VPN
Yuhter, 2021-10-17 10:07:06

How to forward SIP using iptables between two VPNs?

Good afternoon. I have never dealt with iptables, and here I am again))

The situation is this: there is a machine with Ubuntu behind a router, and the router has a public ("white") IP. Two VPNs are up on this machine: one to the enterprise network, kvnet (10.10.0.0/24), the second to the smartphone, wghub (10.20.0.0/24), plus the local interface enp0s3 (192.168.0.0/24).

Enable forwarding:

sudo sysctl -q -w net.ipv4.ip_forward=1

Enable forwarding between the VPN interfaces (though it looks like this isn't necessary):

sudo iptables -A FORWARD -i wghub -o kvnet -j ACCEPT
sudo iptables -A FORWARD -i kvnet -o wghub -j ACCEPT

Turn on full masquerade)):

sudo iptables -t nat -A POSTROUTING -o wghub -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o kvnet -j MASQUERADE
sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE

As a result, I have:

All machines on the home network and all machines on the work network can be pinged from the smartphone. RDP works. That part of the task is done.

But I want the VoIP dialer on the smartphone, connected to the company's PBX, to work, and it doesn't want to. The call goes through and the other party even hears me, but I don't hear them. The call statistics show that no incoming packets arrive at all. I conclude that SIP needs an incoming connection and it doesn't get through my improvised NAT: the server sends packets to the Ubuntu machine, which then doesn't know what to do with them. I would have let it go at that, but here's the strange thing: I managed to make several calls with two-way audio, and I still don't understand how that happened; I couldn't figure out how to repeat it))

I tried writing strict rules instead of a masquerade, but it didn't work.

Enable NAT:

sudo iptables -t nat -A POSTROUTING -s 10.20.0.0/24 -o kvnet -j SNAT --to-source 10.10.0.2

Rules for forwarding the SIP and RTP ports to the smartphone:

sudo iptables -t nat -A PREROUTING -i kvnet -p udp -m udp --dport 5004:5089 -j DNAT --to-destination 10.20.0.2:5004-5089
sudo iptables -t nat -A PREROUTING -i kvnet -p udp -m udp --dport 10000:20000 -j DNAT --to-destination 10.20.0.2:10000-20000

Please point me in the right direction; I have no experience with iptables at all ((

UPD: Issue resolved. I looked at the open connections towards me from the enterprise's VPN server and saw that the RTP packets were not coming through ports in the 10000-20000 range but through a single port, 8000. I don't know why; the standard range is set in the PBX settings, but that's beside the point now. In the end I wrote one single rule:

sudo iptables -t nat -A PREROUTING -i kvnet -p udp -m udp --dport 8000 -j DNAT --to-destination 10.20.0.2:8000

and everything works as it should.

Thanks to all!


1 answer(s)
nApoBo3, 2021-10-17

Why do you need NAT between these networks? Remove NAT and everything will work. NAT and SIP don't like each other very much.
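The answer's point, that NAT and SIP don't get along, comes down to where SIP carries addresses. Plain SNAT/MASQUERADE rewrites only the IP and UDP headers, while the phone's private address and its RTP port are advertised inside the SIP Via/Contact headers and the SDP body (the c= and m= lines), so the PBX sends RTP to whatever the phone advertised, on the phone's own port, not on a port from the PBX's RTP range. The following is an added example, not code from the question or the answer: a small Python script that parses a constructed INVITE (not a real capture), compares the advertised media endpoint with the post-NAT source address the PBX would see (10.10.0.2 from the question's SNAT rule), and derives the PREROUTING DNAT rule for the advertised port. The interface name kvnet and the addresses are taken from the question; the INVITE itself is made up.

```python
"""Detect a NAT between a SIP phone and its PBX from a single INVITE.

Plain NAT rewrites only the IP/UDP headers.  The phone's private address
and its RTP port travel inside the SIP headers (Via, Contact) and the SDP
body (c= and m= lines), so the PBX sends RTP to whatever the phone
advertised.  Comparing that with the IP source address the PBX actually
saw tells you whether a NAT is in the path and which port needs a mapping.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

DEFAULT_IN_IFACE = "kvnet"   # interface name taken from the question


@dataclass(frozen=True)
class MediaEndpoint:
    kind: str   # "audio", "video", ...
    ip: str     # address from the applicable c= line
    port: int   # port from the m= line


_SDP_CONN = re.compile(r"^c=IN IP4 (\S+)$")
_SDP_MEDIA = re.compile(r"^m=(\w+) (\d+) ")
_SIP_URI_HOST = re.compile(r"sip:(?:[^@>]*@)?([^:;>]+)")


def parse_sip(msg: str) -> tuple[dict[str, str], str]:
    """Split a SIP message into a lower-cased header dict and its body."""
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    headers: dict[str, str] = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def media_endpoints(sdp: str) -> list[MediaEndpoint]:
    """Resolve each m= line to (kind, ip, port) using SDP's c= scoping:
    a media-level c= (after its m= line) overrides the session-level one."""
    session_ip = None
    sections = []                              # [kind, port, media_ip_or_None]
    for line in sdp.splitlines():
        if line.startswith("m="):
            m = _SDP_MEDIA.match(line)
            if m:
                sections.append([m.group(1), int(m.group(2)), None])
        elif line.startswith("c="):
            m = _SDP_CONN.match(line)
            if not m:
                continue                       # IP6 or unparsable: ignore
            if sections:
                sections[-1][2] = m.group(1)   # media-level c=
            else:
                session_ip = m.group(1)        # session-level c=
    return [MediaEndpoint(kind, ip or session_ip, port)
            for kind, port, ip in sections if (ip or session_ip)]


def nat_report(msg: str, observed_src_ip: str) -> dict:
    """Compare what the phone advertises with where its packet came from."""
    headers, body = parse_sip(msg)
    m = _SIP_URI_HOST.search(headers.get("contact", ""))
    contact_host = m.group(1) if m else None
    media = media_endpoints(body)
    mismatched = [ep for ep in media if ep.ip != observed_src_ip]
    return {
        "contact_host": contact_host,
        "media": media,
        "nat_in_path": bool(mismatched) or contact_host not in (None, observed_src_ip),
        "needs_forwarding": mismatched,
    }


def dnat_rules(msg: str, observed_src_ip: str, in_iface: str = DEFAULT_IN_IFACE) -> list[str]:
    """PREROUTING rules that send RTP arriving on in_iface for each advertised
    port to the phone's private address: the shape of the rule the question
    ended up with, but with the port read from the SDP instead of guessed."""
    return [
        f"iptables -t nat -A PREROUTING -i {in_iface} -p udp --dport {ep.port} "
        f"-j DNAT --to-destination {ep.ip}:{ep.port}"
        for ep in nat_report(msg, observed_src_ip)["needs_forwarding"]
    ]


# Constructed sample INVITE from the phone (10.20.0.2) to a hypothetical PBX
# at 10.10.0.50; it is not a real capture.
_SAMPLE_SDP = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 10.20.0.2", "s=-", "c=IN IP4 10.20.0.2", "t=0 0",
    "m=audio 8000 RTP/AVP 0 8 101", "a=rtpmap:0 PCMU/8000",
    "a=rtpmap:8 PCMA/8000", "a=rtpmap:101 telephone-event/8000",
]) + "\r\n"
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:200@10.10.0.50 SIP/2.0",
    "Via: SIP/2.0/UDP 10.20.0.2:5060;branch=z9hG4bK776asdhds",
    "From: <sip:101@10.10.0.50>;tag=1928301774",
    "To: <sip:200@10.10.0.50>",
    "Call-ID: a84b4c76e66710",
    "CSeq: 314159 INVITE",
    "Contact: <sip:101@10.20.0.2:5060>",
    "Content-Type: application/sdp",
    f"Content-Length: {len(_SAMPLE_SDP)}",
]) + "\r\n\r\n" + _SAMPLE_SDP

if __name__ == "__main__":
    # 10.10.0.2 is what the PBX sees after the question's SNAT rule.
    print(nat_report(SAMPLE_INVITE, "10.10.0.2"))
    print("\n".join(dnat_rules(SAMPLE_INVITE, "10.10.0.2")))
```

On a live box you would feed it the INVITE captured with tcpdump or tshark on kvnet. The generated DNAT rule is a per-port workaround that only holds while the phone keeps advertising the same port; the clean fix, as the answer says, is to route between 10.20.0.0/24 and 10.10.0.0/24 without NAT so the advertised address is reachable as-is.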
