After returning home from AstriCon 10, I decided to start-up a new server and see how long it would take me to run a working Kamailio server behind NAT (on a private IP). Bottom line? About 30 minutes.
I was lucky to help staff the Kamailio booth this year and was honored to help so many other VoIP professionals (and enthusiasts) with their questions about Kamailio, so without further ado…
What is Kamailio?
Kamailio (OpenSER) is an open source SIP server capable of handling thousands of call set-ups per second. Some amazing features include:
- Secure communication via TLS
- Load Balancing
- WebSocket support for WebRTC
- and mucho mas
Who should use Kamailio?
If you’re running fewer than 100 phones, you most likely won’t have a need for Kamailio — unless you want failover, enhanced security, WebRTC, or one of the other Kamailio features.
I use Kamailio to help protect my systems from scanners, brute force SIP attacks, and other fun aspects of running business on the Interwebs.
… but … I digress …
Running Kamailio behind NAT
Many of us don’t have access to large numbers of public IP addresses. Some of us also like running systems on private IP addresses for personal reasons.
In the past (and still today), it was recommended that you run Kamailio on a public IP address. Regardless of the reason, with a patched rtpproxy and an advertised public IP address, you can have Kamailio running on a private IP address very quickly.
(NOTE: This tutorial was written for Kamailio 4.0 and an old version of RTPProxy. I recommend running the current version of both.)
Step 1: Install Kamailio
I chose to install Kamailio on CentOS. I’m not going to get into a religious war here on what OS you should use. Most of the development team of Kamailio use debian… I like CentOS, and that’s what I choose to deploy.
There’s an excellent tutorial for installing Kamailio posted on the main wiki: Install And Maintain Kamailio v4.0.x Version From GIT.
For CentOS, I first disable selinux, and then install some pre-reqs:
yum -y install gcc gcc-c++ bison openssl-devel libtermcap-devel ncurses-devel doxygen curl-devel newt-devel mlocate lynx tar wget nmap bzip2 unixODBC unixODBC-devel libtool-ltdl libtool-ltdl-devel mysql-connector-odbc mysql mysql-devel mysql-server flex libxml2 libxml2-devel pcre pcre-devel git
Some of these aren’t fully necessary for the deployment, but are good tools to have. I also generally install the development tools group as well.
yum groupinstall "Development Tools"
Once everything is ready (a reboot doesn’t hurt), it’s time to download and install Kamailio.
mkdir -p /usr/local/src/kamailio-4.0 cd /usr/local/src/kamailio-4.0 git clone --depth 1 git://git.sip-router.org/sip-router kamailio cd kamailio git checkout -b 4.0 origin/4.0 make cfg
modules.1st. I use vi. You can use whatever you’d like.
Find the section that says include_modules and add db_mysql. It will look like:
Save the file… and let’s continue.
make all make install
Step 2: Create the Database
Open the kamctlrc file, uncomment the mysql database reference, and change the default passwords:
vi /usr/local/etc/kamailio/kamctlrc DBENGINE=MYSQL
Save the file and run the following command:
This creates the kamailio database for you.
Step 3: Modify the Kamailio config file
Kamailio builds a default file for you. We’re going to quickly modify it to get this demo working.
Insert the following after the #!Kamailio line:
#!define WITH_MYSQL #!define WITH_AUTH #!define WITH_USRLOCDB #!define WITH_ANTIFLOOD #!define WITH_NAT
This adds a minimal amount of protection to your system (with ANTIFLOOD) and allows you to authenticate users to your system. It will also start the ball rolling for NATted communication.
Next, find the line that says: #!define DBURL “mysql://kamailio:kamailiorw@localhost/kamailio” and replace with:
#!define DBURL "mysql://USERNAME:PASSWORD@localhost/kamailio"
Next, find the line that says: #listen=udp:10.0.0.10:5060 and underneath it, add:
listen=udp:PRIVATEIP:5060 advertise PUBLICIP:5060
Save the file. Smile.
The advertise function here is key for running behind NAT along with…
Step the Fourth: Install the Patched rtpproxy
(NOTE: If you use the current version of rtpproxy, you won’t need to install the patch– it includes the advertise option)
rtpproxy is an open source program written by Sippy Software and available from their website, rtpproxy.org. The current stable version of rtpproxy is 1.2.1 and is missing one awesome feature — the ability to use an _advertised _address.
Luckily there are programmers who have resolved this issue for us.
Back in 2009, Daniel Goepp posted a patch to RTPproxy to support putting rtpproxy behind NAT.
Another Daniel, Daniel-Constantin Mierla, posted a patched version of rtpproxy on github.
We’ll choose the github for this example. I downloaded as a zip file and installed.
unzip master.zip cd rtpproxy-master ./configure make all make install
You now have a version of rtpproxy that will advertise a public IP from behind NAT.
The Fifth Step: Starting the services
Since you’re behind NAT, you’re most likely going to want to forward UDP port 5060 for SIP and a UDP port range for RTP from your firewall to your Kamailio server’s private IP. For this example, let’s use an RTP port range of 20,000 to 30,000. (you’ll take care of your firewall forwarding however is needed on your particular firewall)
Start rtpproxy with a set rtp port range and an advertised public IP:
rtpproxy -A PUBLICIP -F -l PRIVATEIP -m 20000 -M 30000 -s udp:*:7722 -d INFO
Next, start Kamailio
Step 6: Add some users, and make calls
Adding a user is simple:
kamctl add USERNAME PASSWORD
For example, you could run kamctl add qxork superhotyeni which would add the user qxork with a password of superhotyeni.
Kamailio is incredible software… it’s addictive and you start learning that SIP can become a really incredible tool to work with.
To know Kamailio is to know SIP.
And there’s the problem. To know SIP you must learn SIP and play with SIP.
Since most of us don’t have access to spare servers that we can put on a public IP, we’re stuck learning the system on a local NAT at the office or (more commonly) at the house.
Running Kamailio behind NAT allows you to learn, test, and play with SIP. Now, there’s no excuse… let’s start learning!
- The Kamailio Website: http://www.kamailio.org
- Asipto SIP and VoIP Knowledge Base: http://kb.asipto.com/
- Join the Kamailio Mailing List: http://www.kamailio.org/w/mailing-lists/
- Chat on #kamailio: http://www.kamailio.org/w/irc-channels/
- Contact me. http://qxork.com
We’re a friendly community. We also have cookies.