Tap OPENVPN Tunnel to FreePBX Server with NAT

Hello,

I am trying to connect some phones which are outside my company network.
I've set up an OpenVPN tunnel (bridged). If I open the tunnel on a notebook, I get an IP address inside my company network, and everything works fine. But if I add this tunnel to my firewall, which then does NAT for several IP phones and softphones, I can't access my FreePBX server.
It always gets stuck at "Rx: REGISTER".
I can access my FreePBX server via the GUI, and I can ping it. But I can't register my phones.

Does anyone have an idea how to solve this problem, or another idea how to create a suitable OpenVPN tunnel? Do I need site-to-site?

Thank you very much

Maybe it doesn't allow UDP traffic to pass through; it's the only thing that doesn't work.

Hello,

I've set the protocol to all, and I can see with "show nat translations details" that there are UDP translations, also for 5060.

My SIP server gets the REGISTER request, but I think it cannot get an answer back. But how can this happen?

I found out that as soon as I bring up my bridge br0, my FreePBX gets another IP address via DHCP, so it has 2 IP addresses (the web GUI is reachable on both), and because of that I have problems with the SIP registration.

I've used this howto to set up the bridged OpenVPN tunnel: aaflalo.me/2015/01/openvpn-with-tls-in-bridged-mode/

I cannot find the problem; I have no DHCP enabled. Any ideas?

I had a similar problem when I set up my OpenVPN gateway initially, a couple of years back … if I remember correctly it was a routing issue … I would recommend checking this issue on the OpenVPN forum, and good luck.

Hello,

Yes, you were right!
I can make outbound calls now, but no inbound.

Am I right that I have to specify a special SIP port for each phone behind NAT, which I should forward in my firewall, and tell my FreePBX on which port this phone is reachable, e.g. 5061? Or am I absolutely wrong?

Can you make a diagram of your network, because I don't understand the topology that you have.
Also, on your server run the following commands and post the output:

ip addr

route

Hello,

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether b8:27:eb:72:98:17 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::bfa0:96bf:5047:de43/64 scope link
       valid_lft forever preferred_lft forever
3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state DORMANT group default qlen 1000
    link/ether b8:27:eb:27:cd:42 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ba27:ebff:fe27:cd42/64 scope link
       valid_lft forever preferred_lft forever
5: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 100
    link/ether a6:8c:0a:b0:66:9e brd ff:ff:ff:ff:ff:ff
    inet 169.254.37.159/16 brd 169.254.255.255 scope global tap0
       valid_lft forever preferred_lft forever
    inet6 fe80::580d:bfe:e058:fd3/64 scope link
       valid_lft forever preferred_lft forever
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether b8:27:eb:72:98:17 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.220/24 brd 192.168.0.255 scope global br0
       valid_lft forever preferred_lft forever
    inet 192.168.0.135/24 brd 192.168.0.255 scope global secondary br0
       valid_lft forever preferred_lft forever

route:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default dsldevice.home 0.0.0.0 UG 0 0 0 br0
default dsldevice.home 0.0.0.0 UG 206 0 0 br0
link-local * 255.255.0.0 U 205 0 0 tap0
192.168.0.0 * 255.255.255.0 U 206 0 0 br0

I don't understand why I have a secondary IP address on br0. That's the main problem, I think.
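A small diagnostic, added here and not from the thread, that parses "ip addr" and "route" output in the format posted above and flags the three things visible in it: a secondary address on br0, an IPv4 address sitting on a bridge port (tap0), and two default routes. The sample input is the thread's own output, trimmed to the relevant interfaces.

```python
import re

# Sample input: the ip addr / route output posted above, trimmed to tap0 and br0.
IP_ADDR = """\
5: tap0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 100
    link/ether a6:8c:0a:b0:66:9e brd ff:ff:ff:ff:ff:ff
    inet 169.254.37.159/16 brd 169.254.255.255 scope global tap0
6: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether b8:27:eb:72:98:17 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.220/24 brd 192.168.0.255 scope global br0
    inet 192.168.0.135/24 brd 192.168.0.255 scope global secondary br0
"""
ROUTE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default dsldevice.home 0.0.0.0 UG 0 0 0 br0
default dsldevice.home 0.0.0.0 UG 206 0 0 br0
link-local * 255.255.0.0 U 205 0 0 tap0
192.168.0.0 * 255.255.255.0 U 206 0 0 br0
"""

IFACE_RE = re.compile(r"^\d+: (\S+): <([^>]*)>(.*)$")
INET_RE = re.compile(r"^\s+inet (\S+) .*scope (\S+)( secondary)?")

def parse_ip_addr(text):
    """Return {iface: {"master": bridge or None, "inet": [(cidr, scope, is_secondary)]}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            master = re.search(r"\bmaster (\S+)", m.group(3))
            ifaces[cur] = {"master": master.group(1) if master else None, "inet": []}
            continue
        m = INET_RE.match(line)
        if m and cur:
            ifaces[cur]["inet"].append((m.group(1), m.group(2), bool(m.group(3))))
    return ifaces

def default_routes(route_text):
    """Rows of the route table whose destination is 'default'."""
    return [l.split() for l in route_text.splitlines() if l.startswith("default ")]

def find_problems(ip_addr_text, route_text):
    """Flag addressing/routing conditions that break SIP registration on a bridged tap setup."""
    problems = []
    for name, info in parse_ip_addr(ip_addr_text).items():
        for cidr, scope, secondary in info["inet"]:
            if secondary:
                problems.append(f"{name}: secondary address {cidr} (second lease on a statically addressed bridge)")
            if info["master"]:  # a bridge port should carry no IPv4 address of its own
                problems.append(f"{name}: bridge port of {info['master']} carries its own address {cidr}")
    n = len(default_routes(route_text))
    if n > 1:
        problems.append(f"{n} default routes (expected 1)")
    return problems
```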

What's the IP that you get at the remote end?

I get 192.168.0.220, because this is the IP I am advertising (I have set this IP in the server.conf).

If I ARP for the secondary IP, I get the MAC address of the br0 interface.
The secondary IP is assigned by my DHCP server. The other IP, 192.168.0.220, is set manually in the bridge br0 configuration.

Hmm ok I am totally confused.

What do you mean by the following?

I've set up an OpenVPN tunnel (bridged). If I open the tunnel on a notebook, I get an IP address inside my company network, and everything works fine. But if I add this tunnel to my firewall, which then does NAT for several IP phones and softphones, I can't access my FreePBX server.

Please explain what you are trying to do.