I use Skype a lot in my day-to-day communication but I am not happy with it, as it has poor privacy and a crappy client. The alternative for Voice over IP is, of course, the SIP protocol. SIP clients are also more or less crappy, but thanks to ZRTP we can have strong end-to-end-encryption and thanks to OPUS we can have sound quality at least as good as Skype. Furthermore, SIP is a decentralized protocol and, in a perfect world, does not need any servers at all, because it cann directly call other SIP clients based on their IP address.

In our real world, however, there are annoying things like NAT and dynamic IP addresses, so we'd rather have a SIP server (so one can reach me at a static address) and a proxy (so NAT does not hurt that much). There are of course SIP servers out there, even free ones, but I want to host my own one. The fun part is that people do not need an SIP account at all to call me, it just helps when you want to be called.

As a client, I chose Blink, which has pretty much all the features I need and is a quite nice piece of software (with quite bad packaging on most distributions1), the next-best choice would probably be the platform-independent client Jitsi which I also used for testing.

As a server, I chose Kamailio. Kamailio looks pretty complicated but in comparison to other SIP servers it is really simple as it only does registration and proxying (while the proxying itself is done by rtpproxy) and does not have advanced features like voicemail integrated, although it seems to be possible to integrate them. If you have more complex needs, take a look at Asterisk or FreeSWITCH.

In theory, setting up Kamailio on Debian is pretty simple, but in practice there were several pitfalls and I'm not sure I remember them all, so if you follow the instructions in this blogpost and you stumble over strange error messages, do not hesitate to contact me.

To get started, we install some packages. I did all of this on a relatively clean Debian testing (8.0) system.

apt-get install kamailio kamailio-mysql-modules kamailio-tls-modules mysql-server rtpproxy

This might prompt you to choose a mysql root password, if you did not have mysql-server before. Choose one and write it down. Next, we have to edit a bunch of configuration files, the first of which is /etc/default/kamailio, where we just enable the service:


The next file is /etc/kamailio/kamailio.cfg. We add some flags directly after the first line:

#!define WITH_MYSQL
#!define WITH_AUTH 
#!define WITH_NAT 
#!define WITH_TLS 

Now we choose a mysql user password (we do not have to create the user) and configure it in the DBURL definition somewhere in the same file:

#!define DBURL "mysql://kamailio:firstpassword@localhost/kamailio"

Now look for the alias option and set it to the hostname you want to use as the server part of your SIP address (think of it like email hosts):


Also, look out for the line configuring rtpproxy's port number and change it to:

modparam("rtpproxy", "rtpproxy_sock", "unix:/var/run/rtpproxy/rtpproxy.sock")

The next file is /etc/kamailio/tls.cfg where you can configure your TLS certificates. You should definitively generate new certificates, but if you just want to get started with testing, you can use the ones provided by Kamailio for now:

private_key = /etc/kamailio/kamailio-selfsigned.key 
certificate = /etc/kamailio/kamailio-selfsigned.pem 

Now we successfully configured the kamailio daemon. However, to control this deamon, there is the kamctl command-line utility which has to be configured in /etc/kamailio/kamctlrc. It also needs the same mysql user and password as configured above as well as a second username/password tuple for a read-only mysql user. You still do not have to create those users or databases by yourself.


Now we can use this tool to create the mysql users and database tables:

kamdbctl create

This will ask you for your MySQL root password as well as whether to create one or two optional tables (answer both with yes).

Last but not least we configure rtpproxy in /etc/default/rtpproxy:


Yey! Except… there is a bug in the rtpproxy debian package. Open /etc/init.d/rtpproxy and change the line DAEMON=/usr/sbin/rtpproxy to DEAMON=/usr/bin/rtpproxy.

Now start and enable the services (for Debian 7.0 or older, use the init scripts directly):

systemctl enable rtpproxy
systemctl start rtpproxy
systemctl enable kamailio
systemctl start kamailio

Done! You can now setup your SIP client. In Blink, if you are behind the NAT, set up the account, then go to settings, select your account and go to the Server Settings tab. Then enter your hostname as Outpound proxy, select port 5061 and TLS transport. Also make sure to fill in user username and tick the Always use checkbox, if you want to.

Again, it might be that I missed to mention one or two pitfalls I came by, so please write me an email/xmpp message if you get stuck.

  1. The Arch User Repository package for example misses at least python2-eventlib, python2-xcaplib and python2-msrplib as dependencies.