Simple TLS Gateway

Well, 2020 is certainly a strange year… Some of us have been working from home for a very long time while others are now just understanding the benefits. Of course, when a drastic change in work environment becomes a forced change, the implementation can be quite daunting.

Let’s look at telephony for example.

Many small, medium, and even enterprise PBX deployments have been designed to only allow endpoints (aka phones) to connect from within the local network.

So, how can you allow remote connectivity to your PBX without changing your PBX?

Enter Kamailio —
The Open Source SIP Server

Kamailio® (successor of former OpenSER and SER) is an Open Source SIP Server released under GPL, able to handle thousands of call setups per second. Kamailio can be used to build large platforms for VoIP and realtime communications – presence, WebRTC, Instant messaging and other applications. Moreover, it can be easily used for scaling up SIP-to-PSTN gateways, PBX systems or media servers like Asterisk™, FreeSWITCH™ or SEMS.

One feature that truly shines for our work-from-home scenario is Kamailio’s bridging capability. Kamailio can bridge TLS (secure) connections from the outside world (aka work from home) to UDP “connections” on the local network (aka to the PBX).

By combining Kamailio with RTPengine, you can also bridge secure audio (SRTP) on the outside to normal audio (RTP) on the inside.

Basic Concept

Basic Visual Concept of TLS/SRTP Bridge

The concept lets you substitute your own values: replace PBXIP with your PBX’s IP address, and do the same for the public, private, and domain values. You can easily use Let’s Encrypt to get an SSL certificate for your domain.

Endpoints appear to the PBX as on the local network. In most cases, no configuration changes would be needed to your PBX whatsoever.
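To confirm a deployed bridge behaves as described, you can compare the same call as seen on each side of the gateway. The following is an added example, not code from the author's repo: the function names are hypothetical, the SIP messages are constructed, and SRTP keying via SDES (`a=crypto`) is assumed.

```python
import re

SECURE = {"RTP/SAVP", "RTP/SAVPF"}  # SRTP profiles; SDES keying (a=crypto) is assumed

def leg_profile(msg):
    """Topmost Via transport plus [media, profile, has_crypto] for each SDP m= line."""
    head, _, body = msg.replace("\r\n", "\n").partition("\n\n")
    via = re.search(r"^(?:Via|v)[ \t]*:[ \t]*SIP/2\.0/(\w+)", head, re.I | re.M)
    streams = []
    for line in body.splitlines():
        parts = line[2:].split()
        if line.startswith("m=") and len(parts) >= 3:
            streams.append([parts[0], parts[2], False])
        elif line.startswith("a=crypto:") and streams:
            streams[-1][2] = True  # key material belongs to the preceding m= line
    return (via.group(1).upper() if via else None), streams

def audit_bridge(outside_msg, inside_msg):
    """Findings where a call's two legs differ from TLS/SRTP outside, UDP/RTP inside."""
    findings = []
    transport, streams = leg_profile(outside_msg)
    if transport != "TLS":
        findings.append(f"outside signalling is {transport}, expected TLS")
    for media, profile, keyed in streams:
        if profile not in SECURE or not keyed:
            findings.append(f"outside {media} is {profile} (keyed={keyed}), expected SRTP")
    transport, streams = leg_profile(inside_msg)
    if transport != "UDP":
        findings.append(f"inside signalling is {transport}, expected UDP")
    for media, profile, keyed in streams:
        if profile != "RTP/AVP" or keyed:
            findings.append(f"inside {media} is {profile} (keyed={keyed}), expected plain RTP")
    return findings

def sample_invite(transport, profile, keyed):
    """Constructed INVITE for the demo; addresses come from documentation ranges."""
    sdp = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
           f"m=audio 40000 {profile} 0"]
    if keyed:
        sdp.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER-KEY")
    head = ["INVITE sip:100@pbx.example.com SIP/2.0",
            f"Via: SIP/2.0/{transport} 192.0.2.10;branch=z9hG4bKdemo",
            "Content-Type: application/sdp"]
    return "\r\n".join(head) + "\r\n\r\n" + "\r\n".join(sdp) + "\r\n"

if __name__ == "__main__":
    inside = sample_invite("UDP", "RTP/AVP", False)
    print(audit_bridge(sample_invite("TLS", "RTP/SAVP", True), inside))  # bridged as intended
    print(audit_bridge(sample_invite("TLS", "RTP/AVP", False), inside))  # outside media in clear
```

An empty list means the two legs match the layout above; any finding on the outside leg means signalling or audio is crossing the public network unprotected.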

Example Config

I’ve posted an example TLS/SRTP bridge config on my GitHub repo.

Hope this helps you… if you have any questions or comments, please don’t hesitate to reach out.


By Fred Posner

Fred Posner provides VoIP consulting services through The Palner Group and For ten years, Fred helped his wife, Yeni Monroy, run Bearkery®, a family bakery in Gainesville, Florida. The bakery sadly closed during the COVID19 pandemic. Contact Fred at

4 replies on “Simple TLS Gateway”

Very nice, thank you for sharing! I have noticed a strange behaviour though. In the case of an incoming call coming to the IPBX (from a mobile phone through a PSTN gw), forwarded to the bridge then to the UAC, once the UAC answers, if the BYE is initiated by the UAC, the other end (the phone behind the PSTN gw) doesn’t receive a BYE and is still connected.

In any other case (incoming call from PSTN hung up by the mobile phone, outgoing call from the UAC to the PSTN hung up by the UAC, outgoing call from the UAC to the PSTN hung up by the mobile phone).

So it is only in the case of an incoming call hung up by the UAC that the BYE gets lost.

If you have any clue…

Thanks and regards,

Great, thank you. Is it possible to log in from WebRTC too, or would that need very advanced changes in the actual code?

You could use this with WebRTC using the websockets module and some additional listening actions / rtpengine mods.
