Asterisk Wireguard no Connect to external SIP-Trunk

Hello Asterisk Community,

My setup is :
External SIP Trunk Provider in Germany (Vodafone)
AVM Fritzbox 7530AX as Internet Router
internal Network with Raspbery PI (Asterisk hostet 16.28.0, pjsip-channel)
Glinet AX1800 Wireguard Client/Server.
internal Addresses Wireguard Network

Wireguard works fine for complete Network (Laptops, IoT, …) without any issue
All internal Devices sent/receive their data to Glinet AX1800 Wireguard Router, the Glinet uses the Fritzbox as Internet Gateway.

Asterisk can connect to external SIP-Trunk provider if Wirguard is switched OFF.
If Wireguard is switched ON no connection is possible → we receive no packets from SIP-Trunk provider, even we do not know if Packets are received by SIP-Trunk provider.
We did many measurements with wireshark (internal and on internet side),
but we are running out of ideas. Also 'm not an SIP nor Wireguard expert.

According to some google searches the “Requirement of SIP Ports 5060” could be a issue?

My question: is it technical wise possible to tunnel SIP traffic via Wireshark protocoll ?
(we found no “Yes I did it” during our searches, maybe some discussions about VPN protocoll)

Are there some tutorials covering this issue (Asterisk/Wireguard/pjsip) ?
Any help would be highly appreciated :smile:

br hpm

This is working in single-NAT scenario, but it is failing in double-NAT scenario?

Probably you do not need to adjust SIP port 5060 specifically – your outbound SIP registration to Vodafone will most likely keep the firewall open enough, at least long enough for an outbound test call. Instead, you might try disabling SIP ALG in the Wireguard. You can also try adjusting your NAT-related PJSIP settings in Asterisk.

Hi, sorry, part of mail disapperar when I replied

  1. Which are you IP adresses authorized in wireguard client ? Should asterisk go out using the wg VPN ?
  2. Port 5060 is not the issue
  3. to debug wireguard you should

modprobe wireguard && sudo tee echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

touch /var/log/wireguard.log

dmesg -wT | grep ‘wireguard’ >> /var/log/wireguard.log

  1. Our asterisk servers and phones are connected through wg tunnel, so yes it’s possible :wink:

…Asterisk can connect to external SIP-Trunk provider if Wirguard is switched OFF
That’s completely logical because your wan is connected thought a VPN.
With VPN on can you ping to “SIP Trunk Provider in Germany “? if answer is no, you should ask to Wireguard support if and how can set a route to Trunk provider.

Hello Rmcgrath

Yes I can ping my SIP Provider via wireguard tunnel

Did you try the debug I gave above ? I would also try to netcat in udp port 5060 using tunnel to check if you can connect. ICMP is not TCP nor UDP. Did you set a source IP in Vodafone account which could be different that the one wg is using ?

if so, how about logs.


I tried your advice on my Glinet Slate AX1800 router:

root@GL-AXT1800:/tmp/log# modprobe wireguard && sudo tee echo module wireguard +p > /sys/kernel/debug/dynamic_debug/control

but I get →
-ash can’t create /sys/kernel/debug/dynamic_debug/control: nonexistent directory

I’m not a “Linux native Speaker” :slight_smile: → how can I support you ?
What “netcat” can I try ?

take care hp

Better way if you can capture packets with tcpdump and afterward open capture file with wireshark and use filters (sip, etc).


some more insights:

content of → pjsip.conf

;=========== General settings ===========

; our topologoy:
; int   : internal
; ext   : external
; wg    : wireguard
; port  : port forwarding
; route : static route
; gw    : gateway
; dns   : dns server
; :---------------------:     :---------------------------:
; : Vodafone            :     : Surfshark                 :
; :  : <-> : : <->
; : IpV4 :     : ext IpV4  :
; :                     :     : wg  IpV4     :
; :---------------------:     :---------------------------:
;     :------------------------------:     :-------------------------:     :---------------------------:
;     : Fritzbox (internet Router)   :     : GliNet ATX1800          :     : Asterisk PBX              :
; <-> : (DynDNS) : <-> : int IpV4 : <-> : int IpV4 :
;     : ext IpV4         :     : wg  IpV4   :     : gw           :
;     : int IpV4      :     : gw         :     : dns           :
;     : gw              :     : dns         :     :                           :
;     : dns              :     :-------------------------:     :---------------------------:
;     : port 5060 ->     :
;     : route ->        :
;     ;            :
;     :------------------------------:
; all internal devices (except Fritzbox) are using GliNet ATX1800 as gateway to the internet
; all internal devices are using local DNS-Server (including an AD-Blocker)


; local network
; wireguard tunnel between our router and

#include pjsip-vodafone.conf

content of → pjsip-vodafone.conf

; our phone number yyyyyyyy
; login in to
; port to use tcp login -> 5060
; port to use tls login -> 5062
; account  yyyyyyyy
; password xxxxxxxx

type = acl
deny =	; deny everything
permit =      ; allow local internal
permit = ; allow local network
permit =   ; allow wg network to surfshark
permit = ; allow sip provider -> nslookup

type = registration
transport = transport-tcp
contact_user = yyyyyyyy
client_uri =
server_uri =
outbound_auth = auth_arcor
retry_interval = 30
forbidden_retry_interval = 300
max_retries = 10
auth_rejection_permanent = false

type = auth
auth_type = userpass
realm =
username = yyyyyyyy
password = xxxxxxxx

type = aor
contact =

type = identify
match =
endpoint = in_arcor

type = endpoint
transport = transport-tcp
context = lantiq1_inbound
disallow = all
allow = alaw,g722,ulaw
disable_direct_media_on_nat = yes
rewrite_contact = yes

type = endpoint
transport = transport-tcp
disallow = all
allow = alaw,g722,ulaw
disable_direct_media_on_nat = yes
callerid = yyyyyyyy
from_user = yyyyyyyy
from_domain =
outbound_auth = auth_arcor
aors = aor_arcor

This log is from Glinet Router → all interfaces are captured

1.) SIP Request initiated from Asterisk to SIP Provider →
2.) GliNet Router forwards via wg tunnel →
3.) some more wg traffic
4.) SIP Provider answers but now SIP Protocol received

What else can I Provide or check ?

Thx’s for your support!

It seems GliNet Router SIP ALG is enable causing Vodafone it´s receiving twice registration request from Asterisk and Glinet .
By the other way, are on the Lan segment using 2 ip address??? Not good ide to use.

Hello Rmcgrath,

the network devices are using only the 192.168.1.x addresses, the 10.14.0.x adresses are only used inside the wireguard tunnel. there is no address assigned via dhcp or static

the tcpdump was taken by “tcpdump -i any -w file.pcap”
(show all interface including eth0, wg, …)

should I provide a log with tcpdump -i eth0 " → this would show only the packets eth0 interface ?

output of “tcpdump -i eth0 -w file.pcap” on GliNet Router AX1800

output of “tcpdump -eth0 -w file.pcap” on Asterisk PBX Raspberry

Thx’s hp

has disable on GliNet Router AX1800 SIP ALG???

Another mistake found
protocol=tcp;;; should be udp!!!

; wireguard tunnel between our router and
external_media_address= add ip data and test
external_signaling_address= same.

Hello Rmcgrath

I try to disable SIP ALG in GliNet

I read some posts on their website, I’ve to dig in …

regarding TCP/UDP Transport:

This is from german SIP supplier VODAFONE, means

Port to use for SIP is 5060, bidirectional usage, TCP is preferred one over UDP (UDP should be also possible), Ffor TLS transport → use port 5061 or 5061

I’ give it a try with UDP later on

br hp

Hello Rmcgrath

  1. Feedback from GliNet → SIP ALG is not implemented on Slate AX1800
  2. Feedback from Vodafone → SIP Login supports both TCP/UDP on Port 5060

I did following test again:
Switching WireGuard-Tunnel in GliNet Router Off

Try to Connect to Vodafone via UDP:5060 → Successful
Try to Connect to Vodafone via TCP:5060 → NOT Successful, no answer from SIP-Server
(same issue like I saw with WireGuard Tunnel)

for the next tests I keep the UDP-Transport and Try to get the WireGuard Tunnel working

Have you configured your asterisk to listen on TCP ?