How to switch from NAT to Routing (advanced) for SIP?

egtrev
OpenVpn Newbie
Posts: 3
Joined: Thu May 26, 2016 11:12 am

How to switch from NAT to Routing (advanced) for SIP?

Post by egtrev » Thu May 26, 2016 11:39 am

Hello,

I have an OpenVPN AS setup and it works fine on my Android device connecting in when not at home.
One thing I want to get working is a SIP softphone connecting to my home PBX from my Android device.
Currently the softphone registers fine with my PBX and can make/receive calls.
The problem I am having is only one way audio - The home PBX can hear the Android softphone, but the Android softphone can't hear them.

After reading/searching I've read this is to do with SIP not playing well with NAT.
Under 'VPN Settings > Routing' I have changed 'Yes, using NAT' to 'Yes, using routing (advanced)'; I haven't changed anything else.
Now the VPN connects fine but does not work: I don't have internet access or access to any devices on the local home network.

My local network is 192.168.0.xxx
I have attached a couple of screenshots of my VPN settings.

Any help is appreciated - Note: I'm a network/VPN newbie.

Below is the OpenVPN log with NAT (this works/connects fine except the one way SIP audio)


Thu May 26 12:00:58 2016 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Thu May 26 12:00:58 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Management Password:
Thu May 26 12:00:58 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25344
Thu May 26 12:00:58 2016 Need hold release from management interface, waiting...
Thu May 26 12:00:58 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25344
Thu May 26 12:00:58 2016 MANAGEMENT: CMD 'state on'
Thu May 26 12:00:58 2016 MANAGEMENT: CMD 'log all on'
Thu May 26 12:00:58 2016 MANAGEMENT: CMD 'hold off'
Thu May 26 12:00:58 2016 MANAGEMENT: CMD 'hold release'
Thu May 26 12:01:04 2016 MANAGEMENT: CMD 'username "Auth" "admin"'
Thu May 26 12:01:04 2016 MANAGEMENT: CMD 'password [...]'
Thu May 26 12:01:04 2016 Control Channel Authentication: tls-auth using INLINE static key file
Thu May 26 12:01:04 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 26 12:01:04 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 26 12:01:04 2016 Socket Buffers: R=[8192->100000] S=[8192->100000]
Thu May 26 12:01:04 2016 UDPv4 link local: [undef]
Thu May 26 12:01:04 2016 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Thu May 26 12:01:04 2016 MANAGEMENT: >STATE:1464260464,WAIT,,,
Thu May 26 12:01:04 2016 MANAGEMENT: >STATE:1464260464,AUTH,,,
Thu May 26 12:01:04 2016 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=80f63dad 59122785
Thu May 26 12:01:04 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu May 26 12:01:05 2016 VERIFY OK: depth=1, CN=OpenVPN CA
Thu May 26 12:01:05 2016 VERIFY OK: nsCertType=SERVER
Thu May 26 12:01:05 2016 VERIFY OK: depth=0, CN=OpenVPN Server
Thu May 26 12:01:06 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 26 12:01:06 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 26 12:01:06 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 26 12:01:06 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 26 12:01:06 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Thu May 26 12:01:06 2016 [OpenVPN Server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Thu May 26 12:01:07 2016 MANAGEMENT: >STATE:1464260467,GET_CONFIG,,,
Thu May 26 12:01:08 2016 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu May 26 12:01:08 2016 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-token SESS_ID,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.17.0.145,dhcp-option DNS 192.168.0.1,register-dns,block-ipv6,ifconfig 172.17.0.146 255.255.255.248'
Thu May 26 12:01:08 2016 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.3.8)
Thu May 26 12:01:08 2016 OPTIONS IMPORT: timers and/or timeouts modified
Thu May 26 12:01:08 2016 OPTIONS IMPORT: explicit notify parm(s) modified
Thu May 26 12:01:08 2016 OPTIONS IMPORT: LZO parms modified
Thu May 26 12:01:08 2016 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 26 12:01:08 2016 OPTIONS IMPORT: route options modified
Thu May 26 12:01:08 2016 OPTIONS IMPORT: route-related options modified
Thu May 26 12:01:08 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu May 26 12:01:08 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu May 26 12:01:08 2016 MANAGEMENT: >STATE:1464260468,ASSIGN_IP,,172.17.0.146,
Thu May 26 12:01:08 2016 open_tun, tt->ipv6=0
Thu May 26 12:01:08 2016 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{09899D1B-589D-47CB-A3AB-2463078A3D3B}.tap
Thu May 26 12:01:08 2016 TAP-Windows Driver Version 9.21 
Thu May 26 12:01:08 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 172.17.0.144/172.17.0.146/255.255.255.248 [SUCCEEDED]
Thu May 26 12:01:08 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.17.0.146/255.255.255.248 on interface {09899D1B-589D-47CB-A3AB-2463078A3D3B} [DHCP-serv: 172.17.0.150, lease-time: 31536000]
Thu May 26 12:01:08 2016 Successful ARP Flush on interface [15] {09899D1B-589D-47CB-A3AB-2463078A3D3B}
Thu May 26 12:01:08 2016 TAP: DHCP address released
Thu May 26 12:01:12 2016 TAP: DHCP address renewal succeeded
Thu May 26 12:01:17 2016 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Thu May 26 12:01:17 2016 C:\Windows\system32\route.exe ADD XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.43.1
Thu May 26 12:01:17 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Thu May 26 12:01:17 2016 Route addition via IPAPI succeeded [adaptive]
Thu May 26 12:01:17 2016 C:\Windows\system32\route.exe ADD 192.168.43.1 MASK 255.255.255.255 192.168.43.1 IF 16
Thu May 26 12:01:17 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=25 and dwForwardType=4
Thu May 26 12:01:17 2016 Route addition via IPAPI succeeded [adaptive]
Thu May 26 12:01:17 2016 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.17.0.145
Thu May 26 12:01:17 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Thu May 26 12:01:17 2016 Route addition via IPAPI succeeded [adaptive]
Thu May 26 12:01:17 2016 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.17.0.145
Thu May 26 12:01:17 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Thu May 26 12:01:17 2016 Route addition via IPAPI succeeded [adaptive]
Thu May 26 12:01:17 2016 Initialization Sequence Completed
Thu May 26 12:01:17 2016 MANAGEMENT: >STATE:1464260477,CONNECTED,SUCCESS,172.17.0.146,XXX.XXX.XXX.XXX
Thu May 26 12:01:17 2016 Start net commands...
Thu May 26 12:01:17 2016 C:\Windows\system32\net.exe stop dnscache
Thu May 26 12:01:19 2016 C:\Windows\system32\net.exe start dnscache
Thu May 26 12:01:21 2016 C:\Windows\system32\ipconfig.exe /flushdns
Thu May 26 12:01:21 2016 C:\Windows\system32\ipconfig.exe /registerdns
Thu May 26 12:01:24 2016 End net commands...
Thu May 26 12:02:44 2016 SIGTERM received, sending exit notification to peer
Thu May 26 12:02:45 2016 C:\Windows\system32\route.exe DELETE XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.43.1
Thu May 26 12:02:45 2016 Route deletion via IPAPI succeeded [adaptive]
Thu May 26 12:02:45 2016 C:\Windows\system32\route.exe DELETE 192.168.43.1 MASK 255.255.255.255 192.168.43.1
Thu May 26 12:02:45 2016 Route deletion via IPAPI succeeded [adaptive]
Thu May 26 12:02:45 2016 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 172.17.0.145
Thu May 26 12:02:45 2016 Route deletion via IPAPI succeeded [adaptive]
Thu May 26 12:02:45 2016 C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 172.17.0.145
Thu May 26 12:02:45 2016 Route deletion via IPAPI succeeded [adaptive]
Thu May 26 12:02:45 2016 Closing TUN/TAP interface
Thu May 26 12:02:45 2016 TAP: DHCP address released
Thu May 26 12:02:45 2016 SIGTERM[soft,exit-with-notification] received, process exiting
Thu May 26 12:02:45 2016 MANAGEMENT: >STATE:1464260565,EXITING,exit-with-notification,,

This is with NAT changed to routing (advanced) - This connects but does not work at all.


Thu May 26 12:35:24 2016 OpenVPN 2.3.8 i686-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug  4 2015
Thu May 26 12:35:24 2016 library versions: OpenSSL 1.0.1p 9 Jul 2015, LZO 2.08
Enter Management Password:
Thu May 26 12:35:24 2016 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:25344
Thu May 26 12:35:24 2016 Need hold release from management interface, waiting...
Thu May 26 12:35:25 2016 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:25344
Thu May 26 12:35:25 2016 MANAGEMENT: CMD 'state on'
Thu May 26 12:35:25 2016 MANAGEMENT: CMD 'log all on'
Thu May 26 12:35:25 2016 MANAGEMENT: CMD 'hold off'
Thu May 26 12:35:25 2016 MANAGEMENT: CMD 'hold release'
Thu May 26 12:35:39 2016 MANAGEMENT: CMD 'username "Auth" "admin"'
Thu May 26 12:35:39 2016 MANAGEMENT: CMD 'password [...]'
Thu May 26 12:35:39 2016 Control Channel Authentication: tls-auth using INLINE static key file
Thu May 26 12:35:39 2016 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 26 12:35:39 2016 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 26 12:35:39 2016 Socket Buffers: R=[8192->100000] S=[8192->100000]
Thu May 26 12:35:39 2016 UDPv4 link local: [undef]
Thu May 26 12:35:39 2016 UDPv4 link remote: [AF_INET]XXX.XXX.XXX.XXX:1194
Thu May 26 12:35:39 2016 MANAGEMENT: >STATE:1464262539,WAIT,,,
Thu May 26 12:35:39 2016 MANAGEMENT: >STATE:1464262539,AUTH,,,
Thu May 26 12:35:39 2016 TLS: Initial packet from [AF_INET]XXX.XXX.XXX.XXX:1194, sid=2610837b a2566a9b
Thu May 26 12:35:39 2016 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu May 26 12:35:39 2016 VERIFY OK: depth=1, CN=OpenVPN CA
Thu May 26 12:35:39 2016 VERIFY OK: nsCertType=SERVER
Thu May 26 12:35:39 2016 VERIFY OK: depth=0, CN=OpenVPN Server
Thu May 26 12:35:43 2016 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 26 12:35:43 2016 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 26 12:35:43 2016 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Thu May 26 12:35:43 2016 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Thu May 26 12:35:43 2016 Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-SHA, 2048 bit RSA
Thu May 26 12:35:43 2016 [OpenVPN Server] Peer Connection Initiated with [AF_INET]XXX.XXX.XXX.XXX:1194
Thu May 26 12:35:44 2016 MANAGEMENT: >STATE:1464262544,GET_CONFIG,,,
Thu May 26 12:35:46 2016 SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Thu May 26 12:35:46 2016 PUSH: Received control message: 'PUSH_REPLY,explicit-exit-notify,topology subnet,route-delay 5 30,dhcp-pre-release,dhcp-renew,dhcp-release,route-metric 101,ping 12,ping-restart 50,auth-token SESS_ID,comp-lzo yes,redirect-gateway def1,redirect-gateway bypass-dhcp,redirect-gateway autolocal,route-gateway 172.17.0.145,dhcp-option DNS 192.168.0.1,register-dns,block-ipv6,ifconfig 172.17.0.146 255.255.255.248'
Thu May 26 12:35:46 2016 Unrecognized option or missing parameter(s) in [PUSH-OPTIONS]:18: block-ipv6 (2.3.8)
Thu May 26 12:35:46 2016 OPTIONS IMPORT: timers and/or timeouts modified
Thu May 26 12:35:46 2016 OPTIONS IMPORT: explicit notify parm(s) modified
Thu May 26 12:35:46 2016 OPTIONS IMPORT: LZO parms modified
Thu May 26 12:35:46 2016 OPTIONS IMPORT: --ifconfig/up options modified
Thu May 26 12:35:46 2016 OPTIONS IMPORT: route options modified
Thu May 26 12:35:46 2016 OPTIONS IMPORT: route-related options modified
Thu May 26 12:35:46 2016 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu May 26 12:35:46 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Thu May 26 12:35:46 2016 MANAGEMENT: >STATE:1464262546,ASSIGN_IP,,172.17.0.146,
Thu May 26 12:35:46 2016 open_tun, tt->ipv6=0
Thu May 26 12:35:46 2016 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{09899D1B-589D-47CB-A3AB-2463078A3D3B}.tap
Thu May 26 12:35:46 2016 TAP-Windows Driver Version 9.21 
Thu May 26 12:35:46 2016 Set TAP-Windows TUN subnet mode network/local/netmask = 172.17.0.144/172.17.0.146/255.255.255.248 [SUCCEEDED]
Thu May 26 12:35:46 2016 Notified TAP-Windows driver to set a DHCP IP/netmask of 172.17.0.146/255.255.255.248 on interface {09899D1B-589D-47CB-A3AB-2463078A3D3B} [DHCP-serv: 172.17.0.150, lease-time: 31536000]
Thu May 26 12:35:46 2016 Successful ARP Flush on interface [15] {09899D1B-589D-47CB-A3AB-2463078A3D3B}
Thu May 26 12:35:46 2016 NOTE: Release of DHCP-assigned IP address lease on TAP-Windows adapter failed: An address has not yet been associated with the network endpoint.   (code=1228)
Thu May 26 12:35:49 2016 TAP: DHCP address renewal succeeded
Thu May 26 12:35:54 2016 TEST ROUTES: 1/1 succeeded len=0 ret=1 a=0 u/d=up
Thu May 26 12:35:54 2016 C:\Windows\system32\route.exe ADD XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.0.1
Thu May 26 12:35:54 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Thu May 26 12:35:54 2016 Route addition via IPAPI succeeded [adaptive]
Thu May 26 12:35:54 2016 C:\Windows\system32\route.exe ADD 192.168.0.1 MASK 255.255.255.255 192.168.0.1 IF 16
Thu May 26 12:35:54 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Thu May 26 12:35:54 2016 Route addition via IPAPI succeeded [adaptive]
Thu May 26 12:35:54 2016 C:\Windows\system32\route.exe ADD 0.0.0.0 MASK 128.0.0.0 172.17.0.145
Thu May 26 12:35:54 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Thu May 26 12:35:54 2016 Route addition via IPAPI succeeded [adaptive]
Thu May 26 12:35:54 2016 C:\Windows\system32\route.exe ADD 128.0.0.0 MASK 128.0.0.0 172.17.0.145
Thu May 26 12:35:54 2016 ROUTE: CreateIpForwardEntry succeeded with dwForwardMetric1=20 and dwForwardType=4
Thu May 26 12:35:54 2016 Route addition via IPAPI succeeded [adaptive]
Thu May 26 12:35:54 2016 Initialization Sequence Completed
Thu May 26 12:35:54 2016 MANAGEMENT: >STATE:1464262554,CONNECTED,SUCCESS,172.17.0.146,XXX.XXX.XXX.XXX
Thu May 26 12:35:54 2016 Start net commands...
Thu May 26 12:35:54 2016 C:\Windows\system32\net.exe stop dnscache
Thu May 26 12:35:57 2016 C:\Windows\system32\net.exe start dnscache
Thu May 26 12:35:59 2016 C:\Windows\system32\ipconfig.exe /flushdns
Thu May 26 12:35:59 2016 C:\Windows\system32\ipconfig.exe /registerdns
Thu May 26 12:36:02 2016 End net commands...
Thu May 26 12:36:17 2016 SIGTERM received, sending exit notification to peer
Thu May 26 12:36:18 2016 C:\Windows\system32\route.exe DELETE XXX.XXX.XXX.XXX MASK 255.255.255.255 192.168.0.1
Thu May 26 12:36:18 2016 Route deletion via IPAPI succeeded [adaptive]
Thu May 26 12:36:18 2016 C:\Windows\system32\route.exe DELETE 192.168.0.1 MASK 255.255.255.255 192.168.0.1
Thu May 26 12:36:18 2016 Route deletion via IPAPI succeeded [adaptive]
Thu May 26 12:36:18 2016 C:\Windows\system32\route.exe DELETE 0.0.0.0 MASK 128.0.0.0 172.17.0.145
Thu May 26 12:36:18 2016 Route deletion via IPAPI succeeded [adaptive]
Thu May 26 12:36:18 2016 C:\Windows\system32\route.exe DELETE 128.0.0.0 MASK 128.0.0.0 172.17.0.145
Thu May 26 12:36:18 2016 Route deletion via IPAPI succeeded [adaptive]
Thu May 26 12:36:18 2016 Closing TUN/TAP interface
Thu May 26 12:36:18 2016 TAP: DHCP address released
Thu May 26 12:36:18 2016 SIGTERM[soft,exit-with-notification] received, process exiting
Thu May 26 12:36:18 2016 MANAGEMENT: >STATE:1464262578,EXITING,exit-with-notification,,

egtrev
OpenVpn Newbie
Posts: 3
Joined: Thu May 26, 2016 11:12 am

Re: How to switch from NAT to Routing (advanced) for SIP?

Post by egtrev » Sat Oct 01, 2016 8:09 am

Just bumping this up, still hoping for any help :)

rsenio
OpenVPN Power User
Posts: 91
Joined: Tue Nov 29, 2011 9:34 pm

Re: How to switch from NAT to Routing (advanced) for SIP?

Post by rsenio » Tue Oct 18, 2016 2:41 pm

Now that you've switched to routing, did you set up a route back to your VPN network on your home router? In other words, aside from SIP, can your home network communicate with the VPN client and vice versa? Did this work before you switched to routing?

Have you configured your SIP PBX to let it know of the other network using the localnet option for SIP? sip_general_custom.conf?

egtrev
OpenVpn Newbie
Posts: 3
Joined: Thu May 26, 2016 11:12 am

Re: How to switch from NAT to Routing (advanced) for SIP?

Post by egtrev » Wed Feb 01, 2017 4:15 pm

rsenio wrote: Now that you've switched to routing, did you set up a route back to your VPN network on your home router? In other words, aside from SIP, can your home network communicate with the VPN client and vice versa? Did this work before you switched to routing?

Have you configured your SIP PBX to let it know of the other network using the localnet option for SIP? sip_general_custom.conf?

No, I haven't changed anything in the router or PBX.
Yes, everything worked before I switched to routing and I could access everything on my home network, SIP registration worked too, just one way audio. Nothing works now with routing.

rsenio
OpenVPN Power User
Posts: 91
Joined: Tue Nov 29, 2011 9:34 pm

Re: How to switch from NAT to Routing (advanced) for SIP?

Post by rsenio » Mon Feb 13, 2017 4:11 pm

OK, well, you need to set all that up since you've switched to routing. Each device needs to know how to route packets to and from your VPN subnet.

rsenio
OpenVPN Power User
Posts: 91
Joined: Tue Nov 29, 2011 9:34 pm

Re: How to switch from NAT to Routing (advanced) for SIP?

Post by rsenio » Mon Feb 13, 2017 4:17 pm

On your router you'll need a route to your OpenVPN-AS server from your home network subnet:

Source Any --> Service Any --> Destination OpenVPN subnet --> Gateway OpenVPN-AS Server Home IP

As for your SIP issue, you'll need to use the localnet option https://www.voip-info.org/wiki/view/Asterisk+SIP+externip

Depending on how your sip.conf gets generated you may need to place that in a different file. Mine is in sip_general_custom.conf
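
The return-route problem described in this thread, as an added example that is not part of the original posts: it derives the client's VPN subnet from the PUSH_REPLY line in the log, shows by longest-prefix match where the home router sends a reply to the VPN client before and after the static route is added, and formats the matching localnet entries. The /24 mask on the home LAN and the server address 192.168.0.50 are assumptions; neither appears in the thread.

```python
import ipaddress
import re

# Trimmed copy of the PUSH_REPLY line from the client log in the first post.
PUSH_REPLY = ("PUSH_REPLY,topology subnet,redirect-gateway def1,"
              "route-gateway 172.17.0.145,dhcp-option DNS 192.168.0.1,"
              "ifconfig 172.17.0.146 255.255.255.248")

# Assumptions, not from the thread: a /24 mask on the 192.168.0.xxx LAN and
# a hypothetical LAN address for the OpenVPN-AS server.
HOME_LAN = ipaddress.ip_network("192.168.0.0/24")
AS_SERVER_LAN_IP = "192.168.0.50"


def client_subnet(push_reply):
    """Return (client_ip, network) from the pushed 'ifconfig <ip> <mask>'."""
    m = re.search(r"\bifconfig (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", push_reply)
    if m is None:
        raise ValueError("no ifconfig option in PUSH_REPLY")
    iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    return iface.ip, iface.network


def next_hop(routes, dst):
    """Longest-prefix match over (network, gateway) pairs, as a router does."""
    dst = ipaddress.ip_address(dst)
    hits = [(net, gw) for net, gw in routes if dst in net]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


def router_tables(vpn_net):
    """Home router's table before and after adding the return route."""
    before = [(HOME_LAN, "on-link (LAN)"),
              (ipaddress.ip_network("0.0.0.0/0"), "ISP (WAN)")]
    after = before + [(vpn_net, AS_SERVER_LAN_IP)]
    return before, after


def localnet_lines(networks):
    """sip.conf 'localnet' entries in Asterisk's network/netmask form."""
    return [f"localnet={n.network_address}/{n.netmask}" for n in networks]


if __name__ == "__main__":
    client_ip, vpn_net = client_subnet(PUSH_REPLY)
    before, after = router_tables(vpn_net)
    # Only this client's /29 is visible in the log; the real route should
    # cover the whole VPN client subnet configured on the Access Server.
    print("PBX reply to", client_ip, "before:", next_hop(before, client_ip))
    print("PBX reply to", client_ip, "after: ", next_hop(after, client_ip))
    print("\n".join(localnet_lines([HOME_LAN, vpn_net])))
```

With NAT the PBX only ever sees the server's LAN address, so no extra route is needed; with routing it sees the 172.17.0.x source address, and without the static route the reply follows the default route out of the WAN interface.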
