  1. #1
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    Using VOIP over IPsec VPN

    I just finished configuring two UT servers (one remote) using IPsec VPN for VOIP. It works really well with IPsec VPN but not over OpenVPN.

    Does anyone have any experience using OpenVPN for VOIP?

    I'm using a TrixBox phone system from Fonality.

  2. #2
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,510

    OpenVPN on Untangle 10 imposes NAT. So you'll have to set up all extensions over an OpenVPN tunnel to be remote extensions with NAT controls. You'll need phones with solid STUN support, and a PBX that has a solid STUN implementation or things will get goofy quick.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    I tried with an OpenVPN tunnel with the same UT servers and the phone does not register. No problems doing this over IPsec VPN.

    Then I tested with a softphone using the OpenVPN software client on Windows 7 and that works fine. Call quality is pretty good too.

    Perhaps there is a bug/issue when using an Untangle to Untangle server OpenVPN tunnel for VOIP.

  4. #4
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,510

    Please, it's the NAT!

    Soft Clients have an address in the OpenVPN pool, which is 1 hop from the LAN
    Site to site clients have an address on the local network which is 2 hops from the LAN

    That makes all the difference in the world. There is no bug in Untangle, you have to configure your VoIP solution to deal with NAT!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
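
Why NAT stops a phone from registering, as an added example that is not part of the original thread: SIP writes the phone's own address into the Via and Contact headers, so once a tunnel endpoint rewrites the packet source, the PBX sees two different addresses for the same phone. The REGISTER message, the addresses and the `nat_report` helper below are constructed for illustration.

```python
import re

# Constructed sample: REGISTER from a phone on a remote LAN (192.168.2.50),
# as the PBX would receive it after the tunnel endpoint has NATed the packet.
SAMPLE_REGISTER = (
    "REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.2.50:5060;branch=z9hG4bK776asdhds;rport\r\n"
    "From: <sip:201@pbx.example.invalid>;tag=1928301774\r\n"
    "To: <sip:201@pbx.example.invalid>\r\n"
    "Call-ID: a84b4c76e66710@192.168.2.50\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:201@192.168.2.50:5060>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Host and optional port the phone put in the topmost Via and in Contact.
VIA_RE = re.compile(
    r"^Via:\s*SIP/2\.0/\w+\s+([^;:\s]+)(?::(\d+))?", re.I | re.M)
CONTACT_RE = re.compile(
    r"^Contact:.*?sips?:(?:[^@>\s]+@)?([^;:>\s]+)(?::(\d+))?", re.I | re.M)


def nat_report(message, src_ip, src_port):
    """Compare the addresses inside the SIP headers with the packet source."""
    via = VIA_RE.search(message)
    contact = CONTACT_RE.search(message)
    if not via or not contact:
        raise ValueError("not a SIP request with Via and Contact headers")
    via_addr = (via.group(1), int(via.group(2) or 5060))
    contact_addr = (contact.group(1), int(contact.group(2) or 5060))
    seen = (src_ip, src_port)
    return {
        "via": via_addr,          # where the phone asks for responses
        "contact": contact_addr,  # where the phone asks for incoming calls
        "seen": seen,             # where the packet actually came from
        "behind_nat": via_addr != seen or contact_addr != seen,
        # A NAT-aware registrar answers to the observed source instead.
        "reply_to": seen,
    }


if __name__ == "__main__":
    # 10.8.0.1:40012 is a constructed post-NAT source address.
    print(nat_report(SAMPLE_REGISTER, "10.8.0.1", 40012))
```

A PBX without NAT handling would send traffic to the `contact` address, which is not routable from its side of the NAT; the remote-extension and STUN settings mentioned in the thread exist to close that gap.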

  5. #5
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    Ah once again. Thanks Rob...I appreciate your help.

  6. #6
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    Quote (originally posted by gpeters):
        "I tried with an OpenVPN tunnel with the same UT servers and the phone does not register. No problems doing this over IPsec VPN."

    Actually it was a simple solution and it had nothing to do with NAT, well yes but only as far as NAT functions by default already in UT.

    All that I was missing is to check the group to be a full tunnel that I'm using for the network type remote client.

    Quote:
        "OpenVPN on Untangle 10 imposes NAT. So you'll have to setup all extensions over an OpenVPN tunnel to be remote extensions with NAT controls. You'll need phones with solid STUN support, and a PBX that has a solid STUN implementation or things will get goofy quick."

    I did not do anything special. I assume that Trixbox and the Aastra phones I have support this. The 480i Aastra phones I have are at least 8 years old and they work fine.

  7. #7
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,510

    Quote (originally posted by gpeters):
        "All that I was missing is to check the group to be a full tunnel that I'm using for the network type remote client."

    Which means guess what, NAT is the problem. Because all you did was force all traffic from those soft clients to go back to the LAN to be routed out. That's a band-aid, and while it may have appeared to solve the problem, it also nukes the bandwidth available to the endpoint because now all traffic has to go to Untangle and out, as opposed to simply out if needed.

    But if you're happy with that, fine, go for it.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  8. #8
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    I don't understand why that would be a band-aid. I'm just using OpenVPN as a full tunnel. I'm not talking about the soft clients now. I'm talking about a physical hardware phone. Explain to me why that is a band-aid fix.

    Quote:
        "it also nukes the bandwidth available to the endpoint because now all traffic has to go to Untangle and out, as opposed to simply out if needed."

    I think you are mistaken about this. This is only the case if I select "Push DNS Configuration" for the full tunnel.

  9. #9
    Untangle Ninja sky-knight's Avatar
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    26,510

    Full Tunnel means, all traffic over the tunnel no matter what.

    Split Tunnel means, only the traffic that needs to go over the tunnel.

    That's what those terms mean. Also, Full Tunnel as far as I know, doesn't apply to site-to-site connections, only road warrior connections.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  10. #10
    Master Untangler
    Join Date
    Aug 2008
    Posts
    370

    So is my setup a band-aid solution then? If so why?

    Am I correct then regarding selecting "Push DNS Configuration" in that it would become a full tunnel then?

    Based on my understanding I have a split tunnel then.
