Asterisk Wireguard no Connect to external SIP-Trunk

Hello Asterisk Community,

My setup is :
External SIP Trunk Provider in Germany (Vodafone)
AVM Fritzbox 7530AX as Internet Router
internal Network with Raspberry Pi (Asterisk hosted 16.28.0, pjsip-channel)
Glinet AX1800 Wireguard Client/Server.
internal Addresses 192.168.1.0/24 Wireguard Network 10.14.0.0/24

Wireguard works fine for complete Network (Laptops, IoT, …) without any issue
All internal Devices send/receive their data to Glinet AX1800 Wireguard Router, the Glinet uses the Fritzbox as Internet Gateway.

Asterisk can connect to external SIP-Trunk provider if Wireguard is switched OFF.
If Wireguard is switched ON no connection is possible → we receive no packets from SIP-Trunk provider, though we do not know if Packets are received by SIP-Trunk provider.
We did many measurements with wireshark (internal and on internet side),
but we are running out of ideas. Also I'm not a SIP nor Wireguard expert.

According to some google searches the “Requirement of SIP Ports 5060” could be an issue?

My question: is it technically possible to tunnel SIP traffic via Wireshark protocol?
(we found no “Yes I did it” during our searches, maybe some discussions about VPN protocol)

Are there some tutorials covering this issue (Asterisk/Wireguard/pjsip) ?
Any help would be highly appreciated :smile:

br hpm

This is working in single-NAT scenario, but it is failing in double-NAT scenario?

Probably you do not need to adjust SIP port 5060 specifically – your outbound SIP registration to Vodafone will most likely keep the firewall open enough, at least long enough for an outbound test call. Instead, you might try disabling SIP ALG in the Wireguard. You can also try adjusting your NAT-related PJSIP settings in Asterisk.

Hi, sorry, part of the mail disappeared when I replied

  1. Which are your IP addresses authorized in the wireguard client? Should asterisk go out using the wg VPN?
  2. Port 5060 is not the issue
  3. to debug wireguard you should

# dynamic_debug lives in debugfs; if /sys/kernel/debug is empty, mount it first: mount -t debugfs none /sys/kernel/debug
modprobe wireguard && echo 'module wireguard +p' | sudo tee /sys/kernel/debug/dynamic_debug/control

touch /var/log/wireguard.log

# -w follows new kernel messages, -T prints human-readable timestamps
dmesg -wT | grep 'wireguard' >> /var/log/wireguard.log

  4. Our asterisk servers and phones are connected through wg tunnel, so yes it’s possible :wink:

…Asterisk can connect to external SIP-Trunk provider if Wireguard is switched OFF
That’s completely logical because your wan is connected through a VPN.
With VPN on can you ping to “SIP Trunk Provider in Germany“? If the answer is no, you should ask Wireguard support if and how you can set a route to the Trunk provider.

Hello Rmcgrath

Yes I can ping my SIP Provider via wireguard tunnel
br
hp

Did you try the debug I gave above? I would also try netcat on udp port 5060 using the tunnel to check if you can connect. ICMP is not TCP nor UDP. Did you set a source IP in the Vodafone account which could be different from the one wg is using?

if so, how about logs.

Hello,

I tried your advice on my Glinet Slate AX1800 router:

root@GL-AXT1800:/tmp/log# modprobe wireguard && sudo tee echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

but I get →
-ash: can't create /sys/kernel/debug/dynamic_debug/control: nonexistent directory

I’m not a “Linux native Speaker” :slight_smile: → how can I support you ?
What “netcat” can I try ?

take care hp

A better way is to capture packets with tcpdump and afterwards open the capture file with Wireshark and use filters (sip, etc.).

Hello

some more insights:

content of → pjsip.conf

;=========== General settings ===========

; our topology:
;
; int   : internal
; ext   : external
; wg    : wireguard
; port  : port forwarding
; route : static route
; gw    : gateway
; dns   : dns server
;
;
; EXTERNAL
;
; :---------------------:     :---------------------------:
; : Vodafone            :     : Surfshark                 :
; : 07204.sip.arcor.de  : <-> : de-ber.prod.surfshark.com : <->
; : IpV4 214.144.24.214 :     : ext IpV4 103.124.182.224  :
; :                     :     : wg  IpV4 10.14.0.1/24     :
; :---------------------:     :---------------------------:
;
; INTERNAL :
;
;     :------------------------------:     :-------------------------:     :---------------------------:
;     : Fritzbox (internet Router)   :     : GliNet ATX1800          :     : Asterisk PBX              :
; <-> : www.igb-mauderer.de (DynDNS) : <-> : int IpV4 192.168.1.2/20 : <-> : int IpV4 192.168.1.160/20 :
;     : ext IpV4 92.73.17.45         :     : wg  IpV4 10.14.0.2/24   :     : gw  192.168.1.2           :
;     : int IpV4 192.168.1.1/20      :     : gw  192.168.1.1         :     : dns 192.168.1.5           :
;     : gw  192.168.1.1              :     : dns 192.168.1.5         :     :                           :
;     : dns 192.168.1.5              :     :-------------------------:     :---------------------------:
;     : port 5060 -> 192.168.1.2     :
;     : route 10.14.0.0/24 ->        :
;     :       192.168.1.2            :
;     :------------------------------:
;
; all internal devices (except Fritzbox) are using GliNet ATX1800 as gateway to the internet
; all internal devices are using local DNS-Server 192.168.1.5 (including an AD-Blocker)

[global]
type=global
user_agent=Asterisk-PBX
endpoint_identifier_order=username,ip

[transport-tcp]
type=transport
protocol=tcp
bind=0.0.0.0:5060
local_net=127.0.0.1
; local network
local_net=192.168.1.0/20
; wireguard tunnel between our router and surfshark.com
local_net=10.14.0.0/24

#include pjsip-vodafone.conf

content of → pjsip-vodafone.conf

; our phone number yyyyyyyy
; login in to 07204.sip.arcor.de
; port to use tcp login -> 5060
; port to use tls login -> 5062
; account  yyyyyyyy
; password xxxxxxxx

[acl]
type = acl
deny = 0.0.0.0/0.0.0.0	; deny everything
permit = 127.0.0.1      ; allow local internal
permit = 192.168.1.0/24 ; allow local network
permit = 10.14.0.0/24   ; allow wg network to surfshark
permit = 212.144.24.214 ; allow sip provider -> nslookup 07204.sip.arcor.de

[reg_arcor]
type = registration
transport = transport-tcp
contact_user = yyyyyyyy
client_uri = sip:yyyyyyyy@07204.sip.arcor.de
server_uri = sip:07204.sip.arcor.de:5060
outbound_auth = auth_arcor
retry_interval = 30
forbidden_retry_interval = 300
max_retries = 10
auth_rejection_permanent = false

[auth_arcor]
type = auth
auth_type = userpass
realm = arcor.de
username = yyyyyyyy
password = xxxxxxxx

[aor_arcor]
type = aor
contact = sip:07204.sip.arcor.de

[id_arcor]
type = identify
match = 07204.sip.arcor.de
endpoint = in_arcor

[in_arcor]
type = endpoint
transport = transport-tcp
context = lantiq1_inbound
disallow = all
allow = alaw,g722,ulaw
disable_direct_media_on_nat = yes
rewrite_contact = yes

[out_arcor]
type = endpoint
transport = transport-tcp
disallow = all
allow = alaw,g722,ulaw
disable_direct_media_on_nat = yes
callerid = yyyyyyyy
from_user = yyyyyyyy
from_domain = 07204.sip.arcor.de
outbound_auth = auth_arcor
aors = aor_arcor
force_rport=true
direct_media=false

This log is from Glinet Router → all interfaces are captured

1.) SIP Request initiated from Asterisk to SIP Provider
192.168.1.160 → 212.144.24.144
2.) GliNet Router forwards via wg tunnel
10.14.0.2 → 212.144.24.144
3.) some more wg traffic
4.) SIP Provider answers but now SIP Protocol received

What else can I Provide or check ?

Thx’s for your support!

It seems the GliNet Router SIP ALG is enabled, causing Vodafone to receive the registration request twice, from Asterisk 192.168.1.160 and GliNet 10.14.0.2.
By the way, are you using 2 IP addresses on the LAN segment??? Not a good idea.

Hello Rmcgrath,

the network devices are using only the 192.168.1.x addresses, the 10.14.0.x addresses are only used inside the wireguard tunnel. There is no 10.14.0.1.x address assigned via dhcp or static

the tcpdump was taken by “tcpdump -i any -w file.pcap”
(show all interface including eth0, wg, …)

should I provide a log with “tcpdump -i eth0” → this would show only the packets on the eth0 interface?

output of “tcpdump -i eth0 -w file.pcap” on GliNet Router AX1800

output of “tcpdump -eth0 -w file.pcap” on Asterisk PBX Raspberry

Thx’s hp

Have you disabled SIP ALG on the GliNet Router AX1800???

Another mistake found
[transport-tcp]
type=transport
protocol=tcp ; should be udp!!!

local_net=192.168.1.0/20
; wireguard tunnel between our router and surfshark.com
external_media_address=<your public IP>     ; add ip data and test
external_signaling_address=<your public IP> ; same
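One way to find out which public address the provider actually saw (and therefore which value external_signaling_address has to carry) is to read the topmost Via header of the provider's reply out of the pcap. This is an added example, not code from this thread or from Asterisk; the sample reply, the 203.0.113.x/198.51.100.x documentation addresses and the nat_diagnosis helper are constructed for illustration, while 192.168.1.160 is the PBX address from the thread.

```python
import re

# Constructed sample reply from a SIP provider to a REGISTER sent from behind NAT.
# The client wrote its private address into Via; the provider appended
# received= and rport= (RFC 3581, which force_rport relies on) with the public
# address/port it really saw. 203.0.113.7 is a documentation address standing
# in for the NAT's public IP, not a real host.
SAMPLE_REPLY = (
    "SIP/2.0 401 Unauthorized\r\n"
    "Via: SIP/2.0/UDP 192.168.1.160:5060;rport=41234;received=203.0.113.7;"
    "branch=z9hG4bKexample\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)

VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/(\w+)\s+([^;\s]+)(.*)$", re.I | re.M)


def parse_top_via(msg):
    """Return transport, sent-by host/port and parameters of the topmost Via."""
    m = VIA_RE.search(msg)
    if not m:
        return None
    params = {}
    for p in m.group(3).split(";"):
        p = p.strip()
        if p:
            key, _, val = p.partition("=")
            params[key.lower()] = val  # bare "rport" in a request gives ""
    host, _, port = m.group(2).partition(":")
    return {"transport": m.group(1).upper(), "host": host,
            "port": port or "5060", "params": params}


def nat_diagnosis(msg, expected_public_ip):
    """Compare the address the provider saw with what we sent and what we expect."""
    via = parse_top_via(msg)
    if via is None:
        return {"error": "no Via header"}
    seen_ip = via["params"].get("received", via["host"])
    seen_port = via["params"].get("rport") or via["port"]
    return {
        "sent_from": f'{via["host"]}:{via["port"]}',
        "seen_as": f"{seen_ip}:{seen_port}",
        # received= differing from the sent-by host means a NAT rewrote the source
        "behind_nat": seen_ip != via["host"],
        # this is the address external_signaling_address has to match
        "matches_expected": seen_ip == expected_public_ip,
    }
```

If the reply arrives via the tunnel, "seen_as" will show the VPN exit's public address rather than the Fritzbox's, which tells you which one to configure.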

Hello Rmcgrath

I try to disable SIP ALG in GliNet

I read some posts on their website, I’ve to dig in …

regarding TCP/UDP Transport:

This is from german SIP supplier VODAFONE, means

Port to use for SIP is 5060, bidirectional usage, TCP is the preferred one over UDP (UDP should be also possible), For TLS transport → use port 5061 or 5061

I’ll give it a try with UDP later on

br hp

Hello Rmcgrath

  1. Feedback from GliNet → SIP ALG is not implemented on Slate AX1800
  2. Feedback from Vodafone → SIP Login supports both TCP/UDP on Port 5060

I did following test again:
Switching WireGuard-Tunnel in GliNet Router Off

Try to Connect to Vodafone via UDP:5060 → Successful
Try to Connect to Vodafone via TCP:5060 → NOT Successful, no answer from SIP-Server
(same issue like I saw with WireGuard Tunnel)

for the next tests I keep the UDP-Transport and Try to get the WireGuard Tunnel working
br

Have you configured your asterisk to listen on TCP ?