I’m using 16.0.40.4 and have purchased the SysAdmin module.
I turned on the VPN Server, connected to UCP, downloaded the certificates, installed them into a Grandstream DP752 base station, copied the additional params from the .conf file (I’m a Staff Engineer) into the OpenVPN additional settings in the Grandstream base station, and put in the SIP Credentials.
The OpenVPN connection is established. The server accepted it and it’s registered on the VPN Server administration page of FreePBX. However, SIP Registration cannot happen unless I also add the IP address of the server to the trusted connections portion of the Firewall.
I tried enabling the responsive firewall for PJSIP, but to no avail.
Currently, the only way I can get this base station to connect is to disable the firewall or add an exception for that specific IP address, and then once it’s connected, even if I disable the firewall exception for that IP address, it stays connected even though in the Grandstream settings, it lists all the extensions as offline at that point (if I remove the IP address from “trusted” status after SIP Registration has occurred).
I was hoping to be able to have any OpenVPN client with valid credentials to be able to get connected without having to enter an exception for their IP address since some of them are on Starlink systems with IP addresses that change from day to day.
Okay, I set the server in the base station to the IP address of the server over the VPN connection and that has moved the traffic over the VPN, but it still won’t SIP register without the exception to the public IP address of the device.
I did add 10.8.0.0/24 to the local networks, and I also clicked the Enable toggle for the 10.8.0.0 Route. Server range is configured as: 10.8.0.0/255.255.255.0.
I’ll restart the base station with this configuration and see if it can connect.
Upon reboot, the device registered momentarily on the SIP network, and then deregistered. The OpenVPN connection is active but the SIP extensions are unavailable:
Contact: 2000/sip:[email protected]:5060;x-ast-orig-host=192.168 9d3cef6ef5 Unavail nan
Contact: 2001/sip:[email protected]:5062;x-ast-orig-host=192.168 24adb30c20 Unavail nan
When I unplug the base station from the network that’s trusted I see these lines:
[2023-06-24 23:27:46] VERBOSE[24404] res_pjsip/pjsip_configuration.c: Endpoint 2000 is now Unreachable
[2023-06-24 23:27:46] VERBOSE[24404] res_pjsip/pjsip_options.c: Contact 2000/sip:[email protected]:5060;x-ast-orig-host=192.168.1.123:5060 is now Unreachable. RTT: 0.000 msec
[2023-06-24 23:27:46] VERBOSE[11329] res_pjsip/pjsip_configuration.c: Endpoint 2001 is now Unreachable
[2023-06-24 23:27:46] VERBOSE[11329] res_pjsip/pjsip_options.c: Contact 2001/sip:[email protected]:5062;x-ast-orig-host=192.168.1.123:5062 is now Unreachable. RTT: 0.000 msec
So the tunnel is active now, at least. But, when plugging the base station into a foreign network, I don’t see any log lines at all until I add its public IP to the list of local connections (and then it SIP registers fine).
Your advice really nailed it! The problem was rooted in the network settings of my device. Originally, I had configured a static IP address which caused a mismatch with the netmask of the foreign network. Consequently, an IP address couldn’t be issued, leading to the absence of an x-ast-orig-host. Despite the successful direct connection to the OpenVPN server via IP address, the device couldn’t establish overall connectivity and made no attempts for SIP Registration.
However, shifting to DHCP, and designating 10.8.0.1 as both the primary DNS server and SIP Registration server, resolved the issue wonderfully.
Also, I must give credit where it’s due - your recommendation to modify the server host to 10.8.0.1 was exactly what was needed. A huge thanks for your help!
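
Added example, not part of the original thread: a Python check that reads Asterisk PJSIP contact-status log lines like the ones quoted above and reports which extensions' latest contact sits outside the 10.8.0.0/24 OpenVPN range, meaning the device is not registering through the tunnel. The sample log lines, the addresses 10.8.0.6 and 203.0.113.20, and the function names are constructed for illustration.

```python
import ipaddress
import re

VPN_NET = ipaddress.ip_network("10.8.0.0/24")  # server range given in the thread

# Matches res_pjsip contact status lines: AOR, contact host, URI params, state.
CONTACT_RE = re.compile(
    r"Contact (?P<aor>[^/\s]+)/sip:(?:[^@;\s]+@)?"
    r"(?P<host>\[[^\]]+\]|[^:;\s]+)(?::\d+)?(?P<params>\S*)"
    r" is now (?P<state>\w+)\."
)

def classify(line):
    """Return contact details for one log line, or None if it is not a contact line."""
    m = CONTACT_RE.search(line)
    if not m:
        return None
    host = m.group("host").strip("[]")
    try:
        via_vpn = ipaddress.ip_address(host) in VPN_NET
    except ValueError:
        via_vpn = False  # a hostname cannot be placed inside the VPN range
    orig = re.search(r";x-ast-orig-host=([^;:\s]+)", m.group("params"))
    return {"aor": m.group("aor"), "host": host, "state": m.group("state"),
            "orig_host": orig.group(1) if orig else None, "via_vpn": via_vpn}

def latest_contacts(lines):
    """Keep only the most recent contact record per extension (AOR)."""
    latest = {}
    for line in lines:
        rec = classify(line)
        if rec:
            latest[rec["aor"]] = rec
    return latest

def outside_tunnel(lines):
    """Extensions whose latest contact address is not inside the VPN range."""
    return sorted(a for a, r in latest_contacts(lines).items() if not r["via_vpn"])

# Constructed sample log lines (not taken from the thread).
SAMPLE = """\
[2023-06-24 23:27:46] VERBOSE[24404] res_pjsip/pjsip_options.c: Contact 2000/sip:2000@10.8.0.6:5060;x-ast-orig-host=192.168.1.123:5060 is now Unreachable. RTT: 0.000 msec
[2023-06-24 23:31:02] VERBOSE[24404] res_pjsip/pjsip_options.c: Contact 2000/sip:2000@10.8.0.6:5060;x-ast-orig-host=192.168.1.123:5060 is now Reachable. RTT: 48.210 msec
[2023-06-24 23:31:05] VERBOSE[11329] res_pjsip/pjsip_options.c: Contact 2001/sip:2001@203.0.113.20:5062;x-ast-orig-host=192.168.1.123:5062 is now Reachable. RTT: 51.004 msec
[2023-06-24 23:31:05] VERBOSE[11329] res_pjsip/pjsip_configuration.c: Endpoint 2001 is now Reachable
""".splitlines()

if __name__ == "__main__":
    for aor, rec in latest_contacts(SAMPLE).items():
        print(aor, rec["host"], rec["state"], "vpn" if rec["via_vpn"] else "NOT via vpn")
```

An extension listed by `outside_tunnel` is registering from an address the firewall would have to trust separately, which is the situation the thread set out to avoid.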