SIP client over PfSense OpenVPN cannot receive calls (but can make)

I know this is probably an incredibly simple setting I’m missing, but here goes anyway. I’m running FPBX Distro 6.12 with Asterisk 11. I have plenty of remote extensions behind OpenVPN routers that have no issues making or receiving calls. However, if I try to use a Yealink phone with an OpenVPN client, or a softphone on a device with an OpenVPN client installed remotely (such as Grandstream Wave for Android), the extension registers but cannot receive any calls.

My OpenVPN server is PfSense 2.2, for what it’s worth. I have my VPN network in the local networks in Asterisk and both the SIP and RTP ports are forwarded to the Asterisk server. The issue I see is that when I authenticate remotely, I see the external IP of the device instead of the internal VPN IP and the peer is listed as “UNREACHABLE”. So it seems as though I’ve got some NAT setting wrong or I’m missing something on my firewall. Any ideas?

Hmmmm… OpenVPN can be tricky. Let’s try a few basics here.

  1. Did you launch OpenVPN as administrator? It has to be launched this way or else it cannot push routes to your system.

  2. When connected, can you ping the IP? If it resolves a DNS name, can you resolve it?

Review those and let me know!

Currently I’m testing with the OpenVPN client on Android, which doesn’t require anything like that, and traffic gets back and forth just fine. I’ve also tried it under Linux in the past using NetworkManager and same deal. I can get to all internal resources just fine without issue and I can even make outbound calls just fine. But the issue seems to stem from the SIP peer showing up in Asterisk as coming from its external IP vs the internal OpenVPN assigned IP. So when I look at the SIP peers list, I see the extension’s IP as 100.x.x.x vs 10.15.12.x (which is the OpenVPN assigned IP).

So let’s try to figure out if it’s configuration of the firewall or otherwise.

By default with OpenVPN on PFSense, the clients can reach the tunneled networks, but the tunneled networks cannot reach the OpenVPN networks without additional rules, which sounds plausible, as the Android phone initiates the connection, FreePBX responds to said connection, but FreePBX cannot initiate a connection.

In PFSense, go to Diagnostics -> Ping.
Ping a device on the 10.15.12.x network giving you trouble, from the 100.x.x.x network. Note you may need to run OpenVPN on a PC, as most Android phones won’t respond to ping.

More than likely, it’s the rule I mentioned earlier, preventing FreePBX from initiating the connection.

Well, for what it’s worth I’ve been hacking away at this while discussing it with you and I managed to fix it. Apparently all of our extensions were set to “NO” for NAT. Changed it to yes and POOF. Working fine. I inherited this FPBX system and as such, didn’t set ANY of it up. So I guess the key is to have NAT set to Yes instead of No or never if you’re going to have externally connected devices on remote networks.
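
The two causes discussed in this thread can be told apart from the peer list alone. The following is an added example, not code from any of the posters: it reads `sip show peers`-style output and labels each UNREACHABLE peer as a likely NAT-setting problem (registered from an address outside the VPN network) or a likely firewall/routing problem (VPN address, still unreachable). The /24 mask for 10.15.12.x, the sample rows, the column layout and the function name are assumptions.

```python
import ipaddress

# Assumption: the OpenVPN tunnel network from the thread (10.15.12.x) is a /24.
VPN_NET = ipaddress.ip_network("10.15.12.0/24")

# Constructed sample modelled on `sip show peers` output (not a real capture).
SAMPLE = """\
Name/username    Host            Dyn Forcerport ACL Port   Status
101/101          10.15.12.6      D   Yes        A   5060   OK (38 ms)
102/102          100.64.10.20    D   No         A   5060   UNREACHABLE
103/103          (Unspecified)   D   No         A   0      UNKNOWN
104/104          10.15.12.9      D   No         A   5060   UNREACHABLE
"""


def triage_peers(text, vpn_net=VPN_NET):
    """Return (name, host, hint) for every UNREACHABLE peer.

    hint == "nat":     peer is listed with a non-VPN address, so Asterisk is
                       trying to reach it at an address it cannot route to;
                       check the extension's NAT setting.
    hint == "routing": peer is listed with its VPN address but still does not
                       answer; check firewall rules toward the VPN network.
    """
    results = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 2 or "UNREACHABLE" not in line:
            continue
        name, host = fields[0], fields[1]
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue                            # e.g. "(Unspecified)": not registered
        hint = "routing" if addr in vpn_net else "nat"
        results.append((name, host, hint))
    return results


if __name__ == "__main__":
    for name, host, hint in triage_peers(SAMPLE):
        print(f"{name:10} {host:15} -> check {hint}")
```

To run it against a live system, replace `SAMPLE` with the text returned by `asterisk -rx "sip show peers"`.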