Please note that the WebRTC server is experimental for now. WebRTC is a rapidly changing area, and so interoperability with WebRTC clients is uncertain and may be short-term as they are updated.

Installation

Enswitch can optionally have TLS/SRTP enabled for use by WebRTC clients and plain TLS/SRTP telephones. Note that SRTP must be used if WebRTC or TLS is used.

  1. Purchase a TLS certificate for the hostname that users will connect to. Put the private key in /etc/kamailio/<hostname>.key and the certificate in /etc/kamailio/<hostname>.pem. The private key must not have a password.
  2. If running Kamailio 4.2 or earlier, upgrade to Kamailio 5.0 or later.
  3. On machines running Debian, or Ubuntu up to 18.x:
    • apt-get install iptables-dev libcurl4-openssl-dev libevent-dev libglib2.0-dev libhiredis-dev libjson-glib-dev libopus-dev libpcap-dev libspandsp-dev libssl-dev libxmlrpc-core-c3-dev libavutil-dev libswresample-dev libavcodec-dev libavformat-dev libwebsockets-dev libavfilter-dev libip6tc-dev libxtables-dev gperf linux-headers-`uname -r` pandoc
  4. On machines running Ubuntu 20.04 and later or Debian 11 and later:
    • apt-get install libiptc-dev libxtables-dev libcurl4-openssl-dev libevent-dev libglib2.0-dev libhiredis-dev libjson-glib-dev libopus-dev libpcap-dev libspandsp-dev libssl-dev libxmlrpc-core-c3-dev libavutil-dev libswresample-dev libavcodec-dev libavformat-dev libwebsockets-dev libavfilter-dev libip6tc-dev libxtables-dev gperf linux-headers-`uname -r` pandoc
  5. On machines running CentOS, Red Hat Enterprise Linux, or Fedora:
    • yum -y install alsa-lib-devel glib2-devel gperf hiredis-devel iptables-devel json-glib-devel kernel-devel libevent-devel libopus-devel libpcap-devel libcurl-devel libwebsockets-devel pandoc spandsp-devel xmlrpc-c-devel
    • Also, add the "RPM Fusion" YUM repository that provides the ffmpeg-devel and related packages, which are needed for rtpengine transcoding purposes. The specific command to add the repository link will depend on the distribution version, for example:

      • For RHEL 7 compatible systems: yum install https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm
      • For RHEL 8 compatible systems: yum install https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-8.noarch.rpm
      • For RHEL 9 compatible systems: yum install https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-9.noarch.rpm
    • yum -y install ffmpeg-devel
  6. On machines running Rocky Linux 9:
    • dnf -y install alsa-lib-devel glib2-devel gperf hiredis-devel iptables-devel iptables-legacy-devel json-glib-devel kernel-devel libevent-devel libpcap-devel libcurl-devel libopus-devel libwebsockets-devel pandoc spandsp-devel xmlrpc-c-devel
    • Also, add the "RPM Fusion" YUM repository that provides the ffmpeg-devel and related packages, which are needed for rtpengine transcoding purposes:

      • dnf install https://mirrors.rpmfusion.org/free/el/rpmfusion-free-release-9.noarch.rpm
    • dnf -y install ffmpeg-devel
  7. If using a single machine:
    • enswitch install rtpengine
  8. If using a pair of machines where RTPEngine is always running on both, then on both machines do:
    • enswitch install rtpengine
    This is the recommended setup when using a pair of machines.
  9. If using a pair of machines with failover setup via Corosync and Pacemaker, do:
    • enswitch install rtpengine-cp
    The service will not auto-start in this mode so please make sure to add this as a Corosync cluster resource under the 'enswitch' resource group.
  10. Edit /etc/rtpengine/defaults. Set the ADDRESS line to the public IP address of the machine if using a single machine, or to the service IP address if using Corosync and Pacemaker. Set the LISTEN_NG line to the public IP address that will be used by RTPEngine.
  11. Start RTPEngine using "service rtpengine start".
  12. Edit /etc/kamailio/tls.cfg, and change the private_key and certificate lines to match the files you created above.
  13. If using WebRTC:
    1. Edit /etc/kamailio/kamailio.cfg, and add or uncomment the following lines just above the include_file line. Change them to the IP address set in /etc/rtpengine/defaults:
      #!define WEBSOCKET_ADDR tcp:<IP address>
      #!define WEBSOCKET_TLS_ADDR tls:<IP address>
      #!define RTPENGINE_ADDR "udp:<IP address>:7724"
    2. Edit /etc/kamailio/kamailio.cfg and add explicit listen directives so that Kamailio listens on specific IP addresses and ports, in case these were not specified previously:
      listen = udp:<IP address 1>:5060
      listen = tcp:<IP address 1>:5060
      listen = udp:<IP address 2>:5060
      etc.
    3. Ensure that TCP port 8443, optionally TCP port 8080, and UDP port range 45000 to 50000 are open in the firewall.
    4. Restart Kamailio using "service kamailio restart" or "pcs resource restart kamailio".
    5. Test that the TLS certificate is working correctly by going to https://<hostname>:8443/ in a web browser. You should see a blank web page, and no warnings about an insecure connection.
    6. Test WebRTC calls to port 8443 (with TLS). The web browser used for testing must be running on a different machine to the Enswitch server. If you need a test WebRTC client, try JsSIP.
  14. If using plain TLS/SRTP telephones:
    1. Edit /etc/kamailio/kamailio.cfg, and add a listen line like this:
      listen = tls:<IP address>:5061
    2. Ensure that TCP port 5061 is open in the firewall.
    3. Restart Kamailio using "service kamailio restart" or "pcs resource restart kamailio".
    4. Register a telephone using TLS (on some telephones add ";transport=tls" to the registrar) and test inbound and outbound calls.
  15. Configure Enswitch and Kamailio appropriately for the number of TLS/WebRTC phones in use. Some example settings for 2,000 phones are:
    1. In Enswitch set "SIP proxy private memory" to 24.
    2. In Enswitch set "SIP proxy shared memory" to 8192.
    3. In Kamailio set tcp_max_connections to 32768.
    4. In Kamailio set tls_max_connections to 32000.
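
The following pre-flight checks are an added example, not part of Enswitch or the original page. They cover step 1 (the key has no passphrase, so file permissions are its only protection) and steps 10 and 13.1 (the kamailio.cfg defines must match ADDRESS). Assumptions: /etc/rtpengine/defaults uses KEY=VALUE lines, addresses are IPv4, and all function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Enswitch code. Assumes /etc/rtpengine/defaults holds
# KEY=VALUE lines (ADDRESS=<ip>) and that all addresses are IPv4.

# Step 1: succeeds if the PEM private key is readable and has no passphrase.
key_is_unencrypted() {
    [ -r "$1" ] &&
        ! grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# An unencrypted key is guarded only by file permissions: succeeds if
# group and others have no access to it.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Step 10: prints the ADDRESS value from the rtpengine defaults file.
rtpengine_address() {
    sed -n 's/^ADDRESS=//p' "$1" | tr -d "\"'" | head -n 1
}

# Step 13.1: prints the IP of an active "#!define NAME value" line, without
# quotes, the tcp:/tls:/udp: prefix or a :port suffix.
define_ip() {   # $1 = define name, $2 = kamailio.cfg
    awk -v n="$1" '$1 == "#!define" && $2 == n { print $3; exit }' "$2" |
        tr -d '"' | sed -e 's/^[a-z]*://' -e 's/:[0-9]*$//'
}

# Reports every define that is missing or differs from ADDRESS.
check_defines() {   # $1 = rtpengine defaults, $2 = kamailio.cfg
    want=$(rtpengine_address "$1"); bad=0
    [ -n "$want" ] || { echo "ADDRESS not set in $1"; return 2; }
    for name in WEBSOCKET_ADDR WEBSOCKET_TLS_ADDR RTPENGINE_ADDR; do
        got=$(define_ip "$name" "$2")
        [ "$got" = "$want" ] && continue
        echo "$name: got '${got:-unset}', expected '$want'"; bad=1
    done
    return "$bad"
}

# Constructed sample files (203.0.113.10 is a documentation address).
make_samples() {   # $1 = empty directory to write into
    printf 'ADDRESS=203.0.113.10\n' > "$1/defaults"
    printf '%s\n' '#!define WEBSOCKET_ADDR tcp:203.0.113.10' \
        '##!define WEBSOCKET_TLS_ADDR tls:203.0.113.10' \
        '#!define RTPENGINE_ADDR "udp:198.51.100.7:7724"' > "$1/kamailio.cfg"
}
```

On a real server, source the file and run `check_defines /etc/rtpengine/defaults /etc/kamailio/kamailio.cfg` before restarting Kamailio, and run both key checks against /etc/kamailio/<hostname>.key.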