SIP issues using Wireguard VPN

I'm using a Fritz!Box in client mode behind an OpenWrt router. On my Android phone I'm using Fritz!App Fon to use the phone functions of the Fritz!Box. This works normally when my Android phone is in the same network zone as the Fritz!Box and OpenWrt (192.168.10.0), which is the LAN zone.
But when I connect from outside via WireGuard from the WireGuard zone 192.168.9.0, the Fritz!App connects, I can even access my phone books on the Fritz!Box, but the telephone state never switches to green, which means it doesn't allow me to make a call. For whatever reason it looks like SIP packets are not going from the Fritz!Box to the Fritz!App phone or vice versa. The funny thing is that I can reach each LAN client from the WireGuard zone and each LAN client can reach the WireGuard clients outside.
I already added the entry option helper 'sip' to the WireGuard zone in the firewall settings as mentioned in a previous post in this forum, but there is no change.

Does anyone have an idea how to solve the issue?

Patrick

Did you try to configure a route on the Fritz!Box to your WireGuard zone (192.168.9.0)?

Route

Yes, but no success.

Could you post here the configurations? Use preformatted text, the </> button.

uci show network; uci show firewall

Also one more thing: is the WireGuard on Android split-tunnel, or does it route everything via OpenWrt?

Everything including internet goes through the tunnel.

root@OpenWrt:~# uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd55:c128:a4ee::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0'
network.lan.proto='static'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='64'
network.lan.ipaddr='192.168.10.101'
network.wan=interface
network.wan.proto='pppoe'
network.wan.ipv6='auto'
network.wan.keepalive='0'
network.wan.username='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@t-online.de'
network.wan.password='xxxxxxxxxxxxx'
network.wan.force_link='1'
network.wan.ifname='eth1.7'
network.wan6=interface
network.wan6.ifname='eth1'
network.wan6.proto='dhcpv6'
network.wan6.reqaddress='try'
network.wan6.reqprefix='auto'
network.wgo=interface
network.wgo.proto='wireguard'
network.wgo.private_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
network.wgo.listen_port='51820'
network.wgo.addresses='192.168.9.101/24'
network.@wireguard_wgo[0]=wireguard_wgo
network.@wireguard_wgo[0].route_allowed_ips='1'
network.@wireguard_wgo[0].persistent_keepalive='25'
network.@wireguard_wgo[0].allowed_ips='192.168.9.2/32' '::0/0'
network.@wireguard_wgo[0].public_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
network.@wireguard_wgo[0].description='S8 PD'
network.@wireguard_wgo[1]=wireguard_wgo
network.@wireguard_wgo[1].public_key='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
network.@wireguard_wgo[1].persistent_keepalive='25'
network.@wireguard_wgo[1].allowed_ips='192.168.9.3/32' '::0/0'
network.@wireguard_wgo[1].description='Denke-P'
network.@wireguard_wgo[1].route_allowed_ips='1'
firewall.@rule[0]=rule
firewall.@rule[0].name='Allow-DHCP-Renew'
firewall.@rule[0].src='wan'
firewall.@rule[0].proto='udp'
firewall.@rule[0].dest_port='68'
firewall.@rule[0].target='ACCEPT'
firewall.@rule[0].family='ipv4'
firewall.@rule[1]=rule
firewall.@rule[1].name='Allow-Ping'
firewall.@rule[1].src='wan'
firewall.@rule[1].proto='icmp'
firewall.@rule[1].icmp_type='echo-request'
firewall.@rule[1].family='ipv4'
firewall.@rule[1].target='ACCEPT'
firewall.@rule[2]=rule
firewall.@rule[2].name='Allow-IGMP'
firewall.@rule[2].src='wan'
firewall.@rule[2].proto='igmp'
firewall.@rule[2].family='ipv4'
firewall.@rule[2].target='ACCEPT'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-DHCPv6'
firewall.@rule[3].src='wan'
firewall.@rule[3].proto='udp'
firewall.@rule[3].src_ip='fc00::/6'
firewall.@rule[3].dest_ip='fc00::/6'
firewall.@rule[3].dest_port='546'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].target='ACCEPT'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-MLD'
firewall.@rule[4].src='wan'
firewall.@rule[4].proto='icmp'
firewall.@rule[4].src_ip='fe80::/10'
firewall.@rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].target='ACCEPT'
firewall.@rule[5]=rule
firewall.@rule[5].name='Allow-ICMPv6-Input'
firewall.@rule[5].src='wan'
firewall.@rule[5].proto='icmp'
firewall.@rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.@rule[5].limit='1000/sec'
firewall.@rule[5].family='ipv6'
firewall.@rule[5].target='ACCEPT'
firewall.@rule[6]=rule
firewall.@rule[6].name='Allow-ICMPv6-Forward'
firewall.@rule[6].src='wan'
firewall.@rule[6].dest='*'
firewall.@rule[6].proto='icmp'
firewall.@rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.@rule[6].limit='1000/sec'
firewall.@rule[6].family='ipv6'
firewall.@rule[6].target='ACCEPT'
firewall.@rule[7]=rule
firewall.@rule[7].src='*'
firewall.@rule[7].target='ACCEPT'
firewall.@rule[7].proto='udp'
firewall.@rule[7].name='Allow-Wireguard-Inbound'
firewall.@rule[7].dest_port='51820'
firewall.@defaults[0]=defaults
firewall.@defaults[0].syn_flood='1'
firewall.@defaults[0].input='ACCEPT'
firewall.@defaults[0].output='ACCEPT'
firewall.@defaults[0].forward='REJECT'
firewall.@zone[0]=zone
firewall.@zone[0].name='wan'
firewall.@zone[0].output='ACCEPT'
firewall.@zone[0].forward='REJECT'
firewall.@zone[0].masq='1'
firewall.@zone[0].mtu_fix='1'
firewall.@zone[0].input='REJECT'
firewall.@zone[0].network='wan wan6'
firewall.@include[0]=include
firewall.@include[0].path='/etc/firewall.user'
firewall.@zone[1]=zone
firewall.@zone[1].output='ACCEPT'
firewall.@zone[1].name='Wireguard'
firewall.@zone[1].network='wgo'
firewall.@zone[1].input='ACCEPT'
firewall.@zone[1].forward='ACCEPT'
firewall.@zone[1].helper='sip'
firewall.@zone[2]=zone
firewall.@zone[2].input='ACCEPT'
firewall.@zone[2].output='ACCEPT'
firewall.@zone[2].name='lan'
firewall.@zone[2].network='lan'
firewall.@zone[2].forward='ACCEPT'
firewall.@redirect[0]=redirect
firewall.@redirect[0].target='DNAT'
firewall.@redirect[0].src='wan'
firewall.@redirect[0].dest='lan'
firewall.@redirect[0].src_dport='8443'
firewall.@redirect[0].dest_ip='192.168.10.15'
firewall.@redirect[0].dest_port='8443'
firewall.@redirect[0].name='LinHK'
firewall.@redirect[0].proto='tcp'
firewall.@redirect[1]=redirect
firewall.@redirect[1].target='DNAT'
firewall.@redirect[1].src='wan'
firewall.@redirect[1].dest='lan'
firewall.@redirect[1].proto='tcp udp'
firewall.@redirect[1].src_dport='40443'
firewall.@redirect[1].dest_ip='192.168.10.100'
firewall.@redirect[1].dest_port='40443'
firewall.@redirect[1].name='BoxToGo'
firewall.@redirect[2]=redirect
firewall.@redirect[2].target='DNAT'
firewall.@redirect[2].src='wan'
firewall.@redirect[2].dest='lan'
firewall.@redirect[2].proto='tcp udp'
firewall.@redirect[2].src_dport='5001'
firewall.@redirect[2].dest_ip='192.168.10.222'
firewall.@redirect[2].dest_port='5001'
firewall.@redirect[2].name='Syno'
firewall.@forwarding[0]=forwarding
firewall.@forwarding[0].dest='wan'
firewall.@forwarding[0].src='lan'
firewall.@redirect[3]=redirect
firewall.@redirect[3].target='DNAT'
firewall.@redirect[3].src='wan'
firewall.@redirect[3].dest='Wireguard'
firewall.@redirect[3].proto='udp'
firewall.@redirect[3].src_dport='51820'
firewall.@redirect[3].dest_ip='192.168.10.101'
firewall.@redirect[3].dest_port='51820'
firewall.@redirect[3].name='Wireguard'
firewall.@forwarding[1]=forwarding
firewall.@forwarding[1].dest='Wireguard'
firewall.@forwarding[1].src='lan'
firewall.@forwarding[2]=forwarding
firewall.@forwarding[2].dest='Wireguard'
firewall.@forwarding[2].src='wan'
firewall.@forwarding[3]=forwarding
firewall.@forwarding[3].dest='lan'
firewall.@forwarding[3].src='Wireguard'
firewall.@forwarding[4]=forwarding
firewall.@forwarding[4].dest='wan'
firewall.@forwarding[4].src='Wireguard'
firewall.@rule[8]=rule
firewall.@rule[8].target='ACCEPT'
firewall.@rule[8].proto='udp'
firewall.@rule[8].dest_port='51820'
firewall.@rule[8].src='lan'
firewall.@rule[8].name='Allow-Wireguard-Forward'
firewall.@rule[8].dest='Wireguard'
firewall.@rule[9]=rule
firewall.@rule[9].target='ACCEPT'
firewall.@rule[9].proto='udp'
firewall.@rule[9].src_port='5060'
firewall.@rule[9].dest_port='5060'
firewall.@rule[9].name='Allow SIP Forward'
firewall.@rule[9].family='ipv4'
firewall.@rule[9].dest='*'
firewall.@rule[9].enabled='0'
firewall.@rule[10]=rule
firewall.@rule[10].target='ACCEPT'
firewall.@rule[10].name='bla'
firewall.@rule[10].family='ipv4'
firewall.@rule[10].proto='udp'
firewall.@rule[10].src_port='5060'
firewall.@rule[10].dest_port='5060'
firewall.@rule[10].src='*'
firewall.@rule[10].enabled='0'

Well, I'm not sure but if you want to route traffic between the wireguard zone and the lan zone:

network.wgo.addresses='192.168.9.101/24'

I think this needs to be:

network.wgo.addresses='192.168.9.101/24' '192.168.10.0/24'

For the allowed_ips part... I think '::0/0' is also not needed.
Then set up forwarding between the zones.
Is the SIP helper also not needed in a routed setup?

The addresses are almost correct.

I don't see the point of that; remove it in case it creates conflicts with your IPv6 routing.
Also

is not needed for the peers.

//edit
Well, scratch that.
I installed WireGuard to test some things.
Setup almost identical to the one from OP and it simply works.
lan zone: 10.0.0.0/24
wireguard on router:
interface: 192.168.10.254/24
peer: allowed IPs: 192.168.10.1/32
Route Allowed IPs: Unchecked

wireguard on client:
interface: 192.168.10.1/32
peer allowed IPs: 0.0.0.0/0

Router: zone forwards:
wireguard zone <-> lan zone

So the problem must be somewhere else.

Unfortunately, I have no Fritz!Box to test the Fritz!Box app (and the SIP part).


I found on another forum that for the SIP part the VPN connection must be in transparent mode, whatever that means.
Others say to use an Application Layer Gateway (ALG) for SIP, but I don't know how to handle this.

Please find attached the Wireshark logs of a working connection in the same local network and of the one via WireGuard which doesn't work.
https://app.box.com/s/0ccrhq2ifr6uy8qw7g6pnimf4wh6zdt9
https://app.box.com/s/5rlus8oh7jb69qkix1wjqmeb15clobxv

The *1925.eth file is the working one. Please use the following filter for *.1925.eth:
(ip.src == 192.168.10.140 or ip.dst == 192.168.10.140)
and for *.1931.eth:
(ip.src == 192.168.9.2 or ip.dst == 192.168.9.2)

The most remarkable difference I saw is that "Request: REGISTER sip:192.168.10.100" (which is the Fritz!Box) is unanswered 6 times, and thus the phone connection state never turns to enabled.

Maybe the Fritz!Box is filtering requests that differ from its own (sub)net.
In the options where you can configure the credentials for the SIP phone, there is a check box to allow logins from the internet (and different subnets). Did you try to enable that?

In the phone settings there isn't such a checkbox. But in the network configuration there is a check box to allow access for apps (includes Fritz!App Fon). The setting you mean is under Internet settings; here you can allow access to the Fritz!Box from the internet. Both are checked, of course.
Before I was using OpenWrt this Fritz!Box worked as my router. I used the integrated IPsec VPN server to connect from the internet. With this configuration the Fritz!App Fon worked without problems.
I contacted the AVM support already and sent them some support files. They said their app or the Fritz!Box is not the problem because it works in the local network. It must be an issue with the router firewall, and they told me it's a problem with the routing of the SIP port 5060 because of the connection from the different (sub)net.
That's why I opened this thread.

Patrick

If you read the SIP protocol on port 5060 with Wireshark, you can see that the client is submitting its IP address (192.168.9.2) and a random port number (42361) to be used for the further communication in the IP header. That seems to be the problem: the packets through this port never reach the WireGuard client. I don't know why, because the access from the LAN zone to the WireGuard client works. If I connect a computer with that WireGuard peer, I can browse through its file system from a LAN computer. That means the route in general is working. I can also ping the Android phone from the LAN zone.
I'm stuck.

Patrick
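As an added example (not code from this thread, OpenWrt or AVM), a small Python check that pulls the addresses a SIP REGISTER advertises in its Via and Contact headers and compares them against the OP's two firewall zones, which is the mismatch the capture above shows. The REGISTER text and the extension 620 are constructed; the zone subnets, the client 192.168.9.2, the Fritz!Box 192.168.10.100 and port 42361 come from the thread.

```python
import ipaddress
import re

# Constructed REGISTER mirroring the capture described in the thread:
# client 192.168.9.2 (WireGuard zone) registering at the Fritz!Box 192.168.10.100.
REGISTER = (
    "REGISTER sip:192.168.10.100 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.9.2:42361;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:620@192.168.10.100>;tag=1928301774\r\n"
    "To: <sip:620@192.168.10.100>\r\n"
    "Contact: <sip:620@192.168.9.2:42361;transport=udp>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Zone name -> subnet, taken from the OP's firewall/network config.
ZONES = {"lan": "192.168.10.0/24", "Wireguard": "192.168.9.0/24"}

IPV4_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d{1,5}))?")

def parse_register(msg):
    """Return the server IP from the Request-URI plus the (ip, port) the client
    advertises for replies (Via) and for incoming calls (Contact)."""
    lines = msg.split("\r\n")
    server = IPV4_PORT.search(lines[0].split(" ")[1]).group(1)
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    def hostport(field):
        m = IPV4_PORT.search(headers[field])
        return m.group(1), int(m.group(2) or 5060)   # 5060 is the SIP default port
    return server, hostport("via"), hostport("contact")

def zone_of(ip, zones=ZONES):
    addr = ipaddress.ip_address(ip)
    return next((z for z, n in zones.items() if addr in ipaddress.ip_network(n)), None)

def diagnose(msg, zones=ZONES):
    """Flag a registration whose advertised addresses sit in a different zone
    than the SIP server, and give the Wireshark filter to watch the reply port."""
    server, via, contact = parse_register(msg)
    report = {"server_zone": zone_of(server, zones), "client_zone": zone_of(via[0], zones),
              "reply_port": via[1], "contact_port": contact[1]}
    report["cross_zone"] = report["server_zone"] != report["client_zone"]
    report["watch_filter"] = f"ip.addr == {via[0]} && udp.port == {via[1]}"
    return report
```

Running `diagnose` on a capture from the working phone (192.168.10.140) reports `cross_zone` as false; the WireGuard client's REGISTER reports it as true, with 42361 as the port whose traffic to check on both sides of the tunnel.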

"Telefonie" -> "Telefoniegeräte" -> "Bearbeiten" (pencil symbol) -> "Anmeldedaten" -> "Anmeldung aus dem Internet erlauben"

(on a Fritz!Box 7412 with FRITZ!OS 06.86)

7490 with Fritz!OS 7.12. It's different either because of the OS version or because it's in Client-IP mode.

The 7412 where I tested this also runs in client mode.
I tried again on a 7490 with Fritz!OS 7.12 (but in ordinary router mode with firewall), the option is also there.

Did you create the SIP phone account using the Android app?
Check if the app allows you to set the option, or create the phone on the Fritz!Box web interface from the start.

The Fritz!App Fon on Android only allows you to add a Fritz!Box, and it must be in the same LAN zone when doing it (I tested with WireGuard and adding also worked). You can't modify any account settings.
I configured the account settings under Eigene Rufnummern -> Rufnummer bearbeiten.
But in general it works, meaning DECT phones work and IP phones in the local net work, but not via WireGuard from outside.
I don't have any clue why you have different options available.

OK, I tried this app.

When you run the app for the first time, or add another box, you enter your Fritz!Box login credentials. The app uses these to create a SIP account for itself in the Fritz!Box. This account has some options hidden or read only that would otherwise be available when it was created on the web interface.

I suggest you create another SIP phone account in the Fritz!Box to verify this. I couldn't find a way to enter SIP credentials into the Fritz!App Fon, which means the app cannot be used with a manually created account. Perhaps try another SIP client app, such as Linphone, to use the new account.

Good hint, Linphone works. I had to uninstall Fritz!App Fon to make it work; maybe it blocked the SIP port. Thanks for your help.
Nevertheless it would be interesting to know why the Fritz!App doesn't work.

Regards
Patrick


Well,
Enabling masquerading and using the SIP helper should also work?
Maybe also use masq_src and masq_dest to limit the masquerading to the phone and the Fritz!Box?
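One way to write that suggestion down, as an added example rather than anything from the thread: in OpenWrt's /etc/config/firewall, masq applies to traffic leaving a zone, so limiting it to the phone and the Fritz!Box means setting it on the OP's 'lan' zone with masq_src (the WireGuard peer 192.168.9.2) and masq_dest (the Fritz!Box 192.168.10.100), both values taken from the thread. Plain SNAT alone leaves the 192.168.9.2 address inside the SIP Via/Contact headers; rewriting those is the job of the SIP conntrack/NAT helper the OP already enabled.

```text
# /etc/config/firewall (fragment): the OP's existing 'lan' zone with
# masquerading limited to WireGuard phone -> Fritz!Box traffic
config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option masq '1'
	list masq_src '192.168.9.2/32'
	list masq_dest '192.168.10.100/32'
```

After the change the Fritz!Box sees the phone's SIP traffic arriving from the router's LAN address 192.168.10.101 instead of from 192.168.9.2.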

I remember that I tried this as well in the past, but I couldn't make it work with any configuration. Linphone works like a charm with the SIP server in the Fritz!Box (the same one the Fritz!App is trying to connect to). I recently made some phone calls from Greece over my SIP server in Germany through WireGuard and everything worked as it should. So I now believe the Fritz!App has a problem when the SIP phone is in a different subnet and not connected with the VPN server on the Fritz!Box itself. So I stopped trying, because I have a working solution now. It supports video calls as well, but I haven't tried that yet.