Keeping Asterisk Traffic Inside the VPN


I’m setting up a new PBX in a Flash (PiaF) machine running Asterisk I’m testing it by calling in with SJPhone across a VPN (the PiaF machine is at a client site). When I dial 7777, I get my top-level IVR, but when I press a number, nothing happens. If I dial into a voicemail box, the * and # keys have no effect. It seems PiaF is not hearing my DTMF tones at all.

Unexpected Public Traffic

I ran Ethereal to make sure the DTMF digits were being generated, and sure enough, they were. But what’s this? In spite of using a VPN, the RTP traffic was re-routed to the public Internet address, i.e. to Since the hardware firewall in front of the PiaF machine does not allow inbound RTP traffic from the public Internet, no tones were getting through. But how does it even know to re-route the traffic to the external IP?

I remembered that, based on the Part 2 of the setup instructions, the section “Getting Rid of One-Way Audio” calls for the following modification to /etc/asterisk/sip_custom.conf:


I don’t really need that now, since I’m only using analog lines. Commenting out the “externip” line does solve the DTMF problem, but what if I want to use a VoIP provider in the future?

Keep It Inside the VPN

A glance at Voip-Info’s Asterisk SIP externip article gave me the clue I needed:  all that is required is to add a second localnet line identifying the IP range of the computers at the other end of the VPN. That allows the RTP traffic to stay inside the VPN, and PiaF was again able to “hear” DTMF digits. So my sip_custom.conf now looks like this:

localnet= ; address range of local computers
localnet= ; address range of VPN-connected computers

If I decide to add VoIP providers in the future, “all” I’ll have to do is to get the firewall set up to allow external (encrypted?) VoIP traffic.

Update December 19, 2012

I’m now on Asterisk 1.8 and using a VoIP provider. With a registered connection (as opposed to direct routing from/to a fixed IP), externip does not seem to be required. However, the localnet settings, or at least the one pointing to the foreign address range, are still required to allow 2-way audio across the VPN.

Leave a Reply

Your email address will not be published. Required fields are marked *

Notify me of followup comments via e-mail. You can also subscribe without commenting.

This site uses Akismet to reduce spam. Learn how your comment data is processed.