Install Kamailio SIP Server on Ubuntu 24.04 [Guide]

Kamailio is an open-source SIP (Session Initiation Protocol) server that handles SIP signaling for VoIP, video, and real-time communication platforms. It works as a SIP proxy, registrar, location server, and load balancer – processing thousands of call setups per second on commodity hardware. Kamailio powers some of the largest telecom deployments worldwide, from carrier-grade VoIP networks to enterprise unified communications systems.

Original content from computingforgeeks.com - post 2962

This guide walks through installing Kamailio 6.1 on Ubuntu 24.04 LTS from the official Kamailio repository. We cover database backend setup with MySQL, TLS configuration for encrypted SIP signaling, SIP user management, firewall rules, and integration with RTPEngine for media relay.

Prerequisites

A server running Ubuntu 24.04 LTS with at least 2GB RAM and 2 CPU cores
Root or sudo access
A public IP address or domain name pointing to your server
Ports 5060 (SIP), 5061 (SIP TLS), and 10000-20000 (RTP media) open on your firewall
MySQL or MariaDB installed (covered in this guide)

Step 1: Install Kamailio from the Official Repository

The Kamailio project maintains its own APT repository with pre-built packages for Ubuntu 24.04 (noble). Using the official repo gives you the latest 6.1.x release with all modules available as separate packages.

First, install the repository signing key and add the Kamailio 6.1 repository:

sudo apt install -y gnupg2
curl -fsSL https://deb.kamailio.org/kamailiodebkey.gpg | sudo gpg --dearmor -o /usr/share/keyrings/kamailio.gpg

Add the Kamailio 6.1 repository for Ubuntu 24.04 (noble):

echo "deb [signed-by=/usr/share/keyrings/kamailio.gpg] https://deb.kamailio.org/kamailio61 noble main" | sudo tee /etc/apt/sources.list.d/kamailio.list

Update the package index and install Kamailio along with the MySQL, TLS, and WebSocket modules:

sudo apt update
sudo apt install -y kamailio kamailio-mysql-modules kamailio-tls-modules kamailio-websocket-modules kamailio-utils-modules

Confirm the installed version:

kamailio -V

The output shows the Kamailio version and build details:

version: kamailio 6.1.1 (x86_64/linux)
flags: USE_TCP, USE_TLS, USE_SCTP, TLS_HOOKS, USE_RAW_SOCKS, DISABLE_NAGLE, USE_MCAST, DNS_IP_HACK, SHM_MMAP, PKG_MALLOC, Q_MALLOC, F_MALLOC, TLSF_MALLOC, DBG_SR_MEMORY, USE_FUTEX, FAST_LOCK-ADAPTIVE_WAIT, USE_DNS_CACHE, USE_DNS_FAILOVER, USE_NAPTR, USE_DST_BLOCKLIST, HAVE_RESOLV_RES

Step 2: Install and Configure MySQL Database Backend

Kamailio uses a database to store SIP user credentials, location data, routing rules, and accounting records. MySQL (or MariaDB) is the most common backend for production deployments.

Install MySQL server if not already present:

sudo apt install -y mysql-server

Secure the MySQL installation:

sudo mysql_secure_installation

Now configure Kamailio to use MySQL as its database backend. Open the Kamailio defaults file:

sudo vi /etc/default/kamailio

Set RUN_KAMAILIO to yes and adjust memory parameters based on your server resources:

RUN_KAMAILIO=yes
SHM_MEMORY=128
PKG_MEMORY=16
USER=kamailio
GROUP=kamailio

Step 3: Configure kamailio.cfg for SIP Proxy Operation

The main configuration file at /etc/kamailio/kamailio.cfg controls all SIP processing logic. Before editing, back up the default configuration:

sudo cp /etc/kamailio/kamailio.cfg /etc/kamailio/kamailio.cfg.bak

Open the configuration file:

sudo vi /etc/kamailio/kamailio.cfg

In the top section of the file, enable the MySQL, authentication, and TLS preprocessor defines. These activate the corresponding modules when Kamailio starts:

#!define WITH_MYSQL
#!define WITH_AUTH
#!define WITH_USRLOCDB
#!define WITH_TLS

Further down in the file, locate the database URL parameter and set it to match your MySQL credentials. Replace kamailiorw with a strong password you will set in the next step:

#!ifdef WITH_MYSQL
#!define DBURL "mysql://kamailio:kamailiorw@localhost/kamailio"
#!endif

The default kamailio.cfg ships with a well-structured routing logic that handles SIP registration, authentication, NAT traversal, and call routing. For a basic SIP proxy and registrar, the default routing blocks work without modification once the defines above are enabled.

Step 4: Create Kamailio Database Tables

Kamailio provides the kamdbctl tool to create and manage its database schema. First, configure the database connection parameters in the kamctlrc file:

sudo vi /etc/kamailio/kamctlrc

Uncomment and set these parameters to match your database setup:

DBENGINE=MYSQL
DBHOST=localhost
DBNAME=kamailio
DBRWUSER="kamailio"
DBRWPW="kamailiorw"
DBROUSER="kamailioro"
DBROPW="kamailioro"

Replace kamailiorw and kamailioro with strong passwords. The read-write user handles SIP registrations and accounting writes, while the read-only user is for lookups.

Run kamdbctl to create the database, tables, and MySQL users:

sudo kamdbctl create

When prompted, answer y to create the standard tables, and y again if asked about presence and uid tables. The tool creates around 40 tables covering registrations, subscriber authentication, dialplan rules, dispatcher sets, accounting records, and more.

Verify the database was created by listing the tables:

sudo mysql -e "USE kamailio; SHOW TABLES;" | head -20

You should see tables like subscriber, location, acc, dialog, and dispatcher listed in the output.

Step 5: Start and Enable the Kamailio Service

With the database and configuration in place, start Kamailio and enable it to start on boot:

sudo systemctl enable kamailio
sudo systemctl start kamailio

Check the service status to confirm Kamailio is running:

sudo systemctl status kamailio

The output should show the service as active (running) with the worker processes spawned:

● kamailio.service - Kamailio (OpenSER) - the Open Source SIP Server
     Loaded: loaded (/lib/systemd/system/kamailio.service; enabled; preset: enabled)
     Active: active (running)
   Main PID: 12345 (kamailio)
     CGroup: /system.slice/kamailio.service
             ├─12345 /usr/sbin/kamailio -P /run/kamailio/kamailio.pid -f /etc/kamailio/kamailio.cfg
             ├─12346 /usr/sbin/kamailio -P /run/kamailio/kamailio.pid -f /etc/kamailio/kamailio.cfg
             └─12347 /usr/sbin/kamailio -P /run/kamailio/kamailio.pid -f /etc/kamailio/kamailio.cfg

Verify Kamailio is listening on SIP port 5060:

sudo ss -tulnp | grep kamailio

You should see Kamailio listening on both UDP and TCP port 5060:

udp   UNCONN   0   0   0.0.0.0:5060   0.0.0.0:*   users:(("kamailio",pid=12345,fd=3))
tcp   LISTEN   0   128   0.0.0.0:5060   0.0.0.0:*   users:(("kamailio",pid=12345,fd=5))

Step 6: Add SIP Users with kamctl

Kamailio stores SIP user credentials in the subscriber database table. The kamctl command-line tool manages users, routing, and runtime diagnostics. If you have previously worked with Asterisk, note that Kamailio handles user management through its database rather than config files.

Add a new SIP user with a username and password:

sudo kamctl add alice secret123
sudo kamctl add bob secret456

The users are created in the format user@domain where the domain defaults to your server’s hostname or the SIP domain configured in kamailio.cfg.

List all registered SIP users:

sudo kamctl db show subscriber

To change a user’s password:

sudo kamctl passwd alice newpassword123

Remove a user when no longer needed:

sudo kamctl rm alice

Check online (currently registered) users at any time with:

sudo kamctl ul show

Step 7: Configure TLS for Encrypted SIP Signaling

SIP traffic over UDP/TCP sends credentials and call metadata in cleartext. TLS encrypts the SIP signaling channel (SIPS on port 5061), which is essential for any production deployment. This is separate from SRTP media encryption, which is handled by the RTP relay.

Generate a self-signed TLS certificate for testing, or use your own certificate from Let’s Encrypt for production:

sudo mkdir -p /etc/kamailio/tls
sudo openssl req -x509 -newkey rsa:4096 -keyout /etc/kamailio/tls/key.pem -out /etc/kamailio/tls/cert.pem -days 365 -nodes -subj "/CN=sip.example.com"
sudo chown -R kamailio:kamailio /etc/kamailio/tls
sudo chmod 600 /etc/kamailio/tls/key.pem

Edit the TLS configuration file:

sudo vi /etc/kamailio/tls.cfg

Set the certificate and key paths in the default server section:

[server:default]
method = TLSv1.2+
verify_certificate = no
require_certificate = no
private_key = /etc/kamailio/tls/key.pem
certificate = /etc/kamailio/tls/cert.pem

[client:default]
verify_certificate = no
require_certificate = no

Make sure the #!define WITH_TLS line is uncommented in /etc/kamailio/kamailio.cfg (we set this in Step 3). Then restart Kamailio to apply the TLS configuration:

sudo systemctl restart kamailio

Verify TLS is active by checking that Kamailio now listens on port 5061:

sudo ss -tulnp | grep 5061

The output confirms Kamailio is accepting TLS connections:

tcp   LISTEN   0   128   0.0.0.0:5061   0.0.0.0:*   users:(("kamailio",pid=12345,fd=7))

Step 8: Configure UFW Firewall Rules for SIP

SIP uses several ports that must be open for calls to work. Port 5060 handles standard SIP signaling over UDP and TCP, port 5061 handles encrypted SIP over TLS, and the RTP media range (10000-20000) carries the actual audio and video streams.

sudo ufw allow 5060/udp comment "SIP UDP"
sudo ufw allow 5060/tcp comment "SIP TCP"
sudo ufw allow 5061/tcp comment "SIP TLS"
sudo ufw allow 10000:20000/udp comment "RTP media"

If UFW is not yet enabled, enable it while keeping SSH access:

sudo ufw allow 22/tcp comment "SSH"
sudo ufw enable

Verify the firewall rules are active:

sudo ufw status verbose

The output should list the SIP and RTP ports as ALLOW:

Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere                   # SSH
5060/udp                   ALLOW       Anywhere                   # SIP UDP
5060/tcp                   ALLOW       Anywhere                   # SIP TCP
5061/tcp                   ALLOW       Anywhere                   # SIP TLS
10000:20000/udp            ALLOW       Anywhere                   # RTP media

Step 9: Test SIP Registration with a SIP Client

With Kamailio running and SIP users created, test the setup by registering a SIP client. You can use any standards-compliant SIP softphone – Olinphone, Olinphone, Zoiper, MicroSIP (Windows), or Olinphone (Linux/Mac).

For command-line testing, use SIPp to send a registration request:

sudo apt install -y sip-tester

Configure your SIP softphone with these settings:

SIP Server/Domain: Your server IP or domain (e.g., 192.168.1.100)
Username: alice (the user created in Step 6)
Password: secret123
Transport: UDP, TCP, or TLS
Port: 5060 (or 5061 for TLS)

After configuring the client, check Kamailio’s registered contacts to confirm the registration succeeded:

sudo kamctl ul show

A successful registration shows the user’s contact address, socket, and expiry timer:

AOR:: alice
 Contact:: sip:[email protected]:5060;transport=udp
  Expires:: 3600
  Callid:: [email protected]
  Cseq:: 1
  User-agent:: Olinphone/1.0
  Socket:: udp:192.168.1.100:5060

To troubleshoot registration failures, check the Kamailio logs:

sudo journalctl -u kamailio -f

Step 10: Integrate Kamailio with RTPEngine for Media Relay

Kamailio handles SIP signaling only – it does not relay audio or video streams. For calls between endpoints behind different NATs, you need an RTP proxy to relay media. RTPEngine (developed by Sipwise) is the recommended choice for production Kamailio deployments due to its kernel-space packet forwarding and SRTP support.

Install RTPEngine from the Ubuntu repository:

sudo apt install -y rtpengine

Configure RTPEngine by editing its defaults file:

sudo vi /etc/default/rtpengine

Set the listen interface and RTP port range. Replace 192.168.1.100 with your server’s actual IP address:

RUN_RTPENGINE=yes
LISTEN_NG=127.0.0.1:2223
INTERFACES="internal/192.168.1.100"
PORT_MIN=10000
PORT_MAX=20000
LOG_LEVEL=6

Start and enable the RTPEngine service:

sudo systemctl enable rtpengine
sudo systemctl start rtpengine
sudo systemctl status rtpengine

Now configure Kamailio to use RTPEngine for media relay. Install the RTPEngine module for Kamailio:

sudo apt install -y kamailio-rtpengine-modules

Add the RTPEngine module to your kamailio.cfg. Open the configuration file:

sudo vi /etc/kamailio/kamailio.cfg

Add these lines in the module loading section (after the existing loadmodule statements):

loadmodule "rtpengine.so"
modparam("rtpengine", "rtpengine_sock", "udp:127.0.0.1:2223")

In the request routing logic, add RTPEngine calls to handle media for INVITE requests. Add this inside your route[RELAY] block before t_relay():

if (is_method("INVITE")) {
    rtpengine_manage("replace-origin replace-session-connection");
}
if (is_method("ACK") && has_body("application/sdp")) {
    rtpengine_manage("replace-origin replace-session-connection");
}

Also add RTPEngine handling in the reply route to manage the SDP in responses. Add this in your onreply_route block:

if (has_body("application/sdp")) {
    rtpengine_manage("replace-origin replace-session-connection");
}

For BYE requests, release the RTP session. Add this in your route where you handle BYE messages:

if (is_method("BYE")) {
    rtpengine_delete();
}

Restart Kamailio to load the RTPEngine module:

sudo systemctl restart kamailio

Verify the RTPEngine integration by checking Kamailio’s module list:

sudo kamctl rpc rtpengine.show_all

Useful Kamailio Management Commands

Here is a quick reference of common kamctl commands for day-to-day Kamailio administration. You can also manage Kamailio using the Siremis web management interface.

Command	Description
`kamctl ul show`	Show all currently registered SIP users
`kamctl add user pass`	Add a new SIP subscriber
`kamctl rm user`	Remove a SIP subscriber
`kamctl passwd user newpass`	Change subscriber password
`kamctl monitor`	Real-time statistics monitor
`kamctl stats`	Show server statistics (transactions, dialogs, memory)
`kamctl dispatcher show`	List dispatcher (load balancer) destinations
`kamcmd core.version`	Show running Kamailio version

Conclusion

Kamailio 6.1 is now running on Ubuntu 24.04 as a SIP proxy and registrar with MySQL backend, TLS encryption, and RTPEngine media relay. This setup handles SIP registrations, authenticated call routing, and NAT traversal for real-world VoIP deployments.

For production hardening, set verify_certificate = yes in the TLS config, enable SIP rate limiting with the pike module to block brute-force attacks, configure htable for IP blocklisting, and set up accounting with the acc module for CDR generation. Monitor Kamailio health with kamctl stats and integrate with your existing monitoring stack using the Kamailio project’s SNMP or HTTP statistics module.