no logs indicate issue.
-From pfsense, it logs that when the call is attempted, it blocks the OpenVPN connection.

So:
WAN = MultiWAN
  WAN1 - CARP
      VIP: x.x.x.194
      pfsense1: x.x.x.195
      pfsense2: x.x.x.196
  WAN2 - Static IP
      IP: x.x.x.8

NOTE: Right now, OpenVPN is not using WAN2, everything is directed to WAN1 VIP.

Local LAN: 10.51.1.0/24
Remote LAN: 10.51.2.0/28

OpenVPN Port: 20228
OpenVPN Tunnel: 10.50.28.0/24

What is odd to me is that it started happening suddenly. I had not made any config change in quite a while.

SERVER (pfsense ovpn gui config):
Server Mode: Remote Access (SSL/TLS)
Protocal: UDP
Device Mode: tun
Interface: WAN1 CARP
Local Port: 20228
TLS Auth: Enable
Peer Cert Auth: Yes
Peer CRL: Yes
Server Cert: Yes
DH Parameters Length 1024
Encryption algorithm: AES-128-CBC
Hardware Crypto: No Hardware Crypto
Cert Dept: One (Client+Server)
Tunnel Network: 10.50.28.0/24
Redirect Gateway: NO
Local Network: 10.51.1.0/24
Concurrent Connections: Unlimited
Compression: No
Type-of-Server: No
Inter-client communication: No
Duplicate Connections: No
Dynamic IP: No
Address Pool: YES
DNS Default Domain: No
DNS Servers: No
NTP Servers: No
NetBIOS Options: No
Advanced: Verb 4;

CLIENT (ovpn config file):
client
remote x.x.x.194 20228
proto udp
dev tun
nobind
fast-io
persist-tun
persist-key
cipher AES-128-CBC
tls-client
ca ca.crt
cert cert.crt
key key.key
tls-auth TLS.key 1
log-append /var/log/openvpncl
verb 4

Again, I just want to point out that the tunnel comes up just fine, and the phones register just fine. I only see an issue when a call is attempted. I do have one other issue: The Aastra 6757i phones have an http server for configuring them through a browser. When accessing the web interface on a remote phone FROM the local network the page does not come through correctly (sometimes not at all).

Firewall Logs:
BLOCKED: Interface WAN1 - From X.X.X.X - To X.X.X.194 UDP
BLOCKED: Interface WAN1 - From X.X.X.X:32787 - To X.X.X.194:20228 UDP
These will repeat a couple of times within a second.

Let me know if you need more info.

kennsington

Anything?

dhatz

What is odd to me is that it started happening suddenly. I had not made any config change in quite a while.

So this setup with remote extensions connecting to Asterisk over OpenVPN used to work fine, but has failed recently ?

Are you NAT'ting traffic from your the remote subnet 10.51.2.0/28 ?
Because I noticed you're using "Server Mode: Remote Access (SSL/TLS)".

I'd use S2S SSL and just route the remote /28 subnet over OpenVPN tunnel.

marvosa

Someone correct me if I'm wrong, but since the remote side is a DD-WRT box acting as a client, I believe you will have to add an iroute for that client in order to properly route to the remote network behind the DD-WRT -> http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_PKI_(SSL)#iroutes

Also, what do your firewall rules look like on the openvpn tab?

kennsington

So this setup with remote extensions connecting to Asterisk over OpenVPN used to work fine, but has failed recently ?

Correct. This setup worked fine for about 5 months without any problems.

I believe you will have to add an iroute for that client in order to properly route to the remote network behind the DD-WRT

I do have iroute setup. Pings, traceroutes, even the actual SIP registration, pretty much anything else works just fine.

Also, what do your firewall rules look like on the openvpn tab?

Allow - source:10.51.0.0/18 dest:ANY
Allow - source:10.50.28.0/24 dest: ANY

dhatz

@kennsington:

I do have iroute setup. Pings, traceroutes, even the actual SIP registration, pretty much anything else works just fine.

It may turn out to only be tangential to the root problem, but I suspect that the DDwrt device might be NAT'ting traffic into the OpenVPN tunnel, which may explain why you can't connect to the VoIP phones webGUI.

What IP address does Asterisk show for the remotely registered VoIP phones ? (CLI "sip show peers") ? Or you can check if DDwrt's iptables do NAT.

Anyway, finding out what caused the setup to suddenly fail after 5 months sounds like an interesting puzzle, but it's hard to offer any concrete opinions without having access to the actual systems.

kennsington

Here is the nat table in the DDwrt. And just for clarification, I AM actually able to connect to the webGUI, it's just that I usually don't get and styling (although sometimes I do). Only sometimes I cannot connect at all.

All phones register with the correct IP to the asterisk server.

What would be odd to me is if the tunnel is set up and happy, why would a NAT cause pfsense to block the connection at the VPN level (it's blocking the VPN packets, rather than the actual traffic). In other words, right at the moment the call is placed, pfsense blocks all connections from the remote site's public IP address. And, for what it's worth, I do not observe this behavior with anything else coming over the VPN. Even when I have the issue with the webGUI, nothing get's blocked (at least on the pfsense side).

Chain PREROUTING (policy ACCEPT 1162 packets, 304K bytes)
pkts bytes target    prot opt in    out    source              destination
    4  244 DNAT      icmp –  *      *      0.0.0.0/0            [public_IP]        to:10.51.2.1
  60  8983 TRIGGER    0    –  *      *      0.0.0.0/0            [public_IP]        TRIGGER type:dnat match:0 relate:0

Chain POSTROUTING (policy ACCEPT 59 packets, 5237 bytes)
pkts bytes target    prot opt in    out    source              destination
  223 12561 SNAT      0    –  *      vlan2  0.0.0.0/0            0.0.0.0/0          to:[public_IP]
    0    0 RETURN    0    –  *      br0    0.0.0.0/0            0.0.0.0/0          PKTTYPE = broadcast

Chain OUTPUT (policy ACCEPT 61 packets, 4331 bytes)
pkts bytes target    prot opt in    out    source              destination