OpenVPN Connects but No SIP Registration

I’m using and have purchased the SysAdmin module.

I turned on the VPN Server, connected to UCP, downloaded the certificates, installed them into a Grandstream DP752 base station, copied the additional params from the .conf file (I’m a Staff Engineer) into the OpenVPN additional settings in the Grandstream base station, and put in the SIP Credentials.

The OpenVPN connection is established. The server accepted it and it’s registered on the VPN Server administration page of FreePBX. However, SIP Registration cannot happen unless I also add the IP address of the server to the trusted connections portion of the Firewall.

I tried enabling the responsive firewall for PJSIP, but to no avail.

Currently, the only way I can get this base station to connect is to disable the firewall or add an exception for that specific IP address, and then once it’s connected, even if I disable the firewall exception for that IP address, it stays connected even though in the Grandstream settings, it lists all the extensions as offline at that point (if I remove the IP address from “trusted” status after SIP Registration has occurred).

I was hoping to be able to have any OpenVPN client with valid credentials to be able to get connected without having to enter an exception for their IP address since some of them are on Starlink systems with IP addresses that change from day to day.

Here’s some additional details:

pjsip show contacts

Contact: <Aor/ContactUri…> <Hash…> <RTT(ms)…>

Contact: 2000/sip:2000@REAL-IP-1:5060;x-ast-orig-host 955316f362 Avail 49.169
Contact: 2001/sip:2001@REAL-IP-2:5060;x-ast-orig-host 080c908b80 Avail 86.046
Contact: 2002/sip:2002@REAL-IP-3:26578;x-ast-orig-hos f514234fcc Avail 301.448
Contact: 2003/sip:2003@REAL-IP-4:53929;x-ast-orig-hos 1e92b5f53c Avail 234.558
Contact: 2004/sip:2004@REAL-IP-5:43878;x-ast-orig-hos 8636731d9b Avail 287.528
Contact: 2005/sip:2005@REAL-IP-6:22420;x-ast-orig-hos cd218e8fa3 Avail 211.941
Contact:[email protected]:5060 63ca9faadb Avail 3.463

Objects found: 7

So, it would seem that none of the connected systems are making use of their VPN credentials even though they are, in fact, connected.

Please confirm that in the DP752, you have set SIP Server to (for example)

(Replace with the OpenVPN tunnel address of the PBX, and 5060 with the value of Port to Listen On in the relevant pjsip transport.)

Also, confirm that in Asterisk SIP Settings, Local Networks includes (for example)


Okay, I set the server in the base station to the IP address of the server over the VPN connection and that has moved the traffic over the VPN, but it still won’t SIP register without the exception to the public IP address of the device.

I did add to the local networks, and I also clicked the Enable toggle for the Route. Server range is configured as:

I’ll restart the base station with this configuration and see if it can connect.

Upon reboot, the device registered momentarily on the SIP network, and then deregistered. The OpenVPN connection is active but the SIP extensions are unavailable:

Contact: 2000/sip:[email protected]:5060;x-ast-orig-host=192.168 9d3cef6ef5 Unavail nan
Contact: 2001/sip:[email protected]:5062;x-ast-orig-host=192.168 24adb30c20 Unavail nan

When I unplug the base station from the network that’s trusted I see these lines:

[2023-06-24 23:27:46] VERBOSE[24404] res_pjsip/pjsip_configuration.c: Endpoint 2000 is now Unreachable
[2023-06-24 23:27:46] VERBOSE[24404] res_pjsip/pjsip_options.c: Contact 2000/sip:[email protected]:5060;x-ast-orig-host= is now Unreachable. RTT: 0.000 msec
[2023-06-24 23:27:46] VERBOSE[11329] res_pjsip/pjsip_configuration.c: Endpoint 2001 is now Unreachable
[2023-06-24 23:27:46] VERBOSE[11329] res_pjsip/pjsip_options.c: Contact 2001/sip:[email protected]:5062;x-ast-orig-host= is now Unreachable. RTT: 0.000 msec

So the tunnel is active now, at least. But, when plugging the base station into a foreign network, I don’t see any log lines at all until I add its public IP to the list of local connections (and then it SIP registers fine).

Your advice really nailed it! The problem was rooted in the network settings of my device. Originally, I had configured a static IP address which caused a mismatch with the netmask of the foreign network. Consequently, an IP address couldn’t be issued, leading to the absence of an x-ast-orig-host. Despite the successful direct connection to the OpenVPN server via IP address, the device couldn’t establish overall connectivity and made no attempts for SIP Registration.

However, shifting to DHCP, and designating as both the primary DNS server and SIP Registration server, resolved the issue wonderfully.

Also, I must give credit where it’s due - your recommendation to modify the server host to was exactly what was needed. A huge thanks for your help!
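
An added example, not part of the original thread: a check for the symptom described in the first post, where contacts in `pjsip show contacts` carry public addresses even though the VPN is connected. The tunnel subnet `10.8.0.0/24`, the sample output and the function names are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: tunnel subnet; replace with the server range configured on the PBX VPN server.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")

# Constructed sample in the layout of `pjsip show contacts` (documentation-range addresses).
SAMPLE = """\
  Contact:  <Aor/ContactUri..............................> <Hash....> <Status> <RTT(ms)..>
  Contact:  2000/sip:2000@203.0.113.10:5060;x-ast-orig-host 955316f362 Avail        49.169
  Contact:  2001/sip:2001@10.8.0.6:5062;x-ast-orig-host=192 24adb30c20 Unavail         nan
  Contact:  2002/sip:2002@10.8.0.7:5060                      63ca9faadb Avail         3.463

Objects found: 3
"""

# AOR, optional user part, host (IPv4, bracketed IPv6 or name), optional port,
# any truncated URI parameters, then the hash, status and RTT columns.
CONTACT_RE = re.compile(
    r"^\s*Contact:\s+(?P<aor>[^/\s<]+)/sips?:(?:[^@\s;]+@)?"
    r"(?P<host>\[[0-9A-Fa-f:]+\]|[^:;\s]+)(?::(?P<port>\d+))?\S*"
    r"\s+(?P<hash>[0-9a-f]+)\s+(?P<status>\S+)\s+(?P<rtt>\S+)\s*$"
)

def classify(output, vpn_net=VPN_NET):
    """Return one dict per contact with via_vpn set to True, False or None."""
    rows = []
    for line in output.splitlines():
        m = CONTACT_RE.match(line)
        if not m:
            continue  # header, blank and "Objects found" lines
        host = m["host"].strip("[]")
        try:
            via_vpn = ipaddress.ip_address(host) in vpn_net
        except ValueError:
            via_vpn = None  # hostname contact: undecidable without resolving it
        rows.append({"aor": m["aor"], "host": host,
                     "status": m["status"], "via_vpn": via_vpn})
    return rows

def outside_tunnel(output, vpn_net=VPN_NET):
    """AORs whose contact address is an IP outside the tunnel subnet."""
    return [r["aor"] for r in classify(output, vpn_net) if r["via_vpn"] is False]

if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(row)
    print("registered outside the tunnel:", outside_tunnel(SAMPLE))
```

An AOR reported by `outside_tunnel` is registering from an address that the firewall sees as an untrusted source rather than as tunnel traffic.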
