Using OpenVPN for registration and direct RTP for voice and video

KlausFink · August 6, 2017, 7:12pm

Hello
I have the follwoing netwok toplogy and I need some help if Asterisk can be configured to get connection between all clients:

                               Router1                                             Router2
                         +--------------------+                              +---------------------+
+---------+                                   |                              |                     |            +---------+
| SIP     |  local LAN   |   OpenVPN server   |                              |                     |  local LAN | SIP     |
| client1 +--------------+                    +--------------+---------------+   OpenVPN client    +------------+ Client2 |
|         |              |   Asterisk server  |              |               |                     |            |         |
+---------+              |                    |              |               |                     |            +---------+
                         |                    |              |               |                     |
                         +--------------------+              |               +---------------------+
                                                         Internet
                                                             |                       Router3
                                                             |               +---------------------+
                                                             |               |                     |
                                                             |               |                     |            +---------+
                                                             |               |    OpenVPN clent    |  local LAN | SIP     |
                                                             +---------------+                     +------------+ client3 |
                                                             |               |                     |            |         |
                                                             |               |                     |            +---------+
                                                             |               +---------------------+
                                                             |
                                                             |
                                                             |
                                      Android phone          |         Android phone
                                      +-----------+          |         +------------+
                                      |  OpenVPN  |          |         | OpenVPN    |
                                      |  client   |          |         | client     |
                                      |           +----------+---------+            |
                                      |  SIP      |                    | SIP        |
                                      |  client4  |                    | client5    |
                                      +-----------+                    +------------+

The OpenVPN I can configre that all clients can register to router1 (Asterisk server).
So configuration of the OpenVPN is not the topic here. It should not be a problem. I have it already running so that even all clients can reach each other.
The problem is that OpenVPN is a star confguration that means all traffic e.g. RTP VOIP traffic will be tunneled always via the server. So e.g. if client2 is connected to client4 all the RTP traffic is tunneld via the server (router1) which is then always the bottleneck. The configuration would be easy since there are no NAT issues due to the VPN connection.
So here comes the question:
Is it possible to configure Asterisk to register over OpenVPN but later use direct media connection e.g. using SRTP directly between the clients in this topology? It must be possible between all clients.
Please note that e.g. client 5 could be moved to client 2 if it is at home connected to local LAN using WLAN.
I want to use Linphone on Android phones as well as on the windows clients connected to the routers local LAN.
How has Asterisk and the clients to be configured to cope with the NATs on the routers. Is it possible at all?

Thanks
Stefan

david551 · August 6, 2017, 7:58pm

OpenVPN is invisible to Asterisk. This is purely an OpenVPN question. If the peers use their local addresses, and OpenVPN routes them, there will be no problem. If they are dual homed onto the VPN and the local network and use the VPN address when talking to Asterisk, Asterisk will relay the VPN address when setting up direct media. Basically, Asterisk will pass on the media address the peer gave to it, when setting up direct media. If that is unroutable to the peer, there will be no media. If it is routed over a star, you will get star routing for the media.

Also note that, whilst it is possible to have your combination of SIP clients and servers, the standard SIP call would be SIP client to Asterisk (as SIP server), combined with Asterisk (as SIP client) to SIP server. Asterisk needs to become the client in order to set up direct media, even if was originally the server.

KlausFink · August 7, 2017, 11:38am

Hi david551,

thanks for your fast reply!

I 'm not sure. My idea was to us the OpenVPN network only for SIP registration to the asterisk server. But use media connection outside this network as a peer2peer connection. This cannot be handled by OpenVPN. Maybe with the help of STUN, Siproxd or watever tool or config is needed.
For me it is imortant to know if a direct media connection outside OpenVPN is general possible with this setup (maybe with the help of other tools) and what is needed to get it running or if the setup needs to be changed or if it is not possible at all.
Otherwise the only way I see is to use OpenVPN network for media also with the drawback of star connection but with the benefit of not having any NAT problems.

jcolp · August 7, 2017, 11:42am

Asterisk doesn’t allow encrypted calls or ICE negotiated calls to use direct media. The direct media functionality also generally doesn’t work when both sides are behind NAT.

KlausFink · August 7, 2017, 6:26pm

So you mean ZRTP and SRTP are only possible with Asterisk in between both SIP clients?

jcolp · August 7, 2017, 6:28pm

Asterisk does not support ZRTP at all, but that statement is correct in regards to SRTP. Asterisk will remain in the media path.

KlausFink · August 7, 2017, 6:36pm

But I did run two Linphone windows clients on my local LAN using ZRTP registering to my Asterik server.
But if in case of encrypted media Asterisk will remain always in between then I have no benefit and can also use the OpenVPN network.