This tutorial demonstrates basic WebRTC support and functionality within Asterisk. Asterisk will be configured to support a remote WebRTC client, the sipml5 client, for the purposes of making calls to/from Asterisk within the Firefox web browser.
For this tutorial, it is assumed that you are logged in as the root user. It is also assumed that you are running a version of Asterisk that is at least 13.15.0 or 14.4.0 and have a recent version of Firefox, e.g. 54.0.
Check Asterisk Dependencies
To connect the sipml5 client to Asterisk, Asterisk must have been built with support for the res_crypto, res_http_websocket, and res_pjsip_transport_websocket resource modules. To optionally enable high-quality calls between Asterisk and the sipml5 client, Asterisk's Opus codec module is required. If Opus is not installed into Asterisk, lower-quality calls will still be possible. To check for the presence of these modules you can perform:
And you should see something similar to:
If these modules are not found, please return to your menuselect configuration of Asterisk.
Next, to ensure these modules are loaded by Asterisk, you can perform:
You should see something similar to:
If the modules are not loaded, check your /etc/asterisk/modules.conf configuration file to make sure they are not explicitly disabled.
Modern browsers require use of TLS and DTLS-SRTP for WebRTC signaling and media encryption. For Asterisk to use TLS and DTLS-SRTP, it is necessary to load certificates. Within this tutorial, we will create a self-signed certificate authority and server certificate. Some browsers require the use of publicly-signed certificates. The acquisition of publicly-signed certificates is outside the scope of this tutorial.
Asterisk provides a utility script, ast_tls_cert, in its contrib/scripts source directory. We will use it to make a self-signed certificate authority and a server certificate for Asterisk, signed by our new authority.
First, let's make a place for our certificates:
Next, call the script as such:
- The "-C" option is used to define our host - DNS name or our IP address.
- The "-O" option defines our organizational name.
- The "-d" option is the output directory of the keys.
- You'll be asked to enter a pass phrase for /etc/asterisk/keys/ca.key. Put in something that you'll remember for later.
- This will create the /etc/asterisk/keys/ca.crt file.
- You'll be asked to enter the pass phrase again, and then the /etc/asterisk/keys/asterisk.key file will be created.
- The /etc/asterisk/keys/asterisk.crt file will be automatically generated.
- You'll be asked to enter the pass phrase a third time, and the /etc/asterisk/keys/asterisk.pem, a combination of the asterisk.key and asterisk.crt files, will be created.
You can then check your /etc/asterisk/keys directory to verify the new files were created, as such:
And you should see:
Configure Asterisk's built-in HTTP daemon
The sipml5 client uses Websocket as its transport method. To communicate with Websocket clients, Asterisk uses its built-in HTTP daemon. Configure /etc/asterisk/http.conf like:
Here, we've enabled the HTTP daemon and set its binding address and port - required for basic operation of the HTTP daemon. We have also enabled the TLS support, and have set the TLS binding address and port as well as the server key - the one we made in the previous step - to use.
To verify the web server is running, perform:
And you should see:
Next, we need to configure PJSIP. The sipml5 client uses Websocket as a transport, and connects to Asterisk's HTTP daemon, but it uses the SIP protocol. Asterisk's default channel driver for SIP communications is PJSIP. For more about PJSIP in Asterisk, you can refer to the Configuring res_pjsip pages.
PJSIP WSS Transport
Like Asterisk's HTTP daemon, which needs to be configured to listen for Websocket transports, PJSIP needs to be configured with Websocket transports. In this case, we will configure a PJSIP transport for Websocket using the "Secure Websocket" transport identifier wss. To your /etc/asterisk/pjsip.conf, you should add:
Because Websockets use the built-in HTTP server, TLS certificate information is not configured here but in http.conf instead. If certificate settings are configured here, they are ignored.
PJSIP AoR and Auth
Next, we need to configure an entity within PJSIP to accept registration from our browser-based sipml5 client. To do this, we will create three PJSIP objects in our /etc/asterisk/pjsip.conf configuration file: an aor, an auth, and an endpoint.
Your aor and your auth should look something like:
Here, we establish that the thing registering with us will be known internally as "199" and that it will use 199 and 199 as its username and password registration credentials. Note that this is NOT SECURE and you should choose a MUCH better password if you're following any of these instructions.
Next, we need to create an endpoint object that will reference this aor and auth as well as be provided with configuration parameters that are specific to WebRTC clients. Your endpoint in /etc/asterisk/pjsip.conf should look something like:
An explanation of each of these settings can be found on the Asterisk 13 Configuration_res_pjsip page. Briefly:
- Declare an endpoint that references our previously-made aor and auth.
- Notify Asterisk to expect the AVPF profile (secure RTP)
- Set up the DTLS method of media encryption.
- Specify which certificate files to use for TLS negotiations with this endpoint and our verification and setup methods.
- Enable ICE support
- Tell Asterisk to send media across the same transport that we receive it from.
- Enable mux-ing of RTP and RTCP events onto the same socket.
- Place received calls from this endpoint into an Asterisk Dialplan context called "default"
- And set up codecs by first disabling all and then selectively enabling Opus (presuming that you installed the Opus codec for Asterisk as mentioned at the beginning of this tutorial), then G.711 u-law.
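One way to check a pjsip.conf against the endpoint settings listed above and the password warning earlier, as an added example that is not part of the original tutorial or of Asterisk. The sample configuration is constructed, and the 12-character minimum password length is an assumption of this example.

```python
# Constructed sample in the shape the tutorial describes (not the page's own
# listing): rtcp_mux is omitted and the password equals the username.
SAMPLE = """
[199]
type=auth
username=199
password=199

[199]
type=endpoint
aors=199
auth=199
use_avpf=yes
media_encryption=dtls
dtls_cert_file=/etc/asterisk/keys/asterisk.pem
ice_support=yes
media_use_received_transport=yes
"""

# Endpoint settings the tutorial lists for WebRTC, with the value to expect.
REQUIRED = {"use_avpf": "yes", "media_encryption": "dtls", "ice_support": "yes",
            "media_use_received_transport": "yes", "rtcp_mux": "yes"}
MIN_PASSWORD_LEN = 12  # assumption for this example, not an Asterisk default

def parse_sections(text):
    """pjsip.conf repeats section names and keys: return [(name, {key: [values]})]."""
    sections = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and "]" in line:
            sections.append((line[1:line.index("]")], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1].setdefault(key, []).append(value)
    return sections

def audit(text):
    """Return findings for weak auth objects and incomplete WebRTC endpoints."""
    findings = []
    for name, opts in parse_sections(text):
        first = lambda key: opts.get(key, [""])[0]
        kind, pw = first("type"), first("password")
        if kind == "auth" and (pw == first("username") or len(pw) < MIN_PASSWORD_LEN):
            findings.append(f"auth {name}: weak password")
        elif kind == "endpoint":
            findings += [f"endpoint {name}: {key} should be {want}"
                         for key, want in REQUIRED.items() if first(key) != want]
    return findings
```

Calling audit(SAMPLE) reports the weak password on the auth object and the missing rtcp_mux on the endpoint; a configuration with a long, distinct password and rtcp_mux=yes returns an empty list.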
In the event that you still utilize Asterisk's older SIP channel driver, chan_sip, in lieu of the modern PJSIP channel driver, you may use the following as a guide for configuring sip.conf:
Configure Asterisk Dialplan
We'll make a simple dialplan for receiving a test call from the sipml5 client.
This instructs Asterisk to Answer a call to "200," to play a file named "demo-congrats" (included in Asterisk's core sound file packages), and to hang up.
Firewall configuration is outside the scope of the tutorial. However, here is the output from my Uncomplicated FireWall service to show you what you may need to open:
You may wish to reconfigure your services to non-standard ports, or narrow the possible source addresses for additional security.
5060: This is the standard port for SIP communications
8089: This is the standard port for Secure Websockets when used with Asterisk's built-in HTTP server
10000:20000: This is the port range configured in rtp.conf for audio to flow.
Next, we'll perform a graceful restart of Asterisk, where in-progress calls are allowed to complete before Asterisk is stopped, so that it can pick up the changes that we've made to its configuration. From the Linux console execute:
And you'll see:
Browsers and WSS
When using WSS as a transport, Chrome and Firefox will not allow you, by default, to connect using WSS to a server with a self-signed certificate. Rather, you'll have to install a publicly-signed certificate into Asterisk. Or, you'll have to import the self-signed certificate we made earlier into your browser's keychain, which is outside the scope of this Wiki.
Or, for Firefox and Chrome, you can open a separate browser tab and point it to the TLS port and WS path of Asterisk's HTTPS server, e.g. https://[ ip of asterisk server ]:8089/ws, and you can manually confirm the security exception.
SIPML5 is a useful client for testing Asterisk. Many real-world users explore other options that may include rolling your own client.
First, go back and read the previous section and make sure that you've opened a new tab in Firefox and visited https://[ ip of asterisk server]:8089/ws and that you've confirmed the security exception. We're doing testing and development here, not deployment to real production, so this is "okay."
Once there, click the "Enjoy our live demo" link to be directed to the sipml5 client.
In the Registration box, use configuration similar to the following:
Here, we have input the following:
- Display Name is a free-form string
- Private Identity is our username from our PJSIP auth object
- Public Identity is in the format:
- sip : (name of our PJSIP aor object) @ (IP Address of the Asterisk system)
- Password is our password from our PJSIP auth object
- Realm is "asterisk.org"
Next, click the "Expert mode?" form button. It will open a new browser tab. In the Expert settings box, use a configuration similar to the following:
Here, we have made the following changes:
- Checked the "Disable Video" box
- Filled in the WebSocket Server URL using the format:
- wss : // (ip address of asterisk) : 8089 / ws
- Checked the "Disable 3GPP Early IMS" box
Click "Save" and return to the other demo tab with the Registration box.
Next, click "Login" and you should see Connected as such:
You should see a corresponding connection happen on the Asterisk CLI. You can log into the Asterisk CLI by performing:
Then, you can LogOut and Login and see something like:
Make a test call
In the sipml5 Call control box input 200. Then press the Call button. You'll see a drop-down:
Select "Audio" to continue. Once you do this, Firefox will display a popup asking permission to use your microphone:
Next, the Call control box will indicate that the call is proceeding:
Finally, when the call is connected, you will see In Call:
and you will hear "Congratulations, you have successfully installed and executed the Asterisk open source PBX..."
You've just made your first call via WebRTC using Asterisk!