Host Your Own Videoconferencing Server Using Galene

last updated 2020-12-27 11:06:06 by Simon Vandevelde

This page contains a how-to guide for setting up a self-hosted Galène videoconferencing server. Galène is a free and open source videoconferencing server, similar to Jitsi. However, in my experience, it is much easier to set up. Before we start with the guide, let's first go over the benefits of hosting your own videoconferencing server:
  • More control over your own data
  • More secure: WebRTC is only encrypted in transport, and not end-to-end, meaning the server can see your data. If you self-host, you can always trust your server.
  • Bragging rights!
Now that the benefits are clear, let's commence.

Requirements:

  • Computer running a Linux flavour;
  • Have the Go language installed;
  • A working internet connection;
  • A domain name, with access to the DNS records;
  • Knowledge on how to port-forward your router;

Set up Galène

Downloading and building Galène is easy.

$ git clone https://github.com/jech/galene && cd galene
$ CGO_ENABLED=0 go build -ldflags='-s -w'

Galene requires a server certificate, as this is what enables transport encryption through TLS. Later on in the guide we will create a "real" certificate using Let's Encrypt, but for testing purposes we will first create a self-signed certificate.

$ mkdir data
$ openssl req -newkey rsa:2048 -nodes -keyout data/key.pem -x509 -days 365 -out data/cert.pem

Now we can set up a so-called group, which is basically a conference room. To do so, we first need to create the groups folder.

$ mkdir groups

The next step is to create a json file in the folder containing information about the group. The name of the file will be the name of the group, so e.g. groups/meeting.json with the following:

{
  "public": true,
  "op": [{"username":"name","password":"pwd"}],
  "presenter": [{}],
  "max-users": 10
}

And... that's it! Incredible but true, Galène is already set up. You can test if it works by running the ./galene command, and surfing in your browser to https://localhost:8443, where you should be able to join the meeting group (just ignore the self-signed certificate warning that your browser will give).

The catch is that the current configuration only works locally. To set up Galène to work over the internet, we need a so-called TURN server. This extra step is necessary to ensure that every peer is able to connect to the server.

Self-host a TURN server: coturn

Luckily, self-hosting a TURN server is made easy by the coturn project, an open-source TURN server with extensive functionalities. Installing the server is different depending on what platform you're on. For Arch-linux users, there exists the coturn package.

Once you have coturn installed, we need configure it. By default, it comes with a long configuration file, which we're going to replace with something simpler. However, we should first copy the original config file (note that it might be located elsewhere depending on your distro).

$ sudo mv /etc/turnserver/turnserver.conf /etc/turnserver/turnserver.conf.bak

Next, create a new turnserver.conf file and paste in the following (but make sure to edit the correct fields).

realm=yourdomain.com
server-name=your-machine-name
listening-ip=0.0.0.0
external-ip=your-external-ip
listening-port=3478
min-port=10000
max-port=20000
fingerprint
log-file=/var/log/turnserver.log
verbose
user=testuser:testpwd
lt-cred-mech


You can now start the server using systemd.

$ sudo systemctl start turnserver

At this point, you should set up a domain such as turn.yourdomain.com and make sure that your machine is reachable through port 80, by e.g. port-forwarding. To set up our TURN server with https (which is heavily advised), we first need to generate a TLS certificate. Luckily, we can do so easily using Let's Encrypt's certbot. Follow the installation guide on their website to install certbot.

Once certbot is installed, we can create our certificates using the following command:

$ sudo certbot certonly --standalone --preferred-challenges http -d turn.yourdomain.com

It's also a good idea to already create certificates for your video conferencing domain, such as conference.yourdomain.com. You can do so by running the command again, but with a different domain. (After this, you can close port 80 again.)

Now that we have our certificates, we can set up the turn server to accept them. Add the following to your turnserver.conf.

cert=/etc/letsencrypt/live/turn.yourdomain.com/cert.pem
pkey=/etc/letsencrypt/live/turn.yourdomain.com/privkey.pem
tls-listening-port=443

Now make sure that port 443 on the machine can be reached from outside (by e.g. port-forwarding), and you're done setting up the TURN server! Don't forget to restart the TURN server!

Adding the TURN to Galène

All that rests us now is to make sure that Galène is able to find and use the TURN server. To do that, create the data/ice-server.json file in the Galène directory. Next, paste in the following (but don't forget to change some fields):

[
    {
        "urls":["turn:turn.yourdomain.com:443"],
        "username":"testuser",
        "credential":"testpwd"
    },
    {
        "urls":["turn:turn.yourdomain.com:443?transport=tcp"],
        "username":"testuser",
        "credential":"testpwd"
    }
]

We also need to make sure that Galène can reach the certificates which we created earlier. To do this, we move the certificates into the data folder, and we set ourselves as owners.

$ sudo cp /etc/letsencrypt/live/conference.yourdomain.com/cert.pem data/cert.pem
$ sudo cp /etc/letsencrypt/live/conference.yourdomain.com/privkey.pem data/key.pem
$ sudo chown sva data/*.pem

The only remaining problem now is that Galène has to be started manually. To solve this, we will create a systemd service file similar to the one the turnserver has. Create a file called galene.service and paste in the following (but again, change some fields):

[Unit]
Description=Galene
After=network.target

[Service]
Type=simple
WorkingDirectory=/path/to/galene
ExecStart=/path/to/galene/galene
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Now we need to move this file into the correct directory, after which we can start our Galène server.

$ mv galene.service /etc/systemd/system/galene.service
$ sudo systemctl start galene

And.. that's it! Now make sure that your server's port 8443 is reachable from outside, and everything should work! If you can visit conference.yourdomain.com and join a room succesfully, congratulations!