I'm using a Fritz!Box in client mode behind an OpenWRT router. On my Android phone I'm using Fritz!App Fon to use the phone functions of the Fritz!Box. This runs normally when my Android phone is in the same network zone as the Fritz!Box and OpenWRT (192.168.10.0), which is the LAN zone.
But when I connect from outside via Wireguard from the Wireguard zone 192.168.9.0, the Fritz!App is connecting, I can even access my phone books on the Fritz!Box, but the telephone state never switches to green, which means it doesn't allow me to make a call. For whatever reason, it looks like SIP packets are not going from the Fritz!Box to the Fritz!App phone or vice versa. The funny thing is that I can reach each LAN client from the wireguard zone and each LAN client can reach the wireguard clients outside.
I already added the entry option helper 'sip' to the wireguard zone in the firewall settings as mentioned in a previous post in this forum, but there is no change.
For the allowed_ips part... I think, '::0/0' is also not needed.
Then set up forwarding between the zones.
sip helper is also not needed in a routed setup?
//edit
Well, scratch that.
I installed wireguard to test some things.
Setup almost identical as the one from OP and it simply works.
lan zone: 10.0.0.0/24
wireguard on router:
interface: 192.168.10.254/24
peer: allowed IPs: 192.168.10.1/32
Route Allowed IPs: Unchecked
wireguard on client:
interface: 192.168.10.1/32
peer allowed IPs: 0.0.0.0/0
Router: zone forwards:
wireguard zone <-> lan zone
So the problem must be somewhere else.
Unfortunately, I have no fritzbox to test the fritzbox app (and the sip part).
I found on another forum that for the sip part the VPN connection must be in transparent mode, whatever that means.
Others say to use an Application Layer Gateway (ALG) for sip, but I don't know how to handle this.
The *1925.eth file is the working one. Please use the following filter for *.1925.eth:
(ip.src == 192.168.10.140 or ip.dst == 192.168.10.140)
and for *.1931.eth:
(ip.src == 192.168.9.2 or ip.dst == 192.168.9.2)
The most remarkable difference that I saw is that "Request: REGISTER sip:192.168.10.100" (which is the Fritz!Box) is unanswered 6 times, and thus the phone connection state never turned to enabled.
Maybe the FritzBox is filtering requests that differ from its own (sub)net.
In the options, where you can configure the credentials for the sip phone, there is a check box to allow logins from the internet (and different subnets). Did you try to enable that?
On the phone settings there isn't such a checkbox. But in the network configuration there is a check box to allow access for apps (includes Fritz!App Fon). The settings you mean are under Internet settings; here you can allow access to the Fritz!Box from the internet. Both are checked of course.
Before I was using OpenWRT this Fritz!Box worked as my router. I used the integrated IPSEC VPN server to connect from the internet. With this configuration the Fritz!App Fon worked without problems.
I contacted the AVM support already and sent them some support files. They said their App or the Fritz!Box is not the problem because it works in the local network. It must be an issue with the router firewall, and they told me it's a problem with the routing of the sip port 5060 because of the connection from the different (sub)net.
That's why I opened this chat.
If you read the SIP protocol on port 5060 with Wireshark, you can see that the client is submitting its IP address (192.168.9.2) and a random port number (42361) used for the further communication in the IP header. That seems to be the problem, the packets through this port never reach the wireguard client. I don't know why, because the access from the lan zone to the wireguard client works. If I connect a computer with that wireguard peer, I can browse through its file system from a lan computer. That means the route in general is working. I can also ping the android phone from the lan zone.
I'm stuck.
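Added example, not part of the original post: a small Python parser that extracts the address and port a SIP client advertises in the Via and Contact headers of a REGISTER and reports which of them lie outside the registrar's network, which helps when comparing a working LAN capture with a failing VPN capture. The message text, the extension number 620 and the /24 prefix are constructed or assumed; the addresses and port 42361 are the ones quoted in the thread.

```python
import ipaddress
import re

# Constructed sample: a REGISTER shaped like the one described, sent from the
# WireGuard peer (192.168.9.2) to the Fritz!Box registrar (192.168.10.100).
SAMPLE_REGISTER = (
    "REGISTER sip:192.168.10.100 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.9.2:42361;branch=z9hG4bK-constructed;rport\r\n"
    "From: <sip:620@192.168.10.100>;tag=constructed\r\n"
    "To: <sip:620@192.168.10.100>\r\n"
    "Call-ID: constructed-call-id@192.168.9.2\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:620@192.168.9.2:42361>\r\n"
    "Content-Length: 0\r\n\r\n"
)

# IPv4 address with an optional port.
HOSTPORT = r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?"

def signalled_endpoints(message):
    """Return {header: (ip, port)} for the addresses carried in Via and Contact."""
    found = {}
    for line in message.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "via":
            m = re.search(r"SIP/2\.0/\w+\s+" + HOSTPORT, value)
        elif name == "contact":
            m = re.search(r"@" + HOSTPORT, value)
        else:
            continue
        if m and name not in found:
            # 5060 is the default SIP port when none is given.
            found[name] = (m.group(1), int(m.group(2) or 5060))
    return found

def off_subnet(message, registrar_net):
    """List the headers whose address lies outside the registrar's network."""
    net = ipaddress.ip_network(registrar_net)
    return sorted(h for h, (ip, _) in signalled_endpoints(message).items()
                  if ipaddress.ip_address(ip) not in net)
```
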
The 7412 where I tested this also runs in client mode.
I tried again on a 7490 with Fritz!OS 7.12 (but in ordinary router mode with firewall), the option is also there.
Did you create the SIP phone account using the Android app?
Check if the app allows you to set the option, or create the phone on the Fritz!Box web interface from the start.
The Fritz!App Fon on Android only allows adding a Fritz!Box, and it must be in the same lan zone when doing it (I tested with wireguard and it also worked to add). You can't modify any account settings.
I configured the account settings under Eigene Rufnummern-Rufnummer bearbeiten.
But in general it works, meaning DECT phones work, IP phones in the local net work, but not via wireguard from outside.
I don't have any clue why you have different options available.
When you run the app for the first time, or add another box, you enter your Fritz!Box login credentials. The app uses these to create a SIP account for itself in the Fritz!Box. This account has some options hidden or read only that would otherwise be available when it was created on the web interface.
I suggest you create another SIP phone account in the Fritz!Box to verify this. I couldn't find a way to enter SIP credentials into the Fritz!App Fon, which means the app cannot be used with a manually created account. Perhaps try another SIP client app, such as Linphone, to use the new account.
Good hint, Linphone works. I had to uninstall Fritz!App phone to make it work, maybe it blocked the SIP port. Thanks for your help.
Nevertheless it would be interesting to know why the Fritz!App doesn't work.
Well,
Enabling masquerading and using sip helper should also work?
Maybe also use masq_src, use masq_dest to limit the masquerading to the phone and the fritzbox?
I remember that I tried this as well in the past, but with no configuration could I make it work. Linphone works like a charm with the SIP server in the Fritz!Box (same as the Fritz!App is trying to connect to), I recently made some phone calls from Greece over my SIP server in Germany through Wireguard and all worked as it should. So I believe now the Fritz!App has a problem when the SIP phone is in a different subnet and not connected with the VPN server on the Fritz!Box itself. So I stopped trying that because I have a working solution now. It supports video calls as well, but I didn't try that yet.