Jitsi is a video conferencing application that is fully open source, and allows you to easily build and deploy your own video conferencing server. This guide will show you how to set up a secure Vultr hosted virtual server that runs Jitsi – you can be video conferencing in less than an hour!
The first thing you need for this guide is an account set up with Vultr (or Digital Ocean) – if you click on the Vultr link below, you can sign up using my referral code which gets me a few bucks for the referral – thanks!
SPECIAL OFFER! With my Vultr link – you currently get $100.00 FREE CREDIT towards your virtual servers for signing up! Click the Vultr logo below or use this link: https://www.vultr.com/?ref=8473585-6G
*** NOTE: As I said, the rest of this document will be focused on a Vultr install. I will be keeping this guide up to date periodically as things change with the setup – check back if you ever find that something isn’t working, and comment below if you have any trouble with any of the steps!
Also – here’s a Digital Ocean referral link if that floats your boat (pun intended): https://m.do.co/c/6de2bc2df3b8
Already have a Vultr and/or Digital Ocean account? You can always:
Part 1 – Install Vultr Virtual Server
Log into Vultr and get to the main dashboard. Click on ‘Products’ from the left hand menu followed by the blue circled ‘+’ symbol in the upper right. This will bring you to the new server setup page.
Make sure you have selected ‘Cloud Compute’ and then select your location. Pick whichever data center you want – I however, tend to choose the data center closest to my (or my client’s) geographic location. In this case, I’m going to pick Seattle.
The next step is where we select our server type. Click on Ubuntu and choose ‘19.10 x64’ from the drop-down.
Next, select your server size. Jitsi will run on anything in the $5.00/month size or higher. For a production system with a lot of usage however, you may want to bump this up to a higher tier.
Finally, you can select any options (Auto Backups are highly recommended for a production server), and then give your server a hostname. Hostname should be something like jitsi.company.com. For our demo, we’re going to use jitsi.crosstalksolutions.com. This step is NOT optional – we’ll be using a Let’s Encrypt certificate to secure HTTPS access to this server.
Click ‘Deploy Now’ and you’re off to the races! You are taken back to the server summary screen. It will take 1-2 minutes for the server to spin up, so be patient. Once the ‘Status’ changes from ‘Installing’ to ‘Running,’ you should wait about another 30 seconds, and then you’re good to go. Click on the name of your server to see its detail screen.
Once the server is in a ‘Running’ state, you’ll see your IP address. Copy or make note of that IP address – we’re going to use it to create our DNS A record in the next step. You’ll also want to make note of or copy your default root password. (We will change that password immediately upon logging in). You can show the password by clicking the ‘eye’ icon, or simply copy it to your clipboard by clicking the copy icon.
Part 2 – Create DNS A Record
Since you now know your IP address, you should log into your DNS hosting provider or DNS server and create a new A record that points the hostname that you created in Step 1 to the IP address of your Vultr server. This will be needed in the future to connect to the server and to set up Let’s Encrypt.
Part 3 – Log into your new server
At this point, you should have your Vultr username (root) and password from the server details. Copy the password to your clipboard and then open up PuTTY.
Enter in the IP address or hostname of your server and then click ‘Open.’
PuTTY will open up a terminal window and first ask you if you want to accept the new host (click ‘YES’). Then you will be given a login prompt. Use the information from the Vultr server properties:
Password: (the password from the Vultr server properties – you can do SHIFT+INS or right-click to paste it in)
The very first thing that you should do is change your root password.
You will be asked to enter your root password twice – make sure it is a STRONG password. We will be disabling root access to this box later in this guide, but you will still need to know the root password in order to run sudo commands.
Part 4 – Create New User
Most Linux machines in the world have root as the default user. The first line of defense is to create a separate login account with the same privileges and then disable root.
Start by creating a new user – for simplicity, for this exercise, our username will be ‘jitsiadmin‘:
This command will have you set a password for the new user, and you can also optionally enter in some additional information such as their real name and contact info.
Next give root (sudo group) privileges to the newly created user:
usermod -aG sudo jitsiadmin
This new user will now be able to use the ‘sudo’ command to run commands as root.
At this point, we have created our new user, but we haven’t yet disabled root – we will do that in a moment. First, we will enable private key authentication as a second line of defense.
Part 5 – Create Private Key Pair
Let’s now create our public and private key pair. The public key lives on the server, and the private key will be used to unlock access from any device that needs it.
When asked where to put the file, take the default. You can choose whether or not to enter in a passphrase – having a passphrase means that you need both the private key and passphrase to gain access. It provides an additional layer of security.
Once your keys have been created, you will find them in /home/root/.ssh – there should be id_rsa (private key) and id_rsa.pub (public key) files in that directory.
Next, we need to copy that key to the newly created user’s account:
ssh-copy-id jitsiadmin@[server IP]
Choose ‘yes’ when asked if you want to continue, and enter jitsiadmin’s password when prompted.
This command will copy the public key to the jitsiadmin user’s ~/.ssh directory as an authorized_keys file. You can now use the private key to authenticate with this server as user jitsiadmin.
Part 6 – Modify SSH Settings
The next step is to modify the SSH settings so that we will both disable root user access and password authentication. Start by editing the SSH configuration file:
nano -w /etc/ssh/sshd_config
Start by changing the default SSH port from 22 to something non-standard.
Find the line that says:
And change it to:
Port [different port number]
You can use any port number for your SSH connection, but I typically use port 2222 when I change to something non-standard.
Now scroll down until you find the line that says:
And change ‘yes’ to ‘no’:
This disables root user login. Next scroll down further and find:
Remove the # at the beginning and again change ‘yes’ to ‘no’:
This disables password based authentication. (Private key authentication should already be enabled by default – you can verify this by ensuring that PubkeyAuthentication is set to ‘yes’ in the SSH config file).
Press CTRL+X followed by ‘Y’ and ‘Enter’ to save and exit.
*** NOTE: This next command commits these changes. If you lose connectivity because you made any mistakes, you should just destroy the Vultr server and start over. ALSO – keep this original PuTTY session open as you go through the next few steps…even after we restart SSH, this session will still be connected, so if you can’t connect in with the private key, you still have the opportunity to make changes.
Restart SSH with:
systemctl reload sshd
Part 7 – Download Private Key File
Now we need to download our private key file. Start by showing the contents of the id_rsa file:
Select the entire contents of the file with your mouse and press CTRL+INS to copy the text to your clipboard.
Next, open up a text editor such as Notepad and paste the entire block of text into a blank file. Save this file in a secure location.
Once saved, you can delete the id_rsa file from the server (though, you should probably test connectivity first if this is your first time making these changes):
Part 8 – Covert Private Key to PuTTY format
Before you can use your private key with PuTTY, you need to convert it to .PPK format. To do this, we’ll use another free program from the creators of PuTTY called PuTTYgen (you can download it from the same link as PuTTY above).
First, run PuTTYgen and click the ‘Load’ button. Browse to the private key file that you saved in step 7. When browsing for your private key, change the file type you are searching for from ‘PuTTY Private Key Files (*.ppk)’ to ‘All Files (*.*).’
Open your private key file, and you should receive a notice that the private key was successfully imported. Click OK to get off of this notification.
Now, click the ‘Save private key’ button and save your private key as a .ppk file (I usually just use the same directory that I used to save the original private key). You can now close PuTTYgen.
Part 9 – Log in as New User
Start a new PuTTY session – you can do this from the existing window by clicking the PuTTY icon in the upper left-hand corner and choosing ‘New Session.’
In the PuTTY window, enter the hostname of the server in the Host Name field and also change the SSH port to the port you changed SSH to in Part 6 of this guide.
Then, in the left-hand menu, expand the ‘SSH’ section underneath ‘Connection.’ Then click on ‘Auth.’ Here you will see a place to browse to your PuTTY .PPK private key file. Click ‘Browse…’ and find the .PPK file we created in Part 8.
Once you have the file loaded, click back on ‘Session’ at the top of the left-hand menu.
If you want to SAVE these connection details, you should now enter in a friendly name into the ‘Saved Sessions’ box and click the ‘Save.’ button.
Now click ‘Open,’ and you should get a ‘Login as:’ prompt. Enter in the name of the user that you created in Part 4 (in our case, it was jitsiadmin) and you should now connect to the server. If you have a passphrase on your private key pair, you will also be prompted for that passphrase.
Part 10 – Enable UFW Firewall
At this point, we have now secured our SSH connection pretty well. Now, let’s secure our server even more by using some firewall rules to lock everything down.
Ubuntu uses the UFW firewall, however it is not enabled by default. First, we are going to add all of the firewall rules that we need to connect to Jitsi, and then we will turn it on.
First, let’s allow our new SSH port and lock it down so that connections to this port are only allowed from our IP address:
sudo ufw allow from [IP address] to any port [SSH port number]
In this example, if your IP address is 220.127.116.11, and your SSH port is 2222, the command should be:
sudo ufw allow from 18.104.22.168 to any port 2222
Let’s also add a rule for Cockpit – which is an optional server monitoring GUI (don’t add this rule if you don’t plan on running Cockpit – it is optional…more info on Cockpit in Part 16 below):
sudo ufw allow from 22.214.171.124 to any port 9090
Once again, substitute 126.96.36.199 with your own IP address.
Next, let’s open up access to the ports that Jitsi needs. We’re going to allow connections to this server on HTTP, HTTPS, and UDP 10,000-20,000.
sudo ufw allow http sudo ufw allow https sudo ufw allow in 10000:20000/udp
At this point, we will now turn on our UFW firewall and take a look at the rules that we created.
sudo ufw enable
When prompted whether or not to proceed, choose yes.
Let’s take a look at our rules:
sudo ufw status
You should see something similar to this:
The firewall is now running, and if you test your PuTTY connection again, you should still be able to connect. But – if you test connecting in on the standard SSH port 22, you will not be able to connect.
Part 11 – Update Server
Now that access to the server is secured, let’s run our system updates.
sudo apt update sudo apt upgrade -y sudo apt dist-upgrade -y
It’s possible that no updates will be needed, but if you are asked whether or not to proceed on any of these steps, just answer Y.
Part 12 – Configure Time Zone
Set up your Time Zone by running:
sudo dpkg-reconfigure tzdata
A pink bordered window will appear – select your geographic area (use America for United States) and then select your city/time zone from the list. You can press TAB, arrow keys, and SPACE to move around these screens and make selections.
Once your time zone has been selected, press OK, and you’re done with Step 6.
Part 13 – Configure NTP
NTP (Network Time Protocol) can be installed by running:
sudo apt install ntp
You can make sure the NTP service has started and is running by typing:
service ntp status
You should see that NTP is ‘active (running).’ If you type:
Your local time should show correctly (in 24-hour format).
Part 14 – Install Cockpit (optional)
Next we are going to install Cockpit – Cockpit is a system monitoring software for viewing CPU/RAM/Disk space. You can read more about Cockpit here: https://cockpit-project.org/
Install Cockpit by running:
sudo apt install cockpit -y
Once installed, you should be able to browse to https://[server IP or FQDN]:9090. Log in with the credentials you created in Part 4. Note that this service may get blocked in Google Chrome (try FireFox).
Part 15 – Set up autoremove
As you run updates to your server, older versions of the Linux kernel are no longer needed, and they can potentially fill up your boot volume. To prevent this from happening, we can run:
sudo apt autoremove -y
(Go ahead and run this now). This clears out older versions that are no longer necessary, but this command should also be scheduled to run on a regular basis. To do this,
sudo sh -c 'echo "sudo apt autoremove -y" >> /etc/cron.monthly/autoremove'
This creates a new file called ‘autoremove’ in the /etc/cron.monthly directory which will automatically run once a month – but in order to run, this file must be made executable:
sudo chmod +x /etc/cron.monthly/autoremove
Now we’re good to go.
Part 16 – Install Jitsi
Finally it’s time to install Jitsi! First, we will add the Jitsi package repository and GPG key with these two commands:
sudo wget -qO - https://download.jitsi.org/jitsi-key.gpg.key | sudo apt-key add - sudo sh -c "echo 'deb https://download.jitsi.org stable/' > /etc/apt/sources.list.d/jitsi-stable.list"
Next update your package list:
sudo apt update
And finally install the full Jitsi package (I say full Jitsi package because it is possible to install various Jitsi components separately – however, that is beyond the scope of this guide):
sudo apt install jitsi-meet -y
During installation, you will be asked for the hostname of the server – enter in your hostname (ie. jitsi.crosstalksolutions.com).
You will also be asked if you want to generate a new self-signed certificate, or if you want to use your own certificate. Choose option 1 since we will be installing Let’s Encrypt in the next step.
Installation should only take about 1 minute or so. Once complete, run this command to install Let’s Encrypt:
You will be prompted for your email address – enter it and press ENTER.
You have now successfully installed Jitsi! Let’s test it out. Open your browser and navigate to https://[your Jitsi FQDN] – you should see a screen like this:
Type a name for your conference in the box (or take one of their randomly generated names) and then press ‘GO.’ Your video conference has now started!
As the moderator of the Jitsi conference, use the ‘i’ info box in the bottom right-hand corner of the screen to copy your Jitsi link and share it with others. You can also add a password for your Jitsi video conference if you want (recommended).
That’s it – you’re up and running – enjoy your new Jitsi server!
If you found this guide helpful, you can always:
Now that you’ve set up your Jitsi server – how about adding some authentication so that it’s not open to the whole wide world? Check out my other blog post How To: Jitsi Server Authentication!