Does IPSec WiFi Calling work behind VPN routers?

Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking
Author Message
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Fri Sep 30, 2022 16:25    Post subject: Does IPSec WiFi Calling work behind VPN routers? Reply with quote
Carrier-based WiFi calling uses IPSec and bypasses whichever VPN installed on phone, but what if the router itself is set to use OpenVPN or WireGuard? Would IPSec WiFi Calling go through router's OpenVPN/WireGuard tunnel without issues?
Sponsor
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Fri Sep 30, 2022 17:18    Post subject: Reply with quote
Does it work: yes
Without issues: no

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Fri Sep 30, 2022 19:06    Post subject: Reply with quote
What are the issues and how can they be resolved while maintaining OpenVPN/WireGuard tunneling for all devices (including devices using IPSec WiFi calling)?
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

PostPosted: Fri Sep 30, 2022 23:13    Post subject: Reply with quote
STFW RTFM (latency, jitter)
egc
DD-WRT Guru


Joined: 18 Mar 2014
Posts: 12837
Location: Netherlands

PostPosted: Sat Oct 01, 2022 7:46    Post subject: Reply with quote
Latency can be problematic, MTU is critical, also do not use SFE (Shortcut Forwarding Engine)

Search for author Tedm he investigated a lot about running VoIP over OpenVPN e.g.:

https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329548&highlight=

but there are more also about MTU form him

_________________
Routers:Netgear R7000, R6400v1, R6400v2, EA6900 (XvortexCFE), E2000, E1200v1, WRT54GS v1.
Install guide R6400v2, R6700v3,XR300:https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=316399
Install guide R7800/XR500: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=320614
Forum Guide Lines (important read):https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=324087
blkt
DD-WRT Guru


Joined: 20 Jan 2019
Posts: 5660

PostPosted: Sat Oct 01, 2022 8:05    Post subject: Reply with quote
OpenVPN defect, bug, on MTU handling - you decide
SIP phone extensions over dd-wrt/openvpn revisited (linked above)
wireguard issue?
Comparison of CHACHA20-POLY1305 vs AES-128-GCM on OpenVPN
Per Yngve Berg wrote:
Tip: Use UDP rather than TCP. OpenVPN have end-to-end control build in. With TCP, you get double end-to-end control that can make packets be transmitted several times.
OpenSource Ghost
DD-WRT User


Joined: 14 Feb 2022
Posts: 50

PostPosted: Sat Oct 01, 2022 14:11    Post subject: Reply with quote
Thanks, I've already seen some of those threads, but I couldn't find anything specific in regards to IPSec WiFi calling running inside OpenVPN or WireGuard tunnel established by router. SIP and IPSec WiFi calling don't use the same protocols.
SurprisedItWorks
DD-WRT Guru


Joined: 04 Aug 2018
Posts: 1444
Location: Appalachian mountains, USA

PostPosted: Sat Oct 01, 2022 19:16    Post subject: Reply with quote
Just a datapoint: I use IPSEC wifi calling on my iPhone XS (iOS 16.0.2) every day over my router (WRT1900ACSv2, on build 49081) with no issues that I'm aware of. Seems fine with either OpenVPN or wireguard tunnels. In fact my typical day has me running the wifi-calling tunnel inside a wireguard tunnel that runs inside an OpenVPN tunnel. No problem.

Last edited by SurprisedItWorks on Sun Oct 09, 2022 22:13; edited 1 time in total
Anoopnk
DD-WRT Novice


Joined: 07 Jun 2021
Posts: 12

PostPosted: Sun Oct 09, 2022 10:01    Post subject: Reply with quote
You can also add PBR to let IPSec through WAN.

I found that for me, it's always the same IP. After adding PBR, never had any issue with WiFi calling. This way only IPSec goes through WAN and all remaining connections goes into VPN.

If you want to intentionally route even IPSec connections then choose the server closest to your location or the server location in order to keep the latency minimal.

Please correct me if I'm wrong.
Display posts from previous:    Page 1 of 1
Post new topic   Reply to topic    DD-WRT Forum Index -> Advanced Networking All times are GMT

Navigation

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You cannot download files in this forum