Open Source SBC Options: What’s Actually Available and When It’s the Right Call

Open toolbox representing an open source SBC stack requiring assembly, next to a sealed ProSBC product box representing a complete commercial session border controller solution

The phrase “open source SBC” suggests a single project you can download, install, and put at the edge of your voice network the way you would deploy a commercial Session Border Controller. That product does not exist. What does exist is a set of open source SIP signaling engines, media engines, and supporting tools that, properly assembled and hardened, can perform the same job. The license cost of that stack is zero. The engineering and operational cost is not.

This page maps the realistic open source options, describes what each one actually does, lays out what you have to build yourself to reach feature parity with a commercial SBC, and helps you decide whether building, buying, or taking a hybrid path is the right call for your team.

Key Terms and Concepts

A quick-reference glossary for terms used throughout this article.

Session Border Controller (SBC)A device or software instance at the border between two SIP networks. It manages signaling and media on both sides independently, handling encryption, normalization, routing, and security. Commercial SBCs package these capabilities into a single product. Open source equivalents require the operator to assemble them from multiple projects.

B2BUA (Back-to-Back User Agent)An SBC architecture where the device fully terminates the incoming SIP dialog and re-originates a new, independent one on the other side. This gives the operator complete control over every header and media parameter on both legs. Some open source SIP projects are proxies, not B2BUAs, which limits how much they can normalize or rewrite.

SIP ProxyA SIP element that forwards requests between endpoints without terminating sessions. Proxies are faster than B2BUAs at high signaling volumes but cannot rewrite SIP headers freely, terminate TLS on one leg and not the other, or perform per-leg media anchoring.

Media EngineThe component responsible for handling RTP, SRTP, codec negotiation, transcoding, and media anchoring. In an open source SBC stack, the media engine is a separate project from the SIP signaling engine. RTPengine, rtpproxy, FreeSWITCH, and Asterisk are the most common choices.

OpenSIPSAn open source SIP server written in C, descended from the original OpenSER project. Performs SIP routing, registration, NAT traversal, and load balancing at very high signaling rates. Not a media engine. Uses scripted configuration in its own language to define call handling behavior.

KamailioAn open source SIP server, also descended from OpenSER, focused on SIP routing, registration, and signaling. Architecturally similar to OpenSIPS with a different feature emphasis and module ecosystem. Like OpenSIPS, it relies on a separate media engine for RTP handling.

drachtioAn open source SIP server controlled programmatically from Node.js. Provides a programmable SIP application layer rather than a configuration-driven one. Often paired with RTPengine or FreeSWITCH for media.

RTPengineAn open source media proxy that handles RTP, SRTP, ICE, and transcoding. Designed to sit alongside a SIP proxy such as Kamailio or OpenSIPS. Provides the media-handling functions a SIP proxy cannot perform on its own.

FreeSWITCHAn open source telephony platform with a multi-threaded media engine. Functions natively as a B2BUA and handles SIP, RTP, SRTP, transcoding, and WebRTC. Can be configured as an SBC but was designed primarily as a media server and conferencing platform.

AsteriskThe most widely deployed open source telephony platform, originally a PBX. Operates as a B2BUA and handles both signaling and media. Can act as an SBC, with feature gaps in areas such as carrier-scale routing and DoS protection that must be addressed externally.

STI-ASThe external service that signs STIR/SHAKEN PASSporT tokens. Open source SBC operators integrate with commercial STI-AS providers (TransNexus, Iconectiv, Neustar).

Why There Is No Single Open Source SBC

A commercial SBC is a packaged product. SIP signaling, media handling, security, routing, fraud detection, STIR/SHAKEN integration, monitoring, and high availability are designed and tested together, shipped as a single artifact, and supported by one vendor.

Open source telecom evolved differently. The signaling layer and the media layer grew up as separate projects, written in different languages, with different release cadences, communities, and design philosophies. OpenSIPS and Kamailio are direct descendants of the original SIP Express Router, optimized for SIP processing at high rates. RTPengine and rtpproxy were built as companion media handlers because the SIP servers do not touch RTP at all. FreeSWITCH and Asterisk were designed as media-handling telephony platforms, not as edge SBCs, although both can be configured into the SBC role.

An “open source SBC” is therefore a stack the operator assembles. The license cost of every component is zero. The integration work, the operational hardening, the upgrades across multiple projects, the security cadence, the STIR/SHAKEN signing integration, and the production support are all engineering work the operator owns.

The Realistic Open Source SBC Options

The six projects below are what teams actually reach for when they want to run an SBC on open source software. They fall into two groups: SIP signaling engines that need a separate media engine, and media-capable platforms that can run B2BUA-style SBC duty on their own.

OpenSIPS

OpenSIPS is a SIP proxy and routing engine optimized for carrier-scale signaling. It handles registration, routing, load balancing, NAT traversal, and basic security policy at high transaction rates. The configuration model uses its own scripting language, which is powerful but unfamiliar to teams without prior OpenSIPS experience.

OpenSIPS does not handle RTP. To anchor media, transcode codecs, or terminate SRTP, you pair it with RTPengine or rtpproxy on the same or adjacent hosts. End-of-life replacement of OpenSIPS deployments is a recurring driver for commercial SBC evaluations because the operational complexity compounds as the deployment grows.

Kamailio

Kamailio shares OpenSIPS’ lineage and architecture. It is a SIP server, not a B2BUA, with a different module ecosystem and a slightly different configuration style. Kamailio is widely used as the SIP front-end in large carrier and CPaaS deployments, often in active/standby pairs with floating IPs for redundancy.

Like OpenSIPS, Kamailio relies on a companion media engine for RTP. Teams operating Kamailio at scale typically write their own configuration libraries, deploy fail2ban or custom rate limiters for DoS protection, and integrate external systems for STIR/SHAKEN signing and fraud scoring. The signaling layer is strong; everything around it is the operator’s responsibility.

drachtio

drachtio offers a programmable SIP server controlled from Node.js applications. Instead of editing a configuration file in a dedicated scripting language, the operator writes a JavaScript or TypeScript application that receives SIP events and decides what to do with them. drachtio is paired with RTPengine or FreeSWITCH for media.

drachtio fits teams that already run a Node.js stack and want the SIP layer to feel like an application they own. It does not provide carrier-grade security tooling, monitoring, or DoS protection by default. Those layers are still the operator’s to build.

RTPengine

RTPengine is the most common media-handling companion for Kamailio and OpenSIPS. It runs as a separate daemon that the SIP server signals to, instructing it to relay or transcode media for each call. RTPengine handles SRTP, ICE, basic transcoding, and packet capture. It is a media component, not a complete SBC.

FreeSWITCH as an SBC

FreeSWITCH is a media-first telephony platform that operates as a B2BUA. It handles SIP, RTP, SRTP, WebRTC, and codec transcoding natively, which makes it a closer single-project match for the SBC role than OpenSIPS or Kamailio. Service providers in Latin America and elsewhere have deployed FreeSWITCH at the edge for carrier-scale traffic.

The trade-off is that FreeSWITCH was designed as a media server and conferencing platform. Using it as a public-internet-facing SBC means hardening the configuration against SIP flood attacks, building rate-limiting and registration-scanning protection yourself, integrating an external STIR/SHAKEN signing service, and writing the monitoring layer your operations team needs. If you have already chosen FreeSWITCH for your platform stack, repurposing it as the SBC is reasonable. If you have not, starting from FreeSWITCH because of its license cost is a bigger commitment than the download page implies.

Asterisk as an SBC

Asterisk is the most widely deployed open source telephony platform in the world. It functions as a B2BUA and handles both signaling and media. Asterisk-based SBC configurations exist, often built around the chan_pjsip channel driver, and the FreePBX ecosystem has packaged some of this functionality.

For low-volume, single-tenant deployments where Asterisk is already in the stack, treating Asterisk as the SBC keeps the architecture simple. At carrier scale, in multi-tenant environments, or where DoS protection and per-tenant routing isolation matter, Asterisk requires significant external work to reach the operational profile a commercial SBC ships with.

What You Build vs What You Get

Capability	Open source stack	Commercial SBC (e.g., ProSBC)
SIP signaling	Included	Included
B2BUA architecture	FreeSWITCH/Asterisk yes; Kamailio/OpenSIPS no	Full B2BUA
Media anchoring, SRTP, transcoding	Separate component or native to FS/Asterisk	Native
SIP header manipulation engine	Scripted in config language	Per-NAP rules engine
DoS/DDoS protection	Operator builds	Native
SIP registration scanning protection	Operator builds	Native
Dynamic blacklisting, ACLs, greylisting	Modules + custom work	Native
STIR/SHAKEN signing integration	Operator integrates external STI-AS	Pre-built TransNexus / Neustar modules
1+1 high availability	VRRP/keepalived + custom state replication	Productized in ProSBC+
Programmable routing API	Native (config scripting)	Ruby routing engine
Monitoring, MOS, CDRs, packet capture	Requires external tool integration	Native plus MaaS option
Vendor support and SLAs	Community or paid commercial-OSS support	9×5 or 24×7 support contracts
License cost	Zero	Starting from $1.25/session/server/year

The areas where the open source column is empty or partial are not gaps in the projects. They are scope decisions: OpenSIPS, Kamailio, drachtio, RTPengine, FreeSWITCH, and Asterisk were not built to be drop-in commercial SBCs. Reaching a production SBC posture means building, integrating, and operating the layers above.

When Open Source SBC Is the Right Answer

Open source genuinely is the right call in a meaningful number of situations.

You have a strong in-house SIP engineering team with multi-year experience operating OpenSIPS, Kamailio, FreeSWITCH, or Asterisk in production. The team has a documented configuration repository, a known-good upgrade path, and at least two engineers who can be paged at 2 a.m. without panic.

Your traffic profile is well-defined and stable, with predictable peaks and a known SIP peer set. The customization advantages of open source pay off when the deployment is stable enough to make custom work last.

You need to do something a commercial SBC will not let you do, such as a non-standard protocol bridge, a custom signaling experiment, or an integration that no vendor has built or will build.

Your compliance posture lets you self-support because you are not bound to a carrier SLA, a regulatory uptime requirement, or an enterprise procurement process that demands a vendor on the contract.

When the License-Free Math Stops Working

Fully loaded engineering cost

A network or voice engineer with SBC-level experience runs $60,000 to $100,000 per year fully loaded in the North American market. Even at 20 percent of one engineer’s time on SBC work, that is $12,000 to $20,000 per year in staff cost alone. A 500-session ProSBC deployment starts from $625 per year.

Security cadence

An internet-facing SBC sees SIP scanning, registration flood attacks, malformed-packet probes, and DDoS attempts continuously. A commercial SBC ships with these mitigations built in and patched on a vendor cadence.

STIR/SHAKEN compliance

Configuring the open source signaling engine to query an external STI-AS for A-level attestation, handle signing failures, manage P-Identity-Bypass fallback, and survive a signing service outage without dropping calls is original engineering work.

Upgrade discipline

A multi-project open source stack drifts. OpenSIPS releases on its own schedule, RTPengine on another, Linux kernel and TLS libraries on a third. Coordinating upgrades, regression-testing the integration, and rolling back cleanly when something breaks is a real engineering job.

The on-call reality

Voice is real-time. A two-person rotation is the minimum sustainable on-call structure for SBC infrastructure, and three is realistic if you want to avoid burnout.

Hybrid Paths: Programmability Without the Stack

Many teams that look at open source are not in love with the operational burden. They are looking for programmability.

ProSBC’s routing engine is configured in Ruby, with a documented filter chain (before_filter, after_filter, after_remap_filter) and pre-built modules for STIR/SHAKEN signing with TransNexus ClearIP and Neustar, fraud scoring with SecureLogix and YouMail, and external HTTP-based REST API routing integrations. The team writes scripts. The vendor maintains the SBC core, the security stack, and the upgrade discipline.

For teams whose reason for considering open source was control, this hybrid path is often the practical middle ground.

Frequently Asked Questions

Is there a single open source project that ships as a complete SBC?

No. The commonly cited candidates split into SIP signaling engines (OpenSIPS, Kamailio, drachtio) and media-handling platforms (RTPengine, FreeSWITCH, Asterisk). FreeSWITCH and Asterisk come closest to a single-project SBC, but neither was designed as an edge SBC and both require external work for production security, multi-tenancy, and STIR/SHAKEN.

Can I use the ProSBC Lab free license to test an SBC before committing to anything?

Yes. ProSBC Lab is a permanently free, 3-session ProSBC license intended for evaluation and lab work. Many teams use it to compare against an open source stack they already operate.

Does running open source SBC software fail FCC STIR/SHAKEN compliance?

No. What matters is whether the operator has registered with the FCC, obtained an SPC token and STI certificate, integrated with an STI-AS, and is signing calls correctly. Open source operators can do all of that; they are responsible for building and maintaining the integration.

How do open source SBCs handle 1+1 high availability?

Most open source deployments use VRRP or keepalived for floating IPs between an active and standby pair. Session state replication is where the gap with a commercial SBC tends to show up. ProSBC HA provides active/standby redundancy for maximum uptime and minimal downtime.

What’s the practical cost difference once engineering time is included?

A 500-session ProSBC self-hosted deployment starts at $625 per year. An open source equivalent has a zero license cost but typically consumes 10 to 20 percent of a senior engineer’s time. At a $60,000 to $100,000 fully loaded engineer cost, that is $6,000 to $20,000 per year in staff time.

Can a commercial SBC be programmed like an open source SIP engine?

A meaningful subset, yes. ProSBC exposes a Ruby routing engine with a documented filter chain and pre-built modules for STIR/SHAKEN, fraud scoring, and external HTTP routing.

Conclusion

“Open source SBC” is a stack the operator assembles, not a product they download. OpenSIPS, Kamailio, and drachtio handle SIP signaling; RTPengine handles media for those signaling engines; FreeSWITCH and Asterisk can run as B2BUAs that do both. None of them was designed to be a drop-in commercial SBC.

For a team with a strong SIP engineering bench, stable traffic, and a low compliance burden, open source is a defensible choice and sometimes the right one. For a team that wanted open source for programmability, a commercial SBC with a real routing API often delivers the same control without the operational tax. For everyone else, the math on engineering time usually points toward a commercial SBC with a starting price that is small relative to the salaries of the people who would otherwise build and maintain the stack.

Get the Programmability Without the Stack

ProSBC is a carrier-grade, software-based Session Border Controller designed for the operators who were looking at open source because they wanted control. It ships as a full B2BUA with SIP signaling, media anchoring, SRTP, DoS/DDoS protection, dynamic blacklisting, and SIP registration scanning protection built in, so the security and operational layers are not yours to assemble.

The routing engine is configured in Ruby with a documented filter chain and pre-built modules for STIR/SHAKEN with TransNexus ClearIP and Neustar, fraud scoring with SecureLogix and YouMail, and external HTTP routing integrations for billing, CRM, and LNP. Teams that wanted scripting freedom keep it. Teams that wanted zero license cost trade it for $1.25 per session per server per year starting price, which is consistently smaller than the engineering hours an open source stack consumes.

ProSBC supports Microsoft Teams Direct Routing, runs on AWS, Azure, VMware, KVM, Proxmox, and baremetal, and is available as a self-hosted license, a fully managed service, or a permanent free 3-session lab license for evaluation alongside whatever you are running today.

Prefer to evaluate on your own first? Start your 30-day free trial.