MATRIX calls…
…from behind the NAT. Can you hear it?
What (are you smoking)?
Haven’t you heard? In the ocean of FOSS tools and VoIP clients that is out there, fighting for dominance, especially in times of COVID, it can be easy to lose the way and end up using proprietary cr… stuff.
Do not fret however! There is still hope and it comes in the form of one matrix.org!
What (is MATRIX)?
MATRIX is a dedicated chat service that (potentially) provides everything from text-based conversations to VoIP-based conference calls where you and your colleagues watch the same Michael Reeves PissBot video at the same time.
I said potentially
Why potentially? Well…
“Come closer…” I say as I look left and right, completely unsuspiciously, yet still fearing the wrath of the Teams and Slack gods that currently rule this disease-riddled mess of a planet.
“And the best thing? It’s all end-to-end encrypted! Isn’t that just amaz- THEY NOTICED US! RUN!”
What (do I need to do)?
You can either use the centrally hosted service of matrix.org or, like a big boy, host a synapse server yourself.
For this, the process is pretty straight forward:
- Setup a linux server.
- Install and configure MATRIX synapse.
- Install and configure a TURN server.
- Reconfigure MATRIX synapse to use that TURN server.
What (are we waiting for)?
That’s the spirit!
Linux server installation
First, you need a linux system with at least 1GB of Memory. It also helps if the system is reachable via the following ports:
| Port | Protocol | Function | Comment |
|---|---|---|---|
| 443 | TCP | HTTPS | Needed for general client functionality. |
| 3478 | UDP | TURN (VoIP) | Only neccessary if the TURN server is installed on the same Linux system. Can be ignored if the TURN traffic should be encrypted. |
| 5349 | TCP | TURNs (VoIP) | Only neccessary if the TURN server is installed on the same Linux system and the TURN traffic should be encrypted. |
Everything else is pretty much fair game and completely up to your use-case.
Feel free to experiment!
MATRIX synapse installation
After the linux system is setup and ready, you can proceed with the installation of MATRIX synapse.
For simplicities sake, please follow the documentation provided by matrix.org:
Please also make sure you check out the following segments:
Once you are done, you should be able to connect to your new synapse server over a MATRIX client like Element.
TURN server installation
At this moment, there are two ways to establish voice and video calls with your new synapse instance:
- Peer-to-Peer connection
- This requires both clients to enable this setting in a client, that actually supports Peer-to-Peer VoIP calls. Also this makes your Public IP address visible to other clients.
- Let your synapse server delegate calls to turn.matrix.org.
- It should be obvious that this more or less defeats the purpose of a self-hosted MATRIX synapse instance.
To circumvent this, you have to set up a TURN server. This server has the specific job to handle calls for your MATRIX synapse instance so you don’t have to worry about external factors.
This TURN server can be hosted on the same system as your synapse server. Just make sure the two services can reach each other and the client can reach both of them.
Please follow the following documentation to set up your TURN server:
Once you restarted the TURN server, the synapse server, and your client, you are able to place and receive calls over your new synapse instance.
The NAT part
One part that seems to be an ongoing issue with TURN(s) communication via NAT.
So, how did we solve this?
First, we made our Proxmox Host available via 5349 (TCP) and routed incoming traffic to the firewall. From there we routed the pakets over to our TURN/Synapse server:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
+--------+
|Internet|
+----+---+
|
+----
5349 +--+ external ip on proxmox
| | nat via iptables to firewall
| | +----
| |
+---------------------+--------ProxMox-+ |
| | +----+
| +----v---+ |
| +----+Firewall| |
| | +--------+ |
| | |
| NAT 5349 |
| | |
| | |
| | +-------------------+ |
| +-->Synapse/TURN server| |
| +-------------------+ |
| |
| |
+--------------------------------------+
After we had all this in place, it was time for the all important test call:
We are still working on that weird bug that makes me look like a low budget version of Chica from “Five Nights At Freddy’s”.
Other than that, we have yet to notice any problems with using this setup.
With that said, I hope you will have just as much success in setting up your MATRIX synapse instance! Good luck!