Mumble Server Setup

Posted on Nov 21, 2018

This post will cover the complete process of setting up a Mumble server utilising Digital Ocean as a VPS provider and using a custom domain bought through a domain registrar. The following was created on a Ubuntu 16.04 droplet but should be very similar if not the same on other distributions. Although the majority of people have moved to proprietary options such as Discord, I prefer to use Mumble as it is the better option for privacy and freedom. Usually I run a Mumble server on a Raspberry Pi 2 in my homelab, however I recently set it up on Digital Ocean and thought I would document the process as I did not find any posts detailing the entire procedure.

Part 0 - Prerequisites

In order to follow this, you will need a Digital Ocean account and a domain you have purchased from your registrar of choice. As always I am using Gandi for this.

You will also need to use the following software: a browser, a terminal, SSH, a text editor, Mumble-Server and the Mumble client.

Part 1 - Droplet Creation

1. Generate SSH Keys

NOTE: If you already have SSH keys setup you can skip this step.

$ ssh-keygen

Hit enter to use the standard name and location for your keys. Next you will be asked for a passphrase, whether you choose to use this is up to you, however I would suggest doing so.

Keys are stored in the .ssh/ folder and are suitably named.

2. Creating a Droplet

To create the droplet, simply go to the Create dropdown menu on the top right of your Digital Ocean account and select droplet. You will then be taken to a basic configuration page for a new droplet. The following is what will need to be changed/selected.

  • Choose operating system - here we have chosen Ubuntu 16.04
  • Choose droplet specs - the first basic option will do for a Mumble server (1GB mem/1vCPU)
  • Choose datacenter region closest to you
  • Copy and paste SSH public key you created/already had(alternatively you can add one later, it’s covered in step 6)
  • Choose hostname
  • Click Create

3. SSH into Droplet

Now that you have created the droplet, let’s attempt to connect using SSH.

$ ssh root@your_server_ip

Since we pasted in our public key, we were able to SSH into the droplet easily. If you did not setup SSH in the droplet creation stage you would be asked for a password when attempting to connect. This would have been sent to you via email if no public SSH key was entered.

Part 2 - Ubuntu Configuration

4. Update VPS

On a Ubuntu machine updates can be achieved by carrying out the following commands:

This will update the package lists on the machine.

$ apt update

This will show which packages have updates available.

$ apt list --upgradable

Finally this will upgrade those packages.

$ apt upgrade -y

5. Add New User

Generally it is not considered good security practice to run services as root when not required. As such we will make a new user aptly called mumble.

$ adduser mumble

We will then add this user to the sudo group with the following command:

$ usermod -aG sudo mumble

Change to the user by running:

$ su - mumble

6. Add SHH Key for New User

Since we created a key pair earlier we will use the same one for the mumble user. On your own machine view your public key by using:

$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf localuser@machine.local

Now copy all of this to your clipboard so we can paste it to the server in a minute.

On the server, let’s create the SSH folder and restrict it’s permissions.

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh

Now create a file called authorized_keys in that .ssh/ folder and paste your public key inside.

$ nano ~/.ssh/authorized_keys

Save and exit once you have pasted the public key inside this new file. Finally, restrict the file permissions.

$ chmod 600 ~/.ssh/authorized_keys

If you now exit as your user and exit again as root you should be able to SSH into the droplet as your new user using the following:

$ ssh mumble@your_server_ip

7. Add Rules and Enable UFW

Next we will setup Uncomplicated Firewall (UFW) and allow SSH. We can see the OpenSSH profile by typing:

$ sudo ufw app list
Available applications:
  OpenSSH

To allow SSH and then enable the firewall, enter the following:

$ sudo ufw allow OpenSSH
$ sudo ufw enable

To determine whether SSH has been allowed, use the following to verify:

$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)

8. Disable SSH Password Authentication

Since we setup SSH keys we should remove the ability to login using a password.

If you entered your public key when creating the droplet this option will already be disabled. If not, open the SSH config file.

$ sudo nano /etc/ssh/sshd_config

Look for the line, PasswordAuthentication and change it to the following:

PasswordAuthentication no

Make sure the line has been uncommented by removing any # at the beginning of the line. Save the changes and exit.

Now reload the SSH daemon:

$ sudo systemctl reload sshd

Part 3 - Install and Configure Mumble

9. Install Mumble

On Ubuntu installing Mumble as a server is as simple as running:

$ sudo apt install mumble-server

NOTE: Ubuntu has both a package for the Mumble client and server, these are mumble and mumble-server respectively.

10. Configure Mumble

10.1. Server Boot, High Priority and SuperUser

Now run the following configuration wizard:

$ sudo dpkg-reconfigure mumble-server

You will be asked whether you want to start Mumble on boot, I suggest selecting ‘Yes’. You will also be asked whether you want to allow Mumble to use higher priority, again I suggest selecting ‘Yes’ to aid server latency. You will then be prompted to enter a password for the SuperUser within Mumble. As always, this should be a strong password.

10.2. Configuration File Changes

For further configuration you will need to edit the config file located at /etc/mumble-server.ini. The file is fairly self explanatory, however if you don’t understand any of the parameters you can simply look at the documentation on the Mumble website.

The parameters that I typically change are the following:

  • Welcome text
  • Server password
  • Bandwidth
  • Users
  • Register name
  • SSL cert/SSL key

The welcome text is viewable when someone joins the server and allows for HTML.

welcometext="Welcome to this server."

The server password will be a requirement for users to enter in order to join the server.

NOTE: If you enter a server password your Mumble server will not show in the public listing, this isn’t an issue if you only intend on using it between people you know.

serverpassword=ExamplePassword

Setting the bandwidth limit to 128000 allows for high audio quality.

bandwidth=128000

User limits will largely depend on what device your server is running on and how many people you intend on using the server.

users=30

Changing the registerName will change the main channel name to whatever you specifiy. By default if you don’t change this it will be Root.

registerName=Test Mumble Server

The SSL cert and SSL key will be added once the Let’s Encrypt certificates have been provisioned. If you do not enter any certificates here, the server will automatically use self-signed certificates which must be manually allowed by all users.

sslCert=
sslKey=

There are many more settings, so it is up to you whether you make further amendments. If you would like your server to be publically available in the listing you must also change the registerHostname, registerName, registerPassword and registerUrl parameters as well as not including a server password as mentioned above.

Anytime changes are made to the config file, you must restart the service for ammendments to be applied.

$ sudo service mumble-server restart

Part 4 - Add DNS Record for VPS

11. Add A Record at Domain Registrar

In order to use our domain we need to create an A record to point at the IP address of the Digital Ocean droplet that we are using.

Create DNS Record

In this example I have use the ‘mumble’ subdomain so that the domain can also be used for other things in an orderly fashion. As such, people would use mumble.example.com to connect, for example.

12. Attempt to Connect from Mumble Client

Now that we have added updated the DNS records you should be able to determine whether the Mumble server is reachable using your domain. To work this out, we will first install the Mumble client. Either go to the Mumble website and get the download you require or if on Ubuntu enter the following in your terminal:

$ sudo apt install mumble

Now let’s attempt to connect to the server from within the client. Do this by going to Add New to add a new server.

Mumble Client Connect
Mumble Server Reachable

As we can see in the second image, without connecting to the server we can already tell it is reachable (ping). As such we can confirm the DNS record change has been successful.

Part 5 - Let’s Encrypt Certificates

13. Install Certbot

First add the package repository.

$ sudo add-apt-repository ppa:certbot/certbot

Then update the package lists and install Certbot.

$ sudo apt update
$ sudo apt install certbot

14. Allow Through Firewall

NOTE: Port 80 or 443 must be allowed through the firewall in order for this to work.

To allow port 80 or 443 through the firewall, simply add a rule to allow.

$ sudo ufw allow 443
$ sudo ufw allow 80
$ sudo ufw enable

15. Run Certbot

Now to run Certbot, remember to change the domain and email address to your own.

NOTE: If your domain entry is not valid for the subdomain/domain you are about to use, this will not work. Make sure you have configured that first.

$ sudo certbot certonly --standalone -d mumble.example.com --email your-email@example.com --agree-tos --non-interactive

You should see a Congratulations! message if everything worked as well as the location of the certificates.

16. Add Certs Group

We will make a group for the certificates aptly named certs.

$ sudo addgroup certs

17. Add User to Certs Group

Now we will add the mumble user to the certs group so they are able to read the certificates.

$ sudo usermod -aG certs mumble

18. Change Certificate Permissions

Now we need to change the permissions of the folders where the certificates are stored.

$ sudo chown root:certs /etc/letsencrypt/live
$ sudo chmod 750 /etc/letsencrypt/live
$ sudo chown root:certs /etc/letsencrypt/archive
$ sudo chmod 750 /etc/letsencrypt/archive

19. Automatic Renewal

As Let’s Encrypt certificates only last 90 days, automatic renewal is important to set up. With the current Certbot package a Cronjob is automatically created to renew the certificate (this was not the case with previous versions). However it is worth checking every now and then by simply typing the following:

$ sudo certbot renew

20. Add Let’s Encrypt to Mumble Configuration

Now that we have our certificates, we need to enter the location of these in the Mumble config file.

$ sudo nano /etc/mumble-server.ini

Scroll down to the lines where sslCert and sslKey are and enter the location of the ones created with Let’s Encrypt.

sslCert=/etc/letsencrypt/live/mumble.example.com/fullchain.pem
sslKey=/etc/letsencrypt/live/mumble.example.com/privkey.pem

Now save and restart the Mumble service.

$ sudo service mumble-server restart

Part 6 - Mumble Client Configuration

21. Join Server as SuperUser

To join as SuperUser simply enter the username (case sensitive), you will then be prompted with a password for the SuperUser below username. As SuperUser you can add channels/ACL rules, set privileges etc.

22. Join Server as Generic User

Once a username has been selected and you attempt to connect, you will be prompted with a server password. This is the password that all users will have to enter in order to connect to the server.

23. Run Through Audio Wizard

I advise running through the audio wizard which can be found through Configure > Audio Wizard as it is beneficial to set tolerances for your microphone so as to not clip or activate speech whilst silent. Other users will thank you. I also advise setting the quality settings to high in the wizard.

You should now have a fully fledged Mumble server using your own custom domain and Let’s Encrypt certificates.