Getting an extension to register over a VPN tunnell

I have an OpenVPN tunnel set up to utilize for extensions offsite. It has been tested with softphones running on computers connected to the VPN and they work fine. I want to use desk phones, connecting through pi or linux based gateways running ufw/iptables. The gateway computers connect and forward traffic per the ruleset below. I can access the web interface of the phones from inside the network with the PBX. I can ping the PBX on its LAN interface through the VPN tunnel from the phone. But the extensions do not register.

my rules


-A PREROUTING -p udp --dport 5060:5082 -j DNAT --to-destination
-A PREROUTING -p tcp --dport 10000:20000 -j DNAT --to-destination
-A PREROUTING -p udp --dport 80 -j DNAT --to-destination


don’t delete the ‘COMMIT’ line or these rules won’t be processed


RTP uses UDP, not TCP, so it’s UDP ports 10000-20000 that would have to be forwarded. However, that doesn’t explain your problem; registration does not depend on RTP at all. I suspect that the DNAT setup is insufficient to handle traffic originated by the phones (such as registration), but don’t know the details. You can troubleshoot by running tcpdump on the gateway, capturing on all interfaces. You can see the REGISTER request coming in, the mapped request sent to the tunnel, any response from the PBX received from the tunnel, and how it is sent to the phone.

However, you seem to be attempting a very strange setup. One common way of connecting a branch office with headquarters is a site-to-site VPN. The sites use different LAN subnets. Each site routes the other’s subnet through the VPN tunnel (which uses a separate subnet). In most cases, the router/firewall at each end acts as the VPN client or server, though sometimes a separate box does the VPN. In this scheme, individual computers and phones do not require any VPN logic.

A second common approach, where the VPN is just for phones, is to run an OpenVPN server on the PBX itself, with each remote phone having its own OpenVPN client. Most modern deskphones, including Yealink, Sangoma, Polycom and Grandstream have built-in OpenVPN clients and would not require a gateway.

If for some reason you must set up a gateway, try to avoid NAT. If you have multiple phones connected via a gateway with a single tunnel address, it would take a complex port mapping setup to allow each phone to register (source port rewriting) and also allow their web interfaces to be accessed from the PBX LAN.

To be clear, this is a site to site VPN doing everything you described, except… there is only a single extension offsite, and the Pi computer is the client, not the phone. The traffic to/from the phone is to travel over the tunnel established on the Pi. I’ll try using tcdump, as you suggest.

If there’s only a single extension offsite, why not do a phone to PBX VPN with the built in OpenVPN server on FreePBX? Or have the phone connect with TLS?

The only issue I’ve found with phones connecting directly to the OpenVPN server on the PBX is every 2 years or so when you have to renew the certificate it’s a PITA if you have a lot of extensions connecting that way. You have to re-configure them with so they get the proper OpenVPN Config with the new certificate info.

I’m doing all new remote phones with TLS and haven’t had an issue.

1 Like

The attraction for the current approach is based on my experience with OpenVPN and established infrastructure that must already be maintained, versus adding another piece. That, and the need to upgrade the PBX too, which is still version 12.

well if you’re on 12 your options are indeed limited. I would get that up to current versions before anything else, if for security reasons if nothing else… 12 is ancient history. But I understand these situations are not always straight forward.

That said, once that’s done I’d suggest just getting that extension (and probably all of them) on TLS.

I wouldn’t see it as “adding another piece” as much as simplifying the architecture.

1 Like

I ran tcpdump on the pi and monitored tun0 to the PBX host. I had to set transport to the SIP host to TCP in order to get any traffic heading that way on register attempts. I set the extension also to TCP to match. Register still failed. Giving this up.

Does this add cpontext ?

Why VPN tunneling over TCP sucks! – VPN Tracker Blog.

1 Like

The tunnel is all UDP.

Then I give up also :slight_smile:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.