In this article you will find instructions on how to install MikoPBX on a separate computer.
MikoPBX supports installation on a standalone computer. There are two installation methods:
Live USB — writing the image to a flash drive and then installing it onto another disk.
Bootable USB — installing the system directly onto the USB drive itself, allowing you to boot and run the system from it.
This section provides image writing instructions for all supported operating systems (Windows, macOS, Linux).
MikoPBX Manual
Description of MikoPBX and the sections you can find in the documentation. Introduction to the documentation.
Foreword
Welcome to the MikoPBX documentation resource! Here you can find step-by-step instructions related to interacting with the MikoPBX PBX system. For your convenience, the documentation is organized into sections - just like in the web interface, making it very easy to navigate.
Thank you for choosing MikoPBX! ❤️
Getting to know MikoPBX
Description of the first login to the MikoPBX web-interface
First login to the MikoPBX system
Go to the MikoPBX installation console and note the IP address that your PBX received.
Enter the received MikoPBX IP address in the web browser. The authorization page will be displayed. Log in using the default credentials:
System requirements
Description of system requirements for the MikoPBX system
Network Channel Requirement
An example of calculating the required channel bandwidth for different codecs for 30 simultaneous calls. PBX supports the most popular codecs:
G.711 - 4.67 Mbps
Installation by writing the image to a USB drive (Live USB)
Installing the system directly onto a USB drive (Bootable USB)
Hetzner cloud (In dev)
Setup
What is MikoPBX?
MikoPBX is a free telephony server with its own operating system and a simple, user-friendly web interface. It works with virtually any telephony technology in the world.
MikoPBX Interface
MikoPBX is a fully modular interface for Asterisk, written in PHP and JavaScript. This means that you can implement absolutely any additional Asterisk telephony functionality within MikoPBX. Moreover, if you develop a useful module, you can place it in the public repository and make it available to all MikoPBX users. Additionally, MikoPBX has very low hardware requirements:
Simultaneous Calls: Minimally Recommended Configuration
5 - 10: 1 GHz x86-64, 512 MB RAM
Up to 25: 3 GHz x86-64, 1 GB RAM
Over 25: 2 CPUs 3 GHz x86-64, 2 GB RAM or more
Where to Start?
To get started, you should install MikoPBX using any method convenient for you. Below are installation options. By clicking on their names, you can access detailed articles:
After installation, you can begin exploring your PBX system. The "User Guide" documentation will help you with this, providing detailed information about specific sections:
Module Management – this section provides a detailed explanation of how to install and manage modules.
Documentation on Specific Modules – in this section, you'll find detailed descriptions of each module, as well as steps for configuring and using them.
FAQ Section
In this section, you can find answers to your questions and solutions that will help you expand the functionality of basic features. This section, like the main documentation, is divided into categories for easy navigation.
If you have a question that isn't covered here, you can seek assistance in the Telegram Community, where MikoPBX users help each other resolve issues and needs related to the PBX system.
After successful authorization, MikoPBX will automatically open the settings for changing the password:
First authorization in the MikoPBX WEB interface
After changing the password, the system will be fully operational. It is recommended to immediately configure the firewall rules. You can read about how to do this by following the link.
Use the following default credentials for the first login to the MikoPBX web interface:
Username: admin
Password: admin
MikoPBX IP address for connecting to the WEB interface
Authorization page in the web interface
For more information about the General Settings, see the section.
GSM - 1.68 Mbps
G.722 - 4.67 Mbps
G.729 - 1.38 Mbps
Minimum system requirements
800 MB hard disk for the main system
A 50+ GB hard drive for recording conversations
1 (2 cores) x86-64 processor
2 GB of RAM
Network Adapter
The calculation is approximate and assumes the same codec on all devices connected to the PBX.
We recommend using two hard drives for PBX deployment.
A PC with such parameters, in our tests, holds 38 simultaneous incoming calls under the conditions:
10 agents are connected to the queue (all online)
Approximately, 1 hour of conversation takes up 14 MB of disk space. The recommended size for the disk storing call recordings is at least 50 gigabytes.
AWS
MikoPBX Installation Options Using AWS
The simplest way to install MikoPBX is by deploying a ready-made image from the AWS Marketplace. If you wish to launch a custom version of MikoPBX, please refer to the detailed instructions where we describe step-by-step how to create an AMI image from any MikoPBX distribution.
Google Cloud
MikoPBX Installation Guide using Google Cloud
Installing MikoPBX in Google Cloud can be done in two ways: using an image from the Google Cloud Marketplace or from an image based on a file uploaded from the MikoPBX distribution. The first method provides quick and easy deployment of the standard version of MikoPBX, while the second is suitable for intermediate releases.
Cloud
In this article you will find instructions on how to install MikoPBX using various cloud services.
MikoPBX supports installation via many cloud services. In this section you can find detailed instructions for them. Click on an item in the list below to go to the instruction for a specific virtual machine:
Proton Setup (Login, Password)
Mail setup for the proton.me service
Generating an SMTP Token
First, go to your Proton account settings.
Virtual Machine
In this article you will find instructions on how to install MikoPBX using various virtual machines.
MikoPBX supports installation using many virtual machines. In this section you can find detailed instructions for them. Click on an item in the list below to go to the instruction for a specific virtual machine:
Then go to the "Proton Mail" -> "IMAP/SMTP" section.
"IMAP/SMTP" section
Scroll down to the "SMTP submission" section. Click "Generate token".
"Generate token" button for creating a new token
Enter an arbitrary name in the "Token name" field — MikoPBX in our case — and select the Email address for which you are creating the token.
Creating a new SMTP token
A token will be created. Its parameters will be shown only once and will become unavailable once you close the window. Save them, as we will use them for further configuration.
Created token parameters
Connecting in MikoPBX
Go to the "System" -> "Mail and Notifications" section.
"Mail and Notifications" section
Go to "SMTP Settings". Fill in all the required parameters:
Sender Address - your email address that you used to generate the token.
Sender Name - the name from which the mail is sent.
Authentication Type - "Username and password".
SMTP Username - SMTP Username from the token data window.
SMTP Password - SMTP token from the token data window.
SMTP Host - smtp.protonmail.ch
SMTP Port - 587.
Encryption Type - STARTTLS (port 587).
Click "Save".
Mail parameters in MikoPBX
Click "Test connection". You will see the following window confirming that the entered data is correct:
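The settings above (smtp.protonmail.ch, port 587, STARTTLS, username plus token) can also be checked from an administrator workstation. The following is an added example, not MikoPBX code: it refuses to send the SMTP token unless the server offers STARTTLS and the certificate verifies. The function names, the `FakeServer` stand-in and the sample credentials are assumptions made for illustration.

```python
import smtplib
import ssl

# Values taken from the "SMTP Settings" step on this page.
SMTP_HOST = "smtp.protonmail.ch"
SMTP_PORT = 587


class InsecureSubmission(Exception):
    """Raised before any credential is sent when the session cannot be protected."""


def check_submission(username, token, host=SMTP_HOST, port=SMTP_PORT,
                     smtp_factory=smtplib.SMTP):
    """Log in with the SMTP token only after a verified STARTTLS upgrade."""
    # Default context verifies the certificate chain and the host name.
    context = ssl.create_default_context()
    context.minimum_version = ssl.TLSVersion.TLSv1_2
    with smtp_factory(host, port, timeout=15) as client:
        client.ehlo()
        # On port 587 the session starts in cleartext. If STARTTLS is missing
        # from the EHLO reply, stop here so the token never crosses the wire.
        if not client.has_extn("starttls"):
            raise InsecureSubmission("server did not offer STARTTLS; token not sent")
        client.starttls(context=context)
        client.ehlo()  # capabilities must be re-read inside the TLS session
        if not client.has_extn("auth"):
            raise InsecureSubmission("AUTH not offered after TLS upgrade")
        client.login(username, token)
        return "authenticated over TLS"


class FakeServer:
    """Constructed stand-in for smtplib.SMTP so the check can run offline."""

    def __init__(self, offer_starttls):
        self.offer_starttls = offer_starttls
        self.tls = False
        self.sent = []  # commands that would have gone to the server

    def __call__(self, host, port, timeout=None):  # lets an instance act as smtp_factory
        return self

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self.sent.append("QUIT")
        return False

    def ehlo(self):
        self.sent.append("EHLO")

    def has_extn(self, name):
        return self.offer_starttls if name == "starttls" else name == "auth"

    def starttls(self, context=None):
        self.tls = True
        self.sent.append("STARTTLS")

    def login(self, user, password):
        self.sent.append("AUTH tls=%s" % self.tls)


def offline_demo(offer_starttls):
    """Run the check against the fake server; return (outcome, commands sent)."""
    server = FakeServer(offer_starttls)
    try:
        outcome = check_submission("user@example.com", "constructed-token",
                                   smtp_factory=server)
    except InsecureSubmission as exc:
        outcome = "refused: %s" % exc
    return outcome, server.sent


if __name__ == "__main__":
    print(offline_demo(offer_starttls=True))
    print(offline_demo(offer_starttls=False))
```

To test the real account, call `check_submission()` with the SMTP username and token from the token data window and leave `smtp_factory` at its default.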
This guide provides detailed steps to get started with MikoPBX and helps you quickly configure the system.
Follow the step-by-step instructions in the order presented for a quick and successful system setup.
Installing MikoPBX
MikoPBX is a full-fledged operating system for your hardware; it is not a standalone application. It is provided as an image file (*.iso, *.img, *.raw).
It supports various installation methods:
Installation .
Installation .
Installation .
Installation in a .
Follow the link for your preferred installation method and proceed according to the provided instructions.
First Login to the Web Interface
After installation, you need to access the MikoPBX web interface for further system configuration. To do this, find the PBX's IP address in the MikoPBX console:
In this example, the IP address is 192.168.0.203. To access the web interface, enter this IP address into your browser's address bar:
After the first login, the system will prompt you to change your password.
Settings Within the Web Interface:
Network and Firewall Settings
For stable PBX operation, you need to configure the network through the Network and Firewall → Network Interface section. Detailed instructions for these settings can be found .
In MikoPBX, all local subnets can be defined in the Network and Firewall → Firewall section. The firewall is intended to restrict access to the PBX based on traffic type and subnets. Follow the setup instructions .
Configuring Protection Against Hacking (Fail2Ban)
Fail2Ban blocks IP addresses exhibiting unusual activity; it can reduce the rate of failed authentication attempts and helps protect your PBX from hacking. Instructions to help with the setup can be found .
Adding and Configuring Employee Accounts
After completing the initial PBX setup, you can proceed to create accounts for your employees. This will assist you.
Connecting Providers
After adding employees, you need to connect providers to your PBX. Instructions for this section can be found . Instructions with examples of configuring real providers can be found .
Setting Up Incoming and Outgoing Routing
At this stage, you need to set routing rules for incoming and outgoing calls: how calls passing through a specific provider will be handled:
To create routing rules, you may also need the following features:
Marketplace and Modules
The Marketplace allows you to extend the system's standard functionality using modules:
You can read more about Modules in MikoPBX in .
Information on registering in the MikoPBX Marketplace can be found .
VMware ESXi
Installing MikoPBX using VMware ESXi.
Creating a Virtual Machine
Start by creating a new virtual machine.
Enter the Name, Type, and Version of the virtual machine, as shown in the image below.
Select a datastore for the virtual machine.
Allocate 1024 MB of memory to the virtual machine and create a new virtual hard disk for the system with a size of 1024 MB.
Choose the SCSI controller type and adapter type, as shown in the image below.
Select BIOS as the Firmware option.
Review and save the changes.
Configuring the Virtual Machine
Open the settings of the created virtual machine. Create a new hard disk for storing call recordings.
Go to the CD/DVD Drive tab. Upload the ISO image for installation, and check the box next to "Connect at power on."
Installing MikoPBX
Start the virtual machine.
The MikoPBX command-line interface will open as the PBX starts loading from the optical disk containing the ISO image. You will see the message: "The system is loaded in recovery mode (Live CD)".
Install MikoPBX:
Go to [8] Install:
Information about all available disks will appear (in this example: sdb, sdc).
Enter the name of the disk you intended as the "system" disk, in this case, sdb, and press Enter (or simply press Enter if it’s already selected).
The system will prompt for confirmation. Type y and press Enter:
Once installation is complete, you will be prompted to select a disk for storing call recordings.
Enter the disk name (in this example, the only available disk is sdc) and press Enter.
After installation, the system will reboot.
MikoPBX will now boot from sdb, the system disk, and the line "The system is loaded in Recovery mode" will no longer appear—indicating a successful installation.
This completes the MikoPBX installation.
First Login to MikoPBX
To access the control panel, enter the virtual machine's IP address in your browser's address bar.
The default login credentials are admin for both username and password.
Telephony
Description of the MikoPBX telephony section
The "Telephony" chapter in the MikoPBX documentation contains detailed information and instructions related to setting up and using telephony in the system.
Extensions in MikoPBX are individual users of the system who are assigned internal numbers for making and receiving calls. They have personal accounts that allow you to configure access rights, call forwarding and other personal settings in the system.
In this article, you will find detailed documentation on adding new employees to the station and setting up their rights and profiles, as well as information about their additional parameters.
Call queues
Call queues in MikoPBX are a feature that allows you to distribute incoming calls between a group of operators, holding calls in a queue until an operator becomes available. This ensures efficient management of a large call flow and improves customer service.
In this article, you will find detailed documentation on creating and configuring such queues.
IVR Menu
IVR menu in MikoPBX is an interactive voice menu that allows callers to interact with the phone system by pressing keys (DTMF). It automatically routes calls to the right departments or employees, improving call handling efficiency and customer service.
In this article, you will find documentation on creating and configuring an IVR menu.
Conferences
Conferences in MikoPBX are a feature that allows you to organize group phone calls with multiple participants at the same time. It allows you to hold group discussions, meetings and appointments over the phone, improving communication both within the company and with external partners.
In this article, you will find documentation on creating and configuring conference rooms.
Sound files
Sound files in MikoPBX are audio recordings that are used by the system to play various messages, such as greetings, announcements, IVR menu instructions or waiting signals. They allow you to personalize the audio content that callers hear, improving interaction with the system and providing the necessary information.
In this article, you will find detailed information about them, as well as how to add and edit them.
Call detail records (CDR)
Call detail records in MikoPBX is a log that stores information about all incoming and outgoing calls through the system. It provides detailed data about each call, including time, duration, participant numbers and status, which allows you to analyze communications and optimize the operation of the company's telephone network. In this article, you will find information about storing call records and their filters.
Call Routing
Description of the MikoPBX routing section
The "Call Routing" section in MikoPBX is an interface for configuring call direction rules within the telephone system. Here, administrators can determine how to handle incoming and outgoing calls by setting conditions and routes for efficient distribution of calls among employees, departments, or external lines.
Telephony providers in MikoPBX is the system section where connections to external communication operators are configured via internet protocols for IP telephony. Here, administrators can add and configure SIP trunk accounts or other types of connections that allow the system to make and receive calls to and from landline and mobile numbers.
In this article, you will find detailed documentation on connecting providers to the system, their configuration, and features.
Incoming Routes (Incoming Routing)
Incoming Routing in MikoPBX is a set of rules that define how the system handles incoming calls from external telephony providers. With them, administrators can set call directions based on various conditions such as the caller's number, time of day, or the specific number the call was received on. This enables automatic distribution of incoming calls to specific employees, departments, IVR menus, or call queues. Configuring incoming routes helps optimize call handling and improve customer service quality by providing flexible and efficient management of the company's telephone communications.
In this article, you will find detailed documentation on configuring incoming routing.
Outgoing Routes (Outbound Routing)
Outgoing Routes in MikoPBX are a set of rules and settings that determine how the system handles outgoing calls from employees to external numbers. With them, administrators can manage call direction through various telephony providers or communication lines based on certain conditions such as the dialed number, prefixes, time of day, or user access rights. This helps optimize communication costs, distribute load between channels, and implement security policies by restricting or allowing certain types of calls. Configuring outgoing routes provides flexibility and control over outgoing telephone communication, contributing to the effective operation of the company's communication system.
In this article, you will find detailed documentation on configuring outgoing routing.
Off-Work Time (Night and Holiday Switch)
Off-Work Time in MikoPBX is a tool for setting up call handling rules during periods when the company is not operating, such as at night, on weekends, or on holidays. With it, administrators can define how the system will handle incoming calls during off-hours: redirect to voicemail, play special voice messages, or forward calls to the mobile numbers of on-call staff. This allows for proper interaction with clients outside of working hours and maintains a high level of service.
In this article, you will find detailed documentation on setting up off-work time for your system.
Updating from the MikoPBX console
Update option from MikoPBX console
Below is an example of a PBX installed on a VirtualBox virtual machine, updated from version 2023.1.223 to version 2023.2.206.
Download the iso image of the required PBX version from the repository.
.iso image in MikoPBX release repository
In VirtualBox, open the settings of the virtual machine where the PBX is installed.
Go to the Storage section.
Select the virtual optical drive.
Click the icon in the Attributes group, and click Choose Disk File.
Select the downloaded PBX iso image.
Start the machine.
Selecting a disk file in the VirtualBox interface
The console will display the line "The system loaded in Recovery mode".
MikoPBX Console
Select Install / Repair (or press the number 8 on the keyboard) and press Enter.
You need the command "Update to version ****.*.**". Press the number 2 on the keyboard, then press Enter.
The update installation will begin. When it is complete, the PBX will reboot.
After the PBX reboots, the message "The system loaded in Recovery mode" will no longer appear, indicating that the PBX has booted from the hard disk and not from the virtual optical drive.
The installed update version will be displayed in green at the top.
Docker container
MikoPBX Installation Guide using Docker container
The "Host system" must run on Linux 5+. Tested on Debian 11, Ubuntu 21.04, and Ubuntu Server 22.04 LTS.
MikoPBX can be run in Docker using two main methods. The first method involves running the container directly using a Docker command with the necessary parameters. The second method involves using Docker Compose, which simplifies managing multi-container applications and allows the entire configuration to be described in a yaml file, making the deployment and maintenance of the system more convenient.
Docker installation and creating a user and directories
Preparation guide for MikoPBX using Docker
Installing Docker and Docker Compose on Ubuntu 22.04
Before working with Docker, you need to install Docker and Docker Compose themselves. Here's how to do it:
# Update package list and install required dependencies
sudo apt update
sudo apt install apt-transport-https ca-certificates curl software-properties-common
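# Store the signing key for Docker's official repository in a dedicated keyring
# (apt-key is deprecated and trusts the key for every configured repository)
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add Docker's repository to the APT sources list, tied to that key only
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null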
# Install Docker CE
sudo apt update
sudo apt install docker-ce
# Install Docker Compose
sudo curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
sudo chmod +x /usr/local/bin/docker-compose
# Verify Docker Compose version
sudo docker-compose --version
Creating a user and directories on the host system
Before creating the container on the host machine, it's necessary to create a user and group with limited permissions, as well as a folder for storing configuration settings and call recordings.
Useful commands
Command to connect to the PBX console:
Command to connect to the PBX console menu:
Connecting to sngrep for SIP analysis
PBX update
This article contains step-by-step instructions for updating MikoPBX to a newer version.
Before updating, be sure to back up your PBX settings using the .
Modules
Description of the Modules section in MikoPBX
The "Modules" section in MikoPBX is an interface for managing additional functional components of the system, which includes two subsections: "Module Management" and "Dialplan Applications".
Managing these subsections allows you to configure MikoPBX as flexibly and efficiently as possible, expanding the functionality of the telephone system and adapting it to the unique requirements of the organization.
Registration in the MikoPBX Marketplace does not affect the basic functionality of the system. You can use MikoPBX to work with calls without registration and installation of additional modules. However, we recommend that you go through the registration procedure in the marketplace to get the opportunity to expand the functionality of the system.
Registration will give you access to additional modules and extensions.
Module management
Module management in MikoPBX is an interface for managing additional system components that expand its functionality. Here, administrators can install, update, enable or disable modules, adding new features or integrations with external services. This section allows you to adapt the system to the specific needs of the company, ensuring flexibility and scalability of the telephone network.
Application dialplans
MikoPBX dialplan applications are a set of tools that allow you to set up individual call processing scenarios within the system. With their help, you can define a sequence of actions that the system will perform when a call is received or made. This may include redirecting a call to a specific extension, playing special audio messages, requesting additional information from the caller, or performing other functions.
Using dialplan applications, you can flexibly customize the logic of the telephone system to the needs of your business without delving into complex programming. This makes it easier to create complex call processing scenarios, allowing you to improve the efficiency of communications and improve the level of customer service.
Network and Firewall
Description of the Network and Firewall section in MikoPBX
The "Network and Firewall" section of MikoPBX is an interface for configuring network settings and managing the system's firewall. Here, administrators can configure IP addresses, network interfaces, and create firewall rules to protect the system from unauthorized access. This section ensures the secure and stable operation of MikoPBX in the organization's network infrastructure.
The "Network Interface" section in MikoPBX is an interface for configuring the system's network connection parameters. Here, administrators can manage IP addresses, subnet masks, gateways, and other network settings for each network interface. This allows MikoPBX to be correctly integrated into the organization's network and ensure its stable operation in accordance with the requirements of the network infrastructure.
Firewall
The "Firewall" section of MikoPBX is an interface for configuring the system's firewall. Here, administrators can create and manage network traffic filtering rules, controlling access to MikoPBX and protecting it from unauthorized access and network threats. Configuring the firewall ensures the security of the telephone system, preventing potential attacks and ensuring stable operation in the organization's network infrastructure.
Anti brute force (Fail2Ban)
The "Anti brute force (Fail2Ban)" section in MikoPBX is a tool for ensuring system security from unauthorized access and network attacks. Fail2Ban monitors event logs and automatically blocks IP addresses that make suspicious or repeated failed login attempts. Setting up this section helps prevent system hacking and protect the organization's confidential data.
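The log-driven blocking described above, sketched as an added example (not MikoPBX or Fail2Ban code): failed authentications are counted per source address inside a sliding window, and an address is banned once it reaches the threshold. The parameter names follow Fail2Ban's maxretry, findtime and bantime options; the log lines are constructed samples modeled on Asterisk PJSIP notices, and the 192.168.0.0/24 trusted subnet is an assumption.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple

# Constructed sample, modeled on Asterisk PJSIP authentication notices.
# Public addresses are documentation ranges; 192.168.0.0/24 is an assumed office LAN.
SAMPLE_LOG = """\
[2024-05-01 10:00:00] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:201@pbx.example>' failed for '198.51.100.20:5060' (callid: a1) - Failed to authenticate
[2024-05-01 10:00:01] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:900@pbx.example>' failed for '203.0.113.7:5071' (callid: b1) - No matching endpoint found
[2024-05-01 10:00:02] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:202@pbx.example>' failed for '192.168.0.50:5060' (callid: c1) - Failed to authenticate
[2024-05-01 10:00:03] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:202@pbx.example>' failed for '192.168.0.50:5060' (callid: c2) - Failed to authenticate
[2024-05-01 10:00:04] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:202@pbx.example>' failed for '192.168.0.50:5060' (callid: c3) - Failed to authenticate
[2024-05-01 10:00:05] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:201@pbx.example>' failed for '203.0.113.7:5071' (callid: b2) - Failed to authenticate
[2024-05-01 10:00:06] VERBOSE[2101] pbx.c: Executing [201@internal:1] Dial(PJSIP/202,30)
[2024-05-01 10:00:09] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:203@pbx.example>' failed for '203.0.113.7:5071' (callid: b3) - Failed to authenticate
[2024-05-01 10:00:10] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:204@pbx.example>' failed for '203.0.113.7:5071' (callid: b4) - Failed to authenticate
[2024-05-01 10:20:00] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:201@pbx.example>' failed for '198.51.100.20:5060' (callid: a2) - Failed to authenticate
[2024-05-01 10:40:00] NOTICE[2101] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:201@pbx.example>' failed for '198.51.100.20:5060' (callid: a3) - Failed to authenticate
""".splitlines()

# Matches only failed-authentication notices and captures timestamp and source IP.
FAILURE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] \S+ "
    r"Request '\w+' from '[^']*' failed for '(?P<ip>[0-9.]+):\d+' "
    r"\(callid: [^)]*\) - (?:Failed to authenticate|No matching endpoint found)\s*$"
)


class Ban(NamedTuple):
    ip: str
    at: datetime
    failures: int


def find_bans(lines, maxretry=3, findtime=600, bantime=3600,
              ignore=("192.168.0.0/24",)):
    """Return the bans a maxretry/findtime policy would issue for these lines.

    lines must be in chronological order; findtime and bantime are in seconds.
    """
    trusted = [ipaddress.ip_network(net) for net in ignore]
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned_until = {}             # ip -> time the current ban expires
    bans = []
    for line in lines:
        m = FAILURE.match(line)
        if not m:
            continue              # not an authentication failure
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue              # malformed address: never feed it to a firewall rule
        if any(addr in net for net in trusted):
            continue              # trusted subnet, e.g. a desk phone with a stale password
        ip = str(addr)
        if ip in banned_until and ts < banned_until[ip]:
            continue              # already blocked; traffic would not reach the PBX
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # forget failures older than findtime
        if len(hits) >= maxretry:
            bans.append(Ban(ip, ts, len(hits)))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            hits.clear()
    return bans


if __name__ == "__main__":
    for ban in find_bans(SAMPLE_LOG):
        print(f"ban {ban.ip} at {ban.at} after {ban.failures} failures")
```

With the defaults only 203.0.113.7 is banned: 198.51.100.20 spaces its attempts wider than findtime, which is why slow attempts need a longer window or a separate alert.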
Date and Time
In this subsection, you can configure the clock and calendar settings.
You need to set the time zone correctly to ensure accurate system time display. If the time zone is not set, notifications and call history will be recorded with incorrect timestamps.
To configure the time zone, go to the "System" section and select "Time Settings":
"Time Settings" section
There is an option to set the time "manually" without using an NTP server. However, whenever possible, we recommend using automatic time synchronization.
To manually set the time, toggle the switch "Adjust the time manually."
"Adjust the time manually" switch
Sound files
Adding/Creating Audio Files in MikoPBX
Uploading a sound file to the PBX
Audio files in MikoPBX are used in various call scenarios and interactive voice menus (in IVR menus, during non-working hours, in call queues, for various system notifications, and as hold music) to play voice greetings or notify customers.
The list of available sound files is displayed in the "Telephony" -> "Sound files" section.
Conferences
Creating and configuring conferences in MikoPBX
Conference calling is used for conducting group discussions, meetings, or negotiations in cases where participants are unable to meet in person. It is also used when a particular matter needs to be discussed with multiple participants simultaneously.
Create conference rooms
The list of conference rooms is located in the "Telephony" -> "Conferences" section.
To create a new conference room, click the "Add conference
Updating from the web interface
Update option from the web interface
In some sections of the interface (e.g., Extensions), the current version of MikoPBX is displayed in the lower right corner.
In the PBX web interface, go to Maintenance → PBX update.
If there are newer versions of the PBX available, they will be displayed in the Online updates available table, with the version number in the first field and the list of changes in the second.
There are two update options: online update and update using a downloaded img file.
Incoming routing
Description and configuration of incoming routing
In this section, you need to create rules and templates for distributing incoming calls for providers created in MikoPBX. The rules for incoming calls describe the route of a call from the moment it arrives at the PBX to the moment it is completed. You can create an unlimited number of inbound routing rules. You can create several rules for one provider.
Routing rule priority and default route
Rules are listed in order of priority. If no one answers the incoming call within the time interval specified in the rule, the call will be routed to the next priority rule. Rules can be moved up and down in the list, that is, their priority can be changed by dragging them by the arrows.
Call detail records (CDR)
How to view and filter call history in MikoPBX
Call History provides a log of all incoming, outgoing, and internal calls. It is located under "Telephony" -> "Call History".
Benefits
The Call History feature in MikoPBX enables users to:
Night and Holiday Switch
Setting up non-working time rules
"Off-hours" in MikoPBX is a tool for setting up call processing rules during periods when the company is not working, such as at night, on weekends or holidays. With its help, administrators can determine how the system will handle incoming calls during off-hours: forward to an answering machine, play special voice messages or forward calls to the mobile numbers of on-duty employees. This ensures correct interaction with customers outside of working hours and maintains a high level of service.
Creating a rule
To add a new rule, click on the "Add Time Interval" button.
Reboot
Description of section functions
Rebooting the station via the MikoPBX interface
The system shutdown/reboot menu can be found in MikoPBX by clicking on "Reboot" in the "Maintenance" section.
When you open the page, a list of active calls to the PBX will be displayed. For each call, the start date, the caller, and the callee are shown.
Updating the docker
Upgrade option for MikoPBX in Docker container
To update the MikoPBX container to the latest version, you can follow these steps in the command line. These steps include stopping the current container, downloading the new version of the image, and running the container with the updated image.
First, you need to properly stop the running container. After stopping the container, you can safely remove it.
To launch a new container using the latest image version with the same settings as before, use the following commands:
Maintenance
Description of the Maintenance section in MikoPBX
The Maintenance section of MikoPBX is an interface for managing the technical aspects of the system and ensuring its stable operation. Here, administrators can perform tasks on data backup and recovery, software updates, system status monitoring, and event log management. This section helps maintain the functionality of the telephone system, promptly detect and eliminate possible problems.
PBX update
The "PBX update" section in MikoPBX is an interface for managing system software updates. Here, administrators can check for new versions, install updates, and view the change history. Regular use of this section ensures that MikoPBX is up-to-date, secure, and stable.
System
Description of the "System" section in MikoPBX
The "System" section in MikoPBX is the interface for managing general settings and parameters of the telephone system. Here, administrators can configure core system parameters, manage updates, date, and other functions that ensure stable and secure operation of MikoPBX. This section allows you to control and optimize the system's operation at the entire infrastructure level.
General settings
In the "General settings" section of MikoPBX, administrators can manage the main system parameters, such as call recording retention settings, notifications, log parameters, voice prompt language, and many other system options. This section provides control over general functions and behavior of MikoPBX, allowing you to optimize the system's operation according to the organization's needs.
If the logs do not provide a username and password, use the default credentials:
Username: admin
Password: admin
This completes the basic setup of MikoPBX! For a deeper exploration of MikoPBX's capabilities, we recommend referring to the comprehensive documentation.
The "System log entries" section in MikoPBX is a tool for monitoring and analyzing the status of the telephone system. Here, administrators can view event logs, check the status of various services and system components, and test connections and calls. Using this section helps to promptly detect and eliminate technical problems, ensuring stable and efficient operation of MikoPBX.
Reboot
The "Reboot" section in MikoPBX is an interface for securely managing the state of the telephone system via the web interface. Here, administrators can reboot the system to apply new settings or shut it down gracefully for maintenance. Using this section prevents possible errors and ensures stable operation of MikoPBX. In addition, the possibility of rebooting via the console will be discussed.
The "Time Settings" section in MikoPBX is an interface for configuring system date and time parameters. Here, administrators can set the current date and time, choose a time zone, and configure synchronization with Network Time Protocol (NTP) servers. Correct date and time settings are important for accurate event logging, call logs, and the operation of schedule-dependent functions, ensuring system synchronization with other network devices and services.
Mail settings
The "Mail settings" section in MikoPBX allows you to configure sending system notifications via email. Here, administrators specify SMTP server parameters, define events for notifications, such as voice messages or system errors, and edit email templates. This section helps to timely inform users and administrators about important events, ensuring effective control over the system's operation.
Asterisk Manager Interface (AMI)
The "Asterisk Manager Interface (AMI)" section in MikoPBX is an interface for configuring access to the Asterisk Manager Interface (AMI). Here, administrators can manage AMI connection parameters, such as enabling or disabling access and specifying the login credentials used for authentication. Configuring AMI access allows external applications or scripts to interact with the MikoPBX system for monitoring and managing calls, expanding the telephone system's functional capabilities.
System files customization
The "System files customization" section in MikoPBX provides administrators with the ability to directly modify or supplement the system's standard configuration files. Here, you can make individual settings that are not available through the standard web interface and adapt the system's behavior to the specific requirements of your organization.
This section is intended for advanced users who have a deep understanding of the structure and operation of MikoPBX. With its help, you can:
Edit configuration files: Make changes to existing files or add new parameters.
Override standard settings: Change default values for certain functions or modules.
Add your own scripts or modules: Expand the system's functionality by integrating custom solutions.
It is important to note that incorrect modification of system files can lead to unstable operation or system failures. Therefore, it is recommended to create backups before making changes and to carefully check the correctness of the settings.
# Creating a new user (e.g., www-user) without superuser rights
sudo adduser --disabled-password --gecos "" www-user
# Creating directories for data storage
sudo mkdir -p /var/spool/mikopbx/cf
sudo mkdir -p /var/spool/mikopbx/storage
# Granting the created user ownership of the directories
sudo chown -R www-user:www-user /var/spool/mikopbx/
Updating using Docker compose
First, you need to properly stop the running container. After stopping the container, you can safely remove it.
The next step is to download the latest MikoPBX image:
An example of the docker-compose.yml file that can be used to update your MikoPBX container through Docker Compose:
Save the contents to a file named docker-compose.yml, make the necessary adjustments, and run the command:
Notes
Data: Since data is stored in Docker volumes (mikopbx_cf and mikopbx_storage), it remains untouched during the update, preserving settings and user data.
Environment Variables: Ensure that all necessary environment variables are correctly passed.
Safety: Always create backups of your data before updating.
These steps will help ensure a smooth and safe update of your MikoPBX container.
sudo docker exec -it mikopbx sh
sudo docker exec -it mikopbx /etc/rc/console_menu
sudo docker exec -it mikopbx sngrep
# Stop the current container
sudo docker stop mikopbx
# Remove the current container
sudo docker rm mikopbx
# Downloading the latest container image version
sudo docker pull ghcr.io/mikopbx/mikopbx-x86-64:latest
# Starting the container in unprivileged mode
sudo docker run --cap-add=NET_ADMIN --net=host --name mikopbx --hostname mikopbx \
-v data_volume:/cf \
-v data_volume:/storage \
-e SSH_PORT=23 \
-it -d --restart always ghcr.io/mikopbx/mikopbx-x86-64:latest
# Stop the current container
sudo docker stop mikopbx
# Remove the current container
sudo docker rm mikopbx
# Downloading the latest container image
sudo docker pull ghcr.io/mikopbx/mikopbx-x86-64:latest
docker-compose.yml
services:
  mikopbx:
    container_name: "mikopbx"
    image: "ghcr.io/mikopbx/mikopbx-x86-64:latest"
    network_mode: "host"
    cap_add:
      - NET_ADMIN
    entrypoint: "/sbin/docker-entrypoint"
    hostname: "mikopbx-in-a-docker"
    volumes:
      - data_volume:/cf
      - data_volume:/storage
    tty: true
    environment:
      # Change the station name through environment variables
      - PBX_NAME=MikoPBX-in-Docker
      # Change the default SSH port to 23
      - SSH_PORT=23
      # Change the default WEB port to 8080
      - WEB_PORT=8080
      # Change the default WEB HTTPS port to 8443
      - WEB_HTTPS_PORT=8443
volumes:
  data_volume:
sudo docker compose -f docker-compose.yml up
"Sound files" section
To add a new sound file, click "Add a new sound file".
"add a new sound file" button
Click "Upload a new file" and select a sound file.
"Upload a new file" button
Correct the file name if necessary.
The name of the recording file
Save settings
"Save settings" button
"Start recording" button
Custom sound files are stored on the PBX at the path /storage/usbdisk1/mikopbx/media/custom. Music on hold files are stored in /storage/usbdisk1/mikopbx/media/moh.
Music on hold
If a client is placed in a queue during a call or is waiting to be transferred, the PBX plays a melody for them. You can upload your own music to be played while callers wait.
You can do this on the "Music on Hold" tab as described above.
"Music on hold" tab
Supported file formats: wav, mp3, ogg, m4a, aac.
When working over the HTTPS protocol, it is possible to record an audio file using a microphone.
"Add conference" button
Specify the name of the conference and its internal number. Calling this number joins the conference.
New conference room parameters
To prevent unauthorized access to the conference by employees for whom the discussion is not intended, you can secure the conference room with a password. To do this, fill in the "Conference Pin" field. Only digits can be entered in this field, and at least one digit is required.
Conference PIN field
In this case, to join the conference, employees will need to enter the PIN code after dialing the conference number.
Characteristics of conference calling include:
Communication is conducted solely through voice (no other means of information transmission besides speech are provided).
All participants can speak and hear each other simultaneously, ensuring duplex communication.
Participants use telephones (hardware or software) for communication.
Usage:
Each participant dials the conference number. The first participant hears hold music until at least one more participant joins the conference. An employee can transfer their caller into the conference by using specific key combinations on their phone. Transfers can be made to both internal and external numbers. The key combination for transfers is set in the System -> General Settings -> Call Transfers section.
Example: An employee dials the combination **1111 (the combination for unconditional transfer), and their caller joins the conference as its first participant. The call is completed for the transferring employee, and to join the conference, they dial the conference number 1111.
The maximum number of conference participants is not limited.
Online upgrade
Updates are downloaded to the PBX and applied immediately.
To update this way, click the button for the desired version.
Button to update the system
A warning window will appear. Click Upgrade.
Warning window
The PBX will download and apply the updates, and then reboot.
Update using a downloaded img file
To update using this method, click the button for the desired version.
Button to download the update file
The img file will start downloading. Wait for the download to complete.
Then click the button and select the downloaded img file.
Selecting a file to update
Then click Apply the update, and in the warning window, click Upgrade.
Installing the update
The updates will be applied, and the PBX will reboot upon completion.
The update process
We recommend performing updates sequentially without skipping releases.
Displaying the version in the web interface
"PBX update" section
Section "Available online updates"
Be cautious! If the system is installed on the same disk where call recordings are stored, there may be difficulties with the update.
Please note that this method can also be used to roll back to a previous version.
Priority Scheme
If the call is not answered according to any of the rules, the Default incoming route is used.
Default incoming route
The following actions are available and can be specified as the default rule:
Play busy signal - the caller hears a busy signal and the incoming call is ended;
Hang up;
Redirect the call - the call can be transferred to a number that you can select in the field located to the right of the action. You can select an IVR menu, call queue, conference, or employee extension number as the number for transfer.
Multiple routes for one provider
For one provider, you can describe several incoming routes.
First, the call goes along the upper route. If the client does not get through, then the call goes according to the lower rule (lower priority). If the client does not get through via the second route, then the call goes through the default route.
Several incoming routes for one provider
Create a routing rule
To add a new incoming routing rule, click the Add a new rule button.
New Rule
In the Note field, describe the route you want to implement. In the future, this will help you debug the call circuit.
Select the Provider for which you are creating a new incoming call distribution template.
The additional DID number is the number the client called you on. This field is optional and should be completed if you need to route calls more accurately.
Parameters for a new rule
At the next step, specify the number to which the incoming call from the client will be sent. The destination can be an IVR menu, call queue, conference, or employee internal number.
Parameters for a new rule
Specify the time during which the call will be sent to the phone number you specified.
Parameters for a new rule
If after the specified time interval no one answers the incoming call, the call will be routed to the next priority rule.
Additional examples of configuring incoming routing are available in the FAQ section.
"Call Routing" -> "Incoming Routing" section
Display all calls;
Filter calls based on criteria;
Visually identify missed calls from the call log;
Download or listen to call recordings.
Each entry in the call log contains information about:
The caller’s phone number (Who);
The recipient’s phone number (To Whom);
The date and time of the call (Call Date);
The duration of the call (Duration) – this excludes time spent on greetings or announcements.
Calls marked in red are missed calls. Their duration is logged as zero, and these calls cannot be played back:
Missed calls
For answered calls, users can listen to or download the recording. When downloading a recording, you can choose WebM (Opus), MP3, WAV, or OGG (Opus) format.
Listen to the recording function
Each call log entry provides detailed information about the participants involved.
Detailed information
Filters
The search bar in the Call History page supports the following filters:
Phone Number Filter
You can search using either an internal staff number or an external client number.
Filter by Phone number
Specific Field Filter
You can add a prefix to search only in a specific field:
src:74952293042 - search by caller number;
dst:302 - search by destination number;
did:74952293042 - search by DID number;
linkedid:mikopbx-... - search by the unique call identifier.
If no prefix is specified, MikoPBX performs a general search by caller number, destination number, DID, and employee name.
Search by number or a specific call history field
Date Filter
When opening the Call History, MikoPBX selects a date range based on the latest call records. To filter for a specific period, select the date range and click Apply.
Filter by date
Call detail records (CDR)
To apply a filter, press Enter after entering the search criteria.
"Add time interval" button
A form for creating a new rule will open.
A form for creating a new rule
In the form, you will find the following fields:
Period: The calendar period when employees are absent from the office, such as during New Year's or May holidays.
Weekdays: Specific weekdays for which the rule will be applied.
Time Range: The time period during the day when employees are absent.
Incoming Call Action: You can choose to play a sound file or perform a call transfer. Call transfer options include transferring the call to a conference, IVR menu, queue, internal employee extension, or specific termination numbers.
In the Note field, you can describe the rule so that its purpose is easy to identify later. The eraser button clears the field next to which it is located.
Apply only to certain incoming routes
When this function is activated, a new "Route restrictions" menu appears at the top.
"Apply only to certain incoming routes" switch and "Route restrictions" Section
Here you can choose which specific routes the rule you are creating will apply to.
"Route restrictions" section
Examples of rules
This rule is used for calls during non-working hours from Monday to Friday, specifically from 7:00 PM to 9:00 AM:
Example of the rule
This rule is used to handle calls on Saturdays and Sundays:
Example of the rule
"Call routing" -> "Night and Holiday Switch" Section
List of active calls
Restart the PBX - the command starts restarting the station.
Turn off PBX - completes all processes and disconnects the station.
System shutdown/reboot options
Rebooting the station via the console menu
You can restart the station via the console menu. To do this, select the section "[3] Reboot the system".
MikoPBX console
If you want to restart the station: press "[1] Reboot MikoPBX"
If you want to turn off the station: press "[2] Shutdown"
The system will reboot.
Restart/shutdown station
Reboot with disk check
In case of an emergency restart of the PBX (for example, power outage), it may be necessary to check the disk for errors.
In the PBX console menu, enter the command "[9] Console(Shell)" and press Enter.
The system launches the MikoPBX console.
Console menu MikoPBX
Enter the command reboot. Press Enter.
The system will reboot with a disk check.
Reboot command
As long as there are active calls, the reboot and shutdown will not be available via the web interface.
"Maintenance" -> "Reboot" section
Installing the system on a USB drive (Bootable USB)
Before starting, download the disk image file with the .raw extension. You can do this here.
Installing the system on a USB drive
Windows
This guide uses the balenaEtcher utility. You can download it .
First, format your USB drive with the following parameters:
File system - FAT32
Allocation unit size - 8192 bytes
Open balenaEtcher. Click "Flash from file" and select the previously downloaded .raw file.
Click "Select target".
From the list, select your USB drive. Then click "Select 1".
Next, click "Flash!"
Wait for the process to complete. Then proceed to the section .
MacOS
Connect your USB drive and open the Terminal.
Run the following command:
This command displays all connected disks. Look for the disk labeled (external, physical).
In our case, it is disk4 (the number may differ on your system). Use this number in the following steps.
Next, format the USB drive using this command:
Enter your administrator password when prompted and wait for the formatting to complete.
Unmount (disconnect) the disk using the following command:
Write the image to the USB drive using this command:
Wait for the writing process to complete. Then proceed to the section .
Linux
In this example, the image writing process will be demonstrated on Ubuntu 24.04.
Connect your USB drive and open the Terminal.
Run the following command:
This command displays information about all connected disks. Find your USB drive in the list and note its name. In our case, it is sdb.
Next, format the USB drive using this command:
Enter your administrator password when prompted and wait for the formatting to complete.
Unmount (disconnect) the disk using this command:
Write the image to the USB drive using this command:
Wait for the process to complete. Then proceed to the section .
Booting from USB drive
Boot from the USB drive. If errors occur (black screen), make sure that:
Secure Boot - Disabled
CSM (Compatibility Support Module) - Enabled
The system has successfully booted, but no drive is connected for storing call recordings. To connect it, use the arrow keys to navigate to "[6] Data storage" and press Enter.
Then select "Mount drive as data storage" to connect the disk.
Select the disk that will be used to store call recordings. Enter its ID (name), for example sdc in our case, and press Enter.
After this, the system will reboot and will be ready for use and for the first login to the Web interface.
To open the Web interface, enter your MikoPBX IP address in your browser’s address bar.
Use the default login credentials.
Google Cloud Marketplace
MikoPBX Installation Guide using Google Cloud Marketplace
For quick and convenient navigation within the Amazon service, use the search panel
Creating a virtual machine
Open Services / Compute / EC2 and navigate to Images / AMI Catalog
In the open tab enter MikoPBX in the search bar
In the AWS Marketplace AMIs section select the image (x86 or ARM version) by clicking the Select button
On the opened tab click Subscribe now
Click the Launch an instance from AMI button to create a virtual machine
Enter the virtual machine name, for example mikopbx-vm
If you have an SSH key
Specify the SSH key in the Key pair field
If you don't have an SSH key
Select Create new key pair and specify the key pair name, for example mikopbx_key
Follow the instructions further
If necessary, change the size of the storage disk in Configure storage, default size is 50Gb
Under Network settings, all required Firewall rules are configured automatically
For other fields use default values
Click Launch instance
Starting MikoPBX
Go to the created virtual machine mikopbx-vm
On the opened tab, select Connect / EC2 serial console, wait for the system to fully load until the authentication parameters are displayed
Copy the external address of the created virtual machine and enter it in the browser's address bar
Use the login and password provided in EC2 serial console for login
Storage
Disk space usage and storage settings
The "Storage" section in MikoPBX allows you to monitor disk space usage and manage data storage settings. It provides a detailed breakdown of occupied space by category: call recordings, system logs, backups, and other files. In addition to local storage monitoring, the section allows you to configure automatic upload of recordings to an S3 cloud storage.
Section location: "Maintenance" -> "Storage".
"Maintenance" -> "Storage" section
Storage information
The "Storage information" tab provides an overview of disk space usage.
At the top of the page there is a block with a horizontal chart that visually shows what share of the total disk volume each data category occupies. In the example, 56.0 GB out of 100.0 GB is used. Each segment of the chart is color-coded according to the legend:
🟠 Call recordings
🟣 Call history
🔵 System logs
🟢 Additional modules
At the bottom of the page there is a list of data categories and the amount of storage each one occupies.
Local Storage
The "Local Storage" tab allows you to set the retention period for call recordings on the station. Use the slider to select the desired period:
30 days (1 month) — minimum retention period.
90 days (3 months) — recommended for small businesses.
1 year — for compliance with legal requirements.
Click "Save" to save the settings.
S3 Cloud Storage
This tab is used to configure automatic upload of call recordings to an external S3-compatible storage (e.g., Amazon S3, MinIO, Wasabi).
At the top of the tab there is a toggle "Automatic recording upload to cloud storage" — it enables or disables the upload feature.
To connect to a bucket, fill in the following fields:
S3 endpoint URL — the address of the storage service (e.g., https://storage.yandexcloud.net for Yandex Cloud S3).
S3 region — the region where the bucket is located (e.g., ru-central1 in our case).
S3 bucket name — the name of the bucket where recordings will be uploaded.
Click "Save" to save the settings.
Next, click the "Test Connection" button — the system will perform a test connection and display the result at the top of the page. Upon successful connection, the message "S3 connection successful" will appear and synchronization of call recordings will begin.
At the bottom of the tab there is a "Local storage period (S3 mode)" slider — it determines how long recordings will be stored locally on the station after being uploaded to the cloud before being automatically deleted. The local retention period cannot exceed the total retention period.
Instructions for connecting cloud storage
Connecting DigitalOcean S3 Storage
Instructions for connecting DigitalOcean Spaces Object Storage as an S3 storage
Navigate to Manage → Spaces Object Storage. Click Create a Spaces Bucket to create a new bucket.
On the bucket creation page, under Choose a datacenter region, select the region closest to your MikoPBX server. Choose Standard Storage.
In the Choose a unique Spaces Bucket name field, enter a name of your choice for the bucket.
Click Subscribe & Create Bucket.
Open the page of the newly created bucket by clicking its name in the Buckets section.
Go to the Settings tab.
Scroll down to the Access Keys section. Click Create Access Key to generate a new key pair.
Fill in the required parameters for the new key:
Select access scope — Limited Access.
Buckets — select the bucket you created earlier.
Permissions — Read/Write/Delete.
Click Create Access Key.
Your key pair values (Access Key ID and Secret Key) will be displayed. Save these values — you will need them when configuring MikoPBX.
Connecting to MikoPBX
Go to the Maintenance → Storage tab.
Open the S3 Cloud Storage tab and fill in the following fields:
Automatically upload recordings to cloud storage — enable the toggle.
S3 Endpoint URL — enter https://sgp1.digitaloceanspaces.com, replacing sgp1 with your region.
S3 Region — enter the region of your DigitalOcean bucket (e.g. sgp1).
Use the Local Storage (S3 mode) slider to configure how long recordings are kept locally before being deleted after upload to the cloud.
Click Save.
After saving the settings, click Test Connection. If the connection is successful, you will see the message "S3 connection successful" and synchronization of call recordings will begin.
Microsoft Outlook Setup (OAuth2)
Mail setup for the Outlook service (outlook.com; hotmail.com) via OAuth2 Authentication
Settings in Microsoft Entra
Application Registration
Sign in to the
Go to "Entra ID" -> "App registrations". Then click "New registration" to register a new application.
Select the following parameters for your application:
Name - enter a name for your application.
Supported account types - select "Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)".
Specify the Redirect URL:
Select a platform — select "Web".
URL:
Replace 192.168.100.71 with your MikoPBX address.
Then click "Register".
The application will be created. Save the Client ID — you will need it in the future for configuration inside the MikoPBX web interface.
Granting Permissions and Creating a Client Secret
From the application's main page, go to "Manage" -> "API permissions".
Click "Add a permission".
In the "Microsoft Graph" section, select "Delegated Permissions". Enter "SMTP" in the search bar. Check the box next to "SMTP.Send".
Also enter "offline" in the search bar. Check the box next to "offline_access".
Click "Add permissions".
Next, go to "Certificates & secrets" -> "Client secrets". Click "New client secret".
Set the required parameters:
Description - an arbitrary description.
Expires - the duration for which you are issuing this client secret. It will be needed for application authentication in MikoPBX.
Click "Add".
Copy the "Value" (not the Secret ID!). It will be needed for configuration in the MikoPBX web interface.
Granting Permissions to a User
For the application to work correctly, you need to grant permission to use the SMTP protocol for the user whose mailbox you are authorizing during this setup. To do this, follow these steps:
Go to the organization's admin center ().
Go to "Users" -> "Active Users". Click on the name of the user account under which the application is being created.
In the account, go to the "Mail" section and select "Manage email apps".
Make sure that "Authenticated SMTP" is allowed. Save the changes by clicking "Save changes".
Settings in MikoPBX
Go to the MikoPBX web interface. Then "System" -> "Mail and Notifications" -> "SMTP Settings".
Fill in all the required fields:
Sender address, Sender name — your email and the name from which the emails will be sent.
Authentication type — OAuth2.
SMTP login — your email.
Leave all other settings at their default values. A more detailed description can be found in the main article about mail parameters ().
After that, click "Save"!
Click "Connect via OAuth2". Sign in to your Microsoft account. Then confirm granting all requested permissions.
Upon successful authorization, you will see the corresponding window.
Firewall
Description and configuration of Firewall rules in MikoPBX
The Firewall in MikoPBX is an interface for configuring the system's firewall. Here, administrators can create and manage network traffic filtering rules, controlling access to MikoPBX and protecting it from unauthorized access and network threats. Configuring the firewall ensures the security of the telephone system, preventing potential attacks and ensuring stable operation in the organization's network infrastructure.
In MikoPBX, all local subnets can be described in the "Network and Firewall" → "Firewall" section. The firewall is designed to restrict access to the station by traffic type and subnets.
Section "Network and Firewall" -> "Firewall" in MikoPBX
To add a new rule, you need to click on the button:
Button for creating a new rule
General settings
You can give the rule any custom name. To the right of the subnet address, there is a field for Subnet Mask in CIDR format.
Available services
SIP&RTP - registration of phones and voice traffic. Session Initiation Protocol is used for establishing connections between VoIP phones.
WEB - access to the administrative interface for configuring the PBX.
SSH - root access to the system. SSH (Secure Shell) allows accessing the MikoPBX console.
Advanced Options
Each subnet has a flag 'Is it a VPN or a local network'. When this flag is set, MikoPBX will present itself as a local IP to all local subnets instead of external ones.
The flag 'Never block addresses from this network' should be enabled only for trusted subnets. If this flag is enabled, intrusion prevention rules will not apply to this subnet.
Behaviour in Docker containers
In Docker bridge mode the MikoPBX built-in firewall and fail2ban do not protect the web interface: the container cannot manage host iptables, and HTTP clients arrive from the docker0 gateway. SIP protection continues to work (UDP DNAT preserves the source IP).
To protect the web interface in Docker, choose one of:
network_mode: host for the container (when the host is dedicated to the PBX);
An external CrowdSec-compatible bouncer in front of the MikoPBX API — see .
Anti brute force
This section is used to configure Fail2ban.
Fail2ban is enabled together with the Network Firewall switch in the "Network and Firewall" → "Firewall" section.
"Firewall and anti-hacking protection are enabled" switch
Fail2ban blocks IP addresses with abnormal activity. When there is a failed authentication attempt, information about the error will be logged in the PBX. Fail2ban analyzes all failed attempts and keeps track of them. When the number of failed attempts exceeds the maximum allowed authentication attempts, the IP address is banned. Fail2ban is capable of slowing down the rate of failed authentication attempts.
Please note that Fail2ban will not help with the use of simple passwords.
The Anti brute force settings can be found at the bottom of the "Network Firewall settings":
"Anti brute force" section
If a certain number of failed login attempts (Number of attempts for blocking) occurs within a specific period (Within (seconds)), the IP address will be blocked for a specified duration (Block for (seconds)).
The whitelist of addresses defines IP addresses that will not be blocked by Fail2ban. You can specify individual IP addresses such as 93.188.40.10 or subnets such as 93.188.40.10/32. Entries are separated by a space.
Please note that if you have set the 'Never block addresses from this network' option in the 'Network Firewall' section for a subnet, that subnet is automatically added to the whitelist, and you don't need to add it manually. It is not recommended to manually populate the whitelist of IP addresses. It is preferable to specify IP addresses only in exceptional cases.
The list of blocked addresses shows which IP addresses are currently blocked.
You can also unblock an address by clicking on the corresponding icon in the table.
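The blocking rule and whitelist format described above, as an added example that is not MikoPBX or Fail2ban code: a small Python simulation run over constructed failed-login events. It assumes the block fires when the count inside the window reaches "Number of attempts for blocking"; the function names and sample addresses are made up for illustration.

```python
import ipaddress
from collections import defaultdict, deque


def parse_whitelist(text):
    """Parse the space-separated whitelist of single IPs or CIDR subnets."""
    # strict=False tolerates host bits in a subnet entry (e.g. 192.0.2.10/24).
    return [ipaddress.ip_network(item, strict=False) for item in text.split()]


def is_whitelisted(ip, networks):
    """True when the address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def simulate(events, max_attempts, find_time, ban_time, whitelist=""):
    """Return (ip, block_start, block_end) tuples for failed-login events.

    events       -- (timestamp_seconds, source_ip) pairs, sorted by time
    max_attempts -- "Number of attempts for blocking"
    find_time    -- "Within (seconds)"
    ban_time     -- "Block for (seconds)"
    Assumption: the block fires when the count in the window reaches
    max_attempts.
    """
    networks = parse_whitelist(whitelist)
    recent = defaultdict(deque)  # ip -> failure timestamps inside the window
    banned_until = {}            # ip -> time at which the current block ends
    bans = []
    for ts, ip in events:
        if is_whitelisted(ip, networks):
            continue  # whitelisted sources are never counted or blocked
        if banned_until.get(ip, -1) > ts:
            continue  # a blocked address cannot reach the service
        window = recent[ip]
        window.append(ts)
        # Forget failures that are older than the "Within (seconds)" window.
        while window and ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_attempts:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            window.clear()
    return bans


# Constructed sample data using documentation address ranges, not real hosts.
SAMPLE_EVENTS = sorted(
    [(t, "203.0.113.5") for t in (0, 10, 20, 30, 40, 50)]      # burst of failures
    + [(t, "198.51.100.7") for t in (0, 100, 200, 300, 400)]   # failures wider apart than the window
    + [(t, "192.0.2.10") for t in range(0, 50, 5)]             # source inside a whitelisted subnet
)


def demo():
    """Run the rule with 5 attempts within 60 s, blocking for 600 s."""
    return simulate(
        SAMPLE_EVENTS,
        max_attempts=5,
        find_time=60,
        ban_time=600,
        whitelist="192.0.2.0/24 198.51.100.200",
    )


if __name__ == "__main__":
    for ip, start, end in demo():
        print(f"{ip} blocked from t={start}s until t={end}s")
```

Only the burst source is blocked: the whitelisted subnet is skipped entirely, which is why the whitelist should stay short, and failures spaced wider than the window never accumulate, which is why Fail2ban does not compensate for simple passwords.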
Installation via writing the image to a USB drive (Live USB)
Installing the system by writing the image to a USB drive
Writing the image to a USB drive
Windows
Before starting the process, format your USB drive with the following parameters:
Hyper-V
Installing MikoPBX using Hyper-V.
Creating a virtual machine
Select Action / New / Virtual Machine
UTM
Installing MikoPBX in UTM
In this manual, the installation will be performed on UTM. Before it starts, download the disk image file with the ".iso" extension. You can do this by .
Creating a virtual machine
Go to UTM. Click "Create a New Virtual Machine" to create a new virtual machine.
Digital Ocean
Installing MikoPBX using the DigitalOcean Cloud Platform
In this guide, we will perform a step-by-step installation of MikoPBX using the DigitalOcean cloud platform.
Before beginning, you need to copy the download link for the latest .raw MikoPBX image. You can find these on .
Uploading the Image to DigitalOcean
IVR Menu
Creating and configuring IVR menu in MikoPBX
An IVR menu includes options for routing incoming calls using an interactive voice menu. It allows callers to navigate through a series of menu prompts using their telephone keypad (DTMF). Each option in the menu can be associated with a specific action or routing destination, such as transferring the call to a particular department, providing self-service options, or connecting the caller to a specific extension or queue. The IVR menu enhances the caller's experience by offering a self-service mechanism and streamlining call routing based on their selections.
Pre-configuration
Before creating an IVR menu, it is necessary to upload audio files that will be played to callers when they contact your company. The audio files can be added in the "Telephony" -> "Sound files"
Proxmox
Installing MikoPBX using Proxmox.
Loading the MikoPBX image
Open the local / ISO images tab and select Download from URL
Registration in the modules marketplace
Description of the registration process
General Information
Registering in the MikoPBX Module Marketplace is not required for the system’s basic functionality. You can fully utilize MikoPBX for handling calls without registration or installing additional modules. However, we recommend registering in the marketplace to expand your system’s capabilities.
Registration gives you access to additional modules and extensions.
These include both free modules (moved out of the core system for easier initial setup) and paid modules from us and third-party developers.
If you are a developer, you can contact us at [email protected] to get instructions on creating and adding your module to the Marketplace.
Module management
This guide explains how to connect, configure, and manage modules in MikoPBX. It also covers how to install applications using the built-in Marketplace.
Additional modules allow you to expand the functionality of the main system. In this guide, you will find information on managing modules and installing applications using the built-in Marketplace.
Detailed instructions for configuring and operating each module can be found .
You can find the Module Management section under "Modules" -> "Marketplace of modules".
API Keys
Description of usage in MikoPBX
The MikoPBX REST API allows you to automate station management and integrate it with external systems - CRM, helpdesk, corporate portals, and custom services. API keys are used to access the API.
Authorization
All REST API requests are authorized via the Authorization: Bearer <token> header. MikoPBX supports two token types:
Type
Installation on MDADM RAID1
Preparation
Prepare a PC with two disks of the same size.
Boot the machine in.
Migrating MikoPBX to Another Server
Overview of methods for transferring MikoPBX to another server
There are several ways to transfer MikoPBX to a different host (server). Each method has its advantages and special considerations. Below is a brief overview of each option, and you can refer to the detailed guides in this section.
Option #1: Transfer Using Backup
Description:
A backup of the current MikoPBX configuration is created and then uploaded to the new server. This method is suitable for smaller amounts of data.
Transfer Using Backup
A method to transfer MikoPBX to another host using backup
This method involves creating a backup of your current MikoPBX configuration, transferring it, and restoring it on the new server. It’s simple to implement and suitable for small systems. This approach is convenient for users with minimal technical experience.
First, create a backup of your previous system. You can find detailed instructions in .
Select the data you want to transfer and wait for the process to complete.
Transfer using scheduled backup (SFTP)
A method to transfer MikoPBX to another host using scheduled backup via SFTP
The second method involves setting up automatic scheduled backups, saving the data directly onto the target server via SFTP. This approach is particularly convenient for transferring larger amounts of data, as it eliminates the need for intermediate storage of the backup.
Configuring Scheduled Backup
First, you need to configure scheduled backups for the MikoPBX you want to transfer data from.
Reset to factory settings
Method 1
Go to "General Settings" -> "Delete all system settings"
Give this access key a name — enter an arbitrary name to identify this key pair.
in this guide).
S3 Bucket Name — enter the name of the bucket you created in DigitalOcean (e.g. mikopbx-s3-storage in this guide).
Access Key and Secret Key — paste the values obtained in the first part of this guide.
Remember your region name (sgp1 in the screenshot below) — you will need it later when configuring MikoPBX.
A shorter local retention period frees up disk space faster.
In Docker (bridge mode) fail2ban writes bans to Redis but the container cannot manage host iptables — web-interface bans are not applied automatically. To project them to the host, run an external bouncer (see External firewall for Docker). SIP protection works normally.
Parameters of the Anti Brute Force rule
Blocked addresses list
Unlock button
Pros:
Easy to set up.
Allows you to preserve the current configuration.
Considerations:
May be less reliable for large amounts of data.
Requires intermediate storage for the backup (e.g., local disk or cloud).
Option #2: Transfer Using SFTP and Scheduled Backups
Description:
A backup is automatically created and saved directly to the target server via the SFTP protocol. This method is especially effective for large amounts of data.
Pros:
Suitable for large amounts of data.
Minimizes manual actions.
Provides direct data transfer between servers.
Considerations:
Requires SFTP configuration on both servers.
Needs correct SSH user settings for proper operation.
Option #3: Transfer Using rsync
Description:
The rsync command is used to directly synchronize data between the old and new servers. This method is convenient for experienced users.
Pros:
Fast synchronization, even for large data volumes.
Preserves access rights and directory structure.
Does not require creating intermediate backups.
Considerations:
Requires basic command-line knowledge.
Possible errors if configurations (e.g., paths) are incorrect.
Both servers must be accessible on the network at the same time.
Application ID (Client ID), Secret key (Client Secret) — data from Microsoft Entra.
After expiration, the created client secret will stop functioning and you will need to repeat the process of creating a new key and connecting to MikoPBX.
After creation, the Client Secret value will be shown only once. Do not forget to copy it into the MikoPBX web interface.
The image will be written using the Rufus utility. You can download it here.
Rufus main page
After installing the utility, open its interface. In the "Device" section, select your USB drive, click SELECT, and choose the previously downloaded .iso image. Its verification will begin.
Selected image and disk
Once verification is complete, set the following parameters and click START:
File system - FAT32
Cluster size - 8192 Bytes
Quick format - checked
Create extended label and icon files - uncheck this option
Starting the image writing process
In the popup window, select "Write in DD Image mode" and click OK.
"Write in DD image mode" option
In the confirmation window warning that all data on the disk will be erased, click OK.
Disk format confirmation
Wait until the image writing process is complete. When done, you’ll see the message "READY".
Then proceed to the section "System installation".
Successfully written image
MacOS
Connect your USB drive and open the Terminal.
Run the following command:
This will display information about all connected disks. Find the one labeled (external, physical) — for example, disk4 (the number may differ on your system). Use its number for the next steps.
List of all available disks
Next, format the USB drive with this command:
Enter your admin password when prompted and wait until formatting completes.
Formatting the disk
Unmount (disconnect) the disk using this command:
unmountDisk command
Write the image to the USB drive using this command:
Wait until the writing process is complete. Then proceed to the section "System installation".
Successfully written image
Linux
This example uses Ubuntu 24.04 to demonstrate the image writing process.
Connect your USB drive and open the Terminal.
Run the following command:
This will display information about all connected drives.
Find your USB drive in the list and remember its name. In our example, it is sdb.
lsblk command
Next, format the USB drive with the following command:
Enter your admin password when prompted and wait until formatting completes.
Disk formatting
Unmount (disconnect) the disk using this command:
umount command
Write the image to the USB drive using this command:
Wait until the writing process is complete. Then proceed to the section "System installation".
Successfully written image
System installation
Boot from the USB drive.
If errors occur (black screen), make sure that:
Secure Boot - Disabled
CSM (Compatibility Support Module) - Enabled
System booted from LiveUSB device
The system is booted in LiveCD mode — indicated by the red message. To install, use the keyboard arrows to navigate to "[8] Install" and press Enter.
Section "[8] Install"
Select the disk where the system will be installed. Enter its ID (name), for example sdc.
Selecting the system disk
Confirm your choice by typing "y" to continue.
Confirmation of your choice
After installation, you will be asked to select a disk for storing call recordings.
Make your choice as before.
Selecting the records storage disk
After that, the system will reboot and be ready for use and the first login to the Web interface.
Successfully installed system
To open the Web interface, enter the IP address of your MikoPBX in your browser’s address bar.
Use the default login credentials.
The USB drive size must be at least 1 GB. All data on the USB drive will be deleted!
All data on the disk will be deleted! Double-check the disk name before formatting!
All data on the selected disk will be erased!
Default credentials for first login to the Web interface:
Login: admin
Password: admin
On the Specify Name and Location tab, enter the name of the virtual machine, for example mikopbx-vm
Configuring Virtual Machine
Proceed to the Specify Generation tab, and select Generation 1
Configuring Virtual Machine
On the Assign Memory tab, allocate the required amount of RAM based on the expected load on the PBX. For a test machine, you can specify 2 GB
Configuring Virtual Machine
Proceed to the Configure Networking tab, and select a pre-configured network connection
Configuring Virtual Machine
On the Connect Virtual Hard Disk tab, adjust the system disk size to 1 GB
Configuring Virtual Machine
On the Installation Options tab, check the Install an operating system from a bootable CD/DVD-ROM option
Select Image file (.iso) and provide the link to the MikoPBX distribution file with the .iso extension
Configuring Virtual Machine
After entering all values, click the Finish button
Configuring Virtual Machine
Data storage disk
Go to the settings of the created virtual machine
Select the IDE controller to which the system disk is connected
On the opened tab, select Hard Drive and click the Add button
Click the New button
On the Choose disk format tab, select VHD
Adding second hard disk
On the Choose disk type tab, select Fixed size
Adding second hard disk
On the Specify name and location tab, specify the name (e.g., storage.vhd) and the location of the disk
Adding second hard disk
On the Configure Disk tab, set the disk size for data storage to at least 50 GB
Adding second hard disk
Use the default values for other fields
Complete the setup by clicking the Finish button
Adding second hard disk
Installing MikoPBX
To start the virtual machine, click Connect... -> Start
"Connect..." button
Go to the Connect tab of the created virtual machine mikopbx-vm
If the boot is successful, a console menu will appear. Enter 8 from the keyboard to start the installation
Installing MikoPBX
Select the system disk and enter the disk name from the keyboard, for example sda. Confirm the selection by entering y from the keyboard
Installing MikoPBX
Connect the disk for storing call recordings, and enter the disk name for connection from the keyboard, for example sdb
Installing MikoPBX
Starting MikoPBX
To access the MikoPBX web interface, enter your virtual machine's IP address in your browser's address bar. You can find the IP address in the console.
MikoPBX IP-address
Enter the IP address in your browser’s address bar. Log in using the default credentials.
MikoPBX web-interface authorization page
For deploying the PBX, use two disks:
a 1 GB disk for the main system
a 50+ GB disk for storing call recordings
When the message "Press any key within 30 seconds to boot from LiveCD..." appears, do not press any buttons. In this case, the system will boot from the hard drive.
Use the following default credentials for the first login to the MikoPBX web interface:
Username: admin
Password: admin
Select "Virtualize" as the VM type.
Selecting the type of virtual machine
Select "Preconfigured" - "Linux" as the operating system type.
Choosing the type of operating system
Select the previously downloaded disk image file in the "Boot ISO Image" section. To do this, click on "Browse...".
Selecting a disk image file for a VM
Next, specify the characteristics of your virtual machine. In our case, 2 GB of RAM and 2 processor cores will be used.
VM Configuration
Next, specify the size for the system disk. In our case, 1 GB.
Specifying the size of the system disk
Click Continue.
The "Shared Directory" section
The final configuration of the VM will be displayed. Give it the desired name (the "Name" field) and click "Save".
The final configuration
Connecting a disk for data storage
Go to the VM settings. To do this, right-click on its name, then "Edit".
VM Settings
Go to "Drives". Click "New..."
"Drives" section
Create a new disk with the following parameters:
Interface - VirtIO
Size - at least 50 GB (in this documentation, 10 GB will be used for the test machine)
Click "Create".
Creating a second disk
System installation
Start the VM.
Launching a VM
After loading, you will see the message PBX is running in Live or Recovery mode. This means that the system is loaded from the disk image in Live mode. It is necessary to install the system. To do this, go to the "[8] Install on Hard Drive" section.
MikoPBX in LiveCD mode
Select the disk to install the system. In our case, vda and vdb disks are available, and we select the vda disk for installation.
Selecting a disk to install the system on
Confirm the selection: enter "y" from the keyboard and press Enter.
Confirming the disk selection
Next, select a disk for storing conversation recordings. In our case, the only remaining one is the 10 GB disk.
Selecting a disk for storing conversation recordings
After that, the system will reboot and be available in normal mode (the label "PBX is running in Live or Recovery mode" will disappear).
MikoPBX IP-address
Enter this IP address in the browser bar to access the Web interface.
MikoPBX Web-interface
This instruction has been relevant since the first release, published in 2026. Tested on Apple Silicon processors.
The system disk. The system is installed on it, the recommended size is 1 GB.
A disk for storing recordings of conversations. The recommended size is from 50 GB.
Standard login information:
Login: admin
Password: admin
Go to "Manage" → "Backups & Snapshots":
Section "Backups & Snapshots"
Go to "Custom Images" → "Import via URL":
"Import via URL"
Paste the link to the .raw disk image file you copied earlier.
Enter a name for the image, select the region where it will be uploaded (this should match the region of your future virtual machine), and choose "Unknown" as the operating system type.
Click "Upload image".
Image parameters
Wait for the image upload to complete.
Creating a Virtual Machine in the Cloud
Go to DigitalOcean’s main page:
DigitalOcean’s main page
To create a new virtual machine (Droplet), go to "Create" → "Droplets":
Creating a droplet
Select a region and datacenter for your virtual machine:
VM Parameters #1
Next, choose the previously uploaded image and configuration for your virtual machine:
VM Parameters #2
Go to the "Additional Storage" tab. Here, you can add a second disk that will be used for call recordings. To do this, click "Add volume" and specify the parameters for the new disk.
"Additional Storage" section
Go to "Choose authentication method." Here, you need to select "SSH Key" and add the key pair for SSH authentication. For more information on generating SSH keys, see:
We recommend a minimum size of 50GB for the call recordings disk.
The default login for SSH on a DigitalOcean VM is do-user.
Adjust:
C:\Users\<Username>\.ssh\id_ed25519 to the path of your local SSH key.
"Sound files" section
Choose your music file using "Upload a new file"
"Upload a new sound file" button
Additionally, there is the option to record a file using a microphone if you connect to the MikoPBX over HTTPS.
Creating an IVR menu
Go to "Telephony" → "IVR menu" section.
"IVR Menu" section
Click "Add new IVR menu."
"Add new IVR menu" button
Set the name, number, and, if necessary, a comment for the IVR menu. Select the audio file that you uploaded in the previous step.
Parameters of the new IVR menu
Configure Actions when you extend. In the first column, specify the extension number, and in the second column, set the addressing rule.
"Actions when you extend" section
Set the number of retries before transferring to the default number.
Number of repetitions before transferring to the default number
Set the timeout for entering an extension number (value in seconds) after which the voice greeting will be repeated.
Timeout to enter an extension number after IVR menu playback
The Default extension is required in case the client does not enter an extension number (for example, due to technical limitations).
Default extension
Enable the "Allow Dialing of any extension" toggle switch if needed.
"Allow dialing of any extension" switch
Enter the IVR menu number that can be dialed to reach that specific IVR menu.
Press "Save settings."
"IVR menu extension"
How IVR works
The principle of operation of an IVR (Interactive Voice Response) is as follows:
When calling the IVR menu number, the Voice Greeting audio file starts playing.
During the playback of the voice menu, the caller can select menu options or dial an employee's internal extension. The "Allow Dialing Any Internal Number" flag allows callers to dial internal employee numbers with SIP accounts. Routing to queues, IVRs, conferences, and other destinations is configured separately in the IVR action table.
After the voice menu is played, there is a waiting period of the "Input Extension Timeout" for entering an extension number.
The total time allowed for entering the extension number is calculated as the sum of the audio file duration and the input extension timeout.
If the total time for entering the extension number expires, a repeat voice announcement occurs, and there is another waiting period within the timeout for the next IVR attempt.
If the user enters an incorrect number or does not enter any number at all, a repeat voice announcement occurs, and there is another waiting period within the timeout for the next IVR attempt.
The maximum number of attempts is set by the "Number of Retries" parameter before transferring to the default number.
Once the number of attempts exceeds the specified value, the call is redirected to the default number.
In the URL field, paste the link to the MikoPBX distribution file with the .iso extension
Click the Download button and wait for the file to finish downloading
Loading the MikoPBX image
Creating a virtual machine
Select Create VM
On the General tab, enter the name of the virtual machine, for example mikopbx-vm
Configuring virtual machine
Go to the OS tab, and in the ISO image field, select the previously downloaded image
Set the OS type to Linux
Configuring virtual machine
On the System tab, uncheck the Qemu Agent box, and use the default values for other fields
Configuring virtual machine
Go to the Disks tab
Adjust the size of the system disk to 1 GB
Configuring virtual machine
Click the Add button and add an additional disk for data storage
Specify a disk size of at least 50 GB
Configuring virtual machine
On the CPU and Memory tabs, specify the computing resources for the virtual machine based on the expected load on the PBX. For a test machine, you can set Cores (CPU tab) to 2 and Memory (Memory tab) to 2 GB
Configuring virtual machine
On the Network tab, uncheck the Firewall box
Configuring virtual machine
Go to the last tab, Confirm, and check the Start after created box
After entering the values, click the Finish button
Configuring virtual machine
Installing MikoPBX
Go to the created virtual machine mikopbx-vm
On the open tab, go to the Console section
If the boot is successful, a console menu will appear. Enter 8 from the keyboard to start the installation
Installing MikoPBX
Select the disk for the system and enter the disk name from the keyboard, for example sda. Confirm the selection by entering y from the keyboard
Installing MikoPBX
Connect the disk for storing call recordings, enter the disk name for connection from the keyboard, for example sdb
Installing MikoPBX
Starting MikoPBX
To access the MikoPBX web interface, enter your virtual machine's IP address in your browser's address bar. You can find the IP address in the console.
MikoPBX IP-address
Enter the IP address in your browser’s address bar. Log in using the default credentials.
MikoPBX WEB-interface authorization page
To deploy the PBX use two disks:
A 1 GB disk for the main system
A 50+ GB disk for storing call recordings
When the message "Press any key within 30 seconds to boot from LiveCD..." appears, do not press any buttons. In this case, the system will boot from the hard drive.
Use the following default credentials for the first login to the MikoPBX web interface:
Username: admin
Password: admin
To begin the registration process, navigate to "Modules" -> "Marketplace of modules":
Section "Modules" -> "Marketplace of modules"
If you are not registered in the Marketplace, the section will look as follows:
Marketplace section if registration is not completed
Registration Process
To start the registration process, click the Register in Marketplace button:
The "Registration in the marketplace" button
The license key stores all your licenses for MikoPBX products. If you already have a key, you can enter it in the corresponding field. If you've forgotten your key, search your email inbox for messages from [email protected]
License key
If you don’t have a key, you can generate a new one by completing the registration form:
Registration form for the marketplace
Organization Name – Enter your company/organization name.
Contact Email – Enter your organization’s email address.
Contact Person – Enter the name of the contact person.
Contact Phone (optional) – Provide a contact number.
Unique Company Identifier (e.g., Tax ID, VAT) (optional).
Click Register.
Upon successful registration, you will see the following screen:
A notification confirming the system's registration.
The license key field will display a blurred value by default. Hover over it to view or copy the key.
Successful registration in the marketplace
License Management
To manage your license, go to Marketplace -> License Management and click the corresponding option:
Enter your license key in the Enter your license key or activated coupon field and click Login:
Entered license key
You will access a system with nine sections:
SaaS System
Go to the Session monitor section:
"Session monitor" Section
In the Info column, click the i button for each binding to view detailed host information.
Host information
In the Action column, use the Drop button to unbind the license from the current host.
Resetting the license on the host
Potential Issues
Registration Issues
If you encounter issues during registration, check for internet access to the MikoPBX server. Ensure connectivity to lic.miko.ru and lic.mikopbx.com over port 443 (HTTPS). Verify firewall settings and network permissions.
Strikethrough Key Icon
MikoPBX periodically connects to licensing servers to verify installed modules. If a module license becomes unavailable, the module will be disabled, and a strikethrough key icon will appear next to its name.
MikoPBX is a free solution and does not require registration.
The absence of a license does not impact call functionality. You can register or cancel your Marketplace registration anytime.
If you move MikoPBX to another host or restore it from a backup, you will need to reset license bindings in the .
One license key is issued per company. If your company uses multiple MikoPBX instances, a single registration is sufficient.
Installed Modules
This section allows you to manage modules: connecting them, configuring them, and uploading your own custom modules. Documentation on developing your own modules can be found here.
All installed modules are listed under the tab of the same name:
All installed modules
You can upload your own module using the "Upload New Module" button. You need to upload .zip files. After uploading, the module will appear in the list under the "Installed Modules" tab.
"Upload new module" button
You can also access the settings of any module for further configuration:
Module settings
Additionally, you can enable or disable a module.
Enable/disable module
From the interface of an installed module, you can quickly access its documentation by clicking on the question mark to the right of the module's short description:
Quick jump to module documentation
Quick Access to Modules
You can add any module to the sidebar menu for quick access, which can be useful if you need constant access to the module's settings to change parameters or its status.
Modules in quick access
To do this, follow these instructions:
Go to the settings of the module you want to add to the sidebar menu by clicking on the edit icon to the right of the module's version:
Go to module settings
Click on the settings icon to the right of the module's status to access the display settings for the module in the sidebar menu:
Settings of the module
In this section, you can:
Toggle the display of the module in the sidebar menu—"Show module in sidebar menu".
Choose the section where it will be displayed—in the example, the "Modules" section is selected.
Specify a custom name for the module if desired.
After completing the settings, click "Save".
Module display options in the side menu
Marketplace
In this section, you can install modules from MIKO as well as from partner developers.
Marketplace section
Each module has a button for downloading and installing it. Basic information about the module with a short description is also displayed here.
Button for installing the module
To the left of the module's name, you can find an icon indicating whether it is paid or free. For example, in the image above, the "Access Control Management" module is paid, while the "Backup&Recovery module" module is free.
Module Card
You can access a module's detailed page by clicking on its name in the Marketplace interface.
Module card
Here you can find the version of the current release, information about the developer, and whether the module is paid or free. There are also three sections:
Module Description
This section contains images illustrating the module's functionality and settings. Additionally, there is a basic description of the module and a "Useful Links" section with a link to detailed documentation on configuring and operating the module.
Version History
In this section, you can find the module's version history with detailed descriptions of changes, as well as the minimum compatible version of MikoPBX for proper operation. You can also install a specific version of the module by clicking on the blue link under its description.
Version History section
Activating Coupons
If you purchase a module, you will receive a coupon. To activate it, go to Modules -> Marketplace of modules:
Marketplace of modules section
Then navigate to the "License Management" section.
In the "Activate Coupon" field, enter your coupon code and click "Activate Coupon"
Coupon activation
To use both paid and free modules, you need to register your copy of MikoPBX and obtain a free license key. Instructions on how to do this can be found here.
Each paid module has a trial period of 2 weeks. During this period, you can try the module's functionality and decide whether to purchase it. To purchase a module, write to
The protection key always starts with MIKO-. Coupons for modifying product composition always start with MIKOUPD-.
When to use?
JWT token
Internal system components, modules, built-in tools
For external integrations, always use an API key — it is created manually, has configurable access permissions, and can be revoked at any time.
Creating an API Key
Go to "System" → "API Keys".
"API Keys" section in MikoPBX
Click "Add API Key".
Fill in the Description field (e.g.: CRM Integration)
Copy the generated API key — it is displayed only once
Important: save the key immediately after creation. Once the page is closed, it cannot be recovered — you will need to create a new one.
Basic API key parameters
Configuring Access Permissions
Follow the principle of least privilege — each key should only have access to the resources that are actually needed.
When creating a key, two options are available:
Full access — the key gets read and write access to all API resources. Use only if truly necessary.
Manual configuration — the access level for each API resource is specified individually: read-only, read and write, or no access.
Network filter: choose one of two options:
Localhost connections only — the key will only work from the local network. Recommended if the integration runs within the infrastructure.
Connections from any address are allowed — the key is accessible without IP restrictions. Use only if the client is located outside the local network.
Security
Following these requirements protects the API from token interception and unauthorized access:
Valid SSL certificate:
Use a trusted SSL certificate on the MikoPBX server side. The easiest way is to issue a free certificate via the Let's Encrypt module (instructions for working with the module are available here).
Operating without a valid certificate is only acceptable in an isolated test environment with no internet access.
Certificate trust on the client side:
The client must verify the server certificate on every request. Disabling verification (verify=False in Python, -k in curl) is not acceptable in production: without it, a man-in-the-middle (MITM) attack becomes possible, where an attacker intercepts the Bearer token in plaintext.
Key scope restriction:
Each key must only have access to the resources actually used by the integration. Do not use "Full access" unless necessary — compromising such a key gives an attacker full control over the API.
Network access restriction:
If the integration runs within a local network — choose "Local connections only". This prevents a compromised key from being used from an external network.
Use "Allow connections from any address" only when the client is physically located outside the local network, and make sure all other security measures are in place — a valid SSL certificate and minimal key permissions.
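Added example (not part of the MikoPBX documentation): a Python client that applies the client-side requirements above. It refuses plain HTTP, keeps certificate and hostname verification on (with an optional private CA file instead of verify=False), and mirrors a "Read" key locally by refusing anything but GET. The class name PbxApiClient, the host pbx.example.test, the path /placeholder/resource and the variable PBX_API_TOKEN are hypothetical placeholders.

```python
"""Added example: HTTPS client for a Bearer-token REST API.

Assumptions (not from the MikoPBX documentation): class and parameter names,
the host pbx.example.test, the resource path and PBX_API_TOKEN are placeholders.
"""
import json
import os
import ssl
import urllib.parse
import urllib.request

READ_METHODS = {"GET"}                     # "Read" access level
WRITE_METHODS = {"POST", "PUT", "DELETE"}  # added by "Read and write"


class PbxApiClient:
    def __init__(self, base_url, token, ca_file=None, read_only=True):
        parts = urllib.parse.urlsplit(base_url)
        # Never send a Bearer token over plain HTTP.
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError("base_url must be an https:// URL with a host")
        if parts.username or parts.password:
            raise ValueError("credentials must not be embedded in base_url")
        # Whitespace (including CR/LF) in a token would corrupt the header.
        if not token or any(ch.isspace() for ch in token):
            raise ValueError("token must be non-empty and free of whitespace")
        # Only scheme and host[:port] are kept; any path in base_url is ignored.
        self.base_url = f"https://{parts.netloc}"
        self._token = token
        self.read_only = read_only
        # create_default_context() sets CERT_REQUIRED and hostname checking.
        # If the PBX certificate comes from a private CA, pass that CA's PEM
        # file as ca_file rather than switching verification off.
        self.context = ssl.create_default_context(cafile=ca_file)
        self.context.minimum_version = ssl.TLSVersion.TLSv1_2

    def build_request(self, method, path, payload=None):
        """Return a prepared urllib Request without sending it."""
        method = method.upper()
        if method not in READ_METHODS | WRITE_METHODS:
            raise ValueError(f"unsupported method: {method}")
        # Local guard matching the key's scope: a read-only integration
        # fails here instead of relying only on the server to reject it.
        if self.read_only and method in WRITE_METHODS:
            raise PermissionError(f"{method} refused: client is read-only")
        if not path.startswith("/"):
            raise ValueError("path must start with '/'")
        data = None if payload is None else json.dumps(payload).encode("utf-8")
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method)
        req.add_header("Accept", "application/json")
        if data is not None:
            req.add_header("Content-Type", "application/json")
        # Unredirected headers are not copied onto a redirected request, so
        # the token is not forwarded if the server answers with a redirect.
        req.add_unredirected_header("Authorization", f"Bearer {self._token}")
        return req

    def call(self, method, path, payload=None, timeout=10):
        """Send the request; certificate errors raise instead of being ignored."""
        req = self.build_request(method, path, payload)
        with urllib.request.urlopen(req, timeout=timeout,
                                    context=self.context) as resp:
            body = resp.read().decode("utf-8")
            return resp.status, json.loads(body) if body else None


if __name__ == "__main__":
    # The token comes from the environment, not from source code.
    api_token = os.environ.get("PBX_API_TOKEN", "constructed-sample-token")
    client = PbxApiClient("https://pbx.example.test", api_token)
    prepared = client.build_request("GET", "/placeholder/resource")
    print(prepared.get_method(), prepared.full_url)
    print("verify_mode:", client.context.verify_mode.name,
          "check_hostname:", client.context.check_hostname)
```
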
Examples and Detailed Documentation
Click a card to navigate:
"Read" allows you to retrieve data (GET)
"Read and write" allows you to create, modify, and delete data (POST, PUT, DELETE)
Download your archive by clicking the corresponding button in the "Backup Module" section:
Button to download archive
On the new host (server) with your MikoPBX installation, restore from the archive by clicking "Upload backup file":
"Upload backup file" button
After this, your system will be restored from the archive. This method is ideal for transferring small amounts of data.
Go to the "Backup" module. Navigate to the "Backup Schedule" tab:
"Backup schedule" button
Next, set the scheduled backup parameters:
Server Address: Enter the address of your new MikoPBX server.
Mode: SFTP mode
Port: 22
Username: The SSH username for your new MikoPBX server.
Password: The SSH password for your new MikoPBX server.
The path on the server: "/storage/usbdisk1/mikopbx/backup/"
For information on SSH connection, refer to the related documentation. To start the backup immediately after saving the settings, choose the option "Start backup immediately after saving settings". You can also select the specific data you want to transfer in the corresponding section.
Parameters of backup
Wait for the backup to complete, and then shut down the old machine.
Restoring from the Backup on the New Host
If the data transfer is successful, your backup will appear in the backup module section on the new host:
Backup copy
To restore from the backup on your new host, do the following:
Go to the backup settings by clicking on the respective element:
Way to recovery settings from a copy
Select the data you need to transfer and click "Restore from a backup":
"Restore from a backup"
In the input field, paste the text "delete everything", click "Save settings"
Method 2
Open the MikoPBX console menu. Use the keyboard to enter 9 to go to the PBX console.
Enter two commands sequentially:
After executing these commands, MikoPBX will reboot. Log in to the web interface with the default login (admin) and password (admin).
Proxmox LXC is a lightweight container solution within the Proxmox VE virtualization platform, based on LXC (Linux Containers) technology. LXC containers allow running isolated Linux systems with minimal resource consumption compared to full virtual machines.
Downloading the Container Template
Go to the "local" storage, then "CT Templates". Click "Download from URL" to open the template download dialog from a URL.
Go to with releases and copy the download link for the template file with the "lxc.tar.gz" extension.
Paste the link into the "URL" field and click "Query URL". If you copied the correct link, the "File name" field will be populated with the filename having the "lxc.tar.gz" extension.
Click "Download" to start the download.
After the download is complete, you will see the "TASK OK" message.
Creating an LXC Container
Click "Create CT" in the upper right part of the interface to create a new container.
Fill in all the basic container parameters:
Hostname — enter a name for the service.
Password — enter the password for logging into the MikoPBX web interface.
SSH public keys — generate and paste your SSH key. You will then be able to use it to connect to the station via SSH. More details about key generation and SSH connection can be found .
Click "Next".
Select the previously downloaded template in the "Template" section.
Click "Next".
Next, specify the system disk size. The recommended value is 1 GB.
Click "Add" to add a new disk.
Specify the size of the second disk — this is where call recordings will be stored. The recommended size is at least 50 GB. Also specify the disk path — "/storage".
Click "Add" to add a new disk.
Specify the size of the third disk for storing configuration. The recommended size is 0.5 GB. Also specify the disk path — "/cf".
Click "Next".
On the next tab, specify the number of CPU cores to be used. For a small company, 1–2 cores is sufficient (see for more details).
Click "Next".
Next, specify the amount of RAM and Swap memory for the container.
Click "Next".
In the next section, configure your network settings. In our case, DHCP is used to obtain an IPv4 address. The Firewall does not need to be enabled here, but it must be configured later in MikoPBX (see for more details).
Click "Next".
In the DNS settings section, click "Next".
You will see the final container configuration. Click "Finish".
First Launch
Go to the management window of the created container by clicking on its name. Click the "Start" button to launch it.
Then go to the "Console" tab. Wait for the system to load and find the web interface IP address.
Enter it in your browser's address bar. Then perform the first login to MikoPBX.
Asterisk Manager Interface (AMI)
Setting up AMI access
Asterisk Manager Interface (AMI) is a powerful and convenient Asterisk programming interface (API) for managing the system from external programs. Thanks to the AMI, external programs can connect to Asterisk via the TCP protocol, initiate the execution of commands, read the result of their execution, as well as receive notifications about events in real time.
AMI is often used for integration with business processes and systems such as CRM (Customer Relationship Management) software. Asterisk is often managed from the CLI console, but using AMI does not require direct access to the server running Asterisk. AMI is a simple tool that, in the hands of a developer, becomes a powerful and flexible means of integration with other software products. It enables developers to use the information generated by Asterisk in real time.
The first thing to do is to enable the AMI and create a user with which the client program will authenticate. "System" -> "Asterisk Manager Interface(AMI)":
"Asterisk Manager Interface (AMI)" section
To add a new account, specify a Username and Password. You must also set a Network filter, i.e. the subnet from which connections for this AMI user are allowed. You can allow connections from any address, or select a specific network that you have configured in "Network and Firewall" → ""
AMI User Options and Rights
AMI user rights are set in the [user] section of the configuration file /etc/asterisk/manager.conf
rights ID
reading
writing
System log entries
Description of section functions
The "System Diagnostics" section in MikoPBX is a tool for monitoring and analyzing the status of the telephone system. Using this section helps to promptly detect and eliminate technical problems, ensuring stable and efficient operation of MikoPBX.
Contains 3 tabs: Show log, System information, Capturing network packets.
Three sections
Show log section
This section allows you to view log files for detailed analysis of PBX operations.
To start, select a file.
Set the number of lines to fetch.
Set the offset value to shift the selection.
The following options are available:
Download the selected log as a file.
Refresh the log.
Auto-refresh the log.
Example: Call Analysis
Suppose you need to analyze an outgoing call to the number 74952293042.
Select the log file asterisk/verbose.
Set the phone number 74952293042 as the filter.
Set the limit to a sufficient value, such as 2000, to ensure all log entries are included.
In this example, the ID = C-0000000f.
Repeat the log query but use the filter C-0000000f this time.
You will receive the entire log of the dialplan process.
System Information
The tab displays the following information:
Network settings
CPU load
RAM usage
iptables settings
Capturing network packets
This section allows you to perform a detailed analysis of errors in PBX operation.
Capturing Network Packets
You can start capturing network packets passing through the network interface.
To start the process, press the Start button.
Reproduce your issue: make a call or perform an action that causes the error or failure.
Press the Stop and Download button.
The network packets will automatically be saved in the archive MikoPBXLogs_log-tcpdump-XXXXXXXXXX. They should also automatically save in your browser's Downloads folder.
If you cannot find the archive in the Downloads folder, you can and download it from the /storage/usbdisk1/mikopbx/tmp directory - the file will be log-tcpdump-XXXXXXXXXX.zip.
Download All System Logs
You can download all system logs accumulated on the PBX. To do this, click the Download All System Logs button.
The system logs will automatically be saved in the archive MikoPBXLogs_log-sys-XXXXXXXXXX.zip. The logs should also automatically save in your browser's Downloads folder.
You can also obtain this log archive from the /storage/usbdisk1/mikopbx/tmp directory by connecting to the PBX using WinSCP. The file will be log-sys-XXXXXXXXXX.zip.
Other ways to collect logs:
Using an
Using the
Using the
Mail and Notifications
Mail and Notifications Settings
The "Mail and Notifications" section in MikoPBX allows you to configure sending system notifications via email. Here, administrators specify SMTP server parameters, define events for notifications such as voicemail or system errors, and edit email templates. This section helps keep users and administrators informed about important events in a timely manner, ensuring effective system monitoring.
"Mail and notifications" section in MikoPBX
General Settings
General mail settings
Enable Notifications - enables/disables all email notifications, including voicemail.
Common Email for Missed Call Notifications - a shared email address for sending notifications about missed external calls (if an employee has no email specified, this shared address is used).
Common Email for Voicemail Messages - a shared email address for sending voicemail notifications (priority: 1. Employee's personal email; 2. The email specified in this field).
Send login notifications - enables/disables system login notifications.
Send system notifications - enables/disables sending of system notifications.
System Administrator Email - the address to which system notifications will be sent.
SMTP Settings
Sender Address, Sender Name - emails will be sent on behalf of this address and name.
Authentication Type:
Username and Password - classic authentication method when connecting to an SMTP server, using a mailbox address (login) and password. All parameters (server, port, encryption, login, and password) are entered and stored manually.
OAuth2 Provider - the mail service through which OAuth authentication is performed (e.g., Microsoft/Outlook, Google/Gmail).
Application ID (Client ID) - the unique identifier of the application created in the control panel of the selected OAuth provider. Used so the provider knows which application is requesting access to the mailbox.
How to connect?
Our documentation includes several connection examples for each authentication type. Below you can find links to these instructions.
Login and password authentication:
OAuth2 authentication:
Network interface
Description and configuration of network interfaces
The "Network Interface" section in MikoPBX is an interface for configuring the system's network connection parameters. Here, administrators can manage IP addresses, subnet masks, gateways, and other network settings for each network interface. This allows MikoPBX to be correctly integrated into the organization's network and ensure its stable operation in accordance with the requirements of the network infrastructure.
The section is located in "Network and Firewall" -> "Network Interface":
"Network Interface" Section in MikoPBX system
General parameters
The hostname is the name of the machine. If no value is specified, the default hostname used is 'mikopbx.local'.
Network interfaces
There are two ways to configure the IP address:
DHCP (Dynamic Host Configuration Protocol) can be used for automatic IP address configuration. Enable the 'Use DHCP to obtain network settings' switch. This is recommended for most users. To not rely on DHCP server settings (to provide a specific address), you can disable the switch.
If you do not want to use settings obtained from a DHCP server, you can configure the network manually. This requires some knowledge about the network topology. To the right of the IP address, there is a field for Subnet Mask in CIDR format. You should use the alternative format: /8 corresponds to the subnet mask 255.0.0.0, /16 corresponds to 255.255.0.0, and /24 corresponds to 255.255.255.0.
"VLAN ID" - MikoPBX supports virtual network interfaces. This is relevant only for physical PCs. Sometimes a PC may have only one network interface, and it may not be possible to connect a second one physically. Using VLAN, you can create a virtual interface that works 'on top' of the physical one. One of the advantages of using VLAN is that all phone calls can be routed through it, while the network equipment can 'tag' all VLAN traffic and guarantee a stable connection.
The number of network interfaces in MikoPBX is not limited.
Network topology
The 'Network interface with internet access' is the primary network interface through which access to external addresses (non-local) will be established.
If no DNS server address is specified, the default server 8.8.8.8 will be used.
Depending on your network topology, you need to perform the following steps to configure MikoPBX. The PBX can be behind a network router, which is the most common scenario, or it can have a public IP.
If the PBX is behind a router, you need to check the 'This station is located behind a NAT router' option.
If you know the external address of the station (IP or domain name) and have forwarded the ports of the PBX to the external world, it is recommended to fill in the fields 'External IP address of your router' or 'External hostname of your router'.
For all addresses that are not local to the PBX, the station will be represented by the external address:
If 'External IP address of your router' is empty and 'External hostname of your router' is filled, the PBX will be represented by the hostname (External hostname) field.
Manual configuration of network routes
Go to the 'System' → 'System file customization' section.
Open the file '/etc/static-routes' for editing.
Select the 'To replace all' mode and insert the rule. For example, 'route add -net 54.246.198.136 netmask 255.255.255.255 gw 172.16.32.15 dev eth0'
This rule tells the operating system that the IP address 54.246.198.136 is reachable through the network interface 'eth0' and that requests to it should be sent to the gateway (172.16.32.15).
The netmask '255.255.255.255' indicates that the rule will only be applicable to the address 54.246.198.136. If you need to create a rule for a group of addresses, for example, the entire subnet 54.246.198.0: In fact, it is the range of addresses from 54.246.198.1 to 54.246.198.254.
Click "Save settings".
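An added example, not part of the MikoPBX documentation: a check for 'route add' rules that reports which addresses a rule covers and rejects a destination that does not match its netmask. `parse_route` is a hypothetical helper, and the /24 rule in the sample is constructed (the page names the subnet, but the rule itself is not shown).

```python
"""Check 'route add' rules before saving them to /etc/static-routes."""
import ipaddress

VALUE_OPTIONS = ("-net", "netmask", "gw", "dev")

# Rule quoted on this page.
PAGE_RULE = ("route add -net 54.246.198.136 netmask 255.255.255.255 "
             "gw 172.16.32.15 dev eth0")
# Constructed rule for the whole 54.246.198.0 subnet (assumption: /24 mask).
SUBNET_RULE = ("route add -net 54.246.198.0 netmask 255.255.255.0 "
               "gw 172.16.32.15 dev eth0")


def parse_route(line):
    """Parse 'route add -net NET netmask MASK gw GW dev IFACE'.

    Returns the destination network, the first and last address it covers,
    the gateway and the interface. Raises ValueError on a malformed rule,
    including a destination that has bits set outside the netmask.
    """
    tokens = line.split()
    if tokens[:2] != ["route", "add"]:
        raise ValueError("rule must start with 'route add'")
    rest = tokens[2:]
    if len(rest) % 2:
        raise ValueError("every option needs a value")
    opts = {}
    for name, value in zip(rest[0::2], rest[1::2]):
        if name not in VALUE_OPTIONS:
            raise ValueError(f"unexpected option {name!r}")
        opts[name] = value
    for required in ("-net", "netmask", "gw"):
        if required not in opts:
            raise ValueError(f"missing {required}")

    # strict=True rejects e.g. 54.246.198.136 combined with 255.255.255.0
    network = ipaddress.ip_network(
        f"{opts['-net']}/{opts['netmask']}", strict=True)
    gateway = ipaddress.ip_address(opts["gw"])

    if network.prefixlen >= 31:
        first, last = network[0], network[-1]
    else:
        first, last = network[1], network[-2]  # skip network and broadcast
    return {"network": network, "first": first, "last": last,
            "gateway": gateway, "dev": opts.get("dev")}


if __name__ == "__main__":
    for rule in (PAGE_RULE, SUBNET_RULE):
        info = parse_route(rule)
        print(f"{info['network']}: {info['first']} .. {info['last']} "
              f"via {info['gateway']} on {info['dev']}")
```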
Storing Recordings in a Shared Windows Folder
In some cases, it is necessary to save call recordings on a network drive. This example shows how to connect a shared Windows folder to MikoPBX.
Note: If the network folder becomes unavailable, it may cause disruptions in PBX operation.
In the script variables "HOST, USER, PASS", specify the connection parameters to the shared folder.
Add the script to cron for automatic connection of the shared folder.
Go to the System → Customizing System Files section.
Test the PBX operation to ensure that call recordings are being saved to the network drive.
Resetting WEB Interface Credentials
Steps to reset the WEB interface credentials from the MikoPBX console
You may encounter a situation where you have forgotten the username or password for the MikoPBX web interface. This guide explains how to reset them.
Authorization failed
Solution
Go to the MikoPBX console.
The location of the console depends on the installation method:
If installed on a physical server - on the monitor connected to the server.
If installed in a virtual machine - in the virtual machine management console.
Select the option "[7] Reset password for the web interface".
Type y to confirm resetting the login and password.
Log in to the web interface using the default credentials:
After the first login, you will be prompted to change the credentials.
Resetting the Password in a Docker Container
Access the container shell:
Launch the menu using this command:
Navigate to "[7] Reset password for the web interface".
Enter "y" to confirm resetting the username and password.
Log in to the web interface using the default credentials:
Change the login credentials after the first authorization:
Backup Internet and Provider Re-Registration
Configuring Backup Internet
If your PBX is behind NAT and its public IP address changes, the PBX may not receive incoming calls until it re-registers with the provider, which by default can take 2–6 minutes.
Create the IP Check Script
Connect to your MikoPBX over SSH (the documentation describes the different ways to do this).
Create a new script file with this command:
The system will wait for input; paste the following script into the terminal:
Press CTRL+D to finish.
Make the file executable:
Schedule the Script
Go to the MikoPBX web interface → "System" → "System file customization":
Open the file: /var/spool/cron/crontabs/root
Append the following line to the end of the file:
This schedule runs the script every minute to check for a changed public IP. If the IP has changed, it re-registers all providers.
Adding Passkeys
Configure passwordless login to MikoPBX using biometrics or hardware keys
Passkeys are a modern passwordless authentication standard based on WebAuthn technology. They allow you to log in using biometrics or hardware security keys instead of a traditional password.
What are Passkeys?
Passkeys are cryptographic keys stored on your device that replace traditional passwords with a more secure technology. The private key never leaves your device — the server only stores the public key, which is useless to attackers.
Supported authentication methods:
📱 Biometrics — Face ID, Touch ID, Windows Hello
🔑 Hardware keys — YubiKey, Titan Key
💻 Built-in methods — Device PIN code
Advantages:
Protection against phishing and data interception
Fast authentication in 1–2 seconds
No need to memorize passwords
Unique keys for each site
How to add a Passkey?
Go to "System" → "General Settings" → "WEB interface password" tab.
In the Passkeys block, click "(+) Add Passkey".
Follow the browser instructions to register. For example:
Setting up a Passkey on a MacBook with TouchID in Safari: you can click "More options" and choose between a fingerprint, a keychain in an authenticator app, and a physical key:
After successful registration, the Passkey will appear in the list. On your next login, you can use it instead of a password.
Securing MikoPBX
How to protect MikoPBX from hacking and unauthorized access
IP PBX systems are increasingly being targeted by attackers. Criminals gain access to your telephony and make calls at your expense - to premium numbers and international destinations. This can result in losses of tens or hundreds of thousands of dollars within just a few hours.
Beyond direct financial losses, a compromised PBX can be used by fraudsters to make calls on behalf of your organization - for example, calling citizens while impersonating banks or government agencies. Victims see your company's phone number, causing reputational damage and potential investigations by law enforcement.
Go through every item in this guide - even if you have already configured the system, something may have been missed.
VMware Fusion
Installing MikoPBX using VMware Fusion.
Creating a virtual machine
Creating a new virtual machine.
Connecting AWS S3 Storage
Instructions for connecting AWS S3 as cloud storage for automatic uploading of call recordings from MikoPBX
Creating a Bucket
Go to the AWS console. Navigate to "All services" -> "Storage" -> "S3".
Microsoft Azure
MikoPBX Installation Guide using Microsoft Azure
First, log in to the Microsoft Azure portal
Let's proceed with the setup.
Creating a resource group
Open Menu / All services / General /
Running MikoPBX in a container
MikoPBX Installation Guide using Docker container
To work with MikoPBX in a container, you need to install Docker and Docker Compose, as well as create a user and directories for storing configuration settings and call recordings according to the instructions
Launching the Docker container
To launch the container with your application, use the following commands:
Call queues
Creating and configuring call queues.
Queues allow you to:
Distribute phone calls among a group of employees (agents): You can create a call queue and add multiple employees to it. When a call comes in, the system automatically routes it to an available employee in the queue, ensuring a more even distribution of workload and increasing call handling efficiency.
Hold the customer on the line when all employees are busy: If all employees in the queue are occupied with other calls, the customer will be placed on hold until one of the employees becomes available. This helps avoid call abandonment and ensures better customer service.
VMware Workstation Pro
Installing MikoPBX using VMware Workstation Pro.
This guide covers creating and configuring a virtual machine in VMware Workstation Pro and installing MikoPBX on it.
You can download the VMware Workstation Pro installer from .
Creating a Virtual Machine
Gmail Setup (oAuth2)
Gmail service mail configuration via OAuth2 Authentication
Google Account Settings
Before starting the setup, you need to change some Google account parameters. To do this, go to the account management page.
Transfer using rsync
A method for transferring MikoPBX to another host using rsync (preferred)
This article discusses transferring data to a new host using rsync. This approach uses a generated SSH key for authentication, making it the most reliable and therefore the recommended method.
Schematically, the transfer process can be depicted as follows:
Creating the Script File and Adding Content
Monitoring Providers on MikoPBX
When working with telecom service providers, issues may occasionally arise. For example, the provider's server might become unresponsive or unavailable. This article provides a mechanism for notifying the system administrator via email.
Create a new "Dialplan Application".
Enter a name (e.g., Blacklist), a short number for the application (e.g., 99), and select "Code Type" - "PHP AGI Script".
Installing Language Packs
Instructions for installing language packs to add new system message sounds
By default, MikoPBX ships with a limited set of languages for system messages. Language packs allow you to expand this set - adding voice files in the desired language and making them available for use in IVR menus, call queues, and other telephony elements.
This article walks through the installation of a language pack using Japanese as an example.
First, you need to register in the MikoPBX Marketplace. Instructions are available .
Go to Modules → Module marketplace
Fine-tuning the firewall
When a PBX is published on a public IP address, it must be protected from scanners and attackers who try to guess the passwords of SIP accounts on the PBX. If a simple numeric password is set, it will be guessed very quickly, which will cause losses.
For basic protection against scanners, fail2ban must be enabled. Additionally, you can fine-tune the iptables rules.
Go to the "System file customization" section
Passkeys work in modern browsers: Chrome, Safari, Edge, and Firefox (2023 versions and newer). WebAuthn support on the device is required.
The "WEB Interface Password" section in MikoPBX system settings
Provides the user with access to reading detailed logs
Read only
Agent - reading: Reading agent status events from the app_queue and chan_agent modules; writing: Allows the user to perform actions to manage and retrieve the status of queues and agents
User - reading: Access to user events as well as Jabber/XMPP user events; writing: Allows the user to execute the UserEvent command to create custom events
Config - reading: Write only; writing: Allows the user to receive, update, and reload configuration files
Command - reading: Write only; writing: Allows the user to execute Asterisk CLI commands from AMI
DTMF - reading: Allows the user to receive DTMF events; writing: Read only
Reporting - reading: Access to call quality events such as jitterbuffer or RTCP; writing: Allows the user to perform a number of actions to obtain statistics and information about the status of the entire system
Cdr - reading: Reading data write events in CDR; writing: Read only
Dialplan - reading: Reading events for setting dialplan variables, creating extensions; writing: Read only
Originate - reading: Write only; writing: Allows the user to execute the Originate command, which sends a request to create a new call
System - reading: Reading general information about the system, for example, configuration restart notifications; writing: Allows the user to execute Asterisk control system commands such as Restart, Reload, or Shutdown. This permission also gives users the ability to run system commands outside of Asterisk. Granting such permission is equivalent to granting access to the command shell, with the rights of the user/group under which the Asterisk process is running
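An added example, not part of the MikoPBX documentation: an audit of manager.conf that flags AMI users whose write rights include the classes described above (System, Command, Config, Originate) or whose network filter accepts an address outside the local network. The sample configuration, the user names and the function names are constructed for illustration; `read`, `write`, `permit` and `deny` are standard manager.conf options.

```python
"""Audit an Asterisk manager.conf for over-privileged AMI users."""
import ipaddress

# Write classes that give far more than a typical integration needs.
HIGH_RISK_WRITE = {
    "system": "can restart or shut down Asterisk and run system commands",
    "command": "can execute Asterisk CLI commands",
    "config": "can read and rewrite configuration files",
    "originate": "can originate new calls",
}

# Constructed sample, not taken from a real system.
SAMPLE_CONF = """\
[general]
enabled = yes
port = 5038

[crm_events]
secret = constructed-secret-1
deny = 0.0.0.0/0.0.0.0
permit = 192.168.10.0/255.255.255.0
read = call,cdr,agent
write = agent

[legacy_admin]
secret = constructed-secret-2
permit = 0.0.0.0/0.0.0.0
read = all
write = all
"""


def parse_sections(text):
    """Return {section: [(key, value), ...]}; keys such as permit may repeat."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            sections[current] = []
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # accept both 'key = value' and 'key => value'
            sections[current].append(
                (key.strip().lower(), value.strip().lstrip(">").strip()))
    return sections


def acl_allows(entries, address):
    """Apply permit/deny rules in file order; the last matching rule wins.

    An address that matches no rule is allowed (the Asterisk ACL default).
    """
    addr = ipaddress.ip_address(address)
    allowed = True
    for key, value in entries:
        if key not in ("permit", "deny"):
            continue
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue  # unparsable values are skipped in this sketch
        if addr.version == net.version and addr in net:
            allowed = (key == "permit")
    return allowed


def audit_manager_conf(text, outside_probe="203.0.113.10"):
    """Return (user, item, reason) findings; outside_probe is a test address."""
    findings = []
    for user, entries in parse_sections(text).items():
        if user == "general":
            continue
        write = set()
        for key, value in entries:
            if key == "write":
                write.update(c.strip().lower()
                             for c in value.split(",") if c.strip())
        if "all" in write:
            risky = sorted(HIGH_RISK_WRITE)
        else:
            risky = sorted(write & set(HIGH_RISK_WRITE))
        for cls in risky:
            findings.append((user, f"write={cls}", HIGH_RISK_WRITE[cls]))
        if acl_allows(entries, outside_probe):
            findings.append((user, "network",
                             f"ACL accepts {outside_probe}, an outside address"))
    return findings


if __name__ == "__main__":
    for user, item, reason in audit_manager_conf(SAMPLE_CONF):
        print(f"{user}: {item}: {reason}")
```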
OAuth2 - an authentication method in which you do not store or transmit your mailbox password. Instead, the application obtains a temporary access token from the mail provider (Microsoft 365/Outlook, Google Workspace/Gmail, etc.) and uses it when sending emails via SMTP.
Encryption type:
No encryption (port 25) - classic SMTP connection without channel protection.
STARTTLS (port 587) - the recommended and most common method for sending mail. The connection starts without encryption, after which the client and server negotiate a transition to a secure channel.
SSL/TLS (port 465) - SMTP connection with encryption from the very beginning of the connection. The channel is secured immediately after the TCP connection is established, without a switching phase.
Verify server certificate - a security setting that determines whether the client will verify the authenticity of the SMTP server's SSL/TLS certificate when establishing a secure connection (STARTTLS or SSL/TLS).
Secret Key (Client Secret) - the confidential application key issued by the OAuth provider. Used together with the Client ID to verify the authenticity of the application when obtaining and refreshing access tokens. Must be kept secret and not shared with third parties.
SMTP Host - mail server address.
SMTP Port - mail server port.
SMTP Settings. Username and Password Authentication Type
SMTP Settings.OAuth2 Authentication Type
Filling in the external IP address is mandatory. If a domain name is specified, it takes priority, and the external IP address field is not used.
When enabling the option 'This station is located behind a NAT router,' it is mandatory to specify the external address or hostname of the router. Additionally, you need to perform port forwarding on the router for SIP port 5060 and RTP ports 10000-10200 to the local address of the PBX.
If your provider allows registration and you do not need to connect external subscribers, you can choose not to enable the option "This PBX is located behind a NAT router", even if the PBX is behind a NAT router.
"Network interfaces" section
"Network topology" section
"System file customization" section
/etc/static-routes file
code for /etc/static-routes file
Set the filter by entering a string to be included in the selection.
In the last line of the log selection, find the identifier:
The obtained data can be sent to technical support for further assistance.
You can use the search function in WinSCP by entering "log-tcpdump*" in the file name field and specifying the search directory as "/storage"
Be careful! If there are many calls or heavy network "load" on the PBX, logs can take up a significant amount of disk space.
#!/bin/bash
# File to store the previous IP
IP_FILE="/tmp/last_ip.txt"
# Retrieve the current public IP (fail on HTTP errors, give up after 10 seconds)
CURRENT_IP=$(/usr/bin/curl -fs --max-time 10 https://checkip.amazonaws.com)
# Stop if the lookup failed or did not return an IPv4 address,
# so that a network error is not treated as an IP change
if ! [[ "$CURRENT_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
    exit 1
fi
# Check if the file with the previous IP exists
if [ -f "$IP_FILE" ]; then
    LAST_IP=$(cat "$IP_FILE")
else
    LAST_IP=""
fi
# Compare the current IP with the previous IP
if [ "$CURRENT_IP" != "$LAST_IP" ]; then
    /bin/busybox logger -t 'UpdateIP' "IP changed: $LAST_IP -> $CURRENT_IP"
    echo "$CURRENT_IP" > "$IP_FILE"
    # Ask Asterisk to re-register with all providers
    /usr/sbin/asterisk -rx 'pjsip send register *all'
fi
If you are using an older version — upgrade to the latest release. Steps 3 and 4 from the list above must be completed regardless of your version.
Mandatory Security Measures
Enable the Firewall
The firewall is your first line of defense. It restricts who can connect to your PBX.
Go to Network and Firewall → Network Firewall, make sure the toggle is enabled, and create rules that allow access only from the required subnets.
Addresses to add to your rules:
Your office subnet
VPN server addresses
Your telephony provider's IP addresses (check with your provider)
Static IP addresses of remote employees
Block Web Interface and CTI from the Internet
The PBX admin panel is effectively the "master key" to the entire system. If it is accessible from the internet without restrictions, an attacker can gain full control over your telephony.
In the firewall rules, allow WEB and CTI access only for your office subnet or VPN. For all other rules, uncheck the WEB and CTI boxes. If you need remote access — use a VPN.
Use Strong Passwords
A weak password is the most common cause of a breach. Attackers try thousands of combinations per second, and passwords like 1234, admin, or password are cracked instantly.
Password requirements for SIP accounts and the web interface:
Minimum 12 characters
UPPER and lowercase letters
Numbers and special characters (!@#$%^&*)
No dictionary words, names, or dates of birth
What to check:
Open each employee's profile under Telephony → Extensions and verify that the SIP password is sufficiently complex.
Check the web interface password under System → General Settings → WEB interface password.
Change the Auth Username
By default, the employee's extension number (e.g., 204) is used for SIP authentication. Attackers know this and specifically target standard extension numbers.
Auth Username is the username that a phone or softphone sends when registering with the PBX. It differs from the internal extension number and is used solely for authenticating the connection.
How to configure the Auth Username prefix in MikoPBX:
Go to System → General Settings → SIP and fill in the Auth Username prefix for authorization field. For example, with the prefix MIKO, extension 204 will authenticate as 204MIKO.
After changing the Auth Username, you must update the settings on every phone or softphone. The setting name varies by manufacturer:
Manufacturer - Setting Name
Yealink - Register Name / Authentication User
Grandstream - Authenticate ID
Fanvil - Authentication User
This setting is typically found under the Account or SIP Account section in the phone's web interface.
Enable Brute-Force Protection (Fail2Ban)
Fail2Ban automatically blocks IP addresses that exhibit suspicious connection attempts.
Go to Network and Firewall → Intrusion Protection and review the configured protection level:
Weak — 20 attempts in 10 min, ban for 10 min. For initial setup and trusted networks.
Normal — 10 attempts in 1 hour, ban for 1 day. Recommended for most deployments.
Strong — 5 attempts in 6 hours, ban for 7 days. For internet-facing servers.
Paranoid — 3 attempts in 24 hours, ban for 30 days. For servers under active attack.
Warning: Make sure your office addresses are added to the whitelist to avoid accidentally locking yourself out.
Fail2Ban does not replace strong passwords - even with Fail2Ban enabled, a weak password can still be brute-forced.
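An added example, not part of the MikoPBX documentation: a model of the counting-window logic behind the four protection levels, replayed over constructed failed-login events to show which sources each level would ban and why the whitelist matters. The thresholds are the ones listed above; the addresses, timestamps and function names are constructed, and the real matching is done by Fail2Ban itself.

```python
"""Replay failed-login events against the four protection levels."""
from collections import deque
from datetime import datetime, timedelta

# Levels as listed above: (attempts, counting window, ban duration)
LEVELS = {
    "Weak":     (20, timedelta(minutes=10), timedelta(minutes=10)),
    "Normal":   (10, timedelta(hours=1),    timedelta(days=1)),
    "Strong":   (5,  timedelta(hours=6),    timedelta(days=7)),
    "Paranoid": (3,  timedelta(hours=24),   timedelta(days=30)),
}


def replay(events, level, whitelist=()):
    """events: (datetime, source_ip) failed logins in time order.

    Returns a list of (ip, banned_at, banned_until) for the given level.
    """
    max_attempts, window, ban_time = LEVELS[level]
    recent = {}        # ip -> failure times still inside the window
    banned_until = {}  # ip -> end of the current ban
    bans = []
    for ts, ip in events:
        if ip in whitelist:
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue  # a banned address cannot reach the PBX at all
        times = recent.setdefault(ip, deque())
        times.append(ts)
        while times and ts - times[0] > window:
            times.popleft()
        if len(times) >= max_attempts:
            banned_until[ip] = ts + ban_time
            bans.append((ip, ts, ts + ban_time))
            times.clear()
    return bans


def banned_sources(events, whitelist=()):
    """Return {level: sorted addresses banned at least once}."""
    return {
        level: sorted({ip for ip, _, _ in replay(events, level, whitelist)})
        for level in LEVELS
    }


def constructed_events():
    """Constructed sample: three sources, merged in time order."""
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    # 30 failures, one every 5 seconds
    burst = [(t0 + timedelta(seconds=5 * i), "198.51.100.7")
             for i in range(30)]
    # 96 failures, one every 15 minutes over 24 hours
    slow = [(t0 + timedelta(minutes=15 * i), "203.0.113.50")
            for i in range(96)]
    # office phone with a wrong password: 25 failures, one per second
    office = [(t0 + timedelta(seconds=i), "192.168.10.20")
              for i in range(25)]
    return sorted(burst + slow + office)


if __name__ == "__main__":
    events = constructed_events()
    result = banned_sources(events, whitelist={"192.168.10.20"})
    for level, ips in result.items():
        print(f"{level:9} bans: {ips}")
```

In this sample the low-rate source is banned only at the Strong and Paranoid levels, and the office phone is banned at every level unless its address is whitelisted.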
"Intrusion protection" section in MikoPBX web-interface
Protect the web interface in Docker
Docker deployment: in bridge mode the built-in firewall and fail2ban do not protect the web interface. Set up an external firewall bouncer or switch the container to network_mode: host.
Do Not Expose the PBX on a Public IP Address
If your PBX is directly accessible from the internet, it becomes a target for automated scanners that continuously search for vulnerable systems.
Place the PBX behind a NAT router.
Use VPN connections for remote employees.
If a public IP is unavoidable — be sure to configure the Firewall and Fail2Ban.
Under Network and Firewall → Network interfaces, correctly specify the network topology and external address.
Financial Protection
Even with strong technical security, it is worth adding a financial safety net. If a breach does occur, these measures will limit potential losses.
Set a Spending Limit with Your Provider
Contact your telephony provider and request:
A daily spending limit on outbound calls
A block on service when the balance is negative
Blocking of international and premium-rate calls if you do not use them
Do Not Keep a Large Balance on Your Account
Top up your balance in small amounts as needed.
Set up spending alerts with your provider if that option is available.
What to Do If a Breach Has Already Occurred
If you discover that your PBX has been compromised, follow these steps:
Step 1 — Isolate the PBX Immediately
Block all external access via the firewall. Change all passwords — SIP accounts, web interface, SSH.
Step 2 — Save Logs and Call Recordings
Save call recording files and system logs separately — they may be needed as evidence. They can be overwritten over time.
Step 3 — Notify Your Telephony Provider
Contact your telephony provider and report the incident. The provider may be able to block further calls and officially document the breach.
Step 4 — Report the Incident to the Relevant Authorities
File a report with your national cybercrime authority or law enforcement agency. Briefly describe what happened, state that calls were made without your knowledge, and indicate that you are prepared to provide logs and call recordings as evidence.
Security Checklist
Go through this list and confirm that every item has been completed:
A vulnerability has been discovered in the external panel module: if the module is exposed to the internet or the Firewall is misconfigured, an attacker can obtain all SIP credentials and make calls on behalf of your company.
You must perform the following steps:
Upgrade to version 2026.1.223 or newer.
Install the security patch (see below).
Close WEB, CTI, and SIP access to the PBX from external networks.
Update all passwords.
curl -L 'https://files.miko.ru/s/DPZcM2vywc2BTOZ/download' | sh
Note: For remote employees with dynamic IPs, we recommend purchasing a static IP address from their ISP (typically very low cost per month). An alternative is VPN: all remote employees connect through a VPN server, and only that server's address is added to the Firewall.
After downloading the latest version of the image (link), specify the ISO file with the installation distribution.
Click "Continue"
Choosing image page
Select the type of operating system Other Linux 5.x and later kernel 64-bit
Click "Continue"
Choosing version of OS for VM
Choosing the Legacy BIOS type
Click "Continue"
Choosing the boot firmware for VM
Click "Finish"
Summary config
Connecting a new disk
After creating a virtual machine, wait for it to load
MikoPBX Console
Go to the section "[3] Reboot the system"
"[3] Reboot the system" element
Choose "[2]Shutdown"
Shutting down the system
After shutting down the virtual machine, go to Settings
Settings button
Select "Add device"
Add device button
Select "New Hard Disk"
Click "Add..."
New Hard Disk
Choose the size of the hard drive (we recommend at least 50 GB)
Click "Apply"
Parameters for new hard drive
Installing MikoPBX
Start the virtual machine
Starting button
Select "[8] Install"
Installation process
Enter the name of the disk on which MikoPBX will be installed
In our case - sdb, enter its name and press Enter
Installation process
Confirm the disk selection: enter y
Installation process
Select a disk for recording conversations
In our case - sdc, enter its name and press Enter
Installation process
The system will reboot and MikoPBX will be ready for use.
MikoPBX Console
First connection to MikoPBX
The PBX displays the IP address of the station by which you can connect to it
IP address of MikoPBX
Enter the IP address of the station in the browser bar and the MikoPBX login menu will open:
Button for creating a new VM
1 hour of recording conversations takes approximately 14 MB on disk.
Default credentials for the first login are:
Username - admin
Password - admin
The system will ask you to change them after the first login. This is important for the security of your MikoPBX.
Click "Create bucket".
Button for creating a bucket
Enter any name for the bucket (field "Bucket name"). Leave all other parameters as default and click "Create bucket".
Parameters of the bucket being created
Creating an IAM User and Access Keys
Go to "All services" -> "Security, Identity, & Compliance" -> "IAM".
"IAM" section
Next, create a new IAM user. Go to the "Access Management" tab, then "Users". Click "Create user".
Creating a new IAM user
Enter the name of the IAM user in the "User name" field.
Click "Next".
"Specify user details" tab
Select "Attach policies directly" as the "Permissions options". Scroll down the page.
Selecting "Permissions options"
In the "Permissions policies" section click "Create policy".
"Create policy" button
In the newly opened tab, in the "Policy editor", select "JSON" as the format and paste the following content into the parameters field:
Click "Next".
Creating a new policy. Step 1
Next, specify any name for the policy being created.
Click "Next".
Creating a new policy. Step 2
Return to the user creation tab, refresh the policy list, and select the previously created policy (in this guide — "access-mikopbx").
Click "Next".
Selecting the previously created policy
Confirm user creation: click "Create user".
Confirming user creation
Open the page of the created user by clicking on the username.
Opening the created user's page
Go to the "Security credentials" section. Click "Create access key".
Enter a description for the key so that you can identify it later. Click "Create access key".
Key description
The Access key and Secret access key will be displayed. Save them — they will be needed later when configuring MikoPBX.
Access key and Secret access key
Connecting to MikoPBX
Go to the "Maintenance" -> "Storage" tab.
"Maintenance" -> "Storage" section
Open the "S3 Cloud Storage" tab and fill in the following fields:
Automatic recording upload to cloud storage — enable the switch.
S3 endpoint URL — enter the S3 AWS endpoint depending on the region of your bucket (link to the table with all URLs). In this guide — https://s3.ap-southeast-1.amazonaws.com
S3 region — specify the region of your bucket. In this guide — ap-southeast-1
S3 bucket name — enter the name of the bucket created in AWS (for example aws-s3-mikopbxstorage in this guide)
Access key and Secret key — paste the values obtained when creating the service account access key.
Configure the “Local storage period (S3 mode)” slider — choose how long recordings will be stored locally before being deleted after uploading to the cloud.
Click “Save”.
Parameters for connecting S3 cloud storage in MikoPBX
After saving the settings, click "Test connection". If the connection is successful, the message “S3 connection successful” will appear and synchronization of call recordings will begin.
Make sure to configure the Firewall on the MikoPBX
Testing the functionality
To ensure that your MikoPBX application is deployed and working in the Docker container, you can follow these steps after launching it. These steps will help you verify the container's status and view its logs.
Step 1: Check container status
First, ensure that the container is successfully launched and running. To do this, use the command docker ps, which will show a list of running containers and their statuses.
This command will display information about all active containers. Make sure that the mikopbx container is present in the list and its status indicates that it is running (e.g., status up).
Step 2: View container logs
After confirming that the container is running, the next step is to view the logs to ensure that the application has loaded without errors and is functioning properly. The docker logs command will allow you to see the output generated by your application.
Check the command output for a message similar to the one below. This message indicates that MikoPBX is successfully loaded and ready for use:
If you see the MikoPBX startup process, wait a moment and re-run the command sudo docker logs mikopbx
Step 3: Check access to the web Interface
When the container starts, it has no information about the host system's address, so open the external address of the host system (Ubuntu in this case) in a web browser: https://<host machine IP>
Log into the web interface using the admin login and the admin password to make sure that the web interface is accessible and functioning correctly.
Features of containerized MikoPBX
The NET_ADMIN flag is required for the proactive protection system fail2ban and the firewall iptables to function inside the container. When an access block is triggered, for example, by entering an incorrect password, access from the IP address of the attacker will be blocked.
If you need to use the "Backup Module", the container should be run with the --privileged flag. When MikoPBX is run in a container, backups can also be performed by manually archiving the cf and storage directories. In this case, the privileged mode is not necessary, but the container must be stopped during copying.
The --net=host flag indicates that NAT between the host and container will not be used. MikoPBX will be directly connected to the host machine's network. All ports that the container needs to occupy will also be occupied on the host machine. If any port on the host machine is unavailable, errors will occur when loading MikoPBX. More details in the
If necessary, you can adjust the standard set of ports used by MikoPBX. This can be done by declaring environment variables when launching the container.
Creating a container from a tar archive
In addition to using our official registry, you might need to create a container from an image, for example, for a beta version. Our published releases and pre-releases include a tar archive, which we use to create a container.
Here is example code for its use:
Environment variables for configuring MikoPBX
Below are some of the environment variables that will allow you to adjust the MikoPBX ports and settings used.
SSH_PORT - port for SSH (22)
WEB_PORT - port for the web interface via HTTP protocol (80)
WEB_HTTPS_PORT - port for the web interface via HTTPS protocol (443)
SIP_PORT - port for connecting a SIP client (5060)
TLS_PORT - port for connecting a SIP client with encryption (5061)
RTP_PORT_FROM - beginning of the RTP port range, voice transmission (10000)
RTP_PORT_TO - end of the RTP port range, voice transmission (10800)
IAX_PORT - port for connecting IAX clients (4569)
AMI_PORT - AMI port (5038)
AJAM_PORT - AJAM port used for connecting the telephony panel for 1C (8088)
AJAM_PORT_TLS - AJAM port used for connecting the telephony panel for 1C (8089)
BEANSTALK_PORT - port for the Beanstalkd queue server (4229)
REDIS_PORT - port for the Redis server (6379)
GNATS_PORT - port for the gnatsd server (4223)
ID_WWW_USER - identifier for www-user (can be set with the expression $(id -u www-user), where www-user is NOT a root user)
ID_WWW_GROUP - group identifier for www-user (can be set with the expression $(id -g www-user), where www-user is NOT a root group)
WEB_ADMIN_LOGIN - login for Web interface access
WEB_ADMIN_PASSWORD - password for Web interface access
A full list of all possible setting parameters is available in the source code here.
# Pulling the container image
sudo docker pull ghcr.io/mikopbx/mikopbx:latest
## Alternatively, you can download the image from Docker Hub.
# sudo docker pull mikopbx/mikopbx:latest
# Running the container in unprivileged mode
sudo docker run --cap-add=NET_ADMIN --net=host --name mikopbx --hostname mikopbx \
-v /var/spool/mikopbx/cf:/cf \
-v /var/spool/mikopbx/storage:/storage \
-e SSH_PORT=23 \
-e ID_WWW_USER="$(id -u www-user)" \
-e ID_WWW_GROUP="$(id -g www-user)" \
-it -d --restart always ghcr.io/mikopbx/mikopbx:latest
Docker will automatically download the image for your system architecture (x86-64 or arm64).
The image is also available on Docker Hub: mikopbx/mikopbx:latest
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| All services are fully loaded welcome |
| MikoPBX 2026.1.223 |
| built on Tue Apr 7 03:39:14 UTC 2026 (arm64) in Docker |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| Web Interface Access |
| |
| Local Network Address: |
| https://192.168.65.3 | |
| |
| Web credentials: |
| Login: admin |
| Password: admin |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
| SSH access disabled! |
| |
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Create a container from a tar archive (you need to download it first!)
sudo docker load -i mikopbx-2026.1.223-x86_64-docker.tar
# Launch the created container
sudo docker run --cap-add=NET_ADMIN --net=host --name mikopbx --hostname mikopbx \
-v mikopbx_cf:/cf \
-v mikopbx_storage:/storage \
-e SSH_PORT=23 \
-e ID_WWW_USER="$(id -u www-user)" \
-e ID_WWW_GROUP="$(id -g www-user)" \
-it mikopbx:2026.1.223
Notify the customer of their position in the queue and approximate wait time: While the customer is in the queue, the system can provide information about their current position in the queue and an estimated wait time. This helps keep the customer informed and improves their waiting experience.
Display the queue name along with the customer's number on the employee's phone: When an employee answers a call from the queue, their phone displays not only the customer's number but also the name of the corresponding queue. This helps the employee handle calls more effectively and provide personalized service.
To configure call queues in MikoPBX, go to the "Telephony" section and select "Call Queue." Here, you can create and customize your queues according to your business requirements and customer service needs.
"Call queue" section
Main settings
To add a new queue, perform the "Add a new call queue" action
"Add a new call queue" button
In the queue creation form or dialog, you will find the following fields:
Queue Name: Enter a name for the queue. This name will be used for reference when setting up call routing rules.
Note: Provide a brief description or note about the queue. This information will be visible in the queue list, allowing you to provide additional details or instructions.
New call queue parameters
Queue Agents
In the Queue Agents section, you can add an arbitrary number of employees (queue agents) and specify a call distribution strategy.
Queue agents section
Here are the options for queue strategy:
Ring All: Calls are distributed to all agents at the same time until someone answers the call (default behavior).
Linear: Calls are sent to agents one by one in the order configured in the Queue Agents list. After the Time attempt call to agents interval expires, the call is sent to the next agent.
Linear Progressive: The first agent starts ringing immediately. After each Time attempt call to agents interval, the next agent is added while the previous agents continue ringing. Make sure the timeout in Scenario 1 is long enough for all required agents to be added.
Least Recent: The call is routed to the agent who has been idle for the longest time within the queue.
Fewest Calls: The call is routed to the agent who has handled the fewest answered calls within the queue.
Random: A random available agent within the queue is selected to receive the call.
Memory Hunt: The system remembers the last agent who answered a call and starts the next distribution from the following agent.
Advanced Settings
Advanced settings button
In this section, you can provide additional information:
Phone number for this queue - you can call the queue using this number from any internal employee extension. Calls can also be transferred to this number.
Short name for the queue - for display before the CallerID on the telephone device of the subscriber, for example, "consult."
Queue settings for agents
Time attempt call to agents - the duration in seconds for which a call will ring on an individual agent's phone. After this time elapses, the call to the agent will be logged as a missed call in the call history. Once the ring time is over, the call will be routed to the next available agent based on the selected strategy.
The rest time of the agent after the processing of the call, before starting to accept new calls - the duration in seconds that is counted from the moment an agent finishes a call from the queue until they are ready to receive new calls. This period allows agents to update notes, complete necessary tasks, or take a short break before being assigned another call.
Receive New Calls During A Call - this toggle switch enables or disables the ability to receive new calls while the agent is already on a call. When enabled, agents can handle multiple calls simultaneously.
Queue settings for the caller
What the caller hears while waiting - During the wait for their call to be answered, the caller can hear either hold music or a ringing tone.
Background Music (MOH) - You can specify a unique audio file to be played to the caller during the wait, such as promotional materials.
Notify about current queue position - If all operators (queue agents) are occupied, enabling this toggle switch allows you to notify the caller about their position in the queue. If the Additional Audio Announcement option is activated, this announcement will supplement the information about the position.
Notify about estimated hold time - If all operators (queue agents) are occupied, enabling this toggle switch allows you to inform the caller about the approximate wait time for a call to be answered. If the Additional Audio Announcement option is activated, this announcement will supplement the information about the estimated wait time.
Additional notification - A sound message is played only if all participants in the queue are occupied.
Time in seconds to repeat all alerts periodically - Describes the interval at which to announce the queue position, wait time, and announcement.
Call routing in case of failures
The script #1 - In this scenario, you can configure the maximum allowable wait time for a client in the queue. If none of the queue agents can answer the client within the specified time, the call will be redirected to the selected number. If no redirect destination is selected, the overall queue timeout is not applied.
The script #2 - If there are no agents available in the queue (meaning no agents are currently logged into the phone system), you can specify a number to which the client's call will be transferred.
If Scenario 1 has no backup destination selected, the queue has no overall waiting timeout: the call remains in the queue until an agent answers or the caller hangs up. To limit the waiting time, set the duration in Scenario 1 and choose the destination for redirecting the call.
After saving the queue, MikoPBX regenerates and reloads the queue configuration automatically. A manual Asterisk restart is not required when changing the strategy.
In these scenarios, as a redirection number, you can choose not only an internal extension but also options such as a conference, queue, IVR (Interactive Voice Response), or a special number within the dial plan application. These options provide flexibility in directing the call to different destinations based on your specific requirements or business needs.
In Scenario 1, specify both the waiting time and the redirect destination. If only the time is filled in without a backup destination, MikoPBX does not pass the overall timeout to the queue application so that the call is not ended without a route to continue.
Open VMware Workstation Pro and click "Create a New Virtual Machine" to start creating a new virtual machine.
The "Create a New Virtual Machine" element
In the setup interface, select the virtual machine type: "Typical (recommended)". Then, click "Next >".
Selecting the type of virtual machine to create
Choose the installation source, "Installer disc image file (iso):". Select the .iso file you want to use. You can download the distribution from this link. Click "Next >" to continue.
Selecting the system installation source for the virtual machine being created
Select "Linux" for the "Guest operating system" and "Debian 11.x 64-bit" as the version. Click "Next >".
Selecting an operating system and version for the virtual machine being created
Enter a desired name for the virtual machine in "Virtual machine name:" and, if necessary, specify a location on your computer under "Location". Click "Next >".
Specifying the name and path for the virtual machine being created
Set the size for the primary (system) hard drive, with a recommended size of 1GB. Choose "Split virtual disk into multiple files" and click "Next >".
Specifying parameters for the system hard disk for the virtual machine being created
A summary of the virtual machine configuration will appear. Click "Finish" to create the virtual machine.
The final configuration of the machine being created.
Adding and Connecting a Second Disk
Now, let's create and attach a second hard drive, which will be used to store call recordings.
Open the settings of the previously created virtual machine.
Virtual Machine Settings Section
Click "Add..." to add a new system component.
Button for adding a new system element
In Hardware types, select "Hard Disk" and click "Next >".
Selecting the type of a new system element
Choose "Virtual disk type" - "SCSI". Click "Next >".
Selecting a disk type
Choose "Create a new virtual disk" and click "Next >".
Selecting the "Create a new virtual disk" option
Specify the disk size, with a recommended minimum of 50GB. Also, choose "Split virtual disk into multiple files". Click "Next >".
Specifying parameters for the disk being created
Give the hard drive a custom name and click "Finish".
Name for the second hard drive
Configuring the Network Interface for the Virtual Machine
In the settings, go to "Network Adapter" and select "Network connection" - "Bridged: Connected directly to the physical network". Click "OK".
Setting up a network interface
First System Boot
Start the virtual machine.
Button to start the virtual machine
The MikoPBX command-line interface will open as the PBX starts loading from the optical disk where the ISO image was mounted. This is indicated by the line: "The system is loaded in Recovery mode":
Loaded MikoPBX from optical disk
To install MikoPBX, select "[8] Install".
A list of available disks will be displayed (in this example, sdb, sdc). The system suggests a default disk, sdb in our case, for the installation. If you agree with the suggested disk for the system, press Enter. Otherwise, enter the name of another disk.
Selecting a disk for the system
The system will issue a warning. To confirm the operation, enter "y" and press Enter.
After installation, you'll be prompted to select a disk for storing call recordings. Enter the disk name (in this example, sdc) and press Enter.
Selecting a disk for storing call recordings
After installation, the system will restart. MikoPBX will now boot from sdb, the installation disk, without the line "The system is loaded in Recovery mode"—indicating a successful installation.
MikoPBX successfully installed
First Login to MikoPBX
To access the MikoPBX web interface, enter your virtual machine's IP address in your browser's address bar. You can find the IP address in the console.
MikoPBX IP address
Enter the IP address in your browser’s address bar. Log in using the default credentials.
MikoPBX WEB interface authorization page
Use versions of MikoPBX other than 2024.1.114 for installation on VMware Workstation Pro. Version 2024.1.114 currently does not support installation via VMware Workstation Pro!
Solution: enter the station's URL address in the MikoPBX web interface: "Network and Firewall" -> "Network Interfaces". Go to the "Network Topology" section and enter the hostname in the "External hostname of your router" field. (Enable "This station is located behind a NAT router".)
Problem solution
Setting up OAuth 2.0 in Google requires using the station's URL address.
The easiest way is to create a DNS record on the local server or add an IP address-to-domain name mapping in the hosts file on the device from which the configuration is being performed.
Replace "mikopbx.station.com" with your station's URL.
First, establish an SSH connection to your new MikoPBX. You can find instructions on how to do this in this article.
Successful SSH connection to the new MikoPBX
Once connected, switch to the console ([9] Console). First, you need to create a directory to store the script file. Use the following command:
Navigate to the created directory:
Create the file "transfer-rsync.sh" to store the script:
Running commands to create a file
Next, you need to fill the file with the script content. You can find the script here.
Use the following command to download the script:
Running and Using the Script
Make the file executable:
Run the script:
You will be prompted to enter necessary information about your old MikoPBX:
IP address of your old station
Username for SSH authentication
Port for SSH authentication
Entering the required data
Next, you’ll be asked whether to generate a new key. If you haven’t done this before, type "y" to confirm. If you previously generated a key for accessing the second MikoPBX, type "n":
Generating a new key
A new SSH key will be created. You must copy this key and insert it into the web interface of your old MikoPBX at General Settings → SSH → SSH Authorized keys field.
Generated ssh key
Inserted key
After saving the key on the old MikoPBX, wait a few seconds, then press any key to continue the script.
The transfer of all data to the new host will begin. This may take some time.
Adjust the file name according to your dialplan application identifier "DIALPLAN-APP-CF967EE0
.
"Module marketplace" section
In the Marketplace section, find the language pack you need (Japanese in this guide) and install it.
Installing a language pack in the MikoPBX Marketplace
After installation, the corresponding set of sound files will be downloaded to the disk at /storage/usbdisk1/mikopbx/media/sounds/ja-jp (for Japanese).
Activating the Language Pack
Go to the Installed Modules tab and enable the installed language pack module.
Enabling a module with a language pack
Go to System → General settings.
"General settings" section
On the Main tab, locate the Language of system audio messages field and select your language.
Click Save.
Selecting a language for audio messages
The Asterisk service will restart and the system message language will be updated accordingly.
The added rule blocks all incoming requests over the UDP protocol that contain the substring "friendly-scanner".
Swap is a disk area that the system uses as additional memory when RAM runs out. It operates significantly slower than RAM and serves as a reserve to prevent the system from terminating processes when memory is insufficient.
Login credentials:
Login: admin
Password: the password you set during the initial container creation.
Selecting a template for the container being created
System disk parameters
Parameters for the second disk
Parameters for the third disk
Container parameters (CPU)
Container parameters (Memory)
Container parameters (Network)
Container parameters (DNS)
Final container configuration
Container startup process
Web interface IP address
MikoPBX web interface
Vultr
Installing MikoPBX using the Vultr cloud platform
This guide applies to MikoPBX version 2024.2.138 and later!
This guide provides a step-by-step process for installing MikoPBX on the Vultr cloud platform.
Before starting, you must download the latest .iso MikoPBX image file from MikoPBX’s GitHub releases.
Uploading the Image to Vultr
Uploading the File to Storage
First, you need to upload the image to the cloud platform.
Navigate to "Cloud Storage" → "Object Storage":
Create a new storage resource by clicking "Add Object Storage":
Select the type of storage (it’s recommended to use the basic option, as you only need it to store the disk image). Also provide a name.
Click on your newly created storage resource:
Go to the "Buckets" tab and create a new bucket with a custom name.
The storage information will display S3 connection details.
Next, connect to your storage via WinSCP. Open WinSCP and select "New Site":
Enter the following parameters:
File protocol – Amazon S3
Encryption – TLS/SSL Implicit encryption
Port number – 443
Click "Login".
Upload the .iso disk image file to the storage.
Return to the Vultr interface and go to your bucket’s directory.
Click the three dots to the right of the file name, then "Change Access". Grant access by toggling the switch.
Importing the ISO
Click the three dots to the right of the file name and select "Copy URL".
Navigate to "Orchestration" → "ISOs":
Click "Add ISO":
Paste the link to your previously uploaded file and click "Upload".
Adding an SSH Key Pair
Go to "Account" → "SSH Keys". Click "Add SSH Key":
Generate an SSH key pair.
In the interface for adding the key pair, provide a custom name and paste your public SSH key.
Click "Add SSH Key".
Creating a Virtual Machine
Go to "Products" → "Compute":
Click "Deploy Server":
In the next section, select the region and configuration for your virtual machine.
Continue configuring the server:
Under ISO/iPXE, select the previously uploaded ISO.
Select the SSH key pair you created.
Click "Deploy".
Creating a Second Disk
After the server is created, power it off.
Go to "Cloud Storage" → "Block Storage":
Click "Add Block Storage":
Select the disk type, region (same as the VM), size, and a custom name.
Go to the management page for the newly created block storage. Attach the volume to your virtual machine using the "Attach to:" option.
Installing the System
Go to your virtual machine management page.
Open the console by clicking the relevant button:
You will enter the built-in console.
Navigate to "[8] Install".
Select the disk to be used as the system disk. Confirm by typing "y" and pressing "Enter":
Select the disk for storing call recordings. The system will reboot.
Go to "Settings" for your virtual machine and then "Custom ISO". Click "Remove ISO".
At this point, MikoPBX is installed and ready to use.
Connecting to the Web Interface
In your browser, enter the IP address of your virtual machine. You can find it in the MikoPBX console.
Log in using the following credentials:
Username: admin
Password: The VM ID, which looks like "150dd137-a0e2-45f6-baf9-ddc15a600d60" and can be found in the address bar (screenshot below).
Outbound routing
Description and configuration of outgoing routing
Outgoing routes in MikoPBX are a set of rules and settings that determine how the system handles outgoing calls from employees to external numbers. With their help, administrators can control the direction of calls through different telephony providers or communication lines depending on certain conditions, such as the dialed number, prefixes, time of day or user access rights. This allows you to optimize communication costs, distribute the load between channels and apply security policies by restricting or allowing certain types of calls. Setting up outgoing routes provides flexibility and control over outgoing telephone communications, contributing to the efficient operation of the company's communication system.
In this article, you will find detailed documentation on setting up outgoing routing.
"Call routing" -> "Outbound routing" section
Creating a rule
Step 1: Add a new rule
To add a new outgoing routing rule, click the "Add a new rule" button.
Step 2: Title and Note
The name of the rule can be set arbitrarily.
In a note, you can describe the call route that you want to implement; this can help you in debugging in the future.
Step 3. Setting the number template
Set a template for outgoing calls. Read more about number templates in this .
The example in the picture above matches a dialed number that starts with "345" or "375" and whose remaining part consists of 10 digits.
Step 4: Number Conversion
Convert number - this setting is intended to remove the number prefix and replace it with the desired prefix.
Set a template for outgoing calls. Read more about number templates in the .
In the example given, digits are not cut off at the beginning of the number and digits are not added.
Step 5. Selecting a provider
Select from the list the provider for which you configured outgoing routing and save the changes.
Examples
Examples of number templates
The number starts with
The rest of the number consists of the specified number of digits
Examples of numbers
Examples of changing number prefixes
Example 1. It is necessary to replace the number prefixes “+7” with “8”.
For example, the number +74952293042 should be converted to the number 84952293042.
The implementation of the rule looks like this:
Example 2. It is necessary to replace the number prefixes “8”, “7” with “+7”.
For example, the numbers 84952293042 and 74952293042 should be converted to +74952293042.
The implementation of the rule looks like this:
Example 3: You need to add the prefix "8" to the number.
For example, the numbers 4952293042 and 4996382584 should be converted to 84952293042 and 84996382584 respectively.
The implementation of the rule looks like this:
Example 4: You need to remove the area code "8495" or "7495" or "8499" or "7499" and leave the 7-digit number.
For example, the numbers 84952293042 and 74996382584 should be converted to 2293042 and 6382584 respectively.
The implementation of the rule looks like this:
Connecting Wasabi S3 Storage
Instructions for connecting Wasabi Cloud Storage as an S3 storage
In the left menu, select "Buckets" and click "Create Bucket".
On the bucket creation page, specify:
Bucket Name — enter any unique name for the bucket (e.g., mikopbx-s3-storage).
Region — select the region closest to your MikoPBX server.
Click "Create Bucket".
After creating the bucket, you need to create an access policy. Go to "Policies" in the left menu and click "Create Policy".
Enter a name for the policy (Policy Name) and a description for future identification (Description). In the "Policy Editor" field, paste the following set of rules:
Go to "Users" in the left menu (under "Users & Groups") and click "Create User".
On the first step "Details", fill in the following parameters:
UserName — enter any username (e.g., mikopbx-user).
Type of Access — check only "Programmatic (create API keys)".
Require MFA — leave disabled.
Click "Next".
On the Groups step — skip it and click "Next".
On the Policies step — select the policy you created earlier (e.g., mikopbx-access in this guide) and click "Next".
On the Review step, verify the parameters and click "Create User".
After the user is created, the Access Key and Secret Key will be displayed. Save these values — you will need them to configure MikoPBX. The Secret Key is shown only once.
Connecting to MikoPBX
Go to the "Maintenance" tab → "Storage".
Switch to the "S3 Cloud Storage" tab and fill in the following fields:
Automatically upload recordings to cloud storage — enable the toggle.
S3 endpoint URL — enter the endpoint for your region from the table below.
For example, for region eu-central-1: https://s3.eu-central-1.wasabisys.com
S3 region — specify the region of your Wasabi bucket (e.g., eu-central-1).
Click "Save".
Region
Endpoint URL
After saving the settings, click "Test Connection". If the connection is successful, the message "S3 connection successful" will appear and synchronization of call recordings will begin.
System files customisation
Description of the capabilities of the "System file customization" section
The system file customization section can be found under "System" -> "System file customization":
System file customization section
This section allows for customization of system and Asterisk configuration files. We recommend using this section only for experienced Asterisk administrators. MikoPBX provides the ability to modify the following configuration files via the web interface:
File Name
Description
asterisk.conf
To edit a configuration file, use the button:
You will be presented with the configuration file editing form:
"Add to end of file" - appends content to the end of the selected configuration file (recommended).
"To replace all" - your changes will completely overwrite the configuration file.
Customizing System Files with Scripts
In some cases, more complex modifications to system files are required than simply adding text to the end of a configuration file. For instance, you may need to redistribute PJSIP account parameters while retaining the ability to configure the system through the web interface.
We've introduced a new approach to customization, where you can describe a Bash script that will execute each time the system generates a configuration file. This way, integrators can make precise changes to configuration files without developing additional modules.
For example, you can modify the pjsip.conf file and change the max_contacts parameter for all internal numbers, except one.
sip.conf
You can add parameters to an existing section using the (+) syntax:
extensions.conf
It is possible to intercept the execution of the dialplan by defining custom contexts. Currently, you can intercept executions in the following contexts:
internal-originate-custom - used for calls originating from the telephony panel for 1C.
<PROVIDER-ID>-incoming-custom - used for handling incoming calls from the provider.
<PROVIDER-ID>-outgoing-custom - used for handling outgoing calls via the provider.
Example context:
Make sure to call the method "return" at the end.
The extra disk space has run out, the disk size has increased
To execute the following commands, you will need to .
Control of free disk space
Change the login name
When a new is added to the PBX, a SIP account with a numeric internal number is created on the PBX. In some cases, for security reasons, it is necessary to change the name for authorization of this employee.
When configuring SIP Clients, you can often see two key parameters:
Username - usually equal to the account ID, in the case of MikoPBX equal to the internal number
Auth name - username for authorization. In the case of MikoPBX is equal to the internal number
12, 15, 14, 25 digit from 1 to 5, occurrence twice
[8-9]+
0
8899, 888, 988888 digit from 8 to 9, occurrence one or more times
[7-8]{1}
10
79257184255, 84952293042
7925
leave the field blank
Additional examples of configuring outgoing routing are available in the FAQ section.
If the dialed number matches the rules of several routes, then the call will be made in the order of the route descriptions, one by one, until the call is answered, or until there are no more suitable routes.
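The number template, the prefix conversion and the route ordering described above, modelled as an added example (not MikoPBX's own code). The rule values are constructed to reproduce the page's four conversion examples, the provider names are hypothetical, and the way the two template fields are combined into one anchored regular expression is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class OutboundRule:
    name: str
    starts_with: str   # "The number starts with": a regular expression
    rest_digits: int   # "The rest of the number consists of ... digits"
    trim: int          # characters cut from the beginning of the number
    prepend: str       # prefix added after cutting
    provider: str      # hypothetical provider name

    def matches(self, number):
        # Assumption: the whole number must match prefix + exactly N digits.
        pattern = f"(?:{self.starts_with})[0-9]{{{self.rest_digits}}}"
        return re.fullmatch(pattern, number) is not None

    def convert(self, number):
        return self.prepend + number[self.trim:]


# Constructed rule values for the page's examples 1 to 4.
EXAMPLE_1 = OutboundRule("+7 to 8", r"\+7", 10, 2, "8", "trunk-a")
EXAMPLE_2 = OutboundRule("8 or 7 to +7", "[7-8]", 10, 1, "+7", "trunk-a")
EXAMPLE_3 = OutboundRule("add 8", "49[59]", 7, 0, "8", "trunk-a")
EXAMPLE_4 = OutboundRule("strip area code", "[78]49[59]", 7, 4, "", "trunk-b")


def route(rules, number):
    """Return (provider, number as sent) for every matching rule, in list order.

    The order is the order in which the routes would be tried. An empty list
    means no rule matches, so in this model the number has no outgoing route.
    """
    return [(r.provider, r.convert(number)) for r in rules if r.matches(number)]


if __name__ == "__main__":
    rules = [EXAMPLE_4, EXAMPLE_2]
    for dialed in ("84952293042", "74996382584", "0012025550100"):
        print(dialed, "->", route(rules, dialed))
```

Because a number that matches no template gets no route, keeping templates narrow (exact prefixes and digit counts rather than a catch-all) is what limits which destinations employees can reach.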
S3 bucket Name — specify the name of the bucket created in Wasabi (e.g., mikopbx-s3-storage).
Access Key and Secret Key — paste the values obtained when creating the Access Key.
Configure the "Local storage (S3 mode)" slider — select how long recordings will be stored locally before being deleted after upload to the cloud.
https://s3.eu-central-1.wasabisys.com
eu-central-2 (Frankfurt)
https://s3.eu-central-2.wasabisys.com
eu-west-1 (London)
https://s3.eu-west-1.wasabisys.com
eu-west-2 (Paris)
https://s3.eu-west-2.wasabisys.com
ap-northeast-1 (Tokyo)
https://s3.ap-northeast-1.wasabisys.com
ap-northeast-2 (Osaka)
https://s3.ap-northeast-2.wasabisys.com
ap-southeast-1 (Singapore)
https://s3.ap-southeast-1.wasabisys.com
ap-southeast-2 (Sydney)
https://s3.ap-southeast-2.wasabisys.com
us-east-1 (N. Virginia)
https://s3.wasabisys.com
us-east-2 (N. Virginia)
https://s3.us-east-2.wasabisys.com
us-west-1 (Oregon)
https://s3.us-west-1.wasabisys.com
Remember your region name (e.g., ap-southeast-1), as you will need it when configuring MikoPBX.
Replace "YOUR-BUCKET-NAME" with the name of the bucket you created earlier (e.g., mikopbx-s3-storage in this guide).
Creating a new bucket
Bucket configuration parameters
Creating a new access policy
Access policy configuration parameters
Creating a new user
"Details" tab when creating a user
"Groups" tab when creating a user
"Policies" tab when creating a user
"Review" tab when creating a user
Access Key and Secret Key
"Storage" section in MikoPBX
S3 Wasabi connection parameters
Successful connection
eu-central-1 (Amsterdam)
"Script" mode in MikoPBX system file customization allows administrators to add custom scripts or commands directly into the configuration files. This mode is ideal for advanced users who need to execute specific actions, automate tasks, or modify system behavior dynamically, enhancing the flexibility of the PBX configuration. It should be used with caution to avoid system disruptions.
all_peers-custom - used for direct outgoing calls from a phone.
outgoing-custom - used when dialing an external number, before selecting an outbound route.
add-trim-prefix-clid-custom - used for handling incoming calls, best suited for normalizing incoming phone numbers by adding/removing a prefix.
internal-users-custom - used for handling calls to internal extensions.
public-direct-dial-custom - used for handling incoming calls without authentication.
General (global) settings of Asterisk.
In the asterisk.conf configuration file, you define the following:
- The location, permissions, and owner of the socket used to connect the remote management console to the server.
The location of various directories used by the Asterisk server to determine where configuration files, libraries, scripts, and logs will be created.
Default command-line parameters for starting the server.
cel.conf
Channel Event Logging. Unlike CDR, it logs all events that occur in the channel.
extensions.conf
The Asterisk dialplan. It defines how incoming and outgoing calls are handled and routed. This file controls the behavior of all connections passing through your PBX.
features.conf
The file defines custom codes and options for Asterisk functions like call transfer, call pickup, on-demand recording, digit timeout, call parking, etc.
http.conf
Built-in Asterisk HTTP server configuration.
iax.conf
Describes your IAX protocol connections.
indications.conf
Nationalization of tonal signals.
logger.conf
Asterisk logging configuration. This file configures logging of Asterisk events to files, console, and Linux syslog. To apply settings, run the command "logger reload" in the Asterisk console (CLI).
manager.conf
AMI (Asterisk Manager Interface) configuration.
modules.conf
Asterisk module loading parameters.
musiconhold.conf
Music-on-hold settings in IVR.
queues.conf
Asterisk queue settings. Detailed description of call strategies, penalty, timeout, member, and other available parameters.
rtp.conf
Global RTP settings – media ports and protocol.
sip.conf
Configures internal and external SIP channels in Asterisk.
voicemail.conf
Email notification settings.
jail.local
Fail2ban settings.
msmtp.conf
SMTP client settings.
Modify the dialplan with caution – there is a high chance of disrupting the PBX!
Customization menu of the system file /acl.conf (example)
File customization with "Scripts"
Disabling the disk
Before starting work, you should unmount the disk. To do this, run the script:
Make sure that the data storage disk is no longer mounted:
Editing the Partition table
Deleting a partition
First, delete the existing partition. This operation does NOT delete data on the disk, just edits the partition table.
Launching the partition editor:
The system will prompt you to enter a command; enter "d" and press Enter:
The system will ask you to select the partition to delete. There is only one, so enter the partition number "1" and press Enter:
Save the partition table: enter the command "w" and press Enter:
Adding a larger partition
Launching the partition editor:
The system will prompt you to enter a command; enter "n" and press Enter:
Next, enter the command "p" (the partition will be primary) and press Enter:
Enter the number of the partition being created, "1", and press Enter:
Next, the system will ask for the numbers of the first and last sectors ("First sector" / "Last sector"). Do not enter anything; press Enter to accept the "default" values.
Checking a new partition
Checking the partition for errors
Run the verification command:
Example of the command output:
Partition file system size
Run the command:
Example of command output:
Rebooting and mounting
When booting, the system will automatically mount a disk for data storage:
Some virtual machines allow you to increase the disk size
Be sure to back up your data before you work!
The data storage disk is usually mounted in the "/storage/usbdisk1" directory. From the example above, it can be seen that 4.5G of 4.9G is currently available.
[user2_pingtel]
type=friend
username=user2_pingtel
secret=blah
host=dynamic
qualify=1000 ; Consider the client unreachable if response time exceeds 1 sec.
callgroup=1,3-4 ; The client is a member of call groups: 1, 3, and 4.
pickupgroup=1,3-4 ; We can "pick up" calls using *8 for calls in groups 1, 3, and 4.
defaultip=192.168.0.60
disallow=all
allow=ulaw
allow=alaw
allow=g729
Installing MikoPBX as a guest machine in VirtualBOX
Use versions of MikoPBX below 2024.1.114 for installation on VirtualBOX
Version 2024.1.114 temporarily does not support installation on VirtualBOX
Create a virtual machine
Download Virtual Box from the link and install it.
Create a new virtual machine.
Specify the Machine Name and Folder.
Type - Linux.
Version - Other Linux (64-bit).
Click Next.
Specify the size of the base memory - 1024 MB, as well as the number of processors - 2
Press Next.
Select Create a new virtual hard disk. Enter a disk size of 700 MB, and also check the box "Pre-allocate Full Size"
Click Create.
Confirm the creation of the virtual machine: click Finish.
Setting up a virtual machine
Go to the settings of the created virtual machine.
To do this, click "Settings" in the upper menu.
Click the "Storage" tab. Add a new hard drive to store call records.
In the window that appears, click Create.
Select the hard disk format - VDI (VirtualBox Disk Image).
Click Next.
The hard disk must be of a fixed size.
Check the box next to "Pre-allocate Full Size"
Click Next.
Specify the Name of the created disk.
Set the Disk Size to about 50 GB.
Click Finish.
Choose the newly created drive and click Select.
The created drive will appear in the media list.
Please mount the MikoPBX image onto an optical disc. To do this, select the optical disc in the 'Media' section and click on the image file selection button in the 'Attributes' section.
In the menu that appears, click on 'Choose a disk file...'
Select the downloaded ISO disk image.
Go to the 'Network' tab.
Set the Connection Type to 'Bridged Adapter'. Click 'OK' to save all the settings you have made.
Installing MikoPBX
Start the created virtual machine.
The command interface of the PBX will open. The PBX will start booting.
At this stage, MikoPBX is booting from the optical disc containing the ISO image. This is indicated by the message: 'The system is loaded in Recovery mode'.
Install MikoPBX.
Click Install.
Information about all available disks will be displayed (in this example: sdb, sdc).
Enter the name of the disk you referred to as the 'system disk' from the keyboard, in this case sdb, and press Enter. (If it is selected by default, you can simply press Enter).
The system will prompt for confirmation. Enter 'y' and press Enter.
After completing the installation, you will be prompted to select a disk for storing call records.
Enter the disk name (in this example, the only available disk is 'sdc') and press Enter.
After the installation is complete, the system will reboot.
MikoPBX will now run from the sdb drive where you installed it.
The line "The system is loaded in Recovery mode" is no longer displayed.
The first login to MikoPBX
To access the control panel, you need to enter the IP address of your virtual machine in the browser's address bar.
The installation of MikoPBX using VirtualBOX is now complete.
Alibaba Cloud
Installing MikoPBX using the Alibaba Cloud platform
This guide applies to MikoPBX version 2024.2.135 and later!
This step-by-step guide will walk you through installing MikoPBX on the Alibaba Cloud platform.
First, create a bucket for storing your image. Go to the OSS Management Console ().
Go to Buckets.
Click Create Bucket:
Specify the following:
Bucket name – a custom name for your storage.
Region – pick the region where your image will be stored.
Click OK.
Go to your newly created bucket by clicking its name in the Buckets section:
Click Upload object and upload the previously downloaded .raw disk image file (leave other parameters at default).
Once the disk image file is uploaded, copy its link. Click View Details to the right of the file name; in the opened menu, copy the URL field.
Creating the Image
Return to the ECS Console () and go to Images.
Click Import Image:
Select Linux Operating System and click Next.
Enter/select the following image parameters:
Image File URL – Paste the link to the disk image file you uploaded.
Click OK to create the image. Wait until the process finishes (the Status will show Available).
Creating an SSH Key Pair
Next, create and add an SSH key pair in Alibaba Cloud.
In the ECS Console, go to Network Security → Key Pairs:
Click Create SSH Key Pair:
Generate an SSH key pair. For details on how to generate a key pair, see . Fill in the required parameters:
Name – A custom name for your key pair.
Creation Mode – Import
Public Key – Paste your public key, generated earlier.
Click OK to create the key pair in the cloud.
Creating a Security Group
Before creating the virtual machine, you must set up a security group (firewall).
Go to Network & Security → Security Groups:
Click Create Security Group:
Specify the following security group parameters:
Security Group – A custom name for your security group.
Network – Your selected network. If it doesn’t exist yet, click "Create VPC" to the right.
Security Group – Basic Security Group.
Click Create Security Group.
Creating the Virtual Machine
Go to Instances & Images → Instances:
Click Create Instance to create a new virtual machine:
Select your VM parameters:
Billing Method – Choose how you’ll pay for the VM.
Region, Network, and Zone – Select the region and zone to match your needs.
Instance – Pick a configuration for your VM.
Configure additional VM parameters:
Image – Custom Images → Choose the previously imported image.
Storage – Select the type and size of the System Disk (20 GB is the minimum for Alibaba Cloud).
Add a second disk by clicking Add Data Disk, specifying its type and size.
Choose the network parameters for your VM. The security group created earlier will be assigned automatically:
Click Create Order.
Connecting to the MikoPBX Console
In the Instances section, open the newly created VM by clicking its name.
Connecting via Built-in Cloud Console
Click Connect.
Select VNC. A new tab will open in your browser with console access.
Connecting via SSH
Enter the following command to connect via SSH:
Replace:
C:\Users\username\.ssh\id_ed25519 with the path to your SSH key,
root if you changed the default user when creating the VM,
ip-adress with the external IP address of your MikoPBX instance.
You will then connect via SSH:
First Login to the Web Interface
On the VM’s main page, you’ll see important parameters for logging into the MikoPBX web interface.
Paste the IP address into your browser’s address bar to access the MikoPBX web interface login page.
External firewall for Docker
ℹ️ Available starting from MikoPBX 2026.2.76. On earlier versions the firewall-bouncer LAPI endpoint, the Firewall page banner, and the "Create bouncer token" button do not exist.
The problem
In Docker mode, MikoPBX's built-in firewall and fail2ban do not protect the web interface:
AWS deployment guide
Full installation guide for MikoPBX using AWS
Sign in to the service Amazon Web Services
To follow the instructions, install the Amazon Command Line Utility by opening Terminal and entering the following command
Let's get started with the setup
Copying access keys
The firewall-export endpoint
ℹ️ Available starting from MikoPBX 2026.1.76.
Technical reference for developers writing their own bouncers and for integrating MikoPBX with edge providers (Cloudflare, AWS WAF, custom nftables generators).
Basics
Image Name – A custom, unique name for your image.
OS Type – Linux
OS Version – Others Linux
Architecture – 64-bit OS
Uncheck "Check After Import"
Resource Group – Choose your resource group.
Resource Group – Your resource group.
Allow all inbound connections (see example below). Outbound is allowed by default.
With Docker's default userland-proxy=true, the container sees the HTTP client as the docker0 gateway (e.g. 172.17.0.1), not the real attacker IP. Nginx-level ACLs and the fail2ban jail for the web form block only the gateway — i.e. nobody.
SIP protection still works: UDP DNAT preserves the source IP, Asterisk sees the real address, fail2ban writes the ban to Redis, and module reload acl rejects subsequent REGISTERs. Only the HTTP segment is broken.
The fix is to export ban decisions outside the container and apply them in the real host firewall (or edge CDN, or cloud security group) via an external bouncer.
Step 1. Check whether this applies to you
The Security → Web access page shows a yellow banner — "Docker bridge: external firewall enforcement required" — when MikoPBX detects the failure mode. If you see it, this document is for you.
"External firewall required" banner on the firewall page in Docker bridge mode
The Check my IP visibility button calls the system:checkClientIpVisibility endpoint and reports one of three verdicts:
ip_visible — the real client IP is visible; no action needed.
ip_not_visible — the real client IP has been replaced by the Docker bridge gateway. HTTP firewall rules will not protect you.
proxy_detected — a reverse proxy is in front of the PBX, and the PBX deliberately does not trust proxy headers. Configure the proxy to expose the real source IP, or deploy an external bouncer.
Step 2. Choose an approach
Option A — network_mode: host (minimum effort)
If the host is dedicated to the PBX and there are no port conflicts, flip the container to host mode:
The container shares the host network namespace; Asterisk and Nginx see real source IPs, and the built-in firewall works as on bare metal. Best for SIP-heavy installations.
Limitations: only one host-mode container per host, no side-by-side PBX copies, conflicts with other processes on standard ports.
Option B — cs-firewall-bouncer apt package on the host
The MikoPBX container stays in bridge mode. On the Linux host, install cs-firewall-bouncer (open-source, CrowdSec project). It polls the MikoPBX endpoint every 10 seconds and translates decisions into the host's iptables / nftables.
Recommended for most installations.
1. Create an API token
Open System → API keys.
Click Create bouncer token (pre-fills the correct path restriction).
A token-creation form opens. The description ("External firewall bouncer (CrowdSec-compatible)") and the API key are pre-filled — optionally pick a Network filter to restrict the source IP the bouncer is allowed to call from. Leave Full access permissions off: the Create bouncer token button has already scoped the token to /api/v3/firewall-bouncer, so it has no access to the rest of the API.
Token creation form with the description and key pre-filled
Save. A modal will pop up with a ready-to-paste cs-firewall-bouncer.yaml snippet — copy it immediately, the API key is shown only once.
Modal with the cs-firewall-bouncer preset config after creating the token
2. Install the bouncer on the host
3. Configure
Open /etc/crowdsec/bouncers/cs-firewall-bouncer.yaml and replace api_url / api_key with the values from step 1:
📌 api_url is the base URL — cs-firewall-bouncer appends /v1/decisions/stream itself and sends the token in the X-Api-Key header. Do not put the full decisions path in api_url, and do not prefix the key with Bearer — the bouncer manages both.
⚠️ If your MikoPBX listens on HTTPS with a self-signed certificate, add insecure_skip_verify: true or install the CA certificate on the host.
🚨 iptables_chains: [INPUT, FORWARD, DOCKER-USER] is not the CrowdSec default (default is INPUT only). Without DOCKER-USER, traffic Docker routes to the container goes via the DOCKER chain and never sees the bouncer's DROP rule — the ban appears in iptables but actually does nothing. This is the single most common trap when wiring CrowdSec to a Docker-hosted PBX.
4. Verify
The bouncer log should show received N new decisions, 0 deleted.
sudo iptables -L CROWDSEC -n (or the IPv6 counterpart for crowdsec-firewall-bouncer-iptables-v6) lists the applied bans.
Manually ban a test IP via the Firewall → Networks UI or trigger a fail2ban ban, and confirm the entry appears in the host iptables within 30 seconds.
Production deployment notes
Protect SSH (and other admin ports) from the bouncer
CrowdSec bouncers ban at IP level, not protocol level — a single ipset entry drops every TCP and UDP packet from the banned address. That includes port 22. If an operator's source IP ends up in the ban list by mistake (say, fail2ban detects three failed auth:login attempts from the office NAT), SSH gets dropped too, and the operator can lock themselves out of the host.
Insert a high-priority ACCEPT for the admin port above the bouncer's DROP rule, so administrative access stays reachable even when the operator's own IP gets banned:
Repeat for any other port you administer through (Wireguard, the cloud provider's serial console, etc.) — anything you do not want the bouncer to ever drop.
Optional: safety-net auto-flush timer
For installations where losing access to the host has a high cost, add a systemd-timer that periodically flushes the bouncer's ipset. The bouncer will re-apply current bans on the next poll, so this is a bounded-blast-radius safety net rather than a feature disable:
30 minutes is a reasonable default — short enough that an accidental lockout self-recovers before the operator's coffee gets cold, long enough that real attacks still get blocked for a meaningful window.
Bouncer bans cover every protocol — by design
CrowdSec maps decisions to a single ipset per IP family. iptables rules then drop all traffic from listed IPs, regardless of protocol or port. So a mikopbx/http ban (web brute-force) will also silently drop the same IP's SIP / IAX / AMI / SSH packets — and the reverse: a mikopbx/sip ban (Asterisk fail2ban jail) will drop the same IP's HTTP and AMI too. MikoPBX feeds all four ban categories (sip, http, ami, iax) into the same stream, so once the bouncer is wired every ban becomes IP-wide.
For most installations that's the right behaviour — if an IP is hostile to HTTP it has no business reaching SIP either, and vice versa. But if you deliberately want per-protocol isolation (e.g. block HTTP brute-forcers without affecting their SIP), do not deploy the bouncer for that PBX. The existing in-Docker SIP defence path (fail2ban → Redis → pjsip ACL inside Asterisk) keeps SIP bans isolated to Asterisk, but only as long as those bans never reach the host ipset — which is exactly what the bouncer changes.
Endpoint response shape
GET /pbxcore/api/v3/firewall-bouncer/v1/decisions/stream returns a snapshot of currently active decisions in the exact shape stock cs-firewall-bouncer expects — {new, deleted} at the top level, no MikoPBX envelope:
new[] carries the full snapshot of currently active bans on every poll — bouncers refresh their entry timeouts to the value of duration, so an active ban stays alive at the source's declared lifetime. deleted[] is computed per-token (MikoPBX stores the previous snapshot per ApiKey id) and contains decisions that disappeared since the last poll. Operator-triggered unbans propagate to the bouncer's ipset in one poll cycle (≈ 5–10 seconds), not at natural-TTL decay.
?startup=true on the first poll after bouncer restart resets the per-token cursor and emits deleted: [] — so a freshly-restarted bouncer never sees phantom evictions for state it never tracked.
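How a bouncer-side consumer can apply the stream semantics just described (full snapshot in new[], evictions in deleted[], timeouts refreshed from duration), as an added example that is not MikoPBX or CrowdSec code. The sample polls are constructed; only new, deleted and duration are named on the page, and the other decision keys are assumed to follow CrowdSec's decision object.

```python
import ipaddress
import json
import re

# Constructed sample polls in the {new, deleted} shape (documentation addresses).
POLL_1 = json.loads("""
{"new": [
   {"type": "ban", "scope": "Ip", "value": "203.0.113.7",   "duration": "1h0m0s"},
   {"type": "ban", "scope": "Ip", "value": "198.51.100.23", "duration": "10m30s"}],
 "deleted": []}""")
POLL_2 = json.loads("""
{"new": [
   {"type": "ban", "scope": "Ip", "value": "203.0.113.7", "duration": "59m50s"}],
 "deleted": [
   {"type": "ban", "scope": "Ip", "value": "198.51.100.23", "duration": "10m20s"}]}""")

_PART = re.compile(r"(\d+(?:\.\d+)?)(h|ms|m|s)")
_SECONDS = {"h": 3600.0, "m": 60.0, "s": 1.0, "ms": 0.001}


def parse_duration(text):
    """Convert a Go-style duration such as '3h59m56.5s' to seconds."""
    sign = -1.0 if text.startswith("-") else 1.0
    body = text.lstrip("+-")
    pos, total = 0, 0.0
    for part in _PART.finditer(body):
        if part.start() != pos:              # junk between two units
            raise ValueError(f"bad duration: {text!r}")
        total += float(part.group(1)) * _SECONDS[part.group(2)]
        pos = part.end()
    if pos == 0 or pos != len(body):         # nothing parsed, or trailing junk
        raise ValueError(f"bad duration: {text!r}")
    return sign * total


class BanTable:
    """Host-side view of the bans: network -> absolute expiry time in seconds."""

    def __init__(self):
        self.expires = {}

    @staticmethod
    def _key(decision):
        # Validate and normalise before a value can reach a firewall command.
        return str(ipaddress.ip_network(decision["value"], strict=False))

    def apply(self, stream, now):
        # "or []" also covers a null array in the response.
        # Evictions first, so an address unbanned and banned again within one
        # poll cycle ends up banned.
        for decision in stream.get("deleted") or []:
            self.expires.pop(self._key(decision), None)
        # new[] is the full snapshot: every poll rewrites the entry timeout.
        for decision in stream.get("new") or []:
            if decision.get("type", "ban") != "ban":
                continue
            ttl = parse_duration(decision["duration"])
            if ttl > 0:
                self.expires[self._key(decision)] = now + ttl
            else:
                self.expires.pop(self._key(decision), None)

    def active(self, now):
        return sorted(k for k, exp in self.expires.items() if exp > now)


def replay():
    """Replay the two constructed polls, then let the remaining ban time out."""
    table, seen = BanTable(), {}
    table.apply(POLL_1, now=0)
    seen["after_first_poll"] = table.active(now=0)
    table.apply(POLL_2, now=10)              # operator unbanned 198.51.100.23
    seen["after_unban"] = table.active(now=10)
    seen["just_before_expiry"] = table.active(now=3599)
    seen["after_expiry"] = table.active(now=3600)   # no further polls arrived
    return seen


if __name__ == "__main__":
    for step, bans in replay().items():
        print(step, bans)
```

The last step shows why the per-entry timeout matters: if the bouncer stops reaching the PBX, bans lapse at their declared lifetime instead of staying in the host firewall indefinitely.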
Both header forms authenticate the same token:
Whitelist sibling endpoint (custom)
GET /pbxcore/api/v3/firewall-bouncer/v1/whitelist returns the operator-defined whitelist as a flat JSON array:
This endpoint is MikoPBX-specific. Stock cs-firewall-bouncer does not poll it (CrowdSec LAPI has no "allow" decision type, and the bouncer uses its own whitelists.yaml). Provided for MikoPBX-aware integrations that want server-side whitelist consistency with the PBX's NetworkFilters.
api_url: http://<MIKOPBX-HOST>/pbxcore/api/v3/firewall-bouncer/
api_key: <token-from-modal>
update_frequency: 10s
mode: iptables
log_mode: stdout
log_level: info
# CRITICAL for Docker deployments: the rule MUST be inserted in
# DOCKER-USER, otherwise traffic Docker forwards to the container
# bypasses INPUT/FORWARD entirely and the ban is silently
# ineffective.
iptables_chains:
- INPUT
- FORWARD
- DOCKER-USER
# Disable IPv6 unless Docker has an IPv6 bridge configured. ip6tables
# does not have a DOCKER-USER chain on hosts without docker IPv6, and
# the bouncer fatals at startup when it tries to insert there.
disable_ipv6: true
sudo systemctl restart crowdsec-firewall-bouncer.service
sudo systemctl status crowdsec-firewall-bouncer.service
From the dropdown menu, select Security credentials
If you don't have an access key, do the following
Under the Access keys table, select Create access key
Copy the Access key and Secret access key
If you already have an access key, simply copy the Access key and Secret access key
Creating a bucket
Open Services / Storage / S3
On the tab select Create bucket
Enter a unique bucket name
Use default values for other fields
After entering the values, click Create bucket
Open the created bucket and select Upload
On the opened tab select Add files
Upload the file from the MikoPBX distribution with the .raw extension
Click Upload
Wait for the file to finish uploading
Adding permissions and attaching policies
If not done previously for this cloud
Create a separate folder for files on your computer
Create a file named trust-policy.json in the folder
Open Terminal and navigate to the created folder
Run the command vi trust-policy.json
Enter editing mode by pressing i and paste the text
Press ESC and type :wq to save the file
Similarly, create a file named role-policy.json and change the bucket name value in the text to the name of your created bucket
Similarly, create a file named import-image.sh, change the DEFAULT_BUCKET parameter value to the name of your created bucket and the DEFAULT_IMAGE parameter value to the name of the image uploaded to the bucket
Run the command aws configure, specify the region and copied Access key and Secret access key
Run the command
Run the command
Run the command
If the command executes successfully, a unique AMI identifier will be generated
Creating a virtual machine
Open Services / Compute / EC2 and navigate to Images / AMIs
Select the created image and click Launch an instance from AMI to create a virtual machine
Enter the virtual machine name, for example mikopbx-vm
Specify the instance type - t3.micro
If you have an SSH key
Specify the SSH key in the Key pair field
If you don't have an SSH key
Select Create new key pair and specify the key pair name, for example mikopbx_key
Follow the instructions further
In the Network settings section, check Allow SSH traffic and Allow HTTPS traffic
If necessary, change the size of the storage disk in Configure storage, default size is 50Gb
For other fields use default values
Click Launch instance
Starting MikoPBX
Go to the created virtual machine mikopbx-vm
On the opened tab, select Connect / EC2 serial console, wait for the system to fully load until the authentication parameters are displayed
Copy the external address of the created virtual machine and enter it in the browser's address bar
Use the login and password provided in EC2 serial console for login
#!/bin/bash
# Default variable definition
DEFAULT_IMAGE="mikopbx-2024.1.40-dev-x86_64.raw"
DEFAULT_BUCKET="mikopbx-bucket"
DEFAULT_DESCRIPTION="MikoPBX the best open source PBX on asterisk"
DEFAULT_NAME="MikoPBX 2024.1.40-dev"
# Overriding variables with environment variable values, if set
IMAGE="${IMAGE:-$DEFAULT_IMAGE}"
BUCKET="${BUCKET:-$DEFAULT_BUCKET}"
DESCRIPTION="${DESCRIPTION:-$DEFAULT_DESCRIPTION}"
NAME="${NAME:-$DEFAULT_NAME}"
# JSON file for import-snapshot command
JSON_FILE="disk_container.json"
# Creating JSON file
cat <<EOF > "${JSON_FILE}"
{
  "Description": "${DESCRIPTION} image",
  "Format": "raw",
  "UserBucket": {
    "S3Bucket": "${BUCKET}",
    "S3Key": "${IMAGE}"
  }
}
EOF
# Importing the snapshot
IMPORT_TASK_ID=$(aws ec2 import-snapshot --description "${DESCRIPTION} image" --disk-container "file://${JSON_FILE}" --query 'ImportTaskId' --output text)
echo "Import task started with ID: $IMPORT_TASK_ID"
# Waiting for snapshot import to complete
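while true; do
    STATUS=$(aws ec2 describe-import-snapshot-tasks --import-task-ids "$IMPORT_TASK_ID" --query 'ImportSnapshotTasks[0].SnapshotTaskDetail.Status' --output text)
    echo "Current status: $STATUS"
    # "=" instead of "==" so the test also works when the script is run with sh
    if [ "$STATUS" = "completed" ]; then
        break
    fi
    # A failed import ends as "deleting"/"deleted"; stop instead of polling forever
    if [ "$STATUS" = "deleting" ] || [ "$STATUS" = "deleted" ]; then
        echo "Snapshot import failed with status: $STATUS" >&2
        exit 1
    fi
    sleep 30
done
# Getting SnapshotId
SNAPSHOT_ID=$(aws ec2 describe-import-snapshot-tasks --import-task-ids "$IMPORT_TASK_ID" --query 'ImportSnapshotTasks[0].SnapshotTaskDetail.SnapshotId' --output text)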
# Registering AMI
AMI_ID=$(aws ec2 register-image \
    --name "$NAME" \
    --description "$DESCRIPTION" \
    --architecture x86_64 \
    --sriov-net-support simple \
    --virtualization-type hvm \
    --ena-support \
    --boot-mode legacy-bios \
    --root-device-name "/dev/sda1" \
    --block-device-mappings "[{\"DeviceName\": \"/dev/sda1\", \"Ebs\":{\"DeleteOnTermination\":true, \"VolumeSize\":1, \"SnapshotId\":\"$SNAPSHOT_ID\"}}, {\"DeviceName\": \"/dev/sdb\", \"Ebs\":{\"VolumeSize\":50}}]" \
    --query 'ImageId' \
    --output text)
echo "AMI created with ID: $AMI_ID"
aws configure
aws iam create-role --role-name vmimport --assume-role-policy-document "file://trust-policy.json"
aws iam put-role-policy --role-name vmimport --policy-name vmimport --policy-document "file://role-policy.json"
bash import-image.sh
To deploy the PBX use two disks:
A 1 Gb disk for the main system
A 50+ Gb disk for storing call recordings
Make sure to configure the Firewall on the MikoPBX
Base URL: https://<MIKOPBX-HOST>/pbxcore/api/v3/firewall-bouncer/
Endpoints:
GET /v1/decisions/stream — full decision snapshot in CrowdSec LAPI format. Stock cs-firewall-bouncer polls this path automatically by appending it to api_url.
GET /v1/whitelist — operator allow-list as a flat JSON array (MikoPBX extension).
Auth: the bouncer token can be sent in either header:
X-Api-Key: <token> — what stock cs-firewall-bouncer sends.
Authorization: Bearer <token> — convenient for curl, Postman, or custom HTTP clients. Both forms validate the same ApiKeys row, so path restrictions and ACLs apply identically.
Permission scope: firewall_bouncer. Issue tokens with allowed_paths: {"/api/v3/firewall-bouncer": "read"} — the UI preset in the ApiKeys section does this for you.
Compatibility: the decisions/stream response shape matches the CrowdSec LAPI exactly ({new, deleted} at the top level, no envelope). Existing CrowdSec bouncers (cs-firewall-bouncer, cs-cloudflare-bouncer, cs-nginx-bouncer, and dozens of community plugins) work out of the box.
Decisions stream
GET /pbxcore/api/v3/firewall-bouncer/v1/decisions/stream
mikopbx-fail2ban (Redis) or mikopbx-networkfilters (operator DB).
Mapping to CrowdSec
MikoPBX | CrowdSec | Source
mikopbx-fail2ban | aggregated origin | Redis keys firewall:<cat>:<ip>
mikopbx-networkfilters | aggregated origin | m_NetworkFilters.deny table
Polling semantics
Every poll returns the full snapshot of currently active bans in new. Bouncers refresh their ipset / nftables entry timeouts on every appearance, so a still-active ban stays alive at the source's declared duration.
deleted carries the per-bouncer diff since the previous poll. MikoPBX stores the last-served snapshot per ApiKey id (Redis key _PH_REDIS_CLIENT:fwbouncer:cursor:<token-id>, TTL 1 h refreshed on every poll — the cursor expires only after one hour of bouncer silence). Decisions that disappeared between two polls — operator-triggered unban, ban TTL elapsed, NetworkFilters entry deleted — appear in deleted as full decision objects on the next poll, so the bouncer evicts the entry from its local store immediately rather than waiting for natural ipset timeout.
update_frequency: 5–10s is the recommended polling interval.
The bouncer-sent query parameters behave as follows:
Param | Behaviour
startup | startup=true ignores the stored cursor for this poll only — full snapshot in new, empty deleted — then writes the just-served snapshot to the cursor. The NEXT poll diffs against that fresh snapshot normally. Bouncers send this on the first poll after restart. Other values (including false) are treated as steady-state polls.
scopes | Accepted but ignored. MikoPBX only emits scope=Ip and scope=Range; no filtering applied server-side.
origins | Accepted but ignored. Both origins (mikopbx-fail2ban, mikopbx-networkfilters) always present in the response. Bouncers that want to filter must do so client-side.
Cursor isolation lets multiple independent bouncers (e.g. one running nftables locally, another driving a Cloudflare endpoint) each track their own delta — issue one ApiKey per bouncer. Sharing one ApiKey between two or more bouncers makes them share a single cursor: polls from different bouncers interleave their snapshot writes, producing nondeterministic deleted[] timing and missed eviction events for short-lived bans.
Examples
curl
Minimal custom bouncer (Python)
Note that the JSON body is the LAPI shape at the top level — there is no {result, data, ...} envelope around new / deleted.
Whitelist
GET /pbxcore/api/v3/firewall-bouncer/v1/whitelist returns the operator-defined allow-list as a flat JSON array:
Sources merged into the response:
NetworkFilters rows with newer_block_ip = '1',
Fail2BanRules.whitelist.
This endpoint is MikoPBX-specific. Stock cs-firewall-bouncer does not poll it — CrowdSec LAPI has no "allow" decision type and the bouncer uses its own whitelists.yaml. Provided for MikoPBX-aware integrations that want server-side whitelist consistency.
MikoPBX additionally enforces the whitelist on the write side (via DockerNetworkFilterService::isIpWhitelisted), but that's defence in depth — your bouncer should still subtract the whitelist from new before applying bans.
Security
The whitelist endpoint exposes operator allow-list networks. Never expose this endpoint without authentication.
Optimally, bind the bouncer token to a NetworkFilter that permits only the bouncer host's IP. Calls from any other source will return 403.
After compromise — revoke the token in the ApiKeys UI; the bouncer will stop receiving new decisions, and its local bans will start expiring after 30 seconds (if that mode is enabled).
# Read the bouncer API key from an env var / secret manager on the host
# where you run this — never paste it inline in scripts that get checked
# into version control.
TOKEN="$BOUNCER_API_KEY"
# CrowdSec-style:
curl -H "X-Api-Key: $TOKEN" \
    "https://pbx.example.com/pbxcore/api/v3/firewall-bouncer/v1/decisions/stream?startup=true" \
    | jq
# Bearer-style (equivalent):
curl -H "Authorization: Bearer $TOKEN" \
    "https://pbx.example.com/pbxcore/api/v3/firewall-bouncer/v1/decisions/stream" \
    | jq
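import os
import time

import requests

BASE = "https://pbx.example.com/pbxcore/api/v3/firewall-bouncer"
# Token comes from the environment, as in the curl example.
HEADERS = {"X-Api-Key": os.environ["BOUNCER_API_KEY"]}

def apply_iptables(addresses):
    """Placeholder: push the given addresses into your firewall set."""
    print(sorted(addresses))

# Bouncer-local whitelist (refreshed less often than decisions).
whitelist = set(requests.get(f"{BASE}/v1/whitelist", headers=HEADERS, timeout=10).json())
while True:
    resp = requests.get(f"{BASE}/v1/decisions/stream", headers=HEADERS, timeout=10).json()
    bans = {d["value"] for d in (resp["new"] or [])}
    apply_iptables(bans - whitelist)
    time.sleep(10)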
["10.0.0.0/8", "192.168.1.0/24"]
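The minimal bouncer above subtracts the whitelist with a plain set difference, which only drops exact string matches and never processes deleted. The following added example (not MikoPBX's or CrowdSec's own code) plans firewall-set changes from one decisions/stream response with CIDR-aware allow-list checks, client-side origin filtering and startup handling. The names plan_actions, hits_allow_list and parse_duration, the origin key on each decision, compound durations and the sample data are assumptions made for illustration.

```python
import ipaddress
import re

_PART = re.compile(r"(\d+(?:\.\d+)?)([hms])")
_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Convert "3600s" or "8760h" to whole seconds.

    Compound Go-style values such as "1h30m" are accepted as well; that is
    an assumption, the page only shows single-unit examples.
    """
    parts = _PART.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(sum(float(n) * _SECONDS[u] for n, u in parts))


def hits_allow_list(value, allow_nets):
    """True when a banned IP/CIDR shares any address with the allow-list.

    Overlap (not just containment) is used on purpose: a banned range that
    covers one allow-listed host is withheld rather than applied.
    """
    net = ipaddress.ip_network(value, strict=False)
    return any(net.overlaps(allowed) for allowed in allow_nets)


def plan_actions(response, whitelist, known=(), startup=False, origins=None):
    """Turn one decisions/stream response into firewall-set operations.

    Returns (add, remove, skipped):
      add     -> {value: timeout_seconds} to insert or refresh
      remove  -> set of values to evict now
      skipped -> set of values withheld because they hit the allow-list
    `known` is what the local set currently holds (hypothetical parameter).
    """
    allow_nets = [ipaddress.ip_network(w, strict=False) for w in whitelist]
    add, skipped = {}, set()
    # Tolerate null in place of an empty list.
    for d in response.get("new") or []:
        if d.get("type") != "ban" or d.get("scope") not in ("Ip", "Range"):
            continue
        # The server ignores ?origins=, so filter here ("origin" key assumed).
        if origins is not None and d.get("origin") not in origins:
            continue
        if hits_allow_list(d["value"], allow_nets):
            skipped.add(d["value"])
        else:
            add[d["value"]] = parse_duration(d["duration"])
    if startup:
        # startup=true: `new` is the full snapshot and `deleted` is empty,
        # so anything left in the local set from before the restart is stale.
        remove = set(known) - set(add)
    else:
        remove = {d["value"] for d in response.get("deleted") or []}
        remove -= set(add)  # still active in this snapshot: keep it
    # An entry applied earlier may have been allow-listed since.
    remove |= {v for v in known if hits_allow_list(v, allow_nets)}
    return add, remove, skipped


# Constructed sample data (not captured from a real PBX).
SAMPLE_WHITELIST = ["10.0.0.0/8", "192.168.1.0/24"]
SAMPLE_POLL = {
    "new": [
        {"type": "ban", "scope": "Ip", "value": "203.0.113.7",
         "duration": "3600s", "scenario": "mikopbx/sip",
         "origin": "mikopbx-fail2ban"},
        {"type": "ban", "scope": "Ip", "value": "10.20.30.40",
         "duration": "3600s", "scenario": "mikopbx/http",
         "origin": "mikopbx-fail2ban"},
        {"type": "ban", "scope": "Range", "value": "198.51.100.0/24",
         "duration": "8760h", "scenario": "mikopbx/manual",
         "origin": "mikopbx-networkfilters"},
    ],
    "deleted": [
        {"type": "ban", "scope": "Ip", "value": "192.0.2.99",
         "duration": "0s", "scenario": "mikopbx/sip",
         "origin": "mikopbx-fail2ban"},
    ],
}

if __name__ == "__main__":
    add, remove, skipped = plan_actions(
        SAMPLE_POLL, SAMPLE_WHITELIST, known={"192.0.2.99", "192.168.1.50"})
    print("add/refresh:", add)
    print("evict:", sorted(remove))
    print("withheld (allow-listed):", sorted(skipped))
```

The returned timeouts map directly onto per-entry ipset or nftables timeouts, so each poll refreshes still-active bans as described under Polling semantics.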
You can navigate through the menu items using the arrow keys.
All data on the disk where MikoPBX is being installed will be lost
The disk where MikoPBX will be installed is referred to as the system disk (SYSTEM). You can choose a disk with a size larger than 500MB as the system disk.
Approximately, 1 hour of conversation takes up 14MB of disk space.
The default credentials for the first login are:
Username - admin
Password - admin
The system will ask you to change them after the first login. Changing them is important for the security of your MikoPBX.
Button for creating a new VM
Parameters of the new VM
Summary configuration
"Settings" button
Creating a new hard disk
Selecting a new hard disk
Mounting an image
List of MikoPBX images option. You need .iso image!
"Network" tab
Button for starting the created VM
Installation process
MikoPBX Console Page
IP address of your MikoPBX
Web-interface of MikoPBX
Telephony providers
Connecting and configuring telephony providers in MikoPBX
General Information
"Telephony Providers" in MikoPBX is a section of the system where connections to external telecom operators via Internet protocols for IP telephony are configured. Here, administrators can add and configure SIP trunk accounts or other types of connections that allow the system to make and receive calls from landline and mobile numbers.
To make or receive external phone calls via the public switched telephone network or the Internet, you must create at least one provider account. Each technology has its own account type. To add a new account or change an existing one, go to "Call Routing" -> "Telephony Providers":
The provider overview contains a list of all available service providers. A green icon next to the provider's name indicates that MikoPBX has registered this provider, and you can start using this provider. You can enable or disable the use of the provider using the switch on the left.
To connect a new provider account, click Connect SIP or Connect IAX depending on the type of account you are connecting.
Setting up SIP Provider
General Settings
In the general settings of the SIP provider, specify the following settings:
Provider Name - an arbitrary name that is convenient for you. It will be displayed in the selection lists in the corresponding menus.
Account Type - the type of registration for the provider account.
Provider host URL or IP Address - can be either a URL or an IP address.
Username and Password provided by your provider.
DTMF Mode - determines how DTMF signals are transmitted over SIP. There are different standards used to transmit DTMF to SIP providers. Try using different standards to find the mode that suits you.
inband sends keypresses as "tones." To use this standard, you need a high-quality audio codec.
Auto, rfc, and info transmit keypresses through SIP encoding.
Advanced SIP Provider Settings
Additional provider hosts or ip
In this section, list all communication service provider addresses from which incoming calls can arrive. Access to these addresses for SIP and RTP ports will be automatically opened on the firewall.
SIP Connection Port
By default, it is set to 5060. The SIP protocol describes how a client application (e.g., a softphone) can request the initiation of a connection from another, possibly physically remote client in the same network using its unique name. The protocol defines how clients agree on opening exchange channels based on other protocols that can be used for direct information transmission (e.g., RTP).
Transport Protocol
Allows you to specify the transport protocol used for this provider account.
Outbound Proxy
This is the provider's SIP proxy server for processing requests. The actual SIP server may differ from this address. The outbound proxy takes on primary requests and forwards them to the appropriate server.
Support NAT Session
When this option is enabled, Asterisk will send SIP OPTIONS packets. This is necessary to support NAT tunneling on your router.
Specify the frequency with which Asterisk will send OPTIONS-type SIP messages to check if this device is working and available for making calls.
If this device does not respond within the specified period (default is 60 seconds), Asterisk considers it turned off and unavailable for making calls.
Redefining SIP Header "From"
You can disable the use of the fromuser field of the SIP packet header.
The fromuser and fromdomain parameters in the pjsip.conf file are used for outgoing calls from Asterisk to the SIP device.
You can override:
the username in the From field in SIP packets (fromuser).
the domain name in the From field in SIP packets (fromdomain).
The fields User and Domain serve this purpose.
Additional Parameters
In this field, you can modify Asterisk configuration files.
You can override almost all parameters. For example, when using chan_pjsip, the provider is described with the following sections:
To override fields in sections, fill in the Additional Parameters field as follows:
To complete the configuration, click Save Settings.
Multiple Providers on One IP (Host)
There are cases when you need to connect multiple accounts from one communication service provider. In this case, the settings Host or IP Address and SIP Connection Port may be the same for all accounts.
Asterisk handles this situation differently. The PBX will not be able to correctly route the call to the desired provider, and the call will be dropped.
As a solution, in older versions of the PBX, you could describe additional inbound routes for which you would fill in the Additional Number (DID) field with the Username value for each account of the provider. This required creating N number of additional routes, equal to the number of provider accounts.
An alternative is the "" instruction. This approach was not very intuitive.
The Username field, in most cases, will be used as the destination number Additional Number (DID) for incoming calls. Considering that outgoing routes for all Usernames will be configured, the call will be correctly processed by the PBX.
More about Registration Types
1. Outgoing Registration
This option is used when connecting most providers.
Registration is necessary when the provider cannot know from which IP address the client will connect. For example, when the PBX is behind NAT. The provider's server is usually on a public IP address.
2. Incoming Registration
This option is relevant for the operation of some FXO / GSM gateways when an external device must connect to your PBX using a login and password.
This option is also relevant when the remote device is behind NAT, and MikoPBX cannot know its IP address.
3. IP Authentication, No Password
Relevant for secure private networks. For example, Rostelecom often lays its network cable and connects the client to its local network.
In this case, the PBX and the provider must be in the same network.
Extensions
Setting Primary Phone Numbers
Extensions in MikoPBX are individual users of the system who are assigned internal numbers for making and receiving calls. They have personal accounts that allow you to configure access rights, call forwarding and other personal settings in the system.
Extensions List
The "Extensions" section displays a list of internal user accounts for employees. On the left side of each employee, the status of the authorized device is displayed. If the device is successfully authorized under the respective internal user account, a green circle is shown; otherwise, it appears gray.
Application dialplans
Creating and Configuring Dialplan Applications
Dialplan applications are programmable voice applications in PHP and Asterisk Dialplan. MikoPBX comes with several pre-configured applications. With some basic knowledge of Asterisk dialplans, additional applications can be easily created. Like a phone account, applications can have an extension assigned in the settings.
MikoPBX comes with several pre-configured applications. With some basic knowledge of Asterisk dialplan, you can easily create additional applications. Like a phone extension, applications can have an internal number assigned in the settings.
Below you will see a description of the basic applications included in MikoPBX:
Application Number
Application Description
type | string | Always "ban".
scope | string | "Ip" for a single address or "Range" for a CIDR.
value | string | IP address or CIDR.
duration | string | Remaining time until expiry, e.g. "3600s" or "8760h".
scenario | string | mikopbx/sip, mikopbx/http, mikopbx/ami, mikopbx/iax, or mikopbx/manual.
[REG-AUTH-***]
type = auth
; ----
[REG-***]
type = registration
transport = transport-udp
; ----
[***-OUT]
type = auth
; ----
[***]
type = aor
max_contacts = 1
; ----
[***]
type = identify
; ----
[***]
type = endpoint
context = incoming
; ----
[registration-auth]
; Describe authentication parameters for [REG-AUTH-***]
[registration]
; Describe registration parameters on the remote server [REG-***]
[endpoint-auth]
; Describe authentication parameters for outgoing calls through the provider
[identify]
; This section is responsible for matching registration and endpoint. When an incoming call arrives,
; an identity parameter check will be carried out according to the INVITE.
[aor]
; Edit the AOR section for the endpoint
[endpoint]
; Edit endpoint parameters
In the search bar, you can find the desired contact. You can search by the employee's name, internal number, mobile number, or email address.
Search for an employee by email
The form also provides the ability to sort the list of employees by name, internal number, mobile number, or email address. There are buttons for copying the account password to the clipboard, editing the account, and deleting the account.
Sorting employees and functions in the main menu
Adding an extension
Adding Employees One by One
To add a new employee, click the "Add new employee" button.
Button "Add new employee"
Importing and Exporting Employees from a CSV File
There is an option to export and import employees for configuration convenience. To do this, click the arrow to the right of the "Add New Employee" button.
3 options are available:
Import from CSV — load employees from a CSV file into MikoPBX.
Export to CSV — download employees to a CSV file from MikoPBX (employees will not be deleted from the station).
Download template — download a CSV table template to fill in and subsequently import into MikoPBX.
Options for bulk employee import/export
Import
Click "Select CSV file" and choose the previously prepared file with data in the table. It is recommended to use templates from the "Template" tab.
"Import" section
After selecting the file, information about all detected users in the table will be displayed. Select a duplicate handling strategy and click "Confirm import" to start the process.
Employee import parameters
After the process is complete, you will see the employee creation status as well as a notification about the end of the import.
Click "Back to list" to return to the employee list.
Successful employee import
Export
There is an option to export a CSV file with all the data of current employees. Several export formats are available:
Minimal:
number — Internal number (required)
user_username — Employee full name (required)
user_email — Email address
mobile_number — Mobile number
sip_secret — SIP password (will be generated if not specified)
fwd_ringlength — Ring time (seconds) before forwarding
sip_transport — Transport (udp/tcp/tls), default udp,tcp
sip_enableRecording — Call recording (true/false)
fwd_forwardingonbusy — Forwarding number if busy
fwd_forwardingonunavailable — Forwarding number if unavailable
Full:
All parameters from Minimal and Standard.
user_avatar — Photo URL
sip_acceptMultipleCalls — Accept multiple calls at the same time (true/false)
sip_manualattributes — Additional SIP parameters
You can also specify a range of internal employee numbers to export (the "Filter by number range" section).
Click "Export employees". The file will be downloaded to your device.
"Export" section
Template
On this tab, you can download a blank file template with the specified "columns" to fill in and subsequently import into MikoPBX.
Select the template format (see the "Export" section for more details), then click "Download CSV template".
"Template" section
Main Account Settings
Employee Account Settings Tab
On the "Basic Parameters" tab, you can configure the general settings for an employee's internal account:
Username: This value will be used for name substitution and displayed in the corresponding field on the phone screen.
Internal Number: This is the employee's internal extension number, which is also used as the login when connecting the phone.
Mobile Number: It is used for additional routing purposes.
Email Address: It is used for email notifications.
Password for SIP
Advanced Account Settings
Open the Advanced drop-down list:
Advanced settings option
Redefining the set string
In the "Redefining the set string" field, enter the dialing rule for mobile numbers according to your provider's requirements.
Call recording
If you want employees to have the ability to record conversations, you can enable the Call recording feature.
DTMF Mode
The setting determines how DTMF (Dual Tone Multi-Frequency) signals are transmitted over the SIP protocol. DTMF signals are used, for example, when dialing phone numbers or interacting with IVR systems.
Transport protocol
This setting allows you to specify the transport protocol used for this account. The transport protocol determines how data is transmitted over the network. The most common transport protocols used in SIP (Session Initiation Protocol) are UDP (User Datagram Protocol), TCP (Transmission Control Protocol), and TLS (Transport Layer Security).
Network filter
The subnet described in the "Network Firewall" section specifies the allowed subnet for this account. It determines which IP addresses or networks are permitted to connect to this account. Connections originating from other subnets will result in authentication errors.
Manual additional attributes for SIP
This field is used to modify/override the configuration files of Asterisk. You can override almost all parameters. For example, when using chan_pjsip, a SIP account for an employee is described by the following sections:
To override fields in the sections, you should fill in the "Additional Parameters" field as follows:
Routing Settings
"Routing settings" section
On this tab, you can set rules for call forwarding when the employee is unavailable, busy, or does not answer.
Set the time period in seconds during which the call will be directed to the employee's internal account. If the employee cannot answer the call within the specified time, indicate to which number the call should be forwarded. By default, the call will be redirected to the employee's mobile number.
You can also specify the numbers to which the call should be redirected in case of busy and unavailable status.
Feel free to configure these parameters according to your preferences and requirements.
[acl]
; Describe access parameters from different subnets [acl_***]
[auth]
; Describe authentication parameters for outbound calls
[aor]
; Edit AOR section for the endpoint
[endpoint]
; Edit endpoint parameters
There are two ways to add employees:
1) Adding employees one by one by entering data in the Web interface.
2) Importing multiple employees from a CSV file.
Please set strong passwords for SIP accounts. MikoPBX validates the password length and strength when the account is saved. A secure SIP password should use a non-dictionary combination of uppercase and lowercase letters, digits, and special characters.
By setting complex passwords, you can enhance the security of the user accounts and protect them from unauthorized access.
000063 | Reads back the internal number of the employee who called the application, so the caller hears their own internal number on the PBX.
000064 | 0000MILLI - Generates a constant sound signal with a frequency of 1000 Hz. Used to check the quality of the connection.
10003246 | The Echo application sends the received audio signals back to the user so that the delay duration can be determined. In general, you hear what you say. The application is mainly used for testing.
Creating applications
MikoPBX applications are created from several plans of the Asterisk application suite. There are many examples of ready-to-run applications in the system. To add a new MikoPBX application, click on "Add a New" in the application menu.
"Add a new" button
In just a few steps, you can create your own applications. First, define the Name and Call Number for the application, and optionally fill in the Comment field.
Possible application code types:
PHP-AGI script - AGI is an embedded method in Asterisk for executing external scripts (similar to CGI for HTTP servers), which can extend Asterisk's functionality using other programming languages, particularly PHP. AGI scripts can control call handling in the dialplan and are invoked from the extensions.conf file.
Asterisk Dialplan - The configuration of the dialplan is contained in the Asterisk configuration file called extensions.conf. This is one of the most important configuration files where the processing and routing of incoming and outgoing calls are defined. This file governs the behavior of all connections passing through your PBX (Private Branch Exchange).
Parameters of the new dialplan application
Let's clarify: we will refer to MikoPBX applications as "applications" and Asterisk dialplan functions as "functions". For example, Answer(), NoOP(), Set(), and Wait() are functions. These are individual target functions in Asterisk that are then combined in MikoPBX to create more powerful MikoPBX applications.
Describe the logical operations in the text field of the Programme Code. Please note that only one command is allowed per line, for example:
"Programme code" section
The figure shows an example of the simplest application for the number 000063. After dialing the number, you will hear the robot voice your internal number.
Description of Asterisk functions that you can use in your applications:
Command name | Description
answer | Transfer the call to the answered state.
channel status | Returns the status of the connected channel.
control stream file | Sends a preset audio file to the channel, with the ability to control its playback (pause/rewind/resume playback) using the DTMF digits received from the subscriber, if specified. (Asterisk 1.2)
List of basic Application dialplans
MikoPBX will check the commands used. It is possible that incorrectly programmed operations may affect the performance of your telephone system.
Running MikoPBX using docker compose
MikoPBX Installation Guide using Docker compose
To work with MikoPBX in a container, you need to install Docker and Docker Compose following the instructions
Here is an example of a docker-compose.yml file that can be used to manage your MikoPBX container via Docker Compose:
docker-compose.yml
services:
  mikopbx:
    container_name: "mikopbx"
    image: "ghcr.io/mikopbx/mikopbx-x86-64"
    network_mode: "host"
    cap_add:
      - NET_ADMIN
    entrypoint: "/sbin/docker-entrypoint"
    hostname: "mikopbx-in-a-docker"
    volumes:
      - /var/spool/mikopbx/cf:/cf
      - /var/spool/mikopbx/storage:/storage
    tty: true
    environment:
      - ID_WWW_USER=${ID_WWW_USER}
      - ID_WWW_GROUP=${ID_WWW_GROUP}
      # Change the station name through environment variables
      - PBX_NAME=MikoPBX-in-Docker
      # Change the default SSH port to 23
      - SSH_PORT=23
      # Change the default WEB port to 8080
      - WEB_PORT=8080
      # Change the default WEB HTTPS port to 8443
      - WEB_HTTPS_PORT=8443
Save the contents into a file named docker-compose.yml, make the necessary adjustments, and launch MikoPBX using the command:
Running Multiple MikoPBX Instances on One Host
Mode Without Network Isolation Between Host and Containers (--net=host)
It is also possible to organize the launch of multiple MikoPBX containers on a single host. However, you need to consider Docker's port handling features. If the --net=host mode is not used, it will lead to a high load on the host system's CPU because Docker creates a separate rule in iptables for each allocated port.
With the --net=host mode enabled, you need to manually monitor the distribution of available ports between the running containers and built-in applications. For instance, to run two MikoPBX containers on one host, you can use the following configuration file:
Save the contents into a file named docker-compose.yml, make the necessary adjustments, and launch MikoPBX using the command:
Network Bridge Mode (--net=bridge)
There is an option to launch MikoPBX containers in the --net=bridge mode. However, as mentioned above, to use this mode you either need to significantly limit the range of RTP ports or open them on the host machine without using Docker's capabilities.
For this, you will need to write a small script to determine the name of the current bridge interface and the IP address of each container. After running Docker Compose, you will then need to add the necessary iptables rules for the RTP port range as follows:
Let's describe several containers in the docker-compose.yaml file, specify different ports for the web interface, SIP ports, and ranges of RTP ports to ensure they do not overlap.
Creating a directory for scripts
Save the start-multiple-mikopbx.sh and docker-compose.yaml files into this folder.
Install the necessary dependencies for the script.
Navigate to our folder, add execution rights and launch our script.
While waiting for the containers to start, check the firewall settings on the host, and if necessary, open the ports specified in our docker-compose.yaml file, specifically:
TCP/UDP ports 5060 and 6060 for SIP
UDP ranges 10000-10800 and 20000-20800 for RTP voice transmission
TCP ports 8443 and 9443 for HTTPS protocol, for web interface operation.
Access each station in turn at the addresses:
https://<host machine IP>:8443
https://<host machine IP>:9443
To access the web interface of the first MikoPBX, use the login admin and the password mikopbx-first-password
To access the web interface of the second MikoPBX, use the login admin and the password mikopbx-second-password
Each machine should have NAT mode enabled, indicating that the container is behind a router in the network interface settings. If the stations will be used within a local network, then in the external IP field, enter the local IP address of the host machine, otherwise its public IP address.
With that, the setup is complete, and you can configure accounts and make calls.
Environment variables for configuring MikoPBX
Below are some of the environment variables that will allow you to adjust the MikoPBX ports and settings used.
SSH_PORT - port for SSH (22)
WEB_PORT - port for the web interface via HTTP protocol (80)
WEB_HTTPS_PORT - port for the web interface via HTTPS protocol (443)
A full list of all possible setting parameters is available in the source code.
Google Cloud deployment guide
MikoPBX Installation deployment Guide using Google Cloud
If you do not have an SSH key, go straight to step 19
For other fields use default values
After entering the values, click CREATE
Configuring ports for incoming connections
Open Navigation menu / VPC network / Firewall
Select CREATE FIREWALL RULE to create a new rule for incoming connections
Enter the name of the new rule (Name), for example http-80
Starting MikoPBX
Open the Compute Engine tab and go to the Virtual machines / VM Instance section
Copy the External IP of the created virtual machine
Enter the External IP in the browser's address bar
Open the created virtual machine
ARI Access
Short description of ARI (Asterisk REST Interface)
ARI is a RESTful API with WebSocket support that gives full control over Asterisk channels, bridges, and media streams in real time. Unlike the MikoPBX REST API, ARI works directly with the Asterisk core and is designed for building custom telephony applications.
What is it used for?
ARI is used when the standard PBX features are not enough and custom call handling logic is required:
General settings
Description of the main system settings
This section configures the core system parameters. It is recommended to complete these settings immediately after installing the PBX.
Main
PBX system name - displayed on the MikoPBX main page.
Execution of the specified Command. (Commands are functions that you use when describing the set plan in the extensions.conf file).
get data
Get data from the channel.
get option
Behaves similarly to the "STREAM FILE" command, but is used with a specified value for timeout. (Asterisk 1.2)
get variable
Get the value of the channel variable.
hangup
Break the connection (Hangup) on the current channel.
noop
An empty command. Does nothing.
receive char
Accepts one character from the channel if it supports this feature.
receive text
Accepts a text string from a channel if it supports this feature.
record file
Writes to the specified file.
say alpha
Pronounces the specified string of characters. (Asterisk 1.2)
say date
Pronounces the date. (Asterisk 1.2)
say datetime
Pronounces the date and time according to the specified format. (Asterisk 1.2)
say digits
Pronounces the specified string of digits.
say number
Pronounces the specified number.
say phonetic
Pronounces the specified string of characters.
say time
Pronounces the time.
send image
Sends the image to the channel if it supports this feature.
send text
Sends text to the channel if it supports this feature.
set autohangup
Automatic termination of the connection (Autohangup) on the channel at the specified time.
set callerid
Setting the caller id for the current channel.
set context
Setting the context for the current channel.
set extension
Change the extension for the current channel.
set music
Enable/disable music on hold, for example: "SET MUSIC ON default".
set priority
Enabling/Turning off the standby music (Music on hold), for example: "SET MUSIC ON default".
set variable
Setting the channel variable.
stream file
Sending an audio file to the channel.
tdd mode
Setting the TDD mode for a channel that can support it to enable interaction with TDD.
verbose
Writing a message to the verbose log of the asterisk server.
wait for digit
Waiting for the DTMF button to be pressed
SIP_PORT - port for connecting a SIP client (5060)
TLS_PORT - port for connecting a SIP client with encryption (5061)
RTP_PORT_FROM - beginning of the RTP port range, voice transmission (10000)
RTP_PORT_TO - end of the RTP port range, voice transmission (10800)
IAX_PORT - port for connecting IAX clients (4569)
AMI_PORT - AMI port (5038)
AJAM_PORT - AJAM port used for connecting the telephony panel for 1C (8088)
AJAM_PORT_TLS - AJAM port used for connecting the telephony panel for 1C (8089)
BEANSTALK_PORT - port for the Beanstalkd queue server (4229)
REDIS_PORT - port for the Redis server (6379)
GNATS_PORT - port for the gnatsd server (4223)
ID_WWW_USER - identifier for www-user (can be set with the expression $(id -u www-user), where www-user is NOT a root user)
ID_WWW_GROUP - group identifier for www-user (can be set with the expression $(id -g www-user), where www-user is NOT a root group)
WEB_ADMIN_LOGIN - login for Web interface access
WEB_ADMIN_PASSWORD - password for Web interface access
Important note!
One of our containers uses port forwarding from SIP port changing its value from 5060 to 6060.
In this case, for the system to function correctly, you need to add the external value of the SIP port in the NAT settings in the network interfaces section of MikoPBX.
This setting can also be made by setting the corresponding value of the environment variable EXTERNAL_SIP_PORT=6060 in the docker-compose file.
In the default bridge mode the built-in MikoPBX firewall does not protect the web interface — the container cannot manage host iptables. See External firewall for Docker.
#!/bin/bash

COMPOSE_FILE="$1"
if [ -z "$COMPOSE_FILE" ]; then
    echo "Usage: $0 path/to/docker-compose.yaml"
    exit 1
fi

# We will obtain the user ID for running the container
export ID_WWW_USER=$(id -u www-user)
export ID_WWW_GROUP=$(id -g www-user)

# Stop current containers if they are running
docker compose -f "$COMPOSE_FILE" down
# Remove them
docker compose -f "$COMPOSE_FILE" rm
# Start containers in the background
docker compose -f "$COMPOSE_FILE" up -d
sleep 60

# Create a label for IPTABLES rules
IPTABLES_COMMENT="mikopbx-custom-rule"

# Determine the project identifier, used when creating a network bridge
project_prefix=$(cat "$COMPOSE_FILE" | yq e '.x-project-name' -)
# If the prefix is not set (yq prints "null" for a missing key), use a default value
if [ -z "$project_prefix" ] || [ "$project_prefix" = "null" ]; then
    project_prefix="default_prefix"
fi

# Function to get container IP address
function get_container_ip() {
    docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' "$1"
}

# Function to get the name of the bridge interface
function get_bridge_name() {
    local network_name="$1"
    local prefix="$2"
    local network_id=$(docker network inspect "${prefix}_${network_name}" -f '{{.Id}}')
    if [ -z "$network_id" ]; then
        echo "Error: Network ${prefix}_${network_name} not found."
        return 1
    fi
    local bridge_name=$(ip link show type bridge | grep -o "br-${network_id:0:12}\b")
    echo $bridge_name
}

echo "Delete tagged iptables rules"
# Delete all iptables rules tagged with our comment
iptables -S | grep "$IPTABLES_COMMENT" | sed 's/-A /-D /' | while read rule; do
    echo "Delete rule $rule"
    iptables $rule
done
# Delete all NAT iptables rules tagged with our comment
iptables -S -t nat | grep "$IPTABLES_COMMENT" | sed 's/-A /-D /' | while read rule; do
    echo "Delete rule $rule"
    iptables -t nat $rule
done

# Parse the docker-compose file and obtain all necessary parameters.
echo "Parsing docker-compose file and configuring iptables rules"
cat "$COMPOSE_FILE" | yq e '.services[] | select(.environment[] | test("RTP_PORT_FROM")) | {"container_name": .container_name, "environment": .environment, "network": .networks[0]}' -o=json | jq -c '.' | while read -r service; do
    container_name=$(echo $service | jq -r '.container_name')
    network_name=$(echo $service | jq -r '.network')
    bridge_name=$(get_bridge_name "$network_name" "$project_prefix")
    container_ip=$(get_container_ip "$container_name")
    RTP_PORT_FROM=$(echo $service | jq -r '.environment[] | select(contains("RTP_PORT_FROM")) | split("=")[1]')
    RTP_PORT_TO=$(echo $service | jq -r '.environment[] | select(contains("RTP_PORT_TO")) | split("=")[1]')

    echo "Configuring iptables for $container_name ($container_ip) on $bridge_name from port $RTP_PORT_FROM to $RTP_PORT_TO"
    iptables -A DOCKER -t nat ! -i "$bridge_name" -p udp -m udp --dport $RTP_PORT_FROM:$RTP_PORT_TO -j DNAT --to-destination $container_ip:$RTP_PORT_FROM-$RTP_PORT_TO -m comment --comment "$IPTABLES_COMMENT"
    iptables -A DOCKER -d $container_ip/32 ! -i "$bridge_name" -o "$bridge_name" -p udp -m udp --dport $RTP_PORT_FROM:$RTP_PORT_TO -j ACCEPT -m comment --comment "$IPTABLES_COMMENT"
    iptables -A POSTROUTING -t nat -s $container_ip/32 -d $container_ip/32 -p udp -m udp --dport $RTP_PORT_FROM:$RTP_PORT_TO -j MASQUERADE -m comment --comment "$IPTABLES_COMMENT"
    echo "Don't forget to open UDP ports $RTP_PORT_FROM to $RTP_PORT_TO on external firewall if it exists"
done

echo "iptables configuration completed successfully."
docker-compose.yaml
services:
  mikopbx-first:
    container_name: "mikopbx-first"
    image: "ghcr.io/mikopbx/mikopbx-x86-64"
    entrypoint: "/sbin/docker-entrypoint"
    hostname: "mikopbx-in-docker-first"
    volumes:
      - /var/spool/mikopbx/first/cf:/cf
      - /var/spool/mikopbx/first/storage:/storage
    tty: true
    cap_add:
      - net_admin
    networks:
      - network-bridge1
    environment:
      - ID_WWW_USER=${ID_WWW_USER}
      - ID_WWW_GROUP=${ID_WWW_GROUP}
      - PBX_NAME=MikoPBXFirst
      - RTP_PORT_FROM=10000 # UDP range 10000-10800 on host will be directed to the container
      - RTP_PORT_TO=10800
      - WEB_ADMIN_PASSWORD=mikopbx-first-password
      - ENABLE_USE_NAT=1
      - PBX_FIREWALL_ENABLED=1
      - PBX_FAIL2BAN_ENABLED=1
    ports:
      - "8443:443" # TCP port 8443 on the host is directed to port 443 in the container
      - "5060:5060/udp" # UDP port 5060 on the host is directed to port 5060 in the container

  mikopbx-second:
    container_name: "mikopbx-second"
    image: "ghcr.io/mikopbx/mikopbx-x86-64"
    tty: true
    cap_add:
      - net_admin
    networks:
      - network-bridge2
    entrypoint: "/sbin/docker-entrypoint"
    hostname: "mikopbx-in-docker-second"
    volumes:
      - /var/spool/mikopbx/second/cf:/cf
      - /var/spool/mikopbx/second/storage:/storage
    environment:
      - ID_WWW_USER=${ID_WWW_USER}
      - ID_WWW_GROUP=${ID_WWW_GROUP}
      - PBX_NAME=MikoPBXSecond
      - RTP_PORT_FROM=20000 # UDP range 20000-20800 on host will be directed to the container
      - RTP_PORT_TO=20800
      - EXTERNAL_SIP_PORT=6060 # Inform MikoPBX about its external SIP port
      - WEB_ADMIN_PASSWORD=mikopbx-second-password
      - ENABLE_USE_NAT=1
      - PBX_FIREWALL_ENABLED=1
      - PBX_FAIL2BAN_ENABLED=1
    ports:
      - "9443:443" # TCP port 9443 on the host is directed to port 443 in the container
      - "6060:5060/udp" # UDP port 6060 on the host is directed to port 5060 in the container

x-project-name: mikopbx # This parameter must be present

networks:
  network-bridge1:
    driver: bridge
  network-bridge2:
    driver: bridge
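A pre-flight check for the port plan described above, as an added example that is not part of the MikoPBX project: it reports host-side port collisions between containers, flags a remapped SIP port that lacks a matching EXTERNAL_SIP_PORT, and lists what the host firewall has to allow. The SERVICES dictionary is constructed to mirror the docker-compose.yaml on this page, and all function names are hypothetical.

```python
from itertools import combinations

# Constructed input: mirrors the ports and environment entries of the
# docker-compose.yaml on this page (only the keys this check needs).
SERVICES = {
    "mikopbx-first": {
        "ports": ["8443:443", "5060:5060/udp"],
        "environment": ["RTP_PORT_FROM=10000", "RTP_PORT_TO=10800"],
    },
    "mikopbx-second": {
        "ports": ["9443:443", "6060:5060/udp"],
        "environment": ["RTP_PORT_FROM=20000", "RTP_PORT_TO=20800",
                        "EXTERNAL_SIP_PORT=6060"],
    },
}

SIP_CONTAINER_PORT = 5060  # default SIP_PORT from the variable list on this page


def env_map(service):
    """Turn the compose 'environment' list into a dict."""
    return dict(item.split("=", 1) for item in service.get("environment", []))


def parse_range(text):
    """'10000-10800' -> (10000, 10800); '8443' -> (8443, 8443)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text!r}")
    return lo, hi


def parse_port(entry):
    """'[ip:]host:container[/proto]' -> (proto, host_lo, host_hi, container_lo)."""
    spec, _, proto = entry.partition("/")
    parts = spec.split(":")
    if len(parts) < 2:
        raise ValueError(f"{entry!r} publishes no fixed host port")
    host_lo, host_hi = parse_range(parts[-2])
    container_lo, _ = parse_range(parts[-1])
    return proto or "tcp", host_lo, host_hi, container_lo


def host_claims(service):
    """Every (proto, lo, hi) the service occupies on the host."""
    claims = [parse_port(entry)[:3] for entry in service.get("ports", [])]
    env = env_map(service)
    if "RTP_PORT_FROM" in env and "RTP_PORT_TO" in env:
        # The start script forwards this UDP range with iptables DNAT rules.
        claims.append(("udp", *parse_range(f'{env["RTP_PORT_FROM"]}-{env["RTP_PORT_TO"]}')))
    return claims


def find_overlaps(services):
    """Return (service_a, service_b, proto, lo, hi) for every shared host port."""
    claims = [(name, c) for name, svc in services.items() for c in host_claims(svc)]
    found = []
    for (a, ca), (b, cb) in combinations(claims, 2):
        lo, hi = max(ca[1], cb[1]), min(ca[2], cb[2])
        if ca[0] == cb[0] and lo <= hi:
            found.append((a, b, ca[0], lo, hi))
    return found


def sip_nat_issues(services):
    """Return (service, host_port, declared) where SIP is remapped on the host
    but EXTERNAL_SIP_PORT is missing or names a different port."""
    issues = []
    for name, svc in services.items():
        env = env_map(svc)
        sip_port = int(env.get("SIP_PORT", SIP_CONTAINER_PORT))
        for entry in svc.get("ports", []):
            _, host_lo, _, container = parse_port(entry)
            if container != sip_port or host_lo == sip_port:
                continue
            issue = (name, host_lo, env.get("EXTERNAL_SIP_PORT"))
            if issue[2] != str(host_lo) and issue not in issues:
                issues.append(issue)
    return issues


def firewall_openings(services):
    """Host ports to allow on the external firewall, as 'proto lo[-hi]'."""
    rules = {c for svc in services.values() for c in host_claims(svc)}
    return [f"{p} {lo}" if lo == hi else f"{p} {lo}-{hi}" for p, lo, hi in sorted(rules)]


if __name__ == "__main__":
    for a, b, proto, lo, hi in find_overlaps(SERVICES):
        print(f"COLLISION {proto} {lo}-{hi}: {a} and {b}")
    for name, port, declared in sip_nat_issues(SERVICES):
        print(f"{name}: SIP published on {port}, EXTERNAL_SIP_PORT={declared}")
    print("Allow on the host firewall:", ", ".join(firewall_openings(SERVICES)))
```

Running it before `docker compose up` catches a copied service block whose RTP range or published port was not changed, which otherwise shows up only as one-way or missing audio.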
Stasis — a dialplan application that passes a channel to your ARI application for control
Typical scenario: a call enters the dialplan → Stasis() passes the channel to your application → the application controls the call via REST API and receives events via WebSocket.
Configuring an ARI User
Before starting, you need to enable the ARI interface (it is disabled by default). Go to "System" → "General Settings".
"General settings" section in MikoPBX
Go to the "AMI & ARI" tab and toggle the "Use ARI Interface" switch. In the "CORS allowed origins" field, specify the domains from which requests to ARI will be made. CORS is a browser security mechanism that restricts cross-domain API requests.
Value - When to use
(empty) - Access from the same domain only
http://localhost:3000 - Local development
https://app.mycompany.com - Production application
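A check to run over the values intended for the "CORS allowed origins" field before saving them, as an added example that is not part of MikoPBX. It encodes the guidance on this page (no `*`, HTTPS origins in production, plain HTTP only for local development); the function names and the SAMPLE list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts treated as "local development" (assumption based on the table above).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the table values plus three common mistakes.
SAMPLE = [
    "*",
    "http://localhost:3000",
    "https://app.mycompany.com",
    "https://app.mycompany.com/",   # trailing slash
    "app.mycompany.com",            # scheme missing
]


def check_origin(origin, production=True):
    """Return the list of problems with one origin; an empty list means it is fine."""
    origin = origin.strip()
    if origin == "*":
        return ["wildcard admits every website; list the trusted origins instead"]
    try:
        parts = urlsplit(origin)
        host = parts.hostname
        _ = parts.port  # raises ValueError when the port is malformed
    except ValueError:
        return ["cannot be parsed as a URL"]
    if parts.scheme not in ("http", "https") or not host:
        return ["not of the form scheme://host[:port]"]

    problems = []
    # A browser's Origin header is scheme://host[:port] and nothing more,
    # so an entry carrying anything else describes no real origin.
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        problems.append("has a path, query, fragment or credentials")
    if "*" in host:
        problems.append("wildcard in host name")
    if parts.scheme == "http":
        if production:
            problems.append("plain HTTP origin in production")
        elif host not in LOOPBACK_HOSTS:
            problems.append("plain HTTP accepted only for loopback hosts in development")
    return problems


def lint_allowed_origins(origins, production=True):
    """Map every configured origin to its list of problems."""
    return {origin: check_origin(origin, production) for origin in origins}


def rejected(origins, production=True):
    """Origins that should not be saved as they are."""
    return [o for o, p in lint_allowed_origins(origins, production).items() if p]


if __name__ == "__main__":
    for origin, problems in lint_allowed_origins(SAMPLE).items():
        print(f"{origin!r}: {'ok' if not problems else '; '.join(problems)}")
```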
Enabling ARI
Go to "System" → "ARI Access".
"ARI Access" section in MikoPBX
Click "Add User".
"Add User" button
Fill in the following parameters:
Username — login for connection, e.g. ari_user.
Password — password for connection.
Description — description for the current user, e.g. "WebRTC Demo".
Applications — specify the names of Stasis applications the user has access to. Leave the field empty for access to all applications.
Save the settings.
Configuring user access to the ARI
Connection Parameters
WebSocket
Type - URL
Regular - ws://your-mikopbx.com:8088/asterisk/ari/events
Secure (TLS) - wss://your-mikopbx.com:8089/asterisk/ari/events
Replace [application] with the name of your Stasis application.
REST API
Type - URL
HTTP - http://your-mikopbx.com:8088/asterisk/ari
HTTPS - https://your-mikopbx.com:8089/asterisk/ari/
Authentication: HTTP Basic Auth — ARI user login and password.
Example: Hello World
This is a minimal ARI example — a channel enters a Stasis application, the application plays a sound file and ends the call.
In MikoPBX, go to "Routing" → "Dialplan Applications", create an application with the type "Asterisk Dialplan" and the following code:
Assign the application to the required incoming route.
Step 3 — Make a Call
When an incoming call arrives, the WebSocket will receive a StasisStart event:
Step 4 — Play Sound via REST API
Open a new terminal window and run the following command:
On successful playback, you will see the following output in the terminal:
Step 5 — End the Call
After the call ends, the WebSocket will send a StasisEnd event:
Example: Presence Monitor
A live employee status table in the terminal — no incoming route or Stasis application configuration required. Works by subscribing to all station events.
Install dependencies:
As calls are made, the table will update in real time:
Full ARI documentation is available on the Asterisk website: docs.asterisk.org
Detailed ARI documentation is available on the official Asterisk website: Asterisk REST Interface
# REST API request via curl
curl -u username:password https://your-mikopbx.com:8089/asterisk/ari/asterisk/info
import asyncio
import websockets
import json
from datetime import datetime

ARI_HOST = 'your-mikopbx.com'
ARI_USER = 'ari_user'
ARI_PASS = 'your-ari-password'

# Last known state per extension: {number: {'name', 'state', 'updated'}}
peers = {}

# Device state -> (icon, label) shown in the table
STATES = {
    'NOT_INUSE': ('🟢', 'Available'),
    'BUSY': ('🔴', 'Busy'),
    'UNAVAILABLE': ('⚫', 'Unavailable'),
}


def draw():
    # Clear the terminal and redraw the whole table
    print('\033[2J\033[H', end='')
    now = datetime.now().strftime('%H:%M:%S')
    print(f'MikoPBX — Presence Monitor [{now}]')
    print('─' * 50)
    print(f' {"Number":<10} {"Name":<20} {"Status":<15} {"Updated"}')
    print('─' * 50)
    for number, info in sorted(peers.items()):
        icon, label = STATES.get(info['state'], ('❓', info['state']))
        print(f' {number:<10} {info["name"]:<20} {icon} {label:<12} {info["updated"]}')
    print('─' * 50)
    print(f' Employees: {len(peers)}')


async def run():
    # Secure WebSocket (wss, port 8089); subscribeAll=true delivers events for all resources
    uri = (
        f"wss://{ARI_USER}:{ARI_PASS}@{ARI_HOST}:8089/asterisk/ari/events"
        f"?app=auto-receptionist&subscribeAll=true"
    )
    async with websockets.connect(uri) as ws:
        draw()
        async for message in ws:
            event = json.loads(message)
            etype = event.get('type')

            if etype == 'DeviceStateChanged':
                ds = event.get('device_state', {})
                name = ds.get('name', '')
                state = ds.get('state', '')
                # Only PJSIP devices are shown
                if not name.startswith('PJSIP/'):
                    continue
                number = name.replace('PJSIP/', '')
                if number not in peers:
                    peers[number] = {'name': number, 'state': state, 'updated': '—'}
                peers[number]['state'] = state
                peers[number]['updated'] = datetime.now().strftime('%H:%M:%S')
                draw()

            elif etype == 'PeerStatusChange':
                ep = event.get('endpoint', {})
                number = ep.get('resource', '')
                state = ep.get('state', '')
                if not number:
                    continue
                if number not in peers:
                    peers[number] = {'name': number, 'state': 'unknown', 'updated': '—'}
                if state == 'online':
                    peers[number]['state'] = 'NOT_INUSE'
                elif state == 'offline':
                    peers[number]['state'] = 'UNAVAILABLE'
                peers[number]['updated'] = datetime.now().strftime('%H:%M:%S')
                draw()

            elif etype == 'ContactStatusChange':
                ep = event.get('endpoint', {})
                number = ep.get('resource', '')
                ci = event.get('contact_info', {})
                status = ci.get('contact_status', '')
                if not number:
                    continue
                if number not in peers:
                    peers[number] = {'name': number, 'state': 'unknown', 'updated': '—'}
                if status == 'Reachable':
                    peers[number]['state'] = 'NOT_INUSE'
                elif status in ('Unreachable', 'NonQualified'):
                    peers[number]['state'] = 'UNAVAILABLE'
                peers[number]['updated'] = datetime.now().strftime('%H:%M:%S')
                draw()


asyncio.run(run())
MikoPBX — Presence Monitor [11:34:43]
──────────────────────────────────────────────────
 Number     Name                 Status          Updated
──────────────────────────────────────────────────
 202        202                  🟢 Available    11:34:25
 243        243                  ⚫ Unavailable  11:34:43
 252        252                  🔴 Busy         11:34:41
──────────────────────────────────────────────────
 Employees: 3
Never use * in production. Only specify trusted domains over HTTPS.
Common applications
ari-app: Main ARI application
stasis: Base Stasis application
It is recommended to use secure connections (wss:// and https://) with a valid SSL certificate. Regular ws:// and http:// are acceptable only in an isolated test environment.
Use the channel id from the StasisStart event!
Additional description - visible to system administrators only.
Language of system audio messages - language used for voice announcements.
Maximum length of internal numbers - the maximum length of an employee's internal extension number.
Allow incoming calls from any servers - allows accepting SIP calls from unauthorized devices and servers without registration.
Restart PBX every night — automatic restart of Asterisk at night (at 01:00 AM system time).
Send crash information to developers — when an error occurs, its description is sent to developers (requires internet access).
Click "Save".
"General" tab in system settings
Call Recording
Call Recording - enable or disable recording of all calls.
Recording internal conversations - enable or disable recording of calls between employees.
Below, you can select audio files to be used as a recording notification (different audio files can be selected for incoming and outgoing calls).
"Call Recording" tab in system settings
Phone calls are saved in WebM format with the Opus codec. File size depends on call quality: if at least one participant uses a high-quality codec (e.g., G.722 or Opus), the recording is saved at a higher bitrate — this takes more disk space but improves speech recognition quality.
Call Transfers
Parking (Hold)
Call Parking is a way to temporarily place a customer on hold while you look up information. The caller hears music while waiting.
MikoPBX supports two parking methods:
Dial *2 during a call — the call will be placed on hold and you will be told the parking slot number. Any employee can pick up the call by dialing that number.
In the settings, configure a parking number — when a call is transferred to this number, MikoPBX will place it on hold and announce the slot number. Any employee can retrieve the call.
The parking slot range and parking number can be configured in this section:
Call parking number — the number to transfer a call to in order to place it on hold, default is 800.
Parking slot range — the range of parking slot numbers, default is 801–820.
Call Transfers
MikoPBX supports two types of transfers:
Attended (Consultative) Transfer — you can speak with a colleague before transferring the call to them. The caller is on hold during this time. The transfer completes when you hang up.
Blind (Unattended) Transfer — the call is transferred immediately, without a prior conversation with the colleague. Useful when a second call comes in while you are already busy — the call can be instantly transferred to a free employee.
The key combinations for transfers can be changed in this section:
Combination for attended transfer — default is ##.
Combination for blind transfer — default is **.
Timeouts
Call return time if no answer after attended transfer — if no one answers after an attended transfer, the call returns. Set in seconds, default is 45 sec.
Maximum timeout between digits when entering an extension number (in milliseconds) — the wait time for the next digit when dialing an extension. Set in milliseconds, default is 2500 ms.
Call Pickup
If a colleague's phone is ringing, you can pick up the call without leaving your desk:
*8<ColleagueNumber> — pick up a specific employee's call.
*8 — pick up any incoming call when the colleague's number is unknown.
The pickup combination can be changed in the "Combination for intercepting incoming calls" field, default is *8.
"Call Transfers" tab in system settings
SIP
Session Initiation Protocol (SIP) is the signaling protocol used by most VoIP phones. You can change the SIP port (default 5060) to improve security.
SIP Signaling Port and RTP Range Settings
RTP (Real-time Transport Protocol) defines the standard format for transmitting audio and video over IP networks. The default port range is 10000–10800. Some routers and firewalls may require additional range configuration. Another reason to expand the range is a large number of concurrent calls: each active call uses two RTP ports, meaning 200 ports support no more than 100 simultaneous calls. If load is higher — expand the range.
SIP port for registering phones on this station — the port for phone registration on the station, default 5060. Changing the port can improve system security.
SIP TLS port (encrypted calls) — the port for encrypted calls, default 5061.
RTP port range — the port range for audio transmission, default 10000–10800.
Additional Parameters
STUN server address — helps when the PBX is behind NAT, including when using WebRTC.
Auth Username prefix for authorization — by default, the username for SIP account authorization matches the employee's internal extension (e.g., 101). When this setting is filled in, the specified prefix will be appended to the auth username: username remains 101, but AuthUsername becomes 101MIKO. This approach significantly complicates password brute-forcing for SIP accounts.
Use WebRTC — additional settings will be applied for WebRTC connections. For example, for internal extension 201, an additional endpoint will be created, accessible via WebRTC using the URL sip:201-WS@IP_PBX.
Registration Duration Settings
Some firewalls close ports after a period of inactivity — in such cases, it is advisable to reduce the registration timeout. Different SIP providers may also require different timeout values.
Default time in seconds to send Keep-alive — the interval for sending keep-alive packets in seconds, default 120 seconds.
Minimum Registration Time (SIPMiniExpiry) — default 60 seconds.
Maximum Registration Time (SIPMaxExpiry) — default 3600 seconds.
"SIP" tab in system settings
Audio/Video Codecs
This section configures the allowed audio and video codecs for the entire PBX.
"Audio/Video Codecs" section in system settings
AMI&ARI
Asterisk Manager Interface (AMI) is a powerful and convenient software interface (API) for Asterisk that allows external programs to manage the system. Through AMI, external programs can connect to Asterisk via TCP, initiate command execution, read results, and receive real-time event notifications. AMI is often used for integration with business processes and CRM (Customer Relationship Management) systems.
Asynchronous Javascript Asterisk Manager (AJAM) is a technology that allows web browsers or other HTTP-capable applications to directly access the Asterisk Manager Interface (AMI) via HTTP/HTTPS.
Asterisk REST Interface (ARI) is a RESTful API with WebSocket support that provides full control over Asterisk channels, bridges, and media streams in real time. Designed for developing custom telephony applications.
AMI Settings
Use AMI Interface — enable or disable AMI.
AMI Port — the port for connecting external programs to AMI, default 5038. A client application connects to AMI through this port and authenticates, after which Asterisk responds to requests and sends notifications about state changes in specified subsystems.
HTTP Server Settings
HTTP Port (AJAM and ARI) — the port for HTTP connections, default 8088.
HTTPS Port (AJAM and ARI) — the port for HTTPS connections, default 8089.
AJAM Settings
Use AJAM Interface — enable or disable AJAM.
ARI Settings
Use ARI Interface — enable or disable ARI. Disabled by default.
CORS allowed origins — domains from which requests to ARI are permitted. CORS is a browser security mechanism that restricts cross-domain API requests.
"AMI&ARI" tab in system settings
SSH
SSH (Secure Shell) is an encrypted protocol commonly used for interacting with and remotely managing servers. An SSH server can authenticate users using various algorithms. The most popular is password authentication. It is fairly simple but not very secure: passwords are transmitted over a secure channel, but are not complex enough to withstand brute-force attempts. The computational power of modern systems combined with specialized scripts makes brute-forcing very easy.
A more secure authentication method is SSH keys. Each pair consists of a public and private key: the private key is stored on the client, and the public key is uploaded to the server in the ~/.ssh/authorized_keys file. When connecting, the server sends a message encrypted with the public key — if the client decrypts it with the private key and returns the correct response, authentication is considered successful.
Section Parameters
SSH port — the port for SSH connections, default 22.
SSH console login — the username for connecting.
Disable password authentication — enabled by default in MikoPBX (password authentication is disabled).
SSH password — the login password (available only if password authentication is not disabled).
Authorized SSH Keys — add your public SSH key here using the "+ Add Key" button. If you have multiple keys, add each one separately.
System Public SSH Key — the public SSH key of the current PBX. It can be copied into the "Authorized SSH Keys" field on another station — this allows connecting to the remote server without additional authentication.
"SSH" tab in system settings
HTTP/HTTPS
To improve security, you can change the HTTP port (default 80) or enable HTTPS mode. HTTPS encrypts traffic between the browser and the PBX using SSL/TLS protocols. The default TCP port is 443.
HTTP port — the port for accessing the web interface via HTTP, default 80.
HTTPS port — the port for accessing the web interface via HTTPS, default 443.
Redirect to HTTPS — when the web interface is opened via HTTP, the user will be automatically redirected to HTTPS.
HTTPS Public Key (SSL/TLS Certificate)
An SSL/TLS certificate is a digital document that verifies the server's identity and ensures encrypted communication between the browser and the PBX. In MikoPBX, the certificate is used for:
HTTPS access to the web interface
WebRTC connections (required for browser-based calls)
Secure AJAM and ARI connections via HTTPS
Secured REST API for integrations
The certificate must be in PEM format — beginning with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. If you have intermediate certificates, add them after the main certificate in the same field.
Ways to obtain a certificate:
Let's Encrypt Module — automatic issuance and renewal of free certificates. Recommended method.
Purchase from a Certificate Authority (DigiCert, Comodo, GlobalSign, etc.)
Self-signed Certificate — automatically generated on first PBX startup, but causes browser warnings.
HTTPS private key
The secret key used to decrypt SSL/TLS connections. It must exactly match the public certificate — if they do not match, HTTPS will not work.
The key must be in PEM format — beginning with -----BEGIN RSA PRIVATE KEY----- or -----BEGIN PRIVATE KEY-----.
Security recommendations:
Keep a backup copy of the key in a secure location.
Use keys of at least 2048 bits in length (4096 recommended).
Regularly renew certificates and keys.
"HTTP/HTTPS" tab in system settings
WEB interface password
In this section, you can change the login and password for accessing the web interface, and configure login via Passkeys.
Login — the username for logging into the web interface.
Password — the password for logging into the web interface.
Passkeys (Biometric Authentication)
Passkeys are a modern passwordless login method using biometrics or a hardware security key: Face ID, Touch ID, Windows Hello, or YubiKey. This is faster and more secure than traditional passwords.
To add a Passkey, click the "+ Add Passkey" button and follow the browser instructions.
"WEB Interface Password" tab in system settings
System settings deletion
This section allows you to fully reset the system to its factory state. The reset will permanently delete all settings, call history, call recording files, and installed extension modules.
To confirm, type delete everything in the input field and click "Save".
"System Settings Reset" section in system settings
"General Settings" section in the MikoPBX web interface
Enabling this option may pose a security risk. Make sure your network is properly protected and filtering rules are in place!
Approximately 1 hour of conversation takes 14–28 MB of disk space depending on recording quality.
Combinations are entered from the phone during an active call, followed by the internal extension number of the employee to transfer to.
Never use * in production. Only specify trusted domains over HTTPS.
In MikoPBX, password authentication is disabled by default — SSH keys must be used to connect. A key can be added in this section or when creating a virtual machine in the cloud (it will be automatically applied during MikoPBX installation).
You can read more about connecting to MikoPBX via SSH.
We recommend using the Let's Encrypt module for automatic certificate management. Learn more.
Never share your private key with third parties. If the key is compromised, an attacker will be able to intercept encrypted traffic. In case of compromise — replace the key pair immediately.
Default MikoPBX credentials:
Login: admin
Password: admin — it is recommended to change this immediately.
You can read more about this.
This action is irreversible. Before clearing the system, make sure you have a backup of all important data.
external-media: Working with external media streams
Instructions for deploying MikoPBX in AWS via Terraform script
This guide describes deploying MikoPBX in AWS using the Infrastructure as Code (IaC) approach with Terraform. The entire infrastructure — EC2 instance, network rules, disks, and IP address — is declared in code, ensuring reproducibility, versioning, and the ability to quickly redeploy in any environment.
General process:
Download .raw → Upload to S3 → Import as AMI → Deploy via Terraform
Note: AMI image import cannot be performed directly via Terraform — AWS does not support this process through the Terraform provider. A separate bash script is used for the import, after which Terraform uses the created AMI.
Prerequisites
Terraform >= 1.3.0
AWS CLI configured with access keys (aws configure)
Bash (macOS / Linux)
IAM permissions: ec2:*, s3:*, iam:CreateRole, iam:PutRolePolicy
Configuring AWS CLI
Uploading the Image to S3
Go to the MikoPBX releases page:
Download the latest image with the .raw extension.
Go to the .
Navigate to Services → Storage → S3.
Click Create bucket. Enter a unique bucket name in the Bucket name field. Use default values for all other fields.
Confirm by clicking Create bucket.
Open the created bucket by clicking its name. Click Upload and select the disk image file with the .raw extension.
Click Upload to confirm.
Configuring the IAM Role for Import
AWS requires a special IAM role vmimport for image imports. Perform these steps once per account.
Create a file trust-policy.json with the following content:
Create a file role-policy.json with the following content:
Replace mikopbx-bucket with your S3 bucket name.
Run the following commands to apply the policies:
Importing the Image as an AMI
Save the script below as import-image.sh and edit the variables DEFAULT_BUCKET, DEFAULT_IMAGE, and DEFAULT_NAME.
import-image.sh
Run the script:
Once complete, the script will output the AMI ID — save it, as it will be needed for Terraform.
Deploying via Terraform
Create all of the following files (directory structure):
Below we walk through each file and the content to add to each:
main.tf
The main configuration file describing all AWS resources to be created: EC2 instance, Security Group, EBS disks, and Elastic IP. By default, the Security Group opens only the ports required for MikoPBX to operate: SSH, HTTP/HTTPS, SIP, and RTP.
Warning: Be sure to configure the Firewall in MikoPBX after your first login!
variables.tf
Declares variables with their types, descriptions, and default values. Does not contain specific values on its own — only the schema.
outputs.tf
Defines what data Terraform will output after a successful apply: the web interface URL, and the login and password for the first login. Convenient for quickly retrieving credentials without opening the AWS Console.
terraform.tfvars
Contains the specific variable values for your environment: region, AMI ID, instance type, etc. This is the file that changes when moving between environments (dev/staging/prod).
Note: Specify your own parameters in this file — replace aws_region, instance_name, instance_type, storage_disk_size, allowed_ssh_cidr, create_key_pair, and public_key_path as needed. Be sure to replace custom_ami_id with the ID of the AMI you created earlier.
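variables.tf gives allowed_ssh_cidr a default of 0.0.0.0/0 and gives custom_ami_id no default, so both depend entirely on what terraform.tfvars contains. The pre-apply check below is an added example, not one of the MikoPBX files; parse_tfvars, check_tfvars, the 256-address threshold and the two sample files are assumptions made for illustration.

```python
import ipaddress
import re

# Default copied from variables.tf on this page; custom_ami_id has no default.
DEFAULTS = {'allowed_ssh_cidr': '0.0.0.0/0'}
AMI_RE = re.compile(r'^ami-(?:[0-9a-f]{8}|[0-9a-f]{17})$')


def parse_tfvars(text: str) -> dict:
    """Parse flat `name = value` lines; assumes no '#' inside a value."""
    values = {}
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line or '=' not in line:
            continue
        key, raw = (part.strip() for part in line.split('=', 1))
        values[key] = raw.strip('"')
    return values


def check_tfvars(text: str, max_ssh_hosts: int = 256) -> list:
    """Return a list of findings; an empty list means the file passed."""
    cfg = {**DEFAULTS, **parse_tfvars(text)}
    findings = []
    ami = cfg.get('custom_ami_id', '')
    if not AMI_RE.match(ami):
        findings.append(f'custom_ami_id {ami!r} is not an AMI ID')
    cidr = cfg['allowed_ssh_cidr']
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        findings.append(f'allowed_ssh_cidr {cidr!r} is not a CIDR block')
    else:
        # max_ssh_hosts is an assumed policy limit (a /24), not a MikoPBX rule.
        if net.num_addresses > max_ssh_hosts:
            findings.append(
                f'allowed_ssh_cidr {net} admits {net.num_addresses} source addresses to SSH')
    return findings


# Constructed samples, not files from the MikoPBX repository.
OPEN_TFVARS = '''
aws_region    = "us-east-1"
custom_ami_id = "ami-0c8820696110d0613"
instance_type = "t3.micro"
'''
LOCKED_TFVARS = OPEN_TFVARS + 'allowed_ssh_cidr = "203.0.113.10/32"  # admin workstation\n'

if __name__ == '__main__':
    for name, text in (('open', OPEN_TFVARS), ('locked', LOCKED_TFVARS)):
        print(name, check_tfvars(text) or 'OK')
```

Run it against the real file with `check_tfvars(open('terraform.tfvars').read())` before `terraform plan`.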
Running Terraform
Make sure all 4 files are created, then run the following commands:
You will see the following output:
Run the following command to preview the configuration:
You will see the configuration that Terraform has parsed and plans to create. Review all parameters, then run:
Enter yes to confirm. Upon successful creation of the MikoPBX instance, the required credentials will be displayed:
Connecting to MikoPBX
After a successful terraform apply:
Copy the URL from the output values.
Open it in your browser: https://<URL>
Use the credentials displayed during infrastructure creation to log in.
⚠️ After logging in, be sure to configure the Firewall in MikoPBX.
Destroying Resources
⚠️ The AMI and the S3 bucket containing the image are not deleted automatically — they must be removed manually via the AWS Console or CLI if no longer needed.
Common Errors
Error: InvalidAMIID.NotFound
Cause: The AMI exists in a different region.
Solution: Make sure the region in terraform.tfvars matches the region where the import script was run.
Error: OptInRequired during import
Cause: The vmimport role has not been created or lacks the required permissions.
Solution: Repeat the IAM role configuration step.
Error: import status error
Cause: Corrupted .raw file or incorrect format.
Solution: Verify that the original image was downloaded correctly and that the filename in DEFAULT_IMAGE is accurate.
Slow snapshot import
Importing a large image can take 10–30 minutes. The script automatically waits for completion, polling the status every 30 seconds.
==========================================
AMI successfully created: ami-0c8820696110d0613
Use this ID in terraform.tfvars:
custom_ami_id = "ami-0c8820696110d0613"
==========================================
variable "aws_region" {
  description = "AWS region"
  type = string
  default = "us-east-1"
}

variable "custom_ami_id" {
  description = "ID of the custom AMI created by import-image.sh"
  type = string
  # Value must be provided via terraform.tfvars
}

variable "instance_name" {
  description = "EC2 instance name"
  type = string
  default = "mikopbx-vm"
}

variable "instance_type" {
  description = "EC2 instance type"
  type = string
  default = "t3.micro"
}

variable "storage_disk_size" {
  description = "Size of the recordings disk (GB)"
  type = number
  default = 50
}

variable "allowed_ssh_cidr" {
  description = "CIDR block for SSH access"
  type = string
  default = "0.0.0.0/0"
}

variable "create_key_pair" {
  description = "Create an SSH Key Pair (true) or use an existing one (false)"
  type = bool
  default = true
}

variable "public_key_path" {
  description = "Path to the public SSH key"
  type = string
  default = "~/.ssh/id_rsa.pub"
}

variable "existing_key_pair_name" {
  description = "Name of an existing Key Pair (if create_key_pair = false)"
  type = string
  default = ""
}

output "first_login" {
  description = "Credentials for the first login to the MikoPBX web interface"
  value = <<-EOT
    ======================================
    MikoPBX is ready!
    ======================================
    URL: https://${aws_eip.mikopbx_eip.public_ip}
    Login: admin
    Password: ${aws_instance.mikopbx.id}
    ======================================
  EOT
}

cd mikopbx-aws-custom # Navigate to the directory with the created files
terraform init
Terraform has been successfully initialized!
You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.
If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
# Delete the AMI
aws ec2 deregister-image --image-id ami-0a1b2c3d4e5f67890
# Delete the snapshot (ID can be found in AWS Console → EC2 → Snapshots)
aws ec2 delete-snapshot --snapshot-id snap-xxxxxxxxxxxxxxxxx
# Delete the file from S3
aws s3 rm s3://mikopbx-bucket/mikopbx-2026.1.223-x86_64.raw
# Delete the bucket (if empty)
aws s3 rb s3://mikopbx-bucket
Error: InvalidAMIID.NotFound: The image id 'ami-xxxx' does not exist
MikoPBX Web-Interface (Deployed using terraform in AWS)
REST API Usage Examples
Instructions with examples on creating and using API keys
Working with the REST API follows the OpenAPI standard. To get the current list of endpoints, use the "Documentation" section inside the PBX. Below are examples of working with the main features of the MikoPBX REST interface.
If you do not have a trusted certificate — add verify=False to each request and disable warnings:
It is strongly recommended to issue a trusted certificate. The easiest way to do this is by using the Let's Encrypt module.
Connection
To run all examples in this guide, create an API key and configure the following access permissions (see the general article for details):
Resource
Access Level
Used for
In this article we will be working with Python, so you need to install the required dependencies:
Below is a connection template for accessing the station via an API key. Use it before all scripts in this guide. The API key is passed directly in the request header — no additional authentication is required:
Working with Employees
Endpoint: POST /pbxcore/api/v3/employees
The table below lists the parameters for this request.
Field
Req.
Type / constraints
Description
Creating a Single Employee
Example API response (HTTP 201):
Possible response codes:
Code
Description
On successful execution, you will see the following console output:
Employees 283 and 284 will be created on the station.
Listing Employees
On successful execution, you will see the following console output:
Group Employee Creation
On successful execution, you will see the following console output:
3 employees will be created on the station.
Working with SIP Providers
Endpoint: POST /pbxcore/api/v3/sip-providers
Field
Req.
Type
Description
Creating a Provider
On successful execution, you will see the following console output:
A provider will be created on the station:
Listing All Providers
On successful execution, you will see the following console output:
Retrieving Call History (CDR)
Endpoint: GET /pbxcore/api/v3/cdr (read-only).
Parameter
Type
Description
On successful execution, you will see the following console output:
Statistics for a Period
On successful execution, you will see the following console output:
CDR Record Fields
Field
Type
Description
Monitoring: SIP Statuses and Active Calls
Employee and SIP Provider Registration Statuses
Endpoints: GET /pbxcore/api/v3/sip, GET /pbxcore/api/v3/sip-providers
On successful execution, you will see the following console output:
Employee statuses (status field)
Value
Description
Provider statuses (state field)
Value
Description
Active Calls in Real Time
Endpoint: GET /pbxcore/api/v3/pbx-status
On successful execution, you will see the following console output:
The full list of endpoints and interactive documentation is available in the section.
Created: 283 (John Smith), id=113
Created: 284 (Anna Johnson), id=114
Process finished with exit code 0
# Returns one page of employees; BASE_URL and HEADERS come from the connection template.
def list_employees(search: str = '', limit: int = 100, offset: int = 0) -> list:
    params = {'limit': limit, 'offset': offset}
    if search: params['search'] = search
    r = requests.get(f'{BASE_URL}/employees', headers=HEADERS, params=params)
    return r.json().get('data', {}).get('data', [])

for emp in list_employees():
    print(f" {emp.get('number'):>6} {emp.get('user_username', '')}")

202 Brown Brandon
203 Collins Melanie
201 Smith James
283 John Smith
284 Anna Johnson
Process finished with exit code 0
import time

# Employees to create: extension number, display name, SIP password
employees = [
    {'number': '291', 'name': 'John Smith', 'secret': 'Pass#9201'},
    {'number': '292', 'name': 'Anna Johnson', 'secret': 'Pass#9202'},
    {'number': '293', 'name': 'Peter Brown', 'secret': 'Pass#9203'},
]

created, failed = [], []
for emp in employees:
    r = requests.post(
        f'{BASE_URL}/employees',
        headers=HEADERS,
        json={
            'number': emp['number'],
            'user_username': emp['name'],
            'sip_secret': emp['secret'],
        }
    )
    result = r.json()
    if result.get('result'):
        created.append(emp['number'])
        print(f" {emp['number']} {emp['name']}")
    else:
        failed.append(emp['number'])
        print(f" {emp['number']}: {result.get('messages', {}).get('error', [])}")
    time.sleep(0.2)  # small pause between requests

print(f'Created: {len(created)}, Errors: {len(failed)}')

291 John Smith
292 Anna Johnson
293 Peter Brown
Created: 3, Errors: 0
Process finished with exit code 0
# Creates a SIP provider; optional fields are sent only when they are set.
def create_sip_provider(
    description: str,
    host: str,
    username: str = '',
    password: str = '',
    registration_type: str = 'outbound',
    qualify: bool = True,
) -> dict:
    payload = {
        'description': description,
        'host': host,
    }
    if username: payload['username'] = username
    if password: payload['secret'] = password
    if registration_type: payload['registration_type'] = registration_type
    if not qualify: payload['qualify'] = qualify  # sent only when disabling qualify
    r = requests.post(f'{BASE_URL}/sip-providers', headers=HEADERS, json=payload)
    result = r.json()
    if result.get('result'):
        print(f" Provider created: {description}")
    else:
        print(f" Error: {result.get('messages', {}).get('error', [])}")
    return result

create_sip_provider(
    description='Zadarma',
    host='sip.zadarma.com',
    username='316811',
    password='mysecretpass',
)

Provider created: Zadarma
Process finished with exit code 0
# Returns all SIP providers configured on the station.
def list_providers() -> list:
    r = requests.get(f'{BASE_URL}/sip-providers', headers=HEADERS)
    return r.json().get('data', [])

for prov in list_providers():
    print(f" {prov.get('id'):<20} {prov.get('description', '')} [{prov.get('type', '')}]")

SIP-TRUNK-34F7CAFE [SIP]
SIP-TRUNK-7B5977ED [SIP]
Process finished with exit code 0
from datetime import datetime, timedelta

# Returns one page of CDR records matching the given filters.
def get_cdr(
    offset: int = 0,
    limit: int = 20,
    date_from: str = None,
    date_to: str = None,
    src_num: str = None,
    dst_num: str = None,
    disposition: str = None,
) -> list:
    params = {'offset': offset, 'limit': min(limit, 100)}  # at most 100 records per request
    if date_from: params['dateFrom'] = date_from
    if date_to: params['dateTo'] = date_to
    if src_num: params['src_num'] = src_num
    if dst_num: params['dst_num'] = dst_num
    if disposition: params['disposition'] = disposition
    r = requests.get(f'{BASE_URL}/cdr', headers=HEADERS, params=params)
    return r.json().get('data', {}).get('records', [])

# Calls for the last 7 days
now = datetime.now()
then = now - timedelta(days=7)
for row in get_cdr(
    date_from=then.strftime('%Y-%m-%dT%H:%M:%S'),
    date_to=now.strftime('%Y-%m-%dT%H:%M:%S'),
):
    print(
        str(row.get('start', ''))[:16],
        row.get('src_num', ''), '→', row.get('dst_num', ''),
        row.get('disposition', ''), row.get('totalBillsec', 0), 's'
    )

2026-03-17 13:30 252 → 202 ANSWERED 48 s
2026-03-17 13:30 243 → 252 BUSY 0 s
2026-03-17 13:30 243 → 89161111111 CHANUNAVAIL 0 s
2026-03-17 13:29 202 → 243 NOANSWER 0 s
2026-03-17 13:29 202 → 202 ANSWERED 2 s
2026-03-17 13:29 202 → 243 NOANSWER 0 s
2026-03-17 13:29 202 → 10003246 NOANSWER 0 s
2026-03-17 13:28 202 → 243 NOANSWER 0 s
Process finished with exit code 0
# Call statistics for the last `days` days.
# Only the first page (up to 100 records) of the period is counted.
def cdr_stats(days: int = 1) -> dict:
    now = datetime.now()
    then = now - timedelta(days=days)
    records = get_cdr(
        date_from=then.strftime('%Y-%m-%dT%H:%M:%S'),
        date_to=now.strftime('%Y-%m-%dT%H:%M:%S'),
        limit=100
    )
    answered = [r for r in records if r.get('disposition') == 'ANSWERED']
    missed = [r for r in records if r.get('disposition') in ('NO ANSWER', 'NOANSWER')]
    total_dur = sum(r.get('totalBillsec', 0) for r in answered)
    return {
        'total': len(records),
        'answered': len(answered),
        'missed': len(missed),
        'avg_sec': total_dur // len(answered) if answered else 0,
    }

stats = cdr_stats(days=7)
print(f"Calls over 7 days: {stats['total']}")
print(f"Answered: {stats['answered']}")
print(f"Missed: {stats['missed']}")
print(f"Avg. duration: {stats['avg_sec']}s")

Calls over 7 days: 13
Answered: 2
Missed: 5
Avg. duration: 25s
Process finished with exit code 0
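cdr_stats() asks get_cdr() for limit=100, and get_cdr() caps every request at 100 records, so on a busy PBX the period totals cover only the first page. The code below is an added example, not MikoPBX code: it walks the offset parameter until a short page comes back, and iter_cdr, cdr_stats_all, fake_get_cdr and the sample rows are names and data constructed for this illustration.

```python
from collections import Counter
from typing import Callable, Iterator

PAGE_SIZE = 100  # get_cdr() on this page caps limit at 100 rows per request


def iter_cdr(fetch_page: Callable[..., list], max_records: int = 50_000,
             **filters) -> Iterator[dict]:
    """Yield every CDR row matching the filters, one page at a time.

    fetch_page takes get_cdr()'s keywords (offset, limit, date_from, ...).
    max_records bounds the loop in case the server ignores offset.
    """
    offset = 0
    while offset < max_records:
        page = fetch_page(offset=offset, limit=PAGE_SIZE, **filters)
        yield from page
        if len(page) < PAGE_SIZE:  # short or empty page: no more rows
            return
        offset += PAGE_SIZE
    raise RuntimeError(f'over {max_records} CDR rows; narrow the date range')


def cdr_stats_all(fetch_page: Callable[..., list], **filters) -> dict:
    """Same figures as cdr_stats(), computed over all pages."""
    counts, billsec = Counter(), 0
    for row in iter_cdr(fetch_page, **filters):
        # The page's code accepts both spellings: 'NO ANSWER' and 'NOANSWER'.
        disp = str(row.get('disposition', '')).replace(' ', '').upper()
        counts[disp] += 1
        if disp == 'ANSWERED':
            billsec += int(row.get('totalBillsec') or 0)
    answered = counts['ANSWERED']
    return {
        'total': sum(counts.values()),
        'answered': answered,
        'missed': counts['NOANSWER'],
        'avg_sec': billsec // answered if answered else 0,
        'by_disposition': dict(counts),
    }


# Constructed sample: 250 rows behind a stand-in for get_cdr().
SAMPLE_ROWS = ([{'disposition': 'ANSWERED', 'totalBillsec': 30}] * 120
               + [{'disposition': 'NOANSWER', 'totalBillsec': 0}] * 90
               + [{'disposition': 'NO ANSWER', 'totalBillsec': 0}] * 10
               + [{'disposition': 'BUSY', 'totalBillsec': 0}] * 30)


def fake_get_cdr(offset=0, limit=20, **_filters):
    return SAMPLE_ROWS[offset:offset + min(limit, 100)]


if __name__ == '__main__':
    print(cdr_stats_all(fake_get_cdr, date_from='2026-03-10T00:00:00'))
```

Against a live station, pass the page's own function: `cdr_stats_all(get_cdr, date_from=..., date_to=...)`.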
from datetime import datetime

# Prints the registration status of every employee extension.
def show_employees():
    r = requests.get(f'{BASE_URL}/sip:getStatuses', headers=HEADERS)
    peers = r.json().get('data', {})
    for number, info in peers.items():
        icon = '🟢' if info.get('status') == 'Available' else '🔴'
        print(f" {icon} {number:>6} {info.get('callerid', '')} [{info.get('status', '')}]")

# Prints the registration state of every SIP provider.
def show_providers():
    r = requests.get(f'{BASE_URL}/sip-providers:getStatuses', headers=HEADERS)
    providers = r.json().get('data', {}).get('sip', {})
    for prov_id, info in providers.items():
        icon = '🟢' if info.get('state') == 'registered' else '🔴'
        print(f" {icon} {info.get('description', prov_id):>20} {info.get('username', '')}@{info.get('host', '')} [{info.get('state', '')}]")

if __name__ == '__main__':
    print(f'MikoPBX Monitor [{datetime.now().strftime("%Y-%m-%d %H:%M:%S")}]')
    print('\n── Employees ───────────────────────────────')
    show_employees()
    print('\n── Providers ───────────────────────────────')
    show_providers()

MikoPBX Monitor [2026-03-17 16:47:35]
── Employees ───────────────────────────────
🔴 201 Smith James [Unavailable]
🟢 202 Brown Brandon [Available]
🔴 203 Collins Melanie [Unavailable]
🔴 243 John Smith [Unavailable]
🟢 244 Anna Johnson [Available]
🔴 251 John Smith [Unavailable]
🟢 252 Anna Johnson [Available]
🔴 253 Peter Brown [Unavailable]
── Providers ───────────────────────────────
🔴 Demo provider [email protected] [rejected]
🟢 Zadarma [email protected] [registered]
Process finished with exit code 0
Active calls: 1
243 → 252 [John Smith → Anna Johnson]
Process finished with exit code 0
import urllib3
urllib3.disable_warnings()
Interactive Documentation and Endpoint List
Description of documentation and endpoint table for working with REST API in MikoPBX
MikoPBX REST API follows the OpenAPI standard. The interactive documentation is built directly into the PBX and always contains the current list of endpoints, parameters, and schemas for your version of the system.
How to Open the Documentation
Go to "System" → "API Keys".
Click the "API Documentation" button.
Interactive Documentation Features
The documentation is built on the OpenAPI standard and provides a complete description of all MikoPBX REST API endpoints.
Endpoint navigation — in the left panel, all endpoints are grouped by section.
For each endpoint, a brief description is shown along with the request method (GET, POST, PUT, PATCH, DELETE) and the endpoint with the PBX address substituted. All available request parameters are displayed below.
Code examples — ready-made request examples in different languages are available for each endpoint. The switcher is located below the parameters panel — Shell / cURL is shown by default, other languages are also available (click the language name to switch — in this guide, Python 3).
A server response example is shown below.
Online request execution — the documentation allows you to send real requests directly from the browser and receive responses from your PBX. The server is determined automatically from the current page address.
At the bottom of the page you will find possible response codes with brief explanations, as well as all body parameters for the selected response.
Endpoint List
Base prefix for all paths: /pbxcore/api/v3
Telephony and Routing
Employees
Method
Path
Description
Extensions
SIP Providers
IAX Providers
Providers (combined SIP + IAX list)
Call Queues
IVR Menu
Incoming Routing
Outbound Routing
Off-Work Time
Conference Rooms
Dialplan Applications
Sound Files
System File Customization
Monitoring and Statistics
PBX Status
SIP Devices
SIP Providers (Monitoring)
IAX Providers (Monitoring)
Providers (Monitoring)
Call Records (CDR)
Advice and Recommendations
Authentication and Access
Authentication
API Keys
AMI Users
ARI Users
Passkeys
Passwords
Users
Network Filters
System Settings
System Operations
General Settings
Network Interfaces and Routing
Firewall
Intrusion Prevention (Fail2Ban)
Time Settings
Mail Settings
Storage
S3 Cloud Storage
Modules
Licensing
File Operations
Diagnostics
System Information
System Logs
OpenAPI Documentation
Search
Documentation Links
User Activity Tracking
Technical endpoints
— exports ban decisions for external bouncers (CrowdSec-compatible). Available starting from MikoPBX 2026.1.76.