PBX VPN tunnel - connect but no audio

Hi All,

I have the following setup:

Pfsense firewall with public IP in cloud > NAT port forward to FreePBX IP address via Tailscale VPN.

I am using Groundwire softphones on the public internet. I am trying to proxy almost through the cloud firewall for added security.

The soft phone works and can make calls, however when connected the audio channel does not work despite the fact the ports are correctly configured. I can see in pfsense that the audio ports are open, so the connection is obviously correct at least to establish a connection.

If I am connected to the local LAN, everything works fine. This is looking like a NAT issue.

Any ideas? I have tried to play around with the asterisk settings and adjusting the LAN to the public IP of the cloud firewall and also the IP of the Tailscale client.

Nothing appears to work. Any ideas?


1 Like

Have you added the VPN subnet to Settings > Asterisk SIP Settings > Local Networks?

To be more specific, because others have made this mistake, not the subnet of the VPN tunnel network but the subnet of the network that the phone is plugged into.


To the PBX the traffic looks like it’s coming from, which is the IP of the firewall at the PBX site.

The WAN site, has a local IP of, however looking at PfTop in PfSense, this subnet doesn’t appear?

PfSense box 1 WAN = soft phone connection point.

PfSense box 1 > NAT to PfSense box 2 (100.x.x.x > 100.x.x.x - Tailscale addresses).

PfSense box 2 > PBX ( >

To add to this, I’ve now inspected the SIP logs:

SIP initiates correctly to the WAN address of the first firewall.

RTP packets are sent to the local IP of the PBX hence this is why there is no audio.

The question now is why the softphone is trying to send audio to the PBX local IP and not the WAN IP?

Something is not setup correctly for your VPN. The phones shouldn’t be connecting to the PBX with the other end’s WAN address. The phone system should see the internal IP address of the phones on the other side of the VPN connection.

The phones on the other end are soft phones and remote from the LAN. They connect to the PBX via the WAN.

So I guess I don’t understand where the VPN that you posted originally fits into the whole picture.

The VPN links firewall A (the WAN) to firewall B (second location) with a NAT to the PBX.


So I guess why would the softphones connect to the PBX over the WAN address if they have the VPN tunnel to get that connection going? If they are properly using the VPN and the VPN is configured properly then they should be connecting with their respective local LAN IPs to the phone system.

Your architecture is not SIP-friendly. The softphone will send RTP (and subsequent related requests such as BYE) to the address that the PBX supplies in the response to INVITE (SDP and Contact header).

So, the PBX must be configured with the cloud server public IP, and must know when to send it. If your PBX has SIP trunks connected over the public internet, or ‘regular’ external extensions, it is also configured with pfSense box 2’s public IP address and needs to distinguish requests to know which to send. Conceivably, you could do this by using different protocols, or assiging multiple local IP addresses to the PBX.

But IMO, don’t pile kludge on top of kludge. Run a Tailscale client on the PBX, so pfSense box 1 sends directly to the PBX. The PBX will now have an interface with a 100.x.x.x address, which will have its own pjsip transport, configured with the WAN address of pfSense 1.

Another approach is to use the OpenVPN server built into FreePBX. Run an OpenVPN client on the cloud server, which connects to the PBX via a (possibly nonstandard) UDP port forwarded through pfSense 2.

Or, run a PBX in the cloud with a trunk to the on-site one.

Yet another possibility is using client certificates or other means to get the desired security and have the softphones register to the local PBX (no cloud server).

Thanks for your help.

Installing Tailscale on the FreePBX machine isn’t documented so unsure how I’d do this.

I actually have several remote locations that all connect to the PBX via NAT / Tailscale and work fine. I guess the issue is the fact it’s public facing?

Instead of a new PBX, would a cloud based SBC be easier and offer the same level of security?

Update, I’ve managed to install tailscale. I can’t get the remote phones to connect but the devices do ping.

Need to play around with the firewall settings I think.

Thanks for your help.