Practicing Safe SIP: Adding SIP URI and Free DID Connectivity to Asterisk

Last year, we began our exploration of safe SIP options for Asterisk® by introducing a hybrid solution using VoIP.ms for a registered SIP trunk and IPkall for a free DID. Today, in addition to a free IPkall DID to accept incoming PSTN calls, we have a slightly different approach that provides a direct SIP URI address from Sip2Sip.info for your server. As with the original tutorial, today’s implementation preserves our Zero Internet Footprint™ design for total SIP insulation of your server from the Internet. And all of the components to deploy today’s solution are completely free.

PBX in a Flash™ has a long (safe) history in the VoIP community, and the major reason is that we constantly preach never directly exposing any ports on your Asterisk server to the Internet without implementing a WhiteList of safe IP addresses. This Zero Internet Footprint™ design keeps everybody out except a trusted, defined group on your WhiteList. For everyone else, they never see your server. So how do you receive calls?

You do it with phone numbers (DIDs) or SIP URIs tied to registered Google Voice, SIP, and IAX trunks from reputable providers. Because these trunks have constant registrations with safe service providers on the Internet, calls to these DIDs and SIP URIs can flow in and out of your server without exposing your server directly to the Internet. Callers still can contact you, but they do it through an intermediary with whom you have a registered SIP trunk. Thus, the SIP vulnerability (if there is any) remains with the SIP provider and never with your server directly.

For today’s tutorial, we’ll be using the latest and greatest PIAF-Green™ Virtual Machine featuring Asterisk 11 and FreePBX® 2.11. We also recommend installation of Incredible PBX™ 11 which includes Travelin’ Man™ 3 to provide secure WhiteList management for your Asterisk firewall. Here are links to the PIAF-Green VM with Incredible PBX 11 as well as the Travelin’ Man 3 tutorial to get you started. We recommend you configure this using a VirtualBox® virtual machine on your favorite desktop computer just to get comfortable with the setup. Then you can repeat the drill using a dedicated or cloud-based server once you’ve mastered the basics. All of today’s setup will work without making any adjustments to your hardware-based firewall which should be sitting between your desktop computer and the Internet.

Registering for a Sip2Sip Account. Once you have the VoIP platform in place with Asterisk 11, FreePBX 2.11, Incredible PBX 11, and Travelin’ Man 3, you’re ready to add a SIP trunk from Sip2Sip.info. Just sign up for a free account on their site leaving the Account Name field blank. They will email you your credentials. Click on the provided link in the email to access your new account at http://x.sip2sip.info. Your account name will consist of a 10-digit-number@sip2sip.info. To log in, use the default SIP address as shown and leave the password field blank. Then click Login Now. Immediately click on the settings tab, choose an 8-digit numeric password, disable your Voice Mailbox, and click the SAVE button. Your Sip2Sip account is now secure unless someone is lucky enough to guess your password from the 100 million possibilities. You’ll need your 10-digit SIP account number and password to set up your SIP trunk on your Asterisk 11 server in the next step so write them down and then log out of your Sip2Sip account!

FreePBX and Asterisk Configuration Overview. Using a web browser, log into FreePBX® on your server. We’ll need to create several items to get everything working. First, we’ll add a new SIP trunk with your Sip2Sip credentials to handle incoming calls. Second, we’ll add a Custom Trunk to handle outbound calls to Sip2Sip. Third, we’ll add an Inbound Route to process incoming calls. Fourth, we’ll add an Outbound Route so that you can make calls using your outbound Sip2Sip trunk. Calls to other Sip2Sip numbers are free. For the rest, you’ll pay a per minute fee. Whether to use the pay service is completely up to you! Finally, we’ll log into your server as root and add Sip2Sip to your IPtables WhiteList and make two manual adjustments to the Asterisk dialplan to accommodate Sip2Sip’s way of handling SIP calls. Then we’ll restart Asterisk, and you’re done.

  1. Connectivity -> Trunks -> Add SIP Trunk
  2. Connectivity -> Trunks -> Add Custom Trunk
  3. Connectivity -> Inbound Routes -> Add Incoming Route
  4. Connectivity -> Outbound Routes -> Add Route
  5. Enable Sip2Sip in your IPtables WhiteList
  6. Add srvlookup=yes in sip_general_custom.conf
  7. Set enable=yes in dnsmgr.conf
  8. Restart Asterisk: amportal restart

Adding Sip2Sip SIP Trunk. While logged into FreePBX 2.11, choose Connectivity -> Trunks -> Add SIP Trunk. Fill out the form like this using your Sip2Sip 10-digit number and password. Unlike some trunk setups, entering your actual 10-digit Sip2Sip number as the Outbound Caller ID is mandatory, or inbound calls will be rejected by your server. Replace 223XXXXXXX with your actual 10-digit Sip2Sip number in the five places shown below. Replace 12345678 with your actual Sip2Sip password in the two places shown below.

  1. Trunk Name: Sip2Sip
  2. Outbound Caller ID: 223XXXXXXX
  3. Dial Pattern: leave blank
  4. Trunk Name: sip2sip
  5. Trunk Details:
    • type=peer
    • canreinvite=no
    • nat=yes
    • qualify=yes
    • domain=sip2sip.info
    • fromdomain=sip2sip.info
    • outboundproxy=proxy.sipthor.net
    • fromuser=223XXXXXXX
    • defaultuser=223XXXXXXX
    • secret=12345678
    • insecure=invite
    • context=from-trunk
    • host=sip2sip.info&81.23.228.129&81.23.228.150&85.17.186.7
  6. Register String: 223XXXXXXX:12345678@sip2sip.info/223XXXXXXX

Adding Sip2Sip Custom Trunk for Outbound Calling. While logged into FreePBX 2.11, choose Connectivity -> Trunks -> Add Custom Trunk. Fill out the form like this using the entries below:

  1. Trunk Name: sip2sip-out
  2. Dialed Number Matched Pattern: 223NXXXXXX
  3. Custom Dial String: SIP/$OUTNUM$@sip2sip.info

Adding Inbound Route. Next you need to tell FreePBX how to process incoming calls from your Sip2Sip number. Choose Connectivity -> Inbound Routes -> Add Incoming Route and fill out the form to look like this. Change the destination to match whatever you prefer: an extension, ring group, IVR, etc. If you followed last week’s tutorial to install Lenny Encore, then you can choose Lenny as your destination as well.

Adding Outbound Route. Next you need to tell FreePBX how to process outbound calls to your Sip2Sip account. Choose Connectivity -> Outbound Routes -> Add Route and fill out the form to look like this. After you have saved your entries, make certain that you drag the sip2sip-out route to the top of your Outbound Route List (on the right side). Otherwise, 10-digit Sip2Sip calls may inadvertently be processed by one of your other trunks that handles 10-digit numbers. The 3333 and 4444 numbers are test accounts at Sip2Sip to enable you to try out connectivity.

Adding Sip2Sip to Your IPtables WhiteList. We’re assuming you already have installed Travelin’ Man 3 and secured your server by running /root/secure-iptables. If not, start there. Now we need to enable UDP SIP connectivity for Sip2Sip in your WhiteList by running the following commands while logged in as root:

/root/add-fqdn sip2sip sip2sip.info
/root/add-ip sip2sip1 81.23.228.129
/root/add-ip sip2sip2 81.23.228.150
/root/add-ip sip2sip3 85.17.186.7

Making Asterisk Dialplan Adjustments. While still logged into your server as root, issue the following commands to finish up enabling Sip2Sip URI support in Asterisk. The last command verifies that your Sip2Sip trunk is actually registered.

echo "enable=yes" >> /etc/asterisk/dnsmgr.conf
echo "srvlookup=yes" >> /etc/asterisk/sip_general_custom.conf
amportal restart
asterisk -rx "sip show registry"

Adding an IPkall DID for Your SIP URI. We’ve now completed all the steps necessary to receive incoming SIP URI calls using your new Sip2Sip URI: 323XXXXXXX@sip2sip.info. Anyone in the world can dial that SIP URI from a SIP phone, and the calls will be answered by your server. But suppose we’d also like folks to be able to pick up a Plain Old Telephone and call using Sip2Sip.info to route the incoming call through the SIP URI. Here’s the easy way to do it. Just sign up for a free DID at www.ipkall.com. After choosing an area code for your free number, you’ll be prompted for the following information. Here’s what you’d enter using today’s example:

  • Sip2Sip Phone Number: 323XXXXXXX
  • SIP Proxy: sip2sip.info
  • Email Address: your-email-address
  • Password: some-password-to-get-back-into-your-account

Once you’ve completed the form, submit it and wait for your new phone number to be delivered in your email. You should get it within a couple minutes so check your spam folder if you don’t see it. Congratulations! You’ve done everything you need to do for anyone to call you using either your Sip2Sip URI or your new DID number from IPkall.

It’s worth noting that IPkall recycles DIDs that aren’t used for 30 days. If you use Incredible PBX, the easiest way to assure you don’t lose your number is to set up a weekly recurring Telephone Reminder that calls your IPkall number.

Adding SIP URI Dialing with Your Own Domain. Thanks to a great tip from @w1ve on the PIAF Forum, you now can create free SIP URIs using your own domain. Here’s how.

Troubleshooting. If you experience intermittent congestion issues with attempted connections to your SIP URI, try the [from-sip-external] trick outlined in our PIAF Forum posting.

Add Free Calls to 40 Million Asterisk Servers with e164.org. While we’re on a roll of free calling, here’s a simple way to add free calling to 40 million Asterisk servers around the world. Just add your name and phone numbers to the e164.org registry at no cost and configure FreePBX with ENUM support. Then outbound calls to numbers in the e164 registry will always be free as well. The whole setup takes less than 10 minutes. Here’s how.

You already have a SIP URI for your Asterisk server from the Sip2Sip setup above. Now let’s get you signed up with an account on e164.org. Go to the web site and click the Sign Up tab. Go through the sign up drill and then log into your new account. Then click the Phone Numbers tab and add your IPkall phone number to e164. If you have additional DIDs, enter the area code and number for each of them. Then click the Next button. You’ll be warned about not having the number you’ve specified redirected to an IVR. If you already have this DID redirected to an IVR, change the routing temporarily to an extension that you can answer to obtain your PIN before you press Next to proceed. You’ll then be prompted for the SIP address to contact your server. Leave the default SIP protocol and plug in the address you were assigned by Sip2Sip. As soon as you click the Next button, your phone should start to ring, but there may not be a message when you answer. Hang up and wait for the second call within 15 minutes. It will include your PIN. Now click on the Phone Numbers tab and update your phone entry by choosing Enter PIN and typing your assigned PIN. Your phone number now has been activated with the e164 service. To complete the setup, you’ll want to click on the Do Not Call option and make your selections. You also can decide whether to list yourself in the ENUM White Pages directory.

Remember that the real purpose of this drill is to avoid charges when you place outbound calls to numbers in the ENUM directory. We merely added your numbers to e164.org so that others could benefit as well. So the final step before you can start saving money is to configure FreePBX to handle ENUM lookups for outbound calls from your server. One more observation may be helpful. You’ll recall that one of the limitations of FreePBX has always been that once an outbound route was chosen for a call, if the call was completed using the first destination trunk in that route, then the call processing ended there. ENUM adds a new wrinkle because we basically want to connect to ENUM to check for a free route and, if no matching entry is found, then we want the next trunk to process the call. As luck would have it, FreePBX has been tweaked to allow this scenario. All you have to do is create an ENUM trunk and then place it first in your sequence of trunks for each of your outbound routes. If an ENUM entry is found for the number you’re calling, the call will be routed as a free call with a direct SIP connection. Otherwise, the call processing will continue and the call will be routed using the next trunk specified in your outbound route.

There are two steps in FreePBX to implement ENUM. First, create a special ENUM trunk. Second, adjust your Outbound Routes to process outbound calls using the ENUM trunk first. Then the series of trunks you already have specified in each outbound route will be triggered if there is no ENUM path for your call. NOTE: You obviously wouldn’t do this for an emergency 911 outbound route.

In FreePBX, click Connectivity -> Trunks, Add ENUM Trunk. Enter your desired CallerID for these calls. Set a maximum number of channels, if desired, and then leave the other entries blank in most cases. Save your settings and reload your dialplan. Now click Connectivity -> Outbound Routes and adjust the sequence of trunks for each of your existing routes. Be sure to put ENUM in the top position of each desired route. Also make certain that all calls are dialed with a dial string of 1NXXNXXXXXX or NXXNXXXXXX with a Prepend entry of 1 as shown below. Enjoy!


Don’t forget to List Yourself in Directory Assistance so everyone can find you by dialing 411. And add your new number to the Do Not Call Registry to block telemarketing calls. Or just call 888-382-1222 from your new number.
 

 

Deals of the Week. There’s still one amazing deal on the street, but you’d better hurry. A new company called Copy.com is offering 20GB of free cloud storage with no restrictions on file size uploads (which are all too common with other free offers). Copy.com has free sync apps for Windows, Macs, and Linux systems. To take advantage of the offer, just click on our referral link here. We get 5GB of extra storage which will help avoid another PIAF Forum disaster.

Originally published: Monday, August 19, 2013




Need help with Asterisk? Visit the PBX in a Flash Forum.


 

Don’t miss the first-ever FreePBX World on August 27-28 at the Mandalay Bay in Las Vegas. For complete details, see this post on the FreePBX blog.


 

We are pleased to once again be able to offer Nerd Vittles’ readers a 20% discount on registration to attend this year’s 10th Anniversary AstriCon in Atlanta. Here’s the Nerd Vittles Discount Code: AC13NERD.


 
New Vitelity Special. Vitelity has generously offered a new discount for PBX in a Flash users. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. And, when you use our special link to sign up, the Nerd Vittles and PBX in a Flash projects get a few shekels down the road while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For PBX in a Flash users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. Do not use this link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage and any balance is fully refundable if you decide to discontinue service with Vitelity.
 


Some Recent Nerd Vittles Articles of Interest…

Be Sociable, Share!

Comments are closed

Ringbinder theme by Themocracy