This sits behind a NAT'ed ISP (long-range wifi) router.
I am using the Mikrotik to create an OpenVPN tunnel to a remote server/network, as I need a SIP phone to connect to a SIP server.
I have the tunnel up using an .ovpn file with certificates and tls-auth, with zero issues. It came up immediately and is very stable.
(No, I can't use WireGuard as I need to use certificates, and it likely wouldn't solve the issue; and I can't use my normal poison of IPsec as the ISP router is DHCP and the IPsec server only allows connections from static IPs.)
Via the OpenVPN tunnel I can:
ssh to the VPN server, then ssh back to the Mikrotik box
ssh to the VPN server, then ssh to the SIP phone
ssh -L to the VPN server, then winbox to the Mikrotik (yes, I was impressed with myself!)
What I can't do:
Get the SIP phone behind the Mikrotik to register
I can see the packets hit the SIP server but get "SIP/2.0 401 Unauthorized"
Here are the packets from behind the Mikrotik as seen on the OpenVPN server. I *think* there should be an 'acknowledge' after the first packet, but I can't see it on the router.
https://sipp.readthedocs.io/en/v3.6.1/s ... pauth.html
<recv response="407" auth="true">
</recv>
Packets
18:54:01.278428 IP (tos 0x68, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 710)
192.168.29.2.28753 > 192.168.98.1.5060: SIP, length: 682
REGISTER sip:192.168.98.1 SIP/2.0
Via: SIP/2.0/UDP 192.168.88.254:28753;branch=z9hG4bK1080569586;rport
Route: <sip:192.168.98.1:5060;lr>
From: <sip:8105@192.168.98.1>;tag=1511247845
To: <sip:8105@192.168.98.1>
Call-ID: 1594717855-55190-1@BJC.BGI.II.CFE
CSeq: 2091 REGISTER
Contact: <sip:8105@192.168.88.254:28753>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-C074AD6CBFEA>"
X-Grandstream-PBX: true
Max-Forwards: 70
User-Agent: Grandstream
Supported: path
Expires: 3600
X-switch-info: mac=78:9a:18:e2:9d:ce,port=bridge/ether2
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Length: 0
18:54:01.278556 IP (tos 0x60, ttl 64, id 48979, offset 0, flags [none], proto UDP (17), length 557)
192.168.29.1.5060 > 192.168.29.2.28753: SIP, length: 529
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 192.168.88.254:28753;branch=z9hG4bK1080569586;received=192.168.29.2;rport=28753
From: <sip:8105@192.168.98.1>;tag=1511247845
To: <sip:8105@192.168.98.1>;tag=as2951980b
Call-ID: 1594717855-55190-1@BJC.BGI.II.CFE
CSeq: 2091 REGISTER
Server: FPBX-15.0.37.4(16.30.1)
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="2e0bed5f"
Content-Length: 0
This compares to a phone on a different subnet (connected via IPsec).
This sends REGISTER, then REGISTER with the Authorization header, and then gets OK.
14:50:16.777627 IP (tos 0x68, ttl 63, id 3589, offset 0, flags [none], proto UDP (17), length 638)
10.0.0.68.53873 > 192.168.98.1.5060: SIP, length: 610
REGISTER sip:192.168.98.1 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.68:53873;branch=z9hG4bK2096057734;rport
Route: <sip:192.168.98.1:5060;lr>
From: <sip:3001@192.168.98.1>;tag=1646123957
To: <sip:3001@192.168.98.1>
Call-ID: 1544210849-53873-1@BA.A.A.GI
CSeq: 2000 REGISTER
Contact: <sip:3001@10.0.0.68:53873>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B82B17AC7>"
X-Grandstream-PBX: true
Max-Forwards: 70
User-Agent: Grandstream
Supported: path
Expires: 3600
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Length: 0
There should be an ack of some sort from here?
Then we can see the Auth
14:50:16.800548 IP (tos 0x68, ttl 63, id 3590, offset 0, flags [none], proto UDP (17), length 796)
10.0.0.68.53873 > 192.168.98.1.5060: SIP, length: 768
REGISTER sip:192.168.98.1 SIP/2.0
Via: SIP/2.0/UDP 10.0.0.68:53873;branch=z9hG4bK389415048;rport
Route: <sip:192.168.98.1:5060;lr>
From: <sip:3001@192.168.98.1>;tag=1646123957
To: <sip:3001@192.168.98.1>
Call-ID: 1544210849-53873-1@BA.A.A.GI
CSeq: 2001 REGISTER
Contact: <sip:3001@10.0.0.68:53873>;reg-id=1;+sip.instance="<urn:uuid:00000000-0000-1000-8000-000B82B17AC7>"
Authorization: Digest username="3001", realm="asterisk", nonce="7b87e373", uri="sip:192.168.98.1", response="a4b717f643a47bc17a3dcba60ab3f5bc", algorithm=MD5
X-Grandstream-PBX: true
Max-Forwards: 70
User-Agent: Grandstream
Supported: path
Expires: 3600
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Length: 0
14:50:16.821359 IP (tos 0x68, ttl 63, id 3591, offset 0, flags [none], proto UDP (17), length 489)
10.0.0.68.53873 > 192.168.98.1.5060: SIP, length: 461
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.98.1:5060;branch=z9hG4bK562ed84b;rport=5060
From: "Unknown" <sip:Unknown@192.168.98.1>;tag=as45b69b2c
To: <sip:3001@10.0.0.68:53873>;tag=1786554733
Call-ID: 2ed7f17a5f91789c42ef97093859ec2c@192.168.98.1:5060
CSeq: 102 OPTIONS
Supported: replaces, path, timer
User-Agent: Grandstream
Allow: INVITE, ACK, OPTIONS, CANCEL, BYE, SUBSCRIBE, NOTIFY, INFO, REFER, UPDATE, MESSAGE
Content-Length: 0
ISP router -> DHCP
Mikrotik DHCP -> ISP router
192.168.0.x -> 192.168.0.1
Mikrotik LAN 192.168.88.0
SIP phone 192.168.88.254 via DHCP
OpenVPN tunnel 192.168.29.x
Remote VPN server LAN 192.168.98.x
So packets flow roughly like this:
192.168.88.254 -> 192.168.88.1 -> 192.168.29.2 -> 192.168.29.1 -> 192.168.98.1
OpenVPN has an iroute set so it knows where to route packets destined for 192.168.88.x
All other traffic appears to flow pretty normally across the VPN.
I can post the rules that I have but wondered if anyone has any ideas?
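The exchange the post is describing is SIP Digest authentication (RFC 2617, MD5, no qop in this Asterisk challenge): the server answers the first REGISTER with 401 and a WWW-Authenticate challenge, and the phone must resend REGISTER with an Authorization header computed from the nonce and its password. The following is an added worked example, not code from the post or from Grandstream/Asterisk/Mikrotik. It copies the WWW-Authenticate and Via headers from the captured 401 above, parses the challenge, builds the Authorization header a phone would send, verifies such a header against a candidate password (which is also what an offline attack on a captured Authorization does), and compares the Via sent-by address with the `received` parameter the server stamped on it. The password `made-up-password` and the helper names are assumptions for the example.

```python
"""SIP Digest (RFC 2617/2069, MD5) challenge/response, worked on the headers
captured in the post. Added example; the password below is made up."""
import hashlib
import re
import secrets

# Headers copied from the captured 401 Unauthorized in the post.
CHALLENGE_401 = 'Digest algorithm=MD5, realm="asterisk", nonce="2e0bed5f"'
VIA_401 = ('SIP/2.0/UDP 192.168.88.254:28753;branch=z9hG4bK1080569586;'
           'received=192.168.29.2;rport=28753')


def parse_digest(header):
    """Parse 'Digest k=v, k="v", ...' (WWW-Authenticate or Authorization) into a dict."""
    body = header.split(None, 1)[1] if header.lower().startswith("digest") else header
    params = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', body):
        params[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc="00000001", cnonce=None):
    """MD5 Digest response. The Asterisk challenge above has no qop, so the
    RFC 2069 form MD5(HA1:nonce:HA2) applies; qop=auth (RFC 2617) is handled too."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(challenge, username, password, method, uri):
    """Build the Authorization header the phone should send in its second REGISTER."""
    c = parse_digest(challenge)
    qop = "auth" if "auth" in (c.get("qop") or "").split(",") else None
    cnonce = secrets.token_hex(8) if qop else None
    resp = digest_response(username, c["realm"], password, method, uri,
                           c["nonce"], qop, cnonce=cnonce)
    parts = [f'username="{username}"', f'realm="{c["realm"]}"',
             f'nonce="{c["nonce"]}"', f'uri="{uri}"', f'response="{resp}"',
             "algorithm=MD5"]
    if qop:
        parts += ["qop=auth", "nc=00000001", f'cnonce="{cnonce}"']
    return "Digest " + ", ".join(parts)


def verify_authorization(auth_header, password, method="REGISTER"):
    """Recompute the response from the header fields and a candidate password.
    The same loop over a wordlist is an offline attack on a captured
    Authorization header, which is why MD5 Digest over plain UDP needs
    strong SIP secrets (or SIP over TLS)."""
    a = parse_digest(auth_header)
    expected = digest_response(a["username"], a["realm"], password, method,
                               a["uri"], a["nonce"], a.get("qop"),
                               a.get("nc", "00000001"), a.get("cnonce"))
    return secrets.compare_digest(expected, a["response"])


def via_nat_check(via):
    """Compare the Via sent-by host with the 'received' parameter the server added.
    A mismatch means the server saw a different source address than the phone
    wrote into its own headers (in the post: 192.168.29.2 vs 192.168.88.254)."""
    sent_by, *params = via.split(";")
    host = sent_by.split()[1].rsplit(":", 1)[0]
    p = dict(x.split("=", 1) for x in params if "=" in x)
    received = p.get("received")
    return {"sent_by": host, "received": received,
            "nat_in_path": received is not None and received != host}


if __name__ == "__main__":
    auth = build_authorization(CHALLENGE_401, "8105", "made-up-password",
                               "REGISTER", "sip:192.168.98.1")
    print("Authorization:", auth)
    print("right password verifies:", verify_authorization(auth, "made-up-password"))
    print("wrong password verifies:", verify_authorization(auth, "guess"))
    print(via_nat_check(VIA_401))
```

The phone must answer the nonce from the challenge it actually received; a REGISTER that never gets the 401 back (which is what the first capture shows from the server side) can never produce the second, authenticated REGISTER. `via_nat_check` only reports what the server recorded in `received`; it does not by itself say which hop rewrote the address.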