OpenSips behind NAT and NAT traversal

2012-06-19
2013-05-09
  • Hi all,
    I want to configure an OpenSips proxy which has to work behind NAT, too.
    I have already configured a proxy with NAT traversal and rtpproxy and it works fine if the server has public address.
    BUT
    If I put the server behind a router with NAT and I set port forwarding and set advertised_address and advertised_port to the router public address, it works but only if all clients are in same NAT with the server. If a client is on public IP or on other NATed ip, it can authenticate, but the INVITE doesn't arrive to the proxy. If this client is called by another client, it receives the call. I use Linphone for testing.
    Any ideas?
    Thanks,
    Hunor

     
  • Cloud sip
    2012-07-27

    Hi Hunor,

    Need your help (am newbie to opensips). Can you please help me setting up opensips with nat traversal with the server having a public ip? Clients are behind NATs and want to use the public-space server that I am setting up with rtpproxy. Please help me.

    Thanks,
    Sipuser

     
  • Hello Sipuser,
    You can consult the following book on NAT traversal problems: "Building Telephony Systems with OpenSIPS 1.6" (you will find it using Google). It contains all the necessary information for you to be able to set up a NAT traversal.
    You can also get good use of the script generator provided with OpenSIPS, or, as a last resort alternative, you can download the OpenSIPS LiveVM from here: http://www.opensips.org/Resources/LiveVM. You will need VMPlayer to run this virtual machine. It has OpenSIPS installed and a fully functional script.

    Good luck,
    Hunor

     
  • Hi,

    I have been trying to achieve NAT traversal with the OpenSIPS server behind NAT. My situation is somewhat special, because some of the clients are behind NAT, while others have public IPs. I've tried using advertised_address and advertised_port in order to put the public IP of the NAT in the SIP header. This method works when all the clients are in the same network with the server (behind NAT). However, even in this case I cannot call one user from another.
    When the client tries to join an external network, where it gets a public IP I get the error: "Too many hops".
    My first question would be: what is the correct procedure to configure the OpenSIPS server? The second question refers to the domain and proxy addresses? Until this point I've used the NAT's public IP as the proxy address and the server's private IP as the domain address. Is this a correct assumption? If not, how should they be configured, if it is possible at all?

    Any help is greatly appreciated!

     
  • Hi,

    I made some tests with ngrep and below are the results. The proxy server behind the NAT has the IP 192.168.1.10, the external IP is 193.231.162.101. The IP of Client1 is 192.168.1.124 and the IP of Client2 is 192.168.1.139. The sip address of the clients are:
    Client1: sip:test5@192.168.1.10
    Client2: sip:test2@192.168.1.10
    Both of them have set the proxy as 193.231.162.101.
    The following sequence describes an attempt of Client1 to call Client2.
    After the ACK message there are only INVITEs, similar to the last one.

    INVITE sip:test2@192.168.1.10 SIP/2.0..Via: SIP/2.0/UDP 192.168.1.124:2269;rport;branch=z9hG4bK756463193..From: <sip:test5@192.168.1.10>;tag=1158432959.
      .To: <sip:test2@192.168.1.10>..Call-ID: 714656011..CSeq: 20 INVITE..Contact: <sip:test5@192.168.1.1:2269>..Content-Type: application/sdp..Allow: INVITE,
       ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO..Max-Forwards: 70..User-Agent: Linphone/3.4.0 (eXosip2/unknown)..Subject: Phone call
      ..Content-Length:   321….v=0..o=test5 693 693 IN IP4 192.168.1.124..s=Talk..c=IN IP4 192.168.1.124..b=AS:256..t=0 0..m=audio 7076 RTP/AVP 111 110 100
      3 0 8 101..a=rtpmap:111 speex/16000..a=fmtp:111 vbr=on..a=rtpmap:110 speex/8000..a=fmtp:110 vbr=on..a=rtpmap:100 iLBC/8000..a=fmtp:100 mode=30..a=rtpmap
      :101 telephone-event/8000..a=fmtp:101 0-11..                                                                                                           
    Proxy authorize error
    #
    U 192.168.1.10:5060 -> 192.168.1.1:2269
      SIP/2.0 407 Proxy Authentication Required..Via: SIP/2.0/UDP 192.168.1.124:2269;received=192.168.1.1;rport=2269;branch=z9hG4bK756463193..From: <sip:test5
      @192.168.1.10>;tag=1158432959..To: <sip:test2@192.168.1.10>;tag=0ea86e9237480d326a1ba5873424d1c6.9558..Call-ID: 714656011..CSeq: 20 INVITE..Proxy-Authen
      ticate: Digest realm="192.168.1.10", nonce="501a2fb100000001b149a0d67fc414212f54792d0324c626"..Server: OpenSIPS (1.8.0-notls (i386/linux))..Content-Leng
      th: 0….                                                                                                                                              
    #
    U 192.168.1.1:2269 -> 192.168.1.10:5060
      ACK sip:test2@192.168.1.10 SIP/2.0..Via: SIP/2.0/UDP 192.168.1.124:2269;rport;branch=z9hG4bK756463193..Route: <sip:193.231.162.101;lr>..From: <sip:test5
      @192.168.1.10>;tag=1158432959..To: <sip:test2@192.168.1.10>;tag=0ea86e9237480d326a1ba5873424d1c6.9558..Call-ID: 714656011..CSeq: 20 ACK..Content-Length:
       0….
    #
    U 192.168.1.1:2269 -> 192.168.1.10:5060
      INVITE sip:test2@192.168.1.10 SIP/2.0..Via: SIP/2.0/UDP 192.168.1.124:2269;rport;branch=z9hG4bK1271756846..From: <sip:test5@192.168.1.10>;tag=1158432959
      ..To: <sip:test2@192.168.1.10>..Call-ID: 714656011..CSeq: 21 INVITE..Contact: <sip:test5@192.168.1.1:2269>..Proxy-Authorization: Digest username="test5"
      , realm="192.168.1.10", nonce="501a2fb100000001b149a0d67fc414212f54792d0324c626", uri="sip:test2@192.168.1.10", response="cd401a58a04146489914b9c35dcfa6
      c9", algorithm=MD5..Content-Type: application/sdp..Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO..Max-Forwards: 70..
      User-Agent: Linphone/3.4.0 (eXosip2/unknown)..Subject: Phone call..Content-Length:   321….v=0..o=test5 693 693 IN IP4 192.168.1.124..s=Talk..c=IN IP4
      192.168.1.124..b=AS:256..t=0 0..m=audio 7076 RTP/AVP 111 110 100 3 0 8 101..a=rtpmap:111 speex/16000..a=fmtp:111 vbr=on..a=rtpmap:110 speex/8000..a=fmtp
      :110 vbr=on..a=rtpmap:100 iLBC/8000..a=fmtp:100 mode=30..a=rtpmap:101 telephone-event/8000..a=fmtp:101 0-11..
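
The capture above can be checked mechanically for the usual NAT indicators: addresses inside the message that are RFC 1918 private or that differ from the packet's real source. This is an added example, not part of the original post and not OpenSIPS code; the names `is_rfc1918` and `nat_findings` and the finding labels are made up here, and the sample message is trimmed from the second INVITE in the capture.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Trimmed from the second INVITE in the capture above (ngrep prints CRLF as "..").
SAMPLE_SRC = ("192.168.1.1", 2269)   # from the "U 192.168.1.1:2269 -> ..." line
SAMPLE_INVITE = (
    "INVITE sip:test2@192.168.1.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.124:2269;rport;branch=z9hG4bK1271756846\r\n"
    "From: <sip:test5@192.168.1.10>;tag=1158432959\r\n"
    "To: <sip:test2@192.168.1.10>\r\n"
    "Contact: <sip:test5@192.168.1.1:2269>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.1.124\r\n"
    "m=audio 7076 RTP/AVP 111 110 100 3 0 8 101\r\n"
)

def is_rfc1918(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False          # a hostname, not an IP literal
    return any(addr in net for net in RFC1918)

def nat_findings(raw, src):
    """Return the NAT indicators found in one SIP request received from src."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # topmost wins
    findings = []
    via = re.search(r"SIP/2\.0/\w+\s+([^\s;:]+)", headers.get("via", ""))
    if via and via.group(1) != src[0]:
        findings.append("via-differs-from-source")
    if via and is_rfc1918(via.group(1)):
        findings.append("via-private")
    contact = re.search(r"sips?:(?:[^@>]+@)?([^:;>\s]+)", headers.get("contact", ""))
    if contact and is_rfc1918(contact.group(1)):
        findings.append("contact-private")
    if any(is_rfc1918(c) for c in re.findall(r"^c=IN IP4 (\S+)", body, re.M)):
        findings.append("sdp-private")
    return findings

if __name__ == "__main__":
    print(nat_findings(SAMPLE_INVITE, SAMPLE_SRC))
```

For this INVITE all four indicators are reported: the Via and the SDP `c=` line carry 192.168.1.124, while the packet source and the Contact carry 192.168.1.1.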

     
  • Hello,

    Does somebody have any idea about the problem presented above? I'm really stuck with it.
    I've found a possibility to make a modification to rtpproxy to include the -A switch in order to specify the external address, but even with that setting it wouldn't work.

    Regards,
    Hunor

     
  • Hi Hunor,

    If you get a "Too many hops", it usually means your dialled domain is not recognised by opensips. Like your opensips does not consider the "192.168.1.10" domain as being its own, so it fwd the call as a call to foreign domain.
    When checking for local/foreign domains, do you use the "myself" test or domain module?

    Regards,
    Bogdan

     
  • Hi Bogdan,

    When I check the method not to be REGISTER, I also check (from_uri==myself). This is where proxy authorization is required and, in case of error, "403 forbidden" is issued.
    The domain needs to be set somewhere in the configuration file? When I made experiments with public IPs nothing special was necessary. The domain name was simply the server's IP.

    Thank you,
    Hunor

     
  • But you never check the RURI for routing? Like (uri==myself)?

    Regards,
    Bogdan

     
  • Yes, I have that too:

    if (!uri==myself) {
        send_reply("403", "Relay forbidden");
        exit;
    }

    Regards,
    Hunor

     
  • Hi,

    I made a few changes to the configuration script, so now I'm using a registered domain name, instead of an address. I still have the SIP server behind a NAT, and there are clients both outside the NAT and behind it. I have added a SIP doorphone to the system, which is outside the NAT (it has public IP). The problem is that whenever I try to communicate with the doorphone with a client that is behind the NAT, the client can send audio data to the doorphone, but the reverse is never true: no audio or video data arrives to the client.
    I can't think of anything that can cause this malfunction in the system, so I would be grateful for any kind of ideas.

    Thank you,
    Hunor

     
  • Hello again,

    I have made some tests regarding the audio/video traffic through the rtpproxy. In the case of a user residing behind a NAT, the rtpproxy takes the audio and video streams and forwards them to the user which is outside the NAT. Unfortunately the inverse of this scenario never happens.
    This is the way I started RTPProxy: rtpproxy -l 192.168.1.10 -s udp:127.0.0.1:7890 -F
    RTPProxy is behind the NAT as well as the OpenSIPS server.
    Is there a configuration parameter I miss?

    Regards,
    Hunor

     
  • Hi Hunor,

    But is RTPproxy receiving traffic from the public user?

    Regards,
    Bogdan

     
  • Hi Bogdan,

    It doesn't seem to receive any kind of traffic from the public user. Before I wrote my previous post, I was able to extract 4 port numbers from the RTPProxy debug messages (by starting it with the -f flag, in verbose mode). I verified all of those 4 ports: two of them were responsible for forwarding the audio and video from the device behind the NAT to the RTPProxy and the other two forwarded the audio and video traffic from the RTPProxy to the public device. Neither of them had any packets from the public device.

    Hunor

     
  • Well, no receiving traffic for one end is a problem, as RTPproxy will wait for inbound traffic to learn where to send traffic.
    A workaround is to use the trust flag (see "r" flag - http://www.opensips.org/html/docs/modules/1.8.x/rtpproxy.html#id292744) - use this flag on the side towards the public entity.

    Regards,
    Bogdan

     
  • Hello Bogdan,

    Thank you for your answer. I am already using the "r" flag with the rtpproxy_offer() and rtpproxy_answer() functions. I have the following code:

    if (is_method("INVITE")) {
        if (isflagset(5)) {
            if (has_body("application/sdp")) {
                rtpproxy_offer("ro");
            }
        }
        t_on_branch("2");
        t_on_reply("2");
        t_on_failure("1");
    }
    

    in the route and

    if (nat_uac_test("1")) {
        fix_nated_contact();
    }
    if (isflagset(5)) {
        if (has_body("application/sdp")) {
            rtpproxy_answer("ro");
        }
    }
    

    in onreply_route, respectively. Is this the way you recommended?

    Regards,
    Hunor

     
  • Hi again,

    Things have become complicated. I have tried a different client outside the NAT, I called it from the client which is behind the NAT, and the video traffic is normal in both directions, though there is still no audio from the public device to the internal one.
    The device that I have tried is an Asus tablet, running Linphone (actually I make my tests with Linphone, except the doorphone unit, which has its own firmware). Can this be the fault of the doorphone?

    Regards,
    Hunor