Digital Ocean, Floating IP and VoIP


Digital Ocean (here is an referral link, claim your $100 credit) were introduced floating IP in the 2015, but I never use it with VoIP. Time to fix it.

(Dear hackers, at the moment of publishing all the IP addresses releases and data vanished)

Droplet and floating IP

Floating IP 206.189.246.114 pointed in the Digital Ocean console to the newly created droplet with Debian linux. IP addresses of test droplet:

[email protected]:~# /sbin/ifconfig | grep -B 1 'inet '

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 206.189.20.174  netmask 255.255.240.0  broadcast 206.189.31.255
--
eth0:1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.16.0.5  netmask 255.255.0.0  broadcast 10.16.255.255

SIP configuration

For test purpose I’ve installed Asterisk from the OS repository (apt-get install -yqq asterisk) and configured SIP client to register on 206.189.246.114. No luck as expected, SIP packets does not flowing properly:

/images/floating-ip/1-failure.png

Okay, lets try to update sip.conf with following. It’s typical setup for asterisk behind NAT (there is description notes in default sip.conf about externip, externhost and externaddr)

externip=206.189.246.114
nat=force_rport,comedia

And get random results, but in most of cases SIP registration did not worked.

/images/floating-ip/2-ok-but.png

After quick investigation (why there is 3rd IP in the SIP dump), I decided to change SIP bind address to the private IP:

udpbindaddr=10.16.0.5
tcpenable=yes
tcpbindaddr=10.16.0.5
; ...
externip=206.189.246.114
nat=force_rport,comedia

Now all right

/images/floating-ip/3-ok.png

Calls also working

/images/floating-ip/4-call-ok.png

Docker setup

Let’s try to get the same result with docker.

It works if asterisk can bind to the same private IP address where floating IP points, but requires to run container with --net=host option:

docker run -ti --rm \
  --net=host \
  --name asterisk \
  -v /etc/asterisk/sip.conf:/etc/asterisk/sip.conf \
  andrius/asterisk \
  asterisk -vvvddddc

Technically that’s enough for most of use cases, but such Asterisk won’t fit well into development environment with docker-compose; other containers won’t “see” it. I’ll be digging this little bit more. Perhaps if I would pass NET_ADMIN capability or will start container in privileged mode, I would be able to do necessary trick with iptables.