OpenSIPS
Purpose
Describe OpenSIPS’s role at the tenant edge: the single SIP entry point that terminates WSS, anchors media, and enforces carrier trust.
Overview
OpenSIPS is the edge’s SIP front door. It terminates browser WSS (WebRTC
softphone) on 7443 and carrier SIP on 5060, authenticates requests, anchors
media in rtpengine (NG protocol on UDP 22222), then relays signaling to
FreeSWITCH ($du = sip:<FREESWITCH_URI>). FreeSWITCH listens on 5066 to avoid
colliding with OpenSIPS on 5060.
Inbound carrier INVITEs that match the trusted-carrier IP set bypass digest
auth (carriers authenticate by source IP and never answer a 407) and get
stamped X-G2D-Direction: inbound. Everyone else is challenged against the
subscribers table, which OpenSIPS reads over a local HTTP service (db_http) —
the edge holds no shared DB credential (ADR-011).
Configuration
The committed config under edge/opensips/ is a template, rendered per node
by deploy/scripts/edge-render-opensips.sh (this OpenSIPS build doesn’t do env
substitution). Key values it substitutes:
TENANT_ID=...            # injected as the X-G2D-Tenant-ID header value
FREESWITCH_URI=...       # the $du target (host:port) for relayed calls
CARRIER_INBOUND_IPS=...  # trusted carrier source IPs (empty → never matches)
OPENSIPS_DB_URL=...      # optional (auth reads subscribers via local db_http)
Examples
Browser (WSS :7443) ─┐
                     ├─► OpenSIPS ─► rtpengine (media anchor) ─► FreeSWITCH :5066 ─► carrier
Carrier (:5060) ─────┘
- Re-INVITEs must re-anchor rtpengine. Hold/resume/transfer carry fresh SDP that must pass through rtpengine again, or audio is lost after resume.
- WSS offers toward a browser must re-offer full WebRTC (UDP/TLS/RTP/SAVPF, DTLS=passive) so rtpengine generates the DTLS fingerprint the browser requires.
- Re-rendering the template resets the injected tenant header, so the render script always re-runs the header injection — a naive copy leaves placeholders and OpenSIPS crash-loops.
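The placeholder failure mode described above, as an added example that is not the project's render script: a render step that substitutes the values listed under Configuration and refuses to install output that still contains a placeholder. The `__NAME__` placeholder syntax, the function names, the return codes and the sample template lines are assumptions; the page does not show the real template.

```shell
#!/bin/sh
# Added example (not deploy/scripts/edge-render-opensips.sh). Assumption: the
# template marks placeholders as __NAME__; the real syntax is not on the page.

# Escape characters that are special in a sed replacement: \, the | delimiter, &.
esc() { printf '%s' "$1" | sed 's/[\|&]/\\&/g'; }

# render_template TEMPLATE OUTPUT
# Returns 0 on success, 2 if a required value is missing,
# 3 if any placeholder survived rendering, 1 on sed failure.
render_template() {
    # TENANT_ID and FREESWITCH_URI are required. An empty CARRIER_INBOUND_IPS
    # is legal: per the page, an empty set simply never matches.
    [ -n "${TENANT_ID:-}" ] && [ -n "${FREESWITCH_URI:-}" ] || return 2
    sed -e "s|__TENANT_ID__|$(esc "$TENANT_ID")|g" \
        -e "s|__FREESWITCH_URI__|$(esc "$FREESWITCH_URI")|g" \
        -e "s|__CARRIER_INBOUND_IPS__|$(esc "${CARRIER_INBOUND_IPS:-}")|g" \
        "$1" > "$2.tmp" || return 1
    # Gate: list leftover placeholders on stderr and discard the output, so a
    # half-rendered file is never handed to OpenSIPS.
    if grep -n '__[A-Z][A-Z0-9_]*__' "$2.tmp" >&2; then
        rm -f "$2.tmp"
        return 3
    fi
    mv "$2.tmp" "$2"   # rename into place only after the gate passes
}

# Constructed sample template (hypothetical lines, not the edge/opensips/ config).
write_sample_template() {
    cat > "$1" <<'EOF'
append_hf("X-G2D-Tenant-ID: __TENANT_ID__\r\n");
$du = "sip:__FREESWITCH_URI__";
# trusted carrier source IPs: __CARRIER_INBOUND_IPS__
EOF
}
```

Call `render_template <template> <output>` with the values set in the environment and restart OpenSIPS only when it returns 0.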