Using Raspberry PI as OpenVPN router for Asterisk

3

1

So, I've been banging my head with this for quite some time.

I have the following configuration:

  • OpenVPN server, IP 1.2.3.1
  • Asterisk server, connected to OpenVPN server, IP 1.2.3.3
  • Raspberry PI, local interface 192.168.0.17, connected to OpenVPN IP 1.2.3.6
  • IP Telephone in the same local network as Raspberry PI, local ip 192.168.0.81

Networks are configured as follows:

  • Local connection on raspberry is eth0
  • Raspberry has additional virtual interface eth0:1 with ip 192.168.0.91
  • OpenVPN connection on raspberry is tun0
  • Telephone has local ip 192.168.0.81 and gateway set to 192.168.0.91 (raspberry)

On the raspberry, iptables is as follows:

#Empty all routing tables
sudo iptables -t nat -F
sudo iptables -F

#Masquerade all traffic leaving tun0 as if coming from 1.2.3.6
sudo iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE

#redirect all traffic coming from eth0:1 to tun0
sudo iptables -A FORWARD -i eth0:1 -o tun0 -j ACCEPT

#redirect all traffic coming from tun0 to eth0:1
sudo iptables -A FORWARD -i tun0 -o eth0:1 -j ACCEPT

#Modify all packets coming to tun0 to forward them to the IP telephone
sudo iptables -t nat -A PREROUTING -i tun0 -j DNAT --to-destination 192.168.0.81

So, I can call and I can receive calls (I have another laptop that is connected directly to VPN server and uses Zoiper for test). I can call the telephone and from telephone and audio from telephone to laptop works, but there is no incoming audio on the telephone whatsoever.

What am I doing wrong?

UPDATE

I also tried the following

  1. Phone has 192.168.200.1 / 255.255.255.0 settings, connected to raspberry which has 192.168.200.2 / 255.255.255.0 (raspberry ip is gateway to phone)

  2. Raspberry pi with tun ip 10.34.87.2 (connected to wifi using wlan0, then to vpn).

  3. IPTables:

sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -A FORWARD -i tun0 -o eth0 -j ACCEPT

  4. On VPN server (10.34.87.1)

route add 192.168.200.0/24 10.34.87.2

NOTE: iptables is without the masquerade. Now I managed to get traffic routed from 192.168.200.1 -> 10.34.87.1 (vpn server), but not the other way around.

Any ideas?

dkasipovic

Posted 2018-02-07T22:30:59.353

Reputation: 842

I'm not sure I understand exactly what you are saying works and doesn't work. If you can set up a call from the laptop to the telephone, then the network routing is probably OK. If the call sets up OK, but there is no audio, it might be that you have some filtering set up that allows the call set-up packets through, but not the message (does the VOIP software switch to a different port number?) Alternatively, there might just be a problem with your audio configuration on the laptop. – JRI – 2018-02-13T23:53:59.043

TCP dump showed me that there is no incoming RTP traffic whatsoever, so I think I found the error, but not sure how to solve it. It seems that RTP initiation in itself contains the IP address of the sender (not in the packet header, but in the body), so when the packet is being sent from telephone over raspberry to server, raspberry rewrites it as if it had come from raspberry, but inside the packet remains the original IP. So, now I am testing netsed to see if I can rewrite packets on the fly. – dkasipovic – 2018-02-14T11:44:30.093

Can you add the subnet masks you used for the IP addresses configured? – Tim_Stewart – 2018-02-17T00:53:26.963

@Tim_Stewart 255.255.255.0 – dkasipovic – 2018-02-17T13:02:32.583
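
Added example (not part of the original thread): a small Python check for the mismatch described in the comments above, where the SDP body still advertises the phone's LAN address while MASQUERADE has rewritten the IP header to the Pi's tun0 address. The INVITE text, extensions and RTP port are constructed; the IP addresses are the ones from the question.

```python
import ipaddress

# Constructed SIP INVITE as the Asterisk server would see it after the Pi
# applied MASQUERADE: the IP header source is 1.2.3.6, the body is untouched.
SAMPLE_INVITE = (
    "INVITE sip:100@1.2.3.3 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.81:5060;branch=z9hG4bK-constructed\r\n"
    "Contact: <sip:200@192.168.0.81:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.168.0.81\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.0.81\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
)


def sdp_media_targets(message):
    """Return (ip, port) pairs where the sender asks to receive RTP."""
    _, _, body = message.partition("\r\n\r\n")
    session_ip, media = None, []  # media entries: [port, media-level ip or None]
    for line in body.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2].split("/")[0]
            if media:
                media[-1][1] = ip   # c= after m= overrides for that stream
            else:
                session_ip = ip     # c= before any m= is the session default
        elif line.startswith("m="):
            media.append([int(line.split()[1].split("/")[0]), None])
    return [(ip or session_ip, port) for port, ip in media]


def nat_mismatches(message, header_src_ip):
    """List RTP targets that differ from the address the packet arrived from."""
    src = ipaddress.ip_address(header_src_ip)
    problems = []
    for ip, port in sdp_media_targets(message):
        if ip is None:
            continue  # no connection address advertised for this stream
        addr = ipaddress.ip_address(ip)
        if addr != src:
            # The receiver would send RTP to `ip`, not back through the NAT.
            problems.append((ip, port, addr.is_private))
    return problems
```

With the masqueraded source `1.2.3.6` the check reports the private RTP target; with the routed, non-NAT setup discussed in the answer the header source is `192.168.0.81` and nothing is reported.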

Answers

-1

Is the masquerading a requirement? If not, as your phones have the Pi as their default gateway they can reach the server with no additional effort. Just make sure that the server can reach the phones back: add a route on the server (if necessary) for 192.168.0.0/24 (adapt it as needed) via the Pi.

Raouf M. Bencheraiet

Posted 2018-02-07T22:30:59.353

Reputation: 104

Yeah but given that VPN has dynamic IP, and that I will have multiple locations with PI which are not known in advance (at least at the moment), I am not really sure how to create routes on the server. Also, this really sounds like a workaround, not a solution that I would like to implement. – dkasipovic – 2018-02-19T08:54:49.020

It is A solution to the problem, not THE solution. If I understand, what you want is to take a Pi, configure it, drop it somewhere, and it works?

As for the routes on the server, if the Pi is already the default gateway it should work out of the box. If not: ip route add 192.168.0.0/24 via 1.2.3.1 should do the trick (adjust the network address/mask to your needs). Take a look here: https://www.voip-info.org/wiki/view/NAT+and+VOIP

– Raouf M. Bencheraiet – 2018-02-20T00:45:27.593

So basically, what you are suggesting is, connect raspberry to vpn server, get IP A.B.C.D, then add that route on server so telephone ip (which is connected to raspberry), and then disable masquerade on the raspberry? That way, I will not need to modify the rtp packets, and the connected device will use its original ip. The downside of this, if I am right, is that each raspberry should have different local IP range, so I can add multiple routes on the server. – dkasipovic – 2018-02-20T09:27:22.933

In a nutshell, yes! the down side is as you mentioned. – Raouf M. Bencheraiet – 2018-02-20T13:25:34.583

See the edit, if possible – dkasipovic – 2018-02-22T22:39:41.660

Routing means that, for example, if you ping 10.34.87.1 from 192.168.200.1 you get a reply?

Try tcpdump on the Pi and see if packets are flowing from one interface to the other. Also the output of 'ip route show' on the server with IP 10.34.87.1. – Raouf M. Bencheraiet – 2018-02-22T23:23:07.000

No, the ping is not going through, although by all means it should. Other than that, what is strange, when I do iptables -vL it does not show any incoming packets on tun0 interface, whatsoever, even if I do ping 10.34.87.2 from 10.34.87.1, and that's really confusing. – dkasipovic – 2018-02-23T08:38:04.400

Last night I saw something that looked like this: VPN connection established but no traffic at all, even though the routes were OK. Turned out the client config was wrong: the server expected compression but the client didn't. Logs on the server helped (we're using OpenVPN). – Raouf M. Bencheraiet – 2018-02-23T16:20:17.480

Yeah, but the regular traffic works perfectly, it’s just that it does nothing when passed through iptables – dkasipovic – 2018-02-23T16:21:32.737