I’m trying to register a ChanSIP extension with TLS on port 5161.
The PBX has a self-signed certificate.
When registering locally (against the LAN IP), it works fine. But when trying to register against the WAN IP, it does not register at all. It just says timeout.
I have the following ports forwarded:
5060-5062 (UDP & TCP)
5161 (UDP & TCP)
10k-20k (UDP & TCP)
For testing purposes I tried doing a regular, unencrypted registration, and it works fine.
I am obviously missing something…
TL;DR Can’t register externally, but successfully registering locally, using TLS.
I’ll be very honest, this is my first time playing with SIP TLS…
All I did was install a Micro SIP client on the same LAN, set it to use TLS, and it registered successfully. (I obviously configured the extension on the PBX to use TLS.)
Then I tried doing the same thing with a Micro SIP client and a Yealink phone from a remote office. It doesn’t work.
Old memory… I recall something about TCP vs. UDP and that you needed to use signaling on TCP for that to work. I might have dreamt that, though, so don’t waste a lot of time on it if it doesn’t make any difference.
TLS is a TCP protocol. So you have to have it forwarded correctly for a remote device to work.
Yealink phones, of certain models, have known issues with some certificates, notably LE as issued by FreePBX 14. I’ve posted about it more than once with my findings.
So stick with your known working soft phone to validate the process first. Then work with the Yealink to resolve certificate issues.
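The reply above makes the key point: SIP over TLS rides on TCP, so a "timeout" from the WAN side usually means the TCP port never reaches the PBX, which is a different failure from a certificate the phone refuses. The following probe, an added example that is not code from this thread or from FreePBX, separates the two stages: it first opens a plain TCP connection to the SIP TLS port and then attempts the TLS handshake (with certificate verification disabled, since the PBX uses a self-signed certificate and the goal here is only reachability). A TCP-stage timeout points at port forwarding or a firewall; a TLS-stage failure points at the certificate or TLS configuration. The host, port and timeout values are assumptions to be replaced with your own, and the local listener helper exists only so the probe can be exercised offline.

```python
import socket
import ssl
import threading

# Assumed values: replace with the PBX LAN/WAN address and the SIP TLS port from the thread (5161).
DEFAULT_PORT = 5161
DEFAULT_TIMEOUT = 5.0


def probe_sip_tls(host, port=DEFAULT_PORT, timeout=DEFAULT_TIMEOUT):
    """Probe host:port in two stages and report where it fails.

    Returns (stage, detail):
      ("tcp", "timeout")            -> no SYN/ACK: likely no forward or a firewall drop
      ("tcp", "refused")            -> port reachable but nothing listening (RST)
      ("tcp", "error: ...")         -> other OS-level connect error (unreachable, DNS, ...)
      ("tls", "ok TLSv1.x")         -> handshake completed; the phone should at least connect
      ("tls", "handshake failed: X")-> TCP works, TLS does not (cert/protocol mismatch)
    """
    ctx = ssl.create_default_context()
    # Self-signed PBX certificate: skip verification here, this probe checks reachability only.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("tcp", "timeout")
    except ConnectionRefusedError:
        return ("tcp", "refused")
    except OSError as exc:
        return ("tcp", f"error: {exc}")

    try:
        # wrap_socket performs the handshake immediately; the socket keeps its timeout.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ("tls", f"ok {tls.version()}")
    except (ssl.SSLError, OSError) as exc:
        return ("tls", f"handshake failed: {type(exc).__name__}")


def start_plain_tcp_listener():
    """Start a throwaway localhost listener that accepts one TCP connection and
    closes it without speaking TLS. Constructed stand-in for 'port forwarded, but
    the service behind it is not TLS', used only to exercise the probe offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    # Assumed addresses: run from the remote office against the WAN IP, and from the
    # LAN against the LAN IP, and compare which stage differs.
    for target in ("192.0.2.10", "203.0.113.10"):  # placeholder LAN / WAN addresses
        stage, detail = probe_sip_tls(target)
        print(f"{target}:{DEFAULT_PORT} -> {stage}: {detail}")
```

Run the same probe from inside the LAN and from the remote office. If the LAN result is "tls ok" and the WAN result is "tcp timeout", the TLS configuration on the PBX is fine and the TCP forward for 5161 is what needs attention; if both reach the "tls" stage but the phone still will not register, the remaining problem is on the certificate side, which is the Yealink-specific issue the reply describes.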
I do see that when doing a call with no TLS, it sets the WAN address as the remote RTP address instead of the LAN address at the beginning of the call.
0x319c070 -- Strict RTP learning after remote address set to: 72.14.67.184:12374