OpenVPN: Sangoma S305 setup for VPN from home, can't complete TLS Handshake


(Trevlyng) #1

We have Sangoma S305 phones setup with a VPN using the FreePBX built-in VPN server. We have been able to establish the VPN connection by going out our first WAN (Comcast Business Modem) and back in through the second WAN (Windstream Modem). However the first user we sent a phone to has a Residential Comcast Modem and we are unable to establish a connection. We can see that the VPN is getting to the set destination (the Windstream public IP forwarded to the PBX machine) but gives this message when tailing /var/log/messages:

Mar 26 14:34:59 vox openvpn[17111]: 73.61.35.68:46339 TLS: Initial packet from [AF_INET]73.61.35.68:46339, sid=783cf068 ea63757c
Mar 26 14:35:59 vox openvpn[17111]: 73.61.35.68:46339 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mar 26 14:35:59 vox openvpn[17111]: 73.61.35.68:46339 TLS Error: TLS handshake failed
Mar 26 14:35:59 vox openvpn[17111]: 73.61.35.68:46339 SIGUSR1[soft,tls-error] received, client-instance restarting

It is almost certainly something in the Comcast residential modem as far as we can tell given the relative ease of success with our business modem, has anyone been able to make this work with this ISP? We have tried placing the phone in the DMZ as well as port forwarding 1194 to the phone itself and still no luck, thanks for any advice!


(Chris Dolese) #2

can you dumb down the comcast modem by bridging it ?
bridge it directly to the phone so it gets a public IP … if not a long term solution it would at least settle the question


(Trevlyng) #3

Unfortunately that is not an option as this phone was sent to a remote user and although that may help settle the question it would disrupt their home network too much and would make make the ordeal overly complicated for them once we had to revert the modem back. Thank you for the reply though I can say we hadn’t thought of that and if the situation lent us that ability it would hopefully help us get to the bottom of this.


#4

The Comast resi modems have some modicum of firewall control. You could remote into an on-prem PC and see about tweaking.

I’d also make sure that double-NAT wasn’t an issue. Sometimes people but “my own wifi” not realizing it’s also a router and end up behind double-NAT. Doesn’t matter for browsing, but does for things like IPSec.


(Alejandro) #5

If you cannot remote in, have them do a trace route to help determine if they have a double-NAT.

This, in general, is fairly easy to walk someone through and they can copy and paste the results to whatever communication tool is available.

@trevlyng Since this was your first-person trying remote, I would suggest trying others to make sure it is not something on your end as well. The logs don’t seem to indicate that but it is worth try.


(Trevlyng) #6

We were able to remote in and confirm there is no double-NAT issue going on, I brought home one of the Sangoma S305’s myself (Atlantic Broadband modem instead of Comcast Xfinity) and the phone was able to register and establish the connection just fine with the same firewall port and NAT rules for incoming connections based on users public WAN. We have tried port forwarding within the Comcast Xfinity modem as well as placing the phone as the DMZ host and still received the same error in the log. We will keeping fighting with Comcast and see what can be done to open things up on the modem, thanks all for the feedback!