FreePBX 17 - Just Wont' Call or Receive Calls / OpenVPN

imrah · March 7, 2025, 5:38pm

Hi. I hope someone can help. I’ve spent days trying to get this to work.

I started with a clean Debian 12 install and clean FreePBX on a Linode(Akamai) VPS with no firewall other than the Sangoma within FPBX and a public IP address. I configured the trunk to Clone Line / VOISIP using the pjsip module per normal. I configured outbound routes and inbound routes.

I setup a GXP2160 Grandstream phone with a configured OpenVPN to the server. The server has 10.8.0.1 & the phone 10.8.0.2.

The very first time I dialed out, it dialed and has not done so since. It also will not ring on a dial in, just disconnects immediately.

From sngrep I can see the invite (SDP), a 401 unauthorized response, followed by an ACK. The Invite is being sent sip:[email protected] (openvpn server IP).

And that’s all it does until it eventually releases the line.

I have assumed that the use of OpenVPN should circumvent any natting and double natting issues (it does for everything else I use it for) and the FreePBX should treat the OpenVPN network as local (it looks that way in the configuration) and should use the assigned trunk route per the outbound routes.

It did just once when I first set it up. Now nothing. I’ve tried about everything I can think of at this point.

Any suggestions will be gratefully accepted.

arielgrin · March 8, 2025, 1:53pm

Have you added the OpenVPN network to the trusted networks on the FreePBX firewall configuration?

imrah · March 8, 2025, 2:10pm

Hi. Thanks for replying.
Yes. I did. The extension registers / subscribes fine.

This isn’t my first rodeo with asterisk but the last one was a long time ago (before freepbx existed) and I managed to get everything working.

The REGISTER and OPTIONS work fine but not the INVITE which is rejected every time.

I did also disable the firewall for a bit to test functionality and it’s basically the same.

If I understand the docs. correctly, asterisk rejects the first attempt and then authorizes the second but there is no second ? Am I correct there ?

david55 · March 8, 2025, 3:27pm

That typically means that the what is sending the INVITE has no password to give. If it shouldn’t be being asked for a password, what is supposed to be accepting the INVITE either has failed to identify the requester, or has been misconfigured to require a password.

Note that 401 is not a rejection, it is a way of giving information on how to authenticate, and also of giving a unique challenge that protects against replay attacks.

david55 · March 8, 2025, 3:29pm

Note that it is difficult or impossible to debug something like this without the Asterisk full logs, including PJSIP protocol logs.

imrah · March 8, 2025, 3:48pm

Thanks David.

So, I installed ZOIPER on my Ubuntu desktop and created an extension for it and dials out fine. I did not try dialing in because it is not running through the VPN, just over my (definitely natted) ISP.

The thing that I notice is different is that ZOIPER responds to the initial INVITE (SDP), 401 Unauthorized, ACK with another INVITE (SDP) which is followed by a 100 Trying and then session in progress, but the Grandstream phone does not.

I’ve been trying to figure out how to get the GXP to respond with another INVITE but so far no luck. I did also try the GXP over my natted connection and it still does not authorize so whatever is coming back from the asterisk is not triggering the GXP to resend the INVITE (SDP).

I tried to keep “custom” configuration to a minimum so I am going to look into that password issue. If FPBX is requiring a password and ZOIPER is providing it but the GXP doesn’t think it has to send one is a good place to start.

imrah · March 8, 2025, 3:52pm

I have set debugging on and pjsip logging. I’ll take a look at the logs and see if I can understand them.

Stewart1 · March 8, 2025, 3:59pm

Just guessing, the INVITE with the Authorization header is too big and there is a fragmentation issue.
Try enabling only ulaw (PCMU, g.711u) and alaw (PCMA, g.711a) codecs in the Grandstream.

imrah · March 8, 2025, 4:08pm

OK, I definitely have fragmentation which I can see from tshark…

1 0.000000000     10.8.0.2 → 10.8.0.1     SIP/SDP 1262 Request: INVITE sip:[email protected] | 
    2 0.000983015     10.8.0.1 → 10.8.0.2     SIP 505 Status: 401 Unauthorized | 
    3 0.048884011     10.8.0.2 → 10.8.0.1     SIP 304 Request: ACK sip:[email protected] | 
    4 0.049419833     10.8.0.2 → 10.8.0.1     IPv4 53 Fragmented IP protocol (proto=UDP 17, off=1480, ID=aadd)
    5 0.549094779     10.8.0.2 → 10.8.0.1     IPv4 53 Fragmented IP protocol (proto=UDP 17, off=1480, ID=aade)
    6 1.553863880     10.8.0.2 → 10.8.0.1     IPv4 53 Fragmented IP protocol (proto=UDP 17, off=1480, ID=aadf)
    7 3.554657664     10.8.0.2 → 10.8.0.1     IPv4 53 Fragmented IP protocol (proto=UDP 17, off=1480, ID=aae0)
    8 7.568810730     10.8.0.2 → 10.8.0.1     IPv4 53 Fragmented IP protocol (proto=UDP 17, off=1480, ID=aae1)
    9 9.223833489     10.8.0.2 → 10.8.0.1     SIP 852 Request: REGISTER sip:10.8.0.1  (1 binding) | 
   10 9.224536703     10.8.0.1 → 10.8.0.2     SIP 508 Status: 401 Unauthorized |

I have PCMU enabled. I’ll disable the other stuff and see how that goes.

Thanks

imrah · March 8, 2025, 4:13pm

OK. That fixed the outward dialing ! Thanks very much. I just took out all the other codecs and set the phone to use first matching codec (PCMU) and set the only alternative to PCMA.

Now to work on the incoming