Hey FreePBX community! I’m having some trouble with initiating (but not receiving) SIP calls over an OpenVPN connection, and was hoping someone might have some ideas after hearing the problem and perhaps looking at the Wireshark capture screenshots.
I’ve got FreePBX running in a VM at my office, serving VoIP phones and softphones on the local LAN. I have no issues receiving and initiating phone calls from these devices using a variety of softphones.
However, I’ve been trying to set up remote access to the PBX to allow employees to connect from home, and I’m having a weird issue with initiating calls over an OpenVPN connection running on my office LAN’s main pfSense server. Basically, OpenVPN clients are assigned an IP in a subnet reserved for VPN users (which has been declared as a local subnet in FreePBX), and I’ve given this subnet unrestricted access to the IP address of the FreePBX server in the firewall.
When I sign in a softphone offsite that connects via OpenVPN, it registers successfully with Asterisk, but it can only receive incoming calls (with flawless full-duplex audio) - outgoing calls do not start at all. The firewall is set to allow unrestricted communication from the FreePBX server to the OpenVPN subnet and vice versa, and I am able to access the FreePBX console (and register extensions) with no problems, so I’m totally stumped as to why I can’t initiate calls from the softphones.
I did try connecting a softphone offsite to the PBX without using the VPN, connecting directly via the network’s public IPv4 address with port forwarding, and this actually works perfectly - I can make and receive calls with no problem. Of course, best practice is to not leave the PBX exposed to the 'net, so I’d rather not do this.
So, to summarise, I’m having no problems with:
- Initiating and receiving calls on VoIP phones on USER VLAN
- Initiating and receiving calls on softphones on USER VLAN
- Initiating and receiving calls on softphones offsite on the public internet connecting directly to the FreePBX (public IPv4, port forwarding, no VPN)
- Receiving calls on softphones connected to the OpenVPN connection
The ONLY problem I have is:
- Initiating calls on softphones (registered successfully) on the OpenVPN connection.
I have tested this behaviour on Windows (Jitsi, Linphone, MicroSIP), macOS (Linphone, Jitsi) and iOS (Linphone) with identical behaviour everywhere.
Now, to try and actually find the issue, I did WireShark captures of all of the types of calls listed below, which I’ve attached. FreePBX-OpenVPN-PCAPs.tgz (97.6 KB) This can be opened in 7-zip.
For those who don’t want to download the archive with the captures, I’ve made an image gallery showing some data in the WireShark captures. The IPs have been anonymised.
- call successfully initiated on softphone, public internet
- call successfully received on softphone, public internet
- call unsuccessfully initiated on softphone, OpenVPN Problem is here!
- call successfully received on softphone, OpenVPN
The third image (or the capture file called OutgoingFailureVPN-anon shows the unsuccessful call attempt from the softphone via an OpenVPN client, which results in a bunch of “Fragmented IP protocol” messages that seem to be “reassembled” later… but I don’t know why this doesn’t happen when I successfully receive calls via the same VPN connection. These failed calls don’t show up at all in the Call Event Log. I’m using Chan-PJSIP.
If anyone has any ideas what might be causing this, I’d be really grateful to hear them. Cheers!
Edit: Downloadable packet captures removed due to private data that wasn’t scrubbed. Thanks to Stewart1 for pointing me towards steps to confirm the source of the issue. Basically, reducing the number of available codecs in my client softphone (which made the INVITE packet shorter so that it didn’t need to be fragmented) allowed calls to proceed normally, confirming that the issue isn’t a routing issue, but an issue with the large packets. Temporary solution is to simply include fewer codecs, and permanent solution will be to find out why the fragmented packets aren’t getting through. Perhaps they’re not being properly reassembled on the other end!