First post - having some issues with SIP registrations through OpenWRT version 19.07. Setup is as follows:
GL-iNet w/ 19.07 with OpenVPN (client mode) --- OpenVPN server (Ubuntu) --- pfSense 2.6 w/ OpenVPN --- FreePBX
The VPN network is routed and not using NAT. I can see the client IP addresses behind the OpenWRT system from systems behind the PF and vice-versa, and I have a number of other OpenVPN client instances in other locations (not OpenWRT though) configured in a similar manner.
At my other locations, all traffic flows via the VPN as if it were on a conventional routed network; TCP and UDP connections work as advertised, including IP phones. For the OpenWRT system, ping and TCP connections work 100% of the time from the LAN behind the OpenWRT router. Ping works 100% of the time from the PF side and I can access TCP-based systems behind the OpenWRT router. I can also reach the LuCI web UI for the OpenWRT router, so routing is working as expected over the VPN.
However, my UDP-based phone behind the OpenWRT is not working consistently. It will not register except occasionally after a reboot of the OpenWRT router, and even when it does register it will work for 1 or 2 inbound calls and then not work anymore, de-registering shortly after the failure. Running tcpdump on the OpenWRT router, I can see the phone trying to register, and on the PBX I see the phone's registration attempt and the initial "401 Unauthorized" message that is part of the normal SIP exchange. However, while I see the 401 message on the PBX, the PF, and the tun adapter on the Ubuntu server, I never see the 401 message on the OpenWRT router...only the register messages. The same thing happens (on the rare occasion that the phone does register) with INVITE, OPTIONS, etc....it works for a minute or two and then fails.
I'm not super-familiar with OpenWRT's firewall conventions but I have zones for LAN > VPN and VPN > LAN. I also set up a traffic rule for the SIP portion of the connection:
list proto 'udp'
option name 'SIP_IN'
option dest 'lan'
list dest_ip '10.24x.xxx.xxx'  # IP of VoIP phone
option target 'ACCEPT'
option src 'vpn'
option family 'ipv4'
option src_port '5060'
option dest_port '5060'
list src_ip '192.168.xxx.xxx'  # IP of PBX on far side of VPN tunnel
I did try switching to TCP and there is a back and forth dialog between phone and PBX but similar issue...will occasionally work but not consistently. Any thoughts? I know UDP is stateless so wondering if there's something else that I need to do, firewall-wise, on the OpenWRT router.
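
The hop-by-hop comparison described in the post (REGISTER seen everywhere, 401 seen up to the Ubuntu tun adapter but not on the OpenWRT router) can be done mechanically by matching SIP messages on Call-ID and CSeq across the captures. This is an added example, not part of the original post; the hop names, Call-ID and capture contents are constructed, and the captures are assumed to be text payloads such as `tcpdump -A udp port 5060` would print.

```python
import re

# Constructed SIP message heads; the Call-ID and host names are made up.
REGISTER = ("REGISTER sip:pbx.example SIP/2.0\r\n"
            "Call-ID: c0ffee@phone\r\nCSeq: 1 REGISTER\r\n\r\n")
CHALLENGE = ("SIP/2.0 401 Unauthorized\r\n"
             "Call-ID: c0ffee@phone\r\nCSeq: 1 REGISTER\r\n\r\n")

# What each capture point saw, mirroring the situation in the post.
CAPTURES = {
    "pbx": REGISTER + CHALLENGE,
    "pfsense": REGISTER + CHALLENGE,
    "ubuntu_tun": REGISTER + CHALLENGE,
    "openwrt": REGISTER,
}
RESPONSE_PATH = ["pbx", "pfsense", "ubuntu_tun", "openwrt"]  # PBX -> phone

# Start line of a response (status code) or of a request (method).
START = re.compile(r"^(?:SIP/2\.0 (\d{3})|([A-Z]+) \S+ SIP/2\.0)", re.M)


def sip_messages(text):
    """Return a set of (call_id, cseq, kind); kind is a method or status code."""
    seen = set()
    for chunk in re.split(r"\r?\n\r?\n", text):
        start = START.search(chunk)
        call_id = re.search(r"^(?:Call-ID|i)\s*:\s*(\S+)", chunk, re.M | re.I)
        cseq = re.search(r"^CSeq\s*:\s*(\d+\s+\S+)", chunk, re.M | re.I)
        if start and call_id and cseq:
            kind = start.group(1) or start.group(2)
            seen.add((call_id.group(1), " ".join(cseq.group(1).split()), kind))
    return seen


def last_hop_seen(captures, path, message):
    """Walk path in travel order: (last hop that saw message, first that did not)."""
    last = None
    for hop in path:
        if message not in sip_messages(captures[hop]):
            return last, hop
        last = hop
    return last, None


if __name__ == "__main__":
    challenge = ("c0ffee@phone", "1 REGISTER", "401")
    print(last_hop_seen(CAPTURES, RESPONSE_PATH, challenge))
```

The returned pair names the segment where the message disappears, which is the link to capture on both ends next.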