- Feb 21, 2021 Jitsi Meet is a free and open-source video conferencing service solution packed with various premium features, such as superior sound quality, high-grade encryption and privacy, and universal multi-platform availability.
- May 03, 2020 Having set up various WordPress sites, created a Hugo static site, created a Swift static site, created a Jitsi server, and created a Nextcloud server, and all the while reduced my server cost by going to Linode and most importantly, got those SSL locks on my domain addresses, I am now at the end of this adventure.
After successfully experimenting with a Linode Nanode for a Jitsi server I needed a new project. I chose to give Linode Object Storage a try and integrated it for external media and downloads with a download manager plugin in WordPress. Linode Object Storage. Object Storage is a flat rate of 5$ per month and includes 250 GB.
Jitsi Meet server: Note: By default, anyone who has access to your Jitsi Meet server will be able to start a conference: if your server is open to the world, anyone can have a chat with anyone else. If you want to limit the ability to start a conference to registered users, follow the instructions to set up a secure domain.
So I decided to host my own Jitsi video conferencing server.
I started this project after searching for video conferencing solutions with privacy in mind. After someone made me aware of Jitsi I started doing some research into this software. Jitsi is free and open source software which pretty much exactly does what I want. Driven by curiosity I wanted to try this myself.
The Software
Jitsi is free and open source software that uses WebRTC to establish the connections between endpoints. The code is available here on GitHub. Jitsi basically consists of two main components: an SFU (selective forwarding unit) called the Jitsi Videobridge (JVB), and the Jitsi Meet application.
If there are just two participants on the call the link is established via a P2P WebRTC session, which means that the server is not needed to do anything more than to connect the participants. In this case, the two endpoints communicate directly end-to-end encrypted via DTLS-SRTP.
WebRTC is (currently) not able to offer end-to-end encrypted connections for more than two participants. In this use case, the connection of all participants to the server is still encrypted with DTLS-SRTP. The JVB decrypts the video streams only while they are traversing it; however, this data is never stored (except going through memory, of course, but not persistently). Jitsi have an article up about security, which I encourage everyone to read.
Jitsi can handle the switch between P2P and JVB seamlessly and automatically. Also, the JVB is able to detect connection quality and available bandwidth and adjust the video quality automatically.
Since Jitsi can be deployed on one's own servers (this is even encouraged), everyone can host their own instance which they can therefore trust.
A great thing about the JVB is that no transcoding of the video streams is necessary. This should reduce the load on the CPU significantly.
If needed, Jitsi can even be configured to use a SIP gateway (Jigasi) for phone connections.
Installation
I set up a new Linode server, hosted in Germany. Since I mainly was curious and wanted to test the software, and it is intended for my personal use only, I decided to go with a Linode Nano. This is the server: Ubuntu 18.04 LTS, Nanode 1GB: 1 CPU, 25GB Storage, 1GB RAM. The Nanode comes with 1 TB of monthly outbound traffic.
After the server got deployed by Linode I just made the A and AAAA DNS entries with the server's IPv4 and IPv6 addresses.
The installation itself is described in detail in the quick install document. They described the setup of the FQDN as optional. I made sure to update /etc/hostname and /etc/hosts to contain my chosen domain name. The same name has to be entered during the setup process.
Per default the firewall on the Ubuntu install is not enabled, so I enabled it and added the rules for Jitsi to work properly. Jitsi uses Port 10000 for a UDP session and 4443 (TCP) as fallback. Of course 443 should also be allowed, as well as SSH if needed.
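The rule set from the paragraph above and a check of what ufw actually reports, as an added example that is not part of the original post. The function names and the sample `ufw status` output are constructed for illustration; SSH is assumed to be on 22/tcp.

```shell
#!/bin/sh
# Ports named in the post: SSH, HTTPS, the TCP fallback and the UDP media port.
# Assumption not stated in the post: add 80/tcp here if certificates are
# issued or renewed through Let's Encrypt HTTP validation.
EXPECTED="22/tcp 443/tcp 4443/tcp 10000/udp"

# Apply the rules (run as root on the server; not invoked by this example).
apply_jitsi_rules() {
  ufw default deny incoming
  for rule in $EXPECTED; do ufw allow "$rule"; done
  ufw --force enable
}

# Read `ufw status` output on stdin. Print "missing <rule>" for every expected
# rule that is not allowed and "unexpected <rule>" for anything else allowed.
audit_ufw_status() {
  awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
    /^Status: inactive/ { inactive = 1 }
    $2 == "ALLOW" || ($2 == "(v6)" && $3 == "ALLOW") { seen[$1] = 1 }
    END {
      if (inactive) print "firewall inactive"
      for (i = 1; i <= n; i++) if (!(e[i] in seen)) print "missing " e[i]
      for (r in seen) if (!(r in want)) print "unexpected " r
    }'
}

# Constructed sample: the TCP fallback is missing and 8080/tcp is left open.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
10000/udp                  ALLOW       Anywhere
8080/tcp                   ALLOW       Anywhere
22/tcp (v6)                ALLOW       Anywhere (v6)'

printf '%s\n' "$SAMPLE_UFW_STATUS" | audit_ufw_status
```

On the server itself the check is `ufw status | audit_ufw_status`; empty output means the allowed rules match the expected set exactly.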
After installation I once ran into the problem of not being able to access the landing page of Jitsi but only the default nginx page. After searching online the simplest solution was to just deploy the server again with a fresh install of Ubuntu and run the setup process again. Everything is so fast and easy that this wasn’t a significant hurdle.
Jitsi, installed with default settings, creates its own self-signed certificate. Optionally another certificate can be used. They also provide a handy script to obtain a Let’s Encrypt certificate. This is the option I used.
The renewal with certbot-auto can be automated with a cronjob. I didn’t bother with this at the moment (but will probably later) as I just wanted to try the software.
All in all Jitsi seems to work as promised. A few test calls using devices in my home were successful. Now I will continue to test Jitsi and use it for video calls.
Important details
- The mobile clients (iOS/Android) need a connection with a valid certificate, otherwise they won’t connect to the server at all.
- Firefox is (currently) not fully supported. Jitsi discourages the use of Firefox at the moment, as it may be detrimental to the connection quality, even for other participants. This is among other things due to a lack of multicast support in Firefox (or their implementation thereof). The community seems to be working on this issue.
- Safari doesn’t support WebRTC video (with H.264) at all (no matter the (video conferencing) software used).
- Chrome (and derivatives like Chromium, Opera, etc.) work just fine.
- There even exists a cross platform Electron App for Windows, macOS, and GNU/Linux. For this to work the external API needs to be activated. I didn’t bother with this.
- Let’s Encrypt only issues certificates for Domains. If the Server is only reachable via an IP Address, Let’s Encrypt can’t be used for certificate generation.
Update
2020-04-11: Cron
Turns out, certificate renewal for Let’s Encrypt is way easier than expected. It seems to me that the install script for the certificate didn’t install certbot. So I installed certbot with apt-get install certbot. I let it run once with certbot-auto and told it to renew all available certificates and to let nginx redirect all http traffic to https.
Future renewals of the certificate should be easy with certbot renew. As it turns out, certbot automatically creates a cronjob at /etc/cron.d/certbot. So this way there should be no more worry about manual certificate renewal.
These sites were helpful to me.
Hi all,
Over the last few weeks there's been huge increase in interest from folks wanting the security and autonomy of running their remote collaboration services, rather than being at the mercy of traditional proprietary centralised apps. Meanwhile, the Matrix.org homeserver has been very overloaded (although we're at last making excellent progress in radically improving Synapse's performance) - so it's particularly important right now to help folks run their own servers.
Therefore we're very happy to announce that it's easier than ever before now to self-host your own video conferencing alongside Riot & Synapse: as of Riot/Web 1.5.15 (released last week), it's now a single config option to point Riot at a specific Jitsi rather than needing to hook up to an integration manager!
Meanwhile, over the last 18 months, it's got easier and easier to run your own Matrix deployments: the Debian packages are unrecognisably better now, and with .well-known URL support it's trivial to set up federation without needing to worry about complicated DNS, TLS or load balancer configurations. So, to try to show off just how smooth this has become, we thought we'd do a run-through video showing installing Synapse, Riot & Jitsi on a completely fresh Debian install. It's (almost) filmed in a single shot, and takes about 20 minutes from beginning to end.
Please note that this does assume you're pretty familiar with Linux system administration. If you're not, then we'd recommend using a Matrix hosting provider such as Modular.im (which directly supports development of the core team), Ungleich.ch, or StartupStack.
Finally, while the video shows how to install on Debian via Debian packages, there are many many other environments and architectures (e.g. installing under Docker) - this is just one relatively easy way to skin the cat. Perhaps there will be other 'speed-run' videos in future :)
If you want to follow along at home without listening to the video (and I can't blame you if you do ;) the high level steps are as follows:
Debian & DNS
- Take one fresh Debian 10 install.
- Point the DNS for your domain to it. You should use separate subdomains for the various services as a hygiene measure to make cross-site scripting attacks less effective. In this example, we set up DNS for:
  - dangerousdemos.net (general website, and for hosting a .well-known path to advertise the Matrix service)
  - matrix.dangerousdemos.net (Synapse)
  - riot.dangerousdemos.net (Riot/Web)
  - jitsi.dangerousdemos.net (Jitsi video conferencing)
  - In practice, we used a *.dangerousdemos.net wildcard DNS record for the three subdomains in this instance.
Nginx and LetsEncrypt
- Install nginx as a webserver: apt-get update && apt -y install nginx
- Go to /etc/nginx/sites-enabled and copy the vhost configuration block from the bottom of default to new files called dangerousdemos.net, matrix.dangerousdemos.net, and riot.dangerousdemos.net. We don't set up jitsi.dangerousdemos.net at this point as the jitsi installer handles it for us.
  - Rename the server_name field in the new files to match the hostname of each host, and point root to an appropriate location per domain (e.g. /var/www/dangerousdemos.net for the main domain, or /var/www/riot.dangerousdemos.net/riot for riot)
  - For the Synapse domain (matrix.dangerousdemos.net here), you should replace the contents of the location block with proxy_pass http://localhost:8008; - telling nginx to pass the traffic through to synapse, which listens by default for plaintext HTTP traffic on port 8008. (N.B. do not put a trailing slash on the URL here, otherwise nginx will mangle the forwarded URLs.)
- Enable TLS via LetsEncrypt on nginx, by: apt install -y python3-certbot-nginx && certbot --nginx -d dangerousdemos.net -d riot.dangerousdemos.net -d matrix.dangerousdemos.net (or whatever your domains are).
- You should be able to go to https://dangerousdemos.net at this point and see a page with valid HTTPS.
Synapse
- Then, install Synapse via Debian packages using the instructions at https://github.com/matrix-org/synapse/blob/master/INSTALL.md#debianubuntu (see below). If you're not on Debian, keep an eye out for all the other OSes we support too!
  - You should specify the server name to be the domain you want in your matrix IDs - i.e. dangerousdemos.net in this example.
  - Please report anonymous aggregate stats to us so we can gauge uptake and help justify funding for Matrix!
- You should now be able to go to https://matrix.dangerousdemos.net and see a valid 'It works! Synapse is running' page.
- Then, you should enable registration on your synapse by switching enable_registration: true in /etc/matrix-synapse/homeserver.yaml and restarting synapse via systemctl restart matrix-synapse.
- Now you need to tell the rest of Matrix how to find your server. The easiest way to do this is to publish a file at https://dangerousdemos.net/.well-known/matrix/server which tells everyone the hostname and port where they can find the synapse for dangerousdemos.net - in this instance, it's matrix.dangerousdemos.net:443:
- Alternatively, you could advertise the server via DNS, if you don't have write access to /.well-known on your main domain. However, to prove you are allowed to host the Matrix traffic for dangerousdemos.net, you would have to configure nginx to use the dangerousdemos.net TLS certificate for the matrix.dangerousdemos.net vhost (i.e. the 'wrong' one), and in general we think that /.well-known is much easier to reason about. In this case you would advertise the server with an SRV record like this:
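How the two ways of advertising the server differ in where other homeservers connect and which name the TLS certificate has to cover, as an added example that is not part of the original post. The function name, the `m.server` document body and the SRV values are constructed for illustration, and port 8448 is the Matrix federation default, which the post does not mention.

```shell
#!/bin/sh
# Simplified model of Matrix server discovery (IP literals, explicit ports in
# the server name and the SRV lookup on a delegated host are left out).
#   $1 = server name, the domain part of the Matrix IDs
#   $2 = body served at https://<server name>/.well-known/matrix/server ("" if absent)
#   $3 = SRV answer for _matrix._tcp.<server name> as
#        "priority weight port target" ("" if none)
# Prints "connect=<host:port> cert=<name the certificate must be valid for>".
resolve_federation() {
  name=$1 wellknown=$2 srv=$3
  delegated=$(printf '%s' "$wellknown" |
    sed -n 's/.*"m\.server"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p')
  if [ -n "$delegated" ]; then
    case "$delegated" in
      *:*) target=$delegated ;;
      *)   target="$delegated:8448" ;;
    esac
    # .well-known delegation: the certificate is checked against the delegated host.
    echo "connect=$target cert=${delegated%%:*}"
  elif [ -n "$srv" ]; then
    # SRV only redirects the connection: the certificate must still match the
    # original server name, which is the 'wrong' certificate case in the post.
    set -- $srv
    echo "connect=${4%.}:$3 cert=$name"
  else
    echo "connect=$name:8448 cert=$name"
  fi
}

# Constructed inputs for the domains used in this walkthrough.
WELL_KNOWN='{ "m.server": "matrix.dangerousdemos.net:443" }'
SRV_ANSWER='10 5 443 matrix.dangerousdemos.net.'

resolve_federation dangerousdemos.net "$WELL_KNOWN" ""
resolve_federation dangerousdemos.net "" "$SRV_ANSWER"
resolve_federation dangerousdemos.net "" ""
```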
Riot/Web
- Then, install Riot/Web. Grab the latest .tgz release from https://github.com/vector-im/riot-web/releases. You should check its GnuPG signature too:
- You then tweak the config.json to change the base_url of the homeserver to be https://matrix.dangerousdemos.net (i.e. where to find the Client Server API for your server), and change the server_name to be dangerousdemos.net (i.e. the name of your server).
- You should then be able to go to https://riot.dangerousdemos.net, register for an account, sign in, and talk to the rest of Matrix!
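One way to make the GnuPG check on the release tarball strict, as an added example that is not part of the original post: the download is accepted only if gpg reports a valid signature from a fingerprint pinned in advance. The function names, the fingerprint and the sample status lines are constructed placeholders, not the project's real release key.

```shell
#!/bin/sh
# A "Good signature" from any key in the keyring is not enough; the signature
# must come from the release key whose fingerprint was pinned beforehand.

# Read `gpg --status-fd` output on stdin. Succeed only if a VALIDSIG line ends
# with the pinned primary-key fingerprint ($1) and no BADSIG/ERRSIG is present.
status_is_pinned_validsig() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 == "BADSIG" || $2 == "ERRSIG" { bad = 1 }
    $2 == "VALIDSIG" && toupper($NF) == toupper(want) { ok = 1 }
    END { exit !(ok && !bad) }
  '
}

# verify_release <tarball> <detached signature file> <pinned fingerprint>
# Needs gpg and the imported release key; not invoked by this example.
verify_release() {
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
    status_is_pinned_validsig "$3"
}

# Constructed placeholder fingerprint and constructed gpg status output.
PINNED_FPR=0123456789ABCDEF0123456789ABCDEF01234567
SAMPLE_GOOD="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key
[GNUPG:] VALIDSIG $PINNED_FPR 2020-04-01 1585699200 0 4 0 1 8 00 $PINNED_FPR"
SAMPLE_OTHER_KEY="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7654321076543210 Some Other Key
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2020-04-01 1585699200 0 4 0 1 8 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98"

printf '%s\n' "$SAMPLE_GOOD" | status_is_pinned_validsig "$PINNED_FPR" &&
  echo "pinned key: accepted"
printf '%s\n' "$SAMPLE_OTHER_KEY" | status_is_pinned_validsig "$PINNED_FPR" ||
  echo "other key: rejected"
```

The second sample is a cryptographically valid signature from a different key, which a plain `gpg --verify` would also report as good once that key is in the keyring.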
Jitsi
- Finally, we install Jitsi so you can run your own video conferencing. We take the instructions from Jitsi's quick install guide:
- We give the installer the hostname jitsi.dangerousdemos.net. Make sure this DNS is already set up, otherwise the installer will fail!
- The installer magically detects you have nginx installed and adds in an appropriate vhost!
- We select a self-signed certificate for now, and then upgrade it to LetsEncrypt after the fact with /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh.
  - Alternatively, you could have specified manual certificates, and then used certbot alongside the rest of nginx to create a certificate for jitsi.dangerousdemos.net - both work.
- You should now be able to go to https://jitsi.dangerousdemos.net and use the Jitsi directly.
- Finally, and this is the cool new bit: you can now point Riot to use the new Jitsi by going to its config.json at /var/www/riot.dangerousdemos.net/riot/config.json and changing the preferredDomain of the jitsi block from https://jitsi.riot.im to your own self-hosted https://jitsi.dangerousdemos.net.
- You then refresh your Riot/Web, and you should be all set to use Jitsi from within your new Riot - as Riot/Web 1.5.15 and later has the ability to natively embed Jitsi straight into the app without needing to use an integration manager.
Conclusion
Matrix nowadays provides an excellent alternative to the centralised solutions. It gives:
- Full autonomy over how to host and store your own conversations
- Full freedom to talk to anyone else on the wider global Matrix network (or indeed anyone else bridged into Matrix)
- Full privacy via full end-to-end-encryption for chats, file transfer and 1:1 voice/video calls (when enabled)
- Full transparency by being 100% open source (as well as benefiting from the overall open source community)
Hopefully this gives some confidence that it's pretty easy to run your own fully functional Matrix instance these days. If not, then hopefully someone will do a similar one to show off Docker! And if that's still too scary, please take a look at hosting services like Modular.im.
(Comments over at HN and here too)