Setting Up A Private Mumble Server

As I mentioned in a recent post, I set up a private Mumble server for the richer set of options for working around a friend’s network problems and, given that Discord continues their steps toward demanding that you share personal information with people who are likely to eventually get hacked , opening you up to identity theft (i.e. age verification), that’s not the only reason I’m happy with my choice.

…so, here’s a quick overview of how you too can set up a private Mumble server with good security for voice (but not video) calls that you control. It’s not the most visually polished set of instructions, but it’s better than they were when I was just taking notes for my own future reference.

(If you’re running a podcast and want to be able to fine-tune the mix or want clean audio for a local transcription model like WhisperX (which apparently has the highest accuracy) when people might be talking over each other, it’s also nice that Mumble has built-in, open-source (i.e. auditable) support for recording each participant to a separate audio track that and doesn’t depend on a third-party server. Craig on the other hand… let’s just say I’m glad I haven’t needed more than OBS can do with a Mic vs. Firefox split yet.)

Instructions for Administrator:

Here are the steps for the most technically competent (or most willing to learn) person in your group to follow. You can run the server on Windows, macOS, or Linux and, since I run Kubuntu Linux LTS, I’ll also be providing more specific instructions that should work on any Debian-based Linux, including Mint.

First, you’re going to set up the server and your client, register an account with your preferred name, and grant it administrator privileges.

  1. If you’re running your server off your home PC, sign up with a free Dynamic DNS service so you can have a stable domain name for friends to add to their favourites/bookmarks.
    (I recommend one that’s compatible with the DNS-based version of Let’s Encrypt verification such as Dynu (what I use) or DuckDNS so you can have encryption without self-signed certificates and without having to open port 80 or 443 to passing bots.)
  2. Download and install both the mumble client and server. I installed both on my home PC. If you’re running a Debian-lineage distro, the packages to install are mumble and mumble-server and they should come with a ready-made set of systemd sandboxing rules, as can be inspected using systemd-analyze security mumble-server.service. (Overall exposure level for mumble-server.service: 2.1 OK 🙂 if you scroll to the bottom) …or you can run the client through Flatpak if you’re on Linux.
  3. If your install method didn’t do it for you, run the mumble server. This happens automatically with the Debian packages and, if you only want it to run some of the time, use sudo systemctl disable mumble-server.service to keep it from running on startup. You can use sudo systemctl start mumble-server.service and sudo systemctl stop mumble-server.service to turn it on and off. (If anyone’s interested, maybe I’ll write a quick guide on how to make double-clickable shell scripts out of them, including sudo prompts, and a tip on how to make those specific commands passwordless with /etc/sudoers)
  4. Open the mumble client. It should initially display the dialog from Configure > Audio Wizard... to set up your audio.
  5. Click the globe icon in the toolbar if the Mumble Server Connect dialog doesn’t open automatically,
  6. Set up a Favorites entry: You should see a single LAN entry for the server running on the same PC you’re on now. To avoid having to enter your username every time, right-click it and choose “Add to Favourites”, then the entry added to Favorites, choose Edit..., and fill out the username field. (If you don’t see it under LAN, click Add New... and fill in the IP address, your preferred username, and a friendly label manually.)
  7. Close the connect dialog and use Configure > Certificate Wizard... to create a certificate so you can authenticate without using a password every time.
  8. Click the Globe icon to re-open the connect dialog and double-click the entry in Favorites to re-connect to your server with your new certificate.
  9. Use Self > Register... to permanently bind your certificate to an entry in the server’s user database. (This will also lock the username associated with your certificate)
  10. Open the Mumble server’s log and look for a line that says Password for 'SuperUser' set to '...'. (If using Debian packages, run journalctl --unit mumble-server.service and type /Password followed by pressing Enter.)
  11. Login as SuperUser: Click the globe icon again, double-click the entry for the server under LAN (not Favorites) and enter SuperUser as the username and whatever password you got from that line in the log.
  12. Grant yourself admin permissions: Right-click Root in the channel/user list and choose Edit.... In the Groups tab, select “admin” from the drop-down box in the top Group section and then look down to the Members section and add yourself to the Members box (the left-most one) using the drop-down below it and the Add button. Then click OK. Your normal user now has admin privileges.

    NOTE: This dialog is how you control all permissioning. The Root channel is the server-wide permissions that everything will inherit from and you can create channels inside it with different permissions.

    NOTE: If Mumble doesn’t prompt you about the “mute cue”, it’s a sound that plays if you try to talk while muted and can be disabled by going into Configure > Settings..., selecting the Audio Input tab, scrolling down to the Misc section, and unchecking Mute cue.

    By default, Mumble will allow all connections. The simplest way to restrict access is to edit mumble-server.ini and restart the server. (/etc/mumble/mumble-server.ini with Debian packages)

    My suggestion is to set serverpassword to some easy-to-communicate thing to block port-scanning bots from stumbling into where they can see the list of users and channels, and set certrequired=true so that the authentication flow is “Trusted user uses the certificate wizard and then enters the password the first time, administrator registers them, and then that removes the password requirement and locks them into place in the permissions system”.

    You can then set it so, until users are registered, they can’t do anything but see the user and channel list. I suggest this guide for understanding the permissions system. The two details I found either missing or insufficiently clear in the official guide are how permissions are resolved (last/lowest matching entry wins) and what each permission does.

Other lines in the server config file that you may want to change are:

  • welcometext= takes a chunk of the dialect of HTML supported by Qt’s rich text controls which you can use to make a pretty/helpful welcome banner with hyperlinks and the like. (Example)
    You can also embed images without needing an external server using a data URI generator.
  • port= lets you set a non-default port so port-scanning bots that want to find Mumble servers have to scan all your ports instead of just checking the default one and then moving on to the next IP address. (Don’t worry. Mumble has a built-in mechanism for temp-banning IPs that try to brute-force the password.)
  • allowping=false will prevent the current and maximum user count and maximum bandwidth from being exposed to the Connect dialog in users’ clients before they successfully login.
  • imagemessagelength=0 will remove the length limit on messages containing embedded images. If you only have a few friends in your server, this shouldn’t hurt anything and improved the visible quality of the resultant images in my testing.
  • registerName= without the other register*= parameters allows you to keep your server secret but change the name of the root channel from Root to something else.
  • sslCert=/path/to/fullChain.pem, sslKey=/path/to/privkey.pem, (and sslCA=/path/to/fullChain.pem according to Archwiki) are what to set if you have a TLS certificate from Let’s Encrypt.

Beyond that, you can also run a copy of miniserve as a companion file server for exchanging files with your friends without needing “the cloud” and link to it from your Mumble welcome message. (That’s what the script from my previous post is used for.) It can also accept that TLS certificate via --tls-cert=/path/to/fullChain.pem and --tls-key=/path/to/privkey.pem for encrypted connections, and you can restrict access by giving your friends username-password pairs and storing them in a file you feed to --auth-file=.

Don’t forget to forward the ports on your router and set exceptions in your PC’s firewall or none of this will be visible from outside.

    Instructions for clients:

    1. Download the client. Unlike Discord, Mumble has no in-browser option unless the administrator is running a separate web client for you.
    2. The first time you open the mumble client, it should open the dialog from Configure > Audio Wizard... to set up your audio. Follow the steps. (See the Transmission and Audio Processing sections in Configure > Settings... > Audio Input for additional options.)
    3. If the Mumble Server Connect dialog opens automatically after you finish the audio wizard, close it. Instead, use Configure > Certificate Wizard... with the Create a new certificate option to create a certificate so you can authenticate without using a password every time. (Put whatever nick you want in the name field and leave the e-mail field empty.)
    4. Click the globe icon in the toolbar to reopen the Mumble Server Connect field.
    5. Click the Add New… button and fill in the details given to you by the friend who is running the server.
    6. Double-click the entry that has appeared under Favorite to connect.
    7. Mumble’s default layout is a little unusual so you’ll probably want to grab the divider between the narrow chat panel on the left and the wide channel/user list on the right and drag it to produce a more Discord-like Layout. (For more customization, see the “User Interface” tab in Configure > Settings.... I recommend selecting the Hybrid layout so the text chat field will allow longer messages before it starts to scroll.)
    8. While you wait for the person running the server to verify your identity and then register your certificate to unlock more access, you’ll probably want to set these options under Configure > Settings...:
      • User Interface > Look and Feel > Show transmit mode dropdown in toolbar
      • Network > Connection > Reconnect to last server on startup
    9. Once you’re testing the call quality, the settings to play with are:
      • If your voice is too quiet, Audio Input > Audio Processing > Max. Amplification is the sender-side control to adjust. Recipients also have a local adjustment for themselves only in the context menu for each user in the list.
      • If ambient noise is a problem, try changing the type of Audio Input > Audio Processing > Noise Suppression. I’ve found that the default Speex noise suppression isn’t the best at excluding things like fans, and I use Both.
      • If your audio sound “crunchy” or blown out, double-check that the Quality and Audio per packet settings under Audio Input > Compression didn’t get set too low. I’ve found that none of my friends see any problem with 40.0 kb/s and 20 ms. and, since these values are in kilobits, that’s still a per-user bandwidth load that could fit in an old dial-up Internet connection.

    If you experience cut-outs or voices going robotic, that indicates that packet loss is occurring between someone and the server. Identify whose connection is experiencing packet loss by right-clicking usernames and selecting Information and then checking the Lost column in the UDP Network statistics section.

    If they have plenty of free bandwidth but are experiencing packet loss nonetheless, that indicates a problem with someone’s network, but a short-term workaround is to have them try Network > Connection > Force TCP mode. (Using TCP will resend lost data, which can increase latency and bandwidth use, but, if congestion isn’t the problem, it should just appear to fix things with no noticeable downsides… I can vouch for this since a friend’s Internet being flaky was why I switched from Discord to Mumble for this feature.)

    CC BY-SA 4.0 Setting Up A Private Mumble Server by Stephan Sokolow is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

    This entry was posted in Geek Stuff. Bookmark the permalink.

    Leave a Reply

    Your email address will not be published. Required fields are marked *

    By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution under the same terms as the associated post.

    All comments are moderated. If your comment is generic enough to apply to any post, it will be assumed to be spam. Borderline comments will have their URL field erased before being approved.