@l2dy
Last active May 26, 2021 12:47
OpenSIPS in the Cloud with NAT Support
  1. Install and start rtpproxy, and configure the firewall to allow the UDP ports it uses.
  2. make menuconfig.
  3. Generate OpenSIPS Script -> Residential Script -> Configure.
  4. Select ENABLE_TLS, USE_AUTH, USE_DIALOG and USE_NAT.
  5. Go back, Generate & Save Residential Script.
  6. Copy etc/opensips_residential_*.cfg to /etc/opensips/opensips.cfg.
  7. Customize opensips.cfg and SIP_DOMAIN, DBENGINE, etc. in opensipsctlrc.
  8. opensipsdbctl create.
  9. systemctl enable opensips.service && systemctl start opensips.service.
  10. opensipsctl add <USER> <PASSWORD>.
  11. Enjoy and profit!

P.S. Check out https://blog.opensips.org/2016/11/11/how-to-avoid-plaintext-passwords/.
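
A check to run after step 7, as an added example (not part of the gist or of OpenSIPS): it flags placeholders from the diff below that were never replaced, and stock TLS and rtpproxy lines that were left unedited. The function name audit_opensips_cfg, the finding labels and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an opensips.cfg after step 7. audit_opensips_cfg and its
# finding labels are made up here; they are not part of OpenSIPS or opensipsctl.

audit_opensips_cfg() {
    # Strip comments first so "# CUSTOMIZE ME" markers never match a rule.
    # (Simplification: assumes no "#" inside quoted strings.)
    sed -e 's/[[:space:]]*#.*$//' "$1" | awk '
        # Third quoted argument of modparam("module","name","value").
        function val(line,   a) { split(line, a, "\""); return a[6] }
        BEGIN { n = split("PUBLIC_DOMAIN PUBLIC_IP PRIVATE_IP", ph, " ") }
        # Placeholders from the diff that were never replaced with real values.
        { for (i = 1; i <= n; i++) if (index($0, ph[i])) print "placeholder:" ph[i] }
        # Stock script ships TLSv1; the customized config uses TLSv1_2.
        /modparam\("tls_mgm", *"tls_method"/ && val($0) != "TLSv1_2" {
            print "tls_method:" val($0) }
        # Peer certificates are not checked; confirm this is intended.
        /modparam\("tls_mgm", *"verify_cert"/ && val($0) == "0" {
            print "verify_cert:off" }
        # TLS listener still bound to the stock loopback address.
        /^listen=tls:127\.0\.0\.1:/ { print "listen:tls-on-loopback" }
        # rtpproxy call without the advertised address argument.
        /rtpproxy_(offer|answer)\("[^"]*"\)/ { print "rtpproxy:no-advertised-ip" }
    ' | sort -u
}

# Constructed sample: a half-customized config mixing stock and edited lines.
sample_cfg=$(mktemp)
trap 'rm -f "$sample_cfg"' EXIT
cat > "$sample_cfg" <<'EOF'
advertised_address="PUBLIC_DOMAIN"
listen=udp:127.0.0.1:5060   # CUSTOMIZE ME
listen=tls:127.0.0.1:5061   # CUSTOMIZE ME
modparam("nathelper", "sipping_from", "sip:pinger@sip.example.org") #CUSTOMIZE ME
modparam("tls_mgm","verify_cert", "0")
modparam("tls_mgm","tls_method", "TLSv1")
        rtpproxy_offer("ro");
        rtpproxy_answer("ro", "192.0.2.10");
EOF

# One finding per line; no output means none of the rules matched.
audit_opensips_cfg "$sample_cfg"
```
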

--- /etc/opensips_residential_2020.cfg
+++ /etc/opensips/opensips.cfg
@@ -37,14 +37,16 @@
 auto_aliases=no
 
 
+advertised_address="PUBLIC_DOMAIN"
+
 listen=udp:127.0.0.1:5060   # CUSTOMIZE ME
 
-listen=tls:127.0.0.1:5061   # CUSTOMIZE ME
+listen=tls:PRIVATE_IP:5061   # CUSTOMIZE ME
 
 ####### Modules Section ########
 
 #set module path
-mpath="/usr/local/lib/opensips/modules/"
+mpath="/usr/lib64/opensips/modules"
 
 #### SIGNALING module
 loadmodule "signaling.so"
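Review bot: advertised_address is added globally while the listen=udp line stays on 127.0.0.1 with its CUSTOMIZE ME marker untouched, so it is unclear whether UDP is meant to be loopback-only. If SIP should be reachable only over TLS, say so in a comment on the listen=udp line or drop that listener. If only the TLS socket needs the public name, the per-listener form (listen=tls:PRIVATE_IP:5061 AS PUBLIC_DOMAIN:5061) keeps the advertised address next to the socket it applies to.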
@@ -125,21 +127,21 @@
 modparam("nathelper", "natping_interval", 10)
 modparam("nathelper", "ping_nated_only", 1)
 modparam("nathelper", "sipping_bflag", "SIP_PING_FLAG")
-modparam("nathelper", "sipping_from", "sip:[email protected]") #CUSTOMIZE ME
+modparam("nathelper", "sipping_from", "sip:pinger@PUBLIC_DOMAIN") #CUSTOMIZE ME
 modparam("nathelper", "received_avp", "$avp(received_nh)")
 
 loadmodule "rtpproxy.so"
-modparam("rtpproxy", "rtpproxy_sock", "udp:localhost:12221") # CUSTOMIZE ME
+modparam("rtpproxy", "rtpproxy_sock", "udp:localhost:9000") # CUSTOMIZE ME
 
 loadmodule "proto_udp.so"
 loadmodule "proto_tls.so"
 loadmodule "tls_mgm.so"
-modparam("tls_mgm","verify_cert", "1")
+modparam("tls_mgm","verify_cert", "0")
 modparam("tls_mgm","require_cert", "0")
-modparam("tls_mgm","tls_method", "TLSv1")
-modparam("tls_mgm","certificate", "/usr/local/etc/opensips/tls/user/user-cert.pem")
-modparam("tls_mgm","private_key", "/usr/local/etc/opensips/tls/user/user-privkey.pem")
-modparam("tls_mgm","ca_list", "/usr/local/etc/opensips/tls/user/user-calist.pem")
+modparam("tls_mgm","tls_method", "TLSv1_2")
+modparam("tls_mgm","certificate", "/etc/opensips/tls/user/user-cert.pem")
+modparam("tls_mgm","private_key", "/etc/opensips/tls/user/user-privkey.pem")
+modparam("tls_mgm","ca_list", "/etc/pki/tls/certs/ca-bundle.crt")
 
  
 ####### Routing Logic ########
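Review bot: verify_cert goes from 1 to 0 in the tls_mgm block while require_cert stays 0, so this TLS configuration no longer validates any peer certificate, and the ca_list that now points at the system CA bundle has nothing to enforce. If the intent is only to accept phones that present no client certificate, add a comment saying so beside the verify_cert line; if OpenSIPS ever opens outbound TLS connections with these settings, keep verification on for that direction. The move from TLSv1 to TLSv1_2 is good. The rtpproxy_sock port change to 9000 has to match the control socket rtpproxy was started with, which deserves a word beside its CUSTOMIZE ME marker.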
@@ -348,7 +350,7 @@
 	if (is_method("INVITE")) {
 		
 		if (isflagset(NAT)) {
-			rtpproxy_offer("ro");
+			rtpproxy_offer("ro", "PUBLIC_IP");
 		}
 
 		t_on_branch("per_branch_ops");
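Review bot: the PUBLIC_IP literal added to rtpproxy_offer in the INVITE branch has no CUSTOMIZE ME marker, unlike the listen, sipping_from and rtpproxy_sock lines, so it is easy to miss when adapting the file. Add the marker as a trailing comment on that line and note that the value must be the address on which rtpproxy is reachable from the Internet.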
@@ -378,7 +380,7 @@
 	if (nat_uac_test("1"))
 		fix_nated_contact();
 	if ( isflagset(NAT) )
-		rtpproxy_answer("ro");
+		rtpproxy_answer("ro", "PUBLIC_IP");
 	xlog("incoming reply\n");
 }
 
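Review bot: rtpproxy_answer in the reply route repeats the same PUBLIC_IP literal as the rtpproxy_offer call in the previous hunk, and the two have to stay identical for both SDP directions to advertise the same relay address. Define the address once and reference it from both calls, or at least cross-reference the two lines in a comment so a later edit does not change only one of them.
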
@hasanr68

Hi there.. Just implemented this with Opensips. It seems to work fine on the same network (Wi-Fi), but won't REGISTER UA from cellular network. Any suggestion what is wrong? Thanks a lot.

@l2dy
Author

l2dy commented Nov 20, 2020

@hasanr68 Does your server have a public IP on the Internet? Have you replaced PUBLIC_DOMAIN with a domain that resolves to this address?

@hasanr68

Hi again - thanks a lot for the quick response. I have used a PUBLIC_IP currently. I have also entered that PUBLIC_IP in the UA.

@hasanr68

hasanr68 commented Nov 20, 2020

To clarify, I used the following to install RTPProxy (changed Kamailio to Opensips), and the Listen_Addr and Control_Sock to the above values:
https://blog.voipxswitch.com/2015/06/18/rtpproxy-compiling-installing-on-debian-8/

@l2dy
Author

l2dy commented Nov 20, 2020

@hasanr68 Assuming you are using TLS:

First, check if you can establish a TLS connection from your cellular network to the OpenSIPS server. You can use CLI tools, e.g. openssl s_client or gnutls-cli.

Second, you should use a domain (with DNS resolution set up) as PUBLIC_DOMAIN and enter that instead of the IP address in the UA.

> To clarify, I used the following to install RTPProxy (changed Kamailio to Opensips):
> https://blog.voipxswitch.com/2015/06/18/rtpproxy-compiling-installing-on-debian-8/

No problem with that, just make sure that your RTPProxy is reachable from the Internet as PUBLIC_IP (proxy ports not firewalled) and that the control socket matches.

@hasanr68

Cool :) Thx a lot - inaccessible from the Internet was the issue. Just curious, when calling from the cell network, I get the following error:
ERROR:rtpproxy:force_rtp_proxy: Unable to parse body

Is that normal?

@l2dy
Author

l2dy commented Nov 20, 2020

I've seen that error before, but everything was fine so I ignored it. If you found out why, please let me know.

@hasanr68

Alright, will do! Thanks a lot for all your time and help.
