Asterisk behind OpenVPN

Can Asterisk be run behind OpenVPN ? Can they be both on the same box ? I am on a restrictive network that blocks ports 5060 and other ports, and possibly SIP traffic.

So is it possible to setup the OpenVPN server and have it running on a port like 53 and have it communicate with Asterisk ? Can softphones first connect to the VPN which will then forward the request to Asterisk ?

Any suggestions or opinions ?

In a simple case you will have OpenVPN server on the same LAN or even on the same host with Asterisk.
In the 1st case you will need to establish proper IP routing between the two: Asterisk will need to know how to reach [VPN assigned] client IPs and vice versa.
Softphone will need to have all the NAT traversal techniques switched off.
Asterisk server will need to have the VPN “address pool” declared as “localnet=”.

I get it that all NAT traversal must be switched off for softphones. But why do I need to declare the VPN addresses in localnet ?

I am already using the localnet option to specify my private IP.

Also is it even possible to setup routing between OpenVPN and Asterisk if they are on the same box ?

On the softphones. No changes in Asterisk, assuming you’re just moving a local SIP client to the remote location.

Add another statement for another private subnet which you will use as an address pool for VPN clients.

This is not required.

Why do you say that routing between OpenVPN and Asterisk is not required ?

Let me describe my scenario in more detail to you.

My Asterisk PBX is sitting on the Amazon AWS cloud, I can connect my Asterisk to my ITSP without any problems.

Now, my softphone is sitting on a machine where there is a pretty restrictive network. Ports are blocked, even traditional SIP traffic may be blocked.

So I run OpenVPN alongside Asterisk and I let all the registration requests of my softphone (that would ideally go to Asterisk directly) go to OpenVPN and let it forward to Asterisk.

And all data that is intended for my softphone is sent from Asterisk to OpenVPN and then to my actual softphone.

Correct me if I am wrong, but Asterisk to OpenVPN is the crux of the problem.

Forget about Asterisk for a while, focus on OpenVPN exclusively.
Once you will be able to ping your desired ‘host in a cloud’ IP from your VPN client - then we can talk about Asterisk.

Ok I will return once that is setup.

Ok I have got OpenVPN up and running in the same box that has Asterisk running. I connect to my VPN server up in the cloud, and when I browse my internet and visit sites like I can see my IP address is changed to that of my server up in the cloud.

But, when I connect my softphone while I am connected to my VPN I see that my IP address is still the public IP of my desktop.

Why is that happening ? Shouldn’t all internet traffic be going through the VPN ? I have made no changes to the Asterisk configuration though.

Any help would be appreciated.

Use something simple while you testing, X-Lite is a good choice.
Set “Firewall traversal method: None (use local IP address)”.
Make sure that name resolution works for the client in a right way - it should be able to get private address of your Asterisk. You can test with Asterisk server IP though.
Post clear readable sip debug of client registration along with explanation of your IP address assignments.

No Audio on softphone.

Here is what I have managed so far -:

  1. Got OpenVPN up and running

  2. Can connect to VPN from my home computer.

  3. Can connect my softphone to Asterisk using the VPN tunnel.

But now that I am making calls to my ITSP from my softphone connected through my VPN I am not getting any audio.

Do I have to configure localnet or something ?

Here is what I have in my sip.conf for externip and localnet-:

externip = 54.X.X.X
localnet = 172.X.X.X/255.X.X.X

My VPN is running on the IP The localnet that you see above is the private IP of my PBX.

What am I doing wrong ?

You’re not listening :wink:
As stated above:

Asterisk server will need to have the VPN “address pool” declared as “localnet=”.
Add another statement for another private subnet which you will use as an address pool for VPN clients.

So is this correct ?

context=public                  ; Default context for incoming calls. Defaults to 'default'
allowoverlap=no                 ; Disable overlap dialing support. (Default is yes)
udpbindaddr=             ; IP address to bind UDP listen socket to ( binds to all)
tcpenable=no                    ; Enable server for incoming TCP connections (default is no)
tcpbindaddr=             ; IP address for TCP server to bind to ( binds to all interfaces)
transport=udp                   ; Set the default transports.  The order determines the primary default transport.
localnet =    ; Is this how I declare the localnet ?
srvlookup=yes                   ; Enable DNS SRV lookups on outbound calls

Is the above configuration correct ? I have two localnet options in my general section. Shouldn’t I add the localnet options in the softphone peer rather than in the general section ? Is that even allowed ?

No, although, depending on implementation details it should work.

The second localnet should be, or, or somewhere in between. The second one should be 172.X.X.X/, although, it seems more likely that there would be equivalent numbers of trailing zero bits on both numbers. Looking up thread, and assuming the /8 is more correct, you should have written and used

canreinvite is obsolete and should be replaced by directmedia

tcpbindaddr is redundant if tcpenable=no

(If the VPN is routable to other local networks, and you have devices on those, you should include localnet for those as well.

You should consider whether directmedia=nonat is better than directmedia=nat, as a cloud server is going to be hostile for good quality RTP and offloading as much of it as possible is desirable.

You could not be wrong with


But both ranges are too large for real life home/office use. I would recommend to adjust them later on.

Thanks for the directmedia advice I will implement it as you say.

But can you tell me why you are saying to put the second localnet as or ? I am running OpenVPN with the address so shouldn’t it logically be ?

As per the documentation address specified within localnet will be excluded from NATting by ASterisk. So should’nt it be the VPN address and the VPN CIDR ?

Also the first localnet is -:


The first IP address is the private IP of the server itself.

I mean can you please explain the reasoning behind the localnet addresses that you have specified ?

What if I don’t give any subnet address and in place just give the exact IP address of the VPN server and the PBX private IP.

Sorry if this sounds too novice, but I just can’t understand what is the reasoning behind configuring localnet.

SIP includes the IP address in signaling, for both the messages and the media. Generally one side has to have a routable IP address in it to allow things to work (provided certain tricks are used) unless you are only communicating on the local network. Configuring localnet provides Asterisk the information to know when to put in the value of externip, and when to put in the actual IP address of the machine.

For example if my Asterisk is behind NAT and I don’t configure it to know it has an external IP address of and a localnet of it will proceed to put its internal IP address,, into the signaling. If I’m talking to something that is NOT on the local network that remote device will try to send messages to Asterisk on for certain things and for media. This won’t work.

That is why those options exist.

Okay I get your point, but I have a few questions-:

  1. If I am configuring two localnet options how does Asterisk know to use the correct one at the time of signalling. It would make more sense in my opinion if localnet that only a peer uses are included within the peer configuration rather than the general section.

  2. So why shouldn’t the localnet for my VPN start from the first address that is and use the CIDR of /8 ie. use the address of why as the others have specified ? How is that correct ?

There is no correct one to use - it’s merely a check “is the target IP address of this message within the configured localnets? if not then put in the externip”. I’ll leave the others for answering your specific situation as they’ve been helping.

Is wrong. Depending on the exact way it is implemented, it will either be treated as or will not match anything at all.

This notation first converts the 8 to, then either ands the presented address and compares it to the one on the right, or it exclusive or’s it with the information before the /, and’s it with the and checks for zero.

I guess some implementations, maybe even Asterisk, and both the presented address and the bit before the /, independently with, than compare them, but you should not rely on that. Basically is an invalid subnet specification.