Incredible PBX – Page 20

Lessons Learned: Circling Back for a Second Look at OpenSIPS

Monday, June 24, 2019

Whenever we tackle a new VoIP platform especially for deployment on the open Internet, we think it’s prudent to circle back after a few weeks to review lessons learned and tie up all the loose ends. Today we’ll introduce a number of new KVM cloud providers around the globe at rock-bottom prices plus some new additions to enhance our OpenSIPS firewall design. If you’re just getting started with OpenSIPS, check out the new KVM offerings below and then hop over to our original article which now incorporates all of today’s enhancements. For those that already have deployed OpenSIPS using our previous tutorial, continue reading, and we’ll show you how to deploy the latest and greatest additions.

While we were in the midst of deploying OpenSIPS, Netflix also disclosed four TCP networking kernel vulnerabilities which are especially important to those of us using hosted cloud platforms. Depending upon your provider, these may or may not be patched promptly.

We were reminded this month that reinventing the wheel isn’t always the best solution when it comes to VoIP security. While we’re not throwing in the towel on our BadGuys list, we do want to show you how to supplement it with the VoIP Blacklist from voipbl.org. It adds over 80,000 crowd-sourced IP addresses from around the world. The other lesson learned was that blacklists invariably include some IP addresses of good guys that you actually depend upon. These typically are added to the blacklist by, you guessed it, the bad guys.

With IPtables, the first matching rule always wins so it’s important in structuring firewall rules to insert whitelisted IP addresses BEFORE the blacklist entries so you don’t inadvertently block yourself or some other resource that you actually need. This whitelist should include the IP addresses of your server and workstations as well as the IP addresses of VoIP providers upon whom you rely for communications services. With our OpenSIPS design, the firewall order of preference looks like this: (1) whitelisted IP addresses get full access, (2) blacklisted IP addresses are blocked and get no access, (3) everybody else gets SIP access.

Rather than attempting to patch the Linux kernel on all of the platforms that are being deployed, we think the prudent first step is to narrow the TCP footprint of all public-facing servers. As part of the original OpenSIPS deployment, we already had hidden web access behind the firewall except for specifically enumerated IP addresses. The second most likely TCP vulnerability would be the TCP SIP ports. While we prefer to use UDP ports for SIP access, some prefer TCP. Until the “SACK Panic” vulnerability is patched, we would strongly recommend at least temporarily discontinuing use of TCP as your SIP transport. After all, OpenSIPS is a SIP server, and the TCP SIP port would be the most likely target for mischief.

Turning back to blacklists for a moment, we’ve put together a few simple bash scripts which make it easy to deploy and update your VoIP blacklists. We’ve also developed a script that lets you move IP addresses flagged by Fail2Ban into the ipset SIPFLOOD blacklist while easing the pain of uploading your own blacklisted IP addresses to the voipbl.org site for inclusion in their list. In this way, they will be added in the next day’s blacklist collection for everyone to use. To give you a point of reference, on our half dozen, publicly-exposed honey pot servers, today’s additions to the OpenSIPS firewall have reduced attacks to less than one a day.

Choosing a KVM Platform for OpenSIPS

For those that are frequent visitors, you already know that we’ve been pushing everyone to kiss their local hardware goodbye and join the cloud revolution. When it comes to public-facing VoIP platforms like OpenSIPS, most of us don’t have a choice. You need a static IP address on the open Internet. And, for the sake of security, a KVM cloud platform is a must since OpenVZ platforms don’t support the ipset component of IPtables which makes it easy to block hundreds of thousands of IP addresses without a performance hit on your server. While we previously have identified OpenVZ providers for our Incredible PBX platforms protected by the Travelin’ Man 3 firewall, pure whitelist access simply isn’t an option if you wish to retain the functionality of a VoIP application such as OpenSIPS. So we went on the hunt to identify KVM cloud providers around the world that could offer a KVM VPS with 1GB RAM, 20GB storage, and 1TB of monthly bandwidth for about $25 a year. No small feat! But our friends at LowEndTalk have come through. Read the message thread and find an offer with a site that best meets your requirements. Many of the KVM offers require you to open a ticket to get the special pricing and configuration outlined above. Here’s a short list of our favorites, but remember to only use the KVM offerings below for OpenSIPS!

Provider	RAM	Disk	Bandwidth	Performance as of 12/1/19	Cost
CrownCloud KVM (LA)	1GB	20GB + Snapshot	1TB/month	598Mb/DN 281Mb/UP 2CPU Core	$25/year Best Buy!
Naranjatech KVM (The Netherlands)	1GB	20GB	1TB/month	Hosting since 2005 VAT: EU res.	20€/year w/code: SBF2019
BudgetNode KVM (LA)	1GB	40GB RAID10	1TB/month	Also available in U.K PM @Ishaq on LET before payment	$24/year
FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA)	1GB	20GB SSD	3TB/month	Pick EGG loc'n Open ticket for last 5GB SSD	$30/year w/code: LEBEGG30

Introducing the VoIP Blacklist

We’ve always dreamed of an effective VoIP Blacklist, and many have tried. But the crowd-sourced VoIP Blacklist at voipbl.org is the real deal. Everybody can post entries (including the bad guys) and, magically, most of the illegitimate entries get sifted out before the next day’s list is released. We’ve made this easy in two ways. First, the list gets populated every night while you sleep. At last count, there were 84,504 IP addresses. And, second, to contribute to the blacklist, run iptables -nL weekly to see if Fail2Ban has snagged any bad guys. If so, simply run the new /root/blacklist utility which will move them into your local blacklist and also format the entries for easy submission to voip.bl whenever you feel the urge. Simply issue the command cat /root/blcklist.txt to display the entries you just blacklisted. Then cut-and-paste the results and post them to the VoIP Blacklist. The whole process takes less than a minute, and you’ll be contributing to a very valuable VoIP resource while also using it.

Upgrading Existing OpenSIPS KVM/OVZ7 Platforms

If you already have installed OpenSIPS using the previous Nerd Vittles tutorial on a KVM or OVZ7 platform, then the rest of today’s article is for you. If you’re just getting started, hop over to our original article which now incorporates all of today’s enhancements including the VoIP Blacklist.

We’ve made today’s upgrade easy. Just download the OpenSIPS upgrade tarball, untar it, and run the included installer. In less than a minute, you’ll have all the new pieces without disturbing your existing configuration.

To get started, log into your KVM or OVZ7 server as root using SSH or Putty and issue these commands:

cd /
wget http://incrediblepbx.com/opensips-upgrade1.tar.gz
tar zxvf opensips-upgrade1.tar.gz
rm -f opensips-upgrade1.tar.gz
/root/opensips-upgrade1

Originally published: Monday, June 24, 2019

Need help with Asterisk? Visit the VoIP-info Forum.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.

Virtual Paradise: It’s Incredible PBX 13-13.10 for VMware

Monday, June 17, 2019 / 6 Comments on Virtual Paradise: It’s Incredible PBX 13-13.10 for VMware

Let’s face it. Virtual Machines are the future of server administration. Whether you prefer your own dedicated hardware or cloud-based resources managed by you or someone else, virtual platforms are the way to go. You get more bang for the buck out of your hardware by pooling resources for multiple tasks. VMware® and VirtualBox® make it easy. Today we’re pleased to introduce our latest build for VMware. It provides the latest Asterisk® 13 and FreePBX® 13 GPL components from source in about 15 minutes.

Just download the VMware .zip image from SourceForge to your desktop and unzip it. Fire up your browser and login to your VMware Web Console. With a few mouse clicks, you’ll have a CentOS 6.10 platform in place with Incredible PBX® just a single keystroke away. It doesn’t get much easier. And, you get the very latest release of Asterisk 13 compiled from source code that you can actually examine, enhance, and share… just like the GPL license says.

Choosing a Virtual Machine Platform

Making the right deployment choice for your virtual machine platform depends upon a number of factors. We initially started out with Proxmox 4 which looked promising. After all, we had used and recommended earlier releases of Proxmox for many years until some security vulnerabilities caused us to look elsewhere. Those kernel issues are now a thing of the past, but Proxmox 4 introduced some new wrinkles. First, to stay current with software fixes and updates, you have to pay the piper by signing up for the annual support license. This turned out to be a deal breaker for a couple of reasons. It was expensive since it’s based upon the number of CPUs in your platform. In the case of the hardware shown below, that turned out to be 4 CPUs (by Proxmox’s calculation) which meant the annual support license would run nearly $400 per year. That buys an enormous number of cloud-based virtual machines without having to babysit hardware at all. So we’ve reluctantly concluded that Proxmox 4 isn’t a particularly good fit for development or production use.

We’ve already sung the praises of VirtualBox so we wont’ repeat it here. VMware also is rock-solid and has been for more than fifteen years. VMware typically runs on dedicated hardware. If you don’t have the funds for a hardware purchase to support your virtualization requirements, then VirtualBox on your desktop machine is a no-brainer. For many, however, some separation of the virtualization environment from your desktop computing environment is desirable. That choice is equally easy. VMware wins, hands down. Better yet, you can make snapshot backups of your virtual machines in seconds with a single button click. If you’ve wrestled with backups on standalone hardware with Linux, you’ll quickly appreciate the difference.

Getting Started with VMware ESXi

Many of you have VMware platforms already in place at work. For you, installing Incredible PBX 13-13.10 is as simple as downloading the image to your desktop and importing it into your existing platform. Better yet, your system administrator can do it for you. If you’re new to VMware, here’s an easy way to get started, and the software won’t cost you a dime. VMware offers a couple of free products that will give you everything you need to run a robust VMware platform on relatively inexpensive hardware. The choice is up to you.

A Free VMware Platform for SOHO Apps

Before you can download the components for the free VMware ESXi platform, you’ll need to sign up for a free account at my.vmware.com. Once you’re signed up, log in and follow these simple steps to sign up for a free ESXi license key and download the ESXi version 6 software:

Write down your assigned License Key
Manually download the VMware vSphere Hypervisor 6.5 ISO
Manually download the VMware vSphere Client 6.5

Next, burn the ISO to a CD/DVD and boot your dedicated VM hardware platform with it. Follow the instructions to complete the install. Next install the vSphere Client on a Windows computer. Don’t forget to add your ESXi License Key when you complete the installation. Once the ESXi server is up and running, you can stick the hardware on a shelf somewhere out of the way. You will rarely interact with it. That’s all handled using either the VMware vSphere Client on your Windows Desktop or the VMware Web Console. Don’t forget to apply your License Key once VMware ESXi is up: Virtual Machines -> Licensing -> Apply License.

Deploy VMware Template with vSphere Client

Deploying an Incredible PBX template takes about two minutes, but first you need to download the Incredible PBX 13-13.10 template from SourceForge onto your Windows Desktop and unzip it.

Once the Incredible PBX template components are on your desktop, here are the deployment steps:

1. Login to the vSphere Client on your Windows Desktop using the root account you set up when you installed ESXi. Choose File, Deploy OVF Template.

2. Select the two Incredible PBX components from your desktop PC.

3. Click Next.

4. Give the new Virtual Machine a name.

5. IMPORTANT: Choose Thin Provision option and click Next.

6. Review your entries and click Next to create the new Virtual Machine.

7. It only takes a couple minutes to create the new Virtual Machine.

8. The Main Client window will redisplay and your new VM should now be shown in the left panel. (1) Click on it. (2) Then click the Green start icon. (3) Then click the Console Window icon.

9. When the VM’s Console Window opens, click in the window in the black area. Log into your virtual machine as root using the default password: password.

10. To complete the Incredible PBX setup, you will automatically be walked through the short installation procedure when you start the virtual machine. Following the automatic reboot, just log in a second time as root and the install will complete.

11. To add Incredible Fax support with HylaFax and AvantFax, run: /root/incrediblefax13.sh.

12. Set up the proper time zone for your server: /root/timezone-setup.

13. Next, reset your root password and make it very secure: passwd.

14. Finally reset your admin password for web access to your server: /root/admin-pw-change.

15. Reset Enchilada passwords at any time by running: /root/update-passwords.

Press Ctrl-Alt to get your mouse and keyboard out of the console window.

Installing the vSphere Web Client

If you’re lucky, you may not have a Windows machine. The downside is that the vSphere Client described above only works on the Windows platform. After a good bit of searching, we finally uncovered a simple way to install the latest vSphere Web Client. It is pure HTML5 with no Flash code! While still under development, VMware has made progress, and it shows. Most of the feature set of vSphere Client now is available from the convenience of your browser. Just point it to the IP address of your VMware server like this: https://ip-address/ui/.

Here’s how to install the vSphere Web Client:

1. Log into the console of your ESXi server as root using your root password.

2. Press F2 to Customized System.

3. Choose Troubleshooting Options.

4. Choose Enable SSH.

5. Using a Terminal window on a Mac or Linux machine or using Putty with Windows, log into the IP address of your ESXi server as root.

6. Issue the following commands to install the latest vSphere Web Client vib and disable http firewall blockage:

esxcli software vib install -v http://download3.vmware.com/software/vmw-tools/esxui/esxui-signed-latest.vib
esxcli network firewall ruleset set -e true -r httpClient

7. Using a web browser, login to the web client as root at https://ESXi-server-IP-address/ui/

8. Should you ever wish to remove the web client from your server:

esxcli software vib remove -n esx-ui

9. You may wish to disable SSH access when you’re finished. Just repeat steps 1-4 above.

Here’s what a typical Incredible PBX Virtual Machine looks like in the web client once you’ve added the VMware Tools to your virtual machine as documented below. There’s even a Console window.

Under the Virtual Machines tab, you now can manage and add new VMs directly.

Installing VMware Tools in a Virtual Machine

If you plan to manage your virtual machines using the vSphere Web Client and a browser, then you definitely will want to install the VMware Tools in each of your virtual machines.

For ESXi 6.0, your only choice is VMwareTools. Here’s how to install:

1. Start up your VM and login as root.

2. From the Windows vSphere Client, right click on virtual machine you started.

3. Choose Guest:Install VMware Tools.

4. Return to the Linux CLI of your virtual machine and issue the following commands. Accept all of the defaults in the installation script when it is run in the final step below:

mkdir /mnt/cdrom
mount /dev/cdrom /mnt/cdrom
ls /mnt/cdrom
cd /tmp
tar -zxvf /mnt/cdrom/VMwareTools*
umount /mnt/cdrom
cd vmware-tools-distrib
./vmware-install.pl

For ESXi 6.5, we prefer the new GPL VMware open-vm-tools. Here’s how to install:

1. Start up your VM and login to the VM as root using SSH or Putty.

2. From the Linux CLI, issue the following commands:

yum -y install --enablerepo=epel open-vm-tools
reboot

Special thanks to John Borhek (@unsichtbarre on the PIAF Forum) for the VMware lessons. 🙂

That should be enough tutorial for today. Enjoy your new VMware platform.

Continue Reading: Configuring Extensions, Trunks & Routes

Don’t Miss: Incredible PBX Application User’s Guide covering the 31 Whole Enchilada apps

Originally published: Monday, December 18, 2017 Updated: Monday, June 17, 2019

Need help with Asterisk? Visit the VoIP-info Forum.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.

Safely Deploying Incredible PBX on the Wide Open Internet

Monday, June 3, 2019 / 1 Comment on Safely Deploying Incredible PBX on the Wide Open Internet

We’ve previously documented the benefits of SIP URI calling. Because the calls are free from and to anywhere in the world, the use case is compelling. The drawbacks, particularly with Asterisk® servers, have primarily centered around the security implications of exposing SIP on a publicly-accessible server. Today we want to take another look at an open Internet SIP implementation for Asterisk based upon the pioneering work of Dr. Lin Song back in the PBX in a Flash heyday. We’ve embellished Lin’s original IPtables creation and our original article with some additional security mechanisms for Fail2Ban, Asterisk, FreePBX®, and Travelin’ Man 3. Special thanks also for a terrific tutorial from JavaPipe. All of today’s implementation is open source code which you are more than welcome to use or improve pursuant to GPL3.

July 22 UPDATE: New Incredible PBX 16-15-PUBLIC deployment tutorial is now available here.

Consider this. If everyone in the world had an accessible SIP address instead of a phone number, every call to every person in the world via the Internet would be free. That pretty much sums up why SIP URIs are important. The syntax for SIP URIs depends upon your platform. With Asterisk they look like this: SIP/somebody@FQDN.yourdomain.com. On SIP phones, SIP URIs look like this: sip:somenameORnumber@FQDN.yourdomain.com. Others use somenameORnumber@FQDN.yourdomain.com. Assuming you have a reliable Internet connection, once you have “dialed” a SIP URI, the destination SIP device will ring just as if the called party had a POTS phone. Asterisk® processes SIP URIs in much the same way as calls originating from commercial trunk providers except anonymous SIP calls are blocked.

While we have tested today’s design extensively including implementation of a cloud-based server with no security issues since deployment over four months ago, we still don’t recommend this SIP design for mission-critical PBXs because there remain some security risks with denial of service attacks and zero-day vulnerabilities. For these deployments, Incredible PBX® coupled with the Travelin’ Man 3 firewall which blocks SIP access except from whitelisted IP addresses and FQDNs has no equal. When properly deployed, the bad guys cannot even see your server much less attack it. A typical use case for today’s new SIP design would be a public Asterisk server that provides anonymous SIP access to the general public without any exposure to the corporate jewels. For example, we’ve put up a demonstration server that provides news and weather reports. In the corporate world, an equivalent deployment might provide access to a product database with pricing and availability details. Our rule of thumb before deploying today’s platform would be to ask yourself what damage could be inflicted if your server were totally compromised. If the answer is zero, then proceed. Otherwise, stick with Incredible PBX and the Travelin’ Man 3 firewall. The ideal platform for deployment using the same rule of thumb as above is one of the $1 a month cloud platforms.

Provider	RAM	Disk	Bandwidth	Performance as of 12/1/19	Cost
CrownCloud KVM (LA)	1GB	20GB + Snapshot	1TB/month	598Mb/DN 281Mb/UP 2CPU Core	$25/year Best Buy!
Naranjatech KVM (The Netherlands)	1GB	20GB	1TB/month	Hosting since 2005 VAT: EU res.	20€/year w/code: SBF2019
BudgetNode KVM (LA)	1GB	40GB RAID10	1TB/month	Also available in U.K PM @Ishaq on LET before payment	$24/year
FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA)	1GB	20GB SSD	3TB/month	Pick EGG loc'n Open ticket for last 5GB SSD	$30/year w/code: LEBEGG30

Overview. There are a number of moving parts in today’s implementation. So let’s briefly go through the steps. Begin with a cloud-based installation of Incredible PBX. Next, we’ll upgrade the Fail2Ban setup to better secure a publicly-accessible Asterisk server. We’ll also customize the port for SSH access to reduce the attack rate on the SSH port. You’ll need a fully-qualified domain name (FQDN) for your server because we’ll be blocking all access to your server by IP address. If you want to allow SIP URI calls to your server, you’ll need this FQDN. If you want to also allow SIP registrations from this same FQDN, then a single FQDN will suffice; however, with OpenVZ platforms, we recommend using a different (and preferably more obscure) FQDN for SIP registrations since registered users have an actual extension on your PBX that is capable of making outbound calls which usually cost money. In this case, the obscure FQDN performs double-duty as the equivalent of a password to your PBX. For example, an FQDN such as hk76dl34z.yourdomain.com would rarely be guessed by an anonymous person while sip.yourdomain.com would be fairly obvious to attempted intruders. But that’s your call.

Using whatever FQDN you’ve chosen for SIP registrations, we’ll add an entry to /etc/asterisk/sip_custom.conf that looks like this: domain=hk76dl34z.yourdomain.com. That will block all SIP registration attempts except from that domain. It will not block SIP invitations! The next step will be to add a new [from-sip-external] context to extensions_override_freepbx.conf. Inside that context, we’ll specify the FQDN used for public SIP URI connections to your server, e.g. sip.yourdomain.com. This will block SIP invitations except SIP URIs containing that domain name. We’ll also define all of the extensions on your Asterisk server which can be reached with SIP URI invitations. These could be actual extensions, or ring groups, or IVRs, or Asterisk applications. The choice is yours. These SIP URI authorizations can be either numeric (701@sip.yourdomain.com) or alpha (weather@sip.yourdomain.com) or alphanumeric (channel7@sip.abc.com). Finally, we’ll put the new IPtables firewall rules in place and adjust your existing iptables-custom setup to support the new publicly-accessible PBX. For example, we’ll still use whitelist entries for web access to your server since anonymous users would cause nothing but mischief if TCP ports 80 and 443 were exposed. It’s worth noting that KVM platforms provide a more robust implementation of IPtables that can block more types of nefarious traffic. We’ve supplemented the original article with a KVM update below. With OpenVZ platforms, we have to rely upon Asterisk to achieve IP address blocking and some types of packet filtering. So why not choose a KVM platform? It’s simple. These platforms typically cost twice as much as equivalent OpenVZ offerings. With this type of deployment, KVM is worth it.

Installing Incredible PBX Base Platform

Today’s design requires an Incredible PBX platform on a cloud-based server. Start by following this tutorial to put the pieces in place. We recommend you also install the Whole Enchilada addition once the base install is finished. Make sure everything is functioning reliably before continuing.

Upgrading the Fail2Ban Platform

Because this will be a publicly-accessible server, we’re going to tighten up the Asterisk configuration in Fail2Ban and lengthen the bantime and findtime associated with Fail2Ban’s Asterisk log monitoring. We also recommend that you whitelist the IP addresses associated with your server and PCs from which you plan to access your server so that you don’t inadvertently block yourself.

Log into your server as root and issue the following commands. When the jail.conf file opens in the nano editor, scroll down to line 34 and add the IP addresses you’d like to whitelist to the existing ignoreip settings separating each IP address with a space. Then press Ctrl-X, Y, then Enter to save your changes. Verify that Fail2Ban restarts successfully.

cd /etc/fail2ban
wget http://incrediblepbx.com/fail2ban-public.tar.gz
tar zxvf fail2ban-public.tar.gz
rm -f fail2ban-public.tar.gz
nano -w jail.conf
service fail2ban restart

If you ever get locked out of your own server, you can use the Serial Console in your VPS Control Panel to log into your server. Then verify that your IP address has been blocked by issuing the command: iptables -nL. If your IP is shown as blocked, issue this command with your address to unblock it: fail2ban-client set asterisk unbanip 12.34.56.78

Obtaining an FQDN for Your Server

Because we’ll be blocking IP address SIP access to your server, you’ll need to obtain one or perhaps two FQDNs for your server. If you manage DNS for a domain that you own, this is easy. If not, you can obtain a free FQDN from ChangeIP here. Thanks, @mbellot.

For the FQDN that you’ll be using for SIP registrations on your server, configure Asterisk to use it by logging into your server as root and issuing the following command using your new FQDN, e.g. xyz.yourdomain.com. Thanks, @ou812.

echo "domain=xyz.yourdomain.com" >> /etc/asterisk/sip_custom.conf

SECURITY ALERT: Never use the SIP URI MOD on a server such as this one with a publicly-exposed SIP port as it is possible for some nefarious individual to spoof your FQDN in the headers of a SIP packet and easily gain outbound calling access using your server’s trunk credentials.

Customizing the [sip-external-custom] Context

All FreePBX-based servers include a sip-external-custom context as part of the default installation; however, we need a customized version to use for a publicly-accessible PBX. You can’t simply update the context in /etc/asterisk/extensions.conf because FreePBX will overwrite the changes the next time you reload your dialplan. Instead we have to copy the context into extensions_override_freepbx.conf and make the changes there. So let’s start by copying the new template there with the following commands:

cd /tmp
wget http://incrediblepbx.com/from-sip-external.txt
cd /etc/asterisk
cat /tmp/from-sip-external.txt >> extensions_override_freepbx.conf
rm -f /tmp/from-sip-external.txt
nano -w extensions_override_freepbx.conf

When the nano editor opens the override file, navigate to line #10 of the [from-sip-external] context and replace xyz.domain.com with the FQDN you want to use for SIP invites to your server. These are the connections that are used to actually connect to an extension on your server (NOT to register). As noted previously, this can be a different FQDN than the one used to actually register to an extension on your server. Next, scroll down below line #27, and you will see a series of lines that actually authorize anonymous SIP connections with your server. There are two numeric entries and also two alpha entries to access the News and Weather apps on your server. The 13th position in the dialplan is required for all authorized calls.

exten => 947,13,Dial(local/947@from-internal)
exten => 951,13,Dial(local/951@from-internal)
exten => news,13,Dial(local/951@from-internal)
exten => weather,13,Dial(local/947@from-internal)

You can leave these in place, remove them, or add new entries depending upon which extensions you want to make publicly accessible on your server. Here are some syntax examples for other types of server access that may be of interest.

; Call VoIP Users Conference
exten => 882,13,Dial(SIP/vuc@vuc.me)
exten => vuc,13,Dial(SIP/vuc@vuc.me)
; Call Default CONF app
exten => 2663,13,Dial(local/${EXTEN}@from-internal)
exten => conf,13,Dial(local/2663@from-internal)
; Call Bob at Local Extension 701
exten => 701,13,Dial(local/${EXTEN}@from-internal)
exten => bob,13,Dial(local/701@from-internal)
; Call Default Inbound Route thru Time Condition
exten => home,13,Goto(timeconditions,1,1)
; Call Inbound Trunk 8005551212
exten => 8005551212,13,Goto(from-trunk,${DID},1)
; Call Lenny
exten => 53669,13,Dial(local/${EXTEN}@from-internal)
exten => lenny,13,Dial(SIP/2233435945@sip2sip.info)
; Call any toll-free number (AT&T Directory Assistance in example)
exten => information,13,Dial(SIP/18005551212@switch.starcompartners.com)

Once you’ve added your FQDN and authorized SIP URI extensions, save the file: Ctrl-X, Y, then Enter.

One final piece is required to enabled anonymous SIP URI connections to your server:

echo "allowguest=yes" >> /etc/asterisk/sip_general_custom.conf

Now restart Asterisk: amportal restart

UPDATE for DialPlan Junkies: We received a few inquiries following publication inquiring about the dialplan design. We’ve taken advantage of a terrific feature of Asterisk which lets calls fall through to the next line of a dialplan if there is no match on a Goto(${EXTEN},13) command. For example, if a caller dials ward@sip.domain.com and there is a line 12 in the dialplan directing the call to ward,13 which exists, call processing will continue there. However, if the extension does not exist, the call will not be terminated. Instead, if there exists a more generic line 13 in the dialplan, e.g. exten => _X.,13,Goto(s,1), call processing will continue there. We use this trick to then redirect the call to an ‘s’ extension sequence to announce that the called extension could not be reached. It’s the reason all of the whitelisted extensions have to have the same line 13 designation so that call processing can continue with the generic line 13 when a specific extension match fails.

Configuring IPtables for Public SIP Access

You may recall that, with Incredible PBX, we bring up the basic IPtables firewall using the /etc/sysconfig/iptables rules. Then we add a number of whitelist entries using /usr/local/sbin/iptables-custom. We’re going to do much the same thing with today’s setup except the rule sets are a bit different. Let’s start by putting the default iptables-custom file in place:

cd /usr/local/sbin
wget http://incrediblepbx.com/iptables-custom-public.tar.gz
tar zxvf iptables-custom-public.tar.gz
rm -f iptables-custom-public.tar.gz
nano -w iptables-custom

When the nano editor opens, scroll to the bottom of the file. You’ll note that we’ve started a little list of notorious bad guys to get you started. Fail2Ban will actually do a pretty good job of managing these, but for the serious recidivists, blocking them permanently is probably a good idea. In addition to the bad guys, you’ll want to whitelist your own IP addresses and domains so that you don’t get blocked from FreePBX web access to your server. The syntax looks like the following two examples:

/usr/sbin/iptables -I INPUT -s pbxinaflash.dynamo.org -j ACCEPT
/usr/sbin/iptables -I INPUT -s 8.8.8.8                -j ACCEPT

Whenever you make changes to your IPtables configuration, remember to restart IPtables using the following command ONLY: iptables-restart

Now let’s put the final IPtables piece in place with the default IPtables config file:

cd /etc/sysconfig
wget http://incrediblepbx.com/iptables-public.tar.gz
tar zxvf iptables-public.tar.gz
rm -f iptables-public.tar.gz
nano -w iptables

When the nano editor opens the file, scroll down to line 55 which controls the TCP port for SSH access to your server. We strongly recommend you change this from 22 to something in the 1000-2000 range. HINT: Your birth year is easy to remember. In the next step, we’ll make the change in your SSH configuration as well.

Next, scroll down to lines 148 and 149. Replace YOUR_HOSTNAME.no-ip.com on both lines with the FQDN of your server that will be used to accept SIP invitations (connections) on your server. These entries have no effect on SIP registrations which we covered above!

Once you’ve made these changes, save the file BUT DO NOT RESTART IPTABLES JUST YET.

Securing the SSH Access Port

TCP port 22 is probably one of the most abused ports on the Internet because it controls access to SSH and the crown jewels by default. Assuming you changed this port in the IPtables firewall setup above, we now need to change it in your SSH config file as well. Edit /etc/ssh/sshd_config and scroll down to line 12. Change the entry to: Port 1999 assuming 1999 is the port you’ve chosen. Be sure to remove the comment symbol (#) at the beginning of the line if it exists. Then save the file.

You’ll also want to update the SSH port in Fail2Ban. Edit /etc/fail2ban/jail.conf and search for port=ssh. In the [ssh-iptables] context, change the entry to port=1999 assuming 1999 is your chosen port. Save the file and reboot your server. Then you should be all set.

Dealing with the Bad Guys

You’ll be amazed how quickly and how many new friends you’ll make on the public Internet within the first few hours. You can watch the excitement from the Asterisk CLI by logging into your server as root and issuing the command: asterisk -rvvvvvvvvvv. Another helpful tool is to monitor your IPtables status which will show IP addresses that have been temporarily blocked by Fail2Ban: iptables -nL. This will catch most of the bad guys and block them. But some are smarter than others, and many know how to spoof IP addresses in SIP packets as you will quickly see. Unlike on KVM platforms, IPtables on most OpenVZ platforms cannot search packets for text strings which is a simple way to block many of these attackers. HINT: You get what you pay for. And, in some cases, attackers disguise their address or use yours. We’ve now found that ${SIPURI} holds the caller’s true identity so we’ve updated the code accordingly. Whether to permanently block these guys is completely up to you. A typical SIP INVITE before such a call is dropped only consumes about 100 bytes so it’s usually not a big deal. You also can manually block callers using the Fail2Ban client with the desired IP address: fail2ban-client set asterisk banip 12.34.56.78.

Additional Security on KVM Platforms

As we mentioned above, a KVM platform provides considerably more security for your public-facing server because you can block entire countries using the ipset extension to IPtables. You can read all about it here. After considerable discussion and suggestions on the PIAF Forum, we would offer the following code which blocks the countries we have identified as causing the majority of problems. First, modify your /etc/sysconfig/iptables configuration and insert the following code in the IPSPF section of the script around line 93. You can change the list of blocked countries to meet your own needs. Just be sure to make the same country-code changes in the blockem.sh script which we will cover in step 2. A list of available country codes can be found here. Save your changes, but do NOT restart IPtables just yet.

-A IPSPF -m set --match-set cn src -j DROP
-A IPSPF -m set --match-set ru src -j DROP
-A IPSPF -m set --match-set ps src -j DROP
-A IPSPF -m set --match-set kp src -j DROP
-A IPSPF -m set --match-set ua src -j DROP
-A IPSPF -m set --match-set md src -j DROP
-A IPSPF -m set --match-set nl src -j DROP
-A IPSPF -m set --match-set fr src -j DROP
-A IPSPF -m set --match-set SIPFLOOD src -j DROP

Second, we want to add a new /etc/blockem.sh script and make it executable (chmod +x /etc/blockem.sh). With the exception of the SIPFLOOD entry which is our custom Bad Guys List, make sure the country list in line #5 below matches the dropped countries list you added to IPtables in step #1 above.

#!/bin/bash
cd /etc
wget -qO - http://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz| tar zxvf -
for i in \\
cn ru ps kp ua md nl fr
do
/usr/sbin/ipset create -exist $i hash:net
for j in $(cat $i.zone); do /usr/sbin/ipset add -exist $i $j; done
done
wait
sleep 5
wget http://incrediblepbx.com/badguys.tar.gz
tar zxvf badguys.tar.gz
rm -f badguys.tar.gz
/usr/sbin/ipset restore -! < /etc/SIPFLOOD.zone
wait
sleep 5
service iptables restart
wait
sleep 5
/usr/local/sbin/iptables-custom
wait
sleep 5
service fail2ban restart
wait
exit 0

Third, try things out by running the script: /etc/blockem.sh. Verify that IPtables is, in fact, blocking the listed countries: iptables -nL.

Finally, we recommend adding the script to /etc/rc.d/rc.local replacing the existing iptables-restart line. In that way, it gets run whenever you reboot your server.

In choosing a KVM platform, we've had good luck with the $5/month Digital Ocean platform where you still can get a $50 credit to kick the tires for 60 days, Vultr (similar pricing to D.O. also with a $50 credit). With either of these providers, you can add automatic backups for an extra dollar a month. In the bargain basement (may not be here tomorrow) category, we like the following providers. Many other low-cost options are documented on the LowEndBox site. Just don't invest more than you can afford to lose... and make a backup.¹

Connecting a SIP Phone to OpenSIPS or LinPhone

If you followed along in our OpenSIPS adventure, then it's easy to test some SIP URI calls to your new server. You can connect virtually any kind of SIP telephone or endpoint to OpenSIPS. Another easy way to try out SIP calling is to first set up a free LinPhone Account.

You can find dozens of recommendations for hardware-based SIP phones both on Nerd Vittles and the PIAF Forum. For today we'll get you started with one of our favorite (free) softphones, YateClient. It's available for almost all desktop platforms. Download YateClient from here. Run YateClient once you’ve installed it and enter the credentials for your OpenSIPS or LinPhone account you've previously created. You’ll need the IP address of your OpenSIPS server or LinPhone's FQDN (sip.linphone.org) plus your account’s password. Fill in the Yate Client template using the IP address or FQDN as well as your Username and whatever Password you assigned to the account when you created it. Click OK to save your entries.

Once the Yate softphone shows that it is registered, try a test call to one of the SIP URIs you authorized on your new Asterisk server or try ours:

If you don't happen to have an OpenSIPS server or a LinPhone SIP account to play with but you have another Asterisk server, then the simple way to enable SIP URI extensions is by editing /etc/asterisk/extensions_custom.conf. In the [from-internal-custom] context, add an extension that can be used to contact any desired SIP URI. Then reload your dialplan: asterisk -rx "dialplan reload". Now dial that extension (2468 in the following example) from any phone connected to your Asterisk server. The entry would look something like this to call our SIP URI for the latest weather forecast:

NEWS FLASH: A new One-Minute Installer to use Incredible PBX on the open Internet is now available here.

Originally published: Monday, June 3, 2019

Need help with Asterisk? Visit the VoIP-info Forum.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.

Digital Ocean and Vultr provide modest referral credits to Nerd Vittles for those that use our referral code. It in no way colors our recommendations regarding these two providers, both of whom we use extensively. [↩]

Skyetel Introduces a Spring Boatload of New VoIP Features

Tuesday, May 28, 2019

Spring is sprung and what better time for our Platinum Sponsor, Skyetel, to introduce a boatload of new features for their already outstanding, triple-redundant VoIP platform. Better yet, you still can take advantage of their half-price VoIP offer on up to $500 of communications services. Whether your wish list included SMS and MMS messaging , or faxing, or SPAM call filtering, or endpoint monitoring, or call recording and transcription, today’s your lucky day. You get all of them in the same familiar Dashboard you’ve been using. Let’s begin with a quick pricing overview and the sign up procedure, then on to the good stuff.

Skyetel Pricing Overview

This summary is not intended to be an exhaustive listing of all Skyetel services. Follow this link for a complete summary of fees and services. Incoming conversational calls are a penny a minute. Traditional DIDs are $1 per month. Toll free numbers are an additional 20¢ per month. Outbound conversational calls are $0.012 per minute. DIDs can be SMS/MMS enabled for 10¢ per month. Incoming SMS messages are a half penny apiece. Outbound SMS messages are a penny. MMS messages are 2¢ each. E911 service is $1.50 per month. CallerID lookups are $0.004 per call. Spam call filtering is $0.006 per inbound call. Voicemail transcription is available for 10¢ per message. Call recording is $.0025/minute. Call transcription is an additional $.005/minute. Storage of call recordings for up to 30 days is free. Effective 10/1/2023, $25/month minimum spend required.

Divide all these prices by 2 when you take advantage of the Nerd Vittles BOGO special below.

Signing Up for Skyetel Service

So here’s the drill to sign up for Skyetel service and take advantage of the Nerd Vittles special. First, complete the Prequalification Form here. You then will be provided a link to the Skyetel site to complete your registration. Once you have registered on the Skyetel site and your account has been activated, open a support ticket and request the BOGO credit for your account by referencing the Nerd Vittles special offer. Greed will get you nowhere. Credit is limited to one per person/company/address/location. If you want to take advantage of the 10% discount on your current service, open another ticket and attach a copy of your last month’s bill. See footnote 1 for the fine print.¹ If you have high call volume requirements, document these in your Prequalification Form, and Skyetel will be in touch.

Original Skyetel Deposit	Skyetel Deposit Match	Available SIP Service $'s
$20	$20	$40
$50	$50	$100
$100	$100	$200
$200	$200	$400
$250	$250	$500

SMS and MMS Messaging with Postcards

In our original Skyetel article, we documented a simple way to send and receive SMS messages using your Skyetel DIDs. Now Skyetel has released a terrific, open source Docker app, Postcards, that lets you build an SMS and MMS messaging platform for your entire organization. Suffice it to say, anything you ever wanted to do with SMS and MMS messaging, you can do with Postcards. We won’t repeat Skyetel’s excellent tutorial, but you certainly need to visit their site and take Postcards for a spin.

Introducing Skyetel’s New Fax Platform

Every time we read an article predicting the demise of fax technology, we have to chuckle. We’ve been reading the articles for about 30 years now, and fax still is the goto solution for many organizations. Can you spell HIPPA? Finally, Skyetel has dipped its toes in the fax waters by offering an easy-to-use fax solution for receipt of traditional and T.38 faxes. Simply purchase a Skyetel DID and configure it for vFax routing. Enter an email address for delivery of the faxes, and you’re done.

Sending faxes from the Skyetel portal still is on the drawing boards, but it’s coming. In the meantime, Incredible Fax™ which is bundled with all Incredible PBX® platforms will let you send faxes ’til the cows come home with our easy-to-use Hylafax/AvantFax implementation.

Implementing the New Spam Call Filter

One of the most often requested features for any PBX is spam call filtering. Skyetel takes it to the next level by dealing with the spammers before the calls ever reach your PBX. For each of your Skyetel phone numbers, click on the Features tab and set the Spam Call Filter as desired.

Recording and Transcribing Skyetel Calls

As with spam call filtering, recording and/or transcribing Skyetel calls is only a click away. For each of your Skyetel phone numbers, click on the Features tab and set the option desired for Recording and/or Transcribing calls. Recordings and Transcriptions can be managed from your Skyetel Dashboard. Storage is free for up to 30 days, after which they are deleted.

Skyetel Expansion for Canadian Users

Here’s some great news for our Canadian friends. Skyetel has been listening!

Porting to Skyetel in Canada now is significantly easier and faster
Awesome reductions in audio round trip times
Epic reductions in time-to-deliver
Faster response times to technical issues (and fewer of them!)
Audio for Canadian calls will now originate from Canadian data centers
SMS and MMS available on Canadian ported numbers

Skyetel Monitoring of Endpoint Health

In addition to monitoring and reporting the health of all Skyetel services in your web portal, today’s addition allows you to configure Skyetel to not only monitor the State of every registered endpoint but also its Health with realtime metrics of the Latency, Packet Loss, and Jitter of each of your endpoints. Simply check the Network QOS options desired.

Don’t forget to whitelist all of the Skyetel data centers in Incredible PBX:

/root/add-ip Skyetel-NW 52.41.52.34
/root/add-ip Skyetel-SW 52.8.201.128
/root/add-ip Skyetel-NE 52.60.138.31
/root/add-ip Skyetel-SE 50.17.48.216
/root/add-ip Skyetel-EU 35.156.192.164

Continue reading the original Nerd Vittles Skyetel tutorial.

Originally published: Tuesday, May 28, 2019 Updated: Wednesday, June 12, 2019

Need help with Asterisk? Visit the VoIP-info Forum.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.

In the unlikely event that Skyetel cannot provide a 10% reduction in your current origination rate and/or DID costs, Skyetel will give you an additional $50 credit to use with the Skyetel service. [↩]

Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS

Monday, May 20, 2019 / 2 Comments on Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS

Photo credit: Asad Photo Maldives/pexels and digium.com

Last week we introduced OpenSIPS, the multi-functional, multi-purpose signaling SIP server which can fulfill almost any communications function one can dream up except the unified communications tasks typically performed with a PBX such as Asterisk®. Today we want to marry the two platforms to give you the best of both worlds. For Incredible PBX® users, the primary advantage of adding an OpenSIPS front end is the elimination of the complexities associated with interacting with your PBX from remote sites with ever changing, dynamic IP addresses coupled with NAT firewalls over which you have no control. While there are many approaches to interconnecting the two platforms, we’re not comfortable with the exposure that a simple registration passthrough design introduces for many Asterisk users. Instead we prefer a model that lets everybody contact you and your users without providing the world the access necessary to allow anonymous strangers a platform from which to launch endless attempts to compromise your Asterisk server and individual Asterisk accounts.

Not all users on an Asterisk PBX need anonymous lurkers to have worldwide, public access to their individual phones. For most, DIDs suffice for public access. For users that do need such access, we will begin by creating a SIP account on your OpenSIPS server that is separate and apart from your Asterisk user account or extension. Also keep in mind that anonymous SIP calls require a match on the SIP URI to reach the person or function desired. You can enable and disable these SIP URI-accessible functions on your OpenSIPS server as desired. And you can determine how obscure to make each of the SIP URIs. Security through obscurity works and deters many SIP attacks. Now let’s address what you can and cannot do with this setup.

Using a SIP phone from anywhere in the world, any SIP user CAN:

Make SIP URI calls to authorized extensions and ring groups on your Asterisk PBX
Make SIP URI calls to authorized clients registered to a 3CX PBX with a SIP UUID
With a legitimate password, make DISA-like calls with Asterisk trunks, if enabled
With an invalid DISA password, converse with Lenny
With a legitimate password, check and manage authorized Asterisk voicemail accounts
With a legitimate password, participate in authorized Asterisk conferences
Access other authorized Asterisk applications available from Asterisk extensions

Using a SIP phone from anywhere in the world, an OpenSIPS-registered User also CAN:

Make PSTN calls from OpenSIPS-registered SIP phones, if enabled
Receive calls from Asterisk forwarded to any OpenSIPS-registered SIP phone
Receive calls from Asterisk forwarded to any 3CX-registered client or SIP phone

Using any SIP phone registered to a SIP proxy, you CANNOT:

Log into any Asterisk user account without whitelist permission and credentials
Make 911 calls

Prerequisites: To complete today’s setup, we’re assuming you have (1) an Incredible PBX server running Asterisk 13, (2) an OpenSIPS server built with version 1.2.0 or later of the Incredible PBX for OpenSIPS installer, and (3) either a registered SIP account and SIP URI on your OpenSIPS PBX or a SIP account with a provider such as a free linphone.org account.

Running pbxstatus on your OpenSIPS server will tell you which version you have. If you don’t have pbxstatus or the version is below 1.2.0, please initialize your Debian 8 platform, download the latest release, and reinstall following the our OpenSIPS tutorial here. There were major changes in the OpenSIPS configuration to support Asterisk connectivity which made an in place upgrade too complex. Our apologies.

Before creating user accounts on your OpenSIPS server, give some thought to a numbering scheme that won’t conflict with extension registrations on your Asterisk server. For example, if your Asterisk server uses extensions 701 through 750, then you may wish to consider using 7701 through 7750 on your OpenSIPS server. The one-to-one match keeps things simple without running into conflicts between the Asterisk extension numbers and the OpenSIPS user accounts. We’ll use the 700 (Asterisk) and 7700 (OpenSIPS) extension ranges in our examples which follow. And we’ve reworked the original OpenSIPS tutorial in keeping with this design to simplify Asterisk integration for new readers just joining the party.

We want to express our sincere appreciation to Bill Simon for his patient tutelage in walking us through some of the potential landmines in marrying an OpenSIPS server with Asterisk. Should your organization ever need professional help with a SIP deployment, there is no finer SIP authority than Simon Telephonics.

1. Configuring Asterisk for Inbound OpenSIPS Calls

Assuming you have an Incredible PBX 13 platform, open the GUI as admin using a browser from your desktop. First, let’s create a Trunk for the OpenSIPS server. Choose Connectivity -> Trunks -> Add SIP (chan_sip) Trunk. For Trunk Name, use opensips. Next, click on the SIP Settings tab in the dialog. For Trunk Name, again use opensips. In PEER DETAILS, enter the following and replace xxx.xxx.xxx.xxx twice with the actual IP address of your OpenSIPS server. Then click Submit and Reload Dialplan when prompted.

type=peer
host=xxx.xxx.xxx.xxx
context=from-opensips
insecure=port,invite
disallow=all
allow=ulaw
deny=0.0.0.0/0.0.0.0
permit=xxx.xxx.xxx.xxx/255.255.255.255

Next, using SSH or Putty, login to your Asterisk server as root and issue these commands replacing xxx.xxx.xxx.xxx with the IP address of your OpenSIPS server (choose option 0 when prompted for access type):

cd /root
./add-ip opensips xxx.xxx.xxx.xxx
wget http://incrediblepbx.com/from-opensips.tar.gz
tar zxvf from-opensips.tar.gz
rm -f from-opensips.tar.gz
nano -w from-opensips.txt

When the editor opens, scroll down to line 16 and enter a very secure PIN (up to 10 digits) for access to the DISA-like service to make outbound calls via SIP URI. It’s your phone bill so make it long (up to 10 digits) and something that is not easily guessed. On line 20, we have configured DISA for numbers up to 11 digits. If your dialplan requires international dialing support, you can adjust 11 to the desired number of digits. Then save the file and copy the dialplan code into extensions_custom.conf and reload your dialplan:

cd /etc/asterisk
cat /root/from-opensips.txt >> extensions_custom.conf
asterisk -rx "dialplan reload"

IMPORTANT NOTE: Just because you have configured this DISA option on your Asterisk server does not mean it is available via SIP URI. In fact, no SIP URI access to your Asterisk server is enabled at this juncture. You still must set up the SIP URI connections on your OpenSIPS server. Whether to do that and which features to activate are completely up to you.

2. Configuring OpenSIPS for Asterisk Connectivity

Beginning with version 1.2.0 of the Incredible PBX installer for OpenSIPS, the server itself is preconfigured to support Asterisk connectivity using AVPs. Implementation only requires command line execution of an AVP script to enable each feature you wish to activate. A similar script can be used to deactivate any AVP feature previously activated. To install the scripts on your OpenSIPS server, log in as root using SSH or Putty and issue these commands:

cd /root
wget http://incrediblepbx.com/asterisk-features-for-opensips.tar.gz
tar zxvf asterisk-features-for-opensips.tar.gz
rm -f asterisk-features-for-opensips.tar.gz

The function of each of the Asterisk scripts is self-explanatory from the script names:

asterisk-add-forward
asterisk-delete-forward
asterisk-list-forwards

Three pieces of information are required to add a SIP URI forward from OpenSIPS to your Asterisk server using the AVP asterisk-add-forward script:

UUID of SIP URI (from any SIP phone, dial UUID@opensips.yourdomain.com to connect)
Asterisk Extension (destination where incoming OpenSIPS call should be forwarded)
Asterisk Public IP Address

To add a SIP URI for extension 701 on your Asterisk server at xx.xx.xx.xx reachable at 701@opensips.yourdomain.com, the command would look like this where xx.xx.xx.xx is the public IP address of your Asterisk server and opensips.yourdomain.com is the FQDN of your OpenSIPS server: /root/asterisk-add-forward 701 701 xx.xx.xx.xx

CAUTION: Other than for forwards like this, do NOT set up User accounts in the OpenSIPS Control Panel using the same numbers as existing extensions on your Asterisk server. Otherwise, if your SIP phone is registered to a 701 user account on your OpenSIPS server, you lose the ability to connect to any extension on your Asterisk server if a 701 account requiring registration also existed on the Asterisk platform.

To use a name in the SIP URI or enable a second SIP URI for the same Asterisk 701 extension (jdoe@opensips.yourdomain.com): /root/asterisk-add-forward jdoe 701 xx.xx.xx.xx

Simply repeat the steps above for every SIP URI you wish to enable for an Asterisk extension.

To enable DISA-like access via SIP URI using dial as UUID (dial@opensips.yourdomain.com): /root/asterisk-add-forward dial *1 xx.xx.xx.xx

Keep in mind that you need not use "dial" as the UUID. You can make up any name you like. So long *1 is the DISA extension, the UUID can be as obscure as desired e.g. disa5038now.

For voicemail access via SIP URI, you can do it in two ways. For generic access triggering prompts for both the voice mailbox number and the mailbox PIN, use the following: /root/asterisk-add-forward vm *98 xx.xx.xx.xx

For voicemail access to a specific mailbox (701) with only a prompt for the mail PIN, use: /root/asterisk-add-forward vm701 *98701 xx.xx.xx.xx

For access to a specified conference (2663) with a prompt for the conference PIN, use: /root/asterisk-add-forward conf2663 2663 xx.xx.xx.xx

For access to Weather Reports (947) with a prompt for the ZIP Code, use something like this: /root/asterisk-add-forward weather 947 xx.xx.xx.xx

For News Headlines (951), use: /root/asterisk-add-forward news 951 xx.xx.xx.xx

To delete any previously created UUID forward: /root/asterisk-delete-forward

To list existing UUID forwards for SIP URIs: /root/asterisk-list-forwards

Calling Tip: If your softphone is registered to an OpenSIPS User account, you can call any of the enabled forwarding entries by entering the UUID without @opensips.yourdomain.com, e.g. dialing vm would connect to the Asterisk voicemail system with a prompt for mailbox.

3. Enabling Inbound Calls from Asterisk to a SIP Phone

In today’s design, incoming calls to your Asterisk PBX can be forwarded to a user account on your OpenSIPS server or a free linphone.org user account by (1) creating a free User account in the OpenSIPS Control Panel or at linphone.org, (2) logging into that user account with a SIP phone or softphone, (3) creating a custom extension in the Incredible PBX GUI that points to the SIP URI of your user account on the OpenSIPS server or your free linphone.org SIP user account or a 3CX client, and (4) adding that custom extension to either a Ring Group that includes your Asterisk extension or enabling FindMe/FollowMe for your Asterisk extension and designating the custom extension as the No Answer Destination. Need support for multiple Asterisk users? Not a problem. Repeat the drill for each user.

The procedure for adding a User Account in the OpenSIPS Control Panel was covered in last week’s article. The procedure for creating a free Linphone User Account was covered in an earlier article so we won’t repeat it here. Another obvious SIP URI destination is any 3CX Client if you’ve previously set up a free 3CX server following our 3CX tutorial. Refer back to those articles if you need a refresher.

On the Asterisk side, login to the Incredible PBX GUI as admin with your favorite browser. Then choose Applications -> Extensions -> Add Custom Extension. For the User Extension and Display Name, we recommend using the 7701 numbering scheme for remote accounts. Then click on the Advanced tab and enter the SIP URI of your OpenSIPS, Linphone, or 3CX User account as the Dial option, e.g. SIP/yourname@sip.linphone.org or SIP/7701@opensips.yourdomain.com. Click Submit and Apply Config to reload dialplan.

To assure that incoming calls ring on both your Asterisk phone (701) and your registered SIP phone, we recommend setting up a Ring Group on the Asterisk side that includes both the 701 extension and the new 7701 custom extension. Then adjust your Inbound Routes to point to the number of this Ring Group instead of to 701. In this way, you can preserve the voicemail functionality associated with your 701 extension. FYI: None of these servers proxy audio and video of your calls. They provide a SIP registration service only.

The other alternative to a Ring Group is to enable FindMe/FollowMe in the 701 extension settings and then specify Extension:701 as the No Answer Destination. With this approach, voicemail will never be triggered on calls sent to extension 701 on your PBX. Since OpenSIPS lacks voicemail, you would lose calls not answered on your registered SIP phone or softphone.

TIP: We use 3CX clients exclusively for inbound calls on iPhones and Android devices because we have found they are far superior in dealing with both push notifications and NAT routing. 3CX clients actually ring when someone calls AND you can hear both sides of every call.

4. Outbound PSTN Calling from OpenSIPS

The DISA setup documented above allows your existing Trunks to continue to be managed and secured exclusively on your Asterisk server with no trunk exposure on the OpenSIPS platform at all. Thus, if either your public-facing OpenSIPS server or Linphone is ever compromised, nobody will be able to make any calls on your nickel because there will be no trunks available to process the outbound calls. Your DISA password is never exposed.

For some (like us), a two-step outbound calling procedure is just too painful. In that case, with providers such as Skyetel, you can deploy a PSTN calling platform on both your Asterisk server and on OpenSIPS. We documented the Skyetel trunk setup for OpenSIPS in our tutorial last week. The good news is nothing precludes deployment of Skyetel at multiple sites even if you only use Skyetel on the OpenSIPS platform for outbound calling. And this completely avoids implementing a DISA solution which has security implications of its own. Effective 10/1/2023, $25/month minimum spend at Skyetel is required.

Enabling direct PSTN calling with OpenSIPS means nobody can ever make PSTN calls merely by guessing a SIP URI. It requires an actual SIP registration to OpenSIPS, and you have Fail2Ban to assist with securing that process. So the outbound calling design is completely up to you. Direct PSTN calling from OpenSIPS is no less safe so long as none of your OpenSIPS User account passwords are compromised.

5. Enabling Calls from Asterisk to OpenSIPS Users

For OpenSIPS AVP forwards that have been enabled to Asterisk extensions, you probably will also want to provide a way for Asterisk users to return those calls directly to OpenSIPS users since that will be the CallerID that displays when an OpenSIPS user places a call directly to a forwarded Asterisk extension. Assuming a SIP phone has been registered to User account 7709, when that OpenSIPS user places a call to a forwarded Asterisk extension 701, it means the Asterisk user will see 7709 displayed as the CallerID for the incoming call even though the User of the OpenSIPS 7709 extension may also be associated with extension 709 on the Asterisk side. If the Asterisk callee attempts to return the call by dialing 7709 instead of 709, the call would fail. To avoid confusion by Asterisk users, the simple solution is to add an additional Custom SIP extension for every OpenSIPS User account.

For example, on the Asterisk side, login to the Incredible PBX GUI as admin with your favorite browser. Then choose Applications -> Extensions -> Add Custom Extension. For the User Extension, enter 7709. For the Display Name, enter the name of the person using that OpenSIPS user account. Next, click on the Advanced tab and enter the SIP URI for this OpenSIPS User account as the Dial option, e.g. SIP/7709@opensips.yourdomain.com. Click Submit and Apply Config to reload dialplan.

FYI: Matching Custom Extension numbers on the Asterisk platform to identical extensions on your OpenSIPS server does not create the registration problems we cautioned against earlier. Only Asterisk extensions requiring actual SIP registration need to remain unique from accounts on your OpenSIPS platform.

6. A Few Words About Security

If you’ve been using Incredible PBX with its Travelin’ Man 3 firewall, it’s not unlike living in a gated community where most of the outside world doesn’t even know you exist. Adding a "second home" with OpenSIPS is not unlike buying a summer place next door to Fred Sanford in Watts. You might as well have set up shop in the middle of Russia because, for all intents and purposes, you have. Anybody in the world can guess your IP address and spend the day trying to break into your server. So the name of the game is vigilance. Especially for the first few weeks, you need to run iptables -nL regularly and see how quickly your Fail2Ban blacklist is filling up. If you heeded our advice and set up your OpenSIPS server on a KVM platform (instead of OpenVZ), we’ve got a handy little script that will let you move bad guys snagged by Fail2Ban to the permanent IPset blacklist. Just download the script and run it daily to move the Fail2Ban entries to permanent block status in the IPset blacklist:

cd /root
wget http://incrediblepbx.com/move-fail2bans-to-ipset.tar.gz
tar zxvf move-fail2bans-to-ipset.tar.gz
rm -f move-fail2bans-to-ipset.tar.gz
./move-fail2bans-to-ipset

Once you have verified that the IP addresses actually are being populated in the IPset blacklist table (ipset list | sort), you can add the script to /etc/crontab to run automatically each night:

echo "2 4 * * * root /root/move-fail2bans-to-ipset > /dev/null 2>&1" >> /etc/crontab

If you’d like a head start on your IPset blacklist, simply download our latest list and then reboot your server:

cd /etc
wget http://incrediblepbx.com/badguys.tar.gz
tar zxvf badguys.tar.gz
rm -f badguys.tar.gz

Another potential vulnerability is SSH. This command will tell you who has attempted to login to your server as root: cat /var/log/auth.log | grep password. If you ever see a failed login and it wasn’t a mistake on your part, change your SSH access port immediately if not sooner: nano -w /etc/ssh/sshd_config. Then restart SSH: /etc/init.d/ssh restart. Better yet, set up SSH public key authentication.

The other major consideration is the number of holes you punch into the security of your Asterisk server using the OpenSIPS asterisk-add-forward script. Every time you add an extension to this list, you open another (read-only) window into your Asterisk communications world. And anybody can connect to these extensions using either the FQDN of your OpenSIPS server or its IP address. Even though we don’t practice what we preach, we strongly recommend using alphanumeric UUIDs instead of numbers for these access points. That at least avoids random calls from bad guys that are accustomed to numeric numbers only in SIP URIs. Regularly review your OpenSIPS log for unusual strings of forwarded calls and adjust your forwarding UUIDs accordingly: cat /var/log/opensips.log | grep forwarded.

In our previous article, we’ve already addressed how important it is to limit User accounts to your FQDN and never the IP address of your OpenSIPS server. In this way, you limit OpenSIPS registration exposure to your FQDN and never the IP address of your server. Fail2Ban also assists here by blocking failed login attempts after a single failure unless you have whitelisted the IP address in Fail2ban’s ignoreip list in /etc/fail2ban/jail.conf and restarted Fail2Ban with this command: /etc/init.d/fail2ban restart. These are the only entry points that offer the ability to actually register to your server. AVPs never do. Obviously, a successful SIP registration is much more dangerous than a random phone call on a SIP URI set up using AVP extension forwarding.

Finally, passwords now matter on your Asterisk PBX for any port forward you’ve established with OpenSIPS. For example, if you’ve set up a generic forward to access voicemail, then it means anybody guessing the SIP URI you created can spend the day (at no cost) attempting to break into ANY voicemail account on your Asterisk server by guessing the PIN. Fail2Ban will not protect you here. If you’ve set up DISA-like access to your Asterisk server on OpenSIPS, then the same applies except now the attacker gets a blank check to make commercial calls if they can guess your access PIN. Worried yet? We hope so. Sure beats a $100,000 phone bill.

7. Taking OpenSIPS for a Test Drive

We usually provide a Demo Line for readers to try out our latest creations. For obvious reasons, we prefer not to disclose our OpenSIPS FQDN to the general public. But we have set up a port forward from a DID that we temporarily configured on our OpenSIPS server. So, if you’d like to sample the voice quality of placing a call to a DID in Atlanta forwarded to an OpenSIPS server in New York forwarded to an Asterisk server in Miami and then back to you, try calling 843-606-0555 for a weather report in your favorite ZIP code. We’re betting you will be dumbfounded by the quality of the call. Enjoy!

Originally published: Monday, May 20, 2019

Need help with Asterisk? Visit the VoIP-info Forum.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.

The 5-Minute Wonder: OpenSIPS Server Takes the Cake

Monday, May 13, 2019 / 9 Comments on The 5-Minute Wonder: OpenSIPS Server Takes the Cake

Photo credit: Archie Binamira/pexels and OpenSIPS.org

We covered Kamailio in our Part I article. And we’ve skipped writing about SIP server contestants two, three, and four because they each had a healthy dose of insurmountable problems… at least for us. So today we’re pleased to present Part V in our SIP server series. And, as the headline exclaims, with OpenSIPS we’ve found a platform that finally is worthy of your attention. Our requirements were fairly straightforward. We wanted an open source SIP server to which we could connect users to make and receive free as well as commercial calls worldwide. We also wanted a SIP server with good documentation that was simple to install and to integrate into our existing Asterisk platforms without hiring a consultant. And finally we were searching for a SIP server that could be secured easily without providing free phone service to every bad guy on the planet. OpenSIPS has it all.

OpenSIPS is a multi-functional, multi-purpose signaling SIP server used by carriers, telecoms or ITSPs for solutions like Class4/5 Residential Platforms, Trunking / Wholesale, Enterprise / Virtual PBX Solutions, Session Border Controllers, Application Servers, Front-End Load Balancers, IMS Platforms, Call Centers, and many others. Source: opensips.org

We’ve often complained that the problem with many open source projects is that the developers get so focused on making money that they skimp on the documentation to encourage consulting work or participation in expensive conferences. We have found just the opposite with OpenSIPS. In fact, much of today’s implementation is based upon an excellent tutorial by the folks at PowerPBX. Down the road, if you find yourself in need of a consultant, their services would be a good place to start. What we’ve added to the PowerPBX design is security, support for clients behind NAT-based routers, and an integration scheme for Asterisk®, FreePBX®, and Incredible PBX® platforms so that you get the best of both worlds, a public facing SIP server with the UC feature set that most organizations expect. Last but not least, our turnkey GPL installer will get you up and running in about 5 minutes.

Choosing a KVM/OVZ7 Platform for OpenSIPS

Let’s begin by addressing the appropriate platform for an OpenSIPS server. The server needs to have a public IP address that is static, and the server should not be situated behind a NAT-based router. It only complicates things and is beyond the scope of what we plan to address. For those that are frequent visitors, you already know that we’ve been pushing everyone to kiss their local hardware goodbye and join the cloud revolution. When it comes to public-facing VoIP platforms like OpenSIPS, most of us don’t have a choice. You need a static IP address on the open Internet. And, for the sake of security, a KVM or OVZ7 cloud platform is a must since older OpenVZ platforms don’t support the ipset component of IPtables which makes it easy to block hundreds of thousands of IP addresses without a performance hit on your server. While we previously have identified older OpenVZ providers for our Incredible PBX platforms protected by the Travelin’ Man 3 firewall, pure whitelist access simply isn’t an option if you wish to retain the functionality of a VoIP application such as OpenSIPS.

Ten to twenty gigabytes of disk space should be more than ample for OpenSIPS. The amount of RAM in your server depends upon the volume of calls your server will be handling. If it’s a dozen simultaneous calls then 1GB of RAM will suffice. If it’s 100,000 calls, then take a look at this article for tips on sizing your server. For today’s implementation, we’ll be using Debian 8 so any low-cost provider or KVMs at Digital Ocean, Vultr, and OVH should be fine.¹

We recently went on the hunt to identify KVM or OVZ7 cloud providers around the world that could offer a KVM VPS with 1GB RAM, 20GB storage, and 1TB of monthly bandwidth for about $25 a year. No small feat! But our friends at LowEndTalk have come through. Read the message thread and find an offer with a site that best meets your requirements. Many of the KVM offers require you to open a ticket to get the special pricing and configuration outlined above. Here’s a short list of our favorites, but remember to only use the KVM or OVZ7 offerings below for OpenSIPS!

Provider	RAM	Disk	Bandwidth	Performance as of 12/1/19	Cost
CrownCloud KVM (LA)	1GB	20GB + Snapshot	1TB/month	598Mb/DN 281Mb/UP 2CPU Core	$25/year Best Buy!
Naranjatech KVM (The Netherlands)	1GB	20GB	1TB/month	Hosting since 2005 VAT: EU res.	20€/year w/code: SBF2019
BudgetNode KVM (LA)	1GB	40GB RAID10	1TB/month	Also available in U.K PM @Ishaq on LET before payment	$24/year
FreeRangeCloud KVM (Ashburn VA, Winnipeg, Freemont CA)	1GB	20GB SSD	3TB/month	Pick EGG loc'n Open ticket for last 5GB SSD	$30/year w/code: LEBEGG30

Choosing OpenSIPS Components to Deploy

We’ve divided up today’s tutorial into bite-sized pieces so that you can pick and choose where to stop implementing and start using. You do not need to have an Asterisk server to make and receive calls with OpenSIPS. However, OpenSIPS lacks voicemail and AutoAttendant/IVR components so, if those are a requirement, then you either need a VoIP service provider that offers them, or deploy a $50 Incredible PBX for the Raspberry Pi to add the missing pieces.

What OpenSIPS offers is a free server platform for worldwide SIP communications so that you, your friends, and business associates can call or connect from anywhere using freely available SIP softphones or any of dozens of SIP telephone instruments. We’ll stick with softphones for today, but hardware-based SIP telephones are equally simple to deploy.

This is not a criticism because it is one of the best tutorials we’ve ever used but, if you want to see how complex a typical OpenSIPS server deployment is, take a look at the PowerPBX tutorial we used as a starting point with OpenSIPS. We’ve compressed most of those procedures into a turnkey installer that only requires you to enter a MySQL root password of passw0rd (with a zero) once you have your Debian 8/64 platform up and running.

Deploying a Debian 8 Server Platform

Start by choosing a cloud provider that offers the 64-bit Debian 8 minimal platform as a deployment option. Most do. As noted, we recommend a KVM or OVZ7 platform, but older OpenVZ platforms perform equally well minus support for ipset which makes it easy to block entire countries overrun with bad guys. Choose offerings with at least 1GB RAM and a 10GB drive to get started. Configure your Debian 8 server with a fully-qualified domain name (FQDN). This is critically important with our security design because we will assign all OpenSIPS users/extensions to this FQDN and reserve your server’s IP address purely for connections from service providers and Asterisk servers. This makes it all but impossible for anyone to hack into your server since most script kiddies launch attacks on IP addresses, not FQDNs. Using an unusual FQDN adds an extra layer of security, but that’s your call. If you lack the ability to assign FQDN aliases to a domain which you own, you can obtain a free FQDN from numerous sources including ChangeIP and point it to the IP address of your OpenSIPS server.

Installing OpenSIPS on a Debian 8 Server

Now the fun begins. Log into your Debian 8 server as root and issue the following commands to prepare for the OpenSIPS install:

cd /root
wget http://incrediblepbx.com/opensips.tar.gz
tar zxvf opensips.tar.gz
rm -f opensips.tar.gz

After untarring opensips.tar.gz above, there’s one extra step for those using KVM or OVZ7 platforms. Do NOT make this change if you’re on an older OpenVZ-based server (not recommended!) that shares its kernel with the host machine. Otherwise, the firewall startup will always fail. For KVM and OVZ7 platforms only, issue the following command: cp -p /root/kvm/* /root

Make sure you have logged into your Debian 8 server as root using SSH or Putty from a desktop PC that you will use to manage OpenSIPS with a browser. The reason is because this IP address automatically will be whitelisted in the OpenSIPS firewall as part of the install process. Otherwise, you will need to manually log into SSH and whitelist the IP address of your desktop PC using /root/add-ip each time you wish to access the OpenSIPS Control Panel since TCP port 80 (HTTP) is not exposed to the public Internet as a security precaution.

To begin the install, issue this command: /root/install

As the install progresses, you’ll be prompted several times to assign and then to use the MySQL root password. Please use passw0rd (with a zero) as your MySQL password, or the install will fail. This is NOT a security risk unless your Debian 8 root user account is compromised. And, in that case, it won’t matter anyway since the MySQL password could easily be changed. The rest of the install is self-explanatory. There are a couple of steps where you will be prompted for input. Correct responses are indicated before the various prompts. Pay particular attention when you are prompted to change the SSH port from TCP 22 to a port number in the 1000-2020 range as a security precaution. We recommend using the year you were born because it will be easy for you to remember. When the install finishes and you log out of your server, the next SSH login will look like this where XXXX is the SSH port you chose and yyy.yyy.yyy.yyy is the OpenSIPS server address: ssh -p XXXX root@yyy.yyy.yyy.yyy

Although most of the configuration of your OpenSIPS server will be handled using a web browser and the OpenSIPS Control Panel GUI, we’ve included a few scripts in /root to assist with maintenance of your server platform. Here’s a brief summary of the script functions:

pbxstatus – Status of your OpenSIPS server (image sample above)
add-ip – Temporarily WhiteList IP address until next iptables-restart
ban-ip – Permanently Ban an IP address
unban-ip – Unban a previously banned IP address
log-purge – Zero out all of the major Linux log files
opensips-check – Assures OpenSIPS and RTPproxy are running (runs automatically)
Fail2Ban BlackLists – iptables -nL | grep -A100000 "opensips ("
IPset BlackList (KVM/OVZ7 platforms only) – ipset list | sort

We secure your server in several ways: (1) by disguising the SSH port, (2) by locking down almost every port on your server with the IPtables firewall with the exception of the SIP ports, (3) by deploying Fail2Ban to scan your OpenSIPS log for errors and lock out attackers for an extended period of time, and (4) by deploying the IPset blacklist on KVM/OVZ7 platforms. With this design, there is a symbiotic relationship between IPtables, Fail2Ban, and IPset. Therefore, it is critically important that you only restart these services using the iptables-restart command. NEVER issue other IPtables commands to restart or save your firewall settings.

Activating a SIP Server with OpenSIPS Control Panel

We don’t want to overload you on the first day with your new OpenSIPS platform so we’ll walk you through the preliminary setup steps to create your SIP Domain. Then we’ll show you how to set up user accounts (also known as extensions). Finally we’ll walk you through setting up a trunk to make and receive calls from a commercial SIP provider. When we’re finished today, you’ll be able to make and receive calls using SIP URIs or DIDs which you have purchased from a provider. Then next week we’ll focus on integration of OpenSIPS with an Asterisk platform of your choice using Incredible PBX and FreePBX as an example. Once we’re finished, you’ll be able to handle user account registrations exclusively on your OpenSIPS server while leaving your Asterisk platform completely hidden from public exposure.

Logging into the OpenSIPS Control Panel

As deployed, the OpenSIPS Control Panel is accessible via web browser. As noted previously, HTTP Port 80 access is blocked by default unless the IP address of your desktop PC has been whitelisted either as part of the initial install or using the add-ip script in /root. Once your desktop PC’s IP address is whitelisted, point your browser to http://xxx.xxx.xxx.xxx/cp

The default Username is admin, and the default password is opensips. Once you’re logged in, immediately click on the Users icon in the upper-right corner of the dashboard. Then click the Edit Info pencil icon for user Admin and change your password. Click Save when done.

Creating Domains with OpenSIPS Control Panel

In the Left column of the Dashboard, you’ll see two tabs: Users and System. Click on the System tab to expose the available choices. Then choose the Domains option.

Domains are the essential building blocks in OpenSIPS. You can manage one or a hundred domains on a single OpenSIPS server, and each domain can have its own set of Users, Trunks/Gateways, and Dialplan rules. We’re actually going to create two domains, one for the IP Address of your OpenSIPS server and a second one for the FQDN of your OpenSIPS server. For added security, we will create all User accounts under the FQDN Domain. And we’ll reserve the IP Address Domain for DID Trunks/Gateways from registered, commercial SIP providers. This design allows attackers to attempt to register to accounts on your IP Address Domain until the cows come home, and they will never be successful because there are no existing SIP user accounts there. Keep it that way! With our OpenSIPS design, Fail2Ban will block attackers after a single failed registration attempt. And OpenSIPS itself will identify and block all SIP flood attacks using either Fail2Ban or IPset (on KVM and OVZ7 platforms only).

Now that you understand the design, let’s set up your domains. After choosing System -> Domains, enter the IP Address of your OpenSIPS server at the SIP Domain prompt. Then click Add New Domain followed by Reload on Server. Repeat the same steps to enter the fully-qualified domain name (FQDN) of your OpenSIPS server. When finished, you should see:

Creating Users with OpenSIPS Control Panel

We’ve already explained the security implications and reason for creating User accounts with your FQDN Domain only. Click on Users -> User Management -> Add New to get started. You can use Numbers (what we call Extensions in Asterisk) or Names. Our preference is to use Numbers for the User accounts and then to create Alias Names (as desired) for each User account. You can’t dial names from most SIP telephones. This also keeps the design similar to what many are used to coming from the Asterisk environment. A completed dialog would look something like the following. Use the Domain pull-down to choose your FQDN. Obviously, the passwords must be secure and must match. Then the Register button will be enabled to save. The actual Numbers used for Usernames are completely up to you.

Create at least a couple User accounts so that you can set up two SIP phones to call yourself and verify that everything is working. These User accounts become an integral part of the SIP URI to receive calls from any SIP phone in the world: 7701@opensips.yourdomain.com

Before you can actually answer an incoming call to your SIP URI, you’ll need to register the User account using either a softphone or SIP phone. We’ll do that next. But, first, let’s create an Alias to 7701 User so that folks can reach you by calling joe@opensips.yourdomain.com

Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the example below. Make sure that you select your FQDN Domain using the pull-downs for BOTH the Domain and Alias Domain fields. Then click Add to save.

Registering a Softphone to an OpenSIPS User Account

There are literally dozens of free SIP soft phones from which to choose. We covered some of our favorites for every platform in previous articles. For our purposes today, we recommend you choose one of the Linphone softphones which are available for the PC, Mac, Linux, Android, and iOS platforms. We also recommend signing up for a free Linphone.org SIP account which doesn’t cost you anything. For today, we will be configuring the softphone to register to your new OpenSIPS server.

Once you have downloaded and installed the Linphone client, go into the Preferences menu and make the following changes. Some depend upon your calling platform.

Audio Codecs: PCMU, G722, PCMA
Video Codecs: VP8, H264
Call Encryption: None
DTMF: RFC2833 only
Send InBand DTMF: OFF
Send SIP INFO DTMF: OFF
SIP UDP 5060: Enabled
SIP TCP 5060: Enabled
Allow IPv6: Disabled

Then set up a new SIP Proxy account: Username (7701), Password (as defined), Domain: your FQDN not IP address, Transport: UDP, Outbound Proxy: OFF, Stun Server: stun.linphone.org, ICE: ON, AVPF: OFF, Push Notification: ON, Country Code Prefix: 1 (if required by your commercial SIP provider), Register: YES, Account Enabled: YES. HINT: You can call Alias Names via SIP URI, but you can only register to a SIP account using its actual Username.

Avoiding Lockouts with NeoRouter VPN

By design, Fail2Ban is unforgiving when it comes to failed registrations. A single failed registration will get an IP address banned for a full week. The reason is because the new bad guy strategy is to hit your server once to determine whether anybody is home. Then the creep bombards you later with an endless stream of registration attempts. With our design, nobody will be home when they return. The bad news is a single failed registration attempt by you or your users will also trigger a ban. There are several workarounds. The easiest is to set up the NeoRouter client on each of your machines including your OpenSIPS server and use the 10.0.0.x private network for access. These IP addresses never get banned. Our previous tutorial will walk you through setting up a free NeoRouter server and installing the free NeoRouter clients on your machines. The client software already is installed and running on your OpenSIPS server. It only requires that you log in using nrclientcmd and register to your NeoRouter server to obtain a private IP address.

There are other options to unban an IP address which has accidentally been snagged. First, almost all of the cloud providers include a Console option in their web portals. Second, you can log into your server via SSH from any non-blacklisted IP address to remove the banned IP address. Once you’re logged in, simply run this command using the IP address you wish to unban: /root/unban-ip xxx.xxx.xxx.xxx

Choosing Commercial SIP Providers

Recall that you cannot register to a SIP alias on your OpenSIPS server. We’ll take advantage of this restriction in setting up incoming calls from commercial providers’ DIDs. To set up Trunks from commercial providers so that you can not only receive incoming calls but also make outbound calls over their PSTN network connections, you must use providers that support IP address authentication rather than a SIP registration. Many providers support this including our platinum sponsor, Skyetel, as well as providers such as VoIP.ms, Anveo Direct, V1VoIP, and many others. In our OpenSIPS design, you also can use DIDs from providers that support SIP URI forwarding such as CallCentric and LocalPhone; however, you are limited to receiving inbound calls only. VoIP communications really shines here because you don’t have to choose a single provider to meet all of your communications requirements.

Skyetel is by far the easiest provider to set up with OpenSIPS. See our earlier tutorial for a special offer that will get you half-price calling for up to $500. Effective 10/1/2023, $25/month minimum spend required. Once you’re registered on the Skyetel site, add a new EndPoint Group using the IP address of your OpenSIP server and designate UDP 5060 as the access port. Sign up for a DID and map it to the OpenSIPS Endpoint Group. Done. In the OpenSIPS Control Panel, navigate to System -> Dynamic Routing and click Add Gateway. Using the template below, create 5 Proxy gateways for the following Skyetel data centers:

skyetel-NW 52.41.52.34
skyetel-SW 52.8.201.128
skyetel-NE 52.60.138.31
skyetel-SE 50.17.48.216
skyetel-EU 35.156.192.164

The latest installer will automatically whitelist the Skyetel IP addresses in /etc/iptables/rules.v4 just below the existing 10.8.0.0/24 rule. This will protect you in the event that one or more of the Skyetel IP addresses gets blacklisted inadvertently. You should also add the IP addresses of any other providers you need and then issue the command: iptables-restart

Next, we need to create what Asterisk users know as an Outbound Route. This tells OpenSIPS to send dialed numbers in 11-digit format to Skyetel for termination. We’ve already created the Dial Plan rule for calling out by dialing 1 plus a 10-digit number. So, while you’re still in the Dynamic Routing section of the OpenSIPS Control Panel, click on the Rules tab at the top of the template. Then click Add Rule. Begin by clicking Add ID button and choosing Group ID 0. In the Prefix field, type 1. Now click the Add GW button 3 times after choosing the Skyetel gateways in the following order from the GW pull-down list: skyetel-nw, skyetel-sw, and skyetel-se. Those are the three currently operational Skyetel gateways. When you’re finished, your template should look like the following. Then click the Add button to save the new rule. Click Reload Server to load the new rule into OpenSIPS. Then repeat this procedure leaving the Prefix field blank so that you can make 10-digit calls as well.

Finally, we need to create what Asterisk users know as an Inbound Route. This tells OpenSIPS where to send incoming calls from our Skyetel DID. OpenSIPS handles inbound routes by defining a User Alias for the Username to which you want to route the incoming DID calls. Click on Users -> Alias Management -> Add New Alias to get started. Fill in the form using the following template and then click Add.

Username: 7701 (the extension to which to route the incoming calls)
Domain: opensips.xyz.com (the FQDN of your OpenSIPS server)
Alias Username: 18435551212 (the 11-digit Skyetel DID)
Alias Domain: 11.12.13.14 (the IP address of your OpenSIPS server)
Alias Type: dbaliases

Introducing the VoIP Blacklist

We’ve always dreamed of an effective VoIP Blacklist, and many have tried. But the crowd-sourced VoIP Blacklist at voipbl.org is the real deal. Everybody can post entries (including the bad guys) and, magically, most of the illegitimate entries get sifted out before the next day’s list is released. We’ve made this easy in two ways. First, the list gets populated every night while you sleep. At last count, there were 84,504 IP addresses. And, second, to contribute to the blacklist, run iptables -nL weekly to see if Fail2Ban has snagged any bad guys. If so, simply run the new /root/blacklist utility which will move them into your local blacklist and also format the entries for easy submission to voip.bl whenever you feel the urge. Simply issue the command cat /root/blcklist.txt to display the entries you just blacklisted. Then cut-and-paste the results and post them to the VoIP Blacklist. The whole process takes less than a minute, and you’ll be contributing to a very valuable VoIP resource while also using it.

Congratulations! You now have a functioning OpenSIPS server that can process incoming calls from SIP URIs as well as DIDs. And you can make SIP URI and 11-digit PSTN calls using your SIP softphone that’s registered to your OpenSIPS server. See you next week. Enjoy!

Continue Reading: Best of Both Worlds: Safely Marrying Asterisk to OpenSIPS

Originally published: Monday, May 13, 2019 Updated: Monday, June 24, 2019

Need help with Asterisk? Visit the VoIP-info Forum.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.

Nerd Vittles receives referral fees from some VoIP service providers to help cover the costs of our blog. We never recommend particular companies solely to generate commissions. We also test all services that we recommend. [↩]

Meet Linphone: Free Worldwide Calling to Anybody with SIP

Monday, April 29, 2019

Earlier this year we demonstrated how to set up a publicly-accessible Asterisk® server to enable free worldwide calling using SIP URIs which are email-like addresses for VoIP and video calls. But not everyone has an Asterisk server so today’s tutorial extends free calling to everyone with a Windows or Linux PC, a Mac, or any smartphone or tablet. All you need is a desktop computer with wired or wireless Internet access or, on a smartphone or tablet, a cell data plan or WiFi connection will suffice. When friends sign up, their calls also will be free.

The secret sauce on all of these platforms is the Linphone app (shown above) which can be downloaded and used at no cost. Source code is available for those that want it. Use it as often and for as long as you like. Here are the Linphone download links for each of the platforms:

Windows
Mac
Linux
Web Browser (Chrome, Edge, Firefox, Safari)
Android via Google Play
iOS via App Store

The only other piece you’ll need to get started is a free Linphone SIP account. Sign up here. Once you’ve signed up, simply respond to the confirmation email to activate your account. Your registration gets you credentials to plug into your Linphone app that you downloaded above. In addition, it gets you a free Linphone SIP URI which looks something like this: yourname@sip.linphone.org. This is the SIP URI address that anyone in the world can use to contact you. Here are the pieces you’ll need to plug into your desktop or smartphone app:

Account Name
Account Password
Domain: sip.linphone.org

Be very careful not to lose your password. You can’t retrieve it, and you can’t change it without knowing the original password. All you can do is delete your account and start over.

The Linphone feature set is downright impressive. Here’s what you and your friends will be using at zero cost:

IMPORTANT TIP: Missing audio or one-way audio is a common problem on SIP calls. For best results, configure your account in the Linphone app to use UDP for the Transport, disable the Outbound Proxy, configure stun.linphone.org as the Stun Server, and enable ICE. In Network settings, turn off IPv6 and Media Encryption. In Audio settings, enable Opus, G.722, PCMU, and PCMA only. In Video settings, enable both VP8 and H.264. Then close the app and reopen it.

Once you have your Linphone credentials, another option in addition to using one of the SIP clients above is to acquire a stand-alone SIP telephone which can easily be connected to your Linphone SIP account. While there are literally hundreds of SIP telephones from which to choose, here’s a $35 offering from Grandstream that we use. It’s available from Amazon.¹

Unlike other proprietary communications apps, the beauty of using Linphone with its native SIP URI support is you can call any SIP phone in the world for free whether the recipient uses Linphone or not. For example, to annoy your friends and spammers, you can transfer their calls to Lenny: 2233435945@sip2sip.info or 883510001198938@sip.inum.net. And here are some other SIP URI calls you might want to try. Store them in your Linphone Phonebook.

Yahoo News Headlines - news@demo.nerdvittles.com
Yahoo News Headlines - 951@demo.nerdvittles.com
Weather by Zip Code  - weather@demo.nerdvittles.com
Weather by Zip Code  - 947@demo.nerdvittles.com
Directory Assistance - information@demo.nerdvittles.com
Directory Assistance - 411@demo.nerdvittles.com
Lenny for Spammers   - 53669@demo.nerdvittles.com
Technical Support    - 0@sip.incrediblepbx.com
Call Any TollFree #  - **1800XXXXXXX@tollfree.future-nine.com

There are now more than 2,000 VoIP networks worldwide that support SIP URI access. Any person or organization with an account on any of these networks can be reached at no cost via SIP URI or via several hundred PSTN numbers. Using a SIP URI dialing prefix, you can call any referenced network@sipbroker.com. For example, *656news@sipbroker.com would reach the Nerd Vittles News Headlines from Yahoo. Or choose a local access number from the SipBroker worldwide directory, e.g. 702-789-0530 and then dial *656951 at the prompt.

Of course, every 3CX platform provides dedicated SIP URIs for every extension on the PBX. Our recent article covers adding SIP URI access to any Asterisk PBX.

If you want to associate a phone number with your Linphone SIP URI, you can do it in a couple of ways. First, using a smartphone, you can link your cell number to Linphone within the Linphone app itself. If you have a free DID from IPComms, you can point it to your Linphone SIP URI. If you have a $1/month CallCentric DID, it can also be pointed to your Linphone SIP URI. A 25¢/month iNum DID from LocalPhone.com also can be pointed to your SIP URI. LocalPhone supports Nerd Vittles through referral revenue from your 25¢ investment. 🙂

Speaking of iNUMs, you can reach anyone with an iNUM DID by dialing the iNUM number in SIP URI format: 8835100xxxxxxxx@sip.inum.net. One of the real beauties of signing up for an iNUM number as well is that it can be reached in most places around the globe by dialing a local number from any telephone. As part of the iNum initiative, local access numbers have been established in more than 50 countries around the globe. By placing a local call from any telephone to one of these local access numbers, any individual with an iNum phone number anywhere in the world can be reached without further cost. Here is a current list of the local access numbers. If the link is down (frequently), try here or here or the iNUM listing here. Once your call is answered, simply enter the 15-digit iNum phone number you wish to reach, and you will be connected. It’s worth pointing out that iNUMs aren’t as unwieldy as they may appear. The numbers always begin with 8835100 followed by 8 digits starting with a zero.

And another iNUM listing from DSL Reports:

Country             City                     Access Number
------------------- ------------------------ ---------------
Argentina           Buenos Aires             +54 1159839500
Australia           Sydney                   +61 280148200
Austria                                      +43 720880500
Bahrain                                      +973 16199200
Belgium             Brussels                 +32 28081771
Brazil              Brasilia                 +556135500791
Brazil              Florianopolis            +554840420809
Brazil              Rio De Janeiro           +552135006959
Brazil              Sao Paulo                +551146803621
Bulgaria            Sofia                    +359 24917555
Canada              Calgary                  (403) 775-1446
Canada              Edmonton                 (780) 669-9257
Canada              Halifax                  (902) 982-6937
Canada              London                   (519) 488-9336
Canada              Montreal                 (514) 907-7500
Canada              Ottawa                   (613) 686-4519
Canada              Quebec City              (418) 800-0384
Canada              St. Johns, Newfoundland  (709) 757-0060
Canada              Regina                   (306) 988-1600
Canada              Toronto                  (416) 800-4303
Canada              Toronto                  (647) 724-8777
Canada              Vancouver                (778) 786-3497
Canada              Winnipeg                 (204) 272-8182
Chile               Santiago                 +56 25813444
Croatia             Zagreb                   +385 17776363
Cyprus              Nicosia                  +357 22030500
Czech Republic      Prague                   +420 246019777
Denmark                                      +45 69918686
Dominican Republic  Santiago                 (829) 947-9610
El Salvador                                  +503 21131899
Estonia                                      +372 6681881
Finland             Helsinki                 +358 942419200
France              Paris                    +33 170619800
Germany             Frankfurt                +4969257385876
Germany             Frankfurt                +4969257380439
Greece              Athens                   +30 2111768444
Hungary             Budapest                 +36 14088951
Ireland             Dublin                   +353 15262600
Israel              Tel Aviv                 +972 37219555
Italy               Rome                     +39 0662207777
Japan               Tokyo                    +81 345209777
Latvia              Vilnius                  +370 52059090
Lithuania                                    +371 67652500
Luxembourg                                   +352 20880108
Malta                                        +35627780107
Mexico              Guadalajara              +52 3346242977
Mexico              Mexico City              +52 5511678222
Mexico              Monterrey                +52 8141703540
Netherlands         Amsterdam                +31 208080808
New Zealand         Auckland                 +64 99250499
Norway              Oslo                     +47 21031306
Panama                                       +507 8322488
Peru                Lima                     +51 17085500
Poland              Warsaw                   +48 223982688
Portugal            Lisbon                   +351 308803219
Puerto Rico         Bayamon Norte            (787) 395-7140
Romania                                      +40 318103500
Singapore                                    +65 31581212
Slovakia            Bratislava               +421 233002555
Slovenia            Ljubljana                +386 16001422
South Africa        Johannesburg             +27105002854
South Africa        Pretoria                 +27120042701
Spain               Barcelona                +34 931815653
Spain               Madrid                   +34 911883777
Sweden              Stockholm                +46 852500111
Switzerland         Zurich                   +41 435006262
United Kingdom      London                   +44 2033556363
United States       Albuquerque              (505) 225-8243
United States       Charlotte                (980) 202-0283
United States       Charlotte                (980) 236-0398
United States       Kansas City              (913) 951-0932
United States       Chicago                  (312) 253-4880
United States       Houston                  (713) 474-2323
United States       Los Angeles              (213) 221-3799
United States       New York                 (646) 843-6969
United States       Phoenix                  (602) 354-9444
United States       San Diego                (619) 330-9640
United States       San Francisco            (650) 360-0999
United States       Santa Barbara            (805) 308-9649
United States       Seattle                  (206) 420-5904
United States       Spokane, WA              (509) 931-0459
United States       Tacoma, WA               (253) 343-1529

More iNUM details are available here. If sip.inum.net is down, try 81.201.82.50.

Let’s tie all the pieces together now. Linphone gives you and your friends a free SIP URI as well as a SIP client for any platform to make and receive SIP voice and video calls. You can associate this SIP URI with your cellphone number as well as a free or almost free phone number (DID) that’s available from IPComms, CallCentric, and other providers. If you sign up for a LocalPhone iNUM number, you also can associate it with your Linphone SIP URI. So you can be reached on your Linphone client by SIP URI, by iNUM, and by regular phone numbers. You can place unlimited calls to any SIP URI or iNUM worldwide at no cost. What’s not to like?

Deploying Linphone as an Asterisk Trunk

If you don’t have an Asterisk PBX, you can stop reading here. The good news is you can also use a Linphone SIP account as a SIP trunk on your Asterisk PBX. Once configured, you can add an Incoming Route and send the incoming Linphone SIP URI calls to any destination desired: an extension, a ring group, an IVR, or even a Conference Room. Using the FreePBX® or Incredible PBX® GUI, create a chan_SIP Trunk and name it linphone. In the PEER DETAILS, enter the following using your actual Linphone username and password:

type=friend
qualify=yes
insecure=port,invite
host=sip.linphone.org
disallow=all
context=from-trunk
dtmfmode=rfc2833
allow=g722&ulaw
fromuser=your-username
defaultuser=your-username
secret=your-password

For the Registration String: your-username:your-password@sip.linphone.org/99999

Next, create an Inbound Route using 99999 as the DID entry. Route the call to your desired destination, SAVE your settings, and you’re in business.

There’s one more nice surprise. Linphone accounts work much like the old key telephones and Google Voice setup that we all knew and loved. What that means is you can register the same Linphone account in multiple places, e.g. as an Asterisk trunk and elsewhere using one of the Linphone softphone apps. When incoming calls to your SIP URI arrive, they will ring on both your Asterisk PBX and your Linphone softphone as long as you haven’t routed the Linphone trunk to a destination that automatically answers the calls such as an IVR.

HINT: If you’re using dual registrations and routing the Linphone trunk to an extension, we recommend disabling voicemail on that extension so that Asterisk doesn’t automatically answer the call and send it to voicemail when the extension is not registered or answered.

To make outbound calls from extensions on your PBX using the Linphone trunk, the easiest way is to create custom extensions in the [from-internal-custom] context in /etc/asterisk/ extensions_custom.conf. Make up an unused extension number (90210 in this example), enter the Linphone account name you wish to call (acctname in this example), save the file, and reload your dialplan: exten => 90210,1,Dial(SIP/acctname@linphone).

Another way to create a Custom Extension is using the FreePBX or Incredible PBX GUI. Under Applications -> Extensions -> Add Custom Extension, assign an extension number for the extension. Click on the Advanced tab and enter SIP/acctname@linphone in the Dial field. Click Submit button and reload the dialplan at the prompt. Enjoy your worldwide free calling.

Originally published: Monday, April 29, 2019

Need help with Asterisk? Visit the VoIP-info Forum.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.

This phone requires a wired network connection. Some of our purchase links refer users to Amazon when we find their prices are competitive for the recommended products. Nerd Vittles receives a small referral fee from Amazon to help cover the costs of our blog. We never recommend particular products solely to generate Amazon commissions. However, when pricing is comparable or availability is favorable, we support Amazon because Amazon supports us. [↩]

Interconnecting a Mobile PBX to the Asterisk Mothership

Monday, April 22, 2019 / 1 Comment on Interconnecting a Mobile PBX to the Asterisk Mothership

The Holy Grail for a mobile VoIP solution is a simple way to connect back to your primary Asterisk® PBX via Wi-Fi from anywhere in the world to make and receive calls as if you never left. Let’s tick off the potential problems. First, many home-based PBXs are sitting behind NAT-based routers. Second, almost all remote Wi-Fi connections are made through a NAT-based router. Third, chances are the remote hosting platform blocks outgoing email from downstream servers such as a mobile PBX. Fourth, deciphering the IP address of your remote connection can be problematic. Fifth, the chances of experiencing one-way audio or no audio on your VoIP calls is high because of NAT-based routers at both ends of your connection.

Last week we introduced OpenVPN as a solution for those with multiple VoIP sites to interconnect. But there’s a much simpler solution for those that travel regularly and want to avoid the complexity of configuring OpenVPN. Here is a quick thumbnail of the setup we recommend as your mobile companion, and you’ll never have a one-way audio problem again. In terms of hardware, you’ll need a Raspberry Pi 3B+ with its native WiFi support and a Windows or Mac notebook computer for traveling. You’ll also need a NeoRouter VPN server to make this process seamless. If you’ve already set up an OpenVPN server platform, it will work equally well. One advantage of NeoRouter is that clients can be added from the client side without having to create a config file on the VPN server. All you need is a username and password. But the choice of VPN platform is totally a matter of preference. The objective using either OpenVPN or NeoRouter is secure communications to your home base. We don’t want to have to reconfigure either your home PBX or your traveling PBX or your notebook PC based upon changes in your public and private IP addresses.

Today we’ll walk you through the easiest way to set up a (free) NeoRouter server on the Internet. It can be used to connect up to 254 devices on an encrypted private LAN. We’re delighted to have finally found a perfect use for the (free) Google Cloud instance.

Using a RaspberryPi 3B+, build an Incredible PBX 13-13.10 platform by following our previous tutorial. We’ll set this up on your home WiFi network so that you only have to throw the Raspberry Pi and its power supply in your suitcase when you travel. As part of the setup, we’ll download NeoRouter and activate private IP addresses for your notebook computer as well as both of your PBXs (using nrclientcmd). Next, we’ll interconnect the two PBXs using SIP trunks and the NeoRouter private LAN IP addresses. We’ll take advantage of a neat little Raspberry Pi trick by storing a wpa_supplicant.conf template on your PC for the remote WiFi setup even though we don’t yet know anything about the remote LAN. Once we know the SSID and password at the remote destination, we’ll use your notebook computer to edit the template and transfer the file to the /boot folder of your RasPi’s microSD card. When the card then is inserted and the RasPi is booted, it will automatically move the template to the proper /etc/wpa_supplicant folder to successfully activate your WiFi connection. We’ll also load links, a fast text-based browser, just in case you encounter a hotel that requires some sort of acknowledgement or password before establishing your WiFi connection to the Internet.

Star VPN Topology. Photo courtesy of ankara-gtug.org.

Setting Up a (free) NeoRouter Server in the Cloud

Because NeoRouter uses a star-based VPN architecture, that means the NeoRouter Server must always be available at the same IP address for all of the NeoRouter Clients (aka Nodes) to talk to. If you already have a cloud-based server that has a static IP address and can handle the traffic cop duties of NeoRouter Server, then that’s an ideal place to install NeoRouter Server. Simply download the Free flavor of NeoRouter Server that matches your existing platform and install it. Add an FQDN for your server’s IP address, and you’re all set. A detailed summary of available management options is included in our previous NeoRouter v2 article.

We devoted a couple weeks to Google Cloud instances last month, and it turned out to be a pretty awful platform for hosting Asterisk. But the free offering looks to be a perfect fit as a hosting platform for NeoRouter Server. You also won’t have to worry about Google going out of business anytime soon. So let us walk you through an abbreviated setup process on the Google Cloud platform. If you’re just getting started with Google Cloud, read our previous article to take advantage of Google’s generous $300 offer to get you started and to generally familiarize yourself with the mechanics of setting up an instance in the Google Cloud.

For NeoRouter Server, navigate to https://console.cloud.google.com. Click the 3-bar image in the upper left corner of your Dashboard. This exposes the Navigation Menu. In the COMPUTE section of the Dashboard, click Compute Engine -> VM Instances. Then click CREATE PROJECT and name it. Now click CREATE INSTANCE and Name it nrserver. The instance name becomes the hostname for your virtual machine. If you want to remain in the Free Tier, choose f1-micro instance as the Machine Type and choose a U.S. Region (us-central1, us-east1 or us-west1). For the Boot Disk, choose CentOS 6 and expand the disk storage to at least 20GB (30GB is available with the Free Tier). For the Firewall setting, leave HTTP and HTTPS disabled. Check your entries carefully and then click the Create button.

When your virtual machine instance comes on line, jot down the assigned public IP address. We’ll need it in a minute. Now click on the SSH pull-down tab and choose Open in a Browser Window. Now we need to set a root password and adjust the SSH settings so that you can login from your desktop computer using SSH or Putty:

sudo passwd root
su root
nano -w /etc/ssh/sshd_config

When the editor opens the SSH config file, add the following entries. Then save the file and restart SSH: service sshd restart

PermitRootLogin yes
PasswordAuthentication yes

You now should be able to log in to your instance as root from your desktop computer using SSH or Putty. Test it to be sure: ssh root@server-IP-address

Before we leave the Google Cloud Dashboard, let’s make the assigned public IP address permanent so that it doesn’t get changed down the road. Keep in mind that, if you ever delete your instance, you also need to remove the assigned static IP address so you don’t continue to get billed for it. From Home on the Dashboard, scroll down to the NETWORKING section and choose VPS Network -> External IP Addresses. Change the Type of your existing address to Static and Name it staticip. Next, choose Firewall Rules in the VPS Network section and click CREATE FIREWALL RULE. Fill in the template like the following leaving the other fields with their default entries. Then click CREATE.

Name: neorouter
Target Tags: neorouter
Source IP Range: 0.0.0.0/0
Protocols/Ports: check tcp: 32976

CAUTION: Before this firewall rule will be activated for your instance, it also must be specified in the Network Tags section for your instance. Shut down your instance and add the neorouter tag by editing your instance. Then restart your instance.

Now we’re ready to install NeoRouter Free v2 Server on your instance. Be sure to choose the Free v2 variety. Log back into your server as root using SSH/Putty and issue these commands:

yum -y update
yum -y install nano
wget http://download.neorouter.com/Downloads/NRFree/Update_2.3.1.4360/Linux/CentOS/nrserver-2.3.1.4360-free-centos-x86_64.rpm
rpm -Uvh nrserver-2.3.1.4360-free-centos-x86_64.rpm
/etc/rc.d/init.d/nrserver.sh restart
nrserver -setdomain <DOMAINNAME> <DOMAINPASSWORD>
nrserver -adduser <USERNAME> <PASSWORD> admin
nrserver -enableuser <USERNAME>
nrserver -showsettings

Finally, add the following command to /etc/rc.local so that NeoRouter Server gets started whenever your instance is rebooted:

echo "/etc/rc.d/init.d/nrserver.sh start" >> /etc/rc.local

Installing Incredible PBX 13-13.10 on a Raspberry Pi

We won’t regurgitate our Raspberry Pi tutorial. Simply follow the steps outlined there to acquire the necessary components and to get Incredible PBX 13-13.10 installed. We do want to stress the importance of getting WiFi working, configuring SendMail to use your Gmail credentials as a smarthost, and making sure you added the email addition to /etc/rc.local so that you receive IP address information about your PBX whenever it is rebooted. If you skipped any of these steps, stop here and revisit the RasPi tutorial to complete those items.

Configuring NeoRouter Client on Your Computers

All flavors of Incredible PBX come with the NeoRouter client preinstalled. If your Asterisk-based home PBX is of another variety, you can install the NeoRouter Client matching the architecture of your server from here. Be sure to click on the NeoRouter Free v2 tab before making your selection. The other varieties are incompatible with the Free NeoRouter v2 Server installed above and are not free. Also be sure you match both the operating system and architecture of your server platform. Finally, make certain that TCP 32976 is whitelisted in your firewalls.

On Linux-based (non-GUI) platforms, setting up the NeoRouter Client is done by issuing the command: nrclientcmd. You’ll be prompted for your NeoRouter Server FQDN as well as your username and password credentials. Perform this procedure on both your home PBX and the Raspberry Pi.

To add your Windows or Mac notebook to the NeoRouter VPN, download the appropriate client and run the application which will prompt for your NeoRouter Server FQDN as well as your NeoRouter credentials. Once completed, you should see all three machines in your NeoRouter Free Client Dashboard: your PC as well as your home PBX and Raspberry Pi-based Incredible PBX. Make note of the private VPN addresses (10.0.0.X) of both your home PBX and your Raspberry Pi. These VPN addresses never change, and we’ll need them to interconnect your PBXs and to set up a softphone on your notebook computer.

Admininistrative Tools to Manage NeoRouter

Here are a few helpful commands for monitoring and managing your NeoRouter VPN.

To access your NeoRouter Linux client: nrclientcmd

To restart NeoRouter Linux client: /etc/rc.d/init.d/nrservice.sh restart

To restart NeoRouter Linux server: /etc/rc.d/init.d/nrserver.sh restart

To set domain: nrserver -setdomain YOUR-VPN-NAME domainpassword

For a list of client devices: nrserver -showcomputers

For a list of existing user accounts: nrserver -showusers

For the settings of your NeoRouter VPN: nrserver -showsettings

To add a user account: nrserver -adduser username password user

To add admin account: nrserver -adduser username password admin

For a complete list of commands: nrserver –help

Interconnecting Your Raspberry Pi and Home PBX

To keep things simple, our setup examples below assume the following NeoRouter VPN addresses: Home PBX (10.0.0.1) and Raspberry Pi (10.0.0.2). Using a browser, you’ll need to login to the GUI of your Home PBX and Raspberry Pi and add a Trunk to each PBX. Be sure to use the same secret on BOTH trunk setups. We don’t recommend forwarding incoming calls from your Home PBX to your Raspberry Pi because most folks won’t be sitting in their hotel room all day to answer incoming calls. Instead, add the number of your smartphone to a Ring Group on the Home PBX and don’t forget the # symbol at the end of the number. On the Raspberry Pi side, we are assuming that whenever a call is dialed from a registered softphone with the 9 prefix, the call will be sent to the Home PBX for call processing (without the 9). For example, 98005551212 would send 800-555-1212 to the Home PBX for outbound routing and 9701 would send 701 to the Home PBX for routing to the 701 extension. You can obviously adjust your dialplan to meet your own local requirements.

On the Home PBX, the chan_sip trunk entries should look like this:

Trunk Name: raspi-remote

PEER DETAILS

host=10.0.0.2
type=friend
context=from-internal
username=home-pbx
fromuser=home-pbx
secret=some-password
canreinvite=no
insecure=port,invite
qualify=yes
nat=yes

On the Raspberry Pi, the chan_sip trunk entries should look like this:

Trunk Name: home-pbx

PEER DETAILS

host=10.0.0.1
type=friend
context=from-internal
username=raspi-remote
fromuser=raspi-remote
secret=some-password
canreinvite=no
insecure=port,invite
qualify=yes
nat=yes

On the Raspberry Pi, add an Outbound Route named Out9-home-pbx pointed to home-pbx Trunk with the following Dial Patterns. For each Dial Pattern, prepend=blank and prefix=9:

dial string: 1NXXNXXXXXX  
dial string: NXXNXXXXXX  
dial string: *98X.
dial string: XXX
dial string: XXXX
dial string: XXXXX

Tweaking Your Raspberry Pi for WiFi Mobility

Typically, you don’t know the WiFi SSID or password of your destination location before you travel. Because you won’t be traveling with a monitor and keyboard for your Raspberry Pi, we needed some way to adjust the WiFi credentials on the microSD card to accommodate the destination WiFi network when you arrive. Luckily, the Raspberry Pi folks thought of a clever way to handle this. You can simply plug your microSD card into your notebook PC (Mac ALERT: Don’t forget your SD card dongle!) and add a wpa_supplicant.conf config file to the /boot directory on the card once you arrive at your destination and know the SSID and password of the local WiFi network. When the Raspberry Pi is subsequently booted, the operating system will move the config file to the /etc/wpa_supplicant directory so that your WiFi network will come on line. Here’s what a typical wpa_supplicant.conf file should look like using your actual credentials. The last network section handles open WiFi network connections (think: McDonald’s) if you want to enable them:

country=US
update_config=1

network={
 ssid="your-SSID"
 psk="your-SSID-password"
 key_mgmt=WPA-PSK
 scan_ssid=1
 priority=5
}

network={
 key_mgmt=NONE
 priority=1
}

The other gotcha is that some public WiFi networks require some type of web login procedure before you can actually access the Internet even though an IP address may have been assigned to your Raspberry Pi. To handle this situation, you’ll need a text-based web browser on the Raspberry Pi that can be accessed through your notebook PC using SSH and your Raspberry Pi’s VPN address. Our favorite is links which can be installed on your Raspberry Pi before you pack up.

apt-get install links -y

Once you arrive at your destination, connect both your notebook PC and Raspberry Pi to the same WiFi network, login to the RasPi with SSH at the VPN address assigned to your RasPi, and run links to start the browser. Press <esc> to access the links menu options. If you can’t access your RasPi at the VPN IP address, try its WiFi-assigned local IP address.

Adding a Softphone to Your Notebook PC

Last, but not least, you obviously need a way to make and receive calls once your Raspberry Pi is up and running at the remote site. We recommend installing a softphone on your Mac or PC notebook that connects to an extension on your Raspberry Pi using the VPN IP address of the Raspberry Pi. Using the VPN address assures that the connection will always be available regardless of the WiFi network’s local IP addresses. Everyone has their own favorite softphone, but here are some suggestions.

We recommend YateClient which is free. Download it from here. Run YateClient once you’ve installed it and enter the credentials for an extension on your Raspberry Pi. Then enter the VPN IP address of your server plus your extension’s password. Click OK to save your entries.

If you are a Mac user, another great no-frills softphone is Telephone. Just download and install it from the Mac App Store.

Adding a Softphone to Your Smartphone

We actually prefer adding a free softphone app to our smartphone. There are a number of alternatives on both the iOS and Android platforms. With iPhones and iPads, we’ve had great success with Acrobits Softphone, Grandstream Wave, Linphone, and Zoiper Lite. All are available in the App Store. For Android devices, Acrobits Groundwire is our favorite. But Grandstream Wave, Linphone, and Zoiper Lite also are available. Keep in mind that Zoiper also supports IAX connections to simplify NAT connections. And, on both platforms, don’t forget that Google now lets you make and receive calls using the new Google Voice app using your old Google Voice numbers that no longer work directly with Asterisk.

Enjoy your pain-free traveling!

Originally published: Monday, April 22, 2019

Need help with Asterisk? Visit the VoIP-info Forum.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.

The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.

VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!

Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.

Category Archives: Incredible PBX

The Most Versatile VoIP Provider: FREE PORTING

Links

Follow us

Recent Posts

Choosing a KVM Platform for OpenSIPS

Introducing the VoIP Blacklist

Upgrading Existing OpenSIPS KVM/OVZ7 Platforms

Special Thanks to Our Generous Sponsors

Choosing a Virtual Machine Platform

Getting Started with VMware ESXi

A Free VMware Platform for SOHO Apps

Deploy VMware Template with vSphere Client

Installing the vSphere Web Client

Installing VMware Tools in a Virtual Machine

Special Thanks to Our Generous Sponsors

Installing Incredible PBX Base Platform

Upgrading the Fail2Ban Platform

Obtaining an FQDN for Your Server

Customizing the [sip-external-custom] Context

Configuring IPtables for Public SIP Access

Securing the SSH Access Port

Dealing with the Bad Guys

Additional Security on KVM Platforms

Connecting a SIP Phone to OpenSIPS or LinPhone

Special Thanks to Our Generous Sponsors

Skyetel Pricing Overview

Signing Up for Skyetel Service

SMS and MMS Messaging with Postcards

Introducing Skyetel’s New Fax Platform

Implementing the New Spam Call Filter

Recording and Transcribing Skyetel Calls

Skyetel Expansion for Canadian Users

Skyetel Monitoring of Endpoint Health

Special Thanks to Our Generous Sponsors

1. Configuring Asterisk for Inbound OpenSIPS Calls

2. Configuring OpenSIPS for Asterisk Connectivity

3. Enabling Inbound Calls from Asterisk to a SIP Phone

4. Outbound PSTN Calling from OpenSIPS

5. Enabling Calls from Asterisk to OpenSIPS Users

6. A Few Words About Security

7. Taking OpenSIPS for a Test Drive

Special Thanks to Our Generous Sponsors

Choosing a KVM/OVZ7 Platform for OpenSIPS

Choosing OpenSIPS Components to Deploy

Deploying a Debian 8 Server Platform

Installing OpenSIPS on a Debian 8 Server

Activating a SIP Server with OpenSIPS Control Panel

Logging into the OpenSIPS Control Panel

Creating Domains with OpenSIPS Control Panel

Creating Users with OpenSIPS Control Panel

Registering a Softphone to an OpenSIPS User Account

Avoiding Lockouts with NeoRouter VPN

Choosing Commercial SIP Providers

Introducing the VoIP Blacklist

Special Thanks to Our Generous Sponsors

Deploying Linphone as an Asterisk Trunk

Special Thanks to Our Generous Sponsors

Setting Up a (free) NeoRouter Server in the Cloud

Installing Incredible PBX 13-13.10 on a Raspberry Pi

Configuring NeoRouter Client on Your Computers

Admininistrative Tools to Manage NeoRouter

Interconnecting Your Raspberry Pi and Home PBX

Tweaking Your Raspberry Pi for WiFi Mobility

Adding a Softphone to Your Notebook PC

Adding a Softphone to Your Smartphone

Special Thanks to Our Generous Sponsors

Post navigation

Support Nerd Vittles

Free Asterisk Solutions

Tags