Linux | Install and Configure Asterisk PBX on Ubuntu 24.04 / Debian 13

Linux | Install and Configure Asterisk PBX on Ubuntu 24.04 / Debian 13

Asterisk is a powerful, open-source communications framework that transforms a standard Linux server into a comprehensive Private Branch Exchange (PBX). Key highlights of this guide include:

• Capabilities: It supports SIP trunking, IVR, voicemail, and conferencing without the burden of per-seat licensing fees.

• Version & Support: This guide focuses on Asterisk 22 LTS, the current Long-Term Support release, ensuring full support through October 2028.

• Technical Scope: The tutorial covers installing Asterisk from source on Ubuntu 24.04 and Debian 13, including:

• Compiling with PJSIP support.

• Configuring SIP endpoints and dialplans.

• Firewall configuration and softphone testing.

System Requirements & Preparation

• OS & Hardware: A server running Ubuntu 24.04 LTS or Debian 13 with a minimum of 2 CPU cores and 1 GB RAM.

• Connectivity: A Public IP address is required for remote SIP clients or trunking (essential for your Canada-to-Bangladesh link).

• Security & Firewall: The following ports must be open to allow signaling and voice traffic:

  • 5060/UDP (Standard SIP)

  • 5061/TCP (Encrypted SIP/TLS)

  • 10000-20000/UDP (RTP Media/Voice streams)

• Domain & SSL (Optional): A registered domain name is recommended if you plan to implement TLS/SRTP for secure, encrypted calling in production.

 Root or sudo privileges are required to perform the installation.

sudo -i

Step 1. Install Asterisk Build Dependencies

Asterisk is compiled from source, so we need development libraries and build tools. Start by updating the package index and installing the required packages.

apt update && apt upgrade -y 

Install the core build tools and libraries Asterisk needs for compilation:

apt install -y build-essential git curl wget subversion \

  libncurses5-dev libssl-dev libxml2-dev libsqlite3-dev \

  uuid-dev libjansson-dev libedit-dev pkg-config \

  autoconf automake libtool unixodbc-dev libcurl4-openssl-dev \

  libspeex-dev libspeexdsp-dev libogg-dev libvorbis-dev \

  libsrtp2-dev libopus-dev libresample1-dev sox mpg123 \

  xmlstarlet bison flex 

 These cover everything from TLS support (libssl-dev) to codec libraries (opus, speex, vorbis) and the SRTP stack needed for encrypted media.

Step 2. Download and Compile Asterisk 22 LTS

Download the latest Asterisk 22 LTS tarball from the official download server. The asterisk-22-current link always points to the newest 22.x release.

cd /usr/src

wget https://downloads.asterisk.org/pub/telephony/asterisk/asterisk-22-current.tar.gz

tar xzf asterisk-22-current.tar.gz

cd asterisk-22.*/

Run the prerequisite installation script to pull in any remaining dependencies specific to your distribution:

contrib/scripts/install_prereq install

The script detects your OS and installs any missing packages automatically. Next, configure the build with PJSIP support (the modern SIP stack that replaces the legacy chan_sip):

./configure --with-jansson-bundled --with-pjproject-bundled

The --with-pjproject-bundled flag builds PJSIP from the version bundled with Asterisk, which avoids library version conflicts with system packages. When the configure script finishes, you should see a summary showing all detected libraries.

Select which modules to build. The menuselect tool lets you enable or disable specific modules, codecs, and applications:

make menuselect.makeopts

menuselect/menuselect --enable CORE-SOUNDS-EN-WAV --enable CORE-SOUNDS-EN-G722 \

  --enable MOH-OPSOUND-WAV --enable MOH-OPSOUND-G722 \

  --enable EXTRA-SOUNDS-EN-WAV --enable EXTRA-SOUNDS-EN-G722 \

  menuselect.makeopts

This enables HD audio prompts (G.722) and music-on-hold files. Now compile Asterisk:

make -j$(nproc)

Compilation takes 10-15 minutes depending on your hardware. The -j$(nproc) flag uses all available CPU cores to speed things up. 

Step 3. Install Asterisk on Ubuntu / Debian

Once compilation finishes without errors, install the binaries, modules, and sample configuration files:

make install

make samples

make config

make install-logrotate

Here is what each target does:

- make install – copies binaries and modules to /usr/sbin/ and /usr/lib/asterisk/

- make samples – installs sample configuration files to /etc/asterisk/

- make config – installs the systemd service unit

- make install-logrotate – sets up log rotation so /var/log/asterisk/ does not fill your disk

Create a dedicated system user for Asterisk. Running as a non-root user is a basic security requirement:

groupadd asterisk

useradd -r -d /var/lib/asterisk -g asterisk asterisk

chown -R asterisk:asterisk /etc/asterisk /var/lib/asterisk /var/log/asterisk /var/spool/asterisk /var/run/asterisk /usr/lib/asterisk

Tell Asterisk to run as this user by editing the main configuration file:

vi /etc/asterisk/asterisk.conf

Find the (options) section and set the run user and group:

[options]

runuser = asterisk

rungroup = asterisk

Step 4. Configure PJSIP for SIP Connectivity

Asterisk 22 uses res_pjsip as its SIP channel driver. The legacy chan_sip module is deprecated and should not be used for new deployments. All SIP configuration goes in pjsip.conf – see the official PJSIP configuration guide for the full reference.

Open the PJSIP configuration file:

vi /etc/asterisk/pjsip.conf

Replace the contents with a clean base configuration. Update external_media_address and external_signaling_address with your server’s public IP:

[global]

type = global

user_agent = Asterisk PBX

; === Transport - UDP on port 5060 ===

[transport-udp]

type = transport

protocol = udp

bind = 0.0.0.0:5060

external_media_address = 192.168.100.100

external_signaling_address = 192.168.100.100

local_net = 192.168.101.0/24

local_net = 10.0.0.0/8

; === Transport - TCP on port 5060 ===

[transport-tcp]

type = transport

protocol = tcp

bind = 0.0.0.0:5060

; === Transport - TLS on port 5061 (production recommended) ===

;[transport-tls]

;type = transport

;protocol = tls

;bind = 0.0.0.0:5061

;cert_file = /etc/asterisk/keys/asterisk.crt

;priv_key_file = /etc/asterisk/keys/asterisk.key

;method = tlsv1_2

The external_media_address and external_signaling_address settings tell Asterisk what IP to advertise in SIP headers when behind NAT. The local_net entries define your private subnets so Asterisk knows when a client is local versus remote. Replace 192.168.100.100 with your actual public IP. The TLS transport is commented out – uncomment it and provide valid certificates for production use.

Step 5. Configure the Dialplan (extensions.conf)

The dialplan controls what happens when a call comes in or an extension is dialed. Open the extensions configuration:

vi /etc/asterisk/extensions.conf

Replace the contents with a basic internal calling dialplan:

[general]

static = yes

writeprotect = no

[globals]

[internal]

; Internal extensions - dial any 3-digit extension (100-199)

exten => _1XX,1,NoOp(Dialing extension ${EXTEN})

 same => n,Dial(PJSIP/${EXTEN},30,tTr)

 same => n,Voicemail(${EXTEN}@default,u)

 same => n,Hangup()

; Voicemail access - dial *97

exten => *97,1,VoiceMailMain(${CALLERID(num)}@default)

 same => n,Hangup()

; Echo test - dial *60 to verify audio path

exten => *60,1,Answer()

 same => n,Echo()

 same => n,Hangup()

This dialplan creates a context called (internal) where any 3-digit extension from 100 to 199 rings for 30 seconds, then sends unanswered calls to voicemail. The *97 extension lets users check voicemail, and *60 provides an echo test for verifying audio works in both directions.

Step 6. Create SIP Endpoints

Each SIP phone or softphone needs an endpoint, authentication, and AOR (Address of Record) entry in pjsip.conf. Add these blocks to the end of your /etc/asterisk/pjsip.conf file for two sample extensions:

vi /etc/asterisk/pjsip.conf

Append the following endpoint definitions:

; === Extension 100 ===

[100]

type = endpoint

context = internal

disallow = all

allow = ulaw

allow = alaw

allow = g722

allow = opus

auth = 100-auth

aors = 100-aor

direct_media = no

rtp_symmetric = yes

force_rport = yes

rewrite_contact = yes

[100-auth]

type = auth

auth_type = userpass

username = 100

password = ChangeMeNow100!

[100-aor]

type = aor

max_contacts = 3

remove_existing = yes

qualify_frequency = 30

; === Extension 101 ===

[101]

type = endpoint

context = internal

disallow = all

allow = ulaw

allow = alaw

allow = g722

allow = opus

auth = 101-auth

aors = 101-aor

direct_media = no

rtp_symmetric = yes

force_rport = yes

rewrite_contact = yes

[101-auth]

type = auth

auth_type = userpass

username = 101

password = ChangeMeNow101!

[101-aor]

type = aor

max_contacts = 3

remove_existing = yes

qualify_frequency = 30

Key settings explained:

• direct_media = no – forces media through Asterisk, which is essential when clients are behind NAT
• rtp_symmetric = yes and force_rport = yes – handle NAT traversal for both RTP and SIP signaling
• rewrite_contact = yes – rewrites the Contact header to the source address, fixing registration behind NAT
• qualify_frequency = 30 – sends OPTIONS pings every 30 seconds to keep NAT mappings alive and detect offline phones
• max_contacts = 3 – allows the same extension to register from up to 3 devices simultaneously

Change the passwords to strong unique values before going to production. Never use default or weak passwords on a SIP server – automated scanners constantly probe port 5060.

Step 7. Start and Enable the Asterisk Service

Configure the RTP port range before starting Asterisk. Open the RTP configuration:

vi /etc/asterisk/rtp.conf

Set the port range for media traffic:

[general]

rtpstart = 10000

rtpend = 20000

Now enable and start the Asterisk service:

systemctl enable asterisk

systemctl start asterisk

Verify Asterisk is running and check the version:

systemctl status asterisk

The service should show active (running). You can also check the version from the Asterisk CLI:

asterisk -rx "core show version"

This confirms Asterisk is running and shows the exact build version. To connect to the live Asterisk console for troubleshooting:

asterisk -rvvv

The v flags control verbosity level. Use -rvvvvv for maximum debug output when troubleshooting SIP registration issues.

Step 8. Configure Firewall for Asterisk PBX

Asterisk needs specific ports open for SIP signaling and RTP media. If you are running UFW (the default on Ubuntu), add these rules:

ufw allow 5060/udp comment "SIP signaling"

ufw allow 5060/tcp comment "SIP signaling TCP"

ufw allow 5061/tcp comment "SIP TLS"

ufw allow 10000:20000/udp comment "RTP media"

ufw reload

For Debian systems using nftables or iptables directly:

iptables -A INPUT -p udp --dport 5060 -j ACCEPT

iptables -A INPUT -p tcp --dport 5060 -j ACCEPT

iptables -A INPUT -p tcp --dport 5061 -j ACCEPT

iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT

iptables-save > /etc/iptables/rules.v4

Verify the ports are listening:

ss -ulnp | grep asterisk

You should see Asterisk listening on port 5060 for both UDP and TCP.

Production hardening suggestion: Do not expose SIP port 5060 to the entire internet. Use firewall rules to restrict access to known SIP trunk provider IP ranges and your office/VPN networks. SIP brute-force attacks are constant and aggressive. Consider using Kamailio as a SIP proxy in front of Asterisk for large deployments that need load balancing and advanced routing.

Step 9. Test with a SIP Client

Register a SIP softphone to verify the setup works. Popular free SIP clients include Linphone (Linux/Windows/Mac/mobile), MicroSIP (Windows), and Onaip (Android/iOS).

Configure the softphone with these settings:

• SIP Server / Domain: your server’s IP address or hostname
• Username: 100
• Password: ChangeMeNow100! (or whatever you set in pjsip.conf)
• Transport: UDP
• Port: 5060

After registering, check the registration status from the Asterisk console:

asterisk -rx "pjsip show endpoints"

You should see your registered endpoint with status “Avail” (available). To verify audio, dial *60 from the softphone – this runs the echo test. Everything you say should echo back to you after a short delay.

If registration fails, check the Asterisk log for details:

tail -50 /var/log/asterisk/messages

Common registration issues include wrong passwords, firewall blocking port 5060, or NAT settings misconfigured in the transport section. Make sure external_signaling_address in pjsip.conf matches your server’s actual public IP.

To test internal calling, register a second softphone as extension 101 and dial 100 from it. The phone on extension 100 should ring for 30 seconds as defined in the dialplan.

Step 10. Install FreePBX Web GUI (Optional)

If you prefer managing Asterisk through a web interface instead of config files, FreePBX provides a full-featured GUI on top of Asterisk. It handles extensions, trunks, IVR menus, ring groups, and call recording through a browser.

Install the web server and PHP dependencies FreePBX needs:

apt install -y apache2 mariadb-server mariadb-client \

  php php-cli php-mysql php-gd php-curl php-mbstring \

  php-xml php-zip php-bcmath php-intl \

  nodejs npm

Enable and start the database and web server:

systemctl enable --now mariadb apache2

Download and install the latest FreePBX release:

cd /usr/src

wget https://github.com/FreePBX/framework/archive/refs/heads/release/17.0.zip -O freepbx-17.zip

unzip freepbx-17.zip

cd framework-release-17.0

./install -n --dbuser=root

After installation completes, open http://your-server-ip/admin in a browser to access the FreePBX dashboard. Set an admin password on first login.

If you only need a web GUI for basic PBX management, FreePBX is the standard choice. For advanced setups that integrate with XMPP chat servers or require custom AGI scripting, working directly with Asterisk config files gives you more control.

Closure:

Your Asterisk 22 LTS is now operational on Ubuntu 24.04 or Debian 13. With the core framework in place, you can now transition from a basic setup to a production-ready communication system.

Key Expansion Options:

• Feature Richness: Integrate SIP trunks from your ITSP (like the AWS SIP stack), configure IVRs, voicemail-to-email, and call recording.

• Security & Encryption: For production, TLS/SRTP is essential for encrypting both signaling and voice media.

• Proactive Defense: Implement Fail2Ban to automatically block SIP brute-force attempts.

• Monitoring & Maintenance: Use AMI (Asterisk Manager Interface) or SNMP for real-time monitoring, and ensure regular database backups are scheduled.