Setup Sangoma phone on a vpn

Hi,
I tried to set up a Sangoma IP phone at a remote site over VPN.

Here is my config :

Freepbx -(LAN net)- Router OpenWRT (IP-PUBLIC-ROUTEROPENWRT) – INTERNET – Router -(REMOTE net)-- IPPHONE SANGOMA.

It used to work for two years but not anymore. I think it is because of a change in the public IP of the OpenWRT router.

So I reset everything from scratch.

-web gui the phone now :
Config Server Path: http://‘user’:‘password’@IP-PUBLIC-ROUTER-OPENWRT:83

  • screen phone with the VPN activated notification

  • unplug / plug the phone on the REMOTE net

  • on the freepbx server :

    • tail -f /var/log/httpd/accesslog : nothing happens.
    • cat /etc/openvpn/sysadmin_server1-status.log
TITLE	OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
TIME	Fri Nov 15 05:18:59 2019	1573755539
HEADER	CLIENT_LIST	Common Name	Real Address	Virtual Address	Bytes Received	Bytes Sent	Connected Since	Connected Since (time_t)	Username
CLIENT_LIST	client0	IP-PUBLIC-ROUTER-REMOTE:33032	10.8.0.3	27341	29049	Fri Nov 15 05:04:09 2019	1573754649	UNDEF
HEADER	ROUTING_TABLE	Virtual Address	Common Name	Real Address	Last Ref	Last Ref (time_t)
ROUTING_TABLE	10.8.0.3	client0	IP-PUBLIC-ROUTER-REMOTE:33032	Fri Nov 15 05:04:11 2019	1573754651
GLOBAL_STATS	Max bcast/mcast queue length	0
  • tail -f /var/log/messages :
Nov 15 05:41:27 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 TLS: new session incoming connection from [AF_INET]IP-PUBLIC-ROUTER-REMOTE:33032
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 CRL CHECK OK: CN=FreePBX
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 VERIFY OK: depth=1, CN=FreePBX
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 CRL CHECK OK: CN=client0
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 VERIFY OK: depth=0, CN=client0
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 TLS: move_session: dest=TM_ACTIVE src=TM_UNTRUSTED reinit_src=1
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 TLS: tls_multi_process: untrusted session promoted to semi-trusted
Nov 15 05:41:29 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Nov 15 05:41:34 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 PUSH: Received control message: 'PUSH_REQUEST'
Nov 15 05:41:34 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 send_push_reply(): safe_cap=940
Nov 15 05:41:34 FreePBX openvpn[21922]: client0/IP-PUBLIC-ROUTER-REMOTE:33032 SENT CONTROL [client0]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.3 255.255.255.0' (status=1)

Everything seems to work.
- web gui on the phone IP plug in remote lan
- syslog:

[...]
[11-15 06:05:10 50:19:73] ReDialInfo: aid 0, line 67, Number *43
[11-15 06:05:10 50:19:73] SIP: sdp_message_pro: Local IP is 10.8.0.3
[11-15 06:05:10 50:19:73] SIP: SendInvite to *43, cid 2, wIP 0xa080003, port 12102, Interval 2, Codec 0, Audio 0
[...]
[11-15 06:28:44 50:19:73] SIP: aid 0, Re-Register Timer Timeout, Try to Re-Register...
[11-15 06:28:44 50:19:73] SIP: aid 0 Reg Start...
[11-15 06:28:44 50:19:73] SIP: sip_nict_init, no route, req_uri->host:port is 10.66.0.2:5060
[11-15 06:29:48 50:19:73] SIP: aid 0, cid 0, tid 0, did 0, REQUEST: REGISTER, Event: 2
[11-15 06:29:48 50:19:73] SipProc:aid 0 enter NoAnswer SIP_REGISTRATION_FAILURE ====
[...]
- from freepbx server : 
      - ping 10.8.0.3 is OK
      - sip show  peers :  5 (Unspecified)  D  Yes        Yes         A  0        UNKNOWN   

But the ip phone is not connected.

Why does the IP phone get a REMOTE LAN IP? I understand that it comes from the DHCP server of the REMOTE ROUTER.

I’m stuck now. There is something I don’t understand.
Is there something I should do, or read.
Thanks for your help.

If OpenVPN is running on FreePBX server, then the VPN IP it receives would have nothing to do with your router.

OK Openvpn seems to work on Freepbx, because I got this

Freepbx# tail -f /var/log/messages

Nov 15 14:14:49 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 TLS: soft reset sec=0 bytes=37381/0 pkts=712/0
Nov 15 14:14:52 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 CRL CHECK OK: CN=FreePBX
Nov 15 14:14:52 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 VERIFY OK: depth=1, CN=FreePBX
Nov 15 14:14:52 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 CRL CHECK OK: CN=client0
Nov 15 14:14:52 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 VERIFY OK: depth=0, CN=client0
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Nov 15 14:14:53 FreePBX openvpn[1508]: client0/IP_PUBLI_REMOTE_ROUTER:44552 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA

And a tun0 interfaces on the freepbx server

With the IP phone plugged into the remote net I got :

103.17.45.190 - a59e816d [15/Nov/2019:15:15:52 +1100] "GET /factory0700.bin HTTP/1.1" 404 292 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:52 +1100] "GET /cfg0700.xml HTTP/1.1" 200 703 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:54 +1100] "GET /005058501973.cfg HTTP/1.1" 404 293 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:54 +1100] "GET /cfg005058501973 HTTP/1.1" 404 292 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:54 +1100] "GET /cfg005058501973.xml HTTP/1.1" 200 62323 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:57 +1100] "GET /ringtones/formatted/ring4.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:57 +1100] "GET /ringtones/formatted/ring5.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring6.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring7.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring8.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring9.bin HTTP/1.1" 404 306 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /ringtones/formatted/ring10.bin HTTP/1.1" 404 307 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /005058501973-vpn.tar HTTP/1.1" 200 11776 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:15:58 +1100] "GET /cfg5-states.xml HTTP/1.1" 200 6016 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"
103.17.45.190 - a59e816d [15/Nov/2019:15:16:02 +1100] "GET /sangoma/1/fw700.rom HTTP/1.1" 200 18536058 "-" "Sangoma S700 2.0.4.28 00:50:58:50:19:73"

but when I tried to test my port forwarding for VPN port
https://www.yougetsignal.com/tools/open-ports/
IP = IP_PUBLIC_ROUTER_OPENWRT
Port 1194
it says Closed. Is that normal?

You are probably testing tcp ports, OpenVPN runs on udp. Since your phone connects to OpenVPN, the port is open.

OK thanks.
I still try to fix my problem.

In the web gui of the phone plug in the remote net I got:

Account / Basic :

  • Account status Register failed (of course)
  • Primary IP-LAN-SERVER-FREEPBX:5060

What should be the address of the sip server for a correct configuration of IP phone over VPN. thanks.

If you are configuring the phone through the commercial endpoint manager, I guess that the values are automatically populated.

Yes configuration by endpoint manager.
If I understand :
if the vpn is OK between the remote phone and the freepbx an internal address of freepbx net should be seen as a local address even if the phone is in a remote place.
So IP_LAN_FREEPBX is OK.

Can you first connect the phone to the same lan where FreePBX is? This way you can get the phone autoprovisioned for the first time in a controlled way so to speak.

Yes This is what I did first.
I explain thoroughly what I did in the first message.
But I will start again from scratch.
I must have missed something but I really don’t know what.

Maybe it's a SIP problem.
Whooo…

A question
in Endpoint Manager / Brand / Sangoma
template
what should I choose for SIP destination address :

  • Internal
  • External
  • Custom
    thanks for your help

endpoint management / brand / sangoma
sip destination address : Internal

From FREEPBX server I can ping 10.8.0.4 ip vpn of the phone.
Nmap -A 10.8.0.4 says it’s a Sangoma.
unplug remote phone and can’t ping anymore.
plug again and can ping again from freepbx server .

system admin / VPN server / client / client iP 10.8.0.4 connected.

but web gui ipphone : Account / account status register failed
and sip show peers
5 (Unspecified) D Yes Yes A 0 UNKNOWN

How can I debug this ?
Thank you.
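
One way to approach the debugging question above, as an added example that is not part of the original thread: compare the networks OpenVPN pushed to the phone (the `PUSH_REPLY` line in the first post) with the registrar address the phone reports as `no route`. Both log lines are copied from the thread; the function names are hypothetical, and the script assumes the phone sends over the tunnel only what the server pushes.

```python
import ipaddress
import re

# Log lines copied from the thread: server-side PUSH_REPLY and the phone's syslog.
PUSH_LINE = ("SENT CONTROL [client0]: 'PUSH_REPLY,route-gateway 10.8.0.1,"
             "topology subnet,ping 10,ping-restart 120,"
             "ifconfig 10.8.0.3 255.255.255.0' (status=1)")
PHONE_LINE = "SIP: sip_nict_init, no route, req_uri->host:port is 10.66.0.2:5060"


def tunnel_networks(push_line):
    """Networks the client is told to reach through the tunnel."""
    m = re.search(r"'PUSH_REPLY,([^']*)'", push_line)
    if not m:
        raise ValueError("no PUSH_REPLY in line")
    opts = [o.split() for o in m.group(1).split(",") if o.strip()]
    subnet_topology = ["topology", "subnet"] in opts
    nets = []
    for o in opts:
        if o[0] == "ifconfig" and len(o) == 3:
            # topology subnet: "ifconfig <ip> <netmask>"; otherwise <ip> <peer>.
            mask = o[2] if subnet_topology else "255.255.255.255"
            addr = o[1] if subnet_topology else o[2]
            nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
        elif o[0] == "route" and len(o) >= 2:
            mask = o[2] if len(o) >= 3 and o[2] != "default" else "255.255.255.255"
            nets.append(ipaddress.ip_network(f"{o[1]}/{mask}", strict=False))
        elif o[0] == "redirect-gateway":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
    return nets


def sip_target(phone_line):
    """Registrar host and port the phone reports it cannot route to."""
    m = re.search(r"req_uri->host:port is (\d+(?:\.\d+){3}):(\d+)", phone_line)
    if not m:
        raise ValueError("no req_uri host:port in line")
    return ipaddress.ip_address(m.group(1)), int(m.group(2))


def reachable_via_tunnel(push_line, phone_line):
    host, _port = sip_target(phone_line)
    return any(host in net for net in tunnel_networks(push_line))


if __name__ == "__main__":
    print("pushed networks:", [str(n) for n in tunnel_networks(PUSH_LINE)])
    print("registrar:", sip_target(PHONE_LINE))
    print("registrar covered by tunnel:", reachable_via_tunnel(PUSH_LINE, PHONE_LINE))
```

A `False` result means the registrar address the phone was provisioned with lies outside every network the server pushed, which is consistent with the phone's `no route` message while ping across 10.8.0.x still works.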
