OpenSIPS

OpenSIPS’s role at the tenant edge: the single SIP entry point that terminates WSS, anchors media, and enforces carrier trust.

OpenSIPS is the edge’s SIP front door. It terminates browser WSS (WebRTC softphone) on 7443 and carrier SIP on 5060, authenticates requests, anchors media in rtpengine (NG protocol on UDP 22222), then relays signaling to FreeSWITCH ($du = sip:<FREESWITCH_URI>). FreeSWITCH listens on 5066 to avoid colliding with OpenSIPS on 5060.

Inbound carrier INVITEs that match the trusted-carrier IP set bypass digest auth (carriers authenticate by source IP and never answer a 407) and get stamped X-G2D-Direction: inbound. Everyone else is challenged against the subscribers table, which OpenSIPS reads over a local HTTP service (db_http) — the edge holds no shared DB credential (ADR-011).

The committed config under edge/opensips/ is a template, rendered per node by deploy/scripts/edge-render-opensips.sh (this OpenSIPS build doesn’t do env substitution). Key values it substitutes:

TENANT_ID=... # injected as the X-G2D-Tenant-ID header value
FREESWITCH_URI=... # the $du target (host:port) for relayed calls
CARRIER_INBOUND_IPS=... # trusted carrier source IPs (empty → never matches)
OPENSIPS_DB_URL=... # optional (auth reads subscribers via local db_http)

Browser (WSS :7443) ─┐
                     ├─► OpenSIPS ─► rtpengine (media anchor) ─► FreeSWITCH :5066 ─► carrier
Carrier (:5060) ─────┘

  • Re-INVITEs must re-anchor rtpengine. Hold/resume/transfer carry fresh SDP that must pass through rtpengine again, or audio is lost after resume.
  • WSS offers toward a browser must re-offer full WebRTC (UDP/TLS/RTP/SAVPF, DTLS=passive) so rtpengine generates the DTLS fingerprint the browser requires.
  • Re-rendering the template resets the injected tenant header, so the render script always re-runs the header injection — a naive copy leaves placeholders and OpenSIPS crash-loops.
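
A render-time guard for the substitution step and the placeholder gotcha above, as an added example and not the project's edge-render-opensips.sh: it allow-lists each value before writing it into the config and refuses to publish output that still contains a placeholder. The `__NAME__` placeholder syntax, the comma-separated plain-IPv4 format for CARRIER_INBOUND_IPS, and both function names are assumptions.

```shell
#!/bin/sh
# Added example, not the project's edge-render-opensips.sh.
# ASSUMPTIONS: placeholders are written __NAME__; CARRIER_INBOUND_IPS is a
# comma-separated list of plain IPv4 addresses; function names are hypothetical.

# valid_inputs: allow-list every value before it is written into the config.
# `case` matches the whole string, so an embedded newline cannot slip through.
valid_inputs() {
    case $TENANT_ID in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
    case $FREESWITCH_URI in          # exactly host:port
        *[!A-Za-z0-9.:-]*|:*|*:*:*) return 1 ;;
        *:*) ;;
        *) return 1 ;;
    esac
    case ${FREESWITCH_URI##*:} in ''|*[!0-9]*) return 1 ;; esac
    # Empty list is valid (trusted set never matches); masks like /0 are not.
    case $CARRIER_INBOUND_IPS in *[!0-9.,]*|,*|*,|*,,*) return 1 ;; esac
    old_ifs=$IFS; IFS=,
    for ip in $CARRIER_INBOUND_IPS; do
        case $ip in                  # four dot-separated numeric groups
            *.*.*.*.*|.*|*.|*..*) IFS=$old_ifs; return 1 ;;
            *.*.*.*) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
}

# render_opensips TEMPLATE OUT: substitute, then publish OUT only if no
# placeholder survived. OUT is replaced atomically or not at all.
render_opensips() {
    tmpl=$1; out=$2
    valid_inputs || { echo "render: rejected input value" >&2; return 1; }
    tmp=$(mktemp "$out.XXXXXX") || return 1
    sed -e "s|__TENANT_ID__|$TENANT_ID|g" \
        -e "s|__FREESWITCH_URI__|$FREESWITCH_URI|g" \
        -e "s|__CARRIER_INBOUND_IPS__|$CARRIER_INBOUND_IPS|g" \
        "$tmpl" > "$tmp" || { rm -f "$tmp"; return 1; }
    # A leftover placeholder is the crash-loop case: fail at render time.
    if grep -n '__[A-Z][A-Z_]*__' "$tmp" >&2; then
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out"
}
```

Running `opensips -c -f` against the rendered file before a restart catches syntax errors this guard cannot.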