Site to Site OpenVPN client registering but audio issues

Hello community.
My setup: I have a tomato router A with ip address I also have a Synology nas in my lan running Asterisk with ip

The tomato router A is also set up as openvpn server. I have another tomato router B at my parents house with as its address.
Router B is set up to connect to my tomato router A via openvpn and the tunnel works fine.

There is also a linksys pap2 at my parents house. It gets as its address from the tomato router B. The pap2 is able to register an extension on my asterisk using as the server address. All seems normal however this is the part where I get stuck.

The phone connected to the pap2 is unable to dial any extensions.
When I call the extension on the pap2 the best I’ve had is where I have gotten it to actually ring but I am unable to hear my parents. They can hear me apparently. This was when I put the pap2 into the dmz (on router B).

I am thinking this must be a firewall issue on the tomato router B, the one at my parents house. I have noticed that the openvpn connection has created 3 routes for tun in the routing table in both router A and B and I presume that is the reason why I can reach the pap2 and other remote resources by just typing 192.168.2.x even though I am in the 192.168.5.x network myself.

iptables commands maybe?
firewall script for router B?

I feel like I am so close to getting it working. Anyone out there that can help me along? It would be greatly appreciated.


It shouldn’t be a firewall problem, as registering works and openvpn establishes the appropriate routes, as you wrote.

I think it’s only an RTP problem I once also encountered while working with VPNs …

Just try to set

in the general section of your sip.conf and look whether the RTP flows in both directions.

I made the changes to sip.conf
Previously I had 2 entries. One for and and another one for
Just before making the changes I noticed the pap2 is suddenly unable to register at the asterisk server. I now see at the pap2 info:
Registration State: Can’t connect to login server
The strange thing is I can reach the webpage for the asterisk or the diskstation (both on from a macbook connected to router B via wifi at my parents house.

I had the pap2 registering for about 2 weeks until earlier this afternoon.

I now am completely lost and out of ideas.

Just look at router B’s logs while the pap2 is attempting to register. If the request passes the router (which it should do once the dest-IP is routable within the VPN), look at router A (same procedure as on B) and afterwards on Asterisk (sip set debug on).
Somewhere your packets get lost; without analyzing the logs it’s impossible to solve the problem …