Issue with SIP Protocol over UDP in Cloudflare ZTNA (Free Plan)

What is the name of the domain?

N/A

What is the issue you’re encountering?

Context: I have a Cloudflare tunnel set up to expose a PBX server (Asterisk/FreePBX) through Zero Trust (free plan).

Observed Behavior:
- IAX2 Protocol (UDP): Works correctly (calls are established).
- SIP Protocol (UDP): SIP registrations and calls do not complete.

Has anyone successfully implemented SIP over UDP using the Zero Trust free plan? Does SIP require additional configuration?

Note: The IAX2 protocol works, which suggests that the tunnel handles basic UDP traffic, but SIP fails due to specific requirements (e.g., headers, authentication). I would appreciate any technical guidance.

I haven’t tried this kind of setup over cloudflared tunnel yet.

Will try by the end of this week as I do have one campus to manage. Using Yealink phones and Mikrotik (with a switch for a lot of phones), will see if it works or not. Thank you for the idea!

Are you running your VoIP PBX over a Mikrotik router, or?
Are you using a public static IP (although you want to expose a PBX server, so I guess a local one then), or?
Any firewall in between?

Wonder if the IAX2 over UDP (4569) is actually going to work, or rather as you mention signaling typically on UDP 5060, media on RTP range: 10000-20000+ :thinking:

Might need public static IP for that instead.

The NAT might also be a challenge since STUN / TURN.

It might also be that cloudflared tunnel is not SIP compatible, yet :thinking:

Will check if I might be able somehow to switch SIP to TCP or TLS.

Are these working as Proxy for you?

Despite being a costly solution, it might be worth at least trying Cloudflare Spectrum, but only for a small portion of traffic or a short time, since it’s available on higher plans. It does support UDP and other protocols as well.

May I ask if you’ve used monitoring to see where the SIP connection breaks? Like sngrep or Wireshark?

P.S. I’ve got a slight chaos :exploding_head: of cables on site :laughing:


This is a local post.

I have a Cloudflare tunnel (free plan) set up to expose a PBX server (Asterisk/FreePBX) using Zero Trust.
When I make a call using IAX2, it goes through without issues and is handled correctly by the PBX.
But with SIP over UDP, the PBX returns a 401 Unauthorized error.
Using Wireshark (with my local machine as the source and the server as the destination), I can see the 401 response, and the client keeps retrying until the call drops.
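
A 401 is the normal first step of SIP digest authentication, so a capture like the one described above has to be read for what the client sends after it. The following is an added example, not code from the thread, Asterisk or Cloudflare: it classifies one captured dialog by whether the client answers the challenge with an Authorization header. The messages, host name, extension 100, realm and nonce are constructed sample data.

```python
def parse_sip(raw):
    """Return (start_line, headers) for one SIP message; header names lowercased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0].strip().split("\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())
    return head[0].strip(), headers

def classify_auth(messages):
    """Classify one dialog's raw SIP messages (time order) by how the 401/407 was handled."""
    challenged = sent_credentials = False
    for raw in messages:
        start, headers = parse_sip(raw)
        if not start.startswith("SIP/2.0"):  # request from the client
            if challenged and ("authorization" in headers or "proxy-authorization" in headers):
                sent_credentials = True
            continue
        code = int(start.split()[1])
        challenge = headers.get("www-authenticate", headers.get("proxy-authenticate", ""))
        if code in (401, 407):
            # stale=true means "nonce expired, try again", not "wrong password"
            if sent_credentials and "stale=true" not in challenge.lower():
                return "credentials_rejected"
            challenged, sent_credentials = True, False
        elif 200 <= code < 300 and sent_credentials:
            return "authenticated"
    if not challenged:
        return "no_challenge"
    return "no_final_response" if sent_credentials else "challenge_unanswered"

def msg(start, cseq, extra=None):
    """Build a constructed SIP message (placeholder host, documentation IP range)."""
    lines = [start, "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK%d" % cseq,
             "Call-ID: constructed-1@192.0.2.10", "CSeq: %d REGISTER" % cseq]
    return "\r\n".join(lines + ([extra] if extra else [])) + "\r\n\r\n"

REQ, R401, R200 = "REGISTER sip:pbx.example.test SIP/2.0", "SIP/2.0 401 Unauthorized", "SIP/2.0 200 OK"
CHALLENGE = 'WWW-Authenticate: Digest realm="asterisk", nonce="constructed-nonce"'
CREDS = 'Authorization: Digest username="100", realm="asterisk", nonce="constructed-nonce", response="0"'
UNANSWERED = [msg(REQ, 1), msg(R401, 1, CHALLENGE), msg(REQ, 2), msg(R401, 2, CHALLENGE)]
HEALTHY = [msg(REQ, 1), msg(R401, 1, CHALLENGE), msg(REQ, 2, CREDS), msg(R200, 2)]
```

A result of `challenge_unanswered` points at the path or the client (the 401 never reaches the phone, or it has no credentials configured), while `credentials_rejected` points at the account, realm or password on the PBX.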