Netgate Discussion Forum

    Openvpn SIP issues

    OpenVPN
      lblokland

      Hi,

      I've set up OpenVPN on pfSense 2.1.4 and my Yealink phone is connecting with the VPN. I can see on my asterisk box that the phone is trying to register, and I can ping the phone from the asterisk box. Therefore I know the VPN is up, and routing is ok.
      However when I try to register the phone, this fails, because the from ip address in the SIP header is from the pfSense box, instead of the phone.
      When I trace the packets on the pfSense box entering the openvpn and leaving the openvpn, I can see that the packets entering still have the correct ip address in the from header (the ip of the phone), but the ones bound for the asterisk box have it changed to the ip of the pfSense box.
      Of course the asterisk box is sending the packets back to the pfSense box, and thus the phone is failing to register….

      I cannot find anything on the web or in these forums about SIP ALG in pfSense and/or openvpn but maybe someone can help me out here...

      Cheers,

      Leon

        BeerCan

        In asterisk do you have sip.conf (or sip_custom.conf) set up correctly?  Be aware different asterisk distros use different sip config files so make sure you edit the right one.  Usually they are in /etc/asterisk.  Later versions of freepbx let you add these entries from the gui in settings –> asterisk sip settings  (attached picture)

        localnet=192.168.0.0/255.255.0.0 ; or your subnet you can have as many localnets as you need and make sure your vpn trunk is listed
        externip=x.x.x.x  ; your router ip address
        nat=yes
        

        BTW sip alg sucks imo.  pfsense works fine without it, I have about a dozen yealink phones working great vpn connected to pfsense/piaf

        2014-07-29_145721.jpg

          lblokland

          Hi BeerCan,

          yes, localnet is in the sip.conf, and no need for natting.
          The device connected through the VPN is fully routable.

          I don't see why I have to look in the Asterisk settings here, the SIP headers are altered in the pfSense box…
          I don't like SIP algs either, but I would like to know why the headers are changed, even as pfSense says there is no SIP alg..

          Cheers,
          Leon

            Derelict LAYER 8 Netgate

            What makes you think pfSense is altering the SIP headers?  Are you running the SIP proxy for some reason?

            I run SIP to asterisk over OpenVPN all day everyday.  Eliminating NAT from SIP is a great thing.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              lblokland

              Hi Derelict,

              as I wrote…I see the SIP headers from the packets entering the pfSense (over VPN) are changed when they are sent to the PBX.
              I did all the packet capturing on the pfSense box.

              Leon

                Derelict LAYER 8 Netgate

                If you have installed siproxd it'll be in System->Packages.

                  lblokland

                  Just checked, it's not installed…

                    Derelict LAYER 8 Netgate

                    Are you talking about the addresses in the IP headers or the addresses in the SIP protocol?

                    If it's the IP header, I have no idea what you're looking at.  I just ran a packet trace on my OpenVPN interface and all the IP headers are the "real" addresses, meaning the IPs on the two private LANS connected by OpenVPN.  Did you install some NAT rules on the OpenVPN interface or something?

                    pfSense over OpenVPN does not, by default, mangle SIP.

                      lblokland

                      I know it should leave it in place. As I can successfully run a ping test from the PBX to the phone, I'm pretty sure all routing is OK…

                      See here the capture of the SIP packets on the openVPN, and in the second one the SIP packets in the ethernet interface bound to the pbx:
                      phone is 10.254.254.6
                      pbx is 192.168.239.5
                      pfsense is 192.168.239.250

                      10:06:41.965939 IP (tos 0x68, ttl 64, id 41994, offset 0, flags [DF], proto UDP (17), length 585)
                          10.254.254.6.5062 > 192.168.239.5.5060: SIP, length: 557
                      REGISTER sip:192.168.239.5:5060 SIP/2.0
                      Via: SIP/2.0/UDP 10.254.254.6:5062;branch=z9hG4bK1041907595
                      From: "Leon" <sip:standby4@192.168.239.5>;tag=618631739
                      To: "Leon" <sip:standby4@192.168.239.5>
                      Call-ID: 1966889762
                      CSeq: 1 REGISTER
                      Contact: <sip:standby4@10.254.254.6:5062>
                      Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
                      Max-Forwards: 70
                      User-Agent: Tiptel IP 286 2.70.13.18 0015654c29f2
                      Expires: 3600
                      Allow-Events: talk,hold,conference,refer,check-sync
                      Content-Length: 0

                      10:07:01.413066 IP (tos 0x68, ttl 63, id 20, offset 0, flags [DF], proto UDP (17), length 965)
                          192.168.239.250.13559 > 192.168.239.5.5060: SIP, length: 937
                      INVITE sip:*1@192.168.239.5 SIP/2.0
                      Via: SIP/2.0/UDP 10.254.254.6:5060;branch=z9hG4bK1581988329
                      From: "10.254.254.6" <sip:10.254.254.6@10.254.254.6>;tag=1329256560
                      To: <sip:*1@192.168.239.5>
                      Call-ID: 1022752797
                      CSeq: 1 INVITE
                      Contact: <sip:10.254.254.6@10.254.254.6>
                      Content-Type: application/sdp
                      Allow: INVITE, INFO, PRACK, ACK, BYE, CANCEL, OPTIONS, NOTIFY, REGISTER, SUBSCRIBE, REFER, PUBLISH, UPDATE, MESSAGE
                      Max-Forwards: 70
                      User-Agent: Tiptel IP 286 2.70.13.18 0015654c29f2
                      Supported: replaces
                      Allow-Events: talk,hold,conference,refer,check-sync
                      Content-Length: 349

                        lblokland

                        My bad….
                        looks like I looked at the wrong line, when setting the extension to NAT=yes (it didn't want the other subnet to register) the phone was working just fine.
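
One way to tell, from a capture like the one posted in this thread, whether an address change sits in the IP header or inside the SIP payload: this added Python example (not code from any poster) parses `tcpdump -v` text and compares each packet's IP source with its topmost Via sent-by. The sample is trimmed from the posted captures; `compare_layers` and its field names are made up for this example, and a Via without a port is assumed to mean 5060.

```python
import re

# Trimmed from the two tcpdump captures posted in the thread above.
CAPTURE = """\
10:06:41.965939 IP (tos 0x68, ttl 64, id 41994, offset 0, flags [DF], proto UDP (17), length 585)
    10.254.254.6.5062 > 192.168.239.5.5060: SIP, length: 557
REGISTER sip:192.168.239.5:5060 SIP/2.0
Via: SIP/2.0/UDP 10.254.254.6:5062;branch=z9hG4bK1041907595
Contact: <sip:standby4@10.254.254.6:5062>

10:07:01.413066 IP (tos 0x68, ttl 63, id 20, offset 0, flags [DF], proto UDP (17), length 965)
    192.168.239.250.13559 > 192.168.239.5.5060: SIP, length: 937
INVITE sip:*1@192.168.239.5 SIP/2.0
Via: SIP/2.0/UDP 10.254.254.6:5060;branch=z9hG4bK1581988329
Contact: <sip:10.254.254.6@10.254.254.6>
"""

# tcpdump's "src.port > dst.port: SIP, length: N" line (IP/UDP layer).
FLOW = re.compile(r"^[ \t]+(\d+(?:\.\d+){3})\.(\d+) > \S+: SIP.*\n", re.M)
# Topmost Via sent-by, written by the phone itself (SIP layer).
VIA = re.compile(r"^Via: SIP/2\.0/UDP (\d+(?:\.\d+){3})(?::(\d+))?", re.M)


def compare_layers(text):
    """Compare each packet's IP source with the address in its Via header."""
    results = []
    flows = list(FLOW.finditer(text))
    for i, flow in enumerate(flows):
        end = flows[i + 1].start() if i + 1 < len(flows) else len(text)
        via = VIA.search(text, flow.end(), end)
        if via is None:
            continue  # headers not printed for this packet
        ip_src = (flow.group(1), int(flow.group(2)))
        sent_by = (via.group(1), int(via.group(2) or 5060))
        results.append({
            "start": text[flow.end():end].split()[0],  # method or SIP/2.0
            "ip_src": ip_src,
            "via": sent_by,
            # A mismatch means the IP header was rewritten on the path
            # (source NAT) while the SIP payload was left untouched.
            "translated": ip_src != sent_by,
        })
    return results


if __name__ == "__main__":
    for r in compare_layers(CAPTURE):
        print(r["start"], r["ip_src"], r["via"],
              "translated" if r["translated"] else "routed")
```

On the posted packets, the REGISTER seen on the OpenVPN side has matching addresses, while the INVITE seen on the PBX-side interface has IP source 192.168.239.250:13559 and Via 10.254.254.6:5060.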
