We continue the Incredible PBX for Asterisk-GUI adventure today with a close look at SIP URIs, those email-like addresses that are the fundamental building blocks for VoIP technology. Consider this. If everyone in the world had a SIP address instead of a phone number, every call to every person in the world via the Internet would be free. That pretty much sums up why SIP URIs are important. The syntax for SIP URIs depends a bit upon your platform. In the Asterisk® world, they look like this: SIP/somenameORnumber@FQDN.yourdomain.com. On many SIP phones, you enter SIP URIs in the following format: sip:somenameORnumber@FQDN.yourdomain.com. Others use somenameORnumber@FQDN.yourdomain.com. Assuming you have a reliable Internet connection, once you have "dialed" a SIP URI, the destination SIP device will ring just as if they had a POTS phone. And Asterisk processes SIP URIs in much the same way as other calls originating from trunks. As noted, SIP URI calls of any duration to anywhere are free. And, of course, Incredible PBX is also free with No Gotchas!
In our original articles on Incredible PBX for Asterisk-GUI, we covered outbound calls to SIP URIs, and we’ll briefly review that procedure today. Then we’ll move on to setting up one or more SIP URIs for your own server so that you can receive incoming SIP URI calls. We’ll show you how to route them to any destination you like, both internal and external. We’ll also address the security implications of enabling SIP URI calling on your server. You don’t want the whole world calling into your server to make outbound calls on your nickel. We’ll also walk you through a safer SIP methodology in which you use a service provider as a SIP intermediary to better protect the security of your server. And finally, we’ll show you how to interconnect your new SIP URIs to real telephone numbers at zero cost. Then your friends without a SIP URI still can call you from any POTS or cellphone in the world.
SIP URI Calling with Incredible PBX for Asterisk-GUI
With one line of dialplan code, you can add Speed Dials for free SIP URI calling worldwide. The dialplan code is stored in the [CallingRule_SIP_URI] context in extensions_custom.conf. Just clone one of the existing entries, designate a speed dial number to connect to the SIP URI, and enter the SIP URI for the destination. Numerous SIP providers support assignment of SIP URI’s to existing DIDs for unlimited free calling from anywhere in the world. Here’s a sample using a speed dial code of 53669 (L-E-N-N-Y). Use it for your telemarketers:
exten = 53669,1,Dial(SIPfirstname.lastname@example.org).
Choosing a SIP URI Strategy with Incredible PBX for Asterisk-GUI
Before we actually create SIP URIs on your own server to receive anonymous calls, let’s walk through the available implementation strategies so that you can make an informed choice on how best to proceed. Keeping in mind that SIP URIs consist of an identifier and a fully-qualified domain name (FQDN) or IP address, one option is to use the same domain that you use for your company. We don’t recommend this approach because it makes it easy to guess where your SIP resources reside. Another option is to use a really obscure FQDN with your SIP URIs. Something like k43X20.mycompany.com or, for dynamic addresses, something like k43X20.dyndns.org makes more sense. In the next section, we’re going to lock down SIP access to your server to this FQDN so the more obscure the FQDN the safer you will be. Security through obscurity still works wonders. A third option is to use the IP address of your server instead of an FQDN. That’s a bad choice because of programs like SIPVicious that the bad guys use to scan the Internet for potential SIP targets to be hacked.
An alternative approach worth considering is to use a provider such as VoIP.ms as a SIP intermediary. In this scenario, you create a sub-account and assign an obscure extension number to that account. This in turn generates a SIP URI that can be used to connect to that account from your server by simply registering a VoIP.ms trunk in Incredible PBX. Once the trunk is registered, incoming SIP URI calls to your VoIP.ms sub-account will be forwarded (without cost) to your server without exposing Asterisk to SIP guest access at all. The wrinkle with this option is that VoIP.ms has often indicated that they plan to charge a reduced fee for these connections at some point. However, to date, they’ve never done it. If VoIP.ms shifts gears down the road, you obviously can as well. For the time being, we would encourage you to take advantage of this free service option. It remains our first choice for SIP URI implementation because there is no need to expose SIP resources on your server at all. VoIP.ms takes care of all the SIP security headaches leaving you to enjoy free calling. In the screenshot we’ve shown above, assuming your VoIP.ms account number was 12345, the SIP URI to connect to this sub-account would be
email@example.com assuming you registered your trunk with the houston.voip.ms server.
Creating Your Own SIP URIs with Incredible PBX for Asterisk-GUI
The procedure for creating one or more SIP URIs on your own Incredible PBX server is straight-forward:
- For servers behind a hardware-based firewall, map UDP 5060 (SIP) to your server
- Enable allowguest access in [general] context of sip.conf
- Create desired SIP URIs in [public] context of extensions.conf
1. Unless your server is sitting on the public Internet without a hardware-based firewall, you’ll need to map UDP port 5060 (SIP) from the firewall to the private LAN address of your server. Otherwise incoming SIP calls will never reach Incredible PBX. Most routers have a Port Forwarding tab in which you designate the port to be forwarded, the type of port, and the destination IP address. Consult the manual for your router/firewall for detailed instructions.
2. Changing the allowguest setting in the [general] context of sip.conf is mandatory since the purpose of SIP URI calling is to accept calls from unregistered users. The risk, of course, is that anyone in the world with an Internet connection can attempt to connect to your server. More on that later. For now, issue this command after logging into your server as root:
sed -i 's|allowguest=no|allowguest=yes|' /etc/asterisk/sip.conf
Once you issue this command and restart Asterisk, the setup of Incredible PBX for Asterisk-GUI is to route anonymous SIP calls to the [public] context in extensions.conf. Only extensions in this context will be exposed to anonymous callers. This is important. NEVER change the destination context for these calls to one that provides unrestricted access to the calling resources on your server. The reason should be obvious. But, in case it isn’t, this would permit anonymous callers to use all of your trunks to place outbound calls to anywhere… on your nickel. $100,000 phone bills are the usual result.
3. There are two important facets in creating your own SIP URIs for anonymous access to your server. As touched upon previously, the first is choosing an obscure FQDN for your server. This is a really important layer of security for a couple of reasons: (1) your anonymous caller has to know the actual FQDN of your server in order to reach you and (2) in the next step we’re going to lock down your server to only allow anonymous SIP access from this FQDN. So choose carefully. The second consideration is deciding which server resources you wish to expose for SIP URI access. Do you wish to permit SIP URI calls only to a specific extension or ring group, or perhaps a custom IVR just for SIP URI callers, or perhaps a conference or DISA access (very dangerous)?
You can deploy more than one SIP URI. For each one, you’ll need a destination for the incoming call and an identifier or extension. Identifiers could be numeric, alphanumeric, or pure alpha characters. For example, 8005551212, joe6001, and accounting are all perfectly acceptable. The resultant SIP URI would be something like joe6001@k43X20.mycompany.com.
As noted, for each destination on your server that you wish to enable for SIP URI access, you add a line of dialplan code to the [public] context in extensions.conf. The syntax is identical to what you’ve previously used in routing incoming trunk calls to a destination except we’ll restrict connections to those matching the identifier you’ve chosen for each SIP URI. Here are some examples to get you started.
To route SIP URI accounting@k43X20.mycompany.com to Ring Group #1:
exten = accounting,n,Goto(ringroups-custom-1,s,1)
To route SIP URI joe6001@k43X20.mycompany.com to Extension 6001:
exten = joe6001,n,Goto(default,6001,1)
To route SIP URI demo@k43X20.mycompany.com to the Nerd Vittles demo IVR:
exten = demo,n,Goto(voicemenu-custom-2,s,1)
To route SIP URI lenny@k43X20.mycompany.com to an outside SIP URI:
exten = lenny,1,Dial(SIPfirstname.lastname@example.org)
To route SIP URI conference@k43X20.mycompany.com to the default conference at extension 2663:
exten = conference,1,Goto(conf_bridge,2663,1)
To route SIP URI weather@k43X20.mycompany.com to the Weather by ZIP Code application:
exten = weather,1,Goto(CallingRule_extensions_custom,947,1)
To route SIP URI 800directory@k43X20.mycompany.com to Directory Assistance using Google Voice trunk:
exten = 800directory,1,Dial(Motif/GoogleVoiceemail@example.com)
Securing Your Server with SIP URI Implementations
There are two important security steps once you have enabled anonymous SIP URI calling to your server. The first line of defense is to harden the IPtables Firewall to only permit anonymous SIP access to the specific FQDN you plan to use for your SIP URI callers. The second is to harden Asterisk to disallow requests for domains not serviced by your server.
1. Edit the IPv4 rules for your operating system. On the CentOS-compatible platforms, it’s /etc/sysconfig/iptables. On the Debian/Ubuntu/Raspbian platforms, it’s /etc/iptables/rules.v4. Toward the end of the file and just above the final fail2ban entries, insert the following code using your actual FQDN in the first line:
-A INPUT -p udp --dport 5060 -m string --string "@k43X20.mycompany.com" --algo bm -j ACCEPT -A INPUT -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP -A INPUT -p udp --dport 5060 -m string --string "OPTIONS sip:" --algo bm -j DROP -A INPUT -p udp -m udp --dport 5060 -j DROP
2. Run the following commands substituting your actual FQDN in the first line to lock down Asterisk to only your FQDN for anonymous SIP connections:
sed -i '/\\[general\\]/a ;domain=k43X20.mycompany.com' /etc/asterisk/sip.conf sed -i '0,/;domain/s/;domain/domain/' /etc/asterisk/sip.conf sed -i '0,/;allowtransfer=no/s/;allowtransfer=no/allowtransfer=no/' /etc/asterisk/sip.conf sed -i '0,/; allowexternaldomains=no/s/; allowexternaldomains=no/allowexternaldomains=no/' /etc/asterisk/sip.conf
3. Restart your firewall:
4. Restart Asterisk:
Interconnecting a SIP URI with a Free PSTN Phone Number
Wouldn’t it be nice if all your friends and business associates without SIP URI capability could still call you using a traditional PSTN number? Well, it’s your lucky day because www.ipkall.com provides just what you need, a free phone number in the Seattle area that you can connect to an existing SIP URI on your server.
When folks call the Seattle number, they will be connected to your server using whatever routing you chose for the SIP URI in the previous section. So sign up for a number, enter your email address and the SIP URI for the calls, and wait for the confirmation email identifying your new telephone number. The only catch is that you need to receive at least one call a month to keep the number. Aside from that, there are no restrictions on use of the PSTN numbers. Enjoy!
Don’t forget to List Yourself in Directory Assistance with your new IPkall PSTN number so everyone can find you by dialing 411. And be sure to add your new number to the Do Not Call Registry to block telemarketing calls.
Originally published: Wednesday, March 25, 2015
Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! Please have a look and post your support questions there. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of users just like you. You won’t have to wait long for an answer to your question.
Need help with Asterisk? Visit the PBX in a Flash Forum.
Special Thanks to Our Generous Sponsors
FULL DISCLOSURE: ClearlyIP, Skyetel, Vitelity, DigitalOcean, Vultr, VoIP.ms, 3CX, Sangoma, TelecomsXchange and VitalPBX have provided financial support to Nerd Vittles and our open source projects through advertising, referral revenue, and/or merchandise. As an Amazon Associate and Best Buy Affiliate, we also earn from qualifying purchases. We’ve chosen these providers not the other way around. Our decisions are based upon their corporate reputation and the quality of their offerings and pricing. Our recommendations regarding technology are reached without regard to financial compensation except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.
BOGO Bonaza: Enjoy state-of-the-art VoIP service with a $10 credit and half-price SIP service on up to $500 of Skyetel trunking with free number porting when you fund your Skyetel account. No limits on number of simultaneous calls. Quadruple data center redundancy. $25 monthly minimum spend required. Tutorial and sign up details are here.
The lynchpin of Incredible PBX 2020 and beyond is ClearlyIP components which bring management of FreePBX modules and SIP phone integration to a level never before available with any other Asterisk distribution. And now you can configure and reconfigure your new Incredible PBX phones from the convenience of the Incredible PBX GUI.
VitalPBX is perhaps the fastest-growing PBX offering based upon Asterisk with an installed presence in more than 100 countries worldwide. VitalPBX has generously provided a customized White Label version of Incredible PBX tailored for use with all Incredible PBX and VitalPBX custom applications. Follow this link for a free test drive!
Special Thanks to Vitelity. Vitelity is now Voyant Communications and has halted new registrations for the time being. Our special thanks to Vitelity for their unwavering financial support over many years and to the many Nerd Vittles readers who continue to enjoy the benefits of their service offerings. We will keep everyone posted on further developments.
Some Recent Nerd Vittles Articles of Interest…