WireGuard - VOIP WiFi Calling Won't Work

Hi,
I have a GL-MT300N-V2 router. I also use Algo VPN on an Amazon AWS Lightsail server that I have WireGuard setup on. My phone through T-Mobile uses WiFi calling. When I try to make a phone call with WireGuard turned on the call goes through but I can’t hear anything. Im thinking it’s a NAT problem.
Things I have tried to diagnose the problem.

  1. Make a call through the router without WireGuard turned on -->WORKS
  2. Make a call through the router with WireGuard turned on -->DOES NOT WORK
  3. Connect to another Wifi router, turn on WireGuard using the Android App and make a call → WORKS

Which tells me it has something to do with the router. I can’t find any settings that I can try.
Can someone direct me to some options to fix this problem?

Thank you in advance!

Sounds like you get the SIP connection, which does the call setup, but that RTSP isn’t being routed correctly…

RTSP is the audio path of the call which typically is UDP traffic (SIP is TCP)

That’s what I thought too. But…it can’t be. Had to be something with the router. Because when I turn on WineGuard with the android app and place a call it works fine. When I turn on WineGuard with the router no audio. When I turn off WineGuard on the router I’m able to do WiFI calling.

Take a look at the IP tables - not running Wireguard here, but you may have to add/change an entry for the UDP/Port number from DROP to ACCEPT

This is most like caused by double NAT, RTP isn’t great with NAT especially without using STUN or TURN.

When you are using the app on android your phone is assigned an IP from Wireguard so it’s only a single NAT.

When connecting through the router, your router is assigned the Wireguard IP and your phone is issued a NAT’d IP from the router. (by default 192.168.8.x)

Ah…yes. That’s what I bet is happening.
Since I’m using T-Mobile WiFi calling there is no way that I know of to assign a STUN/TURN server.
I can’t think of any way to fix this except to turn off WiFi calling.
With my business VOIP I can assign a STUN server

Yeah, that might be it - whether it’s double NAT, or just the split routing with the WG tunnel on, the client has to consider both paths (SIP and RTP)

It’s complicated - but the VoWIFI service sees the end point address and sets up the RTP path according…

So…

Device → NAT Router → VPN → SIP Server (SIP Service sees the VPN end point addr as the originator, not the client or NAT’ed addr)

SIP server then sets up the RTP path back over UDP

SIP Server → VPN addr

(it’s actually much more complicated than this - I’m giving the 10,000 ft view here)

Might be better to set up VPN on the VOIP client directly, as this cuts thru all the BS in the middle - on a smart phone should be easy enough…