Hi!
So it doesn’t access port 5060 or has it opened through/from the Internet?
What firewall (or firewalls) are you using?
It sounds like they are directly contacting your phone…
There’s one thing I don’t get here, it sounds like the phone is directly accessing port 5060 (and opening a hole back to it in the firewall) but isn’t it supposed to access your PBX through OpenVPN so why should it do that?
Sounds like you have the same problem that is described here:
(Crappy firewalls which open holes back to them when they access an outside server without restricting the traffic to only the IP of the server they contacted…)
They probably don’t know that they are accessing a phone and are simply trying to do toll fraud…
Good luck and have a nice day!
Nick