FreePBX + OpenVPN - Iptables/NAT

Hello everyone, i am getting issue with audio in internal phones conected via OpenVPN.

Freepbx/OpenVPN IP: 192.168.1.250
LocalNetwork: 192.168.1.0/24
VPN Pool: 10.8.0.1/24

The problem is when i turn on iptables the local phones cant hear between two phones, when i turn off, i have audio but dont have network for vpn clients.

There are my iptables:
# Generated by iptables-save v1.4.7 on Fri Oct 11 00:49:51 2019
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [3:779]
:OUTPUT ACCEPT [3:779]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT

Completed on Fri Oct 11 00:49:51 2019

Generated by iptables-save v1.4.7 on Fri Oct 11 00:49:51 2019

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [25:7021]
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i eth0 -p udp -m state --state NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22000 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -i tun+ -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o tun+ -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Completed on Fri Oct 11 00:49:51 2019

Thanks

You probably need to allow the IP range that the VPN uses.

I have allowed, i can ping and trace, but no audio

What phones/softphones are you using? Is the OpenVPN server on the FreePBX server or on a separate server?

I am using Yealink T20P / Yealink W52P Softphones.

Yes, OpenVPN Server and FreePBX are running in same server

If the phones are connecting back to FreePBX through the VPN, they should not be using any kind of NAT. In my experience, there are softphones that need NAT=yes even though the use a VPN, like csipsimple, as they advertise their non-vpn IP to Asterisk.

Okay… So… what is supposed to i do? Enable NAT en softphones connected via OpenVPN?

You should first review your iptables rules. It seems they are messing with your configuration and that seems strange. Are you using the firewall module or are you configuring iptables manually?

I am configuring iptables manually, i already posted my iptables in start of topic.

Any reason you are not using the firewall module?
I could show you my firewall rules, I’m also using iptables manually together with fail2ban.

No, don’t have a reason for don’t use firewall.

Right, the firewall make what?

Install the firewall module and configure the SIP settings correctly with your LAN and VPN networks. Add those networks to the trusted networks in the firewall and try making calls. It should work.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.