Kamailio Behind NAT


Kamailio 4.4

After returning home from AstriCon 10, I decided to start up a new server and see how long it would take me to run a working Kamailio server behind NAT (on a private IP). Bottom line? About 30 minutes.

I was lucky to help staff the Kamailio booth this year and was honored to help so many other VoIP professionals (and enthusiasts) with their questions about Kamailio, so without further ado…

What is Kamailio?

Kamailio (OpenSER) is an open source SIP server capable of handling thousands of call set-ups per second. Some amazing features include:

  • Secure communication via TLS
  • Load Balancing
  • WebSocket support for WebRTC
  • Failover
  • Security
  • and mucho mas

Who should use Kamailio?

If you’re running fewer than 100 phones, you most likely won’t have a need for Kamailio — unless you want failover, enhanced security, WebRTC, or one of the other Kamailio features.

I use Kamailio to help protect my systems from scanners, brute force SIP attacks, and other fun aspects of running business on the Interwebs.

… but … I digress …

Running Kamailio behind NAT

Many of us don’t have access to large numbers of public IP addresses. Some of us also like running systems on private IP addresses for personal reasons.

In the past (and still today), it was recommended that you run Kamailio on a public IP address. Regardless of the reason, with a patched rtpproxy and an advertised public IP address, you can have Kamailio running on a private IP address very quickly.

(NOTE: This tutorial was written for Kamailio 4.0 and an old version of RTPProxy. I recommend running the current version of both.)

Step 1: Install Kamailio

I chose to install Kamailio on CentOS. I’m not going to get into a religious war here on what OS you should use. Most of the development team of Kamailio use Debian… I like CentOS, and that’s what I choose to deploy.

There’s an excellent tutorial for installing Kamailio posted on the main wiki: Install And Maintain Kamailio v4.0.x Version From GIT.

For CentOS, I first disable SELinux, and then install some pre-reqs:

yum -y install gcc gcc-c++ bison openssl-devel libtermcap-devel ncurses-devel doxygen curl-devel newt-devel mlocate lynx tar wget nmap bzip2 unixODBC unixODBC-devel libtool-ltdl libtool-ltdl-devel mysql-connector-odbc mysql mysql-devel mysql-server flex libxml2 libxml2-devel pcre pcre-devel git

Some of these aren’t fully necessary for the deployment, but are good tools to have. I generally install the development tools group as well.

yum groupinstall "Development Tools"

Once everything is ready (a reboot doesn’t hurt), it’s time to download and install Kamailio.

mkdir -p /usr/local/src/kamailio-4.0
cd /usr/local/src/kamailio-4.0
git clone --depth 1 --no-single-branch git://git.sip-router.org/sip-router kamailio
cd kamailio
git checkout -b 4.0 origin/4.0
make cfg

Next, open modules.lst. I use vi. You can use whatever you’d like.

vi modules.lst

Find the section that says include_modules and add db_mysql. It will look like:

include_modules= db_mysql

Save the file… and let’s continue.

make all
make install

Step 2: Create the Database

Open the kamctlrc file, uncomment the mysql database reference, and change the default passwords:

vi /usr/local/etc/kamailio/kamctlrc
DBENGINE=MYSQL

Save the file and run the following command:

/usr/local/sbin/kamdbctl create

This creates the kamailio database for you.

Step 3: Modify the Kamailio config file

Kamailio builds a default file for you. We’re going to quickly modify it to get this demo working.

vi /usr/local/etc/kamailio/kamailio.cfg

Insert the following after the #!Kamailio line:

#!define WITH_MYSQL
#!define WITH_AUTH
#!define WITH_USRLOCDB
#!define WITH_ANTIFLOOD
#!define WITH_NAT

This adds a minimal amount of protection to your system (with ANTIFLOOD) and allows you to authenticate users to your system. It will also start the ball rolling for NATted communication.

Next, find the line that says: #!define DBURL "mysql://kamailio:kamailiorw@localhost/kamailio" and replace it with:

#!define DBURL "mysql://USERNAME:PASSWORD@localhost/kamailio"

Next, find the line that says: #listen=udp:10.0.0.10:5060 and underneath it, add:

listen=udp:PRIVATEIP:5060 advertise PUBLICIP:5060

Save the file. Smile.

The advertise function here is key for running behind NAT along with…

Step the Fourth: Install the Patched rtpproxy

(NOTE: If you use the current version of rtpproxy, you won’t need to install the patch; it includes the advertise option.)

rtpproxy is an open source program written by Sippy Software and available from their website, rtpproxy.org. The current stable version of rtpproxy is 1.2.1 and is missing one awesome feature — the ability to use an advertised address.

Luckily there are programmers who have resolved this issue for us.

Back in 2009, Daniel Goepp posted a patch to RTPproxy to support putting rtpproxy behind NAT.

Another Daniel, Daniel-Constantin Mierla, posted a patched version of rtpproxy on github.

We’ll use the GitHub version for this example. I downloaded it as a zip file and installed it.

unzip master.zip
cd rtpproxy-master
./configure
make all
make install

You now have a version of rtpproxy that will advertise a public IP from behind NAT.
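One way to confirm that both advertise settings took effect is to look at a message the server sends and search it for the server's own private address in the fields those settings rewrite: Via and Record-Route (the Kamailio listen ... advertise line) and the SDP c= line (rtpproxy -A). The script below is an added example, not part of the original post; the function names, addresses and sample INVITE are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post. Scans a SIP message sent by the
# NATed server for its own private address in the fields the advertise
# settings rewrite: Via, Record-Route and the SDP c= line.

# find_private_leaks PRIVATE_IP FILE
# Prints "<field><TAB><line>" per offending line; exit status 1 on any hit.
find_private_leaks() {
    awk -v ip="$1" '
    function has_ip(s,    off, p, b, a) {
        off = 0
        while ((p = index(substr(s, off + 1), ip)) > 0) {
            p += off
            b = (p > 1) ? substr(s, p - 1, 1) : ""
            a = substr(s, p + length(ip), 1)
            # Skip partial matches such as 10.0.0.10 inside 110.0.0.100.
            if (b !~ /[0-9.]/ && a !~ /[0-9]/) return 1
            off = p
        }
        return 0
    }
    {
        sub(/\r$/, "")                      # SIP lines end in CRLF
        field = ""
        if ($0 ~ /^c=IN IP4 /) field = "sdp-c"
        else if (tolower($0) ~ /^(via|v)[ \t]*:/) field = "via"
        else if (tolower($0) ~ /^record-route[ \t]*:/) field = "record-route"
        if (field != "" && has_ip($0)) { print field "\t" $0; bad = 1 }
    }
    END { exit bad + 0 }' "$2"
}

# Constructed sample INVITE as relayed by the proxy; $1 is the address the
# server writes into its own fields. The second Via belongs to a phone behind
# its own NAT and is not the server's concern.
sample_message() {
    printf '%s\r\n' \
        "INVITE sip:bob@198.51.100.7 SIP/2.0" \
        "Record-Route: <sip:$1;lr>" \
        "Via: SIP/2.0/UDP $1:5060;branch=z9hG4bKconstructed1" \
        "Via: SIP/2.0/UDP 192.168.1.20:5060;received=198.51.100.9;branch=z9hG4bKconstructed2" \
        "Content-Type: application/sdp" "" \
        "v=0" "c=IN IP4 $1" "m=audio 20000 RTP/AVP 0"
}

tmp=$(mktemp)
sample_message 10.0.0.10 > "$tmp"     # misconfigured: private address leaks
find_private_leaks 10.0.0.10 "$tmp" || echo "private address exposed"
rm -f "$tmp"
```

Run against a message captured on the public side of the firewall, a clean result means the far end only ever sees PUBLICIP.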

The Fifth Step: Starting the services

Since you’re behind NAT, you’re most likely going to want to forward UDP port 5060 for SIP and a UDP port range for RTP from your firewall to your Kamailio server’s private IP. For this example, let’s use an RTP port range of 20,000 to 30,000. (Handle the forwarding however your particular firewall requires.)

Start rtpproxy with a set rtp port range and an advertised public IP:

rtpproxy -A PUBLICIP -F -l PRIVATEIP -m 20000 -M 30000 -s udp:*:7722 -d INFO

Next, start Kamailio:

kamctl start
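Before the port forwards are opened, the settings from Steps 3 and 5 can be checked mechanically. The script below is an added example, not part of the original post: the function names and sample configs are constructed, and treating a control socket bound to every interface (as -s udp:*:7722 does) as a finding is this example's assumption that Kamailio and rtpproxy run on the same host, where a loopback address is enough.

```sh
#!/bin/sh
# Added example, not from the original post: audit the values set in
# Steps 3 and 5 before the port forwards are opened.

# audit_nat_setup CFG_FILE "RTPPROXY COMMAND LINE"
# Prints one line per finding; the exit status is the number of findings.
audit_nat_setup() {
    cfg=$1 rtp_cmd=$2 findings=0
    report() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # The stock DBURL password is the same in every default kamailio.cfg.
    grep -q '^#!define DBURL .*:kamailiorw@' "$cfg" &&
        report "DBURL still uses the default password"
    # Tutorial placeholders pasted in without being filled in.
    grep -Eq '^(#!define DBURL|listen=).*(USERNAME:PASSWORD|PRIVATEIP|PUBLICIP)' "$cfg" &&
        report "placeholder value left in the config"
    # Without an active listen ... advertise line the private IP is sent out.
    grep -Eq '^listen=udp:[^ ]+ +advertise +[^ ]+' "$cfg" ||
        report "no active listen line with advertise"
    case " $rtp_cmd " in
        *" -A "*) ;;
        *) report "rtpproxy started without -A" ;;
    esac
    # Assumption of this example: Kamailio and rtpproxy share a host, so the
    # control socket has no reason to listen beyond loopback.
    case " $rtp_cmd " in
        *" -s udp:*:"*) report "rtpproxy control socket bound to all interfaces" ;;
    esac
    return "$findings"
}

# Constructed samples: 10.0.0.10 stands in for PRIVATEIP, 203.0.113.5 for PUBLICIP.
weak_cfg() {
    printf '%s\n' '#!define WITH_NAT' \
        '#!define DBURL "mysql://kamailio:kamailiorw@localhost/kamailio"' \
        '#listen=udp:10.0.0.10:5060'
}
fixed_cfg() {
    printf '%s\n' '#!define WITH_NAT' \
        '#!define DBURL "mysql://kamailio:constructed-secret@localhost/kamailio"' \
        'listen=udp:10.0.0.10:5060 advertise 203.0.113.5:5060'
}

tmp=$(mktemp)
weak_cfg > "$tmp"
audit_nat_setup "$tmp" "rtpproxy -F -l 10.0.0.10 -s udp:*:7722" || true
rm -f "$tmp"
```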

Step 6: Add some users, and make calls

Adding a user is simple:

kamctl add USERNAME PASSWORD

For example, you could run kamctl add qxork superhotyeni which would add the user qxork with a password of superhotyeni.

In Closing…

Kamailio is incredible software… it’s addictive and you start learning that SIP can become a really incredible tool to work with.

To know Kamailio is to know SIP.

And there’s the problem. To know SIP you must learn SIP and play with SIP.

Since most of us don’t have access to spare servers that we can put on a public IP, we’re stuck learning the system on a local NAT at the office or (more commonly) at the house.

Running Kamailio behind NAT allows you to learn, test, and play with SIP. Now, there’s no excuse… let’s start learning!
