SIP and VPN


#1

So here’s my situation. We have an Asterisk server at school. This server has some extensions configured that play back a sound to the caller. The server is only accessible locally (no public IP), so in order to connect to it from my home, I need to connect to my school’s VPN.

If I use a softphone (Twinkle) and connect directly to this server, everything works fine.

However, I need to set up a local Asterisk server for my assignment. This local server registers itself to the school’s server and provides simple routing. For the moment, I route (almost) everything to the school’s server. When I try to connect to my server using Twinkle, I can dial an extension managed by the school’s server, the server answers, but I have no sound. If I dial an extension that is not routed to the school’s server (i.e. it’s managed at my server), I do get sound. What’s wrong?

Note: the assignment is usually done in class, so the VPN stuff is not part of it.


#2

I’ve found a way around my problem. My client was connecting to my local Asterisk server using its local IP. Instead, if I use the IP assigned to my computer by the VPN router, I get audio!

However, this is a bit restrictive, since my server AND my client need to be connected to the VPN. Is there any way I can only have the server connected to the VPN and have my client(s) connected to my server locally? Basically creating a NAT between my VPN address and my LAN?


#3

Yes. There is a lot of material available on using Asterisk in a NAT environment as that is a very common way of using it.


#4

If your Asterisk server has a VPN client to connect, is it also set up as a router/gateway to the school network?

You could try directmedia=no in your sip.conf file.

You could also set the * server as a router and forward packets between the local and remote networks. Then set the routing tables on the endpoints to know about it. This would need to be done on both ends of the VPN so each side can route the audio. (Just because your endpoint can route to endpoints does not mean that they know how to get back to you.)


#5

Thanks. I’ll try the directmedia option when I get home.


#6

The directmedia did the job!

I guess the RTP connection passes by my server instead of being peer-to-peer. Is that it?


#7

Glad to hear that it is working.

You are correct. With directmedia=no, it forces the endpoints not to pass the media directly between themselves and leaves the Asterisk server in the media path. That way, Asterisk can do things with the audio. The side benefit is that the media connections go through the server so VPNs and firewalls have an easier time with it.
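
The setup this thread arrives at, as an added sip.conf sketch for the local chan_sip server (not part of the original posts): `directmedia=no` on both legs keeps RTP flowing through the local Asterisk, so the school's server never needs a route to the softphone's LAN address. The peer names, context, address and secret are hypothetical placeholders.

```ini
; sip.conf on the local Asterisk server (chan_sip) -- constructed example
[general]
directmedia=no          ; default for every peer: stay in the media path

[school]                ; hypothetical trunk to the school's server, reached over the VPN
type=peer
host=192.0.2.10         ; placeholder address (documentation range), use the real VPN-side IP
context=from-school     ; hypothetical dialplan context
directmedia=no          ; do not hand the softphone's LAN address to the school side

[twinkle]               ; hypothetical local softphone registering over the LAN
type=friend
host=dynamic
secret=CHANGE_ME        ; placeholder, set a strong secret
context=internal        ; hypothetical dialplan context
directmedia=no          ; softphone sends RTP to this server, not to the remote endpoint
```

After editing, run `sip reload` from the Asterisk CLI; `sip show peer twinkle` lists the direct-media setting in effect for that peer.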