platform v0.9.11 verified 2026-05-14
Path: /admin-settings → SIP Trunks tab
SIP trunks define how the platform identifies and authenticates inbound SIP traffic from external carriers, SIP providers, or WebRTC gateways. Multiple trunk types run in parallel on a single Kamailio instance.
How changes take effect
| Change | Action | Downtime |
|---|---|---|
| Create / edit / enable / disable trunk | Redis sync (Admin Tools → Sync All to Redis) | None |
| Identification or auth credentials changed | Redis sync | None |
| TLS settings or CA upload | Redis sync (~5 s for the TLS watcher) | None — hot reload |
| TLS_ENABLED env var change | Container restart (docker compose restart telpro) | Brief restart |
| kamailio.cfg changed | Container rebuild + restart | Brief restart |
The TLS sync watcher polls Redis every 5 s for TLS material changes and triggers kamcmd tls.reload.
Identification
How Kamailio identifies which trunk a call belongs to. Trunks are evaluated in priority order (lower number = checked first). When multiple identification methods are enabled on a trunk, all must match (AND).
| Method | Checks | Use case |
|---|---|---|
| Source IP | Caller's IP vs. list / CIDR. | Carriers with static IPs. |
| From Domain | SIP From header domain vs. regex. | Distinct From-domain. |
| User-Agent | User-Agent header vs. regex. | Recognisable UA strings. |
| Combined | Two or three of the above. | Higher specificity when ranges overlap. |
Priority example
| Priority | Trunk | Why |
|---|---|---|
| 10 | IP + Domain + UA | Most specific. |
| 20 | IP + UA | Narrows by UA within IP range. |
| 30 | From domain (digest) | Any IP, specific domain, password required. |
| 90 | IP-only catch-all | Network-level fallback. |
Fields
| Field | Required | Description |
|---|---|---|
| Identify By | Yes | Multi-select: source_ip, from_domain, user_agent. |
| Allowed IPs | Conditional | When source_ip is selected. Array of CIDRs. |
| From Domain Pattern | Conditional | Regex against From-header domain. |
| User-Agent Pattern | Conditional | Regex against User-Agent. |
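The evaluation order described in this section (lowest priority number first, every selected method must match), as an added Python sketch that is not the platform's own code. The dictionary keys, trunk names, the User-Agent pattern and the sample addresses are constructed for illustration, and applying the patterns with `re.search` is an assumption.

```python
import ipaddress
import re

# Constructed trunk table modelled on the priority example; not real platform data.
TRUNKS = [
    {"name": "catch-all", "priority": 90, "identify_by": ["source_ip"],
     "allowed_ips": ["54.172.60.0/23"]},
    {"name": "ip-domain-ua", "priority": 10,
     "identify_by": ["source_ip", "from_domain", "user_agent"],
     "allowed_ips": ["54.172.60.0/23"],
     "from_domain_pattern": r".*\.twilio\.com$",
     "user_agent_pattern": r"^Twilio"},
    {"name": "ip-ua", "priority": 20, "identify_by": ["source_ip", "user_agent"],
     "allowed_ips": ["54.172.60.0/23"], "user_agent_pattern": r"^Twilio"},
    {"name": "domain-digest", "priority": 30, "identify_by": ["from_domain"],
     "from_domain_pattern": r"^pbx\.example\.net$"},
]

def _method_matches(trunk, method, src_ip, from_domain, user_agent):
    """Evaluate one identification method for one trunk."""
    if method == "source_ip":
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(cidr)
                   for cidr in trunk.get("allowed_ips", []))
    if method == "from_domain":
        pat = trunk.get("from_domain_pattern")
        # Assumption: search semantics; a missing pattern never matches.
        return bool(pat) and re.search(pat, from_domain or "") is not None
    if method == "user_agent":
        pat = trunk.get("user_agent_pattern")
        return bool(pat) and re.search(pat, user_agent or "") is not None
    return False  # unknown method: fail closed

def identify(trunks, src_ip, from_domain, user_agent):
    """Return the name of the first trunk, in priority order, whose methods all match."""
    for trunk in sorted(trunks, key=lambda t: t["priority"]):
        methods = trunk["identify_by"]
        if methods and all(_method_matches(trunk, m, src_ip, from_domain, user_agent)
                           for m in methods):
            return trunk["name"]
    return None  # no trunk identified
```

Giving the catch-all a priority number below 10 would make it win for every address in the range, which is why the page's example places it at 90.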
Authentication
Runs after identification. Authorises the identified caller to proceed.
| Method | How | Prerequisites | Use case |
|---|---|---|---|
| ip_only | Identification alone authorises. | Allowed IPs configured. | Trusted static-IP carriers (Twilio, Vonage). |
| digest | SIP digest auth (407 challenge). | Auth User + Pass on trunk. | Carriers / devices supporting digest. |
| ip_and_digest | Source IP + digest. | Allowed IPs + Auth User + Pass. | Maximum security. |

| Field | Required | Description |
|---|---|---|
| Auth Method | Yes | ip_only / digest / ip_and_digest. |
| Auth Realm | Conditional | SIP realm sent in 407 (defaults to From-domain). |
| Auth User | Conditional | Username expected in digest response. |
| Auth Pass | Conditional | Password (stored encrypted). |

| Field | Default | Description |
|---|---|---|
| SRTP Mode | disabled | disabled (plain RTP) / prefer (negotiate) / require (RTP/SAVP only). SRTP terminates at RTPEngine; TelSys always sees plain RTP. |
| Symmetric RTP | false | Reply to the address:port the media was received from, ignoring SDP. Use for NAT or unreliable SDP. |
TLS
Multiple TLS modes coexist on a single Kamailio instance — UDP/5060 and TLS/5061 run side by side.
Prerequisites
| Requirement | Setup |
|---|---|
| TLS enabled on Kamailio | TLS_ENABLED=true in docker-compose.yaml. Restart required. |
| Server certificate | server.crt + server.key in tls/ (volume-mounted). |
| CA certificate (for mTLS) | Upload as Platform Secret with purpose CA_CERT and reference it on the trunk. |
Modes
| Mode | Settings | Enforces |
|---|---|---|
| No TLS | All TLS fields off | Plain UDP/TCP. |
| TLS required | Require TLS Transport = true | Reject UDP/TCP with 403. |
| TLS + verify peer | Above + Verify Peer + Require Client Cert + CA | Verifies client cert against the CA. |
| TLS + peer name | + Peer Name Verification + Remote Subject Name | Checks the cert's CN matches. |
| Full mTLS + peer name | All of the above | Max security. |
Fields
| Field | Default | Description |
|---|---|---|
| Require TLS Transport | false | Reject non-TLS with 403. |
| Verify Peer Certificate | false | Verify against CA bundle. |
| Require Client Certificate | false | Client must present a cert during the handshake. |
| Peer Name Verification | disabled | disabled / enabled — check CN. |
| TLS Remote Subject Name | — | Expected CN (e.g. trunk.pstn.twilio.com). |
| TLS CA Certificate | — | Platform Secret of purpose CA_CERT. |
TLS checks run before authentication and routing.
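The Conditional and Prerequisites columns of the Identification, Authentication and TLS tables, expressed as a pre-save check. This is an added Python example, not part of the platform; the dictionary key names and both sample trunks are constructed, since the page does not show the stored trunk schema.

```python
import ipaddress
import re

def lint_trunk(t):
    """Return prerequisite problems for one trunk dict (key names are hypothetical)."""
    required = {}  # key -> first reason the key is needed
    identify_by = t.get("identify_by") or []
    for method, key in (("source_ip", "allowed_ips"),
                        ("from_domain", "from_domain_pattern"),
                        ("user_agent", "user_agent_pattern")):
        if method in identify_by:
            required.setdefault(key, f"identify by {method}")
    auth = t.get("auth_method")
    if auth in ("ip_only", "ip_and_digest"):
        required.setdefault("allowed_ips", f"auth method {auth}")
    if auth in ("digest", "ip_and_digest"):
        required.setdefault("auth_user", f"auth method {auth}")
        required.setdefault("auth_pass", f"auth method {auth}")
    if t.get("verify_peer"):
        required.setdefault("tls_ca_cert", "verify peer certificate")
    if t.get("peer_name_verification") == "enabled":
        required.setdefault("tls_remote_subject_name", "peer name verification")

    problems = [f"{k} required ({why})" for k, why in required.items() if not t.get(k)]
    if not identify_by:
        problems.append("identify_by required (no identification method selected)")
    if auth not in ("ip_only", "digest", "ip_and_digest"):
        problems.append(f"auth_method invalid: {auth!r}")
    for cidr in t.get("allowed_ips") or []:
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"allowed_ips invalid CIDR: {cidr!r}")
    for key in ("from_domain_pattern", "user_agent_pattern"):
        try:
            re.compile(t.get(key) or "")
        except re.error as exc:
            problems.append(f"{key} invalid regex: {exc}")
    return problems

# Constructed samples. BAD authorises on identification alone (ip_only) with no IP list.
GOOD = {"identify_by": ["source_ip", "from_domain"], "allowed_ips": ["54.172.60.0/23"],
        "from_domain_pattern": r".*\.twilio\.com$", "auth_method": "ip_only"}
BAD = {"identify_by": ["from_domain"], "from_domain_pattern": r".*\.example\.com$",
       "auth_method": "ip_only", "verify_peer": True,
       "peer_name_verification": "enabled"}
```
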
| Field | Description |
|---|---|
| Unique ID Header | SIP header carrying the external call ID (e.g. X-Twilio-CallSid). Used to correlate with carrier CDRs. |
Special handling
| Field | Default | Description |
|---|---|---|
| Is Internal | false | Mark internal trunk (Janus, localhost). Sets RTPEngine direction=priv direction=priv. |
| Requires X-Call | false | Trunk requires an X-Call-ID header pre-created by TelAPI. Used for WebRTC via Janus. |
Technical
| Field | Default | Description |
|---|---|---|
| Max Concurrent Calls | 0 (unlimited) | Cap. Exceeded → 486 Busy Here. |
| Codec Preferences | ["PCMA", "PCMU"] | Audio codec priority for RTPEngine. |
| Priority | 50 | Trunk matching priority. |
Parallel operation
All trunk types run together: UDP and TLS in parallel; mixed auth methods; mixed media settings; mTLS-required and TLS-without-client-cert trunks coexist (TLS server domain uses verify_client = optional).
Workflows
IP-only trunk (Twilio-style)
Identify By source_ip, Allowed IPs ["54.172.60.0/23"], Auth ip_only → enable → save → Redis sync.
Digest-auth trunk
Identify By from_domain with pattern, Auth digest (user + pass + realm) → save → Redis sync.
Full mTLS trunk
Upload CA as Platform Secret → on the trunk, enable Require TLS, Verify Peer, Require Client Cert, link the CA, set Peer Name + Remote Subject Name → save → Redis sync.
Reference examples
Twilio production
| Setting | Value |
|---|---|
| Identify By | source_ip, from_domain |
| From Domain Pattern | .*\.twilio\.com$ |
| Auth Method | ip_only |
| Require TLS Transport | true |
| SRTP Mode | require |
| Symmetric RTP | true |
| Unique ID Header | X-Twilio-CallSid |
| Priority | 20 |
Janus internal
| Setting | Value |
|---|---|
| Identify By | source_ip |
| Allowed IPs | ["10.30.0.13/32"] |
| Auth Method | ip_only |
| Is Internal | true |
| Requires X-Call | true |
| Priority | 10 |
Admin Settings → SIP Trunks tab
Highlight: trunk cards with name, identification method, enabled status; edit dialog with auth + TLS + media sections