Set up your own instance of Jitsi
The whole process below took me 3 hours.
Set up a Virtual Private Server (VPS)
I picked a free GNU/Linux distribution, Trisquel. I documented the whole process here: https://yctct.com/trisquel-vps
The next step is to set up an SSH connection between our laptop and the VPS.
Generate an SSH key pair and set up an SSH connection
Follow the instructions from: https://landchad.net/sshkeys/
Install Uncomplicated Firewall on your VPS
From Landchad:
Uncomplicated Firewall (UFW) is a front-facing program for the more involved iptables firewall program installed in most GNU/Linux distributions. We can use UFW to restrict machines on the internet to only access the services (SSH, websites etc) you want them to, but it can also be used to prevent programs on the computer itself from accessing parts of the internet it shouldn’t.
Follow the instructions in the sections “How to get it” and “First-Time Setup” from: https://landchad.net/ufw/
Update the operating system on your VPS:
# apt update
# apt upgrade
Point subdomain to the VPS
Create a DNS A record for meet.domain.com (e.g. mine is talk.yctct.com) pointing to the IP address of the VPS, and an AAAA record as well if the VPS has an IPv6 address and you intend to open the IPv6 firewall rules below. Follow the instructions in Jitsi’s guide.
Install required packages and repository updates
Install the required packages and repository updates:
# apt install gpg apt-transport-https nginx python3-certbot-nginx curl
Look at Jitsi’s documentation to check whether your system requires other packages.
Set up the Fully Qualified Domain Name (FQDN)
Follow the instructions in Jitsi’s guide.
Add Prosody and Jitsi package repository
Add the Prosody package repository; copy the command from Jitsi’s guide. Prosody is the XMPP server that Jitsi Meet runs on, and the repository gives you a current version of it. Prosody is also where the configuration lives if you later want to restrict who may start meetings on your instance. I personally don’t restrict access but I installed it for eventual use.
Add the Jitsi package repository; copy the command from Jitsi’s guide.
Update all package sources:
# apt update
Configure the firewall with UFW
We installed UFW earlier.
Open the required ports with UFW. Allow your SSH port before running ufw enable, otherwise you lock yourself out of the VPS. Run:
# ufw allow 80/tcp
# ufw allow 443/tcp
# ufw allow 10000/udp
# ufw allow 22/tcp
# ufw allow 3478/udp
# ufw allow 5349/tcp
# ufw enable
Some explanations from Jitsi’s documentation:
80 TCP => For SSL certificate verification / renewal with Let’s Encrypt. Required
443 TCP => For general access to Jitsi Meet. Required
10000 UDP => For General Network Audio/Video Meetings. Required
22 TCP => For Accessing your Server using SSH (change the port accordingly if it’s not 22). Required
3478 UDP => For querying the stun server (coturn, optional, needs config.js change to enable it).
5349 TCP => For fallback network video/audio communications over TCP (when UDP is blocked for example), served by coturn. Required
Check status:
# ufw status verbose
should print this:
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
10000/udp                  ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
3478/udp                   ALLOW IN    Anywhere
5349/tcp                   ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
10000/udp (v6)             ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)
3478/udp (v6)              ALLOW IN    Anywhere (v6)
5349/tcp (v6)              ALLOW IN    Anywhere (v6)
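Typos in port numbers are easy to make and ufw accepts them silently, so the listing above is worth checking mechanically rather than by eye. The following shell check is an added example, not from the original page or from Jitsi: it takes the text of ufw status verbose and compares it against the ports opened above, plus the active/deny-incoming state. The sample listing inside it is constructed and deliberately contains one such slip (1000/udp instead of 10000/udp in the IPv6 table) to show what the check reports.

```shell
#!/bin/sh
# Added example (not part of the original page): compare a `ufw status verbose`
# listing against the ports Jitsi Meet needs. On the VPS you would run
#   check_ufw_status "$(ufw status verbose)"
# Here a constructed sample listing is checked instead.

# Port/protocol pairs from the ufw allow commands given on this page.
JITSI_PORTS="80/tcp 443/tcp 10000/udp 22/tcp 3478/udp 5349/tcp"

# check_ufw_status STATUS_TEXT
# Prints one line per problem found and returns 1 if anything is wrong, 0 otherwise.
check_ufw_status() {
    status="$1"
    rc=0
    # The firewall must be enabled, with inbound traffic denied unless allowed.
    if ! printf '%s\n' "$status" | grep -q '^Status: active'; then
        echo "PROBLEM firewall is not active"; rc=1
    fi
    if ! printf '%s\n' "$status" | grep -q '^Default: deny (incoming)'; then
        echo "PROBLEM default incoming policy is not deny"; rc=1
    fi
    for p in $JITSI_PORTS; do
        # IPv4 rule line looks like:  80/tcp        ALLOW IN    Anywhere
        if ! printf '%s\n' "$status" | grep -Eq "^$p[[:space:]]+ALLOW IN"; then
            echo "MISSING $p (v4)"; rc=1
        fi
        # IPv6 rule line looks like:  80/tcp (v6)   ALLOW IN    Anywhere (v6)
        if ! printf '%s\n' "$status" | grep -Eq "^$p \(v6\)[[:space:]]+ALLOW IN"; then
            echo "MISSING $p (v6)"; rc=1
        fi
    done
    return $rc
}

# Constructed sample listing, modelled on the expected output, with a deliberate
# slip: 1000/udp was typed instead of 10000/udp in the IPv6 table.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
10000/udp                  ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
3478/udp                   ALLOW IN    Anywhere
5349/tcp                   ALLOW IN    Anywhere
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
1000/udp (v6)              ALLOW IN    Anywhere (v6)
22/tcp (v6)                ALLOW IN    Anywhere (v6)
3478/udp (v6)              ALLOW IN    Anywhere (v6)
5349/tcp (v6)              ALLOW IN    Anywhere (v6)'

# Running the check on the sample reports the slipped IPv6 rule.
check_ufw_status "$SAMPLE_STATUS" || echo "firewall rules incomplete, fix them before going live"
```

The check matches whole rule lines, so a rule for 1000/udp does not satisfy the requirement for 10000/udp; if you changed the SSH port in the Landchad step, change 22/tcp in JITSI_PORTS to match.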
Generate an SSL certificate for your subdomain
Two options:
- If this is a fresh VPS with nothing else running on it, you can follow the Landchad suggestion.
- If you already have a website running on this VPS and have followed my other tutorial, Set up your own webserver (& a webpage) with nginx, LetsEncrypt and Certbot, follow the second, Fedfree option.
Landchad option
Run:
# certbot --nginx certonly -d meet.domain.com --register-unsafely-without-email
I read from Landchad that the command will ask for an email address. Landchad explains why: “this is so when the certificates need to be renewed in three months, you will get an email about it.” However, Landchad writes that we don’t need to give an email address. We can renew the certificate from the command line, and then automate renewal. The instructions to do so are in the section titled “Setting up certificate renewal” on the page: https://landchad.net/basic/certbot/
Fedfree option
You want to read: https://fedfree.org/docs/http/debian-nginx.html#add-the-new-tls-certificate to add a new TLS certificate.
If, when you set up the first website on this VPS, you generated a 2048-bit dhparam.pem, you need not pass any key-size option: Certbot’s default RSA key size is 2048 bits. If you generated a 4096-bit one, pass --rsa-key-size 4096 to get a matching key size. Note that Certbot 2.0 and later issue ECDSA keys by default; check certbot --help all for the --key-type option if you specifically want an RSA key.
You might also want to add --must-staple. To learn more, read https://fedfree.org/docs/http/debian-nginx.html#ocsp-must-staple. Let’s Encrypt has announced that it is ending OCSP support, so check the current Certbot and Let’s Encrypt documentation before relying on Must-Staple.
In the end, to generate an SSL certificate for talk.yctct.com, I ran:
# certbot certonly --webroot --must-staple --rsa-key-size 4096 --agree-tos -w /var/www/letsencrypt -d talk.yctct.com --register-unsafely-without-email
You can verify that the certificate exists by checking that the directory meet.domain.com (talk.yctct.com in my case) exists in /etc/letsencrypt/live.
Back it up: https://yctct.com/backup-letsencrypt-folder-from-remote-to-local
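Before handing the certificate paths to the Jitsi installer in the next step, it is worth confirming that the files are the ones you think they are. The following shell function is an added example, not from the original page, Certbot or Jitsi: it checks that privkey.pem and fullchain.pem exist under the Certbot live directory for the domain, that the private key belongs to the leaf certificate in fullchain.pem, that the certificate names the domain, that it is valid for at least another 30 days, and that the key is not world-readable. It assumes the Certbot directory layout (/etc/letsencrypt/live/<domain>/, overridable for testing) and the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not part of the original page): pre-flight check of the
# Let's Encrypt files before their paths are given to the jitsi-meet installer.
# Assumes the certbot layout LIVEDIR/<domain>/privkey.pem and fullchain.pem,
# with LIVEDIR defaulting to /etc/letsencrypt/live, and the openssl CLI.

# cert_preflight DOMAIN [LIVEDIR]
# Returns 0 when privkey.pem and fullchain.pem exist, belong together, name
# DOMAIN and stay valid for at least 30 days; prints one line per failed check.
cert_preflight() {
    domain="$1"
    live="${2:-/etc/letsencrypt/live}/$domain"
    key="$live/privkey.pem"
    chain="$live/fullchain.pem"
    rc=0

    for f in "$key" "$chain"; do
        if [ ! -r "$f" ]; then
            echo "FAIL missing or unreadable: $f"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # openssl x509 reads the first PEM block of fullchain.pem, i.e. the leaf
    # certificate. The public key derived from privkey.pem must equal the one
    # in that certificate, otherwise nginx refuses to start with the pair.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "FAIL privkey.pem does not match the certificate in fullchain.pem"; rc=1
    fi

    # The leaf must name the domain, in the SAN list or (older certs) the CN.
    if ! openssl x509 -in "$chain" -noout -text 2>/dev/null \
        | grep -Eq "DNS:$domain(,|\$)|CN ?= ?$domain(,|\$)"; then
        echo "FAIL certificate does not name $domain"; rc=1
    fi

    # -checkend N exits 0 if the certificate is still valid N seconds from now.
    if ! openssl x509 -in "$chain" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL certificate expires within 30 days: $(openssl x509 -in "$chain" -noout -enddate)"; rc=1
    fi

    # A private key readable by "others" (octal 004) is a mistake on any host.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "FAIL $key is world-readable"; rc=1
    fi

    return $rc
}

# On the VPS, run for instance:  cert_preflight talk.yctct.com
```

Run it once after Certbot finishes and again after a renewal; the key/certificate mismatch check is the one that catches a stale fullchain.pem left behind by a failed renewal, which Jitsi would otherwise serve until nginx is next restarted.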
Install Jitsi
# apt install jitsi-meet
The installation differs from the instructions given in Jitsi’s guide because we generated our own certificate. I will therefore paraphrase the instructions from Landchad below.
First, the installer will ask for the subdomain, i.e. meet.domain.com. Then select: I want to use my own certificate
and input the paths to the private key and to the full certificate chain, which Certbot wrote when we generated the SSL certificate above, i.e. /etc/letsencrypt/live/meet.domain.com/privkey.pem and /etc/letsencrypt/live/meet.domain.com/fullchain.pem, respectively.
Check the nginx configuration the installer wrote. Run:
# nginx -t
If it reports that the syntax is OK and the test is successful, we are done.
Go to your subdomain. Your instance of Jitsi should be up and running.
First issue
I had one issue when I first tried to start a call: one participant would get disconnected as soon as the other joined. The Jitsi interface would print “You’ve been disconnected” on the screen.
I found on the Jitsi forum a user with a similar issue who wrote that Jitsi worked fine after he ran:
# systemctl restart prosody
# systemctl restart jicofo
# systemctl restart jitsi-videobridge2
# systemctl restart nginx
This also worked for me.
See debugging tips from Jitsi if you have issues.
Uninstall Jitsi
To uninstall Jitsi, copy the command from Jitsi’s guide.