FreePBX - TLS as primary transport

Are any of you using TLS PRIMARILY on FreePBX/Asterisk in general? I am just using UDP for my clients. None are government agencies, so I’m not really super concerned about it, but it has come to mind that it could be MITM’d (I think?).

One thing keeping me from going this route is that I couldn’t use sngrep to diagnose issues as easily.

Thoughts?

I’m assuming your PBX is cloud hosted… it’s not encrypted traffic so in a compromised circumstance it could be intercepted and possibly exploited.

You are also right, you definitely lose troubleshooting ability going TLS/SRTP. One option would be to have the traffic route to an SBC encrypted, and then decrypted from the SBC to the PBX.

I am currently working on this with mixed success.

It may be worth looking at dSIPRouter, LibreSBC, or OpenSIPS and seeing if any of those options look like appealing endeavors.

I’m using Kamailio as a headend… no TLS set up on it though and only really using it for outbound.

Is there documentation for TLS with dSIPRouter? I use it for roaming clients but most are just NAT through a virtual router.

I host my own stuff in a colo with Proxmox as a hypervisor.

So don’t quote me, but I believe DSIP is set up to use TLS out the gate… Basically all those options are running Kamailio under the hood, which you probably knew. If you go to https://dsiprouter.org/ they have a demo site to check it out before using. Then search YouTube for Kamailio and FreePBX. It seems pretty straightforward. I just spun up a VM myself to try it as well. Would love to stay in touch if either of us has progress/issues. 😄


@fredposner is a Kamailio expert and his whole business is consulting on it.

I also believe @AMI does a lot of consulting with it also.


Thanks Tony. I have seen Fred’s videos on YouTube and have contacts that have consulted with him on Kamailio configs too!

Taylor - I hope to dig into this further this coming week. I was not aware that DSIP could work with TLS out of the box. Hopefully this can be something awesome and easy for me to work on w/ my clients! Thanks for the input.


@Eris keep me posted, if you would like! 🙂


Thanks for the kind words!

On something like this, it depends on the scale (imo). This said, normally what I like to do is use Kamailio as a TLS/SRTP bridge.

Basically, keep the PBX completely private, and have Kamailio bridge the public side to TLS and SRTP. Then to the PBX it uses UDP and RTP.
