openSIPS Installation Steps

openSIPS is a multi-purpose SIP server that is used by many telephony service providers and offers Class 4, Class 5, wholesale VoIP, enterprise PBX, virtual PBX, SBC, load balancing, IMS platform and call center features, and more. In this article, you can find the installation steps for openSIPS on Debian 10.

openSIPS is a high-performance SIP server that runs on Linux and needs very few resources. Therefore, many telecom operators develop solutions with openSIPS. If you want to use openSIPS in your VoIP applications, you can follow the installation instructions below.

1. Components Used in openSIPS Installation & Versions:

  • Debian v10 (Buster) x64 minimal install (netinst)
  • OpenSips v3.0
  • OpenSips GUI v8.3.0
  • Apache v2.4
  • PHP v7.3
  • MariaDB v10

2. Pre Installation Tasks

To install openSIPS, you will first need a fresh Debian installation. You can download and install the amd64 netinst CD image from this link. Debian is very easy to install; you can also install it by following this video that I prepared.

After installing Debian, complete the installation of the following packages:

apt update && apt upgrade -y && apt -y install m4 git nano sudo curl dbus apache2 lsb-release

Normally, you can optionally install the “monit” package for monitoring, but at the time I wrote this article it had been removed from the Debian repos due to some vulnerabilities in the monit package. In case the situation changes, you can find the related setup command below:

apt -y install monit

3. PHP Installation

First install dependencies:

apt -y install curl apt-transport-https ca-certificates

Add PHP repo:

wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" > /etc/apt/sources.list.d/php.list

After that, install PHP packages:

apt update && apt -y install php7.3 php7.3-gd php7.3-mysql php7.3-xmlrpc php-pear php7.3-cli php-apcu php7.3-curl php7.3-xml libapache2-mod-php7.3 

Install PHP MDB2 library with pear:

pear install MDB2#mysql

Edit the php.ini file and set the short_open_tag variable to On:

sed -i "s#short_open_tag = Off#short_open_tag = On#g" /etc/php/7.3/apache2/php.ini

4. MariaDB Installation

Get gpg keys needed for MariaDB repo and install necessary packages:

apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
curl -sS https://downloads.mariadb.com/MariaDB/mariadb_repo_setup | sudo bash
apt update && apt -y install mariadb-server

After that edit my.cnf file as below:

nano /etc/mysql/my.cnf

To disable Strict mode and use default openSIPS latin1 character set, add these lines under [mysqld] header:

sql_mode='' 
character-set-server = latin1 

Restart MariaDB service:

systemctl restart mariadb

5. openSIPS Installation

Add gpg key:

apt -y install dirmngr && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 049AD65B

Add openSIPS repos:

echo "deb https://apt.opensips.org $(lsb_release -sc) 3.0-releases" >/etc/apt/sources.list.d/opensips.list 
echo "deb https://apt.opensips.org $(lsb_release -sc) cli-nightly" >/etc/apt/sources.list.d/opensips-cli.list 

Install openSIPS packages:

apt update && apt -y install opensips opensips-cli opensips-*-module opensips-*-modules python3-mysqldb python3-sqlalchemy python3-sqlalchemy-utils 

6. Database Installation

Create opensips user on MariaDB and grant rights:

mysql -p 
> 
CREATE USER 'opensips'@'localhost' IDENTIFIED BY 'opensipsrw'; 
GRANT ALL PRIVILEGES ON opensips.* TO 'opensips'@'localhost'; 
FLUSH PRIVILEGES; 
exit 

Run database installation script:

opensips-cli -x database create 

The script will ask you for the database URL. Enter mysql://opensips:opensipsrw@localhost and choose the default (install all tables).

7. Generating Configuration File

Run configuration generator script to generate configuration file:

/usr/sbin/osipsconfig 

Choose Generate OpenSIPS Script > Residential Script > Configure Residential Script. Select all items other than TLS by using the space bar. Use Q to go back to the previous menu and choose Generate Residential Script. The script will generate a configuration file and show its file name on screen. Replace the opensips.cfg file with the generated one and set the necessary permissions:

mv /etc/opensips/opensips.cfg /etc/opensips/opensips.cfg.orig 
cp /etc/opensips/[generated config file] /etc/opensips/opensips.cfg
chmod 644 /etc/opensips/opensips.cfg 

8. Additional Configurations:

Write server IP address in opensips.cfg file:

nano /etc/opensips/opensips.cfg

Write the server IP addresses in the two lines starting with listen= :

listen=udp:192.168.0.1:5060
listen=tcp:192.168.0.1:5060

Then check if the configuration file is valid or not:

opensips -C /etc/opensips 

If there is an error in the file, it will appear on the screen; correct it and run the check again. Otherwise, restart the opensips service with the new configuration file by using the following command:

systemctl restart opensips 

9. GUI Installation

Download openSIPS GUI via git:

git clone -b 8.3.0 https://github.com/OpenSIPS/opensips-cp.git /var/www/opensips-cp

Create openSIPS GUI table on database:

cd /var/www/opensips-cp/config 
mysql -p opensips < db_schema.mysql 

10. Regular Collection of Statistics

Add the necessary script into cron.d folder and restart cron service:

cd /var/www/opensips-cp/config
cp tools/system/smonitor/opensips_stats_cron /etc/cron.d/
systemctl restart cron

11. Monit Configuration (Optional)

Add the necessary line into monitrc file and restart monit service:

echo -e "set httpd port 2812 and\nallow localhost" >> /etc/monit/monitrc
systemctl restart monit

12. Global Configurations

Open GUI config PHP file and edit as follows:

nano +30 /var/www/opensips-cp/config/boxes.global.inc.php 
// monit host:port 
$boxes[$box_id]['monit']['conn']="127.0.0.1:2812"; 
$boxes[$box_id]['monit']['user']="admin"; 
$boxes[$box_id]['monit']['pass']="admin"; 
$boxes[$box_id]['monit']['has_ssl']=0;

13. Apache Configuration

Define Virtual Hosts on Apache by using the commands below:

cat >> /etc/apache2/sites-available/opensips.conf << EOF 
<VirtualHost *:80> 

DocumentRoot /var/www/opensips-cp 

<Directory /var/www/opensips-cp/web>
     Options Indexes FollowSymLinks MultiViews
     AllowOverride None
     Require all granted 
</Directory> 

<Directory /var/www/opensips-cp>
     Options Indexes FollowSymLinks MultiViews
     AllowOverride None
     Require all denied 
</Directory> 
Alias /cp /var/www/opensips-cp/web 

<DirectoryMatch "/var/www/opensips-cp/web/tools/.*/.*/(template|custom_actions|lib)/">
      Require all denied 
</DirectoryMatch> 

</VirtualHost> 

EOF 

Disable default site, enable openSIPS GUI site, change owner of the folder and restart Apache:

a2dissite 000-default 
a2ensite opensips 
chown -R www-data. /var/www/opensips-cp 
systemctl restart apache2 

The installation is now finished. Use the http://ipadress/cp URL with admin / opensips credentials to access the openSIPS GUI.
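A post-install check for the values this guide leaves in place: the database password in opensips.cfg (which step 7 makes world-readable with chmod 644), the monit login in boxes.global.inc.php, and the HTTP-only virtual host. This is an added example, not part of the original article or of openSIPS; the file excerpts are constructed from the steps above and the function names and finding codes are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Values this guide uses verbatim; a match means they were never changed.
GUIDE_DB_PASSWORD = "opensipsrw"
GUIDE_MONIT_LOGIN = ("admin", "admin")

# Constructed excerpts of three files the guide writes.
OPENSIPS_CFG = 'modparam("usrloc", "db_url", "mysql://opensips:opensipsrw@localhost/opensips")\n'
BOXES_PHP = '''$boxes[$box_id]['monit']['user']="admin";
$boxes[$box_id]['monit']['pass']="admin";
'''
VHOST = '''<VirtualHost *:80>
<Directory /var/www/opensips-cp/web>
     Options Indexes FollowSymLinks MultiViews
</Directory>
</VirtualHost>
'''


def audit_opensips_cfg(text, mode):
    """Check db_url values in opensips.cfg; mode is the file's permission bits."""
    findings = set()
    for url in re.findall(r'"db_url"\s*,\s*"([^"]+)"', text):
        password = urlsplit(url).password
        if password == GUIDE_DB_PASSWORD:
            findings.add("db-password-from-guide")
        if password and mode & 0o004:  # readable by every local user
            findings.add("db-password-world-readable")
    return sorted(findings)


def audit_boxes_php(text):
    """Check the monit login stored in boxes.global.inc.php."""
    def setting(key):
        m = re.search(r"\['monit'\]\['%s'\]\s*=\s*\"?([^\";]*)" % key, text)
        return m.group(1) if m else None
    if (setting("user"), setting("pass")) == GUIDE_MONIT_LOGIN:
        return ["monit-login-from-guide"]
    return []


def audit_vhost(text):
    """Check the Apache virtual host that serves the control panel."""
    findings = []
    ports = set(re.findall(r"<VirtualHost\s+[^:>]*:(\d+)", text))
    if ports and "443" not in ports:
        findings.append("control-panel-http-only")  # login sent in clear text
    if re.search(r"^\s*Options\b.*(?<!-)\bIndexes\b", text, re.M):
        findings.append("directory-listing-enabled")
    return findings


if __name__ == "__main__":
    print(audit_opensips_cfg(OPENSIPS_CFG, 0o644))  # 0o644 is the mode set in step 7
    print(audit_boxes_php(BOXES_PHP))
    print(audit_vhost(VHOST))
```

On a real host, pass the contents of the three files and `os.stat(path).st_mode` for opensips.cfg instead of the constructed excerpts.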

How to Install & Configure TURN Server (coTURN)

This blog page covers how to install and configure coTURN server for your SIP or WebRTC projects (like Jitsi Meet) to allow users behind restrictive firewalls or proxies to connect.

What is TURN?

TURN stands for Traversal Using Relays around NAT. Similar to STUN, it is a network protocol / packet format (IETF RFC 5766) used to assist in the discovery of paths between peers on the Internet. It differs from STUN in that it uses a public relay to transfer packets between peers. TURN is used to exchange media packets when no other option is available, so it consumes server resources and adds latency due to the extra hop in the peer-to-peer connection.

You must use TURN when one of the peers is behind a symmetric NAT and the other is behind either a symmetric NAT or a port-restricted NAT. A relay is necessary for around 10% of overall connections, since STUN is enough for most cases.

Install coTURN Server

Audio / video based services require a wide range of UDP ports to be available for WebRTC. At some network-restricted sites, such as those behind a NAT or a firewall that restricts outgoing UDP connections, users may be unable to make outgoing UDP connections to your media server.

The TURN protocol is designed to allow UDP communication flows to bypass NAT or firewalls by having the client connect to the TURN server, which then connects to the destination on the client's behalf.

Using a TURN server under your control improves the success of connections to your multimedia application and also improves user privacy, since it acts like a proxy so that peers will no longer be sending their IP address information to a public STUN server.

Required Hardware

The TURN protocol is not really CPU or memory intensive. Additionally, since it’s only used during connection setup (for STUN) and as a fallback for users who would otherwise be unable to connect, the bandwidth requirements aren’t particularly high. For a moderate number of connections, a single small VPS configuration is usually enough. Here are my recommendations for a coTURN installation:

  • At least two vCPUs
  • 4GB Memory.
  • 20GB HDD. SSD can be used, but not mandatory.
  • The most important thing is the networking performance.
    • Low jitter (less than 30ms)
    • Low latency (less than 150ms)
    • Enough bandwidth to handle relayed media streams in both directions.

Having the server behind NAT (like on Amazon EC2) is OK, but all incoming UDP and TCP connections on any port (TCP 80 & 443, UDP 3478, 10000-20000) must be forwarded to coTURN server and not firewalled.

Required Software

I recommend using a minimal server installation of Debian with netinst or Ubuntu. Since coTURN software uses port TCP 443, the server on which coTURN will be installed cannot have any other web applications running.

coTURN is already available in the Debian and Ubuntu repositories and it can be installed with apt-get:

$ sudo apt-get update
$ sudo apt-get install coturn

Please note that coTURN will not start automatically until the configuration is finished. You can find the configuration tasks below.

DNS Entry For coTURN

You need to set up a fully qualified domain name (FQDN) that resolves to the external IP address of your coTURN server. You’ll use this domain name to generate a TLS certificate.

Generating TLS Certificates

You can use certbot to generate free TLS certificates from Let’s Encrypt. To setup certbot, enter the following commands on your coTURN server:

$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot

Note: If you get an add-apt-repository command not found error, use the sudo apt-get install software-properties-common command to install the necessary packages.

You can then run a certbot command like the following to generate the certificate, replacing turn.fatiherikci.com with the domain name of your TURN server:

$ sudo certbot certonly --standalone --preferred-challenges http \
    --deploy-hook "systemctl restart coturn" \
    -d turn.fatiherikci.com

Current versions of the certbot command set up automatic renewal by default. Note that when certbot renews the certificate, it will restart coTURN service, so coTURN will start to use the updated certificate files. This will cause an interruption on any ongoing TURN connections. You may change the certbot renewal schedule or disable automatic renewal if you like.

Configure coTURN

coTURN configuration is stored in /etc/turnserver.conf file. There are a lot of options and all of them are documented in comments in that file. I include a sample configuration below with comments as the recommended settings, also with notes in places where customization is needed.

You can replace the contents of /etc/turnserver.conf with the file below and make these changes:

  • Replace turn.fatiherikci.com with the hostname of your TURN server
  • Change the values in bold with your choices.

You can see an example config file below:

server-name=turn.fatiherikci.com
realm=turn.fatiherikci.com
cert=/etc/letsencrypt/live/turn.fatiherikci.com/cert.pem
pkey=/etc/letsencrypt/live/turn.fatiherikci.com/privkey.pem
fingerprint 
listening-ip=0.0.0.0 
# or just write the external ip
external-ip=1.2.3.4/192.168.0.1
listening-port=3478 
min-port=10000 
max-port=20000 
log-file=/var/log/turnserver.log 
verbose 
user=myusername:mypassword 
lt-cred-mech
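A check of the sample configuration above before it goes live: whether the guide's `user=myusername:mypassword` line was changed, whether an authentication mechanism is set, whether the relay port range matches the UDP range forwarded to the server, and whether relay targets are restricted. This is an added example, not part of the original article or of coTURN; the function names and finding codes are hypothetical, and `use-auth-secret` and `denied-peer-ip` are coTURN options that the sample above does not use.

```python
# Constructed input: the sample /etc/turnserver.conf from this guide.
SAMPLE_CONF = """\
server-name=turn.fatiherikci.com
realm=turn.fatiherikci.com
cert=/etc/letsencrypt/live/turn.fatiherikci.com/cert.pem
pkey=/etc/letsencrypt/live/turn.fatiherikci.com/privkey.pem
fingerprint
listening-ip=0.0.0.0
external-ip=1.2.3.4/192.168.0.1
listening-port=3478
min-port=10000
max-port=20000
log-file=/var/log/turnserver.log
verbose
user=myusername:mypassword
lt-cred-mech
"""

# The UDP relay range this guide forwards through the firewall / NAT.
FORWARDED_UDP = (10000, 20000)


def parse_conf(text):
    """Return {option: [values]}; bare flags such as lt-cred-mech map to ['']."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            key, _, value = line.partition("=")
            options.setdefault(key.strip(), []).append(value.strip())
    return options


def audit_conf(text, forwarded=FORWARDED_UDP):
    """Return a list of finding codes for one turnserver.conf."""
    opts = parse_conf(text)
    findings = []
    if not opts.keys() & {"lt-cred-mech", "use-auth-secret"}:
        findings.append("no-auth-mechanism")
    for entry in opts.get("user", []):
        name, _, secret = entry.partition(":")
        if (name, secret) == ("myusername", "mypassword"):
            findings.append("sample-credentials-unchanged")
        elif not secret.startswith("0x"):  # 0x... is a key made by turnadmin
            findings.append("plaintext-password:" + name)
    # coTURN's default relay range is 49152-65535 when min/max-port are unset.
    low = int(opts.get("min-port", ["49152"])[-1])
    high = int(opts.get("max-port", ["65535"])[-1])
    if low > high or low < forwarded[0] or high > forwarded[1]:
        findings.append("relay-range-not-forwarded:%d-%d" % (low, high))
    if "denied-peer-ip" not in opts:
        findings.append("no-denied-peer-ip")  # relay targets are unrestricted
    return findings


if __name__ == "__main__":
    print(audit_conf(SAMPLE_CONF))
```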

You can now start the coTURN service with this command:

$ systemctl start coturn

Running coTURN as a Service

The Debian / Ubuntu package for coTURN requires that you edit a file to enable at startup. Edit /etc/default/coturn file and uncomment the following line:

TURNSERVER_ENABLED=1

That’s it! The coTURN install is complete. Now you have an up and running TURN server!

Testing Your TURN Server

To test your coTURN server, you can use the Trickle-Ice testing tool. Go to the trickle-ice webpage and enter the following:

STUN or TURN URI : turn:Your Public IP Address:3478
TURN username: Username
TURN password: Password

Then click Add Server button and then click Gather Candidates button. If everything works well, you should see Done as final result.

What is ENUM? ENUM Syntax

ENUM (Telephone Number Mapping, E.164 Number to URI Mapping) is an addressing protocol that converts telephone numbers to URI format (name@domain). This allows you to access a SIP, H.323 or other Internet phone user by dialing a phone number.

The ENUM function aims to ensure that users can be accessed anywhere in the world with the same number, best quality and the cheapest way. ENUM maps a phone number to an Internet address in the DNS system. Thus, a user with an ENUM number can broadcast the DNS record to which the call will be routed. Even different routes can be defined for different types of calls (fax, video, etc.).

It is possible to obtain an ENUM record as if it were a domain name. Nowadays, you can obtain this registration free of charge through many registration services and VoIP service providers.

ENUM Syntax

ENUM allows normal phone (E.164) numbers to be displayed as DNS names ending in e164.arpa. A number can be decoded for one or more predefined services.

For example, the telephone number +90-312-555-1234 will be displayed as 4.3.2.1.5.5.5.2.1.3.0.9.e164.arpa after applying the rules defined in RFC 3761 and listed below:

  1. All characters except digits are removed. (“+90-312-555-1234” becomes “903125551234”)
  2. A period (“.”) is placed between each digit. (“9.0.3.1.2.5.5.5.1.2.3.4”)
  3. The order of the digits is reversed. (“4.3.2.1.5.5.5.2.1.3.0.9”)
  4. .e164.arpa is added to the end of the string. (“4.3.2.1.5.5.5.2.1.3.0.9.e164.arpa”)

To respond to this syntax, the DNS server must have a record that looks like this:

$ORIGIN 4.3.2.1.5.5.5.2.1.3.0.9.e164.arpa.
   NAPTR 10 100 "u" "E2U+sip" "!^.*$!sip:fatih.erikci@fatiherikci.com!" .
   NAPTR 10 101 "u" "E2U+h323" .
   NAPTR 10 102 "u" "E2U+msg" "!^.*$!mailto:fatih.erikci@fatiherikci.com!" .

In this record you see three different routing entries for the address 4.3.2.1.5.5.5.2.1.3.0.9. The first is SIP, the second is H.323 and the third is the SMTP response. The device selects which service to communicate with by using these records.
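The four conversion steps and the record selection described above, as an added example that is not part of the original article. The NAPTR records are copied from the zone fragment above and embedded in place of a live DNS query; the E2U+h323 record is left out because the page gives no regexp for it, and the per-service list of accepted URI schemes is an assumption of this example.

```python
import re

# Constructed input: the page's NAPTR records as (order, preference, flags,
# service, regexp), standing in for the answer to a DNS NAPTR query.
NAPTR_RECORDS = [
    (10, 102, "u", "E2U+msg", "!^.*$!mailto:fatih.erikci@fatiherikci.com!"),
    (10, 100, "u", "E2U+sip", "!^.*$!sip:fatih.erikci@fatiherikci.com!"),
]

# Assumption of this example: URI schemes a client accepts for each service.
# The regexp arrives from DNS, so its output is checked before it is used.
ALLOWED_SCHEMES = {"E2U+sip": ("sip:", "sips:"), "E2U+msg": ("mailto:",)}


def e164_to_enum_domain(number, suffix="e164.arpa"):
    """Steps 1-4: keep the digits, reverse them, join with dots, add the suffix."""
    digits = re.sub(r"[^0-9]", "", number)
    if not 1 <= len(digits) <= 15:  # an E.164 number has at most 15 digits
        raise ValueError("not an E.164 number: %r" % (number,))
    return ".".join(reversed(digits)) + "." + suffix


def apply_naptr_regexp(regexp, aus):
    """Apply a NAPTR regexp field, <delim>pattern<delim>replacement<delim>flags."""
    if len(regexp) < 3:
        raise ValueError("malformed NAPTR regexp: %r" % (regexp,))
    parts = regexp[1:].split(regexp[0])
    if len(parts) != 3 or parts[2] not in ("", "i"):
        raise ValueError("malformed NAPTR regexp: %r" % (regexp,))
    pattern, replacement, flags = parts
    compiled = re.compile(pattern, re.IGNORECASE if flags == "i" else 0)
    if not compiled.search(aus):
        return None  # this rule does not apply to the number
    return compiled.sub(replacement, aus, count=1)


def resolve(number, supported_services, records=NAPTR_RECORDS):
    """Return (ENUM domain, URI) using the best record the client supports."""
    domain = e164_to_enum_domain(number)
    aus = "+" + re.sub(r"[^0-9]", "", number)  # string the regexp is run against
    # Lowest order first, then lowest preference.
    for _order, _pref, flags, service, regexp in sorted(records):
        if flags.lower() != "u" or service not in supported_services:
            continue
        uri = apply_naptr_regexp(regexp, aus)
        if uri and uri.lower().startswith(ALLOWED_SCHEMES.get(service, ())):
            return domain, uri
    return domain, None


if __name__ == "__main__":
    print(resolve("+90-312-555-1234", {"E2U+sip", "E2U+msg"}))
```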

How Does It Work?

The operating principle of ENUM is similar to the DNS queries we use on the Internet. DNS NAPTR resource records are used in queries.

ENUM Query and Call
  1. The phone calls an E.164 number (+90-312-555-1234)
  2. The gateway translates it (4.3.2.1.5.5.5.2.1.3.0.9.e164.arpa) and asks the DNS server.
  3. The DNS server responds to this query with a URI (sip:fatih.erikci@fatiherikci.com).
  4. The gateway sends the call to the SIP server as a SIP URI call.
  5. The SIP server rings the IP phone registered with the URI.

How to Install Jitsi Meet on Debian 10

PS: If you need professional assistance about installing & configuring Jitsi Meet, you can contact me via contact link.

Jitsi Meet is a very usable and simple WebRTC-based open-source multi-platform video conferencing solution. You can use it as a cloud-based solution or install it on your premises. In this blog post, I will explain how to install a Jitsi server on your Debian or Ubuntu based Linux platform.

Installing Jitsi Meet is very easy if you want to install it on Ubuntu or Debian linux platform. In this guide you can find how to install Jitsi Meet on Debian 10 by using .deb packages.

I prefer installing Debian from net installer package (netinst), since it is a minimal installation with up-to-date packages. I assume that you can install a Debian linux and I will continue from that point.

First, let’s install base packages like sudo & ssh. Log in from the console as root, then install the necessary packages.

apt-get install -y ssh sudo ufw apt-transport-https

Add your non-root user (mine is ferikci) to /etc/sudoers file.

 ferikci  ALL=(ALL:ALL) ALL 

Now you can continue with your user by using sudo commands.

(Optional) Enable UFW firewall and open the needed ports:

ufw allow in ssh
ufw allow in http
ufw allow in https
ufw allow in 10000:20000/udp
ufw enable

I have to warn you that if you are connected to your linux machine via SSH, enter “ufw enable” command after entering “ufw allow in ssh” command, otherwise you may lose your current SSH connection.

Now re-login with your non-root user via SSH for the rest of the setup.

Add the Jitsi GPG key.

wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -

Add the Jitsi repository and update apt

sudo sh -c "echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list"
sudo apt-get -y update

Install Jitsi-Meet

Now you’re ready for Jitsi server installation. Use the command below to install jitsi-meet with dependencies:

sudo apt-get -y install jitsi-meet

You will be asked for your hostname. Do not write only the hostname; you MUST write it as an FQDN, otherwise you will encounter problems. Also make sure that the FQDN is resolvable through your DNS server (or you can add the FQDN to your hosts file).

Jitsi Hostname Configuration

After that you will be asked about the certificate. In this installation I will use a self-signed SSL certificate, so select the first option.

Jitsi SSL Certificate Configuration Menu

The installation will complete after a while and return you to the command prompt. Reboot your Linux machine:

sudo reboot

Now it’s time to connect to your video conference GUI. Use https://FQDN to go to the main page of Jitsi server:

https://jitsi.test.local

You will see a greeting page with a room name input field. Just enter a room name and click Go button.

Jitsi Meet Greeting Page

That’s it! You can add more participants with the same procedure or by using URL https://FQDN/roomname

https://jitsi.test.local/testroom

Finally Jitsi Meet is Alive!

Running Jitsi Meet Behind a NAT

If you wish to use your Jitsi server behind a NAT, you must configure your router to forward the following ports to your Jitsi Meet server:

  • 80/TCP
  • 443/TCP
  • 10000-20000/UDP

Next, you have to add the following lines to the /etc/jitsi/videobridge/sip-communicator.properties file:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=[INTERNAL.IP.ADDRESS]
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=[PUBLIC.IP.ADDRESS]

For example, here is my configuration:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.1.20
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=95.9.74.32

CUCM Common Partition – How to Clean?

Sometimes when you go through RTMT logs on a Cisco Unified Communications Manager (CUCM), you can see a critical warning of “LogPartitionLowWaterMarkExceeded”. This happens when free space in the CUCM common partition becomes low.

In most cases this problem doesn’t stop the system from functioning, but the low disk space may cause problems if you want to do an installation (e.g. a device pack) or an upgrade.

The CUCM common partition is also called the log partition and is mostly filled with CDRs, CUCM traces and phone firmware files from the TFTP server. The LogPartitionLowWaterMarkExceeded alarm is raised when the log partition disk space percentage reaches the “Low WaterMark” threshold. You can take this alarm as an early notification to clean up the disk space. CUCM doesn’t run any automated cleanup process until the “High WaterMark” value is reached.

What Should I Do To Clean CUCM Common Partition?

To clean up and free some space in the common partition, you can do the following:

  • Change the threshold values of LogPartitionLowWaterMarkExceeded to 50% and LogPartitionHighWaterMarkExceeded to 60%, and then restart the “Cisco Log Partition Monitoring Tool” service. After a couple of hours you should see that the used space has decreased.
  • Delete unused logs by using RTMT Trace/Log Central to collect logs/traces with the “Delete Collected Log Files from Server” option (this applies to both active and inactive partitions). Select a relative range of 8-9 years to delete all unused logs.
  • Delete the old unused phone firmware files from the TFTP server.
  • Use the CUCM script called ciscocm.free_common_space_v1.1.cop.sgn (you can find and download it on cisco.com), which deletes all files from the inactive common partition. Please be aware that after using this script, you won’t be able to switch back to the previous CUCM version.

If you want to reduce the CUCM common partition usage, you can do the following:

  • Deactivate Detail/Debug trace level.
  • Reduce the number of trace files to be stored.
  • For CDR: reduce the High Water Mark, reduce the occupied disk space, and reduce the number of days to store CDRs.