This seems to be a popular topic but nothing I’ve seen posted answers my questions. The main confusion I have is about the networking stuff – when you add a VPN to the mix my head goes funny.
The background: I have a GXP2140 (1.0.8.47) at a remote location. The host location has a UCM6104 behind two routers (two NATs), and a Win7 PC running the OpenVPN server software. The OpenVPN port (I’m using 5566) is forwarded on both routers, from Router #1 to Router #2, and from Router #2 to the PC running OpenVPN. I’ve gotten through the not trivial task of creating an OpenVPN server configuration file, and the various certificates and keys that are needed. I’ve gotten the phone to show an OpenVPN IP address on the Network Status page, though that seems to be broken right now.
[I’m sure that a few people are going to focus on the double NAT as something suspicious. All I know is that it’s been that way for a couple of years, running the phone system and a bunch of other applications, with no trouble.]
Where I’m stuck is in understanding what packets get routed where, and how that is supposed to happen. I’ve been working with Grandstream support but it hasn’t gotten me anywhere so far. The latest from Grandstream is:
1. The OpenVPN IP on the phone is allocated by the OpenVPN server, in this case 10.8.0.6.
2. If a device with a browser is on the subnet to which 10.8.0.6 belongs, web access is possible.
3. If the syslog server IP belongs to the 10.8.0.6 subnet, logs will be transmitted to it.
4. For SIP and RTP traffic to be transmitted through the OpenVPN tunnel, make sure the PBX has an IP on the 10.8.0.6 subnet, and this IP is configured for the VPN-chosen account as the SIP Server.

What we are conveying here is that the GXP VPN implementation works, but it is limited to a common subnet.
My simpleminded understanding of how it’s supposed to work is that the VPN provides a tunnel that lets the client (phone) see the network that the server sees. The client has an IP address on the server’s network. The 10.8.0.0 subnet is the tunnel itself.
I realize that it’s more complicated than that, and from what Grandstream says, at best I need to configure the VPN to route packets explicitly, and at worst I simply can’t do what I need. I’m hoping that someone with more networking experience than I have can get me pointed in the right direction, specifically what changes I need to make in the OpenVPN server configuration, the GXP2140 settings, and the UCM6104 settings, to get this to work. (And if possible, why.)
I’ve attached a picture of the layout of everything, with all the known IP addresses. What the drawing doesn’t show, is what packets (with what IP addresses) go where, and how that happens.
As usual, I’ll try to put what I learn into a document and share it with everyone. A couple of people have gotten this working, but so far nobody has described the whole process, and I think it’s something that a lot of people want to be able to do.
BTW, I found a really good book on TCP/IP that serves as a guide to the RFCs while reducing their overwhelming detail to a manageable level, and it’s free. The bad news is that it’s 1000 pages. You can get it at http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf.
Thanks!
-jimc
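As an added illustration of the routing question in the post above (this is not the poster's or Grandstream's code, and the drawing is not reproduced here), the script below models the two routing tables that decide where a SIP packet goes: the phone's table after OpenVPN brings the tunnel up, and the PBX's table on the host LAN. The host LAN (192.168.1.0/24), the UCM6104 address (192.168.1.10) and the OpenVPN PC's LAN address (192.168.1.20) are assumed placeholders; 10.8.0.0/24 and 10.8.0.6 are from the post. The lookup is a plain longest-prefix match, which is how a host picks a route. OpenVPN only installs the tunnel subnet on the client; any other network the phone should reach through the tunnel has to be pushed from the server with `push "route 192.168.1.0 255.255.255.0"` in server.conf, and the PBX in turn needs a way to send its reply to 10.8.0.6 back to the OpenVPN PC (a static route for 10.8.0.0/24 on the PBX or on Router #2, or NAT on the OpenVPN PC so the PBX only ever sees a LAN source address).

```python
"""Added example: trace where a SIP packet goes with and without routes for the tunnel."""
import ipaddress

# Assumed addressing for the host LAN behind Router #2 (placeholders, not the
# poster's real addresses, which are only in the drawing).
LAN = "192.168.1.0/24"              # assumption: host-site LAN
PBX_IP = "192.168.1.10"             # assumption: UCM6104
OPENVPN_LAN_IP = "192.168.1.20"     # assumption: Win7 PC running the OpenVPN server
TUNNEL = "10.8.0.0/24"              # from the post: 'server 10.8.0.0 255.255.255.0'
PHONE_TUNNEL_IP = "10.8.0.6"        # from the post


def lookup(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs, like a host routing table.

    next_hop is a label such as "tun0" (into the OpenVPN tunnel) or
    "default gateway (...)" (out of the site, which is useless for a private address).
    """
    dst = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def phone_routes(pushed_routes=()):
    """Routing table of the GXP2140 once the tunnel is up.

    OpenVPN adds the tunnel subnet by itself.  Anything else the phone should
    reach through the tunnel must be pushed by the server:
        push "route <network> <netmask>"
    """
    routes = [("0.0.0.0/0", "default gateway (remote-site router)"),
              (TUNNEL, "tun0")]
    routes += [(net, "tun0") for net in pushed_routes]
    return routes


def pbx_routes(static_route_to_tunnel=False):
    """Routing table of the UCM6104 on the host LAN.

    The PBX knows nothing about OpenVPN, so its reply to 10.8.0.6 follows the
    default route (Router #2) unless it is told that 10.8.0.0/24 sits behind
    the OpenVPN PC.
    """
    routes = [("0.0.0.0/0", "default gateway (Router #2)"),
              (LAN, "LAN interface")]
    if static_route_to_tunnel:
        routes.append((TUNNEL, f"via {OPENVPN_LAN_IP} (OpenVPN PC)"))
    return routes


def trace_sip(pushed_routes=(), static_route_to_tunnel=False):
    """Where a SIP REGISTER from the phone goes, and where the PBX's reply goes."""
    forward = lookup(phone_routes(pushed_routes), PBX_IP)
    reply = lookup(pbx_routes(static_route_to_tunnel), PHONE_TUNNEL_IP)
    return {
        "phone -> PBX": forward,
        "PBX -> phone": reply,
        # Both legs must stay inside the tunnel; otherwise one side's packet
        # leaves the site carrying a private (RFC 1918) address and is lost.
        "works": forward == "tun0" and reply.startswith(f"via {OPENVPN_LAN_IP}"),
    }


if __name__ == "__main__":
    for pushed, static in [((), False), ((LAN,), False), ((LAN,), True)]:
        print(f"pushed routes={pushed or 'none'}, PBX static route={static}:",
              trace_sip(pushed, static))
```

Run as-is, the first case reproduces Grandstream's "common subnet" limitation: with nothing pushed, only 10.8.0.0/24 is reachable through tun0 and a packet to the PBX takes the phone's default route. The second case shows that `push "route"` alone fixes only the forward direction; the third case, with a return route on the PBX, is the one where registration actually completes. The same model applies to the syslog and web-access items in Grandstream's list. Note that `iroute` is not needed here: it is for the opposite situation, a whole subnet sitting behind the VPN client.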