My setup is:
External SIP Trunk Provider in Germany (Vodafone)
AVM Fritzbox 7530AX as Internet Router
internal Network with Raspberry Pi (Asterisk hosted 16.28.0, pjsip-channel)
Glinet AX1800 Wireguard Client/Server.
internal Addresses 192.168.1.0/24, Wireguard Network 10.14.0.0/24
Wireguard works fine for the complete Network (Laptops, IoT, …) without any issue
All internal Devices send/receive their data to the Glinet AX1800 Wireguard Router, the Glinet uses the Fritzbox as Internet Gateway.
Asterisk can connect to the external SIP-Trunk provider if Wireguard is switched OFF.
If Wireguard is switched ON no connection is possible → we receive no packets from the SIP-Trunk provider, we do not even know if packets are received by the SIP-Trunk provider.
We did many measurements with wireshark (internal and on internet side),
but we are running out of ideas. Also I'm not a SIP nor Wireguard expert.
According to some google searches the “Requirement of SIP Ports 5060” could be an issue?
My question: is it technically possible to tunnel SIP traffic via Wireshark protocol?
(we found no “Yes I did it” during our searches, maybe some discussions about VPN protocol)
Are there some tutorials covering this issue (Asterisk/Wireguard/pjsip) ?
Any help would be highly appreciated
This is working in single-NAT scenario, but it is failing in double-NAT scenario?
Probably you do not need to adjust SIP port 5060 specifically – your outbound SIP registration to Vodafone will most likely keep the firewall open enough, at least long enough for an outbound test call. Instead, you might try disabling SIP ALG in the Wireguard. You can also try adjusting your NAT-related PJSIP settings in Asterisk.
…Asterisk can connect to external SIP-Trunk provider if Wireguard is switched OFF
That’s completely logical because your WAN is connected through a VPN.
With VPN on, can you ping the “SIP Trunk Provider in Germany”? If the answer is no, you should ask Wireguard support if and how you can set a route to the Trunk provider.
Did you try the debug I gave above? I would also try to netcat to UDP port 5060 using the tunnel to check if you can connect. ICMP is not TCP nor UDP. Did you set a source IP in the Vodafone account which could be different than the one wg is using?
This log is from Glinet Router → all interfaces are captured
1.) SIP Request initiated from Asterisk to SIP Provider
192.168.1.160 → 212.144.24.144
2.) GliNet Router forwards via wg tunnel
10.14.0.2 → 212.144.24.144
3.) some more wg traffic
4.) SIP Provider answers but now SIP Protocol received
It seems GliNet Router SIP ALG is enabled, causing Vodafone to receive the registration request twice, from Asterisk 192.168.1.160 and Glinet 10.14.0.2.
By the way, are you using 2 IP addresses on the LAN segment??? Not a good idea to use.
The network devices are using only the 192.168.1.x addresses, the 10.14.0.x addresses are only used inside the wireguard tunnel. There is no 10.14.0.1.x address assigned via dhcp or static
the tcpdump was taken by “tcpdump -i any -w file.pcap”
(show all interface including eth0, wg, …)
Should I provide a log with “tcpdump -i eth0” → this would show only the packets on the eth0 interface?
Another mistake found
[transport-tcp]
type=transport
protocol=tcp;;; should be udp!!!
…
local_net=192.168.1.0/20
; wireguard tunnel between our router and surfshark.com
external_media_address= add ip data and test
external_signaling_address= same.
Port to use for SIP is 5060, bidirectional usage, TCP is preferred over UDP (UDP should also be possible). For TLS transport → use port 5061 or 5061
Feedback from GliNet → SIP ALG is not implemented on Slate AX1800
Feedback from Vodafone → SIP Login supports both TCP/UDP on Port 5060
I did the following test again:
Switching WireGuard-Tunnel in GliNet Router Off
Try to Connect to Vodafone via UDP:5060 → Successful
Try to Connect to Vodafone via TCP:5060 → NOT Successful, no answer from SIP-Server
(same issue like I saw with WireGuard Tunnel)
For the next tests I keep the UDP-Transport and try to get the WireGuard Tunnel working
br
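
The "netcat to UDP port 5060 through the tunnel" check suggested in this thread can be done with a SIP-aware probe; the following is an added example, not code from any poster. It sends one SIP OPTIONS request and reads the `received`/`rport` values the server puts in the Via header, which show the source address the provider actually saw. The function names and the sample reply are assumptions constructed for illustration.

```python
import re
import socket
import uuid

# Constructed sample reply (documentation addresses, not captured traffic).
SAMPLE_REPLY = (b"SIP/2.0 200 OK\r\n"
                b"Via: SIP/2.0/UDP 10.14.0.2:5060;branch=z9hG4bKabc;"
                b"received=203.0.113.7;rport=40112\r\n"
                b"Content-Length: 0\r\n\r\n")

def build_options(target, local_ip, local_port):
    """Minimal SIP OPTIONS request; ;rport asks the server to report our source port."""
    ident = uuid.uuid4().hex
    return "\r\n".join([
        f"OPTIONS sip:{target} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{ident[:16]};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_ip}>;tag={ident[16:24]}",
        f"To: <sip:{target}>",
        f"Call-ID: {ident}@{local_ip}",
        "CSeq: 1 OPTIONS",
        "Content-Length: 0",
        "", "",
    ]).encode()

def parse_reply(data):
    """Status code plus the source address the far end saw (Via received/rport)."""
    text = data.decode(errors="replace")
    status = re.match(r"SIP/2\.0 (\d{3})", text)
    via = re.search(r"^(?:Via|v):\s*(.*)$", text, re.I | re.M)
    params = via.group(1) if via else ""
    received = re.search(r";received=([^;\s]+)", params)
    rport = re.search(r";rport=(\d+)", params)
    return {"status": int(status.group(1)) if status else None,
            "seen_ip": received.group(1) if received else None,
            "seen_port": int(rport.group(1)) if rport else None}

def probe(target, port=5060, timeout=3.0):
    """Send one OPTIONS over UDP; None means no SIP reply within the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((target, port))
        local_ip, local_port = s.getsockname()
        s.send(build_options(target, local_ip, local_port))
        try:
            return parse_reply(s.recv(4096))
        except (socket.timeout, ConnectionRefusedError):
            return None
```

Running `probe()` from the Asterisk host against the provider address once with the tunnel off and once with it on separates "no reply at all" (`None`) from "reply received"; a changed `seen_ip` is the public address the provider sees through the tunnel.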