ASL3 registration failed over openvpn

Hey guys good morning

I’m using OpenVPN to open ports because my provider doesn’t allow me to, but ASL3 does not update my new public IP. The question is:

Is there any way to force it? I mean, to send my new IP.
Can IPv6 interfere with that?

Example of my ifconfig; tun0 is my public IP:

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10
loop txqueuelen 1000 (Local Loopback)
RX packets 222684 bytes 18719998 (17.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 222684 bytes 18719998 (17.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 206.123.132.232 netmask 255.255.255.224 destination 206.123.132.232
inet6 fe80::1657:9d53:9264:6b82 prefixlen 64 scopeid 0x20
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 3012 bytes 373553 (364.7 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2969 bytes 728659 (711.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.100.28 netmask 255.255.255.0 broadcast 192.168.100.255
inet6 fe80::7d6:434a:4f1d:a1a8 prefixlen 64 scopeid 0x20
inet6 2800:bf0:1c2:1142:354f:c16a:68d0:7b02 prefixlen 64 scopeid 0x0
ether e4:5f:01:22:a2:b7 txqueuelen 1000 (Ethernet)
RX packets 262802 bytes 91643390 (87.3 MiB)
RX errors 0 dropped 4 overruns 0 frame 0
TX packets 159811 bytes 68219003 (65.0 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

When I check the URL, the old public IP (186.101.135.14) has not changed to the new tun0 IP (206.123.132.232).

root@node596481:/home/kq4hpi# dig 596481.ip.hamvoip.org

; <<>> DiG 9.18.24-1-Debian <<>> 596481.ip.hamvoip.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20494
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;596481.ip.hamvoip.org. IN A

;; ANSWER SECTION:
596481.ip.hamvoip.org. 60 IN A 186.101.135.14

;; Query time: 143 msec
;; SERVER: 192.168.100.1#53(192.168.100.1) (UDP)
;; WHEN: Wed Jul 17 08:30:28 EDT 2024
;; MSG SIZE rcvd: 66

These are DNS names for hamvoip(.)org not AllStarLink. The proper format for DNS Names is NODENUM.nodes.allstarlink.org. For example:

$ dig +short 596481.nodes.allstarlink.org
186.101.135.14

Also, you cannot force Asterisk/ASL to use your VPN tunnel. If you have it up, you have to make sure that you’re routing all traffic out the tunnel for Asterisk.

I don’t know exactly how. I connect the VPN and restart Asterisk, but I don’t know which IP Asterisk uses. And thanks for the information about the correct URL.

Here is my traceroute to the register server:

root@node596481:/etc/asterisk# traceroute register.allstarlink.org
traceroute to register.allstarlink.org (162.248.92.131), 30 hops max, 60 byte packets
1 206.123.132.225 (206.123.132.225) 87.873 ms 89.682 ms 89.772 ms
2 unn-143-244-44-157.datapacket.com (143.244.44.157) 89.786 ms unn-143-244-44-156.datapacket.com (143.244.44.156) 90.524 ms 90.550 ms
3 vl212.nyc-tlx3-core-2.cdn77.com (169.150.194.92) 91.405 ms 91.800 ms 91.889 ms
4 * * *
5 be3363.ccr42.jfk02.atlas.cogentco.com (154.54.3.125) 92.013 ms 92.014 ms 91.916 ms
6 be4985.ccr21.cle04.atlas.cogentco.com (154.54.162.165) 100.617 ms be4986.ccr22.cle04.atlas.cogentco.com (154.54.162.169) 105.126 ms 97.856 ms
7 be2718.ccr42.ord01.atlas.cogentco.com (154.54.7.129) 106.261 ms 106.755 ms be2717.ccr41.ord01.atlas.cogentco.com (154.54.6.221) 106.821 ms
8 be2765.ccr41.ord03.atlas.cogentco.com (154.54.45.18) 106.744 ms be2766.ccr41.ord03.atlas.cogentco.com (154.54.46.178) 106.823 ms be2765.ccr41.ord03.atlas.cogentco.com (154.54.45.18) 106.775 ms
9 cogent.e9.router1.chicago.nfoservers.com (64.74.97.254) 104.824 ms 104.221 ms 106.655 ms
10 v-162-248-92-131.unman-vds.premium-chicago.nfoservers.com (162.248.92.131) 107.125 ms 106.706 ms 106.710 ms

root@node596481:/etc/asterisk# dig +short register.allstarlink.org
162.248.92.131
34.105.111.212

[2024-07-17 10:28:34.002] WARNING[215884] res_rpt_http_registrations.c: SSL connection timeout
[2024-07-17 10:28:34.002] WARNING[215884] res_rpt_http_registrations.c: Failed to curl URL ‘https://register.allstarlink.org/

So the network is OK. Sorry for the insistence; in ASL2 I haven’t had this issue, so something is happening with Asterisk 20 (ASL3).

Here is another example of registration using OpenVPN on ASL2:

root@node596481:/home/kq4hpi# dig +short 56502.nodes.allstarlink.org
186.101.135.14
root@node596481:/home/kq4hpi# dig +short 56502.ip.hamvoip.org
104.243.242.233

In the AllStarLink registration there is no change, and in the hamvoip DNS there is.

Another thing: maybe the issue happens in nodes with nxx extensions?
Because in nodes without extensions, the registration works fine on the same LAN and with the same OpenVPN file.

ASL3 uses an entirely different HTTP-based registration system. How are you selecting what traffic goes through the VPN? Were you perhaps NATing/mangling on IAX2 packets only? That won’t work with ASL3 in isolation.

I don’t understand what you mean. I cannot select anything; when you are running a VPN, tun0 is the default device and the public IP is on it. I am checking that using this simple line:

dig @resolver4.opendns.com myip.opendns.com +short -4

So every service in Linux that requires WAN should use the tun0 public IP. This is transparent; in fact, my DVSwitch installed there uses the new public IP automatically.

What does rpt show registrations say your perceived IP is?

Jorge:
Does SSL work at all on this VPN endpoint?
I had a problem like this once with Wireguard. Turned out that the MTU size didn’t match on the server and client, which broke SSL, but most other things worked as expected.
If you type
curl https://www.baeldung.com
do you get valid HTML source?
Have you tried using IAX registration in ASL3 instead of the now preferred HTTP?

This is a good point. Make sure your interface MTU size on the OpenVPN tunnel is 1280.

No issues with the curl you pasted, and the VPN is running; see:

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 206.123.132.232 netmask 255.255.255.224 destination 206.123.132.232
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 7 bytes 371 (371.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 16 bytes 1096 (1.0 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

root@node596481:/etc/openvpn# curl https://www.baeldung.com

Just a moment...*{box-sizing:border-box;margin:0;padding:0}html{line-height:1.15;-webkit-text-size-adjust:100%;color:#313131}button,html{font-family:system-ui,-apple-system,BlinkMacSystemFont,Segoe UI,Roboto,Helvetica Neue,Arial,Noto Sans,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI ......

No, the size is 1500. I will check whether I can change it.

It keeps the original IP from before the VPN was running:

node596481*CLI> rpt show registrations
Host Username Perceived Refresh State
162.248.92.131:443 596481 186.101.135.14:4569 179 Registered
1 HTTP registration.

How can I change from HTTP to IAX registration?

I’m setting these values in the .ovpn file:

proto udp
tun-mtu 1280
mssfix 1240
dev tun

mssfix = mtu - 40

And it seems to be working, thanks to @KE4DYI. But by the way, tell me how I can change the registration to IAX instead of HTTP.

node596481*CLI> rpt show registrations
Host                                           Username    Perceived                            Refresh  State
34.105.111.212:443                             596481      206.123.132.232:4569                     179  Registered
1 HTTP registration.
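
Added example, not part of the thread and not ASL or OpenVPN project code: a way to measure the largest IPv4 packet that crosses the tunnel unfragmented before choosing `tun-mtu`, then print the two `.ovpn` lines using the `mtu - 40` rule from the post above. The function names and the `--probe` switch are made up for this example; `ping -M do` assumes Linux iputils, and the target must answer ICMP echo.

```shell
#!/bin/sh
# Added example: binary-search the path MTU through the VPN with DF-bit pings.

# Real probe: one ICMP echo with Don't Fragment set.
# $1 = host, $2 = total IP packet size (ICMP payload = size - 20 IP - 8 ICMP).
probe_ping() {
    ping -4 -c 1 -W 2 -M do -s "$(( $2 - 28 ))" "$1" >/dev/null 2>&1
}

# Largest size in [lo, hi] that the probe accepts.
# $1 = probe function, $2 = host, $3 = lo (default 576), $4 = hi (default 1500).
# Prints 0 and fails if even the smallest size is dropped (e.g. ICMP filtered).
find_path_mtu() {
    local probe="$1" host="$2" lo="${3:-576}" hi="${4:-1500}" mid
    "$probe" "$host" "$lo" || { echo 0; return 1; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if "$probe" "$host" "$mid"; then
            lo=$mid            # this size passed, try larger
        else
            hi=$(( mid - 1 ))  # dropped or needs fragmentation, try smaller
        fi
    done
    echo "$lo"
}

# The .ovpn lines from the thread for a chosen tunnel MTU (mssfix = mtu - 40).
ovpn_lines() {
    printf 'tun-mtu %d\nmssfix %d\n' "$1" "$(( $1 - 40 ))"
}

# Usage: sh pmtu.sh --probe register.allstarlink.org   (run with the VPN up)
if [ "${1:-}" = "--probe" ]; then
    mtu=$(find_path_mtu probe_ping "$2") || { echo "no ICMP reply from $2" >&2; exit 1; }
    echo "largest unfragmented packet: $mtu bytes"
    ovpn_lines "$mtu"
fi
```

The measured value is an upper bound for `tun-mtu`; the thread settled on 1280, which is at or below what most paths carry.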

If HTTP registration is working, it’s strongly discouraged to use IAX registration with ASL3.

It’s always good to have a plan B.

Anyway, please check the nodes.allstarlink.org DNS process, because the updates are not working as they do for ip.hamvoip.org.

root@node61630:/home/kq4hpi# dig +short 596481.nodes.allstarlink.org
206.123.132.228
root@node61630:/home/kq4hpi# dig +short 596481.ip.hamvoip.org
186.101.135.14