WebRTC with PJSIP

Configuration Asterisk 18+ -- Last reviewed 2026-03-29 webrtc pjsip wss tls configuration

WebRTC with PJSIP

Enable browser-based voice and video calling through Asterisk using WebRTC over the PJSIP stack. This requires a WSS (WebSocket Secure) transport, DTLS encryption for media, and TLS on the HTTP server.

Requirements

res_pjsip.so, res_http_websocket.so, res_srtp.so loaded
TLS certificates (self-signed or CA-issued)
A WebRTC client such as JsSIP, SIP.js, or a custom browser app

PJSIP Transports and WebRTC Endpoint (pjsip.conf)

; Standard UDP transport for desk phones
[transport-udp]
type = transport
protocol = udp
bind = 0.0.0.0

; TLS transport for encrypted SIP
[transport-tls]
type = transport
protocol = tls
bind = 0.0.0.0

; WebSocket Secure transport for WebRTC
[transport-wss]
type = transport
protocol = wss
bind = 0.0.0.0

; WebRTC endpoint
[webrtc_client]
type = endpoint
aors = webrtc_client
auth = webrtc_client
dtls_auto_generate_cert = yes
webrtc = yes
; webrtc=yes is shorthand for:
;   use_avpf = yes
;   media_encryption = dtls
;   dtls_verify = fingerprint
;   dtls_setup = actpass
;   ice_support = yes
;   media_use_received_transport = yes
;   rtcp_mux = yes
context = from-internal
disallow = all
allow = opus,g722,ulaw,vp9,vp8,h264

[webrtc_client]
type = auth
auth_type = userpass
username = webrtc_client
password = change_me_to_a_strong_password

[webrtc_client]
type = aor
max_contacts = 5
remove_existing = yes

HTTP Server with TLS (http.conf)

[general]
servername = Asterisk
enabled = yes
bindaddr = 0.0.0.0
bindport = 8088
tlsenable = yes
tlsbindaddr = 0.0.0.0:8089
tlscertfile = /etc/asterisk/keys/asterisk.pem
tlsprivatekey = /etc/asterisk/keys/asterisk.key
enable_static = yes
enable_status = yes
allowed_origins = *

RTP Configuration (rtp.conf)

[general]
rtpstart = 10000
rtpend = 20000

Module Loading (modules.conf)

[modules]
autoload = yes

; Ensure PJSIP stack is loaded, disable legacy chan_sip
load => chan_pjsip.so
noload => chan_sip.so
load => res_pjsip.so
load => res_pjsip_session.so
load => res_rtp_asterisk.so
load => res_srtp.so

; Bridge modules for media mixing
load => bridge_native_rtp.so
load => bridge_simple.so
load => bridge_softmix.so

; ARI (if using Stasis applications with WebRTC)
load => res_ari.so
load => res_ari_channels.so
load => res_ari_bridges.so

; Codecs
load => codec_opus.so

How it works

webrtc = yes: This single flag enables all the WebRTC-required PJSIP options: AVPF (audio/video feedback), DTLS media encryption, ICE for NAT traversal, RTCP multiplexing, and fingerprint-based DTLS verification. Without it, you would need to set 7 separate options.
dtls_auto_generate_cert = yes: Automatically generates ephemeral DTLS certificates for media encryption. For production, use dtls_cert_file and dtls_private_key pointing to proper certificates instead.
WSS transport: WebRTC mandates encrypted signaling. The wss protocol type handles WebSocket connections over TLS. The TLS configuration comes from http.conf, not from the transport section itself.
Opus and VP8/VP9/H.264: Opus is the preferred audio codec for WebRTC (wideband, low latency). VP8/VP9/H.264 are video pass-through codecs. Asterisk doesn't transcode video, it just forwards the streams.
RTP port range: rtpstart/rtpend defines the UDP port range for media. Open this range in your firewall for RTP traffic. Each call uses one RTP port (two if RTCP multiplexing is off).
Module loading: Explicitly loading res_srtp.so enables SRTP for encrypted media. bridge_softmix.so is needed for mixing multiple audio/video streams in conferences.

Tips

Generate self-signed certificates with ast_tls_cert: ./ast_tls_cert -C pbx.example.com -O "My Company" -d /etc/asterisk/keys.
For JsSIP, configure the WebSocket URL as wss://your-asterisk:8089/ws.
Browser WebRTC requires HTTPS origin. Serve your web application over HTTPS or use localhost for testing.
If you see "oops, certificate not trusted" errors, import the CA certificate into your browser or use a publicly trusted certificate (Let's Encrypt).
Test with pjsip show endpoint webrtc_client and pjsip show contacts to verify registration.
For NAT traversal beyond ICE, configure a STUN/TURN server and set ice_support = yes (already enabled by webrtc = yes).

User Notes

No notes yet. Be the first to contribute a tip or example.

Contribute a note

Share a tip, gotcha, or practical example. Keep it under 2000 characters. No questions (use the Asterisk community forums for support). Wrap code in backticks.

Related Snippets

SIP Video Call Support

Enable video calling in Asterisk -- configure video codecs (H.264, VP8, VP9) on PJSIP endpoints, set up video for WebRTC...

Configuration pjsip configuration codecs

PJSIP SIP Trunk Configuration

Complete PJSIP trunk setup with registration, endpoint, AOR, and identify sections

Configuration sip pjsip trunk

PJSIP Endpoint Templates and SIP Trunk

PJSIP configuration with template inheritance for endpoints, multi-transport setup, and SIP trunk registration.

Configuration pjsip configuration sip-trunk

BLF Hints for Desk Phones

Configure Busy Lamp Field indicators so desk phones show extension status

Configuration pjsip polycom configuration

PJSIP Configuration from Scratch

Complete PJSIP setup: transports, endpoints, template inheritance, SIP trunk registration, outbound dialing, and trouble...

Getting Started sip pjsip configuration