Voice over IP (VoIP) systems rely on a correct SIP configuration to handle calls efficiently, especially in enterprise environments where security threats and scaling demands are constant. Asterisk's PJSIP stack (res_pjsip plus the chan_pjsip channel driver) replaces the older chan_sip module, which was deprecated in Asterisk 17 and removed in Asterisk 21. Its configuration is split into typed objects (transports, endpoints, AORs, auths and more), which makes it both easier to template and better behaved under high load.
This blog post is a step-by-step guide to configuring PJSIP for security (TLS signaling, SRTP media) and for scale (templates and realtime database backends), aimed at production deployments such as contact centers or Sheerbit-style telecom solutions.
VoIP operators in India and elsewhere face DDoS attacks, eavesdropping, credential brute-forcing and endpoint counts in the tens of thousands; at 25k+ registrations an untuned Asterisk can hit taskprocessor overload. A properly set-up PJSIP gives encrypted signaling and media, working NAT traversal, and a configuration that scales without full reloads, keeping CPU usage predictable for businesses handling thousands of concurrent calls.
PJSIP Configuration Basics
PJSIP is configured in an INI-style text file, pjsip.conf. Section names are arbitrary; what matters is the type= option inside each section, which is one of transport, endpoint, aor, auth, identify, registration and a few others. The objects reference each other: a transport binds a protocol and port, an endpoint points at an auth and one or more AORs, an AOR holds the contacts (registered or static) for that endpoint, and an identify maps inbound requests to an endpoint by source IP or hostname. In modules.conf either leave autoload=yes or explicitly load => res_pjsip.so, load => chan_pjsip.so and the res_pjsip_* modules you need.
Start with a basic UDP transport (a bind without a port defaults to 5060):

```ini
[simpletrans]
type=transport
protocol=udp
bind=0.0.0.0
```

For a single endpoint like extension 6001 registering inbound:
```ini
[6001]
type=endpoint
context=internal
disallow=all
allow=ulaw
auth=auth6001
aors=6001

[auth6001]
type=auth
auth_type=userpass
username=6001
password=6001    ; placeholder only; never use the extension number as the secret

[6001]
type=aor
max_contacts=1
```

The endpoint and the AOR can both be named 6001 because sections are distinguished by type. max_contacts=1 lets the AOR accept one registered (dynamic) contact; the default of 0 refuses registrations entirely, so an AOR without it only works with a static contact= line.
Setting Up Secure TLS Transport
Security begins with TLS for the signaling, which stops SIP credentials, call metadata and (with SDES) SRTP keys from being read off the wire. Generate a CA and a server certificate with Asterisk's ast_tls_cert script in contrib/scripts. A self-signed CA is fine for a lab or for phones you provision yourself (push ca.crt to them); for phones you do not control, use a certificate from a CA they already trust:

```sh
mkdir /etc/asterisk/keys
cd /path/to/asterisk/contrib/scripts
./ast_tls_cert -C pbx.example.com -O "Your Company" -d /etc/asterisk/keys -b 2048
```

This creates ca.crt and ca.key, plus asterisk.crt, asterisk.key and asterisk.pem. The -C value must be the hostname the phones connect to, because clients compare it against the certificate. Enter the CA passphrase when prompted, then make the key files readable only by the asterisk user (chmod 600) and keep ca.key somewhere safer than the PBX once you have finished signing.
Configure the TLS transport in pjsip.conf:

```ini
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1_2
ca_list_file=/etc/asterisk/keys/ca.crt
; Mutual TLS: every client must present a certificate signed by a CA in
; ca_list_file. Ordinary softphones do not, so set both to no unless you
; deploy client certificates to every phone.
require_client_cert=yes
verify_client=yes
; Check the certificate of servers Asterisk connects to (trunks). Their CA
; must then also be in ca_list_file or ca_list_path.
verify_server=yes
```

method=tlsv1_2 refuses anything older (tlsv1_3 is accepted where your Asterisk/pjproject build supports it). Phones reach this transport by configuring TLS as the transport or adding ;transport=tls to the server URI. Note that pjsip reload does not apply changes to an existing transport unless that transport has allow_reload=yes; otherwise restart Asterisk after editing it.
Endpoint Configuration for Security
Bind endpoints to the TLS transport and require SRTP with media_encryption=sdes. This needs the res_srtp module, which is only built when the libsrtp development headers are present at compile time:

```ini
[secure-endpoint]
type=endpoint
transport=transport-tls
context=internal
disallow=all
allow=g722,ulaw
auth=secure-auth
aors=secure-aor
media_encryption=sdes      ; refuse calls that do not negotiate SRTP
dtmf_mode=rfc4733
rtp_symmetric=yes          ; send RTP to where the peer's RTP actually came from
force_rport=yes            ; answer to the source port, not the Via port
rewrite_contact=yes        ; use the request's source address instead of the Contact header
```

rtp_symmetric, force_rport and rewrite_contact handle phones behind NAT: Asterisk sends media and responses back to the address and port it actually received traffic from rather than the private addresses the phone wrote into its headers. SDES negotiates the SRTP master key in the SDP body (the a=crypto attribute) in cleartext, so the media is only as private as the signaling; never combine media_encryption=sdes with a UDP or TCP transport. Pair the endpoint with its auth and AOR:
```ini
[secure-auth]
type=auth
auth_type=userpass
username=secureuser
password=strongpass123!   ; use a long random secret per endpoint

[secure-aor]
type=aor
max_contacts=5
remove_existing=yes
```

remove_existing=yes changes what happens when a registration would push the AOR past max_contacts: the oldest existing contacts are expired to make room instead of the new registration being rejected, so a phone that rebooted before its previous contact expired is not locked out.
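To make the point about SDES concrete, here is an added example (not code from the original post or from Asterisk) that parses the a=crypto attribute a UA sends when media_encryption=sdes is negotiated and recovers the SRTP master key and salt from it. The SDP bodies are constructed samples with a deliberately recognisable dummy key, not captures from a real call; the suite table is the key/salt sizes defined in RFC 4568 and RFC 6188. Anyone who can read the SIP dialog can do exactly this, which is why SDES must ride on the TLS transport. The same parser also distinguishes DTLS-SRTP offers, which only carry a certificate fingerprint in SDP.

```python
import base64
import re
from typing import Dict, List

# Master key and master salt lengths in bytes for the SDES crypto suites
# (RFC 4568 for AES_CM_128, RFC 6188 for AES_256_CM).
SDES_SUITES = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "AES_256_CM_HMAC_SHA1_80": (32, 14),
    "AES_256_CM_HMAC_SHA1_32": (32, 14),
}

CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)")
FINGERPRINT_RE = re.compile(r"^a=fingerprint:(\S+)\s+(\S+)")
MEDIA_RE = re.compile(r"^m=(\w+)\s+\d+\s+(\S+)")


def parse_sdp_crypto(sdp: str) -> List[Dict]:
    """Return every a=crypto line with its base64 key material decoded."""
    result = []
    for line in sdp.splitlines():
        m = CRYPTO_RE.match(line.strip())
        if not m:
            continue
        tag, suite, params = m.group(1), m.group(2), m.group(3)
        key_b64 = params.split("|", 1)[0]          # drop optional |lifetime|MKI:len
        blob = base64.b64decode(key_b64)
        entry = {"tag": int(tag), "suite": suite, "master_key": None, "master_salt": None}
        key_len, salt_len = SDES_SUITES.get(suite, (None, None))
        if key_len is not None and len(blob) == key_len + salt_len:
            entry["master_key"] = blob[:key_len]    # what the SRTP session is keyed with
            entry["master_salt"] = blob[key_len:]
        result.append(entry)
    return result


def classify_media_security(sdp: str) -> str:
    """'sdes' if SRTP keys are carried in SDP, 'dtls' for DTLS-SRTP, else 'plain'."""
    profile = ""
    for line in sdp.splitlines():
        m = MEDIA_RE.match(line.strip())
        if m and m.group(1) == "audio":
            profile = m.group(2)               # e.g. RTP/AVP, RTP/SAVP, UDP/TLS/RTP/SAVP
    if parse_sdp_crypto(sdp):
        return "sdes"
    has_fp = any(FINGERPRINT_RE.match(ln.strip()) for ln in sdp.splitlines())
    if "SAVP" in profile and has_fp:
        return "dtls"
    return "plain"


# Constructed sample bodies (not real captures). The SDES key is bytes 0x00..0x1d
# so the decoded result is easy to recognise; the fingerprint is likewise a dummy.
_DUMMY_KEY_B64 = base64.b64encode(bytes(range(30))).decode()
_DUMMY_FP = ":".join(f"{b:02X}" for b in range(32))

SDES_SDP = f"""v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 10000 RTP/SAVP 0 9
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{_DUMMY_KEY_B64}|2^31
a=rtpmap:0 PCMU/8000
a=rtpmap:9 G722/8000
"""

DTLS_SDP = f"""v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 10000 UDP/TLS/RTP/SAVP 0
a=fingerprint:sha-256 {_DUMMY_FP}
a=setup:actpass
a=rtpmap:0 PCMU/8000
"""

PLAIN_SDP = """v=0
o=- 1 1 IN IP4 203.0.113.10
s=-
c=IN IP4 203.0.113.10
t=0 0
m=audio 10000 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""

if __name__ == "__main__":
    for label, body in (("sdes", SDES_SDP), ("dtls", DTLS_SDP), ("plain", PLAIN_SDP)):
        print(label, "->", classify_media_security(body))
    for c in parse_sdp_crypto(SDES_SDP):
        print(f"tag {c['tag']} {c['suite']}: master key {c['master_key'].hex()} "
              f"salt {c['master_salt'].hex()}  (readable by anyone who saw the SDP)")
```

Run it against a body copied out of pjsip set logger on output on a UDP transport and you get the live key of that call, which is the practical argument for pairing SDES only with TLS signaling.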
SIP Trunk Setup with Outbound Registration
For providers like Zadarma or GoTrunk, configure an outbound registration plus the endpoint that carries the calls. Note the option is expiration, not expire; a misspelt option makes the whole section fail to load:

```ini
[mytrunk]
type=registration
transport=transport-tls
outbound_auth=mytrunk-auth
server_uri=sip:sip.provider.com:5061;transport=tls
client_uri=sip:youraccount@sip.provider.com
retry_interval=60
expiration=3600

[mytrunk-auth]
type=auth
auth_type=userpass
username=youraccount
password=yourpass

[mytrunk-aor]
type=aor
contact=sip:sip.provider.com:5061;transport=tls

[mytrunk]
type=endpoint
transport=transport-tls
context=from-trunk
disallow=all
allow=ulaw
outbound_auth=mytrunk-auth
aors=mytrunk-aor
media_encryption=sdes      ; only if the provider offers SRTP
from_user=youraccount
rtp_symmetric=yes

[mytrunk-identify]
type=identify
endpoint=mytrunk
match=provider.ip.address
```

Trunks use outbound_auth rather than auth because the provider challenges you, not the other way round. The identify section maps inbound requests from the provider's signaling addresses to the endpoint; replace provider.ip.address with the provider's published IPs or ranges (CIDR notation is accepted, and match may list several). Confirm with the provider that TLS on 5061 and SRTP are actually offered; if not, drop the ;transport=tls suffixes and the media_encryption line rather than leaving a trunk that never registers.
Scaling with Templates
Templates remove the repetition when you have hundreds of endpoints. A section whose name is followed by (!) is a template and is never loaded as an object; a section written as [name](template) inherits every option from the template and may override any of them:

```ini
[endpoint-basic](!)
type=endpoint
context=internal
disallow=all
allow=ulaw,g722
rtp_symmetric=yes
force_rport=yes
dtmf_mode=rfc4733
media_encryption=sdes
transport=transport-tls

[auth-userpass](!)
type=auth
auth_type=userpass

[aor-single-reg](!)
type=aor
max_contacts=1
remove_existing=yes
```

Instantiate:

```ini
[6001](endpoint-basic)
auth=auth6001
aors=6001

[auth6001](auth-userpass)
username=6001
password=6001    ; placeholder; generate a unique random secret per extension

[6001](aor-single-reg)
```

Repeat for 6002 onwards; a security-relevant change (a new cipher method, turning on SRTP) is then one edit in the template rather than thousands. Templates must be defined above the sections that use them.
Realtime Configuration for High Scalability
For 10k+ endpoints, keep the objects in a database (PostgreSQL or MySQL) instead of pjsip.conf. Define the ODBC DSN in res_odbc.conf, map the sorcery families to tables in extconfig.conf, and point the PJSIP object types at realtime in sorcery.conf:

```ini
; extconfig.conf
ps_endpoints => odbc,asterisk,pjsip_endpoints
ps_aors => odbc,asterisk,pjsip_aors
ps_auths => odbc,asterisk,pjsip_auths
```

In sorcery.conf, under the [res_pjsip] section (this does not go in pjsip.conf), put the cache wrapper for a type before its realtime line:

```ini
[res_pjsip]
endpoint/cache=memory_cache,maximum_objects=1024,object_lifetime_maximum=3600
endpoint=realtime,ps_endpoints
auth/cache=memory_cache,maximum_objects=1024,object_lifetime_maximum=3600
auth=realtime,ps_auths
aor/cache=memory_cache,expire_on_reload=yes,object_lifetime_maximum=600
aor=realtime,ps_aors
```

The memory cache answers repeat lookups without a database round trip; object_lifetime_maximum evicts entries so a changed row is picked up within that many seconds, and expire_on_reload lets pjsip reload flush the cache. Create the tables with the Alembic migrations shipped in contrib/ast-db-manage/config rather than by hand: the column names (id, transport, aors, auth, context, allow, media_encryption and so on) are simply the pjsip.conf option names, so anything set in a section above becomes a column value. If registered contacts must survive a restart or be shared between nodes, map contact to a ps_contacts table the same way.
Advanced Security Best Practices
- Firewall: Expose 5061/tcp (TLS runs over TCP only) and the RTP range from rtp.conf (10000-20000/udp by default); close 5060 if nothing needs it, and limit trunk signaling to the provider's addresses. Run fail2ban against the Asterisk security log for brute-force protection.
- Strong auth: Generate a long random password per endpoint and never reuse the extension number. identify is matching, not authentication: it decides which endpoint an inbound request belongs to by source IP, which is appropriate for trunks from fixed addresses but is no substitute for credentials on phones.
- SRTP mandatory: Set media_encryption=sdes on every endpoint template. For WebRTC endpoints use media_encryption=dtls (DTLS-SRTP), which exchanges keys in a DTLS handshake on the media path and puts only a certificate fingerprint in the SDP; it also requires the endpoint's dtls_* options (certificate, verify and setup settings).
- Updates: Patch Asterisk promptly when security advisories are issued, and watch for taskprocessor overload warnings in the log as registrations approach the 25k range.
- Proxies: Front Asterisk with Kamailio or OpenSIPS for registration offload, rate limiting and load balancing across several media servers.
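The template mechanics and the checklist above can both be exercised with a small audit script. The following is an added example, not code from the original post or from Asterisk: it reads a pjsip.conf text, resolves the (!) template and [name](template) inheritance syntax the way the Templates section describes, and then flags the weak settings just listed (cleartext transports, endpoints without SRTP, SDES on a non-TLS transport, passwords that are short or equal to the username). The embedded configuration is a constructed sample that copies the page's own sections and adds one deliberately bad endpoint; the parser is simplified (last value wins, comments stripped at the first ;) and is not Asterisk's own loader.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Matches "[name]", "[name](!)", "[name](tpl1,tpl2)" and "[name](+)".
HEADER_RE = re.compile(r"^\[([^\]]+)\](?:\(([^)]*)\))?\s*$")
SECURE_TLS_METHODS = {"tlsv1_2", "tlsv1_3"}


@dataclass
class Section:
    name: str
    options: Dict[str, str] = field(default_factory=dict)

    @property
    def type(self) -> str:
        return self.options.get("type", "")


def parse_pjsip_conf(text: str) -> List[Section]:
    """Return the non-template sections with template options merged in."""
    templates: Dict[str, Dict[str, str]] = {}
    sections: List[Section] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # simplified comment handling
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            name, modifiers = m.group(1), m.group(2)
            options: Dict[str, str] = {}
            is_template = False
            for mod in (x.strip() for x in (modifiers or "").split(",")):
                if mod == "!":
                    is_template = True
                elif mod == "+":                 # continue an earlier section of the same name
                    for s in reversed(sections):
                        if s.name == name:
                            options = s.options
                            break
                elif mod:
                    if mod not in templates:
                        raise ValueError(f"[{name}] inherits unknown template {mod}")
                    options.update(templates[mod])   # inherit, own lines override below
            if is_template:
                templates[name] = options
            elif not any(s.options is options for s in sections):
                sections.append(Section(name, options))
            current = options
            continue
        if current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            current[key] = value
    return sections


def find(sections: List[Section], name: str, type_: str) -> Optional[Section]:
    return next((s for s in sections if s.name == name and s.type == type_), None)


def audit(sections: List[Section]) -> List[str]:
    """Flag settings that undermine the TLS/SRTP posture described on this page."""
    findings: List[str] = []
    transports = {s.name: s for s in sections if s.type == "transport"}
    for s in sections:
        o = s.options
        if s.type == "transport":
            proto = o.get("protocol", "udp")
            if proto in ("udp", "tcp"):
                findings.append(f"transport {s.name}: protocol={proto} carries SIP in cleartext")
            elif proto == "tls":
                method = o.get("method", "default")
                if method not in SECURE_TLS_METHODS:
                    findings.append(f"transport {s.name}: method={method}, pin tlsv1_2 or tlsv1_3")
                if "cert_file" not in o or "priv_key_file" not in o:
                    findings.append(f"transport {s.name}: TLS without cert_file/priv_key_file")
        elif s.type == "endpoint":
            enc = o.get("media_encryption", "no")          # Asterisk default is no
            if enc == "no":
                findings.append(f"endpoint {s.name}: media_encryption=no, RTP is unencrypted")
            tname = o.get("transport", "")
            tproto = transports[tname].options.get("protocol", "udp") if tname in transports else "udp"
            if enc == "sdes" and tproto != "tls":
                findings.append(f"endpoint {s.name}: SDES keys travel in SDP over non-TLS transport {tname or '(default)'}")
        elif s.type == "auth" and o.get("auth_type", "userpass") == "userpass":
            pw = o.get("password", "")
            if len(pw) < 12 or pw == o.get("username"):
                findings.append(f"auth {s.name}: weak password (short or equal to username)")
    return findings


# Constructed sample: the page's template sections plus one misconfigured endpoint.
SAMPLE_CONF = """
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1_2

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0

[endpoint-basic](!)
type=endpoint
context=internal
disallow=all
allow=ulaw,g722
rtp_symmetric=yes
force_rport=yes
media_encryption=sdes
transport=transport-tls

[auth-userpass](!)
type=auth
auth_type=userpass

[aor-single-reg](!)
type=aor
max_contacts=1
remove_existing=yes

[6001](endpoint-basic)
auth=auth6001
aors=6001

[auth6001](auth-userpass)
username=6001
password=6001            ; weak on purpose

[6001](aor-single-reg)

[legacy](endpoint-basic)
transport=transport-udp  ; overrides the template: SDES keys now cross the wire in clear
auth=auth-legacy
aors=legacy

[auth-legacy](auth-userpass)
username=legacy
password=Xk9v2LqmT7wRpdQ4

[legacy](aor-single-reg)
"""

if __name__ == "__main__":
    for finding in audit(parse_pjsip_conf(SAMPLE_CONF)):
        print(finding)
```

Point it at your real file with parse_pjsip_conf(open("/etc/asterisk/pjsip.conf").read()) before a pjsip reload; because templates are resolved first, an endpoint that silently overrides transport= in its own section (as the legacy one does) is caught even though its template is correct.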
| Feature | UDP (Basic) | TLS+SRTP (Secure) | Realtime Scaled |
|---|---|---|---|
| Encryption | None | Signaling (TLS) + media (SRTP) | Same as TLS+SRTP |
| Contacts | One registered contact | Dynamic (max_contacts=5) | 100k+ rows in the database |
| NAT handling | force_rport, rtp_symmetric | Plus rewrite_contact | Same options, set per row or template |
| Performance | Low load | Medium (TLS/SRTP CPU cost) | High, with sorcery memory cache |
Monitoring and Troubleshooting
Use pjsip show endpoints, pjsip show aors, pjsip show registrations and pjsip show contacts for status. For packet-level detail run pjsip set logger on, which prints every SIP message to the console; TLS handshake failures appear in the Asterisk log, and you can raise the pjproject log level (the [log_mappings] section of pjproject.conf, or pjproject set log level on the CLI) to see the handshake itself. Common issues:
- TLS handshake fails: the certificate CN/SAN must match the hostname the phone dials, the phone must trust the CA that signed it, and if the phone has no client certificate then require_client_cert and verify_client must be no on the transport.
- No audio: check rtp_symmetric=yes and direct_media=no on the endpoint, and that the RTP port range is open on the firewall.
- Scalability: tune the threadpool in the [system] section of pjsip.conf (threadpool_initial_size, threadpool_auto_increment, threadpool_max_size).
Test: register a softphone (Zoiper/Blink) over TLS, dial through the trunk, and confirm the softphone shows the call as encrypted and that Wireshark shows SRTP rather than RTP on the media stream.
Performance Tuning for Scale
- Threads: size the threadpool in the [system] section of pjsip.conf (threadpool_initial_size, threadpool_auto_increment, threadpool_idle_timeout, threadpool_max_size) and set taskprocessor_overload_trigger in [global] to control how Asterisk reacts when queues back up.
- Codecs: prefer Opus or G.722 for quality per bit, and keep the allow list short so SDP negotiation stays small.
- Limits: max_contacts=10 per AOR is plenty for hot-desking; qualify_frequency=60 sends an OPTIONS to every contact each minute, which at tens of thousands of contacts is a real load, so raise it or leave it off for endpoints that do not need it.
- Clustering: several Asterisk nodes behind OpenSIPS or Kamailio with a shared realtime database (including contacts) so any node can serve any endpoint.
In production deployments such as Sheerbit's contact centers, templates plus realtime together handle on the order of 50k calls a day without configuration reloads.
Conclusion
A well-configured PJSIP gives you a VoIP system that is hard to eavesdrop on and cheap to grow: TLS and SRTP keep signaling and media private, templates and realtime scale to enterprise loads, and the practices above keep it that way. Implement iteratively: start with the basic UDP setup, add TLS and SRTP, then move to realtime, verifying each layer with pjsip reload and the CLI show commands. For Indian telecom teams building B2B solutions this setup keeps costs down while meeting TRAI security norms, and it is a sound base for AI-integrated contact centers.