Which ports to open for VICIdial

A plain-English firewall guide for VICIdial: the SIP and IAX signaling ports, the RTP media range, the web admin and agent ports, and why you almost never expose MySQL.

VICIfast Support

A VICIdial server that cannot reach the outside world is useless, but one that exposes everything to the outside world gets attacked within hours. The trick is opening exactly the ports VICIdial needs and nothing more. This post lists those ports, explains what each one carries, and ends with the one rule that keeps you out of trouble: least exposure.

Signaling: SIP and IAX

Signaling is the part of a call that sets up, rings, answers, and tears down. SIP (Session Initiation Protocol) is the most common protocol for this and listens on UDP 5060 by default (TCP 5060 if you use SIP over TCP). VICIdial also supports IAX2, an older protocol native to Asterisk that bundles signaling and media on a single UDP port, 4569. If you only use SIP carriers and SIP phones, you can leave the IAX port closed. Open what you actually use.

One caution worth repeating: UDP 5060 is the single most scanned port on a phone server. If you can restrict it to your carrier's IP addresses instead of opening it to the whole internet, do that. SIP brute-force attempts run constantly, and an open registrar with weak passwords is how dialers get hijacked.

Media: the RTP range

Once a call connects, the actual audio travels as RTP, a stream of UDP packets carrying voice. RTP does not use one port; it uses a range, commonly 10000 to 20000 UDP on a VICIdial box. Every concurrent call leg needs its own pair of ports inside that range, so the range has to be open end to end. The most common cause of one-way or no audio is an RTP range that is closed or mangled by a router.

This is also where NAT traversal bites people. If your server sits behind a router that rewrites addresses, the RTP packets can arrive at the wrong place even though signaling worked fine. A public IP on the server, or correct NAT settings in Asterisk, avoids most of this pain.

How a call uses each port

sequenceDiagram
  participant Carrier
  participant Server
  participant Agent
  Carrier->>Server: SIP setup on UDP 5060
  Server->>Agent: SIP ring on UDP 5060
  Agent->>Server: SIP answer on UDP 5060
  Server->>Agent: RTP audio on UDP 10000 to 20000
  Agent->>Server: RTP audio on UDP 10000 to 20000

Web: admin and agent screens

Agents and managers reach VICIdial through a web browser, so you need the web ports open: TCP 80 for plain HTTP and TCP 443 for HTTPS. In practice you should serve everything over 443 and redirect 80 to it, because the browser-based Webphone uses a secure websocket that only works over a valid HTTPS connection. Putting the whole interface behind TLS is covered in its own guide.

Database: keep MySQL private

MySQL listens on TCP 3306. On a single-server install, nothing outside the box needs to reach it, so leave 3306 closed to the internet entirely. The only time you open it is when a separate web server or a clustered second box has to query the database, and even then you restrict it to those specific internal addresses. An exposed database port is a direct path to your lead data.

The rule: least exposure

Open only the ports a real call or a real login needs, and scope each one as tightly as you can to the IPs that legitimately use it. For the wider context of standing a server up cleanly, see our complete guide to installing VICIdial. The companion piece on putting VICIdial behind HTTPS explains the web side in detail.
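The ports above, written out as a default-deny ruleset. This is an added example, not VICIfast's own configuration: the function name, the `ADMIN_NET` variable, the SSH rule, and every address are assumptions, and the addresses are constructed documentation ranges. "SIP peers" means your carrier's addresses plus any networks that host SIP phones.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset (IPv4); it applies nothing.
# Addresses are constructed documentation ranges, not real carriers or hosts.
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"  # assumption: SSH source, not covered in the post

rule() { printf '%s\n' "$*"; }

# vicidial_rules "<sip peer IPs>" "<db peer IPs>" <yes|no: IAX2 in use>
vicidial_rules() {
    sip_peers=$1; db_peers=$2; use_iax=${3:-no}
    rule '*filter'
    rule ':INPUT DROP [0:0]'        # default deny: anything not listed is closed
    rule ':FORWARD DROP [0:0]'
    rule ':OUTPUT ACCEPT [0:0]'
    rule '-A INPUT -i lo -j ACCEPT'
    rule '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    rule "-A INPUT -p tcp -s $ADMIN_NET --dport 22 -j ACCEPT"
    # Signaling: only from the peers that legitimately send it.
    # Add a matching "-p tcp" rule only if you run SIP over TCP.
    for ip in $sip_peers; do
        rule "-A INPUT -p udp -s $ip --dport 5060 -j ACCEPT"
        if [ "$use_iax" = yes ]; then
            rule "-A INPUT -p udp -s $ip --dport 4569 -j ACCEPT"
        fi
    done
    # Media: the whole RTP range, end to end. Left open to any source here
    # because media can arrive from addresses other than the signaling ones;
    # add -s if your carrier publishes its media ranges.
    rule '-A INPUT -p udp --dport 10000:20000 -j ACCEPT'
    # Web: admin and agent screens (80 is kept only to redirect to 443).
    rule '-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT'
    # Database: no rule at all on a single-server install.
    for ip in $db_peers; do
        rule "-A INPUT -p tcp -s $ip --dport 3306 -j ACCEPT"
    done
    rule 'COMMIT'
}

# Single server, two SIP carrier addresses, no IAX2, no external DB clients.
vicidial_rules "203.0.113.10 203.0.113.11" "" no
```

Review the printed rules, then load them with `iptables-restore` from a console session so that a wrong `ADMIN_NET` cannot lock you out.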

Getting a firewall both open enough to work and tight enough to be safe is fiddly, and a single wrong rule causes silent audio problems. VICIfast ships every server with the firewall already scoped correctly, provisioned in under 40 seconds. See VICIfast pricing if you would rather not tune iptables by hand.

About VICIfast LLC

VICIfast LLC operates a managed VICIdial hosting + BYOI service for outbound and inbound call centers. We run the dialers, the carriers, the recordings pipeline, and the compliance plumbing so operators don’t have to.

Citing this article

VICIfast Engineering. “Which ports to open for VICIdial”. VICIfast LLC, June 29, 2026. Retrieved from https://vicifast.com/blog/vicidial-firewall-ports
