Remote extension over VPN

I am using:
FreePBX 2.11.0.43
Firewall with PFSense with OpenVPN Server on the firewall and client on a cell phone
CSipSimple for remote extension on the cell phone

I can make calls to the extension without issue. When I dial another number or internal extension from CSipsimple, the call connects, then terminates within a few seconds. The phone shows 481 / Call / Transaction does not exist. Asterisk shows:

<<<>>>
new stack
– Executing [s@macro-dial-one:9] GotoIf(“SIP/1213-00002f68”, “0?continue”) in new stack
– Executing [s@macro-dial-one:10] Set(“SIP/1213-00002f68”, “EXTHASCW=”) in new stack
– Executing [s@macro-dial-one:11] GotoIf(“SIP/1213-00002f68”, “1?next1:cwinusebusy”) in new stack
– Goto (macro-dial-one,s,12)
– Executing [s@macro-dial-one:12] GotoIf(“SIP/1213-00002f68”, “0?docfu:skip3”) in new stack
– Goto (macro-dial-one,s,16)
– Executing [s@macro-dial-one:16] GotoIf(“SIP/1213-00002f68”, “1?next2:continue”) in new stack
– Goto (macro-dial-one,s,17)
– Executing [s@macro-dial-one:17] GotoIf(“SIP/1213-00002f68”, “1?continue”) in new stack
– Goto (macro-dial-one,s,25)
– Executing [s@macro-dial-one:25] GotoIf(“SIP/1213-00002f68”, “0?nodial”) in new stack
– Executing [s@macro-dial-one:26] GosubIf(“SIP/1213-00002f68”, “1?dstring,1():dlocal,1()”) in new stack
– Executing [dstring@macro-dial-one:1] Set(“SIP/1213-00002f68”, “DSTRING=”) in new stack
– Executing [dstring@macro-dial-one:2] Set(“SIP/1213-00002f68”, “DEVICES=127”) in new stack
– Executing [dstring@macro-dial-one:3] ExecIf(“SIP/1213-00002f68”, “0?Return()”) in new stack
– Executing [dstring@macro-dial-one:4] ExecIf(“SIP/1213-00002f68”, “0?Set(DEVICES=27)”) in new stack
– Executing [dstring@macro-dial-one:5] Set(“SIP/1213-00002f68”, “LOOPCNT=1”) in new stack
– Executing [dstring@macro-dial-one:6] Set(“SIP/1213-00002f68”, “ITER=1”) in new stack
– Executing [dstring@macro-dial-one:7] Set(“SIP/1213-00002f68”, “THISDIAL=SIP/127”) in new stack
– Executing [dstring@macro-dial-one:8] GosubIf(“SIP/1213-00002f68”, “1?zap2dahdi,1()”) in new stack
– Executing [zap2dahdi@macro-dial-one:1] ExecIf(“SIP/1213-00002f68”, “0?Return()”) in new stack
– Executing [zap2dahdi@macro-dial-one:2] Set(“SIP/1213-00002f68”, “NEWDIAL=”) in new stack
– Executing [zap2dahdi@macro-dial-one:3] Set(“SIP/1213-00002f68”, “LOOPCNT2=1”) in new stack
– Executing [zap2dahdi@macro-dial-one:4] Set(“SIP/1213-00002f68”, “ITER2=1”) in new stack
– Executing [zap2dahdi@macro-dial-one:5] Set(“SIP/1213-00002f68”, “THISPART2=SIP/127”) in new stack
– Executing [zap2dahdi@macro-dial-one:6] ExecIf(“SIP/1213-00002f68”, “0?Set(THISPART2=DAHDI/127)”) in new stack
– Executing [zap2dahdi@macro-dial-one:7] Set(“SIP/1213-00002f68”, “NEWDIAL=SIP/127&”) in new stack
– Executing [zap2dahdi@macro-dial-one:8] Set(“SIP/1213-00002f68”, “ITER2=2”) in new stack
– Executing [zap2dahdi@macro-dial-one:9] GotoIf(“SIP/1213-00002f68”, “0?begin2”) in new stack
– Executing [zap2dahdi@macro-dial-one:10] Set(“SIP/1213-00002f68”, “THISDIAL=SIP/127”) in new stack
– Executing [zap2dahdi@macro-dial-one:11] Return(“SIP/1213-00002f68”, “”) in new stack
– Executing [dstring@macro-dial-one:9] Set(“SIP/1213-00002f68”, “DSTRING=SIP/127&”) in new stack
– Executing [dstring@macro-dial-one:10] Set(“SIP/1213-00002f68”, “ITER=2”) in new stack
– Executing [dstring@macro-dial-one:11] GotoIf(“SIP/1213-00002f68”, “0?begin”) in new stack
– Executing [dstring@macro-dial-one:12] Set(“SIP/1213-00002f68”, “DSTRING=SIP/127”) in new stack
– Executing [dstring@macro-dial-one:13] Return(“SIP/1213-00002f68”, “”) in new stack
– Executing [s@macro-dial-one:27] GotoIf(“SIP/1213-00002f68”, “0?nodial”) in new stack
– Executing [s@macro-dial-one:28] GotoIf(“SIP/1213-00002f68”, “0?skiptrace”) in new stack
– Executing [s@macro-dial-one:29] GosubIf(“SIP/1213-00002f68”, “1?ctset,1():ctclear,1()”) in new stack
– Executing [ctset@macro-dial-one:1] Set(“SIP/1213-00002f68”, “DB(CALLTRACE/127)=1213”) in new stack
– Executing [ctset@macro-dial-one:2] Return(“SIP/1213-00002f68”, “”) in new stack
– Executing [s@macro-dial-one:30] Set(“SIP/1213-00002f68”, “D_OPTIONS=Ttr”) in new stack
– Executing [s@macro-dial-one:31] ExecIf(“SIP/1213-00002f68”, “0?SIPAddHeader(Alert-Info: )”) in new stack
– Executing [s@macro-dial-one:32] ExecIf(“SIP/1213-00002f68”, “0?SIPAddHeader()”) in new stack
– Executing [s@macro-dial-one:33] ExecIf(“SIP/1213-00002f68”, “0?Set(CHANNEL(musicclass)=)”) in new stack
– Executing [s@macro-dial-one:34] GosubIf(“SIP/1213-00002f68”, “0?qwait,1()”) in new stack
– Executing [s@macro-dial-one:35] Set(“SIP/1213-00002f68”, “__CWIGNORE=”) in new stack
– Executing [s@macro-dial-one:36] Set(“SIP/1213-00002f68”, “__KEEPCID=TRUE”) in new stack
– Executing [s@macro-dial-one:37] GotoIf(“SIP/1213-00002f68”, “0?usegoto,1”) in new stack
– Executing [s@macro-dial-one:38] GotoIf(“SIP/1213-00002f68”, “0?godial”) in new stack
– Executing [s@macro-dial-one:39] Set(“SIP/1213-00002f68”, “CONNECTEDLINE(name,i)=Nathaniel”) in new stack
– Executing [s@macro-dial-one:40] Set(“SIP/1213-00002f68”, “CONNECTEDLINE(num)=127”) in new stack
– Executing [s@macro-dial-one:41] Set(“SIP/1213-00002f68”, “D_OPTIONS=TtrI”) in new stack
– Executing [s@macro-dial-one:42] Dial(“SIP/1213-00002f68”, “SIP/127,15,TtrI”) in new stack
== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
– Called SIP/127
– Connected line update to SIP/1213-00002f68 prevented.
– SIP/127-00002f69 is ringing
– Connected line update to SIP/1213-00002f68 prevented.
– SIP/127-00002f69 answered SIP/1213-00002f68
[2016-12-21 14:04:41] WARNING[5435]: chan_sip.c:3983 retrans_pkt: Retransmission timeout reached on transmission BvEHUG.gRSZPib1NRlgfcDA3jCyQZqWG for seqno 11788 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 11200ms with no response
[2016-12-21 14:04:41] WARNING[5435]: chan_sip.c:4012 retrans_pkt: Hanging up call BvEHUG.gRSZPib1NRlgfcDA3jCyQZqWG - no reply to our critical packet (see https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions).
– Executing [h@macro-dial-one:1] Macro(“SIP/1213-00002f68”, “hangupcall,”) in new stack
– Executing [s@macro-hangupcall:1] GotoIf(“SIP/1213-00002f68”, “1?theend”) in new stack
– Goto (macro-hangupcall,s,3)
– Executing [s@macro-hangupcall:3] ExecIf(“SIP/1213-00002f68”, “0?Set(CDR(recordingfile)=)”) in new stack
– Executing [s@macro-hangupcall:4] Hangup(“SIP/1213-00002f68”, “”) in new stack
== Spawn extension (macro-hangupcall, s, 4) exited non-zero on ‘SIP/1213-00002f68’ in macro ‘hangupcall’
== Spawn extension (macro-dial-one, h, 1) exited non-zero on ‘SIP/1213-00002f68’
== Spawn extension (macro-dial-one, s, 42) exited non-zero on ‘SIP/1213-00002f68’ in macro ‘dial-one’
== Spawn extension (macro-exten-vm, s, 14) exited non-zero on ‘SIP/1213-00002f68’ in macro ‘exten-vm’
== Spawn extension (from-internal, 127, 2) exited non-zero on ‘SIP/1213-00002f68’
[2016-12-21 14:05:39] NOTICE[5435]: chan_sip.c:27043 sip_poke_noanswer: Peer ‘1213’ is now UNREACHABLE! Last qualify: 205
<<<>>>

What IP address do you have set up as your remote extension registering to? PBX IP or the OpenVPN IP?

VPNs are band-aid solutions for poorly secured network resources at a head office.

Setup SIP over TLS and SRTP and save yourslef the trouble of OpenVPN bugs and the increased latency.

You’ll appreciate the reliability of SIP over TLS because it is actually a TCP connection for signalling.

I have virtually 100% error free operation for calls minus the occasional packet loss on mobile networks.

You may need to upgrade to at least FreePBX 5.x or higher and Asterisk 11.

P.S. I tried CSipSimple and I found better audio quality, reliability, and ease of setup with zoiper gold.

P.P.S. pfSense rocks!

The remote extension registers to the PBX IP.

change the registration to the openvpn IP 10.8.0.1 or whatever you have set. Also did you make sure the external IP of the PBX was listed in the VPN.cfg?

Switch off all the NAT traversal techniques on the client.
Configure a client as it would work locally.
Make sure that your ‘IPv4 Tunnel Network’ is configured on the server as additional “localnet=”.
Don’t look into the regular Asterisk logs, sip debug is your only friend.
Don’t listen to people who don’t have the same configuration working :wink:

VPNs are not band-aid solutions. VPNs are the most secure way to connect remote locations to your network.

Have you set-up the Asterisk SIP Settings module to inform FreePBX and Asterisk that the remote subnet is local?

2 Likes

AdHominem, this was the missing step, namely adding the subnet from the VPN to SIP settings. As to trying to secure multiple public Internet facing services inside my network, uh… no. Not interested.