Re: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

2017-04-19 Thread Victor Villarreal
Hi Ernie,

When one-way audio appears (no matter if there is a VPN or NAT server on
the diagram) I simply:

* Enable SIP debug on the Asterisk server. Execute 'sip set debug ip x.x.x.x'
on the Asterisk CLI, where x.x.x.x is the IP of the phone or SIP peer you want
to debug.

* Make a test call and replicate the issue.

* Stop debug with 'sip set debug off'.

* Follow the SIP conversation. Verify that the INVITE message has the
correct IP in the Contact field and any other related fields.

* In the SDP handshake, verify that the ports where the sound is sent are
correct.

Normally, one-way audio is faced when one audio stream (for example the called
audio) is sent to the correct IP and port destination, and the other audio
stream (for example the caller audio) isn't.

Last, if Asterisk is 'behind' another server, you need to tell Asterisk what
the external IP is so it can inform your clients of this IP.

If you don't want to follow the SIP conversation in plain text, you can make
a packet capture on the Asterisk server, instead of SIP debug.

On 19 Apr 2017 16:38, "Mark Wiater" wrote:

> On 4/18/2017 7:40 PM, Ernie Dunbar wrote:
>
>> Server network: 192.168.0.0/24
>> OpenVPN network: 10.8.0.0/24
>> Asus network: 192.168.1.0/24
>>
>> The Asterisk SIP registration appears to be responding properly to this -
>> this is what I see when I do a 'sip show peer' for an Aastra phone that's
>> connecting through the VPN (Asterisk output is truncated):
>>
>>   ToHost   :
>>   Addr->IP : 10.8.0.6:5060
>>
>
> If the Asus network is 192.168.1.0/24, and the phone is registering as
> 10.0.8.6, it looks like NAT is taking place. Would your asterisk server
> know how to route traffic to 192.168.1.0/24?
>
> I've always used site-to-site OpenVPN tunnels where the vpn's terminate on
> the gateway for both the phones and the asterisk server. I've always had
> rock solid connections between phones and Asterisk.
-- 
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
  https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users
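
An added example, not part of Victor's post or of Asterisk itself: a Python version of the Contact and SDP check he describes, run over a constructed INVITE. The three networks are the ones named in the thread; the phone address 192.168.1.50, the RTP port, the function names, and which side can route where are assumptions.

```python
import ipaddress
import re

# Networks named in the thread. Which side can route to which is an assumption.
SERVER_LAN = ipaddress.ip_network("192.168.0.0/24")
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
PHONE_LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed INVITE (not from the thread): the Contact carries the tunnel
# address, but the SDP still carries a made-up phone LAN address.
PHONE_INVITE = """\
INVITE sip:100@192.168.0.3 SIP/2.0
Via: SIP/2.0/UDP 10.8.0.6:5060;branch=z9hG4bK-constructed
From: <sip:FrontDesk1@192.168.0.3>;tag=constructed
To: <sip:100@192.168.0.3>
Call-ID: constructed-call-1
CSeq: 1 INVITE
Contact: <sip:FrontDesk1@10.8.0.6:5060;transport=udp>
Content-Type: application/sdp

v=0
o=- 1 1 IN IP4 192.168.1.50
s=-
c=IN IP4 192.168.1.50
t=0 0
m=audio 3000 RTP/AVP 0 8
"""

def media_endpoints(raw):
    """Return (contact_host, [(media, ip, port), ...]) advertised by a message."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    contact = None
    for line in head.split("\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("contact", "m"):  # "m" is the compact form
            found = re.search(r"sips?:(?:[^@>;]+@)?([0-9.]+)", value)
            contact = found.group(1) if found else None
    session_ip, current, streams = None, None, []
    for line in body.split("\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
            if current is None:
                session_ip = ip       # session-level address
            else:
                current[1] = ip       # media-level address overrides it
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            current = [media, session_ip, int(port)]
            streams.append(current)
    return contact, [tuple(s) for s in streams]

def audit(raw, reachable):
    """List advertised addresses that the receiving side cannot route to."""
    def routable(ip):
        return any(ipaddress.ip_address(ip) in net for net in reachable)
    contact, streams = media_endpoints(raw)
    findings = []
    if contact and not routable(contact):
        findings.append(f"Contact {contact} is not routable by the receiver")
    for media, ip, port in streams:
        if ip is None or not routable(ip):
            findings.append(f"{media} RTP to {ip}:{port} is not routable by the receiver")
    return findings

if __name__ == "__main__":
    # Assumed view from the Asterisk box: its own LAN plus the tunnel network.
    for finding in audit(PHONE_INVITE, [SERVER_LAN, VPN_NET]):
        print(finding)
```

Paste one SIP message at a time from the debug output or packet capture, and pass the networks that the receiving side actually has routes for.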

Re: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

2017-04-19 Thread Mark Wiater

On 4/18/2017 7:40 PM, Ernie Dunbar wrote:

> Server network: 192.168.0.0/24
> OpenVPN network: 10.8.0.0/24
> Asus network: 192.168.1.0/24
>
> The Asterisk SIP registration appears to be responding properly to
> this - this is what I see when I do a 'sip show peer' for an Aastra
> phone that's connecting through the VPN (Asterisk output is truncated):
>
>   ToHost   :
>   Addr->IP : 10.8.0.6:5060

If the Asus network is 192.168.1.0/24, and the phone is registering as
10.0.8.6, it looks like NAT is taking place. Would your asterisk server
know how to route traffic to 192.168.1.0/24?

I've always used site-to-site OpenVPN tunnels where the vpn's terminate
on the gateway for both the phones and the asterisk server. I've always
had rock solid connections between phones and Asterisk.

Re: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

2017-04-19 Thread Ernie Dunbar

  
  
On 2017-04-18 05:21 PM, Duncan Turnbull wrote:

> Sent from my iPhone
>
> On 19/04/2017, at 11:43 AM, Ernie Dunbar wrote:
>
>> On 2017-04-18 03:38 PM, Duncan Turnbull wrote:
>>
>>> -- Original Message --
>>> From: "Ernie Dunbar"
>>> To: "'Asterisk Users Mailing List - Non-Commercial Discussion'"
>>> Sent: 19-Apr-17 10:25:59 AM
>>> Subject: [asterisk-users] SIP connections over OpenVPN
>>> connection get one-way voice.
>>>
>>>> Hi everyone. I'm having some trouble with an
>>>> OpenVPN tunnel that isn't working *quite* as well as
>>>> we'd hoped.
>>>>
>>>> First, here's our technical details:
>>>>
>>>> The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box
>>>> behind a NAT router. The router has UDP port 1194
>>>> forwarded to our server. This server also runs our
>>>> office Asterisk PBX, so there isn't any networking
>>>> hardware or firewall between the VPN tunnel and the
>>>> Asterisk PBX.
>>>
>>> Asterisk may be replying from the TUN address which
>>> may confuse your sip client - if you set the TUN address
>>> as a proxy that seems to solve it. If asterisk is bound
>>> to every address then implicitly it shouldn't matter
>>> where it replies from, but in the openvpn case it seems
>>> to reply from a different address to the one it was
>>> called on and that can definitely fool clients. tcpdump
>>> on the tunnel can help you see what's happening
>>
>> I think I'll need a bit more detail about how to set the TUN
>> address as a proxy. Is this done on the OpenVPN server, or at
>> the client end? I'm also going to tell Asterisk to bind to all
>> IPs and then restart it when there's no calls in progress,
>> perhaps that's all I need to do?
>
> Set it as a proxy server in your sip phone client, we found
> using the tun ip on the vpn server works, we keep the actual
> asterisk address as the sip server and use the tun ip as the
> proxy server
>
> Asterisk is probably already bound to all the addresses.
> netstat -nupl should show you the addresses it's listening on
> for udp; if it says 0.0.0.0 it means all addresses
>
> sudo tcpdump -i tun0 -s0 -A udp port 5060
>
> Should show you the sip messages going through the tunnel and
> you can check the reply addresses

Hmm. I also can't ping the phone's IP address on the 192.168.1.0/24
network. Perhaps that's the real problem there. This VPN should work
both ways, shouldn't it?

  



Re: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

2017-04-18 Thread Duncan Turnbull


Sent from my iPhone

> On 19/04/2017, at 11:43 AM, Ernie Dunbar  wrote:
> 
>> On 2017-04-18 03:38 PM, Duncan Turnbull wrote:
>> -- Original Message --
>> From: "Ernie Dunbar" 
>> To: "'Asterisk Users Mailing List - Non-Commercial Discussion'" 
>> 
>> Sent: 19-Apr-17 10:25:59 AM
>> Subject: [asterisk-users] SIP connections over OpenVPN connection get 
>> one-way voice.
>>  
>>> Hi everyone. I'm having some trouble with an OpenVPN tunnel that isn't 
>>> working *quite* as well as we'd hoped.
>>> 
>>> First, here's our technical details:
>>> 
>>> The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a NAT router. 
>>> The router has UDP port 1194 forwarded to our server. This server 
>>> also runs our office Asterisk PBX, so there isn't any networking hardware 
>>> or firewall between the VPN tunnel and the Asterisk PBX.
>>  
>>  
>> Asterisk may be replying from the TUN address which may confuse your sip 
>> client - if you set the TUN address as a proxy that seems to solve it. If 
>> asterisk is bound to every address then implicitly it shouldn't matter where 
>> it replies from, but in the openvpn case it seems to reply from a different 
>> address to the one it was called on and that can definitely fool clients. 
>> tcpdump on the tunnel can help you see what's happening
>>  
> 
> I think I'll need a bit more detail about how to set the TUN address as a 
> proxy. Is this done on the OpenVPN server, or at the client end? I'm also 
> going to tell Asterisk to bind to all IPs and then restart it when there's no 
> calls in progress, perhaps that's all I need to do?

Set it as a proxy server in your sip phone client, we found using the tun ip on 
the vpn server works, we keep the actual asterisk address as the sip server and 
use the tun ip as the proxy server

Asterisk is probably already bound to all the addresses. netstat -nupl should 
show you the addresses it's listening on for udp; if it says 0.0.0.0 it means 
all addresses

sudo tcpdump -i tun0 -s0 -A udp port 5060

Should show you the sip messages going through the tunnel and you can check the 
reply addresses

Re: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

2017-04-18 Thread Ernie Dunbar

  
  
On 2017-04-18 03:38 PM, Duncan Turnbull wrote:

> -- Original Message --
> From: "Ernie Dunbar"
> To: "'Asterisk Users Mailing List - Non-Commercial Discussion'"
> Sent: 19-Apr-17 10:25:59 AM
> Subject: [asterisk-users] SIP connections over OpenVPN
> connection get one-way voice.
>
>> Hi everyone. I'm having some trouble with an
>> OpenVPN tunnel that isn't working *quite* as well as we'd
>> hoped.
>>
>> First, here's our technical details:
>>
>> The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind
>> a NAT router. The router has UDP port 1194 forwarded to our
>> server. This server also runs our office Asterisk PBX, so
>> there isn't any networking hardware or firewall between the
>> VPN tunnel and the Asterisk PBX.
>
> Asterisk may be replying from the TUN address which may
> confuse your sip client - if you set the TUN address as a
> proxy that seems to solve it. If asterisk is bound to every
> address then implicitly it shouldn't matter where it replies
> from, but in the openvpn case it seems to reply from a
> different address to the one it was called on and that can
> definitely fool clients. tcpdump on the tunnel can help you
> see what's happening

I think I'll need a bit more detail about how to set the TUN address
as a proxy. Is this done on the OpenVPN server, or at the client
end? I'm also going to tell Asterisk to bind to all IPs and then
restart it when there's no calls in progress, perhaps that's all I
need to do?
  



Re: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

2017-04-18 Thread Ernie Dunbar

  
  
On 2017-04-18 03:39 PM, Sebastian Nielsen wrote:

> You need to ensure that traffic to the SIP box is sent to the
> correct IP. Also if you use split-tunnel (eg: not redirect-gateway
> def1) you must make sure NAT and traffic redirection works as is
> so the Asus router knows it should send the traffic through tunnel
> and not via WAN.

I'm not that well versed in OpenVPN, but it's worth noting that we
have the `push "redirect-gateway def1 bypass-dhcp"` directive set on
the server. I have two independent DHCP servers on either side of
the VPN, so that the clients are getting their IP addresses for
their appropriate networks - 192.168.0.0/24 on the server side, and
192.168.1.0/24 on the client side.

> IMPORTANT: Then you must, in the ASUS RT-N66U make a port
> forward inwards from TUN to the phone client.

I'll give that a shot, but it will have to wait until tomorrow. :)

> I would suggest wiresharking on the client side and see which
> IP Asterisk suggests the client should connect back to. This
> should be the internal IP of the asterisk server as seen from
> the openvpn server's point of view.
>
> Another important thing: The local network in the Openvpns
> machine location, may NOT have same subnet as the network behind
> the asus.
> All these must be separate, like:
> server network: 192.168.1.0/24
> Openvpn tunnel network: 192.168.2.0/24
> Asus network: 192.168.3.0/24

I'm pretty sure that I've got this subnet separation in place. If I
didn't cover it in my original post, the network looks like this:

Server network: 192.168.0.0/24
OpenVPN network: 10.8.0.0/24
Asus network: 192.168.1.0/24

The Asterisk SIP registration appears to be responding properly to
this - this is what I see when I do a 'sip show peer' for an Aastra
phone that's connecting through the VPN (Asterisk output is
truncated):

  ToHost       :
  Addr->IP     : 10.8.0.6:5060
  Defaddr->IP  : (null)
  Prim.Transp. : UDP
  Allowed.Trsp : UDP
  Def. Username: FrontDesk1
  SIP Options  : (none)
  Codecs       : (ulaw|alaw)
  Codec Order  : (ulaw:20,alaw:20)
  Auto-Framing : No
  Status       : Unmonitored
  Useragent    : Aastra 6731i/3.2.2.1136
  Reg. Contact : sip:FrontDesk1@10.8.0.6:5060;transport=udp

> Else you get bizarre routing problems when states appear in
> the state table.
>
> Original message
> From: Ernie Dunbar
> Date: 2017-04-19 00:25 (GMT+01:00)
> To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
> Subject: [asterisk-users] SIP connections over OpenVPN
> connection get one-way voice.
>
> Hi everyone. I'm having some trouble with an OpenVPN tunnel that
> isn't working *quite* as well as we'd hoped.
>
> First, here's our technical details:
>
> The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a
> NAT router. The router has UDP port 1194 forwarded to our server.
> This server also runs our office Asterisk PBX, so there isn't any
> networking hardware or firewall between the VPN tunnel and the
> Asterisk PBX.
>
> The OpenVPN client is an Asus RT-N66U router, which if I'm not
> mistaken, runs a somewhat modified version of Tomato.
>
> I've got the VPN tunnel working well enough. I can do practically
> anything from a computer hooked up to the client router as if I
> were in the main office where the server is. But any SIP client I
> use - whether it's a hardware SIP phone or a soft phone like
> Zoiper, can connect to the Asterisk server without issue. Making
> calls can work, accepting calls works, but I only get 1 way voice
> traffic. I can hear voice data coming in FROM the Asterisk PBX,
> but I cannot send any.
>
> In my experience with SIP, this usually means a firewall is
> breaking the connection from the client phone to the Asterisk
> server. I just can't for the life of me find what could be wrong.
> None of the other traffic is being blocked. The ipfw firewall on
> the Asterisk PBX is extremely open (see below). The firewall on
> the client router is turned off, and as far as I can tell, most
> NAT routers don't even block outbound traffic in the first place.
>
> I can't see how traffic from the TUN interface on the OpenVPN
> server even can be blocked going to another IP address on the same
> box, but here are the IPFW rules:
>
> root@ldinfo:/etc/asterisk# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target prot opt source

Re: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

2017-04-18 Thread Sebastian Nielsen
You need to ensure that traffic to the SIP box is sent to the correct IP. Also 
if you use split-tunnel (eg: not redirect-gateway def1) you must make sure NAT 
and traffic redirection works as is so the Asus router knows it should send the 
traffic through tunnel and not via WAN.

IMPORTANT: Then you must, in the ASUS RT-N66U make a port forward inwards from 
TUN to the phone client.

I would suggest wiresharking on the client side and see which IP Asterisk 
suggests the client should connect back to. This should be the internal IP of 
the asterisk server as seen from the openvpn server's point of view.

Another important thing: The local network in the Openvpns machine location, 
may NOT have same subnet as the network behind the asus.
All these must be separate, like:
server network: 192.168.1.0/24
Openvpn tunnel network: 192.168.2.0/24
Asus network: 192.168.3.0/24

Else you get bizarre routing problems when states appear in the state table.

Original message
From: Ernie Dunbar
Date: 2017-04-19 00:25 (GMT+01:00)
To: 'Asterisk Users Mailing List - Non-Commercial Discussion'
Subject: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

Hi everyone. I'm having some trouble with an OpenVPN tunnel that
isn't working *quite* as well as we'd hoped.

First, here's our technical details:

The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a NAT
router. The router has UDP port 1194 forwarded to our server. This
server also runs our office Asterisk PBX, so there isn't any
networking hardware or firewall between the VPN tunnel and the
Asterisk PBX.

The OpenVPN client is an Asus RT-N66U router, which if I'm not
mistaken, runs a somewhat modified version of Tomato.

I've got the VPN tunnel working well enough. I can do practically
anything from a computer hooked up to the client router as if I were
in the main office where the server is. But any SIP client I use -
whether it's a hardware SIP phone or a soft phone like Zoiper, can
connect to the Asterisk server without issue. Making calls can work,
accepting calls works, but I only get 1 way voice traffic. I can
hear voice data coming in FROM the Asterisk PBX, but I cannot send
any.

In my experience with SIP, this usually means a firewall is breaking
the connection from the client phone to the Asterisk server. I just
can't for the life of me find what could be wrong. None of the other
traffic is being blocked. The ipfw firewall on the Asterisk PBX is
extremely open (see below). The firewall on the client router is
turned off, and as far as I can tell, most NAT routers don't even
block outbound traffic in the first place.

I can't see how traffic from the TUN interface on the OpenVPN server
even can be blocked going to another IP address on the same box, but
here are the IPFW rules:

root@ldinfo:/etc/asterisk# iptables -L -n
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 192.168.0.3
ACCEPT all -- 192.168.1.0/24 192.168.0.3
ACCEPT all -- 10.8.0.0/24 192.168.0.3
ACCEPT all -- X.X.X.X 192.168.0.3
ACCEPT all -- 192.168.0.3 X.X.X.X
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
REJECT all -- 112.220.127.26 0.0.0.0/0 reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (0 references)
target prot opt source destination

192.168.0.0/24 is the network the Asterisk PBX and OpenVPN server
are on.
192.168.1.0/24 is the network that the remote router is on.
10.8.0.0/24 is the network that the TUN device creates.
X.X.X.X is our datacenter.
192.168.0.3 is the IP address of our PBX.

Any assistance would be greatly appreciated.




  

  


Re: [asterisk-users] SIP connections over OpenVPN connection get one-way voice.

2017-04-18 Thread Duncan Turnbull

-- Original Message --
From: "Ernie Dunbar"
To: "'Asterisk Users Mailing List - Non-Commercial Discussion'"
Sent: 19-Apr-17 10:25:59 AM
Subject: [asterisk-users] SIP connections over OpenVPN connection get
one-way voice.

> Hi everyone. I'm having some trouble with an OpenVPN tunnel that isn't
> working *quite* as well as we'd hoped.
>
> First, here's our technical details:
>
> The OpenVPN server (v2.3.4-5+deb8u1) is a Debian 8 box behind a NAT
> router. The router has UDP port 1194 forwarded to our server. This
> server also runs our office Asterisk PBX, so there isn't any networking
> hardware or firewall between the VPN tunnel and the Asterisk PBX.

Asterisk may be replying from the TUN address which may confuse your sip
client - if you set the TUN address as a proxy that seems to solve it.
If asterisk is bound to every address then implicitly it shouldn't
matter where it replies from, but in the openvpn case it seems to reply
from a different address to the one it was called on and that can
definitely fool clients. tcpdump on the tunnel can help you see what's
happening

> The OpenVPN client is an Asus RT-N66U router, which if I'm not mistaken,
> runs a somewhat modified version of Tomato.
>
> I've got the VPN tunnel working well enough. I can do practically
> anything from a computer hooked up to the client router as if I were in
> the main office where the server is. But any SIP client I use - whether
> it's a hardware SIP phone or a soft phone like Zoiper, can connect to
> the Asterisk server without issue. Making calls can work, accepting
> calls works, but I only get 1 way voice traffic. I can hear voice data
> coming in FROM the Asterisk PBX, but I cannot send any.
>
> In my experience with SIP, this usually means a firewall is breaking the
> connection from the client phone to the Asterisk server. I just can't
> for the life of me find what could be wrong. None of the other traffic
> is being blocked. The ipfw firewall on the Asterisk PBX is extremely
> open (see below). The firewall on the client router is turned off, and
> as far as I can tell, most NAT routers don't even block outbound traffic
> in the first place.
>
> I can't see how traffic from the TUN interface on the OpenVPN server
> even can be blocked going to another IP address on the same box, but
> here are the IPFW rules:
>
> root@ldinfo:/etc/asterisk# iptables -L -n
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 192.168.0.0/24 192.168.0.3
> ACCEPT all -- 192.168.1.0/24 192.168.0.3
> ACCEPT all -- 10.8.0.0/24 192.168.0.3
> ACCEPT all -- X.X.X.X 192.168.0.3
> ACCEPT all -- 192.168.0.3 X.X.X.X
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1194
> REJECT all -- 112.220.127.26 0.0.0.0/0 reject-with icmp-port-unreachable
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain POSTROUTING (0 references)
> target prot opt source destination
>
> 192.168.0.0/24 is the network the Asterisk PBX and OpenVPN server are
> on.
> 192.168.1.0/24 is the network that the remote router is on.
> 10.8.0.0/24 is the network that the TUN device creates.
> X.X.X.X is our datacenter.
> 192.168.0.3 is the IP address of our PBX.
>
> Any assistance would be greatly appreciated.
