VOIP Desk Phone On VPN?

PinkFloydEffect

Regular Contributor
With the whole COVID thing going around I packed up my desk and started working from home. I was hoping I could get my IP phone working remotely but have not had any luck. I thought if I simply bridged my NICs I could essentially extend the OpenVPN off my Ethernet jack since I am using WiFi.

I have tried bridging the Ethernet and WiFi NICs, the TAP adapter connection and Ethernet, as well as all three together at the same time, with and without a switch between the computer and phone. Any combination of bridging gives me a prompt saying "unexpected error"; however, it still creates a bridge after I click OK.

I thought possibly I need to manually configure the Ethernet jack IP settings to extend the OpenVPN off it?

My only other idea is to run pfSense on a machine at home to create a site-to-site VPN... but I do not want to do anything to risk screwing up the pfSense VPN on the office side. Which is why I also thought about running a second instance of pfSense on another machine at the office and bridging to that, so that I do not risk screwing up the main firewall everyone in the office relies on.

Thoughts?
 
So you are currently using the OpenVPN client on your laptop to a pfSense firewall in the office, correct? It is unlikely you will be able to get any interface bridging to do what you want to another device.

Do you have the ability and approval to set up a site-to-site VPN from your house to the office? This is your best bet, but it brings major security implications if not done correctly. Most companies do not want employees' personal networks directly connected to the enterprise network. This is all a risk acceptance issue that needs to be understood and accepted by the appropriate level of management.

I had a similar setup to this at a previous employer. I had my work laptop and a work IP phone sitting on an isolated segment at my house. My m0n0wall firewall had an IPsec tunnel for that specific segment back to the enterprise firewalls. To limit the security risk, we had the specific segment at my house, as well as required MFA at the firewall before any flows (other than the phone) through the firewall. My desk phone worked great over this tunnel... mostly. There were some challenges with some specific remote sites making phone calls with me, since station-to-station network flows weren't working over the VPN for certain IP blocks.
 
Yes that is what I am trying to do.

I do have permission to set up a site-to-site as I am one of the few people working in our IT department, but the director told me if I screw it up I would be solely responsible for it. So I thought about running pfSense on a separate machine at the office and tunneling to that instead so as not to screw up our main firewall and VPN... but I am not fluent enough to do so. I would not be joining it to my personal network, just keeping a virtual network at home isolated from my personal one (if done correctly).

Sounds like you set up exactly what I am trying to achieve, but I also have other uses outside my desk phone, such as provisioning employee laptops from my home so I can physically deploy them from home (they pick them up as needed from me). The provisioning script needs internal access, so that is another important use of the site-to-site. The IT director instructed me to first try enabling IP forwarding in my registry, which I did. I then put my desk phone on the same subdomain and mask as my laptop's Ethernet adapter, using my Ethernet address as the gateway for my phone. I tried both with and without a switch between my phone and laptop but it did not work. The theory was my computer would act as a router and route the traffic between my Ethernet port and the OpenVPN TAP adapter... but I was not able to do so successfully. I tried to make sense of the route print but it started getting over my head.
 
Your OpenVPN is set up for a single device. Trying to route or bridge through your adapters on your laptop isn't going to work, at least not without a lot of additional trickery and work which probably won't make your desk phone actually work. The VPN tunnel is configured for a single IP. Unless you NAT your phone at your laptop, it isn't going to get anywhere near the VPN tunnel. Doing NAT on a VoIP phone usually makes it not work the way you want it to.

 
I thought IP desktop phones were always set up in a separate VLAN voice network from the PC so the traffic can be routed with priority over data traffic. At least this is the way it is done in the Cisco world and the way I did it. I see no reason why you could not route the voice traffic network over a VPN. Voice traffic is a small amount of traffic.

I set up a T-Mobile extension box which basically was a VPN with cell voice traffic to T-Mobile. It is provided by T-Mobile when you have trouble picking up their cell towers.
 
I thought IP desktop phones were always set up in a separate VLAN voice network from the PC so the traffic can be routed with priority over data traffic. At least this is the way it is done in the Cisco world and the way I did it. I see no reason why you could not route the voice traffic network over a VPN. Voice traffic is a small amount of traffic.

In a properly managed enterprise, yes: a unique voice VLAN to permit more specific DHCP options, simpler QoS rules, and in modern networks, additional ACLs to properly segment the voice gear from the rest of the enterprise. However, modern voice systems now include soft phones which pretty much blow all of that up. :)

There is absolutely no reason this would not work... if built out properly. It is a matter of getting the VPN built correctly, which he hasn't done yet. He has been attempting to piggyback off of his client VPN connection instead of setting up a dedicated network-based VPN. He will NOT have QoS, but as long as his jitter and packet loss aren't horrible, it should be fine.

With the additional use cases he mentioned, he is going to have to do a proper network-based VPN anyway, since he wants to be able to load other clients from his house. Just note that if your provisioning script is using SMB/CIFS for anything, its performance will probably be horrible over a VPN. SMB/CIFS really doesn't take kindly to latency at all... just something to keep in mind as you continue down your journey.
 
I had a similar device sent to me from Sprint, but it turned out to be garbage because WiFi calling did the same exact thing to my knowledge without the need for additional hardware, so I sent it back. Plus it did not even support text message data; it was only for voice and also provided WiFi but did not NAT into LTE packets. Essentially my AP was serving the same roles: WiFi for apps and voice calls, while SMS is still sent to the local cell tower.

I am really surprised our IT director suggested IP forwarding as a solution; he is a NINJA at this stuff. The guy literally has a job role as a CTO, and I have seen him provide solutions for every in-depth specialized situation we have ever thrown at him. He is so busy that he could not even help me troubleshoot this further than pointing me toward analyzing the route print.

I hear you guys on the VoIP layer of priority, but if you think about it, most IP desk phones have an Ethernet pass-through so that if your office only has one Ethernet port you can connect your phone between your desktop and the Ethernet drop. Not sure how this works, but it seems to function without a VLAN using QoS.

I am not familiar with SMB/CIFS, but the provisioning I am referring to seems pretty basic. I am not a programmer and I do not write scripts; I am simply a general IT support specialist that is studying for my CCNA. The provision just sets up an Ubuntu environment with an organization-managed Chrome and its associated tabs, bookmarks, some OS restrictions and general settings.

I may dabble with a site-to-site VPN depending on how long this remote work lasts, using just a spare laptop connected to our core switch running pfSense, but I absolutely cannot risk screwing anything up. Honestly, this whole process seems like such a time-sink that I may continue using my cell phone and Google Voice along with stopping by the office after hours to provision machines, which is only 10 min from my house. I set up more VPNs for new employees than I provision new laptops, and I already had the CTO hang our "VPN config file folder" outside our firewall so that I am able to run the VPN setup script from outside our network.
 
The way to use one Ethernet port with an IP phone and a PC is easy. The Ethernet switch port is set up as a trunk port. The IP phone is assigned to a voice VLAN and the PC is assigned to a data VLAN. This allows both VLAN networks to flow through one Ethernet port in the switch. I set up priority in the switch for the voice VLAN.

I was told by the T-Mobile user that Wi-Fi calling did not work as well. I was not going to argue, as it was one of my daughter's employees. We did not want her to get mad and leave. I thought the Cisco wireless AP worked fine with Wi-Fi calling using my iPhone, but I had AT&T. We had about 10 other AT&T users that had no problems using Wi-Fi calling.

PS
You can build office IP phones so they work at home as well as the office. They won't have priority unless you add it to your home network. It may not be needed if you are running only 1 IP phone.
 
Good to know! I knew you could set up physical VLANs on a managed switch, but I never knew you could set up virtual VLANs that way, sharing a single Ethernet. I guess it just comes down to prioritizing the IPs when the packets make it to the access layer switch? (phone IP packets vs PC IP packets?) I have yet to figure out how to get my desk phone to work at home due to this VPN issue, but I know it's possible. So if I am using the Ethernet pass-through on my phone at home, I will not get QoS unless my switch is managed and configured for it? Aka the pass-through is only the hardware; I still need the brains to separate the traffic at the switch?

Maybe your client had different hardware than everyone else's phone, but I guess QoS is required on an AP that has multiple WiFi calling users. Maybe that is why carriers supply these devices, because it dedicates a radio for voice traffic... but if your AP is configured correctly for QoS and has the necessary streams available, it would be the same experience.
 
Don't worry about QoS at home for this use case; the back-haul is over the Internet, which has no QoS. QoS is rarely "required" but more to "optimize" things. VLANs coming across a single wire is 802.1Q "trunking". You tag the Ethernet frames that leave the switch with a VLAN tag. Both sides of the connection need to be aware of the tags, and therefore you can span VLANs across devices on a single network connection. The phone is technically a two-port switch that is VLAN capable.

As for why a carrier home device may be better than WiFi calling? Because consumer WiFi generally sucks for voice traffic. Both WiFi calling and the carrier device have to deal with the VPN back-haul (jitter, latency, packet loss, etc.), but if they take WiFi out of the picture and your phone gets to use its native cell radio, it is one less optimization battle.
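The trunk-port arrangement described above (voice VLAN and data VLAN sharing one wire, with 802.1Q tags carrying the VLAN ID and priority), as an added example that is not part of this thread: it builds and parses tagged Ethernet frames and shows how a switch or firewall would sort them into the voice or data VLAN and drop anything not allowed on the trunk. The VLAN numbers, MAC addresses and payload bytes are constructed for the example.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q Tag Protocol Identifier (TPID)
ETHERTYPE_IPV4 = 0x0800
VOICE_VLAN, DATA_VLAN = 100, 200   # assumed VLAN numbers for this example


def build_tagged_frame(dst, src, vlan_id, pcp, payload, ethertype=ETHERTYPE_IPV4):
    """Build an 802.1Q-tagged Ethernet frame: dst, src, TPID, TCI, inner EtherType, payload."""
    if not (0 <= vlan_id <= 4095 and 0 <= pcp <= 7):
        raise ValueError("VLAN ID must be 0-4095 and PCP (priority) 0-7")
    tci = (pcp << 13) | vlan_id          # 3-bit PCP, 1-bit DEI (left 0), 12-bit VLAN ID
    return dst + src + struct.pack("!HHH", ETHERTYPE_VLAN, tci, ethertype) + payload


def parse_frame(frame):
    """Return header fields; vlan_id/pcp are None when the frame carries no 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_VLAN:      # untagged frame (native VLAN on a trunk)
        return {"dst": dst, "src": src, "vlan_id": None, "pcp": None,
                "ethertype": ethertype, "payload": frame[14:]}
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return {"dst": dst, "src": src, "vlan_id": tci & 0x0FFF, "pcp": tci >> 13,
            "ethertype": inner_type, "payload": frame[18:]}


def classify(frame):
    """Decide which VLAN a frame arriving on the trunk belongs to; untagged goes to data."""
    vlan_id = parse_frame(frame)["vlan_id"]
    if vlan_id == VOICE_VLAN:
        return "voice"
    if vlan_id in (None, DATA_VLAN):
        return "data"
    return "drop"                        # VLAN not permitted on this trunk


if __name__ == "__main__":
    phone_mac = bytes.fromhex("0011223344aa")   # constructed sample addresses
    pc_mac = bytes.fromhex("0011223344bb")
    gw_mac = bytes.fromhex("0011223344cc")
    ip_stub = b"\x45" + b"\x00" * 19             # placeholder IPv4 header bytes
    voice = build_tagged_frame(gw_mac, phone_mac, VOICE_VLAN, 5, ip_stub)
    data = build_tagged_frame(gw_mac, pc_mac, DATA_VLAN, 0, ip_stub)
    for f in (voice, data):
        p = parse_frame(f)
        print(f"vlan={p['vlan_id']} pcp={p['pcp']} -> {classify(f)}")
```

The PCP field is the "priority" the switch honours for the voice VLAN; over an Internet VPN back-haul the tag is stripped before encapsulation, which is why that priority does not survive the tunnel.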
 
Good to know! I knew you could set up physical VLANs on a managed switch, but I never knew you could set up virtual VLANs that way, sharing a single Ethernet. I guess it just comes down to prioritizing the IPs when the packets make it to the access layer switch? (phone IP packets vs PC IP packets?) I have yet to figure out how to get my desk phone to work at home due to this VPN issue, but I know it's possible. So if I am using the Ethernet pass-through on my phone at home, I will not get QoS unless my switch is managed and configured for it? Aka the pass-through is only the hardware; I still need the brains to separate the traffic at the switch?

Maybe your client had different hardware than everyone else's phone, but I guess QoS is required on an AP that has multiple WiFi calling users. Maybe that is why carriers supply these devices, because it dedicates a radio for voice traffic... but if your AP is configured correctly for QoS and has the necessary streams available, it would be the same experience.

Just to make sure you understand: they are not virtual VLANs; it is trunking VLANs across a trunk port. I think of virtual VLANs as dynamic VLANs, which is different.

I had no issues with 6 or 8 people using AT&T Wi-Fi calling at the same time on the Cisco small business AP I set up at my daughter's business. I set it up as 5 GHz only, no 2.4 GHz.
 