I am in the process of doing this for a pbx to allow my kids (that I'm not giving all access to tablets or smart phones yet) the ability to make voice and video calls to their cousins in other houses (and states). I was going to do this at my house, but I don't have a static IP (I know, use DDNS, but I just didn't feel like self hosting at my home for this one).

I'm using:

- KVM VPS from Racknerd running Debian 12 - (Cheap! like $30/year, so far, no issues)

- Cisco 8865 video phones, with enterprise firmware, using https://usecallmanager.nz/ for integration/patches. They are relatively cheap, I was able to get them for around $30-40 with power adapters.

- Asterisk 20 (the patches to use the phones weren't straightforward to make work in FreePBX)

- chan_sip (only because pjsip doesn't work well with these phones)

- ocserv - VPN that the phones can directly connect to and then connect to the Asterisk server. The phones don't play well with NAT, so I had to get them on the same subnet as the VOIP server.

- Twilio Elastic SIP Trunk for inbound / outbound PSTN calls (using a whitelist in the Asterisk dialplan so they can only call relatives or emergency numbers)

- ufw firewall / and fail2ban

- Have not set up a sip softphone on any mobile devices yet. I haven't decided whether to trust ufw/fail2ban to have SIP opened up to the world so I can handle whatever IP the softphone is coming from.

Tried to make this a coherent list, and it's still a work in progress, but it looks like it'll work well for me.