WebRTC behind firewall (SQUID Reverse Proxy / Sophos UTM Help)

Hello,

I installed VitalPBX with VitXi (Starter license) on my LAN.
I have installed a real SSL certificate (wildcard).

All works on my LAN.

I would like to access Vitxi from outside.
I use Sophos UTM as gateway and firewall.

I set up a reverse proxy on it (with SSL).
I set up NAT for port 8089.

I can access the VitXI login page, I can log in … but afterwards I get a RED pop-up with the message:

The connection to your server could not be established.

Please, contact the administrator.

So could you help me?
Is it possible to use a reverse proxy to secure access to Vitxi?

Which port should I forward to my vitalpbx/vitxi server?

Thanks for your help.

Regards

Hi,

Did you really do ALL of this?

And look into the settings of Vitxi. I think you can enter a hostname there.
So you should use a dyndns in your case?

KR

Hello,

I did everything written in your Wiki guide.

Everything works perfectly on the LAN.
I can access my Vitxi without any problem:
https://vitxi.MYdomain.fr/webrtc/

I can log in and use it (receive calls …).

I use split DNS so that the name resolves both on my LAN and from OUTSIDE.

On my LAN:
vitxi.MYDOMAIN.fr resolves to the LAN ADDRESS

Outside:
vitxi.MYDOMAIN.fr resolves to the WAN ADDRESS

But I want to be able to use it outside my LAN, so I used Sophos UTM (which uses SQUID as reverse proxy) to access VitXi.
I added a NAT rule for port 8089.

From outside, when I try to access VitXi, I use:
https://vitxi.MYDOMAIN.fr/webrtc/

I can log in, but I get a red popup:

The connection to your server could not be established

and I’m not able to make a call or receive a call.

Regards
David

So I moved forward.
I allowed “websocket” on the firewall, and now I can send or receive calls.

But … I have no sound.

On my laptop, it’s ringing … I answer … but I can’t hear anything … no sound.
Same thing the other way.

Do you have any idea?

Regards

Go to RTP settings.
In ICE settings:

Put in the local host the IP address of the local network, and in the advertised address put the public IP.

Then make a DNAT rule on the firewall to forward ports 443 and 8089.

Make sure to disable the reflexive rule if you have internal routing.

Hi,

Thanks for your help.
I will try this evening.

Regards

Two things to note here.

  1. Wildcard SSL certificates only recently got support in Asterisk; I’m not sure if VitalPBX is already running the version that supports it. (I can check later what version has support. The reason why it wasn’t in Asterisk is because wildcard SSL certs in SIP are against the RFC rules. But hey, everyone is doing it anyway, so they decided to add it.)
  2. We are also using WebRTC behind an NGINX proxy and experience the same issue.
    In the past, it was working fine, but around 6 months ago there was some update to VitXi and since then we started having issues. @maynor kept on saying that the new update requires the server hostname and the domain name to match, which is super annoying as we have multi tenancy with a unique domain for each tenant… As well as the hostname and domain matching isn’t a WebRTC standard requirement.

I also think that because the browser SSL and Asterisk SSL are not the same, that’s probably what’s causing it. Meaning, Asterisk uses the SSL configured on the PBX and the WebRTC client uses your proxy’s SSL.

I think that if VitalPBX offers multi tenancy, they MUST support using different WebRTC domains as well as wildcard SSLs. Additionally, it would be nice if they tested it behind popular proxies such as NGINX, Caddy, HAProxy etc., since proxies are everywhere today for security reasons.

2 Likes

We can make this available on VitalPBX 4. However, this only applies to TLS and not to WSS, which is the protocol that WebRTC applications use.

1 Like

So why aren’t wildcard SSLs allowed with WebRTC then?

2 Likes

Hello Sir,

We are going to perform tests on our development servers. Any news about this will be posted in this topic.

Regards,

1 Like

Hi @maynor,

We have tried copying the SSL from the NGINX reverse proxy to the PBX, but we still get the error. However, we did not restart Asterisk after setting the SSL on the PBX.

Let me know if you need any additional information or if you want me to test something

Thank you

1 Like

Hi PitzKey,

For me, all works fine (except VitalPBX Mobile, I opened a case about it on helpdesk).
I use the same wildcard on VitalPBX and Sophos UTM (to protect access to it).

VitalPBX WebRTC works fine.

I didn’t test with a real phone (Yealink or anything else, I don’t need it now).

Regards

Did you do ALL this?

Allow the IP on your UTM as well!

I can register an extension on VitalPBX Mobile.
(I use the latest version of VitalPBX server: 3.2.3-5)

  • Outside Network (on 4G/5G Mobile Network for example)
    RTP doesn’t work on iPhone.
    So no sound/voice.

  • Inside Network (on same LAN)
    RTP works without any issues.

I can make or receive calls … but without sound.

Regards

1 Like

Hello Sir,

Can you access https://server-address:8089/ws?

Could you please send a screenshot (without showing sensitive data) of your Nginx proxy configuration?

Regards,

Does the VitXi WebRTC not have audio either?

You can check that the “Ice Support” option is enabled. This option can be found in the “RTP Settings” module.

Regards,

ICE Hosts
Add the advertised address and the local address.
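An added example, not part of the thread or of VitalPBX: the "calls connect but no sound" symptom, and the ICE advice above (local address plus advertised public address), can be checked by auditing the ICE candidates in the SDP the PBX sends. The SDP fragments and addresses are constructed, and `audit_sdp` is a hypothetical helper name.

```python
import ipaddress

# Address ranges a client on the internet cannot send RTP to.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10", "169.254.0.0/16", "127.0.0.0/8",  # CGNAT, link-local, loopback
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

def parse_candidates(sdp):
    """Yield (component, address, port, type) for every a=candidate line."""
    for line in sdp.splitlines():
        line = line.strip()
        if not line.startswith("a=candidate:"):
            continue
        f = line[len("a=candidate:"):].split()
        # foundation component transport priority address port "typ" type ...
        if len(f) >= 8 and f[6] == "typ" and f[1].isdigit() and f[5].isdigit():
            yield int(f[1]), f[4], int(f[5]), f[7]

def is_internal(address):
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True   # not an IP literal (e.g. an mDNS *.local name): LAN only
    return any(ip in net for net in INTERNAL)

def audit_sdp(sdp):
    """Return (reachable, internal) lists of 'addr:port' for RTP (component 1)."""
    reachable, internal = [], []
    for component, address, port, _typ in parse_candidates(sdp):
        if component != 1:
            continue
        (internal if is_internal(address) else reachable).append(f"{address}:{port}")
    return reachable, internal

# Constructed SDP fragments. 203.0.113.7 is a documentation address standing in
# for the public IP; 192.168.10.5 stands in for the PBX's LAN address.
SDP_LAN_ONLY = """m=audio 12034 UDP/TLS/RTP/SAVPF 0
a=candidate:Hc0a80a05 1 UDP 2130706431 192.168.10.5 12034 typ host
a=candidate:Hc0a80a05 2 UDP 2130706430 192.168.10.5 12035 typ host
"""
SDP_ADVERTISED = SDP_LAN_ONLY + (
    "a=candidate:Hcb007107 1 UDP 2130706431 203.0.113.7 12034 typ host\n")

if __name__ == "__main__":
    for name, sdp in (("before", SDP_LAN_ONLY), ("after", SDP_ADVERTISED)):
        ok, lan = audit_sdp(sdp)
        print(name, "reachable:", ok, "internal only:", lan)
```

An empty `reachable` list means an outside client has no address to send media to, even though signalling over the proxy succeeded.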

This got solved during a remote support session!!

1 Like

Can you please share the solution for learning purposes :pray:

What fixed it? Thanks