So I redirect the OpenVPN port 1194 to the FreePBX server with this in /etc/config/firewall:

```
config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'udp'
	option name 'FreePBX VPN Server'
	option dest_ip '10.66.0.2'
	option dest_port '1194'
```
I can't connect my IP phone. But where is the problem? I'd like to see if it's the redirect rule.
If I do `nmap -sU -v IP_WAN` I get:
```
Starting Nmap 6.47 ( http://nmap.org ) at 2018-01-11 19:03 +11
[...]
Initiating UDP Scan at 19:20
Scanning IP_WAN [1000 ports]
Completed UDP Scan at 19:20, 31.84s elapsed (1000 total ports)
Nmap scan report for goeen.ddns.net (WAN_IP_OPENWRT)
Host is up (0.035s latency).
rDNS record for IP_WAN
Not shown: 999 open|filtered ports
PORT     STATE  SERVICE
443/udp  closed https
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 33.03 seconds
```
I don't know exactly what you mean. But the IP phone has an OpenVPN client.
There is a VPN server on the FreePBX VoIP server. You usually set up a VPN server on the FreePBX VoIP server for remote IP phones to connect to the VoIP server.
Okay, that's what I wanted to know. Do you see any non-zero packet counts in `iptables -t nat -nvL PREROUTING | grep FreePBX`? Is the FreePBX server using the Chaos Calmer router as default gateway?
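A way to answer the packet-count question from the router's shell, as an added example that is not part of the thread. One caveat a practitioner will hit: fw3 does not put DNAT redirects in the PREROUTING chain itself but in `zone_<zone>_prerouting`, so `iptables -t nat -nvL PREROUTING | grep FreePBX` returns nothing even when the rule is installed. List all chains (`iptables -t nat -nvxL`, `-x` for exact counters) and match on the `!fw3: <redirect name>` comment fw3 attaches. The three `SAMPLE_*` listings below are constructed to mirror fw3's layout (203.0.113.10 stands in for the WAN address); they are not captures from the poster's router.

```shell
#!/bin/sh
# Added example: read the hit counter of a named fw3 redirect from `iptables -t nat -nvxL` output.
# Samples are constructed in the shape fw3 produces; none is a real capture.

SAMPLE_NO_HITS='Chain PREROUTING (policy ACCEPT 1822 packets, 140291 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1822     140291 prerouting_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* !fw3: user chain for prerouting */
     911      70140 zone_lan_prerouting  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
     911      70151 zone_wan_prerouting  all  --  eth0.2 *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_prerouting (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       udp  --  *      *       10.66.0.0/24         203.0.113.10         udp dpt:1194 /* !fw3: FreePBX VPN Server (reflection) */ to:10.66.0.2:1194

Chain zone_wan_prerouting (1 references)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: FreePBX VPN Server */ to:10.66.0.2:1194'

# Same WAN chain after a client has sent 37 packets to UDP/1194.
SAMPLE_HITS='Chain zone_wan_prerouting (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      37       2960 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* !fw3: FreePBX VPN Server */ to:10.66.0.2:1194'

# What `iptables -t nat -nvL PREROUTING` alone shows: only the zone jumps, no DNAT rule to grep.
SAMPLE_PREROUTING_ONLY=$(printf '%s\n' "$SAMPLE_NO_HITS" | sed -n '1,5p')

# dnat_pkts NAME  (stdin: full `iptables -t nat -nvxL` output)
# Prints "<chain> <pkts> <dnat target>" for the DNAT rule whose fw3 comment is exactly NAME;
# the "(reflection)" twin fw3 adds in the LAN zone is skipped. Exit 1 when no such rule exists.
dnat_pkts() {
  awk -v tag="!fw3: $1 */" '
    /^Chain / { chain = $2 }
    $3 == "DNAT" && index($0, tag) {
      pk = $1; to = $0; sub(/.* to:/, "", to)
      print chain, pk, to; found = 1
    }
    END { exit found ? 0 : 1 }'
}

# redirect_verdict NAME (stdin as above) -> ABSENT | NO_HITS | "HITS <n> -> <dest>"
redirect_verdict() {
  line=$(dnat_pkts "$1") || { echo ABSENT; return 1; }
  set -- $line
  if [ "$2" -eq 0 ]; then echo NO_HITS; else echo "HITS $2 -> $3"; fi
}

# Demo over the constructed samples.
printf '%s\n' "$SAMPLE_NO_HITS"         | redirect_verdict 'FreePBX VPN Server'        # NO_HITS
printf '%s\n' "$SAMPLE_HITS"            | redirect_verdict 'FreePBX VPN Server'        # HITS 37 -> 10.66.0.2:1194
printf '%s\n' "$SAMPLE_PREROUTING_ONLY" | redirect_verdict 'FreePBX VPN Server' || :   # ABSENT
```

Reading the result: `NO_HITS` right after a connection attempt means no UDP/1194 packet reached the WAN zone at all (DDNS name resolving to the wrong address, the client aimed at another port, or something upstream dropping it), so the FreePBX side is not yet the problem. `HITS` with the client still failing means the DNAT fired and the investigation moves to the FreePBX host: the question above about its default gateway matters here, because replies must leave through the same router for the NAT to be undone, and its own firewall must admit UDP/1194.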
Change OpenVPN configs (server and clients) to utilize tcp instead of udp (for troubleshooting):

```
proto tcp
```

Change OpenVPN server verbosity to 9:

```
verb 9
```

Change VPN client configs to verbosity 9:

```
verb 9
```

Enable logging on the VPN network interfaces on the routers:

```
option log 1
```

Apply iptables rules for logging traffic to the VPN port:

```
# Log VPN Traffic #
#---------------------------------------------------
iptables -N LOG-VPN
iptables -I INPUT -p tcp --dport 1194 -m state --state NEW -j LOG-VPN
iptables -I INPUT -p udp --dport 1194 -m state --state NEW -j LOG-VPN
iptables -A LOG-VPN -j LOG --log-prefix "<[[--- VPN Traffic ---]]> : " --log-level 4
# hand the packet back to INPUT so the normal rules still decide its fate
iptables -A LOG-VPN -j RETURN
```

Restart the OpenVPN server:

```
/etc/init.d/openvpn restart
```

Disconnect all clients, then reconnect.
You must disconnect then select connect, and not simply reconnect, as that will utilize the old config.
Try connecting the SIP phone to the VPN, and once it fails, review VPN client, VPN server, and system logs side by side to determine what, if readily apparent, the issue is.
If these do not identify the issue, please post:

- OpenVPN Server
  - Config: /etc/config/openvpn
  - Log: /tmp/openvpn.log
- OpenVPN Client
  - Config
  - Log
- Firewall Config
  - LEDE: /etc/config/firewall & /etc/firewall.user
  - FreePBX
- Network Config
  - LEDE: /etc/config/network
  - FreePBX
- System logs
  - LEDE: logread
  - FreePBX

Please ensure you remove any identifying information, such as MAC addresses, WAN IP, DDNS host name, etc.
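The "review the logs side by side" step above can be scripted. As an added example that is not part of the thread, the function below keys on the `<[[--- VPN Traffic ---]]> :` prefix of the LOG-VPN chain (so it runs on whatever host those iptables rules were loaded on, here the OpenVPN host) and on two OpenVPN server messages, `TLS: Initial packet from` and `Peer Connection Initiated with`, both of which appear at the default verbosity (the first server log posted later in this thread contains them). Every source that hit UDP/1194 is classified as `no-handshake` (packet arrived, OpenVPN never saw a valid first packet), `tls-started` (handshake began but never finished, typically certificate, CRL or key mismatch), or `handshake-complete`. Because the LOG rule matches `--state NEW`, one line per UDP flow is enough to key on SRC/SPT. Both log files are constructed here with RFC 5737 addresses; they are not the poster's logs.

```shell
#!/bin/sh
# Added example: correlate LOG-VPN kernel lines with the OpenVPN server log, per source:port.
# Both inputs are constructed samples, not captures.

KLOG=$(mktemp); OLOG=$(mktemp)
trap 'rm -f "$KLOG" "$OLOG"' EXIT

# Kernel lines produced by the LOG-VPN chain (shape of netfilter's LOG target).
cat > "$KLOG" <<'EOF'
Jan 13 19:39:40 freepbx kernel: <[[--- VPN Traffic ---]]> : IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=10.66.0.2 LEN=42 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=48835 DPT=1194 LEN=22
Jan 13 19:41:02 freepbx kernel: <[[--- VPN Traffic ---]]> : IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=10.66.0.2 LEN=29 TOS=0x00 PREC=0x00 TTL=48 ID=54321 PROTO=UDP SPT=51000 DPT=1194 LEN=9
Jan 13 19:42:15 freepbx kernel: <[[--- VPN Traffic ---]]> : IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.44 DST=10.66.0.2 LEN=42 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=60222 DPT=1194 LEN=22
EOF

# OpenVPN server log (verb 3 is enough for these three message types).
cat > "$OLOG" <<'EOF'
Jan 13 19:39:40 freepbx openvpn[32315]: 198.51.100.7:48835 TLS: Initial packet from [AF_INET]198.51.100.7:48835, sid=0a1b2c3d 4e5f6071
Jan 13 19:39:42 freepbx openvpn[32315]: 198.51.100.7:48835 VERIFY OK: depth=0, CN=client0
Jan 13 19:39:42 freepbx openvpn[32315]: 198.51.100.7:48835 [client0] Peer Connection Initiated with [AF_INET]198.51.100.7:48835
Jan 13 19:42:15 freepbx openvpn[32315]: 203.0.113.44:60222 TLS: Initial packet from [AF_INET]203.0.113.44:60222, sid=11223344 55667788
Jan 13 19:43:15 freepbx openvpn[32315]: 203.0.113.44:60222 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
EOF

# vpn_correlate KERNEL_LOG OPENVPN_LOG -> one "src:port state" line per peer, sorted.
# state is no-handshake | tls-started | handshake-complete
vpn_correlate() {
  awk '
    FNR == 1 { file++ }
    # First file: every LOG-VPN line registers a peer that reached the port.
    file == 1 && /VPN Traffic/ {
      src = ""; spt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        if ($i ~ /^SPT=/) spt = substr($i, 5)
      }
      if (src != "") { peer = src ":" spt; if (!(peer in state)) state[peer] = "no-handshake" }
    }
    # Second file: OpenVPN saw a valid first packet from the peer ...
    file == 2 && /TLS: Initial packet from/ {
      match($0, /\[AF_INET\][0-9.]+:[0-9]+/); peer = substr($0, RSTART + 9, RLENGTH - 9)
      if (state[peer] != "handshake-complete") state[peer] = "tls-started"
    }
    # ... and the TLS handshake finished.
    file == 2 && /Peer Connection Initiated with/ {
      match($0, /\[AF_INET\][0-9.]+:[0-9]+/); peer = substr($0, RSTART + 9, RLENGTH - 9)
      state[peer] = "handshake-complete"
    }
    END { for (p in state) print p, state[p] }' "$1" "$2" | LC_ALL=C sort
}

vpn_correlate "$KLOG" "$OLOG"
```

On a live box the inputs would be `grep 'VPN Traffic' /var/log/messages` (or `dmesg`) and the OpenVPN log; the phone's public address should appear with `handshake-complete`, and a `no-handshake` entry from an address you do not recognise is simply someone probing the forwarded port.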
It appears the port forward rule is installed fine then. Not sure what the problem is in the end. Can you try to connect with a desktop openvpn client to port 1194?
I forgot to say that on the OpenWrt main router there is also an OpenVPN server running and listening on port 1200.
I changed port 1194 to 1200 so I can make a redirect rule for port 1194 for the IP phone's VPN client to reach the VPN server on the FreePBX server.
Maybe this information could change the way you read the log.
I was wondering where I should put this. I cannot find this statement in server.conf on Google.
But I found some logs.
`tail /var/log/messages` on the FreePBX server said:
```
tail -f /var/log/messages
Jan 13 03:27:50 localhost openvpn[6538]: UDPv4 link local (bound): [undef]
Jan 13 03:27:50 localhost openvpn[6538]: UDPv4 link remote: [undef]
Jan 13 03:27:50 localhost openvpn[6538]: MULTI: multi_init called, r=256 v=256
Jan 13 03:27:50 localhost openvpn[6538]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Jan 13 03:27:50 localhost openvpn[6538]: IFCONFIG POOL LIST
Jan 13 03:27:50 localhost openvpn[6538]: Initialization Sequence Completed
Jan 13 03:27:52 localhost ntpd[1651]: Listen normally on 9 tun0 10.8.0.1 UDP 123
Jan 13 03:27:52 localhost ntpd[1651]: peers refreshed
Jan 13 03:29:33 localhost ntpd[1651]: 0.0.0.0 c612 02 freq_set kernel -17.824 PPM
Jan 13 03:29:33 localhost ntpd[1651]: 0.0.0.0 c615 05 clock_sync
Jan 13 03:32:27 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 TLS: Initial packet from [AF_INET]WAN_REMOTE_PUBLIC_IP:33032, sid=5d0e129b 7ada5f29
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 CRL CHECK OK: CN=FreePBX
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 VERIFY OK: depth=1, CN=FreePBX
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 CRL CHECK OK: CN=client0
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 VERIFY OK: depth=0, CN=client0
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 [client0] Peer Connection Initiated with [AF_INET]WAN_REMOTE_PUBLIC_IP:33032
Jan 13 03:32:29 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 OPTIONS IMPORT: reading client specific options from: ccd/client0
Jan 13 03:32:29 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jan 13 03:32:29 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 MULTI: Learn: 10.8.0.2 -> client0/WAN_REMOTE_PUBLIC_IP:33032
Jan 13 03:32:29 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 MULTI: primary virtual IP for client0/WAN_REMOTE_PUBLIC_IP:33032: 10.8.0.2
Jan 13 03:32:33 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 PUSH: Received control message: 'PUSH_REQUEST'
Jan 13 03:32:33 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 send_push_reply(): safe_cap=940
Jan 13 03:32:33 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 SENT CONTROL [client0]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)
```
```
cat /etc/openvpn/sysadmin_server1
sysadmin_server1.conf sysadmin_server1.crt sysadmin_server1.key sysadmin_server1-status.log
[root@localhost asterisk]# cat /etc/openvpn/sysadmin_server1-status.log
TITLE OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun 9 2015
TIME Sat Jan 13 08:18:07 2018 1515791887
HEADER CLIENT_LIST Common Name Real Address Virtual Address Bytes Received Bytes Sent Connected Since Connected Since (time_t) Username
CLIENT_LIST client0 WAN_REMOTE_PUBLIC_IP:43632 10.8.0.2 15532 15716 Sat Jan 13 07:41:22 2018 1515789682 UNDEF
HEADER ROUTING_TABLE Virtual Address Common Name Real Address Last Ref Last Ref (time_t)
ROUTING_TABLE 10.8.0.2 client0 WAN_REMOTE_PUBLIC_IP:43632 Sat Jan 13 07:41:26 2018 1515789686
GLOBAL_STATS Max bcast/mcast queue length 0
```
From FreePBX I can ping 10.8.0.2, so everything seems to be OK.

```
sip show peers
Name/username  Host           Dyn Forcerport Comedia ACL Port  Status      Description
1/1            10.66.0.180    D   No         No      A   5060  OK (19 ms)
2/2            10.66.0.235    D   No         No      A   5060  OK (22 ms)
3/3            10.66.0.154    D   No         No      A   5060  OK (8 ms)
4/4            10.66.0.152    D   No         No      A   5060  OK (8 ms)
5              (Unspecified)  D   No         No      A   0     UNKNOWN
```

5 is my phone; its IP is not registered. I think it's a SIP problem.
I'm trying to find other log files.
Thanks for your help.
Please edit your post and put everything within proper code boxes, not quote boxes, as it's an illegible mess.
Code boxes:
Three back ticks on a new line, code on the next line, finally three more back ticks on a new line.
Please also include the sysadmin_server1.conf, as that appears to be your server config.
The server log location will be referenced in that config, and that is the server log we need to see, as the status log is a different log we don't need for troubleshooting.
You will need to change the server and client verbosity setting to 9 (if the OpenVPN server is not on LEDE, as it appears I misread, the verbosity option would be `verb 9`, with no `option` in front of it). The default verbosity of 3 is too low (minimum to troubleshoot is 5).
```
FREEBPX# cat /etc/openvpn/sysadmin_server1.
sysadmin_server1.conf sysadmin_server1.crt sysadmin_server1.key
[root@localhost asterisk]# cat /etc/openvpn/sysadmin_server1.conf
# Configuration automatically generated via Sysadmin RPM
# MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
# Generated at: Fri, 12 Jan 2018 16:27:48 +0000
port 1194
proto udp
dev tun
topology subnet
ca sysadmin_ca.crt
dh sysadmin_dh.pem
crl-verify sysadmin_crl.pem
cert sysadmin_server1.crt
key sysadmin_server1.key
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
#verb 3
verb 9
client-config-dir ccd
ccd-exclusive
status sysadmin_server1-status.log 10
status-version 3
script-security 2
server 10.8.0.0 255.255.255.0
```
There is no info on the server log file path.
```
cat /etc/openvpn/clients/sysadmin_client0.conf
# Configuration automatically generated via Sysadmin RPM
# MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
# Generated at: Fri, 12 Jan 2018 16:27:48 +0000
client
dev tun
proto udp
resolv-retry 60
nobind
persist-key
persist-tun
remote-cert-tls server
ca sysadmin_ca.crt
cert sysadmin_client0.crt
key sysadmin_client0.key
comp-lzo
#verb 3
verb 9
remote goeen.ddns.net 1194
```
```
/etc/init.d/openvpn restart
```

FreePBX, `tail -f /var/log/messages`:

```
tail -f /var/log/messages
Jan 13 19:39:53 localhost openvpn[32315]: PO_CTL rwflags=0x0000 ev=7 arg=0x0069cf88
Jan 13 19:39:53 localhost openvpn[32315]: I/O WAIT Tr|Tw|Sr|SW [7/154417]
Jan 13 19:39:53 localhost openvpn[32315]: PO_WAIT[0,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x0069d0a8
Jan 13 19:39:53 localhost openvpn[32315]: event_wait returned 1
Jan 13 19:39:53 localhost openvpn[32315]: I/O WAIT status=0x0002
Jan 13 19:39:53 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 WRITE [53] to [AF_INET]WAN_IP_IPPHONE_SUBNET:48835: P_DATA_V1 kid=0 DATA 8bacffeb db18fb59 b8bb0506 efa1d974 6f9ea12b 41e3a5a3 d1d81298 5872f75[more...]
Jan 13 19:39:53 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 write returned 53
Jan 13 19:39:53 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=6 arg=0x0069d0a8
Jan 13 19:39:53 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=7 arg=0x0069cf88
Jan 13 19:39:53 localhost openvpn[32315]: I/O WAIT TR|Tw|SR|Sw [7/154417]
Jan 13 19:39:57 localhost openvpn[32315]: PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x0069d0a8
Jan 13 19:39:57 localhost openvpn[32315]: event_wait returned 1
[...]
Jan 13 19:40:03 localhost openvpn[32315]: MULTI: REAP range 176 -> 192
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 TLS: tls_pre_encrypt: key_id=0
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 ENCRYPT IV: f3f9dc32 d3c32c62
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 ENCRYPT FROM: 00000038 fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 ENCRYPT TO: f3f9dc32 d3c32c62 44380f1f 51c5a850 34694b21 2a458662 c73ec435 191901cf
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 SENT PING
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 TIMER: coarse timer wakeup 10 seconds
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 RANDOM USEC=144132
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 SCHEDULE: schedule_add_modify wakeup=[Sat Jan 13 19:40:14 2018 us=95269] pri=1350140420
Jan 13 19:40:03 localhost openvpn[32315]: SCHEDULE: schedule_find_least wakeup=[Sat Jan 13 19:40:14 2018 us=95269] pri=1959752348
Jan 13 19:40:03 localhost openvpn[32315]: PO_CTL rwflags=0x0002 ev=6 arg=0x0069d0a8
Jan 13 19:40:03 localhost openvpn[32315]: PO_CTL rwflags=0x0000 ev=7 arg=0x0069cf88
Jan 13 19:40:03 localhost openvpn[32315]: I/O WAIT Tr|Tw|Sr|SW [10/0]
Jan 13 19:40:03 localhost openvpn[32315]: PO_WAIT[0,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x0069d0a8
Jan 13 19:40:03 localhost openvpn[32315]: event_wait returned 1
Jan 13 19:40:03 localhost openvpn[32315]: I/O WAIT status=0x0002
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 WRITE [53] to [AF_INET]WAN_IP_IPPHONE_SUBNET:48835: P_DATA_V1 kid=0 DATA e5dadb2e 3977869d 4187b703 4936b3d2 2661bf06 f3f9dc32 d3c32c62 44380f1[more...]
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 write returned 53
Jan 13 19:40:03 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=6 arg=0x0069d0a8
Jan 13 19:40:03 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=7 arg=0x0069cf88
Jan 13 19:40:03 localhost openvpn[32315]: I/O WAIT TR|Tw|SR|Sw [10/0]
Jan 13 19:40:08 localhost openvpn[32315]: PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x0069d0a8
Jan 13 19:40:08 localhost openvpn[32315]: event_wait returned 1
Jan 13 19:40:08 localhost openvpn[32315]: I/O WAIT status=0x0001
Jan 13 19:40:08 localhost openvpn[32315]: MULTI: REAP range 192 -> 208
Jan 13 19:40:08 localhost openvpn[32315]: UDPv4 read returned 53
Jan 13 19:40:08 localhost openvpn[32315]: GET INST BY REAL: WAN_IP_IPPHONE_SUBNET:48835 [succeeded]
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 READ [53] from [AF_INET]WAN_IP_IPPHONE_SUBNET:48835: P_DATA_V1 kid=0 DATA f42e5df4 a79d67fb 10992684 b2483b87 e284d083 f4167c34 7862296a c1550c2[more...]
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 TLS: tls_pre_decrypt, key_id=0, IP=[AF_INET]WAN_IP_IPPHONE_SUBNET:48835
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 DECRYPT IV: f4167c34 7862296a
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 DECRYPT TO: 00000038 fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 PID_TEST [0] [SSL-0] [>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:55 0:56 t=1515832808[0] r=[0,64,15,0,1] sl=[9,55,64,528]
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 RECEIVED PING PACKET
Jan 13 19:40:08 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=6 arg=0x0069d0a8
Jan 13 19:40:08 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=7 arg=0x0069cf88
Jan 13 19:40:08 localhost openvpn[32315]: I/O WAIT TR|Tw|SR|Sw [5/95556]
```
FreePBX `ping 10.8.0.2` is OK.
I think the VPN is OK. It's a SIP problem maybe.

```
sip show peers
Name/username  Host           Dyn Forcerport Comedia ACL Port  Status      Description
1/1            10.66.0.180    D   No         No      A   5060  OK (17 ms)
2/2            10.66.0.235    D   No         No      A   5060  OK (21 ms)
3/3            10.66.0.154    D   No         No      A   5060  OK (16 ms)
4/4            10.66.0.152    D   No         No      A   5060  OK (15 ms)
5              (Unspecified)  D   No         No      A   0     UNKNOWN
```
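The server config posted above also deserves a look on its own merits, independent of the registration problem. It is an OpenVPN 2.3.7 server (per the status log) with no `cipher`, `auth`, `tls-auth` or `tls-version-min` line, which is why the first server log negotiated `BF-CBC`, `SHA1` HMAC and `TLSv1`; it also runs as root with `comp-lzo` and `script-security 2` set. As an added example that is not part of the thread or of the FreePBX project, the script below lints a constructed copy of that config and a hardened variant. Two caveats the page itself supports: the file header says the Sysadmin RPM overwrites it, so durable changes have to go through the Sysadmin module rather than the file, and with 2.3 there is no cipher negotiation, so every client (including the phone's embedded OpenVPN) must carry matching `cipher`, `auth` and `tls-auth` lines. `ta.key` is a hypothetical file generated with `openvpn --genkey --secret ta.key`.

```shell
#!/bin/sh
# Added example: lint an OpenVPN 2.3 server config for weak defaults, weak config beside hardened one.
# Both files are constructed here; the first mirrors the posted sysadmin_server1.conf directives.

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
ca sysadmin_ca.crt
dh sysadmin_dh.pem
crl-verify sysadmin_crl.pem
cert sysadmin_server1.crt
key sysadmin_server1.key
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3
client-config-dir ccd
ccd-exclusive
status sysadmin_server1-status.log 10
status-version 3
script-security 2
server 10.8.0.0 255.255.255.0
EOF

# Hardened variant (hypothetical). ta.key comes from `openvpn --genkey --secret ta.key` and is
# copied to every client, which also needs matching cipher/auth lines and 'tls-auth ta.key 1'.
cat > "$HARD_CONF" <<'EOF'
port 1194
proto udp
dev tun
topology subnet
ca sysadmin_ca.crt
dh sysadmin_dh.pem
crl-verify sysadmin_crl.pem
cert sysadmin_server1.crt
key sysadmin_server1.key
tls-auth ta.key 0
tls-version-min 1.2
cipher AES-256-CBC
auth SHA256
ifconfig-pool-persist ipp.txt
keepalive 10 120
persist-key
persist-tun
user nobody
group nobody
verb 3
client-config-dir ccd
ccd-exclusive
status sysadmin_server1-status.log 10
status-version 3
server 10.8.0.0 255.255.255.0
EOF

# has_opt FILE REGEX -> exit 0 if a directive matching REGEX starts a line (commented lines do not match).
has_opt() { grep -Eq "^[[:space:]]*($2)([[:space:]]|\$)" "$1"; }

# ovpn_lint FILE -> one finding per line, nothing for a clean file. Checks follow OpenVPN 2.3 defaults.
ovpn_lint() {
  f=$1
  has_opt "$f" cipher              || echo "cipher: unset, 2.3 defaults to BF-CBC (64-bit block cipher); set 'cipher AES-256-CBC' on server and every client"
  has_opt "$f" auth                || echo "auth: unset, HMAC defaults to SHA1; set 'auth SHA256' on server and every client"
  has_opt "$f" 'tls-auth|tls-crypt' || echo "tls-auth: missing, the control channel answers any UDP sender; add 'tls-auth ta.key 0' (clients: 'tls-auth ta.key 1')"
  has_opt "$f" tls-version-min     || echo "tls-version-min: unset, TLSv1.0 handshakes are accepted; add 'tls-version-min 1.2' (needs 2.3.3+ on both ends)"
  has_opt "$f" comp-lzo            && echo "comp-lzo: compression inside an encrypted tunnel; drop it unless the phone's client insists on it"
  has_opt "$f" script-security     && echo "script-security: set, but no script directives are present; remove it"
  has_opt "$f" user                || echo "user: unset, the daemon keeps root after start-up; add 'user nobody' and 'group nobody' (persist-key/persist-tun are already there)"
  return 0
}

echo "== posted config ==";   ovpn_lint "$WEAK_CONF"
echo "== hardened config =="; ovpn_lint "$HARD_CONF"
```

Point `ovpn_lint` at the live `/etc/openvpn/sysadmin_server1.conf` to get the same seven findings; the hardened file produces none. Whether the S700's client accepts `tls-auth` and `AES-256-CBC` has to be confirmed on the phone before the server is switched, since a mismatch on any of these three lines stops the tunnel from coming up at all.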
Again, please change client and server configs to `proto tcp`.
Logging:
- For the server config, add `log /var/openvpn.log`
- For the client config, add the same; however, depending on its filesystem, it may need to be changed to `/tmp/openvpn.log`
The reason the logging for OpenVPN is required is that it will show precisely what is occurring when the SIP phone (VPN client) tries to access the tunnel.
Please go through my previous post and post ALL the requested information, and make ALL the requested changes...
Before doing this, since you don't have CCD properly configured, remove it from your server config, restart the server, and see if that solves the issue.
I misread your original post, so that won't apply since I thought you were running the VPN server on the LEDE router.
However, the iptables rules would allow logging. What's most important at this point is removing the CCD directives and posting the VPN server and client logs with the new verbosity level.
- what I call the LAN subnet:
  - Main router: TP-Link, OpenWrt Chaos Calmer 15.05
  - Switch: Cisco L3
  - VPN server on the OpenWrt router (10.10.0.0 subnet, port 1200) AND VPN server on the FreePBX server (10.8.0.0 subnet, port 1194)
  - Current Asterisk version: 11.23.0
  - FreePBX 13.0.192.19
  - A firewall rule on the OpenWrt main router redirects port 1194 to the LAN subnet IP of the FreePBX server, for the OpenVPN server on FreePBX.
- and a REMOTE subnet where I try to install a Sangoma S700 IP phone.
From the REMOTE subnet I can ping any server in the LAN subnet through the OpenVPN server on the main router on the LAN.