Firewall redirect a port

The SIP phone speaks openvpn natively? I do not understand the relation of an openvpn port forward and the sip phone not registering.

I don't know exactly what you mean. But the IP phone has an OpenVPN client.
There is a VPN server on the FreePBX VoIP server. You usually set up a VPN server on the FreePBX VoIP server for a remote IP phone to connect to the VoIP server.

Okay, that's what I wanted to know. Do you see any non-zero packet counts in iptables -t nat -nvL PREROUTING | grep FreePBX? Is the FreePBX server using the Chaos Calmer router as default gateway?

root@OpenWrt /etc/config [#]# iptables -t nat -nvL PREROUTING 
Chain PREROUTING (policy ACCEPT 1404 packets, 199K bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1409  199K delegate_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0       

Yes, the FreePBX server is using the OpenWrt Chaos Calmer router as default gateway.
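The counter check asked for above, as an added example that is not from the thread: it parses a saved `iptables -t nat -nvL` listing (all chains, not just PREROUTING) and reports the packet counters of every rule whose `/* comment */` names the redirect, so "did the FreePBX DNAT rule ever match?" is answered from the counters rather than by eyeballing `grep`. SAMPLE_LISTING is constructed to mirror the fw3-generated chains on this page; its counters are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

_OPTS = {"--", "-f", "!f"}                     # possible values of the "opt" column
_MULT = {"K": 10**3, "M": 10**6, "G": 10**9}    # -v abbreviates large counters


def _counter(tok: str) -> int:
    """'199K' -> 199000; with -x iptables prints exact integers instead."""
    return int(tok[:-1]) * _MULT[tok[-1]] if tok[-1] in _MULT else int(tok)


@dataclass
class Rule:
    chain: str
    pkts: int
    nbytes: int
    target: str      # "" when the rule has no -j (it only counts and falls through)
    proto: str
    extra: str       # match text after the destination column

    @property
    def comment(self) -> str:
        m = re.search(r"/\* (.*?) \*/", self.extra)
        return m.group(1) if m else ""


def parse_listing(text: str) -> List[Rule]:
    """Walk every chain in a -nvL listing and return one Rule per rule line."""
    rules, chain = [], None
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "Chain":
            chain = toks[1]
            continue
        if toks[0] == "pkts" or chain is None or len(toks) < 8:
            continue                                 # column header / junk
        # Columns: pkts bytes [target] prot opt in out source destination [extra]
        # A rule without a target leaves that column blank, so locate "opt".
        has_target = toks[4] in _OPTS
        base = 3 if has_target else 2
        rules.append(Rule(chain, _counter(toks[0]), _counter(toks[1]),
                          toks[2] if has_target else "", toks[base],
                          " ".join(toks[base + 6:])))
    return rules


def hits_for_comment(text: str, needle: str) -> List[Tuple[str, str, int]]:
    """(chain, target, pkts) for each rule whose comment contains needle."""
    return [(r.chain, r.target, r.pkts) for r in parse_listing(text)
            if needle in r.comment]


def redirect_saw_traffic(text: str, needle: str) -> bool:
    """True if any matching rule has a non-zero packet counter."""
    return any(pkts > 0 for _, _, pkts in hits_for_comment(text, needle))


# Constructed sample: chain names as fw3 generates them, counters invented.
SAMPLE_LISTING = """\
Chain PREROUTING (policy ACCEPT 1404 packets, 199K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1409  199K delegate_prerouting  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_prerouting (2 references)
 pkts bytes target     prot opt in     out     source               destination
   42  3360 DNAT       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1194 /* FreePBX VPN Server */ to:10.66.0.2:1194
    0     0 DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 /* odoo */ to:10.66.0.250:443

Chain prerouting_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination
    7   420            all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* counter only */
"""

if __name__ == "__main__":
    for chain, target, pkts in hits_for_comment(SAMPLE_LISTING, "FreePBX"):
        print(f"{chain}: {target} matched {pkts} packets")
```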

Are there any errors reported by fw3 print?

  1. Change OpenVPN configs (server and clients) to utilize tcp instead of udp (for troubleshooting)

    • proto tcp
  2. Change OpenVPN server verbosity to 9

    • verb 9
  3. Change VPN client configs to verbosity 9

    • verb 9
  4. Enable logging on the VPN network interfaces on the routers

    • option log 1
  5. Apply iptables rules for logging traffic to the VPN port #

    # Log VPN Traffic #
    #---------------------------------------------------
    # Dedicated chain, so the logging can be added and removed without touching INPUT
    iptables -N LOG-VPN

    # Send new connections to the VPN port (both protocols while testing) through it
    iptables -I INPUT -p tcp --dport 1194 -m state --state NEW -j LOG-VPN
    iptables -I INPUT -p udp --dport 1194 -m state --state NEW -j LOG-VPN

    # Log with a recognisable prefix at level 4 (warning)
    iptables -A LOG-VPN -j LOG --log-prefix "<[[---  VPN Traffic ---]]> : " --log-level 4
    # No target here: the packet is counted and returns to INPUT, where normal processing continues
    iptables -A LOG-VPN
    
  6. Restart OpenVPN server

    • /etc/init.d/openvpn restart
  7. Disconnect all clients, then reconnect.

    • You must disconnect then select connect, and not simply reconnect, as that will utilize the old config.
  8. Try connecting the SIP phone to the VPN, and once it fails, review VPN client, VPN server, and system logs side by side to determine what, if readily apparent, the issue is.

    • If these do not identify the issue, please post:
      • OpenVPN Server
        • Config: /etc/config/openvpn
        • Log: /tmp/openvpn.log
      • OpenVPN Client
        • Config
        • Log
      • Firewall Config
        • LEDE: /etc/config/firewall & /etc/firewall.user
        • Freepbx
      • Network Config
        • LEDE: /etc/config/network
        • Freepbx
      • System logs
        • LEDE: logread
        • Freepbx
    • Please ensure you remove any identifying information, such as MAC Addresses, WAN IP, DDNS host name, etc.

No

root@OpenWrt /etc/config [#]# fw3 print
Warning: Unable to locate ipset utility, disabling ipset support
iptables -t filter -P INPUT ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
iptables -t filter -N delegate_input
iptables -t filter -N delegate_output
iptables -t filter -N delegate_forward
iptables -t filter -N reject
iptables -t filter -N input_rule
iptables -t filter -N output_rule
iptables -t filter -N forwarding_rule
iptables -t filter -N syn_flood
iptables -t filter -N zone_lan_input
iptables -t filter -N zone_lan_output
iptables -t filter -N zone_lan_forward
iptables -t filter -N zone_lan_src_ACCEPT
iptables -t filter -N zone_lan_dest_ACCEPT
iptables -t filter -N input_lan_rule
iptables -t filter -N output_lan_rule
iptables -t filter -N forwarding_lan_rule
iptables -t filter -A zone_lan_input -m comment --comment "user chain for input" -j input_lan_rule
iptables -t filter -A zone_lan_output -m comment --comment "user chain for output" -j output_lan_rule
iptables -t filter -A zone_lan_forward -m comment --comment "user chain for forwarding" -j forwarding_lan_rule
iptables -t filter -N zone_wan_input
iptables -t filter -N zone_wan_output
iptables -t filter -N zone_wan_forward
iptables -t filter -N zone_wan_src_REJECT
iptables -t filter -N zone_wan_dest_ACCEPT
iptables -t filter -N zone_wan_dest_REJECT
iptables -t filter -N input_wan_rule
iptables -t filter -N output_wan_rule
iptables -t filter -N forwarding_wan_rule
iptables -t filter -A zone_wan_input -m comment --comment "user chain for input" -j input_wan_rule
iptables -t filter -A zone_wan_output -m comment --comment "user chain for output" -j output_wan_rule
iptables -t filter -A zone_wan_forward -m comment --comment "user chain for forwarding" -j forwarding_wan_rule
iptables -t filter -N zone_vpn_input
iptables -t filter -N zone_vpn_output
iptables -t filter -N zone_vpn_forward
iptables -t filter -N zone_vpn_src_ACCEPT
iptables -t filter -N zone_vpn_dest_ACCEPT
iptables -t filter -N zone_vpn_dest_REJECT
iptables -t filter -N input_vpn_rule
iptables -t filter -N output_vpn_rule
iptables -t filter -N forwarding_vpn_rule
iptables -t filter -A zone_vpn_input -m comment --comment "user chain for input" -j input_vpn_rule
iptables -t filter -A zone_vpn_output -m comment --comment "user chain for output" -j output_vpn_rule
iptables -t filter -A zone_vpn_forward -m comment --comment "user chain for forwarding" -j forwarding_vpn_rule
iptables -t filter -D INPUT -j delegate_input
iptables -t filter -A INPUT -j delegate_input
iptables -t filter -D OUTPUT -j delegate_output
iptables -t filter -A OUTPUT -j delegate_output
iptables -t filter -D FORWARD -j delegate_forward
iptables -t filter -A FORWARD -j delegate_forward
iptables -t filter -A delegate_input -i lo -j ACCEPT
iptables -t filter -A delegate_output -o lo -j ACCEPT
iptables -t filter -A delegate_input -m comment --comment "user chain for input" -j input_rule
iptables -t filter -A delegate_output -m comment --comment "user chain for output" -j output_rule
iptables -t filter -A delegate_forward -m comment --comment "user chain for forwarding" -j forwarding_rule
iptables -t filter -A delegate_input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A delegate_output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A delegate_forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -j RETURN
iptables -t filter -A syn_flood -j DROP
iptables -t filter -A delegate_input -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn_flood
iptables -t filter -A reject -p tcp -j REJECT --reject-with tcp-reset
iptables -t filter -A reject -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment Allow-DHCP-Renew -j ACCEPT
iptables -t filter -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment Allow-Ping -j ACCEPT
iptables -t filter -A zone_wan_input -p 2 -m comment --comment Allow-IGMP -j ACCEPT
iptables -t filter -A zone_wan_forward -p esp -m comment --comment "@rule[7]" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_wan_forward -p udp -m udp --dport 500 -m comment --comment "@rule[8]" -j zone_lan_dest_ACCEPT
iptables -t filter -A delegate_input -p udp -m udp --dport 1200 -m comment --comment "@rule[9]" -j ACCEPT
iptables -t filter -A zone_wan_input -p tcp -m comment --comment "@rule[10]" -j ACCEPT
iptables -t filter -A zone_wan_input -p udp -m comment --comment "@rule[10]" -j ACCEPT
iptables -t filter -A zone_wan_input -p tcp -m comment --comment "@rule[11]" -j ACCEPT
iptables -t filter -A zone_wan_input -p udp -m comment --comment "@rule[11]" -j ACCEPT
iptables -t filter -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment OpenVPN -j ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
iptables -t filter -A zone_vpn_forward -m comment --comment "forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_forward -m comment --comment "forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
iptables -t filter -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_lan_input -j zone_lan_src_ACCEPT
iptables -t filter -A zone_lan_forward -j zone_lan_dest_ACCEPT
iptables -t filter -A zone_lan_output -j zone_lan_dest_ACCEPT
iptables -t filter -D zone_lan_src_ACCEPT -i br-lan -j ACCEPT
iptables -t filter -A zone_lan_src_ACCEPT -i br-lan -j ACCEPT
iptables -t filter -D zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
iptables -t filter -A zone_lan_dest_ACCEPT -o br-lan -j ACCEPT
iptables -t filter -D delegate_input -i br-lan -j zone_lan_input
iptables -t filter -A delegate_input -i br-lan -j zone_lan_input
iptables -t filter -D delegate_output -o br-lan -j zone_lan_output
iptables -t filter -A delegate_output -o br-lan -j zone_lan_output
iptables -t filter -D delegate_forward -i br-lan -j zone_lan_forward
iptables -t filter -A delegate_forward -i br-lan -j zone_lan_forward
iptables -t filter -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_wan_input -j zone_wan_src_REJECT
iptables -t filter -A zone_wan_forward -j zone_wan_dest_REJECT
iptables -t filter -A zone_wan_output -j zone_wan_dest_ACCEPT
iptables -t filter -D zone_wan_dest_ACCEPT -o pppoe-wan -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o pppoe-wan -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i pppoe-wan -j reject
iptables -t filter -A zone_wan_src_REJECT -i pppoe-wan -j reject
iptables -t filter -D zone_wan_dest_REJECT -o pppoe-wan -j reject
iptables -t filter -A zone_wan_dest_REJECT -o pppoe-wan -j reject
iptables -t filter -D delegate_input -i pppoe-wan -j zone_wan_input
iptables -t filter -A delegate_input -i pppoe-wan -j zone_wan_input
iptables -t filter -D delegate_output -o pppoe-wan -j zone_wan_output
iptables -t filter -A delegate_output -o pppoe-wan -j zone_wan_output
iptables -t filter -D delegate_forward -i pppoe-wan -j zone_wan_forward
iptables -t filter -A delegate_forward -i pppoe-wan -j zone_wan_forward
iptables -t filter -D zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
iptables -t filter -A zone_wan_dest_ACCEPT -o eth0 -j ACCEPT
iptables -t filter -D zone_wan_src_REJECT -i eth0 -j reject
iptables -t filter -A zone_wan_src_REJECT -i eth0 -j reject
iptables -t filter -D zone_wan_dest_REJECT -o eth0 -j reject
iptables -t filter -A zone_wan_dest_REJECT -o eth0 -j reject
iptables -t filter -D delegate_input -i eth0 -j zone_wan_input
iptables -t filter -A delegate_input -i eth0 -j zone_wan_input
iptables -t filter -D delegate_output -o eth0 -j zone_wan_output
iptables -t filter -A delegate_output -o eth0 -j zone_wan_output
iptables -t filter -D delegate_forward -i eth0 -j zone_wan_forward
iptables -t filter -A delegate_forward -i eth0 -j zone_wan_forward
iptables -t filter -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "Accept port redirections" -j ACCEPT
iptables -t filter -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "Accept port forwards" -j ACCEPT
iptables -t filter -A zone_vpn_input -j zone_vpn_src_ACCEPT
iptables -t filter -A zone_vpn_forward -j zone_vpn_dest_REJECT
iptables -t filter -A zone_vpn_output -j zone_vpn_dest_ACCEPT
iptables -t filter -D zone_vpn_src_ACCEPT -i tun0 -j ACCEPT
iptables -t filter -A zone_vpn_src_ACCEPT -i tun0 -j ACCEPT
iptables -t filter -D zone_vpn_dest_ACCEPT -o tun0 -j ACCEPT
iptables -t filter -A zone_vpn_dest_ACCEPT -o tun0 -j ACCEPT
iptables -t filter -D zone_vpn_dest_REJECT -o tun0 -j reject
iptables -t filter -A zone_vpn_dest_REJECT -o tun0 -j reject
iptables -t filter -D delegate_input -i tun0 -j zone_vpn_input
iptables -t filter -A delegate_input -i tun0 -j zone_vpn_input
iptables -t filter -D delegate_output -o tun0 -j zone_vpn_output
iptables -t filter -A delegate_output -o tun0 -j zone_vpn_output
iptables -t filter -D delegate_forward -i tun0 -j zone_vpn_forward
iptables -t filter -A delegate_forward -i tun0 -j zone_vpn_forward
iptables -t filter -A delegate_forward -j reject
iptables -t nat -N delegate_prerouting
iptables -t nat -N delegate_postrouting
iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule
iptables -t nat -N zone_lan_postrouting
iptables -t nat -N zone_lan_prerouting
iptables -t nat -N prerouting_lan_rule
iptables -t nat -N postrouting_lan_rule
iptables -t nat -A zone_lan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_lan_rule
iptables -t nat -A zone_lan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_lan_rule
iptables -t nat -N zone_wan_postrouting
iptables -t nat -N zone_wan_prerouting
iptables -t nat -N prerouting_wan_rule
iptables -t nat -N postrouting_wan_rule
iptables -t nat -A zone_wan_prerouting -m comment --comment "user chain for prerouting" -j prerouting_wan_rule
iptables -t nat -A zone_wan_postrouting -m comment --comment "user chain for postrouting" -j postrouting_wan_rule
iptables -t nat -N zone_vpn_postrouting
iptables -t nat -N zone_vpn_prerouting
iptables -t nat -N prerouting_vpn_rule
iptables -t nat -N postrouting_vpn_rule
iptables -t nat -A zone_vpn_prerouting -m comment --comment "user chain for prerouting" -j prerouting_vpn_rule
iptables -t nat -A zone_vpn_postrouting -m comment --comment "user chain for postrouting" -j postrouting_vpn_rule
iptables -t nat -D PREROUTING -j delegate_prerouting
iptables -t nat -A PREROUTING -j delegate_prerouting
iptables -t nat -D POSTROUTING -j delegate_postrouting
iptables -t nat -A POSTROUTING -j delegate_postrouting
iptables -t nat -A delegate_prerouting -m comment --comment "user chain for prerouting" -j prerouting_rule
iptables -t nat -A delegate_postrouting -m comment --comment "user chain for postrouting" -j postrouting_rule
iptables -t nat -A zone_wan_prerouting -p tcp -m tcp --dport 443 -m comment --comment odoo -j DNAT --to-destination 10.66.0.250:443
iptables -t nat -A zone_wan_prerouting -p udp -m udp --dport 443 -m comment --comment odoo -j DNAT --to-destination 10.66.0.250:443
iptables -t nat -D zone_lan_prerouting -p tcp -s 10.66.0.0/255.255.255.0 -d WAN_IP_OPENWRT/255.255.255.255 -m tcp --dport 443 -m comment --comment "odoo (reflection)" -j DNAT --to-destination 10.66.0.250:443
iptables -t nat -A zone_lan_prerouting -p tcp -s 10.66.0.0/255.255.255.0 -d WAN_IP_OPENWRT/255.255.255.255 -m tcp --dport 443 -m comment --comment "odoo (reflection)" -j DNAT --to-destination 10.66.0.250:443
iptables -t nat -D zone_lan_postrouting -p tcp -s 10.66.0.0/255.255.255.0 -d 10.66.0.250/255.255.255.255 -m tcp --dport 443 -m comment --comment "odoo (reflection)" -j SNAT --to-source 10.66.0.1
iptables -t nat -A zone_lan_postrouting -p tcp -s 10.66.0.0/255.255.255.0 -d 10.66.0.250/255.255.255.255 -m tcp --dport 443 -m comment --comment "odoo (reflection)" -j SNAT --to-source 10.66.0.1
iptables -t nat -D zone_lan_prerouting -p udp -s 10.66.0.0/255.255.255.0 -d WAN_IP_OPENWRT/255.255.255.255 -m udp --dport 443 -m comment --comment "odoo (reflection)" -j DNAT --to-destination 10.66.0.250:443
iptables -t nat -A zone_lan_prerouting -p udp -s 10.66.0.0/255.255.255.0 -d WAN_IP_OPENWRT/255.255.255.255 -m udp --dport 443 -m comment --comment "odoo (reflection)" -j DNAT --to-destination 10.66.0.250:443
iptables -t nat -D zone_lan_postrouting -p udp -s 10.66.0.0/255.255.255.0 -d 10.66.0.250/255.255.255.255 -m udp --dport 443 -m comment --comment "odoo (reflection)" -j SNAT --to-source 10.66.0.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.66.0.0/255.255.255.0 -d 10.66.0.250/255.255.255.255 -m udp --dport 443 -m comment --comment "odoo (reflection)" -j SNAT --to-source 10.66.0.1
iptables -t nat -A zone_wan_prerouting -p udp -m udp --dport 1194 -m comment --comment "FreePBX VPN Server" -j DNAT --to-destination 10.66.0.2:1194
iptables -t nat -D zone_lan_prerouting -p udp -s 10.66.0.0/255.255.255.0 -d WAN_IP_OPENWRT/255.255.255.255 -m udp --dport 1194 -m comment --comment "FreePBX VPN Server (reflection)" -j DNAT --to-destination 10.66.0.2:1194
iptables -t nat -A zone_lan_prerouting -p udp -s 10.66.0.0/255.255.255.0 -d WAN_IP_OPENWRT/255.255.255.255 -m udp --dport 1194 -m comment --comment "FreePBX VPN Server (reflection)" -j DNAT --to-destination 10.66.0.2:1194
iptables -t nat -D zone_lan_postrouting -p udp -s 10.66.0.0/255.255.255.0 -d 10.66.0.2/255.255.255.255 -m udp --dport 1194 -m comment --comment "FreePBX VPN Server (reflection)" -j SNAT --to-source 10.66.0.1
iptables -t nat -A zone_lan_postrouting -p udp -s 10.66.0.0/255.255.255.0 -d 10.66.0.2/255.255.255.255 -m udp --dport 1194 -m comment --comment "FreePBX VPN Server (reflection)" -j SNAT --to-source 10.66.0.1
iptables -t nat -D delegate_prerouting -i br-lan -j zone_lan_prerouting
iptables -t nat -A delegate_prerouting -i br-lan -j zone_lan_prerouting
iptables -t nat -D delegate_postrouting -o br-lan -j zone_lan_postrouting
iptables -t nat -A delegate_postrouting -o br-lan -j zone_lan_postrouting
iptables -t nat -A zone_wan_postrouting -j MASQUERADE
iptables -t nat -D delegate_prerouting -i pppoe-wan -j zone_wan_prerouting
iptables -t nat -A delegate_prerouting -i pppoe-wan -j zone_wan_prerouting
iptables -t nat -D delegate_postrouting -o pppoe-wan -j zone_wan_postrouting
iptables -t nat -A delegate_postrouting -o pppoe-wan -j zone_wan_postrouting
iptables -t nat -D delegate_prerouting -i eth0 -j zone_wan_prerouting
iptables -t nat -A delegate_prerouting -i eth0 -j zone_wan_prerouting
iptables -t nat -D delegate_postrouting -o eth0 -j zone_wan_postrouting
iptables -t nat -A delegate_postrouting -o eth0 -j zone_wan_postrouting
iptables -t nat -A zone_vpn_postrouting -j MASQUERADE
iptables -t nat -D delegate_prerouting -i tun0 -j zone_vpn_prerouting
iptables -t nat -A delegate_prerouting -i tun0 -j zone_vpn_prerouting
iptables -t nat -D delegate_postrouting -o tun0 -j zone_vpn_postrouting
iptables -t nat -A delegate_postrouting -o tun0 -j zone_vpn_postrouting
iptables -t mangle -N mssfix
iptables -t mangle -N fwmark
iptables -t mangle -D FORWARD -j mssfix
iptables -t mangle -A FORWARD -j mssfix
iptables -t mangle -D PREROUTING -j fwmark
iptables -t mangle -A PREROUTING -j fwmark
iptables -t mangle -D mssfix -p tcp -o pppoe-wan -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A mssfix -p tcp -o pppoe-wan -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -D mssfix -p tcp -o eth0 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
iptables -t mangle -A mssfix -p tcp -o eth0 -m tcp --tcp-flags SYN,RST SYN -m comment --comment "wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
iptables -t raw -N delegate_notrack
iptables -t raw -D PREROUTING -j delegate_notrack
iptables -t raw -A PREROUTING -j delegate_notrack

It appears the port forward rule is installed fine then. Not sure what the problem is in the end. Can you try to connect with a desktop openvpn client to port 1194?

I forgot to say that on the OpenWrt main router there is also an OpenVPN server running and listening on port 1200.
I changed port 1194 to 1200 so I could make a redirect rule on port 1194 for the IP phone VPN client to reach the VPN server on the FreePBX server.

Maybe this information changes the way you read the log.


Without performing the steps, and posting the information requested, in my previous post, there is no way to help you.

I was wondering where I should put this. I cannot find this statement in server.conf on Google.

But I found some logs:

tail /var/log/messages on the freepbx server said:
tail -f /var/log/messages
Jan 13 03:27:50 localhost openvpn[6538]: UDPv4 link local (bound): [undef]
Jan 13 03:27:50 localhost openvpn[6538]: UDPv4 link remote: [undef]
Jan 13 03:27:50 localhost openvpn[6538]: MULTI: multi_init called, r=256 v=256
Jan 13 03:27:50 localhost openvpn[6538]: IFCONFIG POOL: base=10.8.0.2 size=252, ipv6=0
Jan 13 03:27:50 localhost openvpn[6538]: IFCONFIG POOL LIST
Jan 13 03:27:50 localhost openvpn[6538]: Initialization Sequence Completed
Jan 13 03:27:52 localhost ntpd[1651]: Listen normally on 9 tun0 10.8.0.1 UDP 123
Jan 13 03:27:52 localhost ntpd[1651]: peers refreshed
Jan 13 03:29:33 localhost ntpd[1651]: 0.0.0.0 c612 02 freq_set kernel -17.824 PPM
Jan 13 03:29:33 localhost ntpd[1651]: 0.0.0.0 c615 05 clock_sync
Jan 13 03:32:27 localhost openvpn[6538]: :33032 TLS: Initial packet from [AF_INET]103.17.45.190:33032, sid=5d0e129b 7ada5f29
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 CRL CHECK OK: CN=FreePBX
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 VERIFY OK: depth=1, CN=FreePBX
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 CRL CHECK OK: CN=client0
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 VERIFY OK: depth=0, CN=client0
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 03:32:29 localhost openvpn[6538]:WAN_REMOTE_PUBLIC_IP:33032 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 2048 bit RSA
Jan 13 03:32:29 localhost openvpn[6538]: WAN_REMOTE_PUBLIC_IP:33032 [client0] Peer Connection Initiated with [AF_INET]103.17.45.190:33032
Jan 13 03:32:29 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 OPTIONS IMPORT: reading client specific options from: ccd/client0
Jan 13 03:32:29 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 MULTI_sva: pool returned IPv4=10.8.0.2, IPv6=(Not enabled)
Jan 13 03:32:29 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 MULTI: Learn: 10.8.0.2 -> client0/103.17.45.190:33032
Jan 13 03:32:29 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 MULTI: primary virtual IP for client0/103.17.45.190:33032: 10.8.0.2
Jan 13 03:32:33 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 PUSH: Received control message: 'PUSH_REQUEST'
Jan 13 03:32:33 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 send_push_reply(): safe_cap=940
Jan 13 03:32:33 localhost openvpn[6538]: client0/WAN_REMOTE_PUBLIC_IP:33032 SENT CONTROL [client0]: 'PUSH_REPLY,route-gateway 10.8.0.1,topology subnet,ping 10,ping-restart 120,ifconfig 10.8.0.2 255.255.255.0' (status=1)


cat /etc/openvpn/sysadmin_server1
sysadmin_server1.conf        sysadmin_server1.crt         sysadmin_server1.key         sysadmin_server1-status.log  
[root@localhost asterisk]# cat /etc/openvpn/sysadmin_server1-status.log 
TITLE	OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jun  9 2015
TIME	Sat Jan 13 08:18:07 2018	1515791887
HEADER	CLIENT_LIST	Common Name	Real Address	Virtual Address	Bytes Received	Bytes Sent	Connected Since	Connected Since (time_t)	Username
CLIENT_LIST	client0	WAN_REMOTE_PUBLIC_IP:43632	10.8.0.2	15532	15716	Sat Jan 13 07:41:22 2018	1515789682	UNDEF
HEADER	ROUTING_TABLE	Virtual Address	Common Name	Real Address	Last Ref	Last Ref (time_t)
ROUTING_TABLE	10.8.0.2	client0	WAN_REMOTE_PUBLIC_IP:43632	Sat Jan 13 07:41:26 2018	1515789686
GLOBAL_STATS	Max bcast/mcast queue length	0

From FreePBX I can ping 10.8.0.2, so everything seems to be OK.

sip show peers 
Name/username             Host                                    Dyn Forcerport Comedia    ACL Port     Status      Description                      
1/1                       10.66.0.180                              D  No         No          A  5060     OK (19 ms)                                   
2/2                       10.66.0.235                              D  No         No          A  5060     OK (22 ms)                                   
3/3                       10.66.0.154                              D  No         No          A  5060     OK (8 ms)                                    
4/4                       10.66.0.152                              D  No         No          A  5060     OK (8 ms)                                    
5                         (Unspecified)                            D  No         No          A  0        UNKNOWN


5 is my phone; its IP is not registered. I think it's a SIP problem.

I try to find other log files.  

Thanks for your help.
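The `sysadmin_server1-status.log` quoted above is OpenVPN's `status-version 3` format: tab-separated records, with CLIENT_LIST and ROUTING_TABLE rows decoded using the column names from the preceding HEADER line. The parser below is an added example, not from the thread or FreePBX; it derives per client how long the session has been up and how long since the routing entry was last refreshed, which happens when the server sees a data packet from that virtual address, so a client that stays listed while that gap grows is connected but sending nothing through the tunnel. SAMPLE_STATUS reproduces the values from the post, with its WAN_REMOTE_PUBLIC_IP placeholder kept; the trailing END record is what a complete status file ends with.

```python
from typing import Dict, List


def parse_status_v3(text: str) -> dict:
    """Decode a status-version 3 file into title, time, client/route rows and stats."""
    headers: Dict[str, List[str]] = {}
    status = {"title": None, "time": None, "clients": [], "routes": [], "global_stats": {}}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        kind = fields[0]
        if kind == "TITLE":
            status["title"] = fields[1]
        elif kind == "TIME":
            status["time"] = int(fields[2])          # fields[1] is the human-readable form
        elif kind == "HEADER":
            headers[fields[1]] = fields[2:]          # column names for the rows that follow
        elif kind in ("CLIENT_LIST", "ROUTING_TABLE"):
            if kind not in headers:
                raise ValueError(f"{kind} row before its HEADER line")
            row = dict(zip(headers[kind], fields[1:]))
            status["clients" if kind == "CLIENT_LIST" else "routes"].append(row)
        elif kind == "GLOBAL_STATS":
            status["global_stats"][fields[1]] = fields[2]
        elif kind == "END":
            break
    return status


def client_report(status: dict) -> Dict[str, dict]:
    """Per common name: addresses, seconds connected, seconds since the
    routing entry was last referenced (None if no route), bytes each way."""
    now = status["time"]
    last_ref = {r["Common Name"]: int(r["Last Ref (time_t)"]) for r in status["routes"]}
    report = {}
    for c in status["clients"]:
        cn = c["Common Name"]
        report[cn] = {
            "virtual": c["Virtual Address"],
            "real": c["Real Address"],
            "connected_s": now - int(c["Connected Since (time_t)"]),
            "idle_s": (now - last_ref[cn]) if cn in last_ref else None,
            "rx": int(c["Bytes Received"]),
            "tx": int(c["Bytes Sent"]),
        }
    return report


# Values copied from the status log in the post (constructed sample; END added).
SAMPLE_STATUS = "\n".join("\t".join(f) for f in [
    ("TITLE", "OpenVPN 2.3.7 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] "
              "[PKCS11] [MH] [IPv6] built on Jun  9 2015"),
    ("TIME", "Sat Jan 13 08:18:07 2018", "1515791887"),
    ("HEADER", "CLIENT_LIST", "Common Name", "Real Address", "Virtual Address",
     "Bytes Received", "Bytes Sent", "Connected Since", "Connected Since (time_t)",
     "Username"),
    ("CLIENT_LIST", "client0", "WAN_REMOTE_PUBLIC_IP:43632", "10.8.0.2", "15532",
     "15716", "Sat Jan 13 07:41:22 2018", "1515789682", "UNDEF"),
    ("HEADER", "ROUTING_TABLE", "Virtual Address", "Common Name", "Real Address",
     "Last Ref", "Last Ref (time_t)"),
    ("ROUTING_TABLE", "10.8.0.2", "client0", "WAN_REMOTE_PUBLIC_IP:43632",
     "Sat Jan 13 07:41:26 2018", "1515789686"),
    ("GLOBAL_STATS", "Max bcast/mcast queue length", "0"),
    ("END",),
])

if __name__ == "__main__":
    for cn, info in client_report(parse_status_v3(SAMPLE_STATUS)).items():
        print(f"{cn}: {info['virtual']} up {info['connected_s']}s, "
              f"idle {info['idle_s']}s, rx {info['rx']} tx {info['tx']}")
```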

Please edit your post and put everything within proper code boxes, not quote boxes, as it's an illegible mess.

  • Code boxes:
    • Three back ticks on new line, code on next line, finally three more back ticks on a new line

Please also include the sysadmin_server1.conf, as that appears to be your server config.

  • The server log location will be referenced in that config, and that is the server log we need to see, as the status log is a different log we don't need for troubleshooting.

You will need to change the server and client verbosity setting to 9 (if the OpenVPN server is not on LEDE, as it appears I misread, the verbosity option would be verb 9, with no option in front of it). The default verbosity of 3 is too low (the minimum to troubleshoot is 5).

Is the syntax like Markdown?

FREEBPX# cat /etc/openvpn/sysadmin_server1.
sysadmin_server1.conf  sysadmin_server1.crt   sysadmin_server1.key   
[root@localhost asterisk]# cat /etc/openvpn/sysadmin_server1.conf
# Configuration automatically generated via Sysadmin RPM
# MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
# Generated at: Fri, 12 Jan 2018 16:27:48 +0000
port 1194
proto udp
dev tun
topology subnet
ca sysadmin_ca.crt
dh sysadmin_dh.pem
crl-verify sysadmin_crl.pem
cert sysadmin_server1.crt
key sysadmin_server1.key
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
#verb 3
verb 9
client-config-dir ccd
ccd-exclusive
status sysadmin_server1-status.log 10
status-version 3
script-security 2
server 10.8.0.0 255.255.255.0

There is no info on the server log file path.

 cat /etc/openvpn/clients/sysadmin_client0.conf
# Configuration automatically generated via Sysadmin RPM
# MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
# Generated at: Fri, 12 Jan 2018 16:27:48 +0000
client
dev tun
proto udp
resolv-retry 60
nobind
persist-key
persist-tun
remote-cert-tls server
ca sysadmin_ca.crt
cert sysadmin_client0.crt
key sysadmin_client0.key
comp-lzo
#verb 3
verb 9
remote goeen.ddns.net 1194

/etc/init.d/openvpn restart

FREEPBX tail -f /var/log/messages

 tail -f /var/log/messages
Jan 13 19:39:53 localhost openvpn[32315]: PO_CTL rwflags=0x0000 ev=7 arg=0x0069cf88
Jan 13 19:39:53 localhost openvpn[32315]: I/O WAIT Tr|Tw|Sr|SW [7/154417]
Jan 13 19:39:53 localhost openvpn[32315]: PO_WAIT[0,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x0069d0a8 
Jan 13 19:39:53 localhost openvpn[32315]:  event_wait returned 1
Jan 13 19:39:53 localhost openvpn[32315]: I/O WAIT status=0x0002
Jan 13 19:39:53 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 WRITE [53] to [AF_INET]WAN_IP_IPPHONE_SUBNET:48835: P_DATA_V1 kid=0 DATA 8bacffeb db18fb59 b8bb0506 efa1d974 6f9ea12b 41e3a5a3 d1d81298 5872f75[more...]
Jan 13 19:39:53 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 write returned 53
Jan 13 19:39:53 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=6 arg=0x0069d0a8
Jan 13 19:39:53 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=7 arg=0x0069cf88
Jan 13 19:39:53 localhost openvpn[32315]: I/O WAIT TR|Tw|SR|Sw [7/154417]
Jan 13 19:39:57 localhost openvpn[32315]: PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x0069d0a8 
Jan 13 19:39:57 localhost openvpn[32315]:  event_wait returned 1
[...]
Jan 13 19:40:03 localhost openvpn[32315]: MULTI: REAP range 176 -> 192
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 TLS: tls_pre_encrypt: key_id=0
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 ENCRYPT IV: f3f9dc32 d3c32c62
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 ENCRYPT FROM: 00000038 fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 ENCRYPT TO: f3f9dc32 d3c32c62 44380f1f 51c5a850 34694b21 2a458662 c73ec435 191901cf
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 SENT PING
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 TIMER: coarse timer wakeup 10 seconds
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 RANDOM USEC=144132
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 SCHEDULE: schedule_add_modify wakeup=[Sat Jan 13 19:40:14 2018 us=95269] pri=1350140420
Jan 13 19:40:03 localhost openvpn[32315]: SCHEDULE: schedule_find_least wakeup=[Sat Jan 13 19:40:14 2018 us=95269] pri=1959752348
Jan 13 19:40:03 localhost openvpn[32315]: PO_CTL rwflags=0x0002 ev=6 arg=0x0069d0a8
Jan 13 19:40:03 localhost openvpn[32315]: PO_CTL rwflags=0x0000 ev=7 arg=0x0069cf88
Jan 13 19:40:03 localhost openvpn[32315]: I/O WAIT Tr|Tw|Sr|SW [10/0]
Jan 13 19:40:03 localhost openvpn[32315]: PO_WAIT[0,0] fd=6 rev=0x00000004 rwflags=0x0002 arg=0x0069d0a8 
Jan 13 19:40:03 localhost openvpn[32315]:  event_wait returned 1
Jan 13 19:40:03 localhost openvpn[32315]: I/O WAIT status=0x0002
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 WRITE [53] to [AF_INET]WAN_IP_IPPHONE_SUBNET:48835: P_DATA_V1 kid=0 DATA e5dadb2e 3977869d 4187b703 4936b3d2 2661bf06 f3f9dc32 d3c32c62 44380f1[more...]
Jan 13 19:40:03 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 write returned 53
Jan 13 19:40:03 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=6 arg=0x0069d0a8
Jan 13 19:40:03 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=7 arg=0x0069cf88
Jan 13 19:40:03 localhost openvpn[32315]: I/O WAIT TR|Tw|SR|Sw [10/0]
Jan 13 19:40:08 localhost openvpn[32315]: PO_WAIT[0,0] fd=6 rev=0x00000001 rwflags=0x0001 arg=0x0069d0a8 
Jan 13 19:40:08 localhost openvpn[32315]:  event_wait returned 1
Jan 13 19:40:08 localhost openvpn[32315]: I/O WAIT status=0x0001
Jan 13 19:40:08 localhost openvpn[32315]: MULTI: REAP range 192 -> 208
Jan 13 19:40:08 localhost openvpn[32315]: UDPv4 read returned 53
Jan 13 19:40:08 localhost openvpn[32315]: GET INST BY REAL: WAN_IP_IPPHONE_SUBNET:48835 [succeeded]
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 UDPv4 READ [53] from [AF_INET]WAN_IP_IPPHONE_SUBNET:48835: P_DATA_V1 kid=0 DATA f42e5df4 a79d67fb 10992684 b2483b87 e284d083 f4167c34 7862296a c1550c2[more...]
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 TLS: tls_pre_decrypt, key_id=0, IP=[AF_INET]WAN_IP_IPPHONE_SUBNET:48835
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 DECRYPT IV: f4167c34 7862296a
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 DECRYPT TO: 00000038 fa2a187b f3641eb4 cb07ed2d 0a981fc7 48
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 PID_TEST [0] [SSL-0] [>EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE] 0:55 0:56 t=1515832808[0] r=[0,64,15,0,1] sl=[9,55,64,528]
Jan 13 19:40:08 localhost openvpn[32315]: client0/WAN_IP_IPPHONE_SUBNET:48835 RECEIVED PING PACKET
Jan 13 19:40:08 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=6 arg=0x0069d0a8
Jan 13 19:40:08 localhost openvpn[32315]: PO_CTL rwflags=0x0001 ev=7 arg=0x0069cf88
Jan 13 19:40:08 localhost openvpn[32315]: I/O WAIT TR|Tw|SR|Sw [5/95556]

FREEPBX ping 10.8.0.2 is OK.

I think the VPN is OK. It's a SIP problem maybe.

sip show peers
Name/username             Host                                    Dyn Forcerport Comedia    ACL Port     Status      Description
1/1                       10.66.0.180                              D  No         No          A  5060     OK (17 ms)
2/2                       10.66.0.235                              D  No         No          A  5060     OK (21 ms)
3/3                       10.66.0.154                              D  No         No          A  5060     OK (16 ms)
4/4                       10.66.0.152                              D  No         No          A  5060     OK (15 ms)
5                         (Unspecified)                            D  No         No          A  0        UNKNOWN

5 is my remote IP phone.

Again, please change the client and server configs to proto tcp.

  • Logging:

    • For the server config, add log /var/openvpn.log
    • For the client config, add the same; however, depending on its filesystem, it may need to be changed to /tmp/openvpn.log
  • The reason why the logging for OpenVPN is required is it will show precisely what is occurring when the SIP Phone (VPN Client) tries to access the tunnel.

Please go through my previous post and post ALL the requested information, and make ALL the requested changes...

  • Before doing this, since you don't have CCD properly configured, remove it from your server config, restart the server, and see if that solves the issue.
    • Remove: client-config-dir ccd & ccd-exclusive
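The config edits asked for in the numbered list and in this post (proto tcp, verb 9, a `log` directive, and dropping `client-config-dir`/`ccd-exclusive`) as an added example, not code from the thread or from FreePBX. OpenVPN directives are one per line and a line starting with `#` or `;` is a comment, so the commented `#verb 3` is left alone and only the live directive is replaced; `log` goes in the .conf file itself, which answers the "where should I put this?" question. SERVER_CONF is the sysadmin_server1.conf from the post; its own header says the Sysadmin RPM regenerates it, so the result belongs in a copy you start by hand.

```python
from typing import Optional


def _is_active(line: str, name: str) -> bool:
    """True if this line is the live (uncommented) directive `name`."""
    s = line.strip()
    return bool(s) and s[0] not in "#;" and s.split()[0] == name


def active_value(text: str, name: str) -> Optional[str]:
    """Value of the first live directive, "" if it takes none, None if absent."""
    for line in text.splitlines():
        if _is_active(line, name):
            return " ".join(line.split()[1:])
    return None


def set_directive(text: str, name: str, value: str) -> str:
    """Replace the live directive (dropping duplicates) or append it at the end."""
    new_line, out, done = f"{name} {value}".rstrip(), [], False
    for line in text.splitlines():
        if _is_active(line, name):
            if not done:
                out.append(new_line)
                done = True
            continue                      # later duplicates are dropped
        out.append(line)
    if not done:
        out.append(new_line)
    return "\n".join(out) + "\n"


def disable_directive(text: str, name: str) -> str:
    """Comment out every live occurrence, keeping the original text visible."""
    out = []
    for line in text.splitlines():
        out.append("# disabled for troubleshooting: " + line.strip()
                   if _is_active(line, name) else line)
    return "\n".join(out) + "\n"


def apply_troubleshooting(text: str, log_path: str, drop_ccd: bool = False) -> str:
    """proto tcp, verb 9 and a log file; optionally disable the CCD directives."""
    text = set_directive(text, "proto", "tcp")
    text = set_directive(text, "verb", "9")
    text = set_directive(text, "log", log_path)
    if drop_ccd:
        for name in ("client-config-dir", "ccd-exclusive"):
            text = disable_directive(text, name)
    return text


# The server config quoted in the post (sample input for this example).
SERVER_CONF = """\
# Configuration automatically generated via Sysadmin RPM
# MODIFICATIONS TO THIS FILE WILL BE OVERWRITTEN.
port 1194
proto udp
dev tun
topology subnet
ca sysadmin_ca.crt
dh sysadmin_dh.pem
crl-verify sysadmin_crl.pem
cert sysadmin_server1.crt
key sysadmin_server1.key
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
persist-key
persist-tun
#verb 3
verb 9
client-config-dir ccd
ccd-exclusive
status sysadmin_server1-status.log 10
status-version 3
script-security 2
server 10.8.0.0 255.255.255.0
"""

if __name__ == "__main__":
    print(apply_troubleshooting(SERVER_CONF, "/var/openvpn.log", drop_ccd=True))
```

The same function works on the client config with `/tmp/openvpn.log` as the path when the phone's filesystem requires it.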

Where should I put this ?

I misread your original post, so that won't apply since I thought you were running the VPN server on the LEDE router.

  • However, the iptables rules would allow logging. What's most important at this point is removing the CCD directives and posting the VPN server and client logs with the new verbosity level.

OK
My config:

- what I call the LAN subnet:
Main router TP-Link OpenWrt Chaos Calmer 15.05
Switch Cisco L3
VPN server on the OpenWrt router (10.10.0.0 subnet, port 1200)
AND VPN server on the FreePBX server (10.8.0.0 subnet, port 1194)
Current Asterisk Version: 11.23.0
FreePBX 13.0.192.19
A firewall rule on the OpenWrt main router redirects port 1194 to the LAN subnet IP of the FreePBX server, for the OpenVPN server on FreePBX.

- and a REMOTE subnet where I am trying to install an S700 Sangoma IP phone.
From the REMOTE subnet I can ping any server in the LAN subnet through the OpenVPN server on the main router on the LAN.

None of that is useful, and since I no longer have the patience to ask for a fourth time for what you need to post, someone else can help you. Best of luck =]

  • One cannot help when one refuses to help themselves...

I just reposted that because you said you misread my post.
Just for that.
And yes, I am running an OpenVPN server on the LEDE main router and
another one on the FreePBX server on a different port.
And I really thank you for the time you spent helping me.

Then where are the logs and configs? This will be my last post, but you need to realize none of us have access to your systems and the only way anyone can determine where the issue is at is by viewing all the logs and the relevant configs.

When users are trying to help you by requesting configs and logs that are necessary to troubleshoot and you repeatedly ignore what needs to be shared, why should one take the time to help you?

  • It's entirely possible all the logs and configs I requested may not be necessary (same goes for the high verbosity), however, in order to make it more convenient for you, I requested all at once so you don't have to be repeatedly posting new information that may be needed.

You know what's needed to be shared because I asked for it in posts #9, #15, #17, #20... perhaps someone else will have more patience than I. Best of luck =]