Mumble Server Setup
This post will cover the complete process of setting up a Mumble server utilising Digital Ocean as a VPS provider and using a custom domain bought through a domain registrar. The following was created on an Ubuntu 16.04 droplet but should be very similar if not the same on other distributions. Although the majority of people have moved to proprietary options such as Discord, I prefer to use Mumble as it is the better option for privacy and freedom. Usually I run a Mumble server on a Raspberry Pi 2 in my homelab, however I recently set it up on Digital Ocean and thought I would document the process as I did not find any posts detailing the entire procedure.
Part 0 - Prerequisites
In order to follow this, you will need a Digital Ocean account and a domain you have purchased from your registrar of choice. As always I am using Gandi for this.
You will also need to use the following software: a browser, a terminal, SSH, a text editor, Mumble-Server and the Mumble client.
Part 1 - Droplet Creation
1. Generate SSH Keys
NOTE: If you already have SSH keys set up you can skip this step.
$ ssh-keygen
Hit enter to use the standard name and location for your keys. Next you will be asked for a passphrase; whether you choose to use one is up to you, however I would suggest doing so.
Keys are stored in the .ssh/ folder and are suitably named.
2. Creating a Droplet
To create the droplet, simply go to the Create dropdown menu on the top right of your Digital Ocean account and select droplet. You will then be taken to a basic configuration page for a new droplet. The following is what will need to be changed/selected.
- Choose operating system - here we have chosen Ubuntu 16.04
- Choose droplet specs - the first basic option will do for a Mumble server (1GB mem/1vCPU)
- Choose datacenter region closest to you
- Copy and paste the SSH public key you created/already had (alternatively you can add one later; it’s covered in step 6)
- Choose hostname
- Click Create
3. SSH into Droplet
Now that you have created the droplet, let’s attempt to connect using SSH.
$ ssh root@your_server_ip
Since we pasted in our public key, we were able to SSH into the droplet easily. If you did not set up SSH in the droplet creation stage you would be asked for a password when attempting to connect. This would have been sent to you via email if no public SSH key was entered.
Part 2 - Ubuntu Configuration
4. Update VPS
On an Ubuntu machine updates can be achieved by carrying out the following commands:
This will update the package lists on the machine.
$ apt update
This will show which packages have updates available.
$ apt list --upgradable
Finally this will upgrade those packages.
$ apt upgrade -y
5. Add New User
Generally it is not considered good security practice to run services as root when not required. As such we will make a new user aptly called mumble.
$ adduser mumble
We will then add this user to the sudo group with the following command:
$ usermod -aG sudo mumble
Change to the user by running:
$ su - mumble
6. Add SSH Key for New User
Since we created a key pair earlier we will use the same one for the mumble user. On your own machine view your public key by using:
$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf localuser@machine.local
Now copy all of this to your clipboard so we can paste it to the server in a minute.
On the server, let’s create the SSH folder and restrict its permissions.
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
Now create a file called authorized_keys in that .ssh/ folder and paste your public key inside.
$ nano ~/.ssh/authorized_keys
Save and exit once you have pasted the public key inside this new file. Finally, restrict the file permissions.
$ chmod 600 ~/.ssh/authorized_keys
If you now exit as your user and exit again as root you should be able to SSH into the droplet as your new user using the following:
$ ssh mumble@your_server_ip
7. Add Rules and Enable UFW
Next we will set up Uncomplicated Firewall (UFW) and allow SSH. We can see the OpenSSH profile by typing:
$ sudo ufw app list
Available applications:
OpenSSH
To allow SSH and then enable the firewall, enter the following:
$ sudo ufw allow OpenSSH
$ sudo ufw enable
To determine whether SSH has been allowed, use the following to verify:
$ sudo ufw status
Status: active
To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
8. Disable SSH Password Authentication
Since we set up SSH keys we should remove the ability to log in using a password.
If you entered your public key when creating the droplet this option will already be disabled. If not, open the SSH config file.
$ sudo nano /etc/ssh/sshd_config
Look for the line PasswordAuthentication and change it to the following:
PasswordAuthentication no
Make sure the line has been uncommented by removing any # at the beginning of the line. Save the changes and exit.
Now reload the SSH daemon:
$ sudo systemctl reload sshd
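A check for the edit above, added here as an example and not part of the original post: the function reports the PasswordAuthentication value that applies globally in an sshd_config-style file, where the first uncommented occurrence wins and the default is yes. The function name and the sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original post).
# Rules modelled here: "#" lines are comments, keywords are case-insensitive,
# the FIRST occurrence of a keyword wins, settings after a "Match" line are
# conditional, and the default when nothing is set is "yes".

effective_password_auth() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }           # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)               # whitespace (an "=" is tolerated too)
            key = tolower(f[1]); val = tolower(f[2])
        }
        key == "match" { exit }                     # global section ends here
        key == "passwordauthentication" { print val; found = 1; exit }
        END { if (!found) print "yes" }             # sshd default
    ' "$1"
}

# Constructed sample: "no" was appended at the bottom, below an active "yes",
# so it is never applied.
demo_cfg=$(mktemp)
cat > "$demo_cfg" <<'EOF'
Port 22
#PasswordAuthentication no
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

if [ "$(effective_password_auth "$demo_cfg")" = "no" ]; then
    echo "OK: password logins are disabled"
else
    echo "WARNING: password logins are still enabled"
fi
rm -f "$demo_cfg"
```

On the server itself, `sudo sshd -T | grep -i passwordauthentication` prints the value the daemon actually resolves.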
Part 3 - Install and Configure Mumble
9. Install Mumble
On Ubuntu installing Mumble as a server is as simple as running:
$ sudo apt install mumble-server
NOTE: Ubuntu has packages for both the Mumble client and server; these are mumble and mumble-server respectively.
10. Configure Mumble
10.1. Server Boot, High Priority and SuperUser
Now run the following configuration wizard:
$ sudo dpkg-reconfigure mumble-server
You will be asked whether you want to start Mumble on boot; I suggest selecting ‘Yes’. You will also be asked whether you want to allow Mumble to use higher priority; again I suggest selecting ‘Yes’ to aid server latency. You will then be prompted to enter a password for the SuperUser within Mumble. As always, this should be a strong password.
10.2. Configuration File Changes
For further configuration you will need to edit the config file located at /etc/mumble-server.ini. The file is fairly self-explanatory, however if you don’t understand any of the parameters you can simply look at the documentation on the Mumble website.
The parameters that I typically change are the following:
- Welcome text
- Server password
- Bandwidth
- Users
- Register name
- SSL cert/SSL key
The welcome text is viewable when someone joins the server and allows for HTML.
welcometext="Welcome to this server."
The server password will be a requirement for users to enter in order to join the server.
NOTE: If you enter a server password your Mumble server will not show in the public listing, this isn’t an issue if you only intend on using it between people you know.
serverpassword=ExamplePassword
Setting the bandwidth limit to 128000 allows for high audio quality.
bandwidth=128000
User limits will largely depend on what device your server is running on and how many people you intend to have using the server.
users=30
Changing the registerName will change the main channel name to whatever you specify. By default, if you don’t change this, it will be Root.
registerName=Test Mumble Server
The SSL cert and SSL key will be added once the Let’s Encrypt certificates have been provisioned. If you do not enter any certificates here, the server will automatically use self-signed certificates which must be manually allowed by all users.
sslCert=
sslKey=
There are many more settings, so it is up to you whether you make further amendments. If you would like your server to be publicly available in the listing you must also change the registerHostname, registerName, registerPassword and registerUrl parameters as well as not including a server password as mentioned above.
Any time changes are made to the config file, you must restart the service for the amendments to be applied.
$ sudo service mumble-server restart
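Step 7 enabled UFW with only OpenSSH allowed, and Mumble clients connect on the server's port setting (64738 by default, over both TCP and UDP). As an added example that is not from the original post, this script reads `ufw status` output and reports which protocols have no allow rule for that port; the function names and the sample output are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). Assumes Mumble's default port
# 64738 (the "port" setting in /etc/mumble-server.ini). Only the IPv4 rows
# of the status table are evaluated.

# ufw_allows PORT PROTO   (reads `ufw status` output on stdin)
# A row matches if its "To" column is PORT or PORT/PROTO, its action is
# ALLOW (or "ALLOW IN" in verbose output) and the source is Anywhere.
ufw_allows() {
    awk -v port="$1" -v proto="$2" '
        ($1 == port || $1 == (port "/" proto)) && $2 == "ALLOW" {
            from = ($3 == "IN") ? $4 : $3
            if (from == "Anywhere") ok = 1
        }
        END { exit !ok }
    '
}

# missing_mumble_rules [PORT]   (prints each protocol with no allow rule)
missing_mumble_rules() {
    rules=$(cat)
    for proto in tcp udp; do
        printf '%s\n' "$rules" | ufw_allows "${1:-64738}" "$proto" || echo "$proto"
    done
}

# Constructed sample: the status output from step 7 plus a TCP-only rule.
sample_status='Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
64738/tcp                  ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
64738/tcp (v6)             ALLOW       Anywhere (v6)'

missing=$(printf '%s\n' "$sample_status" | missing_mumble_rules)
echo "protocols without an allow rule: ${missing:-none}"
```

On the server, pipe the real output in with `sudo ufw status | missing_mumble_rules`. A rule in the same form as the ones in step 14, for example `sudo ufw allow 64738`, covers both protocols; with only TCP allowed the client has to tunnel voice over TCP.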
Part 4 - Add DNS Record for VPS
11. Add A Record at Domain Registrar
In order to use our domain we need to create an A record to point at the IP address of the Digital Ocean droplet that we are using.
In this example I have used the ‘mumble’ subdomain so that the domain can also be used for other things in an orderly fashion. As such, people would use mumble.example.com to connect, for example.
12. Attempt to Connect from Mumble Client
Now that we have updated the DNS records you should be able to determine whether the Mumble server is reachable using your domain. To work this out, we will first install the Mumble client. Either go to the Mumble website and get the download you require or, if on Ubuntu, enter the following in your terminal:
$ sudo apt install mumble
Now let’s attempt to connect to the server from within the client. Do this by going to Add New to add a new server.
As we can see in the second image, without connecting to the server we can already tell it is reachable (ping). As such we can confirm the DNS record change has been successful.
Part 5 - Let’s Encrypt Certificates
13. Install Certbot
First add the package repository.
$ sudo add-apt-repository ppa:certbot/certbot
Then update the package lists and install Certbot.
$ sudo apt update
$ sudo apt install certbot
14. Allow Through Firewall
NOTE: Port 80 or 443 must be allowed through the firewall in order for this to work.
To allow port 80 or 443 through the firewall, simply add a rule to allow.
$ sudo ufw allow 443
$ sudo ufw allow 80
$ sudo ufw enable
15. Run Certbot
Now to run Certbot, remember to change the domain and email address to your own.
NOTE: If your domain entry is not valid for the subdomain/domain you are about to use, this will not work. Make sure you have configured that first.
$ sudo certbot certonly --standalone -d mumble.example.com --email your-email@example.com --agree-tos --non-interactive
You should see a Congratulations! message if everything worked, as well as the location of the certificates.
16. Add Certs Group
We will make a group for the certificates aptly named certs.
$ sudo addgroup certs
17. Add User to Certs Group
Now we will add the mumble user to the certs group so they are able to read the certificates.
$ sudo usermod -aG certs mumble
18. Change Certificate Permissions
Now we need to change the permissions of the folders where the certificates are stored.
$ sudo chown root:certs /etc/letsencrypt/live
$ sudo chmod 750 /etc/letsencrypt/live
$ sudo chown root:certs /etc/letsencrypt/archive
$ sudo chmod 750 /etc/letsencrypt/archive
19. Automatic Renewal
As Let’s Encrypt certificates only last 90 days, automatic renewal is important to set up. With the current Certbot package a cron job is automatically created to renew the certificate (this was not the case with previous versions). However, it is worth checking every now and then by simply typing the following:
$ sudo certbot renew
20. Add Let’s Encrypt to Mumble Configuration
Now that we have our certificates, we need to enter the location of these in the Mumble config file.
$ sudo nano /etc/mumble-server.ini
Scroll down to the lines where sslCert and sslKey are and enter the location of the ones created with Let’s Encrypt.
sslCert=/etc/letsencrypt/live/mumble.example.com/fullchain.pem
sslKey=/etc/letsencrypt/live/mumble.example.com/privkey.pem
Now save and restart the Mumble service.
$ sudo service mumble-server restart
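The renewal in step 19 replaces the certificate files on disk, while the running server keeps the certificate it loaded when it last started. An added example, not from the original post: a Certbot deploy hook that restarts Mumble only when the renewed certificate is the one sslCert points to. MUMBLE_INI and RESTART_CMD are names made up for this example; RENEWED_LINEAGE is set by Certbot.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Certbot deploy hook.
# Certbot sets RENEWED_LINEAGE to the live directory of the certificate it
# just renewed, e.g. /etc/letsencrypt/live/mumble.example.com.
# MUMBLE_INI and RESTART_CMD are this example's own names, not Certbot's.

MUMBLE_INI="${MUMBLE_INI:-/etc/mumble-server.ini}"
RESTART_CMD="${RESTART_CMD:-service mumble-server restart}"

# ini_value KEY FILE: value of the first uncommented "KEY=value" line,
# with surrounding quotes and trailing whitespace removed.
ini_value() {
    awk -F= -v k="$1" '
        { key = $1; gsub(/[ \t]/, "", key) }
        key == k {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); gsub(/"/, "")
            print; exit
        }
    ' "$2"
}

# Returns 0 after restarting, 1 if the renewal does not concern Mumble.
restart_if_mumble_cert() {
    cert=$(ini_value sslCert "$MUMBLE_INI")
    [ -n "$cert" ] || { echo "sslCert not set in $MUMBLE_INI" >&2; return 1; }
    [ "$(dirname "$cert")" = "${RENEWED_LINEAGE%/}" ] || return 1
    $RESTART_CMD
}

# Act only when Certbot invokes the script as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    restart_if_mumble_cert || true
fi
```

Saved as an executable file in /etc/letsencrypt/renewal-hooks/deploy/, or passed to Certbot with `--deploy-hook`, it runs after each successful renewal; both assume a Certbot release that supports deploy hooks.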
Part 6 - Mumble Client Configuration
21. Join Server as SuperUser
To join as SuperUser, simply enter the username SuperUser (case sensitive); you will then be prompted for the SuperUser password below the username. As SuperUser you can add channels/ACL rules, set privileges etc.
22. Join Server as Generic User
Once a username has been selected and you attempt to connect, you will be prompted for the server password. This is the password that all users will have to enter in order to connect to the server.
23. Run Through Audio Wizard
I advise running through the audio wizard, which can be found through Configure > Audio Wizard, as it is beneficial to set tolerances for your microphone so as to not clip or activate speech whilst silent. Other users will thank you. I also advise setting the quality settings to high in the wizard.
You should now have a fully fledged Mumble server using your own custom domain and Let’s Encrypt certificates.