VoIP Server

Posted on 27 May 2026

The source material this page replaces covers repro, a SIP proxy from the reSIProcate project. repro has seen minimal development since around 2018 and is not a practical recommendation in 2026. This series uses FreePBX 17 with Asterisk 22 LTS: the current mainstream self-hosted PBX stack, actively maintained, and well-documented.

What a self-hosted PBX provides

VoIP stands for Voice over IP. The public telephone network converted to IP infrastructure years ago: every call you make on a landline or mobile already travels over IP for most of its journey. Running your own PBX gives you direct control over the IP side of that infrastructure.

For this three-site network, a self-hosted PBX provides:

Internal extensions across all three sites. A phone on one site can dial a short extension number to reach a phone on another site, through the inter-site WireGuard VPN. No external call, no cost, no third party.

A single phone number for the outside world. A SIP trunk connects the PBX to the public telephone network. Inbound calls to your number ring extensions. Outbound calls from extensions dial out to real phone numbers.

Voicemail. Per-extension voicemail with email delivery.

IVR (Interactive Voice Response). An automated attendant that answers calls and routes them to the correct extension or department.

Call recording. For compliance or personal record-keeping.

Softphone integration. Any SIP-capable softphone on the desktop (Zoiper, Linphone) or mobile (Zoiper, Groundwire) can register as an extension.

FreePBX and Asterisk

Asterisk is the telephony engine. It handles SIP signalling, codec negotiation, call routing, voicemail, and every other telephony function. It is configured via text files and a command-line interface.

FreePBX is a web-based management interface that sits on top of Asterisk. It provides a GUI for creating extensions, configuring trunks, setting up inbound and outbound routes, and managing voicemail. FreePBX writes Asterisk configuration files based on what is configured in the web interface. This means you almost never need to edit Asterisk configuration files directly.

The current versions are:

  • FreePBX 17: the latest GA release, with a modernised module framework and PHP 8.3 support
  • Asterisk 22 LTS: the current long-term support release, maintained with security and bug fixes until 2029

Architecture in this series

FreePBX manages its own Apache web server instance and has specific requirements that conflict with the shared infrastructure in this series. It belongs in a dedicated LXC container.

PBX container: FreePBX, Asterisk, Apache, MariaDB (local to the container), and all Asterisk components. This container is self-contained and does not share nginx or the database container used by other services.

The PBX is accessible from:

  • Internal network at all three sites via the WireGuard VPN
  • The public internet via port forwarding for SIP signalling and RTP media (for the SIP trunk and external softphones)
  • The FreePBX web interface at https://pbx.yourdomain.net via the nginx reverse proxy container (for administration)

SIP trunk for UK calls

A SIP trunk connects the PBX to the public telephone network. For UK residential and small business use, several providers offer SIP trunks:

VoIP.ms: pay-per-minute, no monthly fees, UK DID numbers available, good documentation for Asterisk/FreePBX integration.

SIPGATE: UK-based provider, offers free SIP accounts with a UK number, straightforward FreePBX integration.

Andrews & Arnold (AAISP): UK ISP with SIP trunk service, excellent reputation, more expensive but highly reliable.

Gradwell: UK VoIP provider with FreePBX-friendly configuration.

The full installation page covers SIP trunk configuration for a UK provider. The specific provider is a matter of personal preference and call volume requirements.

NAT considerations

SIP and the UDM-SE interact in a specific way worth understanding before installation. The UDM-SE is a consumer-grade NAT router. SIP was designed before NAT was ubiquitous and has known NAT traversal issues.

FreePBX includes PJSIP as its SIP stack (replacing the older chan_sip). PJSIP handles NAT better than chan_sip and is the correct choice for new deployments. The FreePBX installation page covers the NAT settings under Settings > Asterisk SIP Settings that must be configured for the UDM-SE environment.

For SIP endpoints within the internal network (softphones on the VPN or local network), NAT is not a concern. For external softphones connecting over the internet, NAT traversal configuration is required.

Firewall requirements

The PBX container needs the following ports open:

PortProtocolPurpose
5060UDP + TCPSIP signalling
5061TCPSIP over TLS
10000-20000UDPRTP media (audio)
4569UDPIAX2 (inter-Asterisk trunking, optional)

The SIP ports need to be forwarded from the WAN on the UDM-SE to the PBX container for external access. RTP media ports must also be forwarded: without them, calls connect but audio does not flow.

Security considerations

A PBX exposed to the internet is a high-value target. Toll fraud, where attackers compromise a PBX and make international calls at the account holder’s expense, is a real and costly threat. Mitigation is critical before exposing any SIP port to the internet.

fail2ban: monitors Asterisk logs for failed authentication attempts and blocks attacking IPs. Essential for any internet-facing PBX.

Strong extension passwords: SIP extension passwords must be long and random. Short or dictionary-word passwords are brute-forced quickly. FreePBX can generate strong passwords automatically.

Outbound call restrictions: restrict outbound routes to the countries and number ranges you actually need. Block premium-rate numbers, international prefixes not in use, and any range that could be exploited for toll fraud.

FreePBX Intrusion Detection: the built-in intrusion detection module (based on fail2ban) provides additional SIP-specific protection.

TLS and SRTP: configure SIP over TLS (port 5061) and SRTP for encrypted signalling and media. This is the correct configuration for any calls that traverse the public internet.

What the installation page covers

The full FreePBX installation page, when written, covers:

  • Container setup and initial Ubuntu 24.04 configuration
  • Asterisk 22 LTS compilation from source
  • FreePBX 17 installation and initial setup
  • Extension configuration for all three sites
  • SIP trunk configuration for a UK provider
  • Inbound and outbound route setup
  • Softphone configuration on the desktop and mobile
  • fail2ban and security hardening
  • TLS certificate configuration for the web interface and SIP transport
  • Voicemail with email delivery

Toll fraud is the most serious risk of running a self-hosted PBX. An attacker who compromises an extension with a weak password can make international calls for hours before the account holder notices. Configure fail2ban, use strong passwords, restrict outbound routes to what you actually need, and monitor call logs regularly. These are not optional extras for an internet-facing PBX.