T20P: VPN/OpenVPN - Just SIP or also RTP?

[ruiseixas]

(12-02-2013 06:05 PM)dlmc Wrote:  

(11-09-2013 06:55 AM)ruiseixas Wrote:  One problem that remains is that if I call a number in the same LAN, the RTP traffic leaves that LAN because the SIP server works as a RTP Proxy, making the RTP traffic available in the Internet, despite being private between Algeria and Portugal!

same LAN as what ?

Your OpenVPN server endpoint, should be running a SIP ALG (thus rewriting the media IPs to that of the OpenVPN server endpoint inside the tunnel) causing all SIP (port 5060) and RTP data to always be inside the tunnel no matter what IPs are given out by upstream SIP server or upstream media proxy server.

On Linux (which OpenWRT is based this a pair of kernel modules nf_conntrack_sip and nf_nat_sip) ensure the stream in and out is symetric. For example one common problem for Asterisk is that is does not examine the inbound packet local IP to ensure to reuse it in the reply and ends up using the default IP provided by the kernel in the reply. This can be fixed up using Linux netfilter DNAT and SNAT rules (on the Asterisk box or on the OpenVPN server endpoint box) to help it be symetric allowing SIP ALG kernel modules to work.

Same LAN in the sense that I'm using Getonsip.com trough the same gateway, and they force the use of a proxy in that case, so if two phones are in the same LAN, the proxy of Getonsip is used like shown in the next picture:



For more details see the next page:

• http://blog.lithiumblue.com/2007/07/unde...n-sip.html

One field to consider adding to the Client's VPN config file is this:

Code:

# Uncomment this section for a more reliable detection when a system
# loses its connection.  For example, dial-ups or laptops that
# travel to other locations.
ping 30
ping-restart 300
persist-key
;persist-tun

This allows the connection to be restarted in case you use Dyndns when your dynamic IP changes, and this way you still connected to the same LAN via VPN!