27. Install Roundpin

by Double Bastion - Updated September 20, 2022

27.1. Introduction

Roundpin is a fully featured browser phone that implements audio/video calling, video conferencing and text messaging using SIP over WebSocket and WebRTC. It can connect to SIP providers via Asterisk or directly.

Roundpin is intended to be used in conjunction with Asterisk, to benefit from the control, autonomy and advanced PBX features offered by Asterisk. However, if you don’t want to install Asterisk and you don’t need the text messaging and video call/video conference functionality of Roundpin, you can connect it directly to the SIP provider, on the condition that they allow direct connections from web applications that use SIP over WebSocket. We explain below how to connect Roundpin to a SIP provider both via Asterisk and directly.

If Asterisk is used, you can have free video, audio and text conversations with other extensions configured on the same Asterisk server. By connecting your Asterisk server to a SIP provider like Telnyx or Localphone, you can also make and receive audio phone calls to/from any phone number in the world, using a real phone number attached to your SIP account. In the installation instructions mentioned below, we describe in detail how to configure Asterisk and how to connect it to a Telnyx or Localphone account. However, any SIP provider that allows external Asterisk servers to connect to them, will work.

Roundpin also implements video conferencing. Users can initiate video conferences with other extensions configured in Asterisk but also with external users who don’t have Roundpin accounts. If they have a device with a video camera, to participate in a conference, external users only need a browser and the link to the conference.

Roundpin logs recent phone calls and their duration, it allows pausing, muting and transferring phone calls, as well as in-browser call recording for one-to-one audio/video calls. The underlying Asterisk server can be used to implement advanced PBX features, such as Interactive Voice Response (IVR or voice menu), voicemail, queue management, music on hold, number blacklisting, call recording, etc., as we describe in detail in the documentation mentioned below. All these can be done independently of your SIP provider. You need a SIP provider only to attach a regular phone number to your SIP account and be able to interface with the Public Switched Telephone Network (PSTN); all the rest can be done on your own server, including the IVR, voicemail, call recording, etc. This allows you to have total control over your communications and more privacy than if you were using your SIP provider’s voicemail, call recording, etc.

It is known that VoIP phone calls are up to 70% cheaper than regular phone calls. International VoIP phone calls can cost even 90% less than regular calls.

If you connect Roundpin to a SIP provider like Telnyx via Asterisk, you can make very cheap phone calls at prices starting from $0.005 per minute in the US. If you connect Roundpin directly to your SIP provider, you can make phone calls at prices starting at $0.002 per minute in the US. Phone numbers in various countries are offered at around $1/phone number/month.

The steps from below describing how to install Roundpin should be followed if you intend to connect Roundpin to the SIP provider via Asterisk, but also directly, without Asterisk.

27.2. Install Roundpin

To install Roundpin, first create a new directory:

mkdir /var/www/roundpin.example.com

Next, use a browser to navigate to the official web page, right-click on the ‘Download’ button and select ‘Copy Link’ to copy the download link to the clipboard, then run the following commands to download the zip file to your server:

cd /var/www/roundpin.example.com
wget https://www.doublebastion.com/wp-content/uploads/2022/01/roundpin_v1_0_0.zip

where https://www.doublebastion.com/wp-content/uploads/2022/01/roundpin_v1_0_0.zip is the download URL copied earlier.

Uncompress the zip file and then remove it:

unzip roundpin_v1_0_0.zip
rm roundpin_v1_0_0.zip

Change ownership and permissions for the /var/www/roundpin.example.com directory and its content:

chown -R www-data:www-data /var/www/roundpin.example.com
find /var/www/roundpin.example.com -type d -exec chmod 750 {} +
find /var/www/roundpin.example.com -type f -exec chmod 640 {} +

If you remember, when we described how to install Nextcloud, in the Obtain a Let’s Encrypt SSL certificate chapter, we explained how to obtain a Let’s Encrypt SSL certificate for both cloud.example.com and roundpin.example.com, so that you can connect to Asterisk, simultaneously, both SIP Trip Phone and Roundpin. Since you have a SSL certificate that is valid for both cloud.example.com and roundpin.example.com, you don’t need to obtain a new certificate for roundpin.example.com. You just have to mention that certificate in the Nginx configuration file, as explained below. Please note that Roundpin can only be installed over HTTPS. It will show an error message if you try to install it over HTTP.

27.3. Configure Nginx for Roundpin

Open the Nginx server blocks configuration file for editing:

nano /etc/nginx/sites-enabled/0-conf

Add the following blocks at the bottom of the file:

server {
    listen  80;
    listen [::]:80;
    server_name roundpin.example.com;
    return  301 https://roundpin.example.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name roundpin.example.com;
    root /var/www/roundpin.example.com;
    index index.php;

    ssl_certificate /etc/letsencrypt/live/cloud.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cloud.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/cloud.example.com/chain.pem;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;

    ssl_session_timeout 4h;
    ssl_session_cache shared:SSL:40m;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
    fastcgi_hide_header X-Powered-By;

    add_header X-Frame-Options SAMEORIGIN;

    location = /robots.txt {
        allow all;
    }

    location ^~ /.well-known/acme-challenge {
        root /var/www;
    }

    location / {
       try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
       try_files $uri =404;
       fastcgi_split_path_info ^(.+\.php)(/.+)$;
       include fastcgi_params;
       fastcgi_index index.php;
       fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
       fastcgi_param HTTPS on;
       fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    location /restr {
       deny all;
    }

    location /textchat {
       allow 127.0.0.1;
       deny all;
    }

    access_log /var/log/sites/roundpin.example.com/access.log;
    error_log  /var/log/nginx/roundpin.example.com.error.log notice;
}

Replace example.com with the main domain hosted on your server. Create the access log directory:

mkdir -p /var/log/sites/roundpin.example.com

Restart Nginx:

systemctl restart nginx

27.4. Configure logrotate to rotate Roundpin logs

Configure logrotate to rotate the new access log:

nano /etc/logrotate.d/nginx

Add the following section at the bottom of the file:

/var/log/sites/roundpin.example.com/access.log {
	missingok
	rotate 10
	compress
	delaycompress
	notifempty
	create 0640 www-data adm
	size 2M
	sharedscripts
	prerotate               
		if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
			run-parts /etc/logrotate.d/httpd-prerotate; \
		fi; \
	endscript

        postrotate
                [ ! -f /var/run/nginx.pid ] || kill -USR1 `cat /var/run/nginx.pid`
        endscript 
}

Replace example.com with the main domain hosted on your server.

27.5. Run the web-based installation

Use phpMyAdmin to create a MariaDB database (for example roundpindb), a user (for example roundpindbuser) and a password.

Then copy the roundpin-setup.php_sample file as roundpin-setup.php and change ownership, like this:

cd /var/www/roundpin.example.com
cp roundpin-setup.php_sample roundpin-setup.php
chown www-data:www-data roundpin-setup.php

Also, open the /var/www/roundpin.example.com/install-signup-check.php file for editing:

nano /var/www/roundpin.example.com/install-signup-check.php

Change the $installcheck and the $signupcheck parameters from false to true, to make them look like this:

$installcheck = true;

$signupcheck = true;

Next, use a browser to navigate to:

https://roundpin.example.com/roundpin-setup.php

You will see the following screen:

Enter the database name, database user and database user password, then click ‘Next’.

In the second installation screen enter the credentials of the Superadmin: username, password, email address. Then click ‘Submit’. The third screen will inform you that the installation is complete.

After the installation, the roundpin-setup.php file will become inaccessible. If you want to access it again in the browser and run the setup process again, you will have to manually edit the /var/www/roundpin.example.com/install-signup-check.php file, and change the $installcheck parameter from false to true again. Once the installation is complete, it’s recommended to delete the roundpin-setup.php file:

rm /var/www/roundpin.example.com/roundpin-setup.php

Next, navigate to https://roundpin.example.com and log in to Roundpin using the username and password that you have set up earlier for Superadmin:

When a new user will want to register, (s)he will have to navigate to the login page, (https://roundpin.example.com), and click the ‘SIGN UP’ tab:

The new user will enter her/his email address, username, password and role (Regular User or Superadmin), then click ‘SIGN UP’. The difference between Superadmin and Regular User is that the Superadmin will be able to create video conference links and give them to external users, so that they can participate in video conferences without having a Roundpin account. The video conference links can be created in the ‘Settings’ window, ‘Audio & Video’ section, under ‘External Video Conference Users’, as we’ll explain further down below. The Regular Users won’t see the ‘External Video Conference Users’ section, so, they won’t be able to create such links.

In general, only a single person is a Superadmin: the person who installs and administers Roundpin. Yet, the application allows multiple Superadmins to register, in case multiple users with full privileges are needed.

After registration, the user will receive a confirmation email to the email address (s)he has provided. After clicking the link in that email to confirm their email address, they will be able to log in to Roundpin at https://roundpin.example.com using the username and password set up at registration.

When you know that all the Superadmins and Regular Users have registered, it’s recommended that you disable the ‘SIGN UP’ tab on the login form, by editing the /var/www/roundpin.example.com/install-signup-check.php file and changing $signupcheck = true; to $signupcheck = false; Then, if you ever want to give other users the opportunity to register, you can re-enable the ‘SIGN UP’ tab again, by changing the $signupcheck parameter from false to true.

27.6. Move the roundpin-config.php file outside the web root

Since the /var/www/roundpin.example.com/roundpin-config.php file contains sensitive information, it’s recommended to move it outside the web root by running:

cp /var/www/roundpin.example.com/roundpin-config.php /srv/scripts/roundpin.php

Then change ownership and permissions for the /srv/scripts/roundpin.php file:

cd /srv/scripts
chown www-data:root /srv/scripts/roundpin.php
chmod 400 /srv/scripts/roundpin.php

Then replace the content of /var/www/roundpin.example.com/roundpin-config.php like this:

cd /var/www/roundpin.example.com
cat /dev/null > roundpin-config.php
nano roundpin-config.php

Enter the following content inside this file:

<?php include('/srv/scripts/roundpin.php'); ?>

27.7. Configure Fail2ban to protect Roundpin against brute-force attacks

First add a new filter in the /etc/fail2ban/filter.d directory:

nano /etc/fail2ban/filter.d/roundpin.conf

Add the following content inside this file:

[Definition]

failregex = ^<HOST> .* \"POST /roundpin-login.php HTTP/2.0\" 200 724 .*$
ignoreregex = 

Then edit the /etc/fail2ban/jail.local file:

nano /etc/fail2ban/jail.local

Add the following block right before the [phpmyadmin] block:

[roundpin]
enabled  = true
filter   = roundpin
logpath  = /var/log/sites/roundpin.example.com/access.log
port     = 80,443
findtime = 3600
maxretry = 4
bantime = 604800

Replace example.com with the main domain hosted on your server. Reload Fail2ban:

systemctl reload fail2ban

27.8. Configure Roundpin

27.8.1. Configure Roundpin so that it connects to the SIP provider via Asterisk

To use all the features of this application first install Asterisk and configure it as explained in the Install Asterisk chapter. Also, to help in situations where callers are behind routers, install Coturn as a STUN server, as explained in the Install Coturn chapter.

After installing and configuring Asterisk and Coturn, log in to Roundpin. On your first login, the ‘Settings’ pop-up window will show up, inviting you to enter your credentials, so that Roundpin can register to the underlying Asterisk server, to be able to make and receive phone calls:

In the ‘Connection Settings’ section, enter the following credentials:

WebSocket Domain : roundpin.example.com

WebSocket Port: 8089

WebSocket Path: /ws

Display Name: The name that you want to associate with your extension, for example: John Smith

SIP Username: Your extension number configured in Asterisk (as explained in the ‘Install Asterisk’ chapter), for example: 601

SIP Password: The password for the extension entered in the previous field, as it is configured in the /etc/asterisk/pjsip.conf file

STUN server domain or IPv4 address, and port number: If you have configured Coturn as a STUN server as we explained in the Install Coturn chapter, enter the IPv4 address of your server followed by the port number used by Coturn, like this:

123.123.123.123:8443

where 123.123.123.123 is the IPv4 address of your server.

After you fill out the fields mentioned above, Roundpin will be able to connect to the Asterisk server. Yet, it’s recommended to also review the settings in the ‘Audio & Video’ section:

Here it’s recommended to leave the Speaker, Ring Device and Microphone sections as they are and to leave ‘Auto Gain Control’, ‘Echo Cancellation’ and ‘Noise Suppression’ checkboxes checked. Under Camera you should select the camera that you want to use with Roundpin, in case you have multiple cameras attached to your computer. Under ‘Frame Rate (per second)’ it’s recommended to select 30, under ‘Quality’ select ‘HD’, under ‘Image Orientation’ select ‘Normal’, under ‘Aspect Ratio’ select ‘4:3’. You could experiment with different values in these fields, but the values that we mentioned usually work best.

Under ‘Video Conference Extension’ enter the extension that you configured in the /etc/asterisk/extensions.conf file for video conference purposes, as explained in the ‘Conference Calls’ subchapter of the ‘Install Asterisk’ chapter.

Under ‘Percent of screen width that the video conference windows will have’ enter the percent from the total screen width that you want the width of the video conference windows to represent. For example, if you want each video conference window to have a width which represents 32% of the total screen width, enter 32. If you don’t enter any value, the default of 32 will be applied.

In the ‘Profile Picture’ section you can upload your picture or an avatar, to have it displayed next to your name when you log in.

It’s also recommended to check the ‘Enable Onscreen Notifications’ checkbox in the ‘Notifications’ section.

If you followed the Install the mail server chapter and installed a complete mail server, and you want to integrate Roundcube with Roundpin, to be able to open a new email window with one click, to easily send emails to your Roundpin contacts, and to be able to check incoming emails from inside Roundpin, you should also fill out the fields in the ‘Email Integration’ section (please note that to be able to integrate Roundcube with Roundpin, you will need to enable the ‘autologon’ and ‘autologout’ plugins in Roundcube, as explained in the Enable the ‘autologon’ and ‘autologout’ plugins chapter):

Check the ‘Enable Roundcube email integration’ checkbox, in the ‘Roundcube domain’ field enter mail.example.com, where example.com is the main domain hosted on your server, in the ‘Roundcube user’ field enter the email address that you use to login to Roundcube (Eg: admin@example.com), in the ‘Roundcube password’ field enter the password for the mentioned Roundcube user. If you have enabled HTTP basic authentication for the mail.example.com domain, in the ‘Roundcube basic authentication username’ and ‘Roundcube basic authentication password’ enter the user and password respectively that you use for basic authentication on mail.example.com.

You can use the ‘Change Password’, ‘Change Email’ and ‘Close Account’ sections to change the password you use to log in to Roundcube, to change the email address associated with your Roundpin account, that you entered when you registered, and to close your Roundpin account, respectively.

To save the changes, click the ‘Save’ button. You can always re-open the ‘Settings’ window and change your settings by clicking on the ‘Settings’ wheel which can be seen in the lower right corner of this image:

27.8.2. Configure Roundpin so that it connects to the SIP provider directly

If you don’t need the text messaging and video call/video conference functionality of Roundpin and you don’t want to install Asterisk, you can connect it directly to the SIP provider. We explain below how to connect it to Telnyx, but in a similar way other SIP providers can be used if they allow direct connections from web applications using SIP over WebSocket. They should list the settings needed by WebRTC clients, as Telnyx does at the bottom of this page.

27.8.2.1. Configure your Telnyx account

After you sign up for a Telnyx account click on the ‘My Account’ icon in the upper right corner of the screen, then click on ‘My Account’, click the ‘Verifications’ tab and take the steps to undergo verification, so that you become ‘Level 1’ and ‘Level 2’ verified. ‘Level 1’ verification usually requires verifying the email address you used to create your Telnyx account, by clicking a link included in a message sent to that email address. ‘Level 2’ verification can be requested by pressing the ‘Verify’ button in the ‘Level 2 Verification’ section (on the ‘Verifications’ tab). After you make your request for ‘Level 2’ verification, a representative from Telnyx will look at your account details and (s)he may send you an email asking about the way you plan to use your Telnyx account, after which (s)he will approve the ‘Level 2’ verification. Being ‘Level 1’ and ‘Level 2’ verified unlocks all the features of a Telnyx account: you can buy numbers, assign a connection/messaging profile to a number, set up global messaging capabilities, create a multi-user organization, make international calls, set up call forwarding, send SMS messages at a higher rate.

While logged in to your Telnyx account, click on Numbers on the left panel. To buy a real phone number located in a country of your choice click on the ‘Search & Buy Numbers’ tab, then under ‘Local Numbers’, in the ‘Search Type’ select ‘Region’, in the ‘Region’ text field enter the name of the country, in the ‘Number Features’ select ‘Voice’, then, if you want your number to have other capabilities select other features such as ‘SMS’ from the drop-down list, then click on the ‘Search Numbers’ button. You will see a list with all the numbers available in the selected region. Choose the number that you like, click ‘Add to Cart’, then click on ‘Cart’ on the upper bar, then click on the ‘Place Order’ button.

After you have bought a local phone number click on ‘Numbers’ on the left panel; on the ‘My Numbers’ tab you will see your number in the list of acquired phone numbers.

Then click on SIP connections on the left panel, click on the ‘Add SIP Connection’ button, in the ‘Name’ field enter the name of the new SIP connection, for example Roundpin_Calls, then click on ‘Create SIP Connection’. After you create the new connection click on the small pencil icon to open the options window. On the options window, on the ‘BASIC’ tab, under ‘SIP Connection Type’ choose ‘Credentials’, then in the ‘Username’ field enter a username for this connection, roundpinuser for example, in the ‘Password’ field enter a strong password; write down the username and password to use them later. Next, under ‘AnchorSite’ choose a town that is closer to the physical location of your server, then, under ‘Expert Settings’, in the ‘Port’ drop-down list choose ‘rtcp-mux’. Next, click on the ‘INBOUND’ tab and in the ‘Number Format (DNIS)’ drop-down list choose ‘SIP Username’. (The last 2 settings are extremely important. If you connect Roundpin to Telnyx via Asterisk, the last 2 settings will be different, namely ‘Port’: ‘rtp+1’ and ‘Number Format (DNIS)’: ‘E.164’.) To be able to hear a ringing sound when calling a number, click on the ‘OUTBOUND’ tab, then click on ‘Expert Settings’, then, under ‘Ringback Settings’ choose ‘Enable Instant Ringback (180)’ from the drop-down list. Leave all the other settings as they are and click on the ‘Save All Changes/Done Editing’ button.

To be able to make phone calls you will also need to configure an Outbound Voice Profile. On the left panel click on ‘Outbound Voice Profile’, then click on the ‘Add New Profile’ button. In the ‘Name’ field enter a name for the profile, 1_outbound for example, then click ‘Create’. In the new window, under ‘Associated Connections and Applications’ click ‘Add connections/apps to profile’, select the name of the SIP connection created earlier, Roundpin_Calls in this example, by checking its checkbox, then click ‘Add Connections/Apps to profile’. Next, under ‘Traffic Type’ choose ‘Conversational’, then under ‘International Allowed Destinations’ select the countries and regions to which outbound calls will be allowed, by clicking their name. You can select all the 253 countries and regions, to allow outbound calls to all of them. Click on ‘Save’ to save the changes.

Next, create a Billing Group. Click on the ‘My Account’ icon in the upper right corner of the screen, then click on the ‘Billing Groups’ tab. In the ‘Create Billing Group’ field enter a name, Default_Billing for example, then click on ‘Create’. Then add the billing group to your phone number: click on ‘Numbers’ on the left panel, then on your number’s row, in the ‘Billing Group’ field select the billing group that you have just created, Default_Billing in this example. Also, in the ‘Connection or App’ field on the same row, choose the connection created earlier, Roundpin_Calls in this example.

27.8.2.2. Configure Roundpin

On your first login, the ‘Settings’ pop-up window will show up, inviting you to enter your credentials, so that Roundpin can register to your SIP account:

In the ‘Connection Settings’ section, enter the following credentials:

WebSocket Domain : sip.telnyx.com

WebSocket Port: 7443

WebSocket Path: /

Display Name: 13030303030 (Replace 13030303030 with the phone number that you have configured in your Telnyx account as explained above. It has to include the country calling code: 1 for US, 49 for Germany, 44 for UK, etc.)

SIP Username: roundpinconnectionuser (Replace roundpinconnectionuser with the username for the SIP connection that you associated with your phone number in your Telnyx account.)

SIP Password: strongpassword (Replace strongpassword with the password for roundpinconnectionuser.)

STUN server domain or IPv4 address, and port number: stun.telnyx.com:3478

After you fill out the fields mentioned above, Roundpin will be able to connect to your Telnyx account. Yet, it’s recommended to also review the settings in the ‘Audio & Video’ section:

Here it’s recommended to leave the Speaker, Ring Device and Microphone sections as they are and to leave ‘Auto Gain Control’, ‘Echo Cancellation’ and ‘Noise Suppression’ checkboxes checked.

Since you connect Roundpin directly to Telnyx, the video calls/conferences functionality won’t be available, therefore, leave all the video settings as they are.

In the ‘Profile Picture’ section you can upload your picture or an avatar, to have it displayed next to your name when you log in.

It’s also recommended to check the ‘Enable Onscreen Notifications’ checkbox in the ‘Notifications’ section.

If you followed the Install the mail server chapter and installed a complete mail server, and you want to integrate Roundcube with Roundpin, to be able to open a new email window with one click, to easily send emails to your Roundpin contacts, and to be able to check incoming emails from inside Roundpin, you should also fill out the fields in the ‘Email Integration’ section (please note that to be able to integrate Roundcube with Roundpin, you will need to enable the ‘autologon’ and ‘autologout’ plugins in Roundcube, as explained in the Enable the ‘autologon’ and ‘autologout’ plugins chapter):

Check the ‘Enable Roundcube email integration’ checkbox, in the ‘Roundcube domain’ field enter mail.example.com, where example.com is the main domain hosted on your server, in the ‘Roundcube user’ field enter the email address that you use to login to Roundcube (Eg: admin@example.com), in the ‘Roundcube password’ field enter the password for the mentioned Roundcube user. If you have enabled HTTP basic authentication for the mail.example.com domain, in the ‘Roundcube basic authentication username’ and ‘Roundcube basic authentication password’ enter the user and password respectively that you use for basic authentication on mail.example.com.

You can use the ‘Change Password’, ‘Change Email’ and ‘Close Account’ sections to change the password that you use to log in to Roundcube, to change the email address associated with your Roundpin account, that you entered when you signed up, and to close your Roundpin account, respectively.

To save the changes, click the ‘Save’ button. You can always re-open the ‘Settings’ window and change your settings by clicking on the ‘Settings’ wheel displayed in the lower right corner of this image:

27.9. Using Roundpin

If you click on your picture, you will see the following menu:

You can use this menu to auto-answer all incoming calls, to set the ‘Do Not Disturb’ status, which will make all incoming calls to fail (all incoming calls will be automatically ended, you won’t hear any ringing but you will see the notice ‘You missed a call (Busy Here)’ on the call log displayed on the right panel when you click on the name of the contact who called); you can also set the ‘Call Waiting’ status, which is the default status, you can refresh registration on the Asterisk server, you can add a contact and you can log out. To add a contact click on the ‘Add Contact’ option. You will see the ‘Add Contact’ pop-up window:

The only mandatory field is the ‘Display Name’. Yet, you should enter as many contact details as you have for each contact. If the contact has an extension configured on the underlying Asterisk server, like 602, 603, etc., enter it in the ‘Extension (Internal)’ field. If the contact is an external user, leave the ‘Extension (Internal)’ field empty and enter just the other details. When finished, click ‘Add’. You will see the contact’s name on the left panel. If you have a picture of the newly added contact, you can add it by clicking on the contact’s picture placeholder, which will open the ‘Edit Contact’ pop-up window:

In the ‘Edit Contact’ window you can add a picture but you can also edit all the other contact details.

After you have added an extension as a contact, if that extension is online, you will see a green status circle below its picture. If you click on its name, the right panel will open and there you can initiate a text conversation:

You can add emoticons to your text messages and you can send files to your interlocutor. To send a file click the ‘Send File’ button at the right end of the text editing field, then click the ‘Select File’ button on the horizontal bar above the text editing field, to choose a file from your computer and attach it to your message:

Once you click the ‘Send Message’ button, both the text message and the file will be sent:

Both the sender and the receiver are able to download the file by clicking on its link, in the chat history panel. If you installed the ClamAV antivirus, as explained in the Install ClamAV and integrate it using clamav-milter chapter, any file sent in this way will be automatically scanned with clamav-daemon, so that only the files free from viruses or other types of malware can get through.

All text messages are encrypted twice: apart from TLS encryption, each message is encrypted using asymmetric cryptography (1024 bit RSA keys). Every time a user reloads the page, a new private – public key pair is generated for that respective user.

If you hover over the name of an extension on the left panel, you will see two small buttons, one for the audio and the other for the video call. If both you and the other person have functioning microphones and speakers detected by the browsers and you click on the ‘Audio Call’ button, you can initiate an audio call:

During an audio call you can mute your microphone, record the conversation, transfer the call to another extension, pause the call or hang up, by pressing the respective buttons.

If both you and the other person have functioning microphones, speakers and cameras detected by the browsers and you click on the ‘Video Call’ button, you can initiate a video call:

You can have text/audio/video conversations with other extensions configured in Asterisk. With contacts that are not extensions, you can have only audio conversations. Yet, if contacts are not extensions but they have a device with a browser and Internet access, you can have a video conversation with them by using a special feature of Roundpin that allows you to initiate video conferences with external users; they only need a link to participate in a video conference, as we explain in the Video Conferences with external users chapter, further down below.

If you installed a complete mail server as explained in the Install the mail server chapter and you enabled Roundcube integration as explained above, when you click the envelope shaped ‘Email’ button on the logo bar, you will be automatically logged in to Roundcube and your Inbox will be displayed on the right panel:

If a contact has an email address in its saved data and you hover over its name on the left panel, you will see a small envelope shaped button next to the ‘Audio Call’ button. When you click that button, a new ‘compose’ window will open on the right panel, with the contact’s email address already entered in the ‘To’ field. All you will have to do is to enter a subject, the text of the email, then press ‘Send’, to send the email:

27.9.1. Dial any number

As explained earlier, Roundpin can be used like a real phone, to call any real phone number in the world. To dial a number, click on the ‘Dial Number’ button located below your name. This will open the dial pad:

roundpin_dial_pad

Any phone number that you enter has to be preceded by the country calling code. For example, if you want to call the German phone number 1212121212, you will dial 491212121212, where 49 is the country calling code of Germany. There is no need to add a + sign or 00 in front of the country calling code.

A similar dial pad can be seen if during a phone conversation you click the ‘Show Key Pad’ button located alongside the ‘Mute’, ‘Start Call Recording’, ‘Transfer Call’, ‘Hold Call’ and ‘End Call’ buttons. That dial pad is used to press specific keys when listening to the IVR prompts.

27.9.2. Regular video conferences

Below your Roundpin display name, next to the ‘Dial Number’ button, there is the ‘Launch Video Conference’ button. By clicking on it, you can enter the video conference configured for the extension that you entered earlier in the ‘Settings’ window, ‘Audio & Video’ section, ‘Video Conference Extension’ field. You can be the first who enters the conference, or you can be the second, third, etc., in case other Roundpin users, have already initiated the conference. The width of the video window for all participants will be the one that you have set up in the ‘Percent of screen width that the video conference windows will have’ field.

While in a video conference, if you hover over your video window (the leftmost on the first row), you will see a bar with several controls at the upper right corner of the window.

roundpin_video_conference_controls

Using these controls you can open a dial pad (to enter the pin of the conference, if required), mute your audio stream, mute your video stream, share your screen or any open window on your screen, return to video camera sharing, set the video window in fullscreen mode.

While in a video conference, if you click on the small arrow located at the top of the screen, the Hangup/Fullscreen bar will open:

You can set the entire screen in fullscreen mode by clicking the ‘Fullscreen’ button. When you want to exit the video conference you can click the ‘Hangup’ button. This will end the conference call for you, while the other participants can continue to participate in the conference.

27.9.3. Video Conferences with external users

If you are a superadmin, in the ‘Settings’ window, at the bottom of the ‘Audio & Video’ section, you will see the ‘External Video Conference Users’ section. Here you can enter a special extension that you have configured in Asterisk: the extension that would allow external users to access a video conference without having a Roundpin account. Let’s say that you choose 789 as the special extension. Edit the /etc/asterisk/pjsip.conf file:

nano /etc/asterisk/pjsip.conf

Add the following blocks right above the [publish-extension-state] block:

; External video conference user

[789]
type=aor
max_contacts=250

[auth789]
type=auth
auth_type=userpass
username=789
password=Y24bE9vtt4wL2szK9q

[789]
type=endpoint
context=context-out
message_context=textmessages
aors=789
auth=auth789
transport=transport-wss
webrtc=yes
disallow=all
allow=ulaw
allow=alaw
allow=vp8
allow=h264
max_audio_streams=10000000
max_video_streams=10000000
dtls_cert_file=/etc/asterisk/keys/asterisk.pem
dtls_private_key=/etc/asterisk/keys/asterisk.key


[789]
type=identify
endpoint=789
match=123.123.123.123

where Y24bE9vtt4wL2szK9q is a strong password and 123.123.123.123 is the public IP of your server. Restart Asterisk to apply the changes:

systemctl restart asterisk

Next, in the ‘External Video Conference Users’ section mentioned above, in the ‘Extension’ field enter 789, in the ‘SIP Password’ field enter the password set up in Asterisk for extension 789, Y24bE9vtt4wL2szK9q in our example, then click the ‘Save’ button. A pop-up message will announce you that the data has been saved successfully. The page will refresh itself automatically and when you will open the ‘Settings’ window again, the ‘External Video Conference Users’ section will look like below:

As you can see, the ‘Link’ field has been populated with an automatically generated link, that you can copy to clipboard by clicking the ‘Copy link to clipboard’ icon. You can then send that link to any user by email or by other means and they can access the conference as extension 789, without the need for a Roundpin account. All they need is the link and a device with a browser and Internet access.

Please note that the link doesn’t contain the plain text SIP password for extension 789. It doesn’t even contain the SIP password in an encrypted form. All it contains is the domain of the server, roundpin.example.com, and the extension number (789) and the Roundpin username of the superadmin who generated the link (john_doe , for example), both the extension number and the username being encrypted with a strong encryption algorithm.

You can set up multiple extensions for external users (790, 791, 792, etc.) in the same way as you did for 789. In this way, you can create multiple links for external access to video conferences. Please note that although many different users can enter a video conference simultaneously using the same generated link (and the same Asterisk extension), it’s recommended to generate and give different links to different external users.

All the generated links will be functional as long as they exist. After a video conference takes place and one or multiple external users have used the links that you have sent them in advance, you can remove those links by clicking on the X sign next to the ‘Edit’ button. If at least one link associated with your username exists in the database, when you click ‘Log Out’, you will see a pop-up message informing you that there are links saved in the database that can give external users access to the video conferences and that you can remove all the links saved to the database associated with your username. If you click OK, all the links will be automatically removed from the database and thus will become non-functional.

27.9.4. In-browser call recording

Please note: if you want to record an audio or video call by pressing the ‘Start Call Recording’ button that appears alongside the ‘Show Key Pad’, ‘Mute’, ‘Transfer Call’, ‘Hold Call’ and ‘End Call’ buttons while in a conversation, you will have to have browser history enabled in your browser. In Firefox, in ‘Privacy & Security’ > ‘History’, you should select either ‘Remember history’ or ‘Use custom settings for history’ and check ‘Remember browsing and download history’. Otherwise, pressing the ‘Start Call Recording’ button will not work. Also, please note that it would be fair-play to warn the other party of your intention to record the conversation before starting recording. If you just press the ‘Start Call Recording’ button, your interlocutors will not know that they will be recorded. This is why the best method of implementing call recording is at the level of Asterisk, which involves playing a warning message before starting the recording, as explained in the Call recording subchapter of the Install Asterisk chapter. Also, at the moment, the in-browser call recording functionality can be used only in one-to-one audio/video calls and not in video conference calls. If you need to record a video conference, the best method for the moment is to use OBS Studio, installed on your local computer.

27.10. Upgrading Roundpin

First archive the /var/www/roundpin.example.com folder and include the date in the name of the archive:

cd /var/www
tar czf roundpin.example.com-2020-5-21.tar.gz roundpin.example.com

Store the archive in a safe place as backup.

Next, export Roundpin’s database using phpMyAdmin. Once logged in to phpMyAdmin click on the name of the database on the left panel (roundpindb in our example), then click on Export on the upper bar, then click on ‘Go’. After you save the sql file on your computer, rename it to include the date, then place it in a safe location, along with the archive created above.

Then download the new version of Roundpin from the official web page and upload it to the /var/www/roundpin.example.com folder, overwriting the old files with the new ones. Change ownership and permissions:

cd /var/www
chown -R www-data:www-data roundpin.example.com
find /var/www/roundpin.example.com -type d -exec chmod 750 {} +
find /var/www/roundpin.example.com -type f -exec chmod 640 {} +

27.11. Privacy of phone conversations

As mentioned, if you use Roundpin, when you make audio/video calls or have text conversations with other extensions configured on your Asterisk server, the data transfer between a user’s browser, the server and the other user’s browser, is TLS encrypted. This is also true for video conferences. In addition, all text messages are encrypted with a 256 bit AES key which is regenerated for each message and is itself encrypted before being transmitted, with the receiver’s RSA public key which is regenerated on each page load. We can call this end-to-end encryption.

However, if you make phone calls to mobile or landline phone numbers, all the data will pass through Telnyx or Localphone servers and through other servers of different phone carriers, downstream. This means that the audio calls to regular phone numbers will only be encrypted on the ‘browser – to – server’ leg of the journey, but not on the ‘server – to – Telnyx/Localphone – phone carriers – receivers’ leg of the journey. This also applies to phone calls to/from regular phone numbers made with SIP Trip Phone, and to SMS messages sent/received with SMS Relentless and to faxes sent/received with Pax Fax, although in the case of SMS messages and faxes, the path between your server and Telnyx/Plivo/Twilio/Flowroute/Phaxio servers is also encrypted, since the data is transferred via requests over HTTPS. (The incoming SMS messages and faxes are also signed, and this allows SMS Relentless and Pax Fax respectively, to verify the authenticity of all the incoming SMS messages and faxes.)

Also, you have to be aware that even the providers that we recommend (Telnyx, Localphone, Plivo, Phaxio) as well as all the other similar providers, can use, and in general do use, the hosting services of tech giants like Google, Microsoft, Amazon, IBM, while the phone carriers that allow the phone calls, SMS messages, faxes to reach their final receivers, can also use the hosting services offered by the mentioned companies. This is something that you cannot control, since regular phone calls, SMS messages and faxes are not encrypted and they normally pass through the servers of various companies spread around the globe, depending on the destination of the phone calls/SMS messages/faxes. Nobody can convince all the SIP providers and phone carriers in the world to strictly avoid the hosting services of the mentioned tech giants. This means that when you use the applications included in RED SCARF Suite to make/receive phone calls to/from regular phone numbers, or to send/receive SMS messages, or to send/receive faxes, you have to be aware that only a part of the data transfer is encrypted, and that in many cases, this transfer is made via the servers of the big tech giants which we fight against.

The conclusion is that although communication between Asterisk extensions is secure and all the faxes sent/received via Phaxio can be HIPAA compliant if you follow all the instructions detailed in this guide and the steps presented on Phaxio’s website, it’s good to keep in mind that communication with regular phone numbers depends on different carriers from different parts of the world and it has its privacy challenges.

The solution to this privacy issue is to avoid transmitting extremely sensitive data by means of regular phone calls or SMS messages or faxes. If you want to transmit extremely sensitive data, a more secure way is to use encrypted emails, as we describe in the Install Thunderbird and use it to encrypt/decrypt emails chapter. Yet, you have to be aware that no type of digital encryption is 100% secure due to various factors that are associated with it, like operating system or application vulnerabilities, social factors, etc. Therefore, if you want to transmit extremely sensitive data, we recommend using the ‘Ben Laden method’ of communication, which means to avoid all types of electronic devices and convey the message face to face.

You can send your questions and comments to: