Softphones to multiple servers same public ip

I don’t know where to start on this, so here goes. I have a softphone working on one virtual phone server over the OpenVPN app on my Android to 1 phone server. I am trying to do the same to two other phone servers within the same network. The first one connects no problem using a self-signed certificate, but the others won’t. Server 1 is default SS and works flawlessly. The other two also have SS certificates, but don’t work.
I’m thinking because they are all based within the same network, there will be an issue, because they all seem to be using the same self signed certificate. I could be wrong, but when I try to use the VPN files, associated with a particular client, on a particular server, I get certificate errors (X509). Any idea where to start?

I assume that your phone server VMs are using bridged networking (on same LAN as the host machine), and that there are separate OpenVPN servers, one on each VM. The NAT router, running on separate hardware, has separate port forwards set up, one for each VM. There is a separate config file on the Android device for each phone server, specifying the corresponding port and containing the corresponding certificate.

Have you determined that when you initiate a connection, it’s going to the correct virtual server?

Well, when the successful connection is made, on Server A, it is using the DDNS of the server to make the connection. You can see it in the logs of the OpenVPN app. When connection is being made to Server B, the connection is trying to use the public IP of the server. That can also be seen in the logs.

Are you sure that the config file (stored on the client) for server B has the DDNS name? Unless you have a special requirement, I would assume that the config files for all three servers are the same, except for the port numbers (and the certificates, if each server has its own).

On my phone using the ‘OpenVPN Connect’ app, the log shows e.g.

EVENT:RESOLVE
Contacting 1.2.3.4:1194 via TCP
EVENT:WAIT
Connecting to [example.com]:1194 (1.2.3.4) via TCPv4

It's trying to use UDPv4, but the failure is at trying to verify certificate. Says not correctly signed by trusted CA. It's using a self-signed, at least that is what I have on that server.

As for server C, pbx 14.0.3.18, the connection is trying to use the public IP even though DDNS is enabled.

Correction to previous post: the connection is trying to use the DDNS of server B, pbx 13.0.195.12, but the cert is failing.

In my OpenVPN setups, I use a self-signed CA certificate and a separate server cert that is signed with the CA cert. The CA cert is physically included in the client.ovpn file that is uploaded to the phone, so the phone sees the server cert as trusted.

I know little about OpenVPN and don’t know whether it’s possible to avoid using a CA cert. Most tutorials use the paradigm described above and I’ve followed them with good results.

I’m not sure what you are saying. The config file on the client should contain the domain name but not the server IP address, so it couldn’t even connect to the server without looking up the name. If you mean that it’s trying to verify the cert subject against an IP address, please provide details (which side has the name and which the address).

The client should have the domain name, but that's not what is going into the config file. The public IP of server C shows up in the config file.
Now server C is using pbx ver. 14, where the others are using version 13. Not sure if that could be an issue either.

Sorry, this is well beyond my expertise. My systems run the VPN server on the firewall or file server, so the mobile user can access other organization resources e.g. intranet, in addition to the phone system. I’ve no experience running it on FreePBX.

Possibly, manually editing the config file on the client will work around your issue. I hope that a Sangoma wizard or another member can jump in and help.
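A check for the two things this thread keeps returning to, which address each client profile targets and which CA it embeds, as an added example that is not part of any post above. It assumes each `.ovpn` profile carries its CA inline in a `<ca>` block and its port on the `remote` line; the file names, host names, ports and certificate bytes are constructed stand-ins.

```python
import base64, hashlib, ipaddress, re

def parse_profile(text):
    """Return the remote endpoints and the SHA-256 of the inline <ca> certificate."""
    remotes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "remote":
            host, port = parts[1], (parts[2] if len(parts) > 2 else "1194")
            try:
                ipaddress.ip_address(host)
                is_ip = True           # profile pins an address, not a DDNS name
            except ValueError:
                is_ip = False
            remotes.append((host, port, is_ip))
    ca = re.search(r"<ca>(.*?)</ca>", text, re.S)
    pem = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                    ca.group(1), re.S) if ca else None
    der = base64.b64decode("".join(pem.group(1).split())) if pem else None
    return {"remotes": remotes, "ca_sha256": hashlib.sha256(der).hexdigest() if der else None}

def audit(profiles):
    """profiles maps a profile name to its text; returns human-readable findings."""
    findings, by_ca = [], {}
    for name, text in profiles.items():
        info = parse_profile(text)
        for host, port, is_ip in info["remotes"]:
            if is_ip:
                findings.append(f"{name}: remote {host}:{port} is an IP literal, not a DDNS name")
        if info["ca_sha256"] is None:
            findings.append(f"{name}: no inline <ca> certificate")
        else:
            by_ca.setdefault(info["ca_sha256"], []).append(name)
    for fp, names in by_ca.items():
        if len(names) > 1:
            findings.append(f"{' and '.join(names)}: same inline CA (sha256 {fp[:16]}...)")
    return findings

def _profile(remote, ca_bytes):
    # Constructed sample: ca_bytes is placeholder data, not a real certificate.
    b64 = base64.b64encode(ca_bytes).decode()
    return (f"client\ndev tun\nproto udp\nremote {remote}\n<ca>\n"
            f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n</ca>\n")

SAMPLE = {  # constructed profiles, one per phone server
    "server-a.ovpn": _profile("pbx-a.example.com 1194", b"constructed CA one"),
    "server-b.ovpn": _profile("pbx-b.example.com 1195", b"constructed CA one"),
    "server-c.ovpn": _profile("203.0.113.30 1196", b"constructed CA two"),
}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The fingerprint printed for a profile can be compared with the CA file on the matching server, for example with `openssl x509 -noout -fingerprint -sha256 -in ca.crt`, which prints the same digest in colon-separated uppercase hex. Profiles that share a CA will only verify servers whose certificates were actually signed by that CA.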
