T20P: VPN/OpenVPN - Just SIP or also RTP? - Yealink Forums (http://forum.yealink.com/forum)
T20P: VPN/OpenVPN - Just SIP or also RTP? - ruiseixas - 10-25-2013 06:19 AM

Hi,

I have configured my T20P to use my DD-WRT OpenVPN server. The server indicates that the phone is logged in, however the traffic is small, a few kBytes, despite some calls that I'm sure took some megas of data! So my question is, does the RTP stream pass through the VPN, or only the SIP information?

Thanks,
Rui

Code:
Firmware Version 9.71.0.140

RE: T20P: VPN/OpenVPN - Just SIP or also RTP? - ruiseixas - 10-25-2013 09:04 AM

Hi,

Now I realize that the phone isn't using the VPN even for the registration, so, despite successfully establishing the OpenVPN connection, the phone isn't using it! I tried 2 configuration files, the first according to the Yealink documentation, and the second, which fully works on my PC, redirecting all the traffic as expected!

Code:
# Specify that this is a client configuration:

Code:
##############################################

The only difference here is the device, which here is 'tun0' while in the documentation it is referred to as just 'tun'! Does anyone know why the phone doesn't redirect the traffic despite a successful VPN connection?

Ok, the second version works as intended after all. I think the main difference is the 'redirect-gateway' attribute...

Thanks anyway,
Rui

RE: T20P: VPN/OpenVPN - Just SIP or also RTP? - Yealink Support - 10-25-2013 04:01 PM

Hi ruiseixas,

I think the difference is the ";comp-lzo". This is related to the data compression, which needs to be supported by the server.

# Don't enable this unless it is also
# enabled in the server config file.

Some Linux servers need to run plugs to support comp-lzo. Hope the above can help you and others.

RE: T20P: VPN/OpenVPN - Just SIP or also RTP? - ruiseixas - 10-25-2013 10:00 PM

Yes, my server doesn't have 'comp-lzo' enabled, as you can see below:

Code:
push "route 192.168.11.0 255.255.255.0"

It is possible to enable it, however because I only use it for voice there are no advantages to extra compression, because voice is already extremely compressed.

RE: T20P: VPN/OpenVPN - Just SIP or also RTP? - rfrantik@rfcinc.com - 11-09-2013 04:30 AM

You've done a good job of posting all your OpenVPN configs... and it looks like you have it right for what you are trying to do. Typically on the Yealink phones you'll see the little VPN icon come up on the LCD screen once the link is established. That's a good sign that it's working. From there it generally comes down to standard networking rules.

We generally have our voice server included in the OpenVPN environment... then we just need to specify the voice server's VPN IP address (typically 172.16.0.1) in the phone's SIP configuration. By using the VPN IP as the only server address you will force both SIP and RTP traffic across the VPN link as they have no other choice. A common mistake our technicians make is putting the actual Public address of the server in the SIP config of the phone... at that point the phone establishes the VPN link, but then uses its internet connection to find the voice server.

With the OpenVPN config files it may be possible to force a range of traffic out across the VPN link... but the server on the other end would need the same rules in place to send the traffic back... and that is generally the tricky part if it's not really part of the VPN.

One question I had with your setup... where is all your equipment located? You mention you have the T20P connecting to your DD-WRT OpenVPN server... is the phone on the internet and your server is behind the firewall on the protected LAN? Or vice-versa? It makes a difference whether your DD-WRT should really be in client or server mode.

RE: T20P: VPN/OpenVPN - Just SIP or also RTP? - ruiseixas - 11-09-2013 06:55 AM

Hi, thanks for the reply,

I'm in Algeria using the phone, and the VPN router is in Portugal. The VPN router is behind the ADSL router's firewall with all the respective ports for OpenVPN redirected to the VPN router. The phone is also behind a firewall in another WRT54GL working as gateway!

I'm using OpenVPN mainly because here the ISP blocks my local SIP ports after a while, and I always need to change them! I think it's because here they don't like VoIP, and this way the ISP avoids it being used as an alternative to standard voice communications!

By the way, the VPN string appears in the LCD, however, when I didn't put the 'redirect-gateway' attribute the local SIP port remained blocked; only when I added that attribute did the problem disappear, so I think it is better to add it!

In the end the config was this:

Code:
# Specify that this is a client configuration:

One problem that remains is that if I call a number in the same LAN, the RTP traffic leaves that LAN because the SIP server works as an RTP Proxy, making the RTP traffic available in the Internet, despite being private between Algeria and Portugal! More explained here:

Regards,
Rui

RE: T20P: VPN/OpenVPN - Just SIP or also RTP? - dlmc - 12-02-2013 06:05 PM

(11-09-2013 06:55 AM)ruiseixas Wrote:
    One problem that remains is that if I call a number in the same LAN, the RTP traffic leaves that LAN because the SIP server works as an RTP Proxy, making the RTP traffic available in the Internet, despite being private between Algeria and Portugal!

Same LAN as what?

Your OpenVPN server endpoint should be running a SIP ALG (thus rewriting the media IPs to that of the OpenVPN server endpoint inside the tunnel), causing all SIP (port 5060) and RTP data to always be inside the tunnel no matter what IPs are given out by the upstream SIP server or upstream media proxy server.

On Linux (which OpenWRT is based on, this is a pair of kernel modules, nf_conntrack_sip and nf_nat_sip), ensure the stream in and out is symmetric. For example, one common problem for Asterisk is that it does not examine the inbound packet's local IP to ensure it is reused in the reply, and ends up using the default IP provided by the kernel in the reply. This can be fixed up using Linux netfilter DNAT and SNAT rules (on the Asterisk box or on the OpenVPN server endpoint box) to help it be symmetric, allowing the SIP ALG kernel modules to work.

RE: T20P: VPN/OpenVPN - Just SIP or also RTP? - ruiseixas - 03-08-2014 05:41 AM

(12-02-2013 06:05 PM)dlmc Wrote:
    (11-09-2013 06:55 AM)ruiseixas Wrote:
        One problem that remains is that if I call a number in the same LAN, the RTP traffic leaves that LAN because the SIP server works as an RTP Proxy, making the RTP traffic available in the Internet, despite being private between Algeria and Portugal!

Same LAN in the sense that I'm using Getonsip.com through the same gateway, and they force the use of a proxy in that case, so if two phones are in the same LAN, the proxy of Getonsip is used as shown in the next picture:

For more details see the next page:

One field to consider adding to the Client's VPN config file is this:

Code:
# Uncomment this section for a more reliable detection when a system

This allows the connection to be restarted in case you use Dyndns when your dynamic IP changes, and this way you are still connected to the same LAN via VPN!
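Added example (not part of the forum thread and not Yealink or OpenVPN code): a small routing-table model that shows why an established tunnel does not by itself carry SIP or RTP, and which flows bypass it with only the pushed route versus with 'redirect-gateway'. It assumes the plain 'redirect-gateway' behaviour of replacing the default route and keeping a host route to the VPN server on the WAN; interface names and all addresses other than 192.168.11.0/24 and 172.16.0.1 are constructed.

```python
import ipaddress

# All addresses are constructed for illustration, except 192.168.11.0/24
# (the route pushed in the thread) and 172.16.0.1 (the VPN-side server IP
# mentioned in the thread). Interface names eth0/tun0 are assumptions.
VPN_SERVER_PUBLIC = "203.0.113.10"   # constructed: OpenVPN server's WAN address

FLOWS = {
    "sip_registrar_public": "198.51.100.20",  # constructed public SIP server
    "sip_registrar_vpn_ip": "172.16.0.1",     # server addressed by its VPN IP
    "rtp_proxy_from_sdp":   "198.51.100.77",  # constructed media relay address
    "host_on_pushed_lan":   "192.168.11.5",   # constructed host in pushed subnet
}

def client_routes(pushed=(), redirect_gateway=False):
    """Routing table of the phone after the tunnel comes up."""
    routes = [("192.168.1.0/24", "eth0"), ("172.16.0.0/24", "tun0")]
    routes += [(net, "tun0") for net in pushed]
    if redirect_gateway:
        # The tunnel's own encrypted packets must stay on the WAN interface.
        routes += [(VPN_SERVER_PUBLIC + "/32", "eth0"), ("0.0.0.0/0", "tun0")]
    else:
        routes.append(("0.0.0.0/0", "eth0"))
    return routes

def egress(routes, dst):
    """Longest-prefix match: interface chosen for destination dst."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), dev) for n, dev in routes]
    hits = [(n.prefixlen, dev) for n, dev in nets if addr in n]
    return max(hits)[1] if hits else None

def outside_tunnel(routes, flows=FLOWS):
    """Names of flows that would bypass the VPN (leave via anything but tun0)."""
    return sorted(name for name, dst in flows.items()
                  if egress(routes, dst) != "tun0")

if __name__ == "__main__":
    for label, table in [
        ("pushed route only", client_routes(pushed=["192.168.11.0/24"])),
        ("redirect-gateway", client_routes(["192.168.11.0/24"], True)),
    ]:
        print(label, "->", outside_tunnel(table) or "everything uses tun0")
```

With only the pushed route, a registrar or media relay reached by its public address leaves via the WAN even though the VPN is up; addressing the server by its VPN IP or redirecting the default route closes that gap.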