RTP issue, Reverse Proxy using firewalld and OpenVPN

I am trying to connect my softphone to a remote FreePBX installation on a Raspberry Pi. The Raspberry Pi is using an OpenVPN client to connect to my cloud server. My cloud server has a static public IP and I use firewalld to forward the required ports to the RPi. I have set up port forwarding for UDP ports 5060, 5160, 10000-20000 on my cloud server using firewalld. I am able to connect to the cloud server IP with Zoiper and log in with my EXT, but after establishing a call, there is no audio (both ways) and the call disconnects after 30s because of RTP failure.
I have played with various NAT settings in “General SIP Settings”, “chan_pjsip” and “chan_sip”, but I can’t make it work.

Here is what the net looks like:

My PC(Zoiper): 192.168.1.2[Private, DHCP]
===>===
My Modem: 192.168.1.1[Private, Static], 9.8.7.6[Public, Dynamic]
===>===
Cloud Server: 1.2.3.4[Public, Static], 10.8.0.1[Private, OpenVPN]
===>===
Remote Site Modem: 192.168.1.1[Private, Static], 5.6.7.8[Public, Dynamic]
===>===
Rpi Freepbx: 192.168.1.2[Private, DHCP], 10.8.0.4[Private, OpenVPN]

==============================
Zoiper connects directly to 1.2.3.4:5060[chan_pjsip] or 1.2.3.4:5160[chan_sip] without any problem.
RPi connects to the cloud server using OpenVPN as I said. When I check my local UDP traffic on my PC, I see that Zoiper tries to send RTP packets to 10.8.0.4!!! which is the private IP lease from the OpenVPN server.

Freepbx’s “External Address” is set to 1.2.3.4
“Local Networks” are: 0.0.0.0/1, 10.8.0.0/24, 128.0.0.0/1, 192.168.1.0/24

There is a masquerade rule in firewalld => “firewall-cmd --add-masquerade --permanent”
Forwarded ports:
firewall-cmd --zone=public --add-port=5060/udp --permanent
firewall-cmd --add-forward-port=port=5060:proto=udp:toport=5060:toaddr=10.8.0.4 --permanent
firewall-cmd --zone=public --add-port=5160/udp --permanent
firewall-cmd --add-forward-port=port=5160:proto=udp:toport=5160:toaddr=10.8.0.4 --permanent
firewall-cmd --zone=public --add-port=10000-20000/udp --permanent
firewall-cmd --add-rich-rule 'rule family="ipv4" forward-port port="10000-20000" protocol="udp" to-port="10000-20000" to-addr="10.8.0.4"' --permanent

A softphone connected directly to RPi works flawlessly with bidirectional audio.

What am I missing here?

Just guessing here (because I’m not sure of how the firewalld (iptables) rules behave):
For the Zoiper pjsip extension, set RTP Symmetric to Yes.
Set Local Networks to only 192.168.1.0/24, Submit, Apply Config, then restart Asterisk and test.
If no luck, at the Asterisk command prompt, type
pjsip set logger on
make a failing test call, paste the log for the call at pastebin.freepbx.org and post the link here. If you are too new to the forum to permit links, just post the 8 hex characters after /view/ .

However, please explain all the constraints that led you to do something so convoluted and complex.

For example, why can’t you do one of these?

  1. Run an OpenVPN client on the PC with Zoiper, set client-to-client in the VPN server, have Zoiper register to 10.8.0.4

  2. Run the PBX on the cloud server.

  3. Have Zoiper connect directly to the Pi’s public address, using a dynamic DNS name and forwarding SIP and RTP ports as needed.

Also, what trunks do you have on the Pi? If SIP, are they routed through the VPN and cloud server? If so, why?

RTP Symmetric is set to YES, local net to only 192.168.1.0/24, the problem still exists
Here is the pjsip log hex code f8c62d61
pastebin.freepbx.org/view/f8c62d61
I have changed the IPs and Numbers to match my net diagram described above

to answer your questions:

  1. client to client openvpn works fine with audio and everything
  2. I want to use my existing webserver, so I am port forwarding the required ports
  3. The Pi is behind a CGNAT, dynamic DNS is not going to help, that's why I am using a reverse proxy with OpenVPN and firewalld

I am using a 3g dongle on the Raspberry Pi.

Lines 221 and 224 show that Asterisk properly substituted the public IP in the signaling, but line 240 shows that it did not for the media.

Possibly a pjsip bug or limitation (it ‘knows’ that 10.8.0.1 is local), or a FreePBX bug generating the config.

Please post the contents of /etc/asterisk/pjsip.transports.conf .
If you have anything in pjsip.transports_custom.conf or pjsip.transports_custom_post.conf, post the contents and explain why you did it.
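
Added example, not part of the thread and not FreePBX or Asterisk code: a small check for the mismatch described in the post above, where the SIP Contact carries the external address but the SDP `c=` line still advertises the VPN address. The sample message is constructed from the thread's placeholder addresses, and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample (not taken from the pastebin logs): signaling shows the
# public address 1.2.3.4, the SDP still advertises the OpenVPN address 10.8.0.4.
SAMPLE_SIP = "\r\n".join([
    "SIP/2.0 200 OK",
    "Via: SIP/2.0/UDP 192.168.1.2:5060;branch=z9hG4bK-constructed",
    "Contact: <sip:100@1.2.3.4:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 10.8.0.4",
    "s=Asterisk",
    "c=IN IP4 10.8.0.4",
    "t=0 0",
    "m=audio 10000 RTP/AVP 0 8 101",
    "",
])

# UDP range forwarded to the Pi by the firewalld rules quoted in the thread.
FORWARDED_RTP = range(10000, 20001)

def advertised(raw):
    """Return (contact_hosts, sdp_connection_addrs, audio_ports) for one SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    contacts = re.findall(r"(?im)^contact:.*?sips?:(?:[^@>\s]+@)?([0-9.]+)", head)
    media = re.findall(r"(?m)^c=IN IP4 ([0-9.]+)", body)
    ports = [int(p) for p in re.findall(r"(?m)^m=audio (\d+) ", body)]
    return contacts, media, ports

def check_media(raw, external_address):
    """Return a list of findings; an empty list means media matches the signaling rewrite."""
    contacts, media, ports = advertised(raw)
    findings = []
    for addr in media:
        if ipaddress.ip_address(addr).is_private:
            findings.append(f"SDP c= advertises private address {addr}")
        elif addr != external_address:
            findings.append(f"SDP c= advertises {addr}, expected {external_address}")
    if external_address in contacts and external_address not in media:
        findings.append("signaling rewritten to external address but media was not")
    findings += [f"audio port {p} outside forwarded range"
                 for p in ports if p not in FORWARDED_RTP]
    return findings

if __name__ == "__main__":
    for finding in check_media(SAMPLE_SIP, "1.2.3.4"):
        print(finding)
```

Running it against each message in a `pjsip set logger on` capture shows which direction and which message still carries the tunnel address.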

/etc/asterisk/pjsip.transports.conf

[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060
external_media_address=1.2.3.4
external_signaling_address=1.2.3.4
allow_reload=no
tos=cs3
cos=3
local_net=192.168.1.0/24

/etc/asterisk/pjsip.transports_custom.conf and /etc/asterisk/pjsip.transports_custom_post.conf are empty

pjsip.transports.conf looks correct. Try rebooting the Pi, just in case something failed to update. If it still fails, I think this is a pjsip bug, which you may want to report. Possibly, chan_sip will work better in this case.

chan_sip has the same issue, my PC tries to connect to 10.8.0.4 for RTP which is a dead end!
Tested it with “sip set debug on” and it's returning 10.8.0.4 to the client softphone.

Wow. It seems unlikely that both drivers would have the same bug, unless it was plagiarized (I doubt that).

Possibly, there is something funny about the incoming INVITE that triggers this problem. Could you paste another log that starts with the received INVITE from the trunk?

Do outbound calls have this trouble?

Yeah, outbound calls have the same issue.

Here is the outbound call log with the INVITE packet: eca67f45
pastebin.freepbx.org/view/eca67f45

I have created an issue in both FreePBX Jira and Asterisk Jira. The guys at FreePBX are trying to test the mentioned scenario and said that if the media IP is not changing, then it could be an Asterisk bug.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.