User Tools

Site Tools


video conferencing


Many people communicate on a day to day basis using tools like Google Hangouts, Skype, Whatsapp and what have you. What do most of these tools have in common? Well, though they're meant to communicate, they're only open as long as you communicate with other people who make use of the same proprietary solution, i.e. they don't support open standards like XMPP or SIP. Google used to support XMPP in Google Talk, however XMPP isn't supported anymore since they moved to the current Google Hangouts.

Anyway, the good news is: we can do it ourselves…, oh, Yes We Can 8-)

Let's build a solution that allows us to chat, transfer files, phone and videophone without having to use a proprietary tool and without having to get an additional contract with a service provider or telco.

We'll use the ejabberd software as backend XMPP-solution as it is an open source, scalable, robust and secure solution that is available through the default Debian Wheezy software repository. In addition to the server we chose to install Jitsi on the clients as Jitsi is an open source XMPP-client that is full featured. Also, Jitsi packages are available for many desktop platforms and packages for mobile devices are being developed.


prepare DNS

First we have to plan which domain we'll use for our XMPP-server. Assuming we chose the domain '' to be configured on our XMPP-server named 'jabber', then the identity of our XMPP-users, which is called 'JID', would become, etc. Just like e-mail, that is. Also just like e-mail, we have to tell DNS how the XMPP-clients and external XMPP-servers can reach our server. In order to prepare DNS, add SRV-records like so to the '' domain (assuming an A-record for '' already exists):

_xmpp-client._tcp 900 IN SRV 5 0 5222
_xmpp-server._tcp 900 IN SRV 5 0 5269
_jabber._tcp      900 IN SRV 5 0 5269

You can check your new entries like so:

dig -t srv

prepare firewall

After installation of the ejabberd server, several TCP-ports will be opened up on the server. It's advisable to only allow external traffic to and from the following ports (as long as you don't change the default values):

allow for public
  • tcp/5222 # XMPP-client traffic
  • tcp/5269 # XMPP-server traffic
  • tcp/7777 # XMPP-filetransfer traffic (via mod_proxy65 (SOCKS5 bytestreams)
allow for admin only
  • tcp/4369 # ejabberdctl tool
  • tcp/5280 # HTTP admin-interface
  • tcp/5275 # video-bridge traffic

install ejabberd server

Installation of the ejabberd server is rather easy as a pre-compiled software package is available through the default Debian Wheezy software repository. So, just install the server:

apt-get install ejabberd

server configuration

During the installation process a basic setup is stored in the ejabberd database (this is a mnesia-database as ejabberd is written in Erlang). Let's customize the newly created ejabberd configuration. The main configuration file is /etc/ejabberd/ejabberd.cfg When you take a look at this file you'll notice that comments start with '% %' characters, and lines finish with a ‘.’ character. Ok, first we have to tell ejabberd that we want to override the initial configuration. Uncomment the 'override_acls.'-directive:

%% Remove the Access Control Lists before new ones are added.

Then configure the admin-user:

%% Admin user
{acl, admin, {user, "fred", ""}}.

Check the hostname of the server.

%% Hostname
{hosts, [""]}.

If you want to serve more domains, you can configure a hosts-directive like so:

%% hosts: Domains served by ejabberd.
%% You can define one or several, for example:
{hosts, ["", "", ""]}.

Now let's adjust the default XMPP client-listener (c2s) so that ejabberd also supports IPv6. In addition, we want TLS to be required for all of the client connections. The self-signed certificate '/etc/ejabberd/ejabberd.pem' has been created by debconf. Of course you could use your own certificate instead.

  {5222, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        starttls, starttls_required, {certfile, "/etc/ejabberd/ejabberd.pem"}

Now we want to also allow inter XMPP-server traffic (s2s) over IPv6. Here we don't have to add a starttls-directive as tls is enabled by default for s2s traffic.

{5269, ejabberd_s2s_in, [
                         {shaper, s2s_shaper},
                         {max_stanza_size, 131072}

and further below we can modify these optione:

%% Outgoing S2S options
%% Preferred address families (which to try first) and connect timeout
%% in milliseconds.
%%{outgoing_s2s_options, [ipv4, ipv6], 10000}.
{outgoing_s2s_options, [ipv6, ipv4], 5000}.

If you change the name/location of the certificate, don't forget to check the server to server-directive around line numer 206 of the configuration file:

%% s2s_certfile: Specify a certificate file.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

Fine, now we're done. Let's restart the server and check if things are OK. Ejabberd logfiles are stored in /var/log/ejabberd

service ejabberd restart

Check the status of ejabberd:

ejabberdctl status

or check if the listeners have come up:

netstat -nalp |egrep '5222|5269'

If you encounter any UUP's (i.e. Unidentified Unsolved Problems), you might want to increase the ejabberd server's loglevel from 4 to 5:

{loglevel, 5}.

server administration

Most of the ejabberd server administration can be done through the 'ejabberdctl' tool. Try:

ejabberdctl help help

You can create and register a new user like so:

ejabberdctl register fred 'h1spassw00rd'
ejabberdctl register user2 'h1spassw00rd'
ejabberdctl register user3 'h1spassw00rd'

Look who is connected to your server:

ejabberdctl connected_users
ejabberdctl connected_users_info   

There is also 'Web Admin', a small admin webinterface you can check out at:

More information on 'Web Admin' is available at

However, we prefer the cli anyway :-)


For conferencing by using a central-server, with all clients connected to this in a star-topology, a bridge is available from jitsi. It is named 'video-bridge'.


Get the software from

Create a useraccount:

groupadd jitsi
useradd -d /opt/jitsi-videobridge-linux-x64 -s /bin/bash -g jitsi jitsi
chown -R jitsi.jitsi /opt/jitsi-videobridge-linux-x64

Add an entry to /etc/hosts

... yourhostname

Install software from the debian-repository:

apt-get install  unzip  default-jre-headless

Install the video-bridge:

su - jitsi
unzip /tmp/
mv jitsi-videobridge-linux-x64-65/lib .
mv jitsi-videobridge-linux-x64-65/ .
mv jitsi-videobridge-linux-x64-65/jitsi-videobridge.jar jitsi-videobridge-v65.jar

Create a start-script /opt/jitsi-videobridge-linux-x64/start-bridge with content:

${HOME}/ --secret=VerySecretpw --domain='' --host='localhost' --port=5275

Set the properties:

chmod 700 start-bridge

Now we have to make some additions/changes to the /etc/ejabberd/ejabberd.cfg

Add a listener in the ejabberd Use the same port as mentioned above.

  {5275, ejabberd_service, [
                {host, "", [{password, "VerySecretpw"}]}

Raise the traffic-shaper values in ejabberd

%% The "normal2" shaper limits traffic speed to 300.000 B/s while using the jitsi-videobridge
{shaper, normal2, {maxrate, 100000}}.

Activate the trafficshaper, at the paragraph 'ACCESS RULES' and replace normal for normal2:

%% For all users except admins used "normal" shaper
{access, c2s_shaper, [{none, admin},
                       {normal2, all}]}.

Restart ejabberd.

Check for the Listener-port to open.

Start the bridge by running the start-bridge script as the user jitsi:

nohup ./start-bridge &


Use the client from

picoenterprise/xmpp.txt · Last modified: 2013/12/09 16:49 by Luc Nieland