Run your own Video Conference Service with Jitsi
Recently Zoom as a company is in the news daily, both in positive and negative notes. With current global lockdown, more and more PC dependent users start using Video Conferencing tools to keep interacting with the world and do their jobs from the remote location.
I am a long time Zoom user, and I used in the past many other VC tools like Skype, Google Meet, Bluejeans, MS Teams, etc. No tool is perfect. Zoom was working fine until news related to security and data privacy start to pop-up once the tool becomes popular. Zoom was standing out from the crowd on video quality as it was designed from ground up as a distributed system. One thing I wasn’t very happy with zoom is consistency in video/audio quality and specifically around very aggressive audio encoding.
I started looking for a viable alternative that provides a good secure video and sound quality and also can share the screen and can work on mobile and doesn’t require dedicated application installation on Win, Mac, and Linux. And to be Open Source.
After a short search on GitHub and Google, it didn’t take very long until I stumble upon Jitsi.
Jitsi is not a single product; it is a set of open-source projects that allows you to easily build and deploy secure videoconferencing solutions. Jitsi, you can use for free at meet.jit.si and create your own room and share the link. Jitsi runs entirely in the browser. Jitsi has a mobile implementation for Android and iOS. “I tested android version and worked flawlessly” But most important is allows you to deploy your own servers both in the cloud or on-premises “even in your home if bandwidth allows it” your own Video Conferencing Server that you can control configure and secure it.
From Documentation on Jitsi web site you can find jitsi is composed primary:
- Jitsi Meet — Secure, Simple and Scalable Video Conferences that you use as a standalone app or embed in your web application
- Jitsi Videobridge — the media server engine (aka Selective Forwarding Unit (SFU)) that powers all of Jitsi’s multi-party video conferences
- Jigasi — a gateway service that connects SIP telephony to a Jitsi Videobridge conference
- Jibri — a broadcaster and recorder used for saving video call recordings and streaming to YouTube Live
- Jidesha — a Chrome and Firefox extension for screensharing
Before we can even begin, we need to have a domain name that will be used for our VC service in SSL certificates, and we can encrypt incoming and outgoing traffic to avoid any sniffing in the process.
Multiple services online are available for Domain management and purchase Domain registrars like Google Domains, AWS Route 53, or more dedicated services like Domain.com, GoDaddy, OnlyDomains, or you can consult the full list.
Before we can deploy Jitsi as our own VC server, we need a physical or virtual server that can sustain our daily VC calls with multiple participants.
It is important to keep costs under control as we do not want to pay extra for the in-house solution than using a commercial one.
If you do not own a Data Center, a good start would be to run Jitsi in the cloud, and we have a few big cloud providers that can comfortably accommodate our bandwidth and computing needs like Microsoft Azure, Google Cloud, Amazon AWS, etc. Or we can pick up from a list of smaller players with much better price/performance proposition where you do not need to be Professionally certified to run your computing needs on a smaller scale like Linode, Digital Ocean, Vultr, etc. where you can run your video conferencing solution just for 5 USD/Month. I tested on all three VM providers, and Jitsi performs remarkably well in all instances, with only a small difference in configuring Linux hostname.
In the below example, I am using the Vulrt VM provider as I just recently discovered for myself and have less experience with the provided service. This project gives me an excellent opportunity to try it out.First, get yourself an account assuming you already have a domain name.
Once logged in, you can proceed to spin-up a new Virtual Machine in the closest location to you as latency will play a big role in the quality of communication.
In the below example, I selected the closest location to me “Singapore” and cheapest option available $5/mo and with most new users friendly Linux distribution Ubuntu.
Very important to add the correct hostname with a fully qualified domain name (FQDN) as in the below example I am using my domain name mudrii.com with added subdomain vc
You can enable few additional options like IPv6 to add auto backups for a price or add your ssh key, and all this is optional.
It will take 1 to 2 minutes for a server to be ready.
Once the server is up and running, you can find credentials by clinking the server, and in the Password section, click on show password to view the password to login as root user by using IP Address in the section with the same name.
The 1st time you logged in ssh will ask you to add the key into the knownhosts key file and provide the password. Once completed you will be greeted with raw Ubuntu bash shell.
First, we need to confirm we set the correct hostname and is matching our DNS entry.
Step nr. Two is a good idea to update and upgrade our OS to the latest version and patch any security holes. Run below commands in the shell
apt update
apt full-upgrade -yIs a good idea to restart virtual machine especially after lengthy Linux Kernel update. Just run
Once VM reboots completed, you can ssh back into the VM using the same credentials.
We are ready to install and configure Jitsi
The first step in the installation process is to add Jitsi repository to your package manager.
echo 'deb https://download.jitsi.org stable/' >> /etc/apt/sources.list.d/jitsi-stable.list
wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add -Update Ubuntu repository and install Jitsi Meet
apt update
apt install jitsi-meet -yNote: During installation, you will need to provide FQDN and Generate a new self-signed certificate.
Once installation is completed and before generating SSL/TLS certificates for your domain we need to configure DNS entry to point to the IP address of the instance on Vulrt.
Use same IP as you ssh into the box.
In my case I am using AWS Route 53 to configure DNS record set in the hosting zone for the domain mudrii.com.
One more step before generating certificates for your domain to configure Vulrt Reverse DNS with your FQDN
Now we are ready to generate a publicly-usable SSL/TLS certificate with Let’s Encrypt, Jitsi provides an automated script for this.
/usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh
Now you should be able to access jitsi in your web browser.
Make sure to accept access to your audio and video in the browser when you start a new meeting.
Optional: If you install Jitsi in one of your servers in your house. To make Jitsi work behind NAT, you will need to change a few configuration settings on the server and NAT router.
On NAT router you will need to forward ports TCP/443 and UDP/10000 to the server’s internal IP address.
# edit /etc/jitsi/videobridge/sip-communicator.properties
vim /etc/jitsi/videobridge/sip-communicator.propertiesAdd two lines with your router IP
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Local.IP.Address>
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>Note: Jitsi, by default, is configured without secure credentials, anybody who knows your domain name entrees can access your server and initiate a jitsi meeting. It is a good idea to secure and permission jitsi to only authorized users who can launch new VC’s
Let’s secure our VC servers and allow only authorized users to launch VC sessions. To require authentication to create or join a room will need to edit Prosody configuration file
Note: pay attention to the name of the file as is containing FQDN vc.mudrii.com.cfg.lua. Replace domain name with your own domain name.
vim /etc/prosody/conf.avail/vc.mudrii.com.cfg.lua
Replace entry authentication = “anonymous” with
authentication = "internal_plain"
We need to add one more entry into Jifoco configuration file.
vim /etc/jitsi/jicofo/sip-communicator.propertiesAt the end of the file add org.jitsi.jicofo.auth.URL=XMPP:vc.mudrii.com
Now we can create a Prosody user that can start/join VC session.
prosodyctl register YourUserName vc.mudrii.com Passw0rd
Note: replace YourUserName and Passw0rd with desired credentials.
Note: pay attention to the name of the domain used containing FQDN vc.mudrii.com replace with your domain name.
We can now restart Jitsi meet associated services to bring up latest configuration changes.
systemctl restart prosody
systemctl restart jicofo
systemctl restart jitsi-videobridge2Now once trying to access the webpage and initiate new meeting Jitsi will ask for your credentials
At this point, only users with usernames and passwords can start and join the jitsi meeting. We do not want to manage every single user who is just entering the meeting and not requires to have a separate account in prosody.
As a meeting host, you can set a separate password just for joining the VC.
In the next step, we will need to allow anonymous users to join the meeting without a username and password.
In /etc/prosody/conf.avail/vc.mudrii.com.cfg.lua we need to add a new VirtualHost section to the bottom of the file:
VirtualHost "guest.vc.mudrii.com"
authentication = "anonymous"
c2s_require_encryption = false
Once more change needs to be done in /etc/jitsi/meet/vc.mudrii.com-config.js find and uncomment and set the “anonymousdomain” option > anonymousdomain: 'guest.vc.mudrii.com',
Now we can restart the services to activate the latest changes in configuration.
Note: pay attention to the name of the domain used both in the file name and as configuration entry containing FQDN vc.mudrii.com replace with your domain name.
systemctl restart prosody
systemctl restart jicofo
systemctl restart jitsi-videobridge2Now you should have complete Vido Conferencing service you can control and with dedicated bandwidth only for your use.
You can accommodate any number of users. It will depend on instance type CPU/RAM and bandwidth.
I tested the above configuration with ten concurrently connected users and shared desktop, and all worked very well without any issues.
If you intend to use Jitsi as a permanent solution is a good idea to secure the server.
- change root password
- create new user Ex. jitsiadmin
adduser jitsiadmin
usermod -aG sudo jitsiadmin
3. Configure SSH by changing the port for ssh and do not allow user root to ssh directly into the server and allow only ssh sessions with ssh_key
3a. on your local machine if you do not have yet create ssh key
ssh-keygenOnce ssh key is created copy key to the remote jitsi server and jitsiadmin user
ssh-copy-id jitsiadmin@45.77.254.192
ssh jitsiadmin@45.77.254.19You should be able to login to jitsi admin account without a password.
3b. now ssh back as root, and we will configure ssh server to allow only for non-root users to ssh and do not allow password only ssh_keys
vim /etc/ssh/sshd_configChange SSH port you can pick up any port above 1024, disable root login with ssh and do not allow password authentication only with ssh keys.
Once ssh configuration was changed, we need to restart sshd service
sudo systemctl reload sshd4. Firewall configuration. Last part we need a firewall to allow only ports used only by jitsi
Allow only your ip to ssh into the jitsi server
sudo ufw allow from YourIP to any port 2222Replace YourIP with your static IP provided by your ISP
Or if you have dynamic IP allocation from your ISP all access to port 2222 from anywhere
sudo ufw allow 2222We need to allow additional ports for jitsi to function correctly
sudo ufw allow http
sudo ufw allow https
sudo ufw allow in 10000:20000/udpEnable firewall on the jitsi server and view configured rules
sudo ufw enable
sudo ufw status5. If you are not using IPv6 you can disable it in Ubuntu by editing /etc/sysctl.conf and adding below entries:
sudo vim /etc/sysctl.confnet.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
Reload sysctl
sudo sysctl -p
Now you should have fully functional and secure Video Conferencing Server running only for your needs.