SOLVED! GXV3370 OpenVPN Configuration Help - 2 way no audio


#1

Hoping to get some help.
I have recently had to relocate a user remotely from our site.
The phone is a GXV3370 Firmware 1.0.3.28. PBX is a UCM 6204. This extension had worked fine when it was within the office network.
I’m using a Netgear router (Nighthawn R6900P) with it’s OpenVPN Service enabled at the business. This is a small business, not an enterprise. This business has a static public IP.
The remote site also has a Netgear router (Nighthawk R6700v3)
I’ve setup OpenVPN on the GXV3370 (using the zip file the Netgear generates for mobile devices thinking that since the phone is android, it would support the TUN protocol. NAT Traversal in the account settings is set to OpenVPN. The extension registers. Calls can be made both to and from the extension, however, there is no audio either way.
I’ve read a lot, and learned a lot I didn’t know about SIP/SDP and the dataflow, but still can’t figure this one out.


#2

If the tunnel is essentially a site to site between the routers, then the network setting should not be set to VPN, but to NAT NO. Setting it to VPN is used when the VPN is to the phone directly.


#3

Thank you for commenting, lpneblett!
The OpenVPN server is the business router. There’s no tunnel setup between the routers. I set the OpenVPN options in the GXV3370 (Network Settings - OpenVPN Settings) I had thought that this was for connecting to an OpenVPN Server when you’re on a remote network.
Looking at some packet traces I collected on the UCM, I still see the local IP for the phone in them (eg. “Contact: extension_namesip:_ext_@_localip_:5060)
I feel like I need to configure where the voice packets are going, but don’t see a way to do it.


#4

Did you enter the local IP of the phone in the SIP, NAT settings?


#5

I didn’t, the local IP hasn’t been entered anywhere that I’m aware of. The GXV3370 gets it’s IP from the Netgear Router from DHCP by a reservation.
I should elaborate, the local ip I’m seeing in the packets is the IP from the remote network (the one that the GXV3370 is on), not the VPN ip nor the network that the UCM is on.
I had my ISP give me a static IP (for the remote network WAN) as they use carrier grade NAT, but it made no difference in the symptoms.
I did try entering the public facing IP (the new static IP for the remote network) in the General Settings/Use NAT IP field, as well as the VPN ip, but the symptoms didn’t change, or the extension would not register with the UCM.


#6

OK.

When using a VPN, the devices are not using the WAN, but rather an encrypted tunnel between them. On each side of the tunnel, you would normally be able to ping a device on either side of the tunnel by using the private IP.

The UCM is using SIP and in SIP there is messaging that tells the remote device what IP to use when responding. In the SIP, NAT Settings, you would enter in your external public IP or hostname and then check the SDP box as well. Normally, you would also enter the local LAN segment in at the bottom. What happens is that when the UCM sees a request, it will examine the IP to determine if it is local or remote. SO an an example, let’s assume the UCM private IP is 192.168.1.20 and the public IP is 15.15.15.20. You have populated the fields mentioned earlier with these.

Now then, when the UCM sees a message coming from any IP that is NOT in the 192.168.1.0/24 range, it will assume that the IP is remote and the UCM will formulate the SIP response to have a contact (SIP) and connection (Voice/RTP) headers to indicate that the remote device should use 15.15.15.20 when responding.
As you have a tunnel, the remote device is actually considered as local so you need to input the remote local LAN segment into the NAT settings as well; otherwise the UCM will tell the phone to use 15.15.15.20 instead of its private IP of 192.168.1.20 and this will not work.

Conversely, the phone also needs to tell the UCM what to use when responding. This is done when you set the VPN in the network settings. So, now the phone will tell the UCM to use the VPN address. You need to remove the public IP of the remote site from the NAT, LAN settings.


#7

Thank you for the explanation! I finally have gotten it working!
I added the VPN IP into the UCM’s SIP - NAT - Local Network Address, and tried to place a call. Now I have audio going in both directions.
I may test this with the carrier grade NAT to see if it stays working without a static IP address on the remote side, but for now I can work as if I’m at the office.
Thank you again, @lpneblett, for the thorough explanation. Have a great day!