Opensips Notes

30.10.2021

Talant Blogs about VOIP

Alexey Kazantsev Blog

Igor Olhovsky

28.09.2021

kamailio rtpengine media timeout TIPs

1. timeout will be raised only if both sides of rtp is silent
2. you have to enable tcp at kamailio config (disable_tcp=no)
3. you must have in kamailio cfg: listen=tcp:127.0.0.1:8090, loadmodule “xmlrpc.so”, and additional params:

loadmodule "xmlrpc.so"
modparam("xmlrpc", "route", "XMLRPCS")
modparam("xmlrpc", "url_skip", "^/sip")
modparam("xmlrpc", "url_match", "^/RPC2")

4. you have to add route XMLRPC:

route[XMLRPCS] {
  xlog("L_ALERT","RPC recieved");
  dispatch_rpc();
}

5. config rtpengine should have:

 b2b-url = http://127.0.0.1:8090/RPC2
 xmlrpc-format = 2

6. after restart kamailio and rtpengine you may to check you may do command from command line:

curl http://127.0.0.1:8090/RPC2

output should be like that:

<?xml version="1.0"?>
<methodResponse>
<fault>
<value>
<struct>
<member>
<name>faultCode</name>
<value><int>400</int></value>
</member>
<member>
<name>faultString</name>
<value><string>Invalid XML-RPC Document</string></value>
</member>
</struct>
</value>
</fault>
</methodResponse>

20.09.2021

RTPENGINE + G729 DEBIAN 10.10 and Debian 11

apt update
apt upgrade -y
apt install -y linux-headers-$(uname -r) linux-image-$(uname -r)

##reboot

mkdir /opt/rtpengine

cd /opt/rtpengine

apt install -qqy git curl mariadb-server libmosquitto-dev libwebsockets-dev python3-websockets apt-utils devscripts dpkg-dev debhelper iptables iptables-dev libcurl4-openssl-dev libglib2.0-dev libavcodec-extra libhiredis-dev libpcre3-dev libssl-dev libxmlrpc-core-c3-dev markdown zlib1g-dev module-assistant dkms gettext default-libmysqlclient-dev gperf libavcodec-dev libavfilter-dev libavformat-dev libavutil-dev libbencode-perl libcrypt-openssl-rsa-perl libcrypt-rijndael-perl libdigest-crc-perl libdigest-hmac-perl libevent-dev libio-multiplex-perl libio-socket-inet6-perl libjson-glib-dev libnet-interface-perl libpcap0.8-dev libsocket6-perl libswresample-dev libsystemd-dev nfs-common netcat-openbsd netcat unzip libconfig-tiny-perl libspandsp-dev**

git clone https://github.com/sipwise/rtpengine.git .
cp etc/rtpengine.sample.conf /etc/rtpengine/rtpengine.conf

VER=1.0.4

curl https://codeload.github.com/BelledonneCommunications/bcg729/tar.gz/$VER >bcg729_$VER.orig.tar.gz

tar zxf bcg729_$VER.orig.tar.gz

cd bcg729-$VER

git clone https://github.com/ossobv/bcg729-deb.git debian

dpkg-buildpackage -us -uc -sa

cd ../

dpkg -i libbcg729-*.deb


export DEBIAN_FRONTEND=noninteractive

apt-get update -qqy

mkdir -p ./debian/flavors

touch ./debian/flavors/no_ngcp


dpkg-checkbuilddeps

dpkg-buildpackage -b -us -uc

dpkg -i ../*.deb

**manual edit: /etc/rtpengine/rtpengine.conf: set your IPs.

If you want to add webrtc2sip feature use next lines

certbot certonly -d webrtc.domain.com

**manual edit: kamailiorc: uncomment db engine string

kamdbctl create kamailio 


download template kamailio.cfg, tls.cfg and kamailio_local.cfg 

(git clone https://bitbucket.org/erewin/webrtc2sip-template.git)

systemctl start rtpengine
systemctl start kamailio

To make the same on Debian 11

#!/usr/bin/sh
apt update
apt upgrade

#here you have reboot

#!/usr/bin/sh
mkdir /opt/rtpengine

cd /opt/rtpengine

apt-get install git curl -y

apt-get install libmosquitto-dev libwebsockets-dev python3-websockets apt-utils dpkg-dev debhelper iptables libxtables-dev libip6tc-dev libip4tc-dev libcurl4-openssl-dev libglib2.0-dev libavcodec-extra libhiredis-dev libpcre3-dev libssl-dev libxmlrpc-core-c3-dev markdown zlib1g-dev module-assistant dkms gettext default-libmysqlclient-dev gperf libavcodec-dev libavfilter-dev libavformat-dev libavutil-dev libbencode-perl libcrypt-openssl-rsa-perl libcrypt-rijndael-perl libdigest-crc-perl libdigest-hmac-perl libevent-dev libio-multiplex-perl libio-socket-inet6-perl libjson-glib-dev libnet-interface-perl libpcap0.8-dev libsocket6-perl libswresample-dev libsystemd-dev nfs-common netcat-openbsd netcat unzip libconfig-tiny-perl libspandsp-dev
#debian 11
apt install libxtables-dev libip6tc-dev libip4tc-dev libiptc-dev

apt install -y linux-headers-$(uname -r) linux-image-$(uname -r)

git clone https://github.com/sipwise/rtpengine.git .


VER=1.0.4

curl https://codeload.github.com/BelledonneCommunications/bcg729/tar.gz/$VER >bcg729_$VER.orig.tar.gz

tar zxf bcg729_$VER.orig.tar.gz

cd bcg729-$VER

git clone https://github.com/ossobv/bcg729-deb.git debian

dpkg-buildpackage -us -uc -sa

cd ../

dpkg -i libbcg729-*.deb


export DEBIAN_FRONTEND=noninteractive

apt-get update -qqy

mkdir -p ./debian/flavors

touch ./debian/flavors/no_ngcp


dpkg-checkbuilddeps

dpkg-buildpackage -b -us -uc

dpkg -i ../*.deb

8.08.2021

Kamailio TLS-UDP with dispatcher and used old openssl 1.0.2 (sslv2\3 support)

This project is how to convert TLS-UDP with kamailio. Problem is that modern Unix (Ubuntu and debian have only modern openssl library so it’s not support ssv2\3 protocol). To make it works you have to

• do this steps at vanilla system.
• get source of kamailio
• for compiling using /make include_modules=”tls”/
• rtpengine should be installed as usual
• then everything should go as usual

Benefits from this configs is that working for inbound\outbound calls and use Dispatcher.
this is example of dispatcher file:

#
# dispatcher destination sets (groups)
#

# line format
# setid(int) destination(sip uri) flags(int,opt) priority(int,opt) attributes(str,opt)


1 sip:PEER1:5070;transport=udp 0 0 socket=udp:KAM_SOCKET_UDP:5070
1 sip:PERR2;transport=udp 0 0 socket=udp:KAM_SOcKET_UDP:5070

2 sip:TLS_CARRIER:5061;transport=tls 0 0 socket=tls:TLS_SOCKET_KAM:5061

Example of kamailio config you may get here.

#!KAMAILIO
#
############################################################
# *** Value defines - IDs used later in config
#!ifdef WITH_DEBUG
#!define DBGLEVEL 3
#!else
#!define DBGLEVEL 2
#!endif
#!define DS_LIST "/usr/local/etc/kamailio/dispatcher.list"
#!define LISTEN_UDP_PRIVATE udp:LOCAL_INTERFACE_IP:5070
#!define FLAG_FROM_ASTERISK 10
#!define FLAG_FROM_PEER 11


# - flags
#   FLT_ - per transaction (message) flags
#!define FLT_ACC 1
#!define FLT_ACCMISSED 2
#!define FLT_ACCFAILED 3
#!define FLT_NATS 5

#	FLB_ - per branch flags
#!define FLB_NATB 6
#!define FLB_NATSIPPING 7

####### Global Parameters #########

/* LOG Levels: 3=DBG, 2=INFO, 1=NOTICE, 0=WARN, -1=ERR, ... */
debug=DBGLEVEL

/* set to 'yes' to print log messages to terminal or use '-E' cli option */
log_stderror=no

memdbg=5
memlog=5

log_facility=LOG_LOCAL0
log_prefix="{$mt $hdr(CSeq) $ci} "

children=8

auto_aliases=no

server_signature=no

alias="DOMAIN_NAME"

listen=udp:LOCAL_INTERFACE_IP:5070
listen=tls:LOCAL_INTERFACE_IP:5061 advertise EXTERNAL_IP:5061

tcp_connection_lifetime=3605

tcp_max_connections=20000

tcp_accept_no_cl=yes

enable_tls=yes
tls_max_connections=20000

enable_sctp=no

####### Modules Section ########
mpath="/usr/local/lib64/kamailio/modules/"


#loadmodule "db_mysql.so"
loadmodule "kex.so"
loadmodule "corex.so"
loadmodule "tm.so"
loadmodule "pike.so"
loadmodule "htable.so"
loadmodule "nathelper.so"
loadmodule "tmx.so"
loadmodule "sl.so"
loadmodule "rr.so"
loadmodule "pv.so"
loadmodule "maxfwd.so"
#loadmodule "registrar"
#loadmodule "usrloc.so"
loadmodule "textops.so"
loadmodule "textopsx.so"
loadmodule "dialog.so"
loadmodule "tls.so"
loadmodule "siputils.so"
loadmodule "xlog.so"
loadmodule "sanity.so"
loadmodule "ctl.so"
loadmodule "cfg_rpc.so"
loadmodule "acc.so"
loadmodule "counters.so"
loadmodule "dispatcher.so"
loadmodule "outbound.so"
loadmodule "rtpengine.so"
loadmodule "path.so"


####Module Specific Parameters####
modparam("rr", "enable_double_rr", 1)

modparam("tls", "config", "/etc/kamailio/tls.cfg")
modparam("path", "use_received", 1)


modparam("acc", "log_flag", FLT_ACC)
modparam("acc", "failed_transaction_flag", FLT_ACCFAILED)
modparam("acc", "log_extra", "src_user=$fU;src_domain=$fd;dst_ouser=$tU;dst_user=$rU;dst_domain=$rd;src_ip=$si")

modparam("rtpengine", "rtpengine_sock", "udp:127.0.0.1:2223")
modparam("pike", "sampling_time_unit", 2)
modparam("pike", "reqs_density_per_unit", 16)
modparam("pike", "remove_latency", 4)
modparam("htable", "htable", "ipban=>size=8;autoexpire=300;")


modparam("dispatcher", "list_file", DS_LIST)
#modparam("dispatcher", "db_url", DBURL)
modparam("dispatcher", "table_name", "dispatcher")
modparam("dispatcher", "flags", 2)
modparam("dispatcher", "ds_ping_reply_codes", "class=2;code=480;code=404")
modparam("dispatcher", "ds_probing_mode", 1)
modparam("dispatcher", "ds_ping_reply_codes", "class=2;code=480;code=404")
modparam("dispatcher", "force_dst", 1)
modparam("dispatcher", "ds_ping_interval", 20)
modparam("dispatcher", "ds_ping_from", "sip:keepalive@smsglobal.com")
modparam("dispatcher", "ds_ping_reply_codes", "class=2;code=480;code=404")
modparam("nathelper", "received_avp", "$avp(s:rcv)")


###Routing Logic

request_route {

	# per request initial checks
	route(REQINIT);
	
	# CANCEL processing
	if (is_method("CANCEL")) {
		if (t_check_trans()) {
			route(RELAY);
		}
		exit;
	}

	# handle retransmissions
	if (!is_method("ACK")) {
		if(t_precheck_trans()) {
			t_check_trans();
			exit;
		}
		t_check_trans();
	}

        route(CHECK_SOURCE_IP);

	# handle requests within SIP dialogs
	route(WITHINDLG);

	### only initial requests (no To tag)

	# record routing for dialog forming requests (in case they are routed)
	# - remove preloaded route headers
	remove_hf("Route");
	if (is_method("INVITE|SUBSCRIBE")) {
		record_route();
	}

	# account only INVITEs
	if (is_method("INVITE")) {
		setflag(FLT_ACC); # do accounting
	}

	# handle presence related requests
	route(PRESENCE);

	# handle registrations
	route(REGISTRAR);

	if ($rU==$null) {
		# request with no Username in RURI
		sl_send_reply("484","Address Incomplete");
		exit;
	}

	# dispatch destinations
	route(DISPATCH);
}


route[RELAY] {
    if (is_method("INVITE")) {
        if(!t_is_set("failure_route")) {
            t_on_failure("MANAGE_FAILURE");
        }
    }

    if (isflagset(FLAG_FROM_PEER)) {
	    xlog("L_INFO","seems call from $si goig from PEER");
	    
    } else {
            
            xlog("L_INFO","Relaying TO TLS\n ");
    }


    if (!t_relay()) {
            sl_reply_error();
    }
    #exit;

}

# Per SIP request initial checks
route[REQINIT] {
	if (!mf_process_maxfwd_header("10")) {
		sl_send_reply("483","Too Many Hops");
		exit;
	}

	if(!sanity_check("1511", "7")) {
		xlog("Malformed SIP message from $si:$sp\n");
		exit;
	}
	force_rport();
	
	if(src_ip!=myself) {
		if($sht(ipban=>$si)!=$null) {
			# ip is already blocked
			xdbg("request from blocked IP - $rm from $fu (IP:$si:$sp)\n");
			exit;
		}
		if (!pike_check_req()) {
			xlog("L_ALERT","ALERT: pike blocking $rm from $fu (IP:$si:$sp)\n");
			$sht(ipban=>$si) = 1;
			exit;
		}
	}

	if($ua =~ "friendly|scanner|sipcli|sipvicious|VaxSIPUserAgent") {
		# silent drop for scanners - uncomment next line if want to reply
		# sl_send_reply("200", "OK");
		exit;
	}
	if(is_method("OPTIONS") && uri==myself && $rU==$null) {
		sl_send_reply("200","Keepalive");
		exit;
	}



}

route[CHECK_SOURCE_IP] {
    if(ds_is_from_list("1")) {
            setflag(FLAG_FROM_ASTERISK);
    } else {
            setflag(FLAG_FROM_PEER);
    }
}

# Handle requests within SIP dialogs
route[WITHINDLG] {
	if (has_totag()) {
		# sequential request withing a dialog should
		# take the path determined by record-routing
		if (loose_route()) {
			if (is_method("BYE")) {
				setflag(FLT_ACC); # do accounting ...
				setflag(FLT_ACCFAILED); # ... even if the transaction fails
			}
			route(RELAY);
		} else {
			if (is_method("SUBSCRIBE") && uri == myself) {
				# in-dialog subscribe requests
				exit;
			}
			if ( is_method("ACK") ) {
				if ( t_check_trans() ) {
					# non loose-route, but stateful ACK;
					# must be ACK after a 487 or e.g. 404 from upstream server
					t_relay();
					exit;
				} else {
					# ACK without matching transaction ... ignore and discard.
					exit;
				}
			}
			sl_send_reply("404","Not here");
		}
		exit;
	}
}

# Handle SIP registrations
route[REGISTRAR] {
	if(!is_method("REGISTER"))
		return;

	sl_send_reply("404", "Not Acceptable");
	exit;
}

# Presence server route
route[PRESENCE] {
	if(!is_method("PUBLISH|SUBSCRIBE"))
		return;

	sl_send_reply("404", "Not Acceptable");
	exit;
}

# Dispatch requests
route[DISPATCH] {
        # round robin dispatching on gateways group '1'
        # record routing for dialog forming requests (in case they are routed)
        # - remove preloaded route headers
        remove_hf("Route");
        if (is_method("INVITE|REFER")) {
                record_route();
                if (has_body("application/sdp")) {
                    if (rtpengine_offer()) {
                            t_on_reply("1");
                    }
                } else {
                    t_on_reply("2");
                }

                if (isflagset(FLAG_FROM_PEER)) {
		    xlog("L_INFO","Call from $si seems from PEER");
                    if(!ds_select_domain("1", "4")) {
                            send_reply("404", "No destination");
                            exit;
                    }

                }

                if (isflagset(FLAG_FROM_ASTERISK)) {
		    xlog("L_INFO","Call from $si seems from ASTERISK");
                    if(!ds_select_domain("2", "4")) {

                            send_reply("404", "No destination");
                            exit;
                    }
		    xlog("L_INFO","Call from $si seems from ASTERISK [$du] [$ru]");
		    
                }
		    

		    xlog("L_INFO","DESTINATION is $du");
        }

        if (is_method("ACK") && has_body("application/sdp")) {
                rtpengine_answer("force");
        }

        route(RELAY);
}


failure_route[RTF_DISPATCH] {
	if (t_is_canceled()) {
		exit;
	}
	# next DST - only for 500 or local timeout
	if (t_check_status("500")
			or (t_branch_timeout() and !t_branch_replied())) {
		if(ds_next_dst()) {
			xdbg("--- SCRIPT: retrying to <$ru> via <$du> (attrs: $xavp(_dsdst_=>attrs))\n");
			t_on_failure("RTF_DISPATCH");
			route(RELAY);
			exit;
		}
	}
}

onreply_route[1] {
        if (has_body("application/sdp")) {
                rtpengine_answer("force");
        }
}

onreply_route[2] {
        if (has_body("application/sdp")) {
                rtpengine_offer("force");
        }
}

8.12.2020

kamailio. siremis. xmlrpc. jsonrpc.

xmlrpc работает через порты, которые используются и для SIP. Файлы настройки протоколов для siremis

siremis/modules/sipadmin/service/

jsonrpc может работать через разные транспорты, по умолчанию работается через Unixsock.нужные параметры в конфиге kamailio:

<UnixSockLocal name="unixsocklocal" address="/var/run/siremis/siremis_rpc.sock" timeout="3.0"/>
<!-- kamailio.cfg: modparam("jsonrpcs", "dgram_socket", "/var/run/kamailio/kamailio_rpc.sock") -->
<!-- kamailio.cfg: modparam("jsonrpcs", "dgram_mode", 0666) --> <UnixSockRemote name="unixsockremote" address="/var/run/kamailio/kamailio_rpc.sock" timeout="3.0"/>

TIPs: Возможны проблемы с разрешениями поправляется выставлением разрешения на каталог /var/run/kamailio 701 (добавить поиск для остальных пользователей) ну и сам файл sock должен быть доступен для чтения\записи

30.11.2020

kamailio. Rtpproxy not apply on re-invite.

При реинвайте не применяется rtpproxy, использовал rtpproxy_manage. Проблема была в том, что при реинвайте провайдер отправлял ответ с уже включенным a=nortpproxy в sdp. соответственно kamilio просто игнорил этот ответ. полечилось добавлением в конфиг такой строчки:

modparam("rtpproxy", "nortpproxy_str", "")

24.12.2019

Kamailio. uac_auth. cseq. t_relay fail.

чтобы увеличивать cseq нужно использовать модуль диалог.

modparam(“dialog”, “track_cseq_updates”, 1)

если вы используете в failure_route uac_auth, то учите что при несовпадении realm в запросе на авторизацию и в функции uac_auth вы получите ошибку

ERROR: {1 62503 INVITE } tm [t_fwd.c:1717]: t_forward_nonack(): no branches for forwarding
ERROR: {1 62503 INVITE } tm [tm.c:1679]: _w_t_relay_to(): t_forward_noack failed

А в 2016 был баг на эту тему в kamailio. сейчас видимо не баг.

1.05.2019

Черный список ip адресов для voip

sh скрипт который

!/bin/bash
 BADIPSFILE="badips.list"
 BADIPSFILETEMP="$BADIPSFILE".temp
 ADDLISTFILE="$BADIPSFILE".load
# get new list
 wget https://www.badips.com/get/list/voip/0 -O $BADIPSFILETEMP
# sort new list
 sort $BADIPSFILETEMP -o $BADIPSFILETEMP
# touch to be sure that file exist
 touch $BADIPSFILE
# diff old ans new file
 diff $BADIPSFILE $BADIPSFILETEMP | grep -Po '\d+.\d+.\d+.\d+' > $ADDLISTFILE
# copy new file to old for next ips going fast
 cp -f $BADIPSFILETEMP $BADIPSFILE
 cp -f drop_temp.xml drop_temp_.xml
 BLOCKED_IP=$ADDLISTFILE
 IPTABLES="iptables"
 if [ -f $BLOCKED_IP ]; then
     while read BLOCKED; do
                $IPTABLES -A INPUT_direct -i ens192 -s $BLOCKED -p udp -j DROP
        done < $BLOCKED_IP
 fi

5.07.2018

Kamailio. topos. topology hiding. bug.

В kamailio обнаружился баг с модулем topos. Проявляется так: Если во время звонка случается re-invite от клиента, то сообщения BYE обрабатываются некорректно. Этот BYE отправляется не дальше клиенту, а остается на kamailio, сам kamilio при этом выдает “Not here” и точка. Клиент не получает BYE в следствие чего звонок на конечной точке зависает.

Связано это с модулем topos который позволяет скрывать топологию сети после прохождения через sip-proxy. сам по себе модуль очень хорош – его достаточно загрузить и никаких настроек не надо.
но вот багесть. Разработчик уже поправил в исходном коде, но в пакеты пока не попал…

22.06.2017

Настройка voip телефона Polycom 331 для работа с TLS и DNS SRV

Странная логика у этого аппарата, ну понятно, что в виду нехватка документации объяснить какие-то пункты я не смогу, например, мне не понятно, как взаимодействует раздел SIP и line1. Но моя задача была настроить телефон так, чтобы он работал с TLS и DNS SRV, т.к. в текущем проекте, мы использовали DNS failover. Сразу скажу, что все получилось и сама схема DNS SRV failover прекрасна.

Общая схема такая: Polycom 331 —tls— Kamailio —udp— Asterisk

Итак, вот скрины настроек.

Остальные настройки вне line1 нужно сделать дефолтными, и всё пойдет.

Search

Search