TLS and SRTP on FreePBX

Hi friends,
I tried to implement TLS and SRTP on FreePBX Distro 10.13.66 (FreePBX using the following help:

In “Chan SIP Settings” --> “TLS/SSL/SRTP Settings” I chose the “default” certificate.
My FreePBX server is behind NAT (MikroTik)

I did the above settings and it seems TLS and SRTP work ok in the LAN area.

I tried to use TLS and SRTP outside the LAN, therefore I set port forwarding of the TLS port in MikroTik. But when I try to use TLS and SRTP with a softphone from outside the LAN, the extension registers but the call cannot be established (without enabling TLS everything is ok from outside the LAN with the softphone).

Regarding this problem I have 2 questions:

  1. Is it possible to use TLS and SRTP if the FreePBX server is behind NAT?
  2. For using TLS, is it possible to use the “default” certificate, or do I have to create a new certificate?

Waiting for your help,

Your default is probably the self signed Linux one.
Create a new certificate with Certificate Manager. You can use the free Let’s Encrypt certificate.

Thanks for your hint.
As my FreePBX server is behind NAT, is it possible to create a new Let’s Encrypt certificate with “Certificate Manager”?

NAT and certificate are unrelated.
I would recommend testing with TCP without SRTP first, then switching to TLS+SRTP with certificates.
Make sure SIP ALG on your Mikrotik is disabled.

@AndrewZ
Thanks for your reply,
I’m not sure if I understand your meaning or not:
For testing to see if TCP is registered and working properly, I added tcpenable=yes in the “Other Sip Settings” and changed the “Transport” to “TCP Only” in the extension settings, and started testing on my mobile softphone via LTE internet, and both registration and calling were ok.

In TLS mode I think my problem is that TLS doesn’t work with the default certificate made by FreePBX during the Distro installation, but I don’t know how to create a new Let’s Encrypt certificate with “Certificate Manager”.

All is good. The idea was to separate possible NAT and certificate issues.
You should be able to test with any cert - just disable certificate validation in your softphone.

I found why I couldn’t create a new Let’s Encrypt certificate with “Certificate Manager” behind NAT. I should forward TCP port 80 in MikroTik to the local IP address of FreePBX.

I created a new Let’s Encrypt certificate but still the same problem:
In the LAN, extensions in TLS mode register and calls are ok between them, but from outside the LAN, extensions in TLS mode register but there is no voice when calling other extensions inside the LAN!

I just forwarded the Chan SIP TLS TCP Bind Port in MikroTik to the local IP address of FreePBX. Do I need to forward any other ports?

Has anybody tested this issue?

Are you saying that everything works fine with TCP but with TLS you have one-way or no-audio issue?
The difference between the two is encryption: SIP-over-TCP could potentially be intercepted by the SIP ALG, while SIP-over-TLS is not. Again, please make sure that the SIP ALG on your Mikrotik is disabled, then make a test with TCP. I always suggest separating issues that are different by nature, for example NAT and certificates. With TCP transport you or someone else should be able to see all the SIP messages on the router’s WAN and how they are going to/from the Internet.
From my perspective this is purely an Asterisk+NAT issue which has no relation to FreePBX yet.
I suggest considering paid support options. Troubleshooting could be a very time-consuming process and will require working with both client and server configurations, capturing and analyzing traffic, etc.
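The two threads above meet in the SIP messages themselves: the question of which other ports need forwarding, and AndrewZ’s advice to look at the SIP messages crossing the WAN. With TLS the WAN capture is encrypted, so the messages have to come from the softphone’s log or from the Asterisk CLI (`sip set debug on` for chan_sip). The script below is an added example, not code from the thread or from FreePBX: it reads one SIP INVITE with its SDP body and reports the classic no-audio causes behind NAT, namely a LAN (RFC 1918) address advertised in Contact or in the SDP `c=` line, a media port outside the UDP range the router forwards, and a media line that is not actually SRTP. The INVITE is constructed for the example, and the forwarded range 10000-20000 is an assumption matching Asterisk’s default rtp.conf range.

```python
import ipaddress
import re

# Assumption: the PBX's RTP range (Asterisk's default rtp.conf range) and the
# UDP range the router forwards are both 10000-20000.
FORWARDED_UDP = (10000, 20000)

# RFC 1918 networks. A LAN address here inside Contact or SDP means the PBX told
# the outside peer to send media to an address it cannot reach: no audio.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, not a capture from the thread: an INVITE as an outside
# softphone would receive it when the PBX behind NAT inserts its LAN address.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:201@203.0.113.10;transport=tls SIP/2.0",
    "Via: SIP/2.0/TLS 192.168.1.20:5061;branch=z9hG4bK-example",
    "From: <sip:200@192.168.1.20>;tag=abc",
    "To: <sip:201@203.0.113.10>",
    "Contact: <sip:200@192.168.1.20:5061;transport=tls>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.1.20",
    "s=Asterisk",
    "c=IN IP4 192.168.1.20",
    "t=0 0",
    "m=audio 10002 RTP/SAVP 0 8",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDERKEYMATERIALPLACEHOLDERKEYMATER",
    "a=rtpmap:0 PCMU/8000",
])


def is_lan_address(addr):
    """True when addr falls inside one of the RFC 1918 private networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def split_sip(message):
    """Split a SIP message into (headers, body); header names are lower-cased."""
    head, _, body = message.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body


def parse_sdp(body):
    """Return one dict per m= line with its effective address, port, profile and SRTP keys."""
    session_addr = None
    media = []
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if media:
                media[-1]["addr"] = addr     # media-level c= overrides session-level
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port, profile, *_ = line[2:].split()
            media.append({"kind": kind, "port": int(port), "profile": profile,
                          "addr": None, "crypto": False})
        elif line.startswith("a=crypto:") and media:
            media[-1]["crypto"] = True
    for m in media:
        if m["addr"] is None:
            m["addr"] = session_addr
    return media


def diagnose(message, forwarded_udp=FORWARDED_UDP):
    """List the NAT/SRTP problems visible in a single INVITE; empty list means none found."""
    headers, body = split_sip(message)
    findings = []
    lo, hi = forwarded_udp
    for contact in headers.get("contact", []):
        m = re.search(r"@([\d.]+)", contact)
        if m and is_lan_address(m.group(1)):
            findings.append(f"Contact header advertises LAN address {m.group(1)}; outside peers cannot reach it")
    for m in parse_sdp(body):
        if m["addr"] and is_lan_address(m["addr"]):
            findings.append(f"SDP {m['kind']} media address {m['addr']} is a LAN address; the remote peer will send RTP there and audio is lost")
        if not lo <= m["port"] <= hi:
            findings.append(f"SDP {m['kind']} port {m['port']} is outside the forwarded UDP range {lo}-{hi}")
        if m["profile"] == "RTP/SAVP" and not m["crypto"]:
            findings.append(f"SDP {m['kind']} media uses RTP/SAVP but offers no a=crypto line")
        elif m["profile"] == "RTP/AVP":
            findings.append(f"SDP {m['kind']} media is offered as plain RTP/AVP, so it is not SRTP")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_INVITE) or ["no NAT or SRTP problems found"]:
        print(finding)
```

Run against the constructed INVITE it reports the LAN address in both Contact and the SDP, which is what an outside softphone sees when the PBX signals its private address; the same check with a public address and a port outside 10000-20000 shows the other cause of one-way audio, the media port the router never forwards. Paste a real INVITE from the softphone log in place of the sample to check your own setup.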

What was your ticket number? Without a ticket, testing isn’t particularly likely from the Sangoma folks, and the rest of us are only likely to test it if we’re having the same problem…

Kindly tell me if you already resolved the no audio issue, because I have the same issue.

Thanks in advance!
