Extended Brain Storage

OpenBSD: Asterisk Secure Internet Telephony

Posted on April 18, 2018

A brief tutorial to provide private voice over IP (VoIP) services using Asterisk in OpenBSD...

Introduction

Asterisk is an open source communications project enabling administrators to create telephony applications for IP-based private branch exchanges (PBXs), voice over IP (VoIP) gateways and conference servers.

As with any other analog or digital communication system that requires the establishment and control of a (virtual) telecommunication circuit for its operation, the Internet telephony information exchange consists of:

There exist various proprietary as well as open source protocols to carry out the aforementioned functions. This tutorial deals only with the following ones:

The need to provide confidentiality for telephony resulted in secured versions of the aforementioned protocols, i.e.:

Simply put, Asterisk can operate in two modes:


Installation

The installation is straightforward:

$ pkg_add asterisk
quirks-2.414 signed on 2018-03-28T14:24:37Z
Ambiguous: choose package for asterisk
a       0: <None>
        1: asterisk-13.20.0
        2: asterisk-13.20.0-imap
Your choice: 1
...

For secure call support, SRTP support needs to be installed:

$ pkg_add libsrtp

For Speex codec support:

$ pkg_add asterisk-speex

For G.729 codec support:

$ pkg_add asterisk-g729

All configuration files can be copied and modified from the examples directory:

$ ls -lA /usr/local/share/examples/asterisk/default/

Finally, a fully operational PBX uses up a fair amount of system resources. Therefore, the openfiles-cur limit needs to be increased in /etc/login.conf:

$ vi /etc/login.conf
asterisk:\
        :openfiles-cur=512:\
        :openfiles-max=2048:\
        :tc=daemon:

And the database needs to be refreshed:

$ cap_mkdb /etc/login.conf

Configuration

During startup, Asterisk detects all available modules and activates them all. This may be useful for some administrators. However, when not all of them are necessary, they can be prevented from loading in the modules.conf file, e.g. as follows:

$ vi /etc/asterisk/modules.conf
[modules]
;autoload=yes
autoload=no

; Module name                          Description

; Application
noload => app_adsiprog.so                ;Asterisk ADSI Programming Application
noload => app_agent_pool.so              ;Call center agent pool applications
load => app_alarmreceiver.so           ;Alarm Receiver for Asterisk
noload => app_amd.so                     ;Answering Machine Detection Application
load => app_authenticate.so            ;Authentication Application
noload => app_bridgewait.so              ;Place the channel into a holding bridge
noload => app_cdr.so                     ;Tell Asterisk to not maintain a CDR for
noload => app_celgenuserevent.so         ;Generate an User-Defined CEL event
load => app_chanisavail.so             ;Check channel availability
load => app_channelredirect.so         ;Redirects a given channel to a dialplan
load => app_chanspy.so                 ;Listen to the audio of an active channel
noload => app_confbridge.so              ;Conference Bridge Application
load => app_controlplayback.so         ;Control Playback Application
noload => app_db.so                      ;Database Access Functions
load => app_dial.so                    ;Dialing Application
noload => app_dictate.so                 ;Virtual Dictation Machine
noload => app_directed_pickup.so         ;Directed Call Pickup Application
load => app_directory.so               ;Extension Directory
noload => app_disa.so                    ;DISA (Direct Inward System Access) Appli
noload => app_dumpchan.so                ;Dump Info About The Calling Channel
load => app_echo.so                    ;Simple Echo Application
load => app_exec.so                    ;Executes dialplan applications
noload => app_externalivr.so             ;External IVR Interface Application
noload => app_festival.so                ;Simple Festival Interface
noload => app_followme.so                ;Find-Me/Follow-Me Application
noload => app_forkcdr.so                 ;Fork The CDR into 2 separate entities
noload => app_getcpeid.so                ;Get ADSI CPE ID
noload => app_ices.so                    ;Encode and Stream via icecast and ices
load => app_image.so                   ;Image Transmission Application
load => app_macro.so                   ;Extension Macros
noload => app_milliwatt.so               ;Digital Milliwatt (mu-law) Test Applicat
noload => app_minivm.so                  ;Mini VoiceMail (A minimal Voicemail e-ma
load => app_mixmonitor.so              ;Mixed Audio Monitoring Application
load => app_morsecode.so               ;Morse code
load => app_mp3.so                     ;Silly MP3 Application
noload => app_nbscat.so                  ;Silly NBS Stream Application
load => app_originate.so               ;Originate call
load => app_page.so                    ;Page Multiple Phones
load => app_playback.so                ;Sound File Playback Application
load => app_playtones.so               ;Playtones Application
load => app_privacy.so                 ;Require phone number to be entered, if n
noload => app_queue.so                   ;True Call Queueing
load => app_read.so                    ;Read Variable Application
load => app_readexten.so               ;Read and evaluate extension validity
load => app_record.so                  ;Trivial Record Application
load => app_sayunixtime.so             ;Say time
load => app_senddtmf.so                ;Send DTMF digits Application
load => app_sendtext.so                ;Send Text Applications
noload => app_sms.so                     ;SMS/PSTN handler
load => app_softhangup.so              ;Hangs up the requested channel
noload => app_speech_utils.so            ;Dialplan Speech Applications
load => app_stack.so                   ;Dialplan subroutines (Gosub, Return, etc
noload => app_stasis.so                  ;Stasis dialplan application
load => app_system.so                  ;Generic System() application
load => app_talkdetect.so              ;Playback with Talk Detection
load => app_test.so                    ;Interface Test Application
load => app_transfer.so                ;Transfers a caller to another extension
load => app_url.so                     ;Send URL Applications
load => app_userevent.so               ;Custom User Event Application
load => app_verbose.so                 ;Send verbose output
noload => app_voicemail.so               ;Comedian Mail (Voicemail System)
load => app_waitforring.so             ;Waits until first ring after time
load => app_waitforsilence.so          ;Wait For Silence
load => app_waituntil.so               ;Wait until specified time
load => app_while.so                   ;While Loops and Conditional Execution
noload => app_zapateller.so              ;Block Telemarketers with Special Informa

; Bridge
noload => bridge_builtin_features.so     ;Built in bridging features
noload => bridge_builtin_interval_features.so ;Built in bridging interval features
noload => bridge_holding.so              ;Holding bridge module
load => bridge_native_rtp.so           ;Native RTP bridging module
load => bridge_simple.so               ;Simple two channel bridging module
load => bridge_softmix.so              ;Multi-party software based channel mixin

; CDR
noload => cdr_csv.so                     ;Comma Separated Values CDR Backend
noload => cdr_custom.so                  ;Customizable Comma Separated Values CDR
noload => cdr_manager.so                 ;Asterisk Manager Interface CDR Backend
noload => cdr_pgsql.so                   ;PostgreSQL CDR Backend
noload => cdr_sqlite3_custom.so          ;SQLite3 Custom CDR Module
noload => cdr_syslog.so                  ;Customizable syslog CDR Backend
noload => cel_custom.so                  ;Customizable Comma Separated Values CEL
noload => cel_manager.so                 ;Asterisk Manager Interface CEL Backend
noload => cel_pgsql.so                   ;PostgreSQL CEL Backend
noload => cel_sqlite3_custom.so          ;SQLite3 Custom CEL Module

; Channels
load => chan_bridge_media.so           ;Bridge Media Channel Driver
load => chan_console.so                ;Console Channel Driver
noload => chan_iax2.so                   ;Inter Asterisk eXchange (Ver 2)
noload => chan_mgcp.so                   ;Media Gateway Control Protocol (MGCP)
noload => chan_motif.so                  ;Motif Jingle Channel Driver
load => chan_pjsip.so                  ;PJSIP Channel Driver
load => chan_rtp.so                    ;RTP Media Channel
noload => chan_sip.so                    ;Session Initiation Protocol (SIP)
noload => chan_skinny.so                 ;Skinny Client Control Protocol (Skinny)
noload => chan_unistim.so                ;UNISTIM Protocol (USTM)

; Codecs
load => codec_a_mu.so                  ;A-law and Mulaw direct Coder/Decoder
load => codec_adpcm.so                 ;Adaptive Differential PCM Coder/Decoder
load => codec_alaw.so                  ;A-law Coder/Decoder
load => codec_g722.so                  ;ITU G.722-64kbps G722 Transcoder
load => codec_g726.so                  ;ITU G.726-32kbps G726 Transcoder
load => codec_g729.so                  ;g729 Coder/Decoder, based on Bcg729
load => codec_gsm.so                   ;GSM Coder/Decoder
load => codec_ilbc.so                  ;iLBC Coder/Decoder
load => codec_lpc10.so                 ;LPC10 2.4kbps Coder/Decoder
load => codec_resample.so              ;SLIN Resampling Codec
load => codec_speex.so                 ;Speex Coder/Decoder
load => codec_ulaw.so                  ;mu-Law Coder/Decoder

; Formats
load => format_g719.so                 ;ITU G.719
load => format_g723.so                 ;G.723.1 Simple Timestamp File Format
load => format_g726.so                 ;Raw G.726 (16/24/32/4
load => format_g729.so                 ;Raw G.729 data
load => format_gsm.so                  ;Raw GSM data
load => format_h263.so                 ;Raw H.263 data
load => format_h264.so                 ;Raw H.264 data
load => format_ilbc.so                 ;Raw iLBC data
load => format_jpeg.so                 ;jpeg (joint picture experts group) image
load => format_ogg_vorbis.so           ;OGG/Vorbis audio
load => format_pcm.so                  ;Raw/Sun uLaw/ALaw 8KHz (PCM,PCMA,AU), G.
load => format_siren14.so              ;ITU G.722.1 Annex C (Siren14, licensed f
load => format_siren7.so               ;ITU G.722.1 (Siren7, licensed from Polyc
load => format_sln.so                  ;Raw Signed Linear Audio support (SLN) 8k
load => format_vox.so                  ;Dialogic VOX (ADPCM) File Format
load => format_wav.so                  ;Microsoft WAV/WAV16 format (8kHz/16kHz S
load => format_wav_gsm.so              ;Microsoft WAV format (Proprietary GSM)

; Functions
load => func_aes.so                    ;AES dialplan functions
load => func_audiohookinherit.so       ;Audiohook inheritance placeholder functi
load => func_base64.so                 ;base64 encode/decode dialplan functions
load => func_blacklist.so              ;Look up Caller*ID name/number from black
noload => func_callcompletion.so         ;Call Control Configuration Function
load => func_callerid.so               ;Party ID related dialplan functions (Cal
load => func_cdr.so                    ;Call Detail Record (CDR) dialplan functi
load => func_channel.so                ;Channel information dialplan functions
load => func_config.so                 ;Asterisk configuration file variable acc
load => func_curl.so                   ;Load external URL
load => func_cut.so                    ;Cut out information from a string
noload => func_db.so                     ;Database (astdb) related dialplan functi
load => func_devstate.so               ;Gets or sets a device state in the dialp
load => func_dialgroup.so              ;Dialgroup dialplan function
load => func_dialplan.so               ;Dialplan Context/Extension/Priority Chec
load => func_enum.so                   ;ENUM related dialplan functions
load => func_env.so                    ;Environment/filesystem dialplan function
load => func_extstate.so               ;Gets an extension's state in the dialpla
load => func_frame_trace.so            ;Frame Trace for internal ast_frame debug
load => func_global.so                 ;Variable dialplan functions
load => func_groupcount.so             ;Channel group dialplan functions
load => func_hangupcause.so            ;HANGUPCAUSE related functions and applic
load => func_holdintercept.so          ;Hold interception dialplan function
load => func_iconv.so                  ;Charset conversions
load => func_jitterbuffer.so           ;Jitter buffer for read side of channel.
load => func_lock.so                   ;Dialplan mutexes
load => func_logic.so                  ;Logical dialplan functions
load => func_math.so                   ;Mathematical dialplan function
load => func_md5.so                    ;MD5 digest dialplan functions
load => func_module.so                 ;Checks if Asterisk module is loaded in m
load => func_periodic_hook.so          ;Periodic dialplan hooks.
load => func_pitchshift.so             ;Audio Effects Dialplan Functions
load => func_pjsip_aor.so              ;Get information about a PJSIP AOR
load => func_pjsip_contact.so          ;Get information about a PJSIP contact
load => func_pjsip_endpoint.so         ;Get information about a PJSIP endpoint
load => func_presencestate.so          ;Gets or sets a presence state in the dia
load => func_rand.so                   ;Random number dialplan function
load => func_realtime.so               ;Read/Write/Store/Destroy values from a R
load => func_sha1.so                   ;SHA-1 computation dialplan function
load => func_shell.so                  ;Collects the output generated by a comma
load => func_sorcery.so                ;Get a field from a sorcery object
load => func_speex.so                  ;Noise reduction and Automatic Gain Contr
load => func_sprintf.so                ;SPRINTF dialplan function
load => func_srv.so                    ;SRV related dialplan functions
load => func_strings.so                ;String handling dialplan functions
load => func_sysinfo.so                ;System information related functions
load => func_talkdetect.so             ;Talk detection dialplan function
load => func_timeout.so                ;Channel timeout dialplan functions
load => func_uri.so                    ;URI encode/decode dialplan functions
load => func_version.so                ;Get Asterisk Version/Build Info
load => func_vmcount.so                ;Indicator for whether a voice mailbox ha
load => func_volume.so                 ;Technology independent volume control

; PBX
noload => pbx_ael.so                     ;Asterisk Extension Language Compiler
load => pbx_config.so                  ;Text Extension Configuration
noload => pbx_dundi.so                   ;Distributed Universal Number Discovery (
load => pbx_loopback.so                ;Loopback Switch
load => pbx_realtime.so                ;Realtime Switch
load => pbx_spool.so                   ;Outgoing Spool Support

; Resources
noload => res_adsi.so                    ;ADSI Resource
noload => res_ael_share.so               ;share-able code for AEL
noload => res_agi.so                     ;Asterisk Gateway Interface (AGI)
noload => res_ari.so                     ;Asterisk RESTful Interface
noload => res_ari_applications.so        ;RESTful API module - Stasis application
noload => res_ari_asterisk.so            ;RESTful API module - Asterisk resources
noload => res_ari_bridges.so             ;RESTful API module - Bridge resources
noload => res_ari_channels.so            ;RESTful API module - Channel resources
noload => res_ari_device_states.so       ;RESTful API module - Device state resour
noload => res_ari_endpoints.so           ;RESTful API module - Endpoint resources
noload => res_ari_events.so              ;RESTful API module - WebSocket resource
noload => res_ari_model.so               ;ARI Model validators
noload => res_ari_playbacks.so           ;RESTful API module - Playback control re
noload => res_ari_recordings.so          ;RESTful API module - Recording resources
noload => res_ari_sounds.so              ;RESTful API module - Sound resources
load => res_clialiases.so              ;CLI Aliases
load => res_clioriginate.so            ;Call origination and redirection from th
load => res_config_curl.so             ;Realtime Curl configuration
noload => res_config_pgsql.so            ;PostgreSQL RealTime Configuration Driver
noload => res_config_sqlite3.so          ;SQLite 3 realtime config engine
load => res_convert.so                 ;File format conversion CLI command
load => res_crypto.so                  ;Cryptographic Digital Signatures
load => res_curl.so                    ;cURL Resource Module
noload => res_fax.so                     ;Generic FAX Applications
noload => res_fax_spandsp.so             ;Spandsp G.711 and T.38 FAX Technologies
load => res_format_attr_celt.so        ;CELT Format Attribute Module
load => res_format_attr_g729.so        ;G.729 Format Attribute Module
load => res_format_attr_h263.so        ;H.263 Format Attribute Module
load => res_format_attr_h264.so        ;H.264 Format Attribute Module
load => res_format_attr_opus.so        ;Opus Format Attribute Module
load => res_format_attr_silk.so        ;SILK Format Attribute Module
load => res_format_attr_siren14.so     ;Siren14 Format Attribute Module
load => res_format_attr_siren7.so      ;Siren7 Format Attribute Module
load => res_format_attr_vp8.so         ;VP8 Format Attribute Module
noload => res_hep.so                     ;HEPv3 API
noload => res_hep_pjsip.so               ;PJSIP HEPv3 Logger
noload => res_hep_rtcp.so                ;RTCP HEPv3 Logger
noload => res_http_websocket.so          ;HTTP WebSocket Support
load => res_limit.so                   ;Resource limits
noload => res_manager_devicestate.so     ;Manager Device State Topic Forwarder
noload => res_manager_presencestate.so   ;Manager Presence State Topic Forwarder
noload => res_monitor.so                 ;Call Monitoring Resource
load => res_musiconhold.so             ;Music On Hold Resource
load => res_mutestream.so              ;Mute audio stream resources
noload => res_parking.so                 ;Call Parking Resource
noload => res_phoneprov.so               ;HTTP Phone Provisioning
load => res_pjproject.so               ;PJPROJECT Log and Utility Support
load => res_pjsip.so                   ;Basic SIP resource
noload => res_pjsip_acl.so               ;PJSIP ACL Resource
load => res_pjsip_authenticator_digest.so ;PJSIP authentication resource
load => res_pjsip_caller_id.so         ;PJSIP Caller ID Support
noload => res_pjsip_config_wizard.so     ;PJSIP Config Wizard
noload => res_pjsip_dialog_info_body_generator.so ;PJSIP Extension State Dialog Info+XML Pr
load => res_pjsip_diversion.so         ;PJSIP Add Diversion Header Support
load => res_pjsip_dlg_options.so       ;SIP OPTIONS in dialog handler
load => res_pjsip_dtmf_info.so         ;PJSIP DTMF INFO Support
load => res_pjsip_empty_info.so        ;PJSIP Empty INFO Support
load => res_pjsip_endpoint_identifier_anonymous.so ;PJSIP Anonymous endpoint identifier
load => res_pjsip_endpoint_identifier_ip.so ;PJSIP IP endpoint identifier
load => res_pjsip_endpoint_identifier_user.so ;PJSIP username endpoint identifier
load => res_pjsip_exten_state.so       ;PJSIP Extension State Notifications
load => res_pjsip_header_funcs.so      ;PJSIP Header Functions
load => res_pjsip_history.so           ;PJSIP History
load => res_pjsip_logger.so            ;PJSIP Packet Logger
load => res_pjsip_messaging.so         ;PJSIP Messaging Support
noload => res_pjsip_mwi.so               ;PJSIP MWI resource
noload => res_pjsip_mwi_body_generator.so ;PJSIP MWI resource
load => res_pjsip_nat.so               ;PJSIP NAT Support
load => res_pjsip_notify.so            ;CLI/AMI PJSIP NOTIFY Support
noload => res_pjsip_one_touch_record_info.so ;PJSIP INFO One Touch Recording Support
noload => res_pjsip_outbound_authenticator_digest.so ;PJSIP authentication resource
noload => res_pjsip_outbound_publish.so  ;PJSIP Outbound Publish Support
noload => res_pjsip_outbound_registration.so ;PJSIP Outbound Registration Support
load => res_pjsip_path.so              ;PJSIP Path Header Support
noload => res_pjsip_phoneprov_provider.so ;PJSIP Phoneprov Provider
noload => res_pjsip_pidf_body_generator.so ;PJSIP Extension State PIDF Provider
noload => res_pjsip_pidf_digium_body_supplement.so ;PJSIP PIDF Digium presence supplement
noload => res_pjsip_pidf_eyebeam_body_supplement.so ;PJSIP PIDF Eyebeam supplement
noload => res_pjsip_publish_asterisk.so  ;PJSIP Asterisk Event PUBLISH Support
load => res_pjsip_pubsub.so            ;PJSIP event resource
load => res_pjsip_refer.so             ;PJSIP Blind and Attended Transfer Suppor
load => res_pjsip_registrar.so         ;PJSIP Registrar Support
load => res_pjsip_registrar_expire.so  ;PJSIP Contact Auto-Expiration
load => res_pjsip_rfc3326.so           ;PJSIP RFC3326 Support
load => res_pjsip_sdp_rtp.so           ;PJSIP SDP RTP/AVP stream handler
load => res_pjsip_send_to_voicemail.so ;PJSIP REFER Send to Voicemail Support
load => res_pjsip_session.so           ;PJSIP Session resource
load => res_pjsip_sips_contact.so      ;UAC SIPS Contact support
noload => res_pjsip_t38.so               ;PJSIP T.38 UDPTL Support
noload => res_pjsip_transport_management.so ;PJSIP Reliable Transport Management
noload => res_pjsip_transport_websocket.so ;PJSIP WebSocket Transport Support
noload => res_pjsip_xpidf_body_generator.so ;PJSIP Extension State PIDF Provider
load => res_realtime.so                ;Realtime Data Lookup/Rewrite
load => res_rtp_asterisk.so            ;Asterisk RTP Stack
load => res_rtp_multicast.so           ;Multicast RTP Engine
load => res_security_log.so            ;Security Event Logging
noload => res_smdi.so                    ;Simplified Message Desk Interface (SMDI)
load => res_sorcery_astdb.so           ;Sorcery Astdb Object Wizard
load => res_sorcery_config.so          ;Sorcery Configuration File Object Wizard
load => res_sorcery_memory.so          ;Sorcery In-Memory Object Wizard
load => res_sorcery_memory_cache.so    ;Sorcery Memory Cache Object Wizard
load => res_sorcery_realtime.so        ;Sorcery Realtime Object Wizard
noload => res_speech.so                  ;Generic Speech Recognition API
load => res_srtp.so                    ;Secure RTP (SRTP)
noload => res_stasis.so                  ;Stasis application support
noload => res_stasis_answer.so           ;Stasis application answer support
noload => res_stasis_device_state.so     ;Stasis application device state support
noload => res_stasis_playback.so         ;Stasis application playback support
noload => res_stasis_recording.so        ;Stasis application recording support
noload => res_stasis_snoop.so            ;Stasis application snoop support
noload => res_statsd.so                  ;Statsd client support
noload => res_stun_monitor.so            ;STUN Network Monitor
load => res_timing_pthread.so          ;pthread Timing Interface
noload => res_xmpp.so                    ;Asterisk XMPP Interface

The Asterisk daemon can be enabled and started:

$ rcctl enable asterisk
$ rcctl start asterisk

The TLS certificate and key (Let's Encrypt) need to be copied to a location that Asterisk can access:

$ mkdir -p /etc/asterisk/keys/
$ cp /etc/ssl/DOMAIN.TLD.fullchain.pem /etc/asterisk/keys/asterisk.crt
$ cp /etc/ssl/private/DOMAIN.TLD.key /etc/asterisk/keys/asterisk.key
$ chown -R _asterisk:_asterisk /etc/asterisk/keys
$ chmod 0500 /etc/asterisk/keys/
$ chmod 0400 /etc/asterisk/keys/*

In order to configure the dialplan, the new PJSIP-based module will be used. For testing purposes, two transports are set up with the following parameters:

All parameters are explained in the Asterisk Wiki and the configuration is as follows:

$ vi /etc/asterisk/pjsip.conf
; === GLOBAL OPTIONS ===
[global]
type=global
keep_alive_interval=30

;=== TRANSPORTS ===

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1 ; selects TLS 1.0; prefer tlsv1_2 where the installed res_pjsip accepts it
domain=DOMAIN.TLD ; not necessary if a single domain is used

;== ENDPOINT TEMPLATES ==

[endpoint-basic](!)
type=endpoint
transport=transport-udp
context=internal
disallow=all
allow=gsm
allow=vp8

[endpoint-tls](!)
type=endpoint
transport=transport-tls
context=internal
disallow=all
allow=opus
allow=gsm
;allow=speex
;;allow=ilbc
;allow=alaw
;allow=ulaw
;allow=g722
;allow=g726
;allow=g729
allow=vp8
allow=h264
;allow=h263p
;allow=h263
direct_media=yes
media_encryption=sdes
media_encryption_optimistic=no
rtp_symmetric=yes
force_rport=yes
rewrite_contact=yes
ice_support=yes
from_domain=DOMAIN.TLD ; to have realm domain in incoming call requests

[auth-userpass](!)
type=auth
auth_type=userpass
realm=DOMAIN.TLD ; not necessary if a single domain is used

[aor-single-reg](!)
type=aor
max_contacts=2
remove_existing=yes

;== NAMED EXTENSIONS ==

[test1](endpoint-tls)
auth=auth-test1
aors=test1

[auth-test1](auth-userpass)
password=test1
username=test1

[test1](aor-single-reg)

[test2](endpoint-tls)
auth=auth-test2
aors=test2

[auth-test2](auth-userpass)
password=test2
username=test2

[test2](aor-single-reg)

;== BASIC EXTENSIONS ==

[1001](endpoint-basic)
auth=auth1001
aors=1001

[auth1001](auth-userpass)
password=1001
username=1001

[1001](aor-single-reg)

[1002](endpoint-basic)
auth=auth1002
aors=1002

[auth1002](auth-userpass)
password=1002
username=1002

[1002](aor-single-reg)
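
The test configuration above mixes a cleartext transport, a TLS transport and credentials equal to the user name, so a quick audit before exposing the server is worthwhile. The following is an added example, not part of the original post or of Asterisk: it resolves the `(!)` / `(template)` inheritance used above and reports weak settings. The finding labels and the `MIN_PASSWORD_LEN` threshold are assumptions of this example, and only these two section modifiers are handled.

```python
import re

# Constructed excerpt modelled on the pjsip.conf above; not a complete file.
SAMPLE = """\
[transport-udp]
type=transport
protocol=udp

[transport-tls]
type=transport
protocol=tls
method=tlsv1

[endpoint-basic](!)
type=endpoint
transport=transport-udp

[endpoint-tls](!)
type=endpoint
transport=transport-tls
media_encryption=sdes
media_encryption_optimistic=no

[auth-userpass](!)
type=auth

[test1](endpoint-tls)

[auth-test1](auth-userpass)
password=test1
username=test1

[1001](endpoint-basic)

[auth1001](auth-userpass)
password=1001
username=1001
"""

HEADER = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?")
LEGACY_METHODS = {"sslv2", "sslv3", "tlsv1"}   # SSL 2/3 and TLS 1.0
MIN_PASSWORD_LEN = 12                          # assumed local policy, not an Asterisk default

def parse(text):
    """Return the non-template sections with template options already inherited."""
    templates, objects, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()    # ';' starts a comment
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            mods = [x.strip() for x in (m.group(2) or "").split(",") if x.strip()]
            current = {}
            for parent in mods:                # [name](tmpl) copies the template's options
                current.update(templates.get(parent, {}))
            current["name"] = m.group(1)
            if "!" in mods:                    # [name](!) is a template, never instantiated
                templates[m.group(1)] = current
            else:
                objects.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return objects

def audit(text):
    """Return (section name, finding) pairs for settings that weaken confidentiality."""
    objects = parse(text)
    transports = {o["name"]: o for o in objects if o.get("type") == "transport"}
    findings = []
    for o in objects:
        kind = o.get("type")
        if kind == "transport":
            if o.get("protocol", "udp") != "tls":
                findings.append((o["name"], "cleartext-signalling"))
            elif o.get("method", "") in LEGACY_METHODS:
                findings.append((o["name"], "legacy-tls-method"))
        elif kind == "endpoint":
            bound = transports.get(o.get("transport"), {})
            if bound.get("protocol") != "tls":
                findings.append((o["name"], "endpoint-not-pinned-to-tls"))
            if o.get("media_encryption", "no") == "no":
                findings.append((o["name"], "media-unencrypted"))
            elif o.get("media_encryption_optimistic", "no") == "yes":
                findings.append((o["name"], "srtp-optional"))
        elif kind == "auth":
            password = o.get("password", "")
            if password == o.get("username") or len(password) < MIN_PASSWORD_LEN:
                findings.append((o["name"], "weak-password"))
    return findings
```

Against the real file, `audit(open("/etc/asterisk/pjsip.conf").read())` returns the same kind of list; an empty list means none of these checks fired.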

The extensions setup looks as follows (after commenting out or removing all previous setup). Besides enabling calls to the four extensions, it creates a numbered extension 100, which performs an echo test:

$ vi /etc/asterisk/extensions.conf
[general]

[globals]
;SIPDOMAIN=IP_ADDRESS
SIPDOMAIN=DOMAIN.TLD

[internal]
exten => 1001,1,Dial(PJSIP/${EXTEN})
exten => 1002,1,Dial(PJSIP/${EXTEN})
exten => test1,1,Dial(PJSIP/${EXTEN})
exten => test2,1,Dial(PJSIP/${EXTEN})
exten => 100,1,Answer()
 same => n,Playback(demo-echotest)      ; Let them know what's going on
 same => n,Echo                         ; Do the echo test
 same => n,Playback(demo-echodone)      ; Let them know it's over
 same => n,Hangup()

In order to apply changes, Asterisk needs to be restarted:

$ asterisk -rx "core restart when convenient"
#or simply
$ rcctl restart asterisk

Modules Setup Files

In some cases, Asterisk looks for configuration files, complains when those are not found and sometimes even becomes happy with empty files. Therefore, the following commands may come in handy to prevent the error log messages.

The Asterisk Channel Event Logging (CEL) can be disabled as follows:

$ echo "[general]\nenable=no" > /etc/asterisk/cel.conf

The UDPTL support can be disabled as follows:

$ echo "" > /etc/asterisk/udptl.conf

The Asterisk Manager Interface (AMI) can be disabled as follows:

$ echo "[general]\nenabled = no" > /etc/asterisk/manager.conf

The named Access Control Lists (ACLs) can be disabled as follows:

$ echo "[acl_name]\ndeny=0.0.0.0/0.0.0.0\npermit=127.0.0.1" > /etc/asterisk/acl.conf

The Call Completion Supplementary Services (CCSS) can be disabled as follows:

$ echo "" > /etc/asterisk/ccss.conf

The following may come in handy:

$ echo "" > /etc/asterisk/features.conf
$ echo "" > /etc/asterisk/pjproject.conf
$ echo "" > /etc/asterisk/pjsip_notify.conf

Language Change and Music on Hold

The default language can be changed in:

$ vi /etc/asterisk/asterisk.conf
;defaultlanguage = en            ; Default language
;defaultlanguage = en_US         ; Default language
;defaultlanguage = en_AU         ; Default language
defaultlanguage = en_GB         ; Default language

The default music on hold (MOH) directory is:

$ ls -lA /usr/local/share/asterisk/moh

And the default MOH setup is the following:

$ echo "[general]\n\n[default]\nmode=files\ndirectory=moh" > /etc/asterisk/musiconhold.conf
#or (makes no difference):
$ cp /usr/local/share/examples/asterisk/default/musiconhold.conf /etc/asterisk

Note: It may be necessary to download additional files in accordance with the selected language and codecs. The list of available options can be found using:

$ pkg_info -Q asterisk | grep sound

Troubleshooting

With the Asterisk service running, it may be useful to verify that a particular module is activated. The first way is to connect to the console using (the more v's the more verbosity in the console):

$ asterisk -rvvv

and running a particular command, such as:

server*CLI> module show

Or it can be run directly as follows:

$ asterisk -rx "module show"
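
Since modules.conf is used as an allowlist (autoload=no), the `module show` output can be compared against it to spot drift. The following is an added example, not part of the original post: it reports modules that run despite a noload entry, modules listed for loading that are not running (for instance res_srtp.so, without which the SRTP endpoints cannot work), running modules absent from the file, and entries that do not name a .so file. Both inputs are constructed samples, and the result keys are names chosen for this example.

```python
import re

# Constructed modules.conf excerpt in the style of the listing above.
MODULES_CONF = """\
[modules]
autoload=no
load => chan_pjsip.so                  ;PJSIP Channel Driver
load => res_pjsip.so                   ;Basic SIP resource
load => res_srtp.so                    ;Secure RTP (SRTP)
noload => chan_sip.so                    ;Session Initiation Protocol (SIP)
noload => res_http_websocket.so          ;HTTP WebSocket Support
noload => res_pjsip_transport_websocke   ;constructed truncated entry
"""

# Constructed output in the column layout of `asterisk -rx "module show"`.
MODULE_SHOW = """\
Module                         Description                    Use Count  Status      Support Level
chan_pjsip.so                  PJSIP Channel Driver           0          Running              core
res_pjsip.so                   Basic SIP resource             12         Running              core
res_srtp.so                    Secure RTP (SRTP)              0          Not Running          core
res_http_websocket.so          HTTP WebSocket Support         1          Running          extended
app_system.so                  Generic System() application   0          Running              core
5 modules loaded
"""

ENTRY = re.compile(r"^(autoload|load|noload)\s*=>?\s*(\S+)$")
STATUS = re.compile(r"\b(Not Running|Running)\b")


def parse_modules_conf(text):
    """Return ({module: 'load'|'noload'}, malformed entries, autoload flag or None)."""
    policy, malformed, autoload = {}, [], None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()    # drop the ';' description comment
        m = ENTRY.match(line)
        if not m:
            continue                           # blank line or [modules] header
        key, value = m.groups()
        if key == "autoload":
            autoload = value.lower() in ("yes", "true", "on", "1")
        elif value.endswith(".so"):
            policy[value] = key
        else:
            malformed.append(line)             # e.g. a name cut off before ".so"
    return policy, malformed, autoload


def running_modules(show_output):
    """Return the set of module file names whose status column reads 'Running'."""
    running = set()
    for line in show_output.splitlines():
        fields = line.split()
        status = STATUS.search(line)
        if fields and fields[0].endswith(".so") and status and status.group(1) == "Running":
            running.add(fields[0])
    return running


def drift(conf_text, show_output):
    """Compare the allowlist in modules.conf with what the daemon reports."""
    policy, malformed, autoload = parse_modules_conf(conf_text)
    running = running_modules(show_output)
    return {
        "noload_but_running": sorted(m for m in running if policy.get(m) == "noload"),
        "load_but_not_running": sorted(
            m for m, p in policy.items() if p == "load" and m not in running),
        # only meaningful when the file is an explicit allowlist
        "unlisted_running": sorted(running - set(policy)) if autoload is False else [],
        "malformed": malformed,
    }
```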

Showing help for a particular command can be performed as follows:

$ asterisk -rx "core show help"

Showing help for the PJSIP configuration and listing the endpoints themselves:

$ asterisk -rx "config show help res_pjsip"
$ asterisk -rx "pjsip show endpoints"

ICE, STUN, TURN Support

RTP configuration needs to be updated in order to enable ICE and STUN support as follows:

$ vi /etc/asterisk/rtp.conf
[general]
rtpstart=20000           ; 5000 by default
rtpend=22000             ; 31000 by default
;rtpchecksums=no         ; whether to enable or disable UDP checksums on RTP traffic
strictrtp=yes            ; strict RTP protection that drops RTP packets that
                         ; do not come from the source of the RTP stream,
                         ; enabled by default.

In order to help clients behind network address translation (NAT) gateways to send their media streams directly (Asterisk in SIP Proxy mode), at least one of the following mechanisms needs to be enabled:

Restund is a modular and flexible STUN and TURN Server with IPv4 and IPv6 support, which can be installed as follows:

$ pkg_add restund

An example configuration, which can be set up in the /etc/restund.conf file, is as follows:

$ vi /etc/restund.conf
#
# restund.conf
#

# core
daemon                  yes
debug                   no
realm                   DOMAIN.TLD
syncinterval            600
#udp_listen             127.0.0.1:3478
udp_listen              RESTUND-PUBLIC-IPv4:3478
udp_sockbuf_size        524288
#tcp_listen             127.0.0.1:3478
tcp_listen              RESTUND-PUBLIC-IPv4:3478
#tls_listen             1.2.3.4:5349,/etc/cert.pem
#dtls_listen            1.2.3.4:5349,/etc/cert.pem
#dtls_sockbuf_size      524288
#dtls_hash_size         512

# modules (STUN messages are processed in module loading order)
module_path             /usr/local/lib/restund/modules
#module                 stat.so
module                  binding.so
#module                 auth.so
#module                 turn.so
#module                 mysql_ser.so
#module                 filedb.so
#module                 restauth.so
module                  syslog.so
module                  status.so

# auth
auth_nonce_expiry       3600

# turn
turn_max_allocations    512
turn_max_lifetime       600
turn_relay_addr         127.0.0.1
turn_relay_addr6        ::1

# mysql
#mysql_host             localhost
#mysql_user             ser
#mysql_pass             heslo
#mysql_db               ser
#mysql_ser              0

# filedb
#filedb_path            /etc/restund.auth

# syslog
syslog_facility         24

# status
status_udp_addr         127.0.0.1
status_udp_port         33000
status_http_addr        127.0.0.1
status_http_port        8080

The service activation is straightforward:

$ rcctl enable restund
$ rcctl start restund

Firewall Rules Update

As discussed earlier, Asterisk uses the following ports which should be accessible by the communicating parties:

The "OpenBSD: Packet Filtering" tutorial can be used to update OpenBSD's PF accordingly.

Tags: #OpenBSD #security #Asterisk #SIP #SIPS #SDES #TLS #DTLS #VoIP #PBX #restund
