Openvpn SIP issues



  • Hi,

    I've setup OpenVPN on pfSense 2.1.4 and my Yealink phone is connecting with the VPN. I can see on my asterisk box that the phone is trying to register, and I can ping the phone from the asterisk box. Therefore I know the VPN is up, and routing is ok.
    However when I try to register the phone, this fails, because the from ip address in the SIP header is from the pfSense box, instead of the phone.
    When I trace the packets on the psSense box entering the openvpn and leaving the openvpn, I can see that the packets entering still have the correct ip addres in the from header (the ip of the phone) , but the ones bound for the asterisk box have a changed to the ip of the pfSense box.
    Of course the asterisk box is sending the packets back to the pfSense box, and thus the phone is failing to register….

    I cannot find anything on the web or in this forums about SIP ALG in pfSense and/or openvpn but maybe someone can help me out here...

    Cheers,

    Leon



  • In asterisk do you have sip.conf (or sip_custom.conf) set up correctly?  Be aware different asterisk distros use different sip config files so make sure you edit the right one.  Usually they are in /etc/asterisk.  Later versions of freepbx let you add these entries from the gui in settings –> asterisk sip settings  (attached picture)

    localnet=192.168.0.0/255.255.0.0 ; or your subnet you can have as many localnets as you need and make sure your vpn trunk is listed
    externip=x.x.x.x  ; your router ip address
    nat=yes
    

    BTW sip alg sucks imo.  pfsense woks fine without it, I have about a dozen yealink phones working great vpn connected to pfsense/piaf




  • Hi BeerCan,

    yes, localnet is in de sip.conf, and no need for natting.
    The device connected through the VPN is fully routable.

    I don't see why I have to look in the Asterisk settings here, the SIP headers are altered in the pfSense box…
    I don't like SIP algs eather, but I would like to know why the headers are changed, even as pfSense says there is no SIP alg..

    Cheers,
    Leon


  • Netgate

    What makes you think pfSense is altering the SIP headers?  Are you running the SIP proxy for some reason?

    I run SIP to asterisk over OpenVPN all day everyday.  Eliminating NAT from SIP is a great thing.



  • Hi Derelict,

    as I wrote…I see the SIP headers from the packets entering the pfSense (over VPN) are changed when they are sent to the PBX.
    I did all the packet capturing on the pfSense box.

    Leon


  • Netgate

    If you have installed siproxd it'll be in System->Packages.



  • Just checked, it's not installed…


  • Netgate

    Are you talking about the addresses in the IP headers or the addresses in the SIP protocol?

    If it's the IP header, I have no idea what you're looking at.  I just ran a packet trace on my OpenVPN interface and all the IP headers are the "real" addresses, meaning the IPs on the two private LANS connected by OpenVPN.  Did you install some NAT rules on the OpenVPN interface or something?

    pfSense over OpenVPN does not, by default, mangle SIP.



  • I know it should leave it in place. As I can succesfully run a ping test from the PBX to the phone, I'm pretty sure all routing is OK…

    See here the capture of the SIP packets on the openVPN, and in the second one the SIP packets in the ethernet interface bound to the pbx:
    phone is 10.254.254.6
    pbx is 192.168.239.5
    pfsense is 192.168.239.250

    10:06:41.965939 IP (tos 0x68, ttl 64, id 41994, offset 0, flags [DF], proto UDP (17), length 585)
        10.254.254.6.5062 > 192.168.239.5.5060: SIP, length: 557
    REGISTER sip:192.168.239.5:5060 SIP/2.0
    Via: SIP/2.0/UDP 10.254.254.6:5062;branch=z9hG4bK1041907595
    From: "Leon" sip:standby4@192.168.239.5;tag=618631739
    To: "Leon" sip:standby4@192.168.239.5Call-ID: 1966889762
    CSeq: 1 REGISTER
    Contact: sip:standby4@10.254.254.6:5062Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
    Max-Forwards: 70
    User-Agent: Tiptel IP 286 2.70.13.18 0015654c29f2
    Expires: 3600
    Allow-Events: talk,hold,conference,refer,check-sync
    Content-Length: 0

    10:07:01.413066 IP (tos 0x68, ttl 63, id 20, offset 0, flags [DF], proto UDP (17), length 965)
        192.168.239.250.13559 > 192.168.239.5.5060: SIP, length: 937
    INVITE sip:*1@192.168.239.5 SIP/2.0
    Via: SIP/2.0/UDP 10.254.254.6:5060;branch=z9hG4bK1581988329
    From: "10.254.254.6" sip:10.254.254.6@10.254.254.6;tag=1329256560
    To: sip:*1@192.168.239.5Call-ID: 1022752797
    CSeq: 1 INVITE
    Contact: sip:10.254.254.6@10.254.254.6Content-Type: application/sdp
    Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
    Max-Forwards: 70
    User-Agent: Tiptel IP 286 2.70.13.18 0015654c29f2
    Supported: replaces
    Allow-Events: talk,hold,conference,refer,check-sync
    Content-Length: 349</sip:10.254.254.6@10.254.254.6></sip:*1@192.168.239.5></sip:10.254.254.6@10.254.254.6></sip:standby4@10.254.254.6:5062></sip:standby4@192.168.239.5></sip:standby4@192.168.239.5>



  • My bad….
    looks like I looked at the wrong line, when setting the extension to NAT=yes (it didn't want the other subnet to register) the phone was working just fine.