Community discussions

MikroTik App
 
reetp
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2017 12:55 am

Mikrotik as OpenVPN client is almost perfect

Wed Feb 28, 2024 8:23 pm

Running a Mikrotik Hex S/RB760iGS just upgraded to 7.13.5

This is sat behind a nat'ed ISP (long range wifi) router.

I am using the Mikrotik to create a OpenVPN tunnel to a remote server/network as I need a SIP phone to connect to a SIP server.

I have the tunnel up with using a ovpn file with certificates and tls-auth and zero issues. Came up immediately and very stable.

(No I can't use Wireguard as I need to use certificates, and likely it wouldn't solve the issue, and I can't use my normal poison of ipsec as the ISP router is DHCP and the ipsec server only allows connections from static IPs)

Via the OpenVPN tunnel I can:

ssh to the VPN server then SSH back to the Mikrotik box
ssh to the VPN server and then ssh to the SIP phone
ssh -L to the VPN server then winbox to Mikrotik (yes I was impressed with myself!)

What I can't do:

Get the SIP phone behind the Mikrotik to register

I can see the packets hit the SIP server but get "SIP/2.0 401 Unauthorized"

Here are the packets from behind the Mikrotik as seen on the OpenVPN server. I *think* there should be an 'acknowledge' after the first packet but I can't see it on the router.

https://sipp.readthedocs.io/en/v3.6.1/s ... pauth.html
<recv response="407" auth="true">
</recv>

Packets

18:54:01.278428 IP (tos 0x68, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 710)
    192.168.29.2.28753 > 192.168.98.1.5060: SIP, length: 682
	REGISTER sip:192.168.98.1 SIP/2.0
	Via: SIP/2.0/UDP 192.168.88.254:28753;branch=z9hG4bK1080569586;rport
	Route: <sip:192.168.98.1:5060;lr>
	From: <sip:8105@192.168.98.1>;tag=1511247845
	To: <sip:8105@192.168.98.1>
	Call-ID: 1594717855-55190-1@BJC.BGI.II.CFE
	CSeq: 2091 REGISTER
	Contact: <sip:8105@192.168.88.254:28753>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-C074AD6CBFEA>"
	X-Grandstream-PBX: true
	Max-Forwards: 70
	User-Agent: Grandstream 
	Supported: path
	Expires: 3600
	X-switch-info: mac=78:9a:18:e2:9d:ce,port=bridge/ether2
	Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
	Content-Length: 0
	
18:54:01.278556 IP (tos 0x60, ttl 64, id 48979, offset 0, flags [none], proto UDP (17), length 557)
    192.168.29.1.5060 > 192.168.29.2.28753: SIP, length: 529
	SIP/2.0 401 Unauthorized
	Via: SIP/2.0/UDP 192.168.88.254:28753;branch=z9hG4bK1080569586;received=192.168.29.2;rport=28753
	From: <sip:8105@192.168.98.1>;tag=1511247845
	To: <sip:8105@192.168.98.1>;tag=as2951980b
	Call-ID: 1594717855-55190-1@BJC.BGI.II.CFE
	CSeq: 2091 REGISTER
	Server: FPBX-15.0.37.4(16.30.1)
	Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
	Supported: replaces, timer
	WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="2e0bed5f"
	Content-Length: 0

This compares to a phone on a different subnet (connected via ipsec)

This sends Register, then Register with the Authorization: And then gets OK.

14:50:16.777627 IP (tos 0x68, ttl 63, id 3589, offset 0, flags [none], proto UDP (17), length 638)
    10.0.0.68.53873 > 192.168.98.1.5060: SIP, length: 610
	REGISTER sip:192.168.98.1 SIP/2.0
	Via: SIP/2.0/UDP 10.0.0.68:53873;branch=z9hG4bK2096057734;rport
	Route: <sip:192.168.98.1:5060;lr>
	From: <sip:3001@192.168.98.1>;tag=1646123957
	To: <sip:3001@192.168.98.1>
	Call-ID: 1544210849-53873-1@BA.A.A.GI
	CSeq: 2000 REGISTER
	Contact: <sip:3001@10.0.0.68:53873>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B82B17AC7>"
	X-Grandstream-PBX: true
	Max-Forwards: 70
	User-Agent: Grandstream 
	Supported: path
	Expires: 3600
	Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
	Content-Length: 0

should be an ack of some from here?

Then we can see the Auth

14:50:16.800548 IP (tos 0x68, ttl 63, id 3590, offset 0, flags [none], proto UDP (17), length 796)
    10.0.0.68.53873 > 192.168.98.1.5060: SIP, length: 768
	REGISTER sip:192.168.98.1 SIP/2.0
	Via: SIP/2.0/UDP 10.0.0.68:53873;branch=z9hG4bK389415048;rport
	Route: <sip:192.168.98.1:5060;lr>
	From: <sip:3001@192.168.98.1>;tag=1646123957
	To: <sip:3001@192.168.98.1>
	Call-ID: 1544210849-53873-1@BA.A.A.GI
	CSeq: 2001 REGISTER
	Contact: <sip:3001@10.0.0.68:53873>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B82B17AC7>"
	Authorization: Digest username="3001", realm="asterisk", nonce="7b87e373", uri="sip:192.168.98.1", response="a4b717f643a47bc17a3dcba60ab3f5bc", algorithm=MD5
	X-Grandstream-PBX: true
	Max-Forwards: 70
	User-Agent: Grandstream 
	Supported: path
	Expires: 3600
	Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
	Content-Length: 0
	
14:50:16.821359 IP (tos 0x68, ttl 63, id 3591, offset 0, flags [none], proto UDP (17), length 489)
    10.0.0.68.53873 > 192.168.98.1.5060: SIP, length: 461
	SIP/2.0 200 OK
	Via: SIP/2.0/UDP 192.168.98.1:5060;branch=z9hG4bK562ed84b;rport=5060
	From: "Unknown" <sip:Unknown@192.168.98.1>;tag=as45b69b2c
	To: <sip:3001@10.0.0.68:53873>;tag=1786554733
	Call-ID: 2ed7f17a5f91789c42ef97093859ec2c@192.168.98.1:5060
	CSeq: 102 OPTIONS
	Supported: replaces, path, timer
	User-Agent: Grandstream 
	Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
	Content-Length: 0

ISP router -> DHCP
Mikrotik DHCP -> ISP router
192.168.0.x - > 192.168.0.1

Mikrotik LAN 192.168.88.0
SIP Phone 192.168.88.254 via DHCP

OpenVPN tunnel 192.168.29.x
Remote VPN server LAN 192.168.98.x

So packets flow roughly like this

192.168.88.254 -> -> 192.168.88.1 -> 192.168.29.2 -> 192.168.29.1 -> 192.168.98.1

OpenVPN has an iroute set so it knows where to route packets destined for 192.168.88.x

All other traffic appears to flow pretty normally across the VPN.

I can post the rules that I have but wondered if anyone has any ideas?
 
User avatar
pants6000
Frequent Visitor
Frequent Visitor
Posts: 87
Joined: Fri Sep 26, 2014 5:30 am

Re: Mikrotik as OpenVPN client is almost perfect

Wed Feb 28, 2024 9:39 pm

Do you have the SIP helper disabled?

Can you sniff closer to the SIP sever, like on the ingress interface to the openvpn server?
 
reetp
just joined
Topic Author
Posts: 23
Joined: Tue Jan 24, 2017 12:55 am

Re: Mikrotik as OpenVPN client is almost perfect

Thu Feb 29, 2024 2:54 am

Do you have the SIP helper disabled?
Yup.
Can you sniff closer to the SIP sever, like on the ingress interface to the openvpn server?
Packets are from tcpdump on the (linux) SIP server - for which I have total control.

Tried to see a relevant ACK but must me misssing something

Who is online

Users browsing this forum: No registered users and 72 guests