PJSip VPN phones all disconnect

freepbx

#1

FreePBX Distro 15
Asterisk 13
PJSip
FreePBX VPN Server
EPM with DPMA
Sangoma D65 and D62 phones

Set up a new system using EPM with DPMA and Digium D65 and D62 phones. All phones set to use the built-in VPN server. Phones connected and were working fine for about 24 hours and then all phones went offline.

Reboot the phones and they won’t connect. Take them off VPN and they do.

Brand new phone, set up, gets initial config, set it to use VPN, it reboots then times out contacting sip proxy@10.8.0.1;transport=udp

Nothing I do will get them to connect to the VPN again. Go into EPM > Extension mapping > VPN Client = none

Reset phones to factory, they boot and connect.

One odd thing I see is in Admin > VPN Server > Clients there are duplicate client entries, not sure if that’s the issue or not.

It seems like the OpenVPN server on the PBX just stopped working. I’ve rebooted the PBX, made sure it’s up to date. Nothing in any of the logs that I can see.

Ideas?


#2

/var/log/messages shows:

Apr 29 20:43:53 freepbx openvpn: Thu Apr 29 20:43:53 2021 xxx.xxx.xxx.xxx:39024 TLS: Initial packet from [AF_INET]47.xxx.xxx.xxx:39024, sid=fd8d957c a4c423ac
Apr 29 20:43:53 freepbx openvpn: Thu Apr 29 20:43:53 2021 xxx.xxx.xxx.xxx:39024 CRL: loaded 1 CRLs from file sysadmin_crl.pem
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 VERIFY OK: depth=1, CN=FreePBX
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 VERIFY OK: depth=0, CN=client42
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 peer info: IV_VER=2.3.2
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 peer info: IV_PLAT=linux
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 Incoming Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 xxx.xxx.xxx.xxx:39024 [client42] Peer Connection Initiated with [AF_INET]xxx.xxx.xxx.xxx:39024
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 client42/xxx.xxx.xxx.xxx:39024 OPTIONS IMPORT: reading client specific options from: ccd/client42
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 client42/xxx.xxx.xxx.xxx:39024 MULTI: Learn: 10.8.0.15 -> client42/xxx.xxx.xxx.xxx:39024
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 client42/xxx.xxx.xxx.xxx:39024 MULTI: primary virtual IP for client42/xxx.xxx.xxx.xxx:39024: 10.8.0.15
Apr 29 20:43:56 freepbx openvpn: Thu Apr 29 20:43:56 2021 client42/xxx.xxx.xxx.xxx:39024 PUSH: Received control message: 'PUSH_REQUEST'
Apr 29 20:43:56 freepbx openvpn: Thu Apr 29 20:43:56 2021 client42/xxx.xxx.xxx.xxx:39024 SENT CONTROL [client42]: 'PUSH_REPLY,route 10.8.0.0 255.255.255.0,route 68.232.175.0 255.255.255.0,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.15 255.255.255.0' (status=1)
Apr 29 20:47:56 freepbx openvpn: Thu Apr 29 20:47:56 2021 client42/xxx.xxx.xxx.xxx:39024 [client42] Inactivity timeout (--ping-restart), restarting
Apr 29 20:47:56 freepbx openvpn: Thu Apr 29 20:47:56 2021 client42/xxx.xxx.xxx.xxx:39024 SIGUSR1[soft,ping-restart] received, client-instance restarting
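An added example, not part of the original posts or of FreePBX: a small Python audit that reads OpenVPN syslog lines in the format shown above and reports, per client certificate CN, the weak data-channel cipher, the legacy TLS control channel and the ping-restart timeouts. The sample lines are constructed from that format with the placeholder address 192.0.2.10, and the names `audit`, `LINE` and `WEAK` are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the /var/log/messages excerpt above;
# 192.0.2.10 is a documentation placeholder address, not a value from the thread.
SAMPLE = """\
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 192.0.2.10:39024 VERIFY OK: depth=0, CN=client42
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 192.0.2.10:39024 Outgoing Data Channel: Cipher 'BF-CBC' initialized with 128 bit key
Apr 29 20:43:54 freepbx openvpn: Thu Apr 29 20:43:54 2021 192.0.2.10:39024 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Apr 29 20:43:56 freepbx openvpn: Thu Apr 29 20:43:56 2021 client42/192.0.2.10:39024 SENT CONTROL [client42]: 'PUSH_REPLY,route-gateway 10.8.0.1,ping 10,ping-restart 120,ifconfig 10.8.0.15 255.255.255.0' (status=1)
Apr 29 20:47:56 freepbx openvpn: Thu Apr 29 20:47:56 2021 client42/192.0.2.10:39024 [client42] Inactivity timeout (--ping-restart), restarting
"""

# The peer prefix is "ip:port" before authentication and "CN/ip:port" afterwards.
LINE = re.compile(r"openvpn: \w{3} \w{3} +\d+ [\d:]+ \d{4} (?:(?P<cn>[^/\s]+)/)?(?P<peer>\S+:\d+) (?P<msg>.*)")
WEAK = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}  # 64-bit block ciphers (SWEET32)

def audit(text):
    """Return {client CN: sorted findings}; falls back to ip:port if no CN was logged."""
    cn_of, findings = {}, defaultdict(set)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        peer, msg = m["peer"], m["msg"]
        if m["cn"]:
            cn_of[peer] = m["cn"]
        elif (v := re.match(r"VERIFY OK: depth=0, CN=(\S+)", msg)):
            cn_of[peer] = v[1]
        # Accept straight or typographic quotes around the cipher name.
        if (c := re.search(r"Data Channel: Cipher ['‘]([^'’]+)['’]", msg)) and c[1] in WEAK:
            findings[peer].add(f"weak data-channel cipher {c[1]}")
        # Matches TLSv1 and TLSv1.1 only; TLSv1.2 and later are not flagged.
        if (t := re.match(r"Control Channel: (TLSv1(?:\.1)?),", msg)):
            findings[peer].add(f"legacy control channel {t[1]}")
        if "Inactivity timeout" in msg:
            findings[peer].add("ping-restart timeout")
    return {cn_of.get(p, p): sorted(f) for p, f in findings.items()}

if __name__ == "__main__":
    for client, items in audit(SAMPLE).items():
        print(client, items)
```
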