Host Your Own Videoconferencing Server Using Galene
last updated 2020-12-27 11:06:06 by Simon Vandevelde
This page contains a how-to guide for setting up a self-hosted Galène videoconferencing server.
Galène is a free and open source videoconferencing server, similar to Jitsi.
However, in my experience, it is much easier to set up.
Before we start with the guide, let's first go over the benefits of hosting your own videoconferencing server:
- More control over your own data
- More secure: WebRTC encrypts media hop by hop (DTLS-SRTP between each browser and the server), not end-to-end, so a forwarding server such as Galène decrypts every stream it relays. If you self-host, the machine that can see the media is one you control rather than a third party's.
- Bragging rights!
Requirements:
- Computer running a Linux flavour;
- Have the Go language installed;
- A working internet connection;
- A domain name, with access to the DNS records;
- Knowledge on how to port-forward your router;
Set up Galène
Downloading and building Galène is easy.

$ git clone https://github.com/jech/galene && cd galene
$ CGO_ENABLED=0 go build -ldflags='-s -w'

Galène requires a server certificate, as this is what enables transport encryption through TLS. Later on in the guide we will create a "real" certificate using Let's Encrypt, but for testing purposes we will first create a self-signed certificate.
$ mkdir data
$ openssl req -newkey rsa:2048 -nodes -keyout data/key.pem -x509 -days 365 -out data/cert.pem

Now we can set up a so-called group, which is basically a conference room. To do so, we first need to create the groups folder.

$ mkdir groups

The next step is to create a JSON file in the folder containing information about the group. The name of the file will be the name of the group, so e.g. groups/meeting.json with the following:
{
  "public": true,
  "op": [{"username":"name","password":"pwd"}],
  "presenter": [{}],
  "max-users": 10
}

Here "op" lists the operator accounts (the people who can moderate the room), "presenter" lists who may share audio and video, and the empty entry {} matches any username and password, so anyone who joins can present; "public" makes the group appear on Galène's landing page. Pick a real password for the operator rather than "pwd", since whoever knows it controls the room. And... that's it! Incredible but true, Galène is already set up. You can test if it works by running the ./galene command and surfing in your browser to https://localhost:8443, where you should be able to join the meeting group (just ignore the self-signed certificate warning that your browser will give).
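The group file above is the entire access-control story for a room, so here is an added example, written for this page in Go (Galène's own language) and not taken from Galène or from the original guide, that produces such a file: it draws the operator password from the OS random generator instead of a typed-in "pwd", restricts the group name to characters that are safe as a file name and URL path segment (rejecting "../"-style names), and marshals the same keys as groups/meeting.json. The group name "meeting" and operator "name" are the page's sample values; the 0600 file mode assumes Galène runs as the same account that writes the file.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// Credential is one entry of a Galène "op"/"presenter" list. An empty
// entry ({}) matches any username and password, which is what the page's
// "presenter": [{}] means: anybody who joins may share audio and video.
type Credential struct {
	Username string `json:"username,omitempty"`
	Password string `json:"password,omitempty"`
}

// Group is the subset of the Galène group description used on this page.
type Group struct {
	Public    bool         `json:"public"`
	Op        []Credential `json:"op"`
	Presenter []Credential `json:"presenter"`
	MaxUsers  int          `json:"max-users"`
}

// validName keeps the group name to characters that are safe as a file
// name and as a URL path segment, so "../etc" or "a/b" are rejected.
var validName = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// RandomPassword returns n bytes from the OS CSPRNG, base64url-encoded.
func RandomPassword(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// NewGroup builds a public group with one operator account (random
// password) and open presenting, mirroring groups/meeting.json but without
// the guessable "pwd". The password is returned so it can be handed to the
// operator out of band.
func NewGroup(name, opUser string, maxUsers int) (Group, string, error) {
	if !validName.MatchString(name) {
		return Group{}, "", fmt.Errorf("invalid group name %q", name)
	}
	if opUser == "" || maxUsers <= 0 {
		return Group{}, "", fmt.Errorf("operator name and positive max-users required")
	}
	pw, err := RandomPassword(18) // 144 bits of entropy, 24 characters
	if err != nil {
		return Group{}, "", err
	}
	g := Group{
		Public:    true,
		Op:        []Credential{{Username: opUser, Password: pw}},
		Presenter: []Credential{{}},
		MaxUsers:  maxUsers,
	}
	return g, pw, nil
}

// WriteGroup writes <dir>/<name>.json with mode 0600 (the file holds a
// password; relax this if Galène runs as another user) and returns the
// path. The name is validated again so the function is safe on its own.
func WriteGroup(dir, name string, g Group) (string, error) {
	if !validName.MatchString(name) {
		return "", fmt.Errorf("invalid group name %q", name)
	}
	data, err := json.MarshalIndent(g, "", "  ")
	if err != nil {
		return "", err
	}
	if err := os.MkdirAll(dir, 0o755); err != nil {
		return "", err
	}
	path := filepath.Join(dir, name+".json")
	if err := os.WriteFile(path, data, 0o600); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	g, pw, err := NewGroup("meeting", "name", 10)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	path, err := WriteGroup("groups", "meeting", g)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("wrote %s; operator password: %s\n", path, pw)
}
```

Run it from the Galène directory and it creates groups/meeting.json exactly where ./galene expects it; the printed password is the only copy, so store it somewhere sensible.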
The catch is that the current configuration only works on the local network. Browsers on the internet reach Galène through WebRTC, and a peer behind a restrictive NAT or firewall may not be able to open a direct UDP path to the server. For those peers we need a so-called TURN server, which relays the media over a port and protocol (typically TCP 443) that the client's network does allow. This extra step is what ensures that every peer is able to connect to the server.
Self-host a TURN server: coturn
Luckily, self-hosting a TURN server is made easy by the coturn project, an open-source TURN server with extensive functionality. Installing the server differs depending on what platform you're on. For Arch Linux users, there is the coturn package.
Once you have coturn installed, we need to configure it. By default, it comes with a long configuration file, which we're going to replace with something simpler. However, we should first back up the original config file (note that it might be located elsewhere depending on your distro, e.g. /etc/turnserver.conf on Debian-based systems).

$ sudo mv /etc/turnserver/turnserver.conf /etc/turnserver/turnserver.conf.bak

Next, create a new turnserver.conf file and paste in the following (but make sure to edit the correct fields).
realm=yourdomain.com
server-name=your-machine-name
listening-ip=0.0.0.0
external-ip=your-external-ip
listening-port=3478
min-port=10000
max-port=20000
fingerprint
log-file=/var/log/turnserver.log
verbose
user=testuser:testpwd
lt-cred-mech

The user= line defines a static long-term credential. Every client that uses the relay has to know it, so treat it as public knowledge: replace testuser:testpwd with something long and random, and keep in mind that a relay reachable from the internet with a known credential can be used by anyone to bounce traffic through your machine. min-port/max-port bound the UDP range the relay allocates from, which is the range you will have to open on your firewall. Drop verbose once things work, as it logs every allocation. You can now start the server using systemd.
$ sudo systemctl start turnserver

At this point, you should set up a domain such as turn.yourdomain.com (an A record pointing at your external IP) and make sure that your machine is reachable through port 80, by e.g. port-forwarding; the Let's Encrypt HTTP challenge in the next step needs it.
To set up our TURN server with TLS (TURN over TLS, which is heavily advised, since it is what lets clients on networks that only let HTTPS-looking traffic out on port 443 reach the relay), we first need to generate a TLS certificate.
Luckily, we can do so easily using Let's Encrypt's certbot.
Follow the installation guide on their website to install certbot.
Once certbot is installed, we can create our certificates using the following command:

$ sudo certbot certonly --standalone --preferred-challenges http -d turn.yourdomain.com

It's also a good idea to already create certificates for your video conferencing domain, such as conference.yourdomain.com. You can do so by running the command again, but with a different domain. (After this, you can close port 80 again. Remember, though, that Let's Encrypt certificates are valid for 90 days and that renewing with --standalone needs port 80 open again, so either leave it open or plan to reopen it for renewals.)
Now that we have our certificates, we can set up the TURN server to use them. Add the following to your turnserver.conf.

cert=/etc/letsencrypt/live/turn.yourdomain.com/fullchain.pem
pkey=/etc/letsencrypt/live/turn.yourdomain.com/privkey.pem
tls-listening-port=443

(fullchain.pem contains the server certificate plus the Let's Encrypt intermediate; cert.pem holds the leaf only, and some clients cannot build a trust chain from that. Also, coturn usually runs as an unprivileged user, so it must be able to read privkey.pem, which certbot creates readable by root only; check the log file if the TLS listener does not come up.) Now make sure that port 443 on the machine can be reached from outside (by e.g. port-forwarding), and you're done setting up the TURN server! Don't forget to restart the TURN server (sudo systemctl restart turnserver) so that it picks up the new configuration.
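The static user=testuser:testpwd credential above has one weakness: Galène later has to hand exactly that pair to every browser that joins, so it is as public as the conference page itself. coturn therefore also supports time-limited credentials (the "TURN REST API" scheme, enabled with use-auth-secret and static-auth-secret=<secret> in turnserver.conf instead of user= and lt-cred-mech): the username carries an expiry time and the password is an HMAC over it, so a pair that leaks stops working after a few hours. Galène can mint such pairs itself when the ice-servers.json entry carries "credentialType": "hmac-sha1" with the shared secret as "credential" (see Galène's README). The Go program below is an added example written for this page, not code from coturn or Galène: it shows what is actually computed on each side, and it prints an ice-servers.json you can drop in to test the relay by hand. The secret "change-me", the label "galene" and the host names are placeholders.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"os"
	"strconv"
	"strings"
	"time"
)

// TURN REST API credentials, the scheme coturn enables with
//   use-auth-secret
//   static-auth-secret=<secret>
// in place of a static user=name:password line:
//   username   = "<expiry as unix seconds>:<any label>"
//   credential = base64(HMAC-SHA1(secret, username))
// The relay recomputes the MAC and refuses the pair once the expiry has
// passed, so a pair that leaks from a web page is only useful until then.

// MintTURNCredential creates a pair that the relay accepts until now+ttl.
func MintTURNCredential(secret, label string, now time.Time, ttl time.Duration) (username, credential string) {
	username = strconv.FormatInt(now.Add(ttl).Unix(), 10) + ":" + label
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(username))
	credential = base64.StdEncoding.EncodeToString(mac.Sum(nil))
	return username, credential
}

// VerifyTURNCredential mirrors the relay side: parse the expiry out of the
// username, reject expired pairs, then compare MACs in constant time.
func VerifyTURNCredential(secret, username, credential string, now time.Time) bool {
	i := strings.IndexByte(username, ':')
	if i <= 0 {
		return false
	}
	expiry, err := strconv.ParseInt(username[:i], 10, 64)
	if err != nil || now.Unix() >= expiry {
		return false
	}
	got, err := base64.StdEncoding.DecodeString(credential)
	if err != nil {
		return false
	}
	mac := hmac.New(sha1.New, []byte(secret))
	mac.Write([]byte(username))
	return hmac.Equal(mac.Sum(nil), got)
}

// iceServer has the shape of one entry in Galène's ice-servers.json.
type iceServer struct {
	URLs       []string `json:"urls"`
	Username   string   `json:"username"`
	Credential string   `json:"credential"`
}

// ICEServersJSON renders a one-entry ice-servers.json for a hand-made test
// of the relay: plain TURN over UDP and TCP on 3478, plus TURN over TLS
// (turns:) on the 443 TLS listener configured above.
func ICEServersJSON(host, username, credential string) (string, error) {
	entry := []iceServer{{
		URLs: []string{
			"turn:" + host + ":3478",
			"turn:" + host + ":3478?transport=tcp",
			"turns:" + host + ":443?transport=tcp",
		},
		Username:   username,
		Credential: credential,
	}}
	b, err := json.MarshalIndent(entry, "", "  ")
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	// Placeholder secret and host; use the value from static-auth-secret.
	u, c := MintTURNCredential("change-me", "galene", time.Now(), 12*time.Hour)
	out, err := ICEServersJSON("turn.yourdomain.com", u, c)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(out)
}
```

A pair printed this way can also be fed to coturn's own turnutils_uclient to confirm that the relay accepts it before you involve a browser.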
Adding the TURN server to Galène
All that remains now is to make sure that Galène is able to find and use the TURN server. To do that, create the data/ice-servers.json file in the Galène directory (note the plural: ice-servers.json is the name Galène looks for). Next, paste in the following (but don't forget to change some fields):

[
  {
    "urls": ["turn:turn.yourdomain.com:443"],
    "username": "testuser",
    "credential": "testpwd"
  },
  {
    "urls": ["turn:turn.yourdomain.com:443?transport=tcp"],
    "username": "testuser",
    "credential": "testpwd"
  }
]

Galène hands this list to every browser that joins, so the username and credential are visible to all your users; that is why the TURN password should be random rather than testpwd. Note also the URL scheme: turn: means plain TURN over UDP or (with ?transport=tcp) TCP, while turns:turn.yourdomain.com:443?transport=tcp would make the browser talk to the TLS listener set up above. We also need to make sure that Galène can reach the certificates which we created earlier. To do this, we copy the certificates into the data folder and make ourselves the owner.
$ sudo cp /etc/letsencrypt/live/conference.yourdomain.com/fullchain.pem data/cert.pem
$ sudo cp /etc/letsencrypt/live/conference.yourdomain.com/privkey.pem data/key.pem
$ sudo chown $USER data/*.pem

(The original uses the author's account name, sva, in place of $USER; use whichever account will run Galène, and keep key.pem readable by that account only. Since Let's Encrypt certificates expire after 90 days, these two copies have to be refreshed after every renewal, for example from a certbot --deploy-hook.) The only remaining problem now is that Galène has to be started manually. To solve this, we will create a systemd service file similar to the one the turnserver has. Create a file called galene.service and paste in the following (but again, change some fields):

[Unit]
Description=Galene
After=network.target

[Service]
Type=simple
WorkingDirectory=/path/to/galene
ExecStart=/path/to/galene/galene
LimitNOFILE=65536

[Install]
WantedBy=multi-user.target

Now we need to move this file into the correct directory, after which we can start our Galène server (and enable it so that it comes back after a reboot).

$ sudo mv galene.service /etc/systemd/system/galene.service
$ sudo systemctl daemon-reload
$ sudo systemctl enable --now galene

And... that's it! Now make sure that your server's port 8443 is reachable from outside, and everything should work! If you can visit https://conference.yourdomain.com:8443 and join a room successfully, congratulations!
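The unit file above starts Galène as root, which is more privilege than a network-facing server that only needs to read its own directory should have. As an added example (this page's author did not write it, and it is not part of Galène), here is the same unit with a dedicated account and the standard systemd sandboxing directives; it assumes a system user named galene exists (e.g. useradd -r -s /usr/sbin/nologin galene), that Galène lives in /opt/galene, and that the data/*.pem and groups files are readable by that user (so chown them to galene instead of to yourself).

```ini
[Unit]
Description=Galene videoconferencing server
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
# Dedicated unprivileged account; assumed to exist (useradd -r -s /usr/sbin/nologin galene).
User=galene
Group=galene
WorkingDirectory=/opt/galene
ExecStart=/opt/galene/galene
Restart=on-failure
RestartSec=5
LimitNOFILE=65536

# Sandboxing: the service sees the OS read-only, gets a private /tmp and
# no device nodes, and cannot gain privileges through setuid binaries.
NoNewPrivileges=true
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
# Galène only reads its directory; if you enable recordings, add
# ReadWritePaths=/opt/galene/recordings so the recorder can write there.
ReadOnlyPaths=/opt/galene
# 8443 is an unprivileged port, so no capabilities are needed at all.
# If you move Galène to 443 instead, replace the next line with
# AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
```

After editing, run systemctl daemon-reload and restart the service; systemctl status galene and journalctl -u galene will show immediately whether one of the restrictions (most often a certificate file the galene user cannot read) is stopping it from starting.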