# SIP via VPN (WireGuard)

## Overview
xynap provides a dedicated SIP access point via the internal WireGuard VPN (wg0). This allows softphones like MicroSIP to make calls directly through the VPN tunnel — without exposing SIP ports to the public internet.
Prerequisite: Active WireGuard connection to the xynap server (IP in the 10.100.x.x range).
## Supported Transport Protocols
| Transport | Port | Encryption | Recommendation |
|---|---|---|---|
| UDP | 5060 | None (VPN tunnel only) | Default — lowest latency |
| TCP | 5060 | None (VPN tunnel only) | For NAT issues |
| TLS | 5061 | TLS + optional SRTP | Maximum security |
**Security:** Since all traffic already traverses the encrypted WireGuard tunnel, plain UDP is sufficient. TLS/SRTP adds a second, independent encryption layer on top of the tunnel.
## Client Configuration

### General Settings
| Setting | Value |
|---|---|
| SIP Server | 10.100.0.1 |
| SIP Proxy | (leave empty) |
| Domain / Realm | 10.100.0.1 |
| Username | Your extension number (e.g. 1000) |
| Password | The SIP password configured in the Platform |
| Transport | UDP, TCP or TLS |
| Port | 5060 (UDP/TCP) · 5061 (TLS) |
| SRTP | Optional (recommended with TLS) |
| Register Refresh | 300 seconds |
| Keep Alive | 15 seconds |
| ICE | Off (0) |
| Publish | On (1) |
**Extension & Password:** You can find your credentials in the xynap Platform under Telephony → Extensions. The same accounts are used for WebRTC.
### MicroSIP (Windows)
```ini
[Account1]
label=xynap VPN
server=10.100.0.1
proxy=
domain=10.100.0.1
username=1000
password=<your SIP password>
authID=
displayName=Your Name
dialingPrefix=
dialPlan=11[02]|115|116xxx|118xx|0800xxxxxxx|0180xxxxxxx|<:+49345>[2-9]xxxxxx|<00:+>x.|<0:+49>x.|<+49(0):+49>x.|+x.|x.
hideCID=0
voicemailNumber=
transport=udp
publicAddr=
SRTP=
registerRefresh=300
keepAlive=15
publish=1
ICE=0
allowRewrite=0
disableSessionTimer=0
```
### MicroSIP with TLS
For encrypted signaling, change `transport=udp` to `transport=tls` (the server listens for TLS on port 5061) and optionally enable SRTP for the media stream.

**TLS Certificate:** With self-signed certificates, disable Verify Server in MicroSIP under Settings → TLS.
### Universal SIP Client Settings
These settings work with any standards-compliant SIP client:
- Registrar / Outbound Proxy: 10.100.0.1
- Username: Extension number
- Auth Username: (same as username)
- Domain: 10.100.0.1
## Dial Plan
Recommended dial plan for German numbers:

```text
11[02]|115|116xxx|118xx|0800xxxxxxx|0180xxxxxxx|<:+49345>[2-9]xxxxxx|<00:+>x.|<0:+49>x.|<+49(0):+49>x.|+x.|x.
```
| Pattern | Description |
|---|---|
| `11[02]` | Emergency (110, 112) |
| `0800xxxxxxx` | Toll-free numbers |
| `<:+49345>[2-9]xxxxxx` | Local area Halle (Saale) without area code |
| `<0:+49>x.` | National numbers → E.164 |
| `<00:+>x.` | International numbers → E.164 |
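To see what this plan actually sends to the server for a given dialed string, here is an added example (not part of the original page or of MicroSIP) that interprets the rules with the assumed Asterisk-style semantics: `x` is one digit, `[..]` a digit set, `.` any further digits, `<a:b>` requires prefix `a` and replaces it with `b`, and rules are tried left to right with the first match winning.

```python
import re

# Dial plan from this page; rules are tried left to right, first match wins (assumed).
DIAL_PLAN = ("11[02]|115|116xxx|118xx|0800xxxxxxx|0180xxxxxxx|<:+49345>[2-9]xxxxxx"
             "|<00:+>x.|<0:+49>x.|<+49(0):+49>x.|+x.|x.")


def parse_rule(rule):
    """Translate one rule into (compiled regex, prefix to strip, prefix to add).

    Assumed syntax: x = one digit, [..] = digit set, . = any further digits,
    <a:b> = the dialed string must start with a, which is replaced by b.
    """
    strip, add = "", ""
    m = re.match(r"<([^:>]*):([^>]*)>", rule)
    if m:
        strip, add = m.group(1), m.group(2)
        rule = rule[m.end():]
    pattern, i = "", 0
    while i < len(rule):
        c = rule[i]
        if c == "x":
            pattern += r"\d"
        elif c == "[":                      # copy a digit set such as [2-9] verbatim
            j = rule.index("]", i)
            pattern += rule[i:j + 1]
            i = j
        elif c == ".":                      # "x." therefore means one or more digits
            pattern += r"\d*"
        else:                               # everything else (+, digits) is literal
            pattern += re.escape(c)
        i += 1
    # The stripped prefix is part of the match, so "<0:+49>x." needs a leading 0.
    return re.compile("^" + re.escape(strip) + pattern + "$"), strip, add


def normalize(number, plan=DIAL_PLAN):
    """Return the number as the client would send it, or None if no rule matches."""
    for rule in plan.split("|"):
        regex, strip, add = parse_rule(rule)
        if regex.match(number):
            return add + number[len(strip):]
    return None


if __name__ == "__main__":
    # Constructed sample inputs: emergency, local, national, international, extension.
    for dialed in ["112", "2345678", "0345123456", "0041221234567",
                   "+49(0)3451234567", "1000"]:
        print(f"{dialed:>18} -> {normalize(dialed)}")
```

Running it shows that 110/112 hit the emergency rule before the catch-all, a local seven-digit number gets +49345 prepended, national and international prefixes are rewritten to E.164, and an extension such as 1000 passes through unchanged.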
## Technical Details

### FreeSwitch VPN Profile
FreeSwitch runs a dedicated Sofia profile vpn on the WireGuard interface:
- SIP-IP / RTP-IP: 10.100.0.1
- Context: default (same dialplan as internal extensions)
- Auth: via Platform API (mod_xml_curl)
- Codecs: opus, G722, PCMU, PCMA
### Firewall Rules (UFW)
```text
10.100.0.1 5060/tcp on wg0 ALLOW Anywhere # SIP TCP via VPN
10.100.0.1 5060/udp on wg0 ALLOW Anywhere # SIP UDP via VPN
10.100.0.1 5061/tcp on wg0 ALLOW Anywhere # SIP TLS via VPN
```
Rules are restricted to the wg0 interface — only VPN clients have access.
### Architecture
```text
┌─────────────┐     WireGuard      ┌──────────────┐
│  Softphone  │◄──────────────────►│     wg0      │
│ (MicroSIP)  │     10.100.x.x     │  10.100.0.1  │
└─────────────┘                    └──────┬───────┘
                                          │
                                   ┌──────▼───────┐
                                   │  FreeSwitch  │
                                   │ vpn Profile  │
                                   │ :5060 / :5061│
                                   └──────┬───────┘
                                          │
                                   ┌──────▼───────┐
                                   │ Platform API │
                                   │ xml_curl Auth│
                                   └──────┬───────┘
                                          │
                                   ┌──────▼───────┐
                                   │  SIP Trunks  │
                                   │ (Plusnet/1&1)│
                                   └──────────────┘
```
## Troubleshooting
| Problem | Solution |
|---|---|
| Registration failed | Check VPN connection (ping 10.100.0.1), verify extension/password in Platform |
| No audio | UDP port 5060 + RTP ports must be reachable via VPN, disable ICE |
| One-way audio | Leave publicAddr empty, disable NAT traversal |
| TLS error | Disable certificate validation in client (self-signed) |
| Registration expires | Set keepAlive=15 and registerRefresh=300 |