Remote connect fails when VPN is activated on Draytek Router

Good afternoon everyone,

I have a simple question and am hoping some others have also had this issue and been able to resolve it.

Basically I use a UCM6301 behind a Draytek 2865. Evrything has been working perfectly for about 6 months now with no noticeable issues.

Today I activated VPN connection on the Draytek router using a PPTP connection to PureVPN so as to make the link more secure. Everything is still working fine within my premises and also on the UCM6301 apart from remote connect. The Wave app on my mobile devices still connect to GDMS okay but when trying to make a call they just go to air. This includes calls inward and outward to the devices. The UCM6301 also reports that the extensions are still connected.

With the VPN turned off and the remote connect troubleshooting is run, this is the result.

With the VPN switched on, this is the result of the troubleshooting

I am fairly sure I am just overlooking something very simple, but have been trying various solutions over the past few hours to no avail. I do have STUN set within the UCM6301 and just cannot work out why this is the only issue I am getting on my whole network.

If you require any further information, then let me know and I will collate it for you.

Any help or pointers would be greatly appreciated.
Many thanks in advance

Tony.

What type of VPN do you use and which port do you use?
I normally use Vigor 2865 and I don’t have these problems.

Many thanks for the reply damiano70. I am using PureVPN and these are the settings I have created within the 2865.

Screenshot 2022-12-04 153837.png924x877 36.9 KB

I am suspecting that the mode should be set for Routing rather that NAT, which is my next course of investigation.

Tony

Just tried Routing mode and that stopped everything.

This is not Draytek support and you are best to go to there forum not here.

No scottsip, everything in the network is working perfectly apart from the Grandstream Remote Connect, therefore it is a Grandstream issue and nothing to do with Draytek. If I was having loads of issues with other devices in the house, i.e about 20 smart devices, network streamers and servers etc, it would be a Draytek issue. It is just the Remote Connect.

Thanks for the advice anyhow.

PPTP has no security now, you’d better use Draytek’s SSL VPN first

if you already know that the problem is on the Grandstream side, it means that you have already analyzed it and know how to solve it, you don’t need to ask for advice on a forum,
I repeat I have at least 30 Vigor 2865, all with SSL VPN and never had any problems, so the problem is certainly not on the Grandstream side.

Damiano70, it is a Grandstream problem. That is why I put 'everything in the network is working perfectly apart from the Grandstream Remote Connect, ‘therefore it is a Grandstream issue’.

I am also conversent with these infrastructures having been a Cisco Network and VoIP principal consultant in the City of London for 20 years, but the Grandstream architecture is relatively new to me having only worked with it for about 12 months now.

I know that PTPP is a relatively old VPN structure but that is the only protocol that PureVPN supports akin to Draytek,

I only asked if anybody else had this issue so that I could get some pointers as to what could be the issue. I will carry on working through it and if I do get a resolution, I will post it in case anybody else has this issue.

I am pleased to hear that you have never actually had this problem damiano70, your Grandstream configurations obviously are correct unlike mine.

Many thanks again.

I tell you that it’s not a Grandstream problem, also because to be convinced of a problem you have to demonstrate that you have found a bug, but yours are only sensations and deductions that lead nowhere.
but I’ll let you try it yourself.

Damiano70, I have never said it is a bug with the Grandstream. I am saying it is a mistake of my configuration of the UCM6301 and hence asking for advice on this forum for any mistakes I may have made.

I will not ask for advice on this forum anymore, it is just too hard work. I will go elsewhere.

Sorry to have bothered you all and thank you for previous advice, especially lpneblett that has been invaluable.

if you want to do the splendid ok, but you don’t have to be smart, from the beginning you simply wrote that it’s a Grandstream problem, without giving reasons and without giving details about your configuration,
now you completely change your strategy and you want to make me look like an idiot?
I have been fighting in telecommunications for 36 years and where I can I lend a hand, I understand something but I also have a lot to learn,
so if you act humble and seek help ok,
for the rest, I don’t want to deal with people who know everything, and know nothing,
if you need a hand gladly, but don’t even try to make fun of me

good continuation.

Damiano

Dear user,

Thank you for using the UCMRC service! May I ask if we can have the syslog from the UCM63xx? Or, maybe you can send the remote access including admin username and password to us for troubleshooting? You can send them to me through the PM. Thanks for your testing!

Thank you!

I am not familiar with Pure VPN, but I suspect that there is an issue in how the connection is seen versus that of how it was sent. By this I mean that you are relying on the messaging between the UCM and GDMS to be handled correctly as the streams wind their ways through the tunnels and then emerge with messaging that is no longer pertinent to how the streams are seen versus how they were generated.

The UCM has a NAT settings page in PBX settings. This page essentially defines how the messaging will be formulated by the UCM based upon its environment and from what source its sees incoming messaging. On that page there is a place to define the local LAN networks. In the event the UCM sees a message arriving from a LAN device, it will respond to that device and in its SIP messaging will tell the device to use the private IP associated to the UCM. If the message arrives from any IP other than those listed in the local LAN descriptions, then the UCM will tell the device to respond to the public IP of the UCM as defined in the Public IP/FQDN field.

I suspect that yes, Routing is what you want.

Additionally, I note that you have all traffic using the route (VPN), which makes it seems as if masking the Public IP if where the UCM truly resides is the primary goal as I am guessing that the PureVPN service is providing a different public IP.

Part of the function of the remote connect system is to avoid the issues of NAT and at the same time provide a level of security using TLS, so I wonder if you might be over-complicating things for no apparent gain? I am just not sure how the service will function thru PureVPN.

Dear user,

Thanks for your feedback! We want to obtain the remote access from this user so that we can check the UCM settings and ensure that there are no problems about the settings. Then, we can also download the syslog we need from the Web UI of this UCM directly, so we can address this issue accurately. Thanks for your testing!

Thank you!

Many thanks again lpneblett for your brilliant insight and giving the advice that confirms my suspicions with it being my NAT settings within the UCM6301. I have spent the last couple of days looking into this issue and one thing jumps out at me everytime I look at it.

In the NAT settings of the UCM6301 I have my DDNS name as external host. What I have noticed is that when I switch on VPN routing within the Draytek it still advertises my physical address to DDNS and not the VPN acquired address. Therefore I believe that this is maybe causing the issues I am seeing with GSWave not connecting, although I do need to investigate this further when time allows as at the moment I have switched the VPN connection off.

Many thanks for replying GSSupport74, as soon as I have time over the next few days I will do a syslog trace on the UCM6301 to outline the traffic flows when I switch on VPN and also show when the app tries to connect. I will message you the logs as soon as I have them.

Many thanks,

Tony.
P.S. I am sorry to have got annoyed on Sunday but I knew everything was working fine on every device within my network with VPN on, apart from the GSWave app, therefore it has to be an issue with my configuration on the UCM6301.

Thanks for your updates and feedback, Tolc999!

Thank you!

If not mistaken, the DDNS settings in most Vigor routers will allow you to select what IP the router should be using - WAN IP or Internet IP. Look in Applications, Dynamic DNS, then Determine WAN IP.

I have found the setting to be useful when encounting CG NAT (the WAN IP is not the same as the Internet IP).

I have not really looked at the DDNS settings in the UCM, as I always felt that the router, being the first to detect the change, should it occur, would be the better and quicker notifier to the DDNS service.

Just a thought. Try configuring the remote extension to connect via TLS. I have remote phones connecting to a home base pbx behind a router without the need to configure either router. Using GDMS remote connect as well. Side note I also always configure my pbx in route mode and disable local land. I use the wan port of the pbx to connect to the network.

Remote connect used TLS already.