Using RT-AC86U VPN server to run a phone system. Running two phones at one client site not working.

coldasice

I got three RT-AC86U running with Asus-Merlin, one serving at a site with a static IP address as a VPN server; the other two are connected to that router over VPN client connections.
My settings in the VPN server router are the standard 10.8.0.0 255.255.255.0 with bi-directional auth.
The connection is working fine, that means I can't connect pro remote to the VPN server local network.
At the VPN server site a miniPC is set up running a phone system.
The phones also get connected fine through the VPN tunnel to the local network/phone system.

So here is the thing:
When I do a call from one VPN client site (e.g. 10.8.0.2) to the other VPN client site (e.g. 10.8.0.4), the call works fine.
If I want to do a call between two phones situated at the SAME VPN client site (e.g. 10.8.0.2), the phones ring but when the call is answered audio is not transmitted.
Can someone help me how to fix that the call gets routed correctly?
Thanks for the help.
 
I assume these two phones that can't communicate are on the same IP network as the OpenVPN client (e.g., 192.168.1.0/24), and are being NAT'd across the tunnel. Is that correct? Or is this perhaps a site to site configuration where you've eliminated the need for NAT?

Also, is the VPN using UDP or TCP? If it's the former, I'd be curious if switching to the latter fixed things.
 
I'm out of my depth here...

I wonder if the two user agents at the same site are using UDP and the same local port? If that makes sense, set different local ports or use TCP(?)

I also disable SIP Passthrough in the router to prevent one-way audio, but I don't know what that means to the VPN.

I'll go now! :)

OE
 
thx for your help.
Yeah, same local network: 192.168.XXX.155 phone 1, 192.168.XXX.156 phone 2, both plugged directly into the client Asus router. Create NAT on tunnel is enabled.
Create NAT on tunnel is enabled in the 'VPN Client Tab'.

Right now it's a UDP setup. I am a little hesitant about switching to TCP because if the connection gets lost by switching to TCP (by locking myself out) I can't get the new certificates, because I am not at the VPN server site and I won't be for like 2 weeks.

Meanwhile I tried something else. I had the idea to set 2 VPN client connections in the Asus VPN client router to the server, thereby separating the two phones into separate VPN tunnels to the server (using the VPN Director).
The result was that VPN client connection 1 got the VPN server IP (e.g. 10.8.0.2) and VPN client connection 2 got the VPN server IP (e.g. 10.8.0.3).
Still the exact same behavior.

Hope that helps to narrow it down. Any ideas what to do?
 
"I also disable SIP Passthrough in the router to prevent one-way audio, but I don't know what that means to the VPN." -> Man, you did it! I went into the 'WAN setting', 'NAT Passthrough' and disabled 'SIP Passthrough', and voilà, that did it! Now the 2 phones work properly and both can be heard.
 
Either way, I find the question interesting: when should a TCP VPN connection be used instead of a UDP VPN connection, or the other way round? What are the different advantages and disadvantages when it comes to audio transmission (SIP calls, video calls), especially when you cascade VPN connections?

So far my experience was that when you cascade UDP connections and then use video calls (no matter which system, cisco jabber, jitsi, MS Teams) then the connection gets gaps in the call like you can't hear the other person for sometimes even a few seconds. While when you put 3 TCP VPN connections in a row (tunnel in/over the tunnel) everything worked fine.

Thanks for sharing your thoughts on it :) Great community/forum by the way!
 
Cool! Sounds like two one-way audios add up to no audio in your VPN application. :)

I guess a VPN doesn't isolate from the router's SIP ALG.

OE
 
The problem there is that presumably both OpenVPN clients have the same IP network established on their respective tunnels, which leads to ambiguous routing.


Granted, in 386.4 Merlin added some mitigation to deal w/ that possibility, but I don't know what version of Merlin you're using. And regardless, it's best to avoid such duplication whenever possible since it will still have negative effects should the router itself need to reference either tunnel.

Anyway, it appears you got it working, so good to hear.
 
I thought it got fixed but it didn't :oops:

If I put "SIP Passthrough" to "Disable", I can actually call from one local phone to the other. But then when I get called from a phone outside my local network I can't hear that person anymore.
Whereas when I put "SIP Passthrough" to "Enabled + NAT helper", I can't talk to people in the local network but I can talk to people calling from outside my local network.
Any ideas what to do?
 
Try adding the following directive to the OpenVPN server custom config field.

Code:
multihome

This only applies to UDP connections, NOT TCP.
 
I added multihome to the OpenVPN server custom config field but it didn't change anything. I tried to set up a TCP instead of a UDP server but I couldn't get it running. (I am running 386.5 Merlin on all routers.)

Currently I have set "SIP Passthrough" to "Enabled + NAT helper" so calls from outside my local network are working. That leaves me at the same point as before when two phones are calling in the same local network the people can't hear each other.
Any other ideas?
 
Maybe this helps.

If I put "SIP Passthrough" to "Disable", I can actually call from one local phone (at the same router) to the other. But then when I get called from a phone outside my local network (at another router) I can't hear that person anymore.
Whereas when I put "SIP Passthrough" to "Enabled + NAT helper", I can't talk to people in the local network but I can talk to people calling from outside my local network.

If I put "SIP Passthrough" to "Enable" (without + NAT helper), it causes the same behavior as putting it in "Disable".
Any idea how to solve this?
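
One way to see what each "SIP Passthrough" setting does to the signalling, as an added example that is not part of any post in this thread: capture the same INVITE at the phone and at the phone system, then compare the address-bearing fields. The two messages below are constructed, and the LAN address 192.168.50.155, the PBX address 10.0.0.10 and all ports are assumptions; only the 10.8.0.2 tunnel address comes from the thread.

```python
import re

# Constructed sample: one INVITE as the phone sent it (SENT) and as the PBX
# received it (RECEIVED). All addresses and ports are made up for the example.
SENT = """INVITE sip:102@10.0.0.10 SIP/2.0\r
Via: SIP/2.0/UDP 192.168.50.155:5060;branch=z9hG4bK1\r
Contact: <sip:101@192.168.50.155:5060>\r
Content-Type: application/sdp\r
\r
v=0\r
o=- 1 1 IN IP4 192.168.50.155\r
c=IN IP4 192.168.50.155\r
m=audio 16384 RTP/AVP 0 8\r
"""
RECEIVED = (SENT.replace("192.168.50.155:5060", "10.8.0.2:1024")
                .replace("c=IN IP4 192.168.50.155", "c=IN IP4 10.8.0.2")
                .replace("m=audio 16384", "m=audio 1026"))

# Address-bearing parts of the SIP headers and the SDP body.
FIELDS = {
    "via": re.compile(r"^Via:\s*SIP/2\.0/\w+\s+([^;\s]+)", re.I | re.M),
    "contact": re.compile(r"^Contact:.*?sips?:(?:[^@>\s]+@)?([^;>\s]+)", re.I | re.M),
    "sdp_c": re.compile(r"^c=IN IP4 (\S+)", re.M),
    "sdp_audio_port": re.compile(r"^m=audio (\d+)", re.M),
}

def media_fields(message):
    """Extract where this message says signalling and RTP should be sent."""
    text = message.replace("\r\n", "\n")
    found = {}
    for name, rx in FIELDS.items():
        m = rx.search(text)
        found[name] = m.group(1) if m else None
    return found

def rewritten(sent, received):
    """Return {field: (sent_value, received_value)} for every changed field."""
    a, b = media_fields(sent), media_fields(received)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

def verdict(sent, received):
    """Plain NAT changes only the IP/UDP header, so any change here is an ALG."""
    changed = rewritten(sent, received)
    if not changed:
        return "payload untouched"
    return "payload rewritten in transit: " + ", ".join(sorted(changed))

if __name__ == "__main__":
    print(verdict(SENT, RECEIVED))
    for field, (before, after) in rewritten(SENT, RECEIVED).items():
        print(f"  {field}: {before} -> {after}")
```

Running the comparison once per "SIP Passthrough" setting, for a local-to-local call and for a call from the other site, shows which combination leaves the phone system with an audio address it cannot reach.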
 