As I mentioned in a recent post, I set up a private Mumble server for the richer set of options for working around a friend’s network problems and, given that Discord continues their steps toward demanding that you share personal information with people who are likely to eventually get hacked , opening you up to identity theft (i.e. age verification), that’s not the only reason I’m happy with my choice.
…so, here’s a quick overview of how you too can set up a private Mumble server with good security for voice (but not video) calls that you control. It’s not the most visually polished set of instructions, but it’s better than they were when I was just taking notes for my own future reference.
(If you’re running a podcast and want to be able to fine-tune the mix or want clean audio for a local transcription model like WhisperX (which apparently has the highest accuracy) when people might be talking over each other, it’s also nice that Mumble has built-in, open-source (i.e. auditable) support for recording each participant to a separate audio track that and doesn’t depend on a third-party server. Craig on the other hand… let’s just say I’m glad I haven’t needed more than OBS can do with a Mic vs. Firefox split yet.)
Instructions for Administrator:
Here are the steps for the most technically competent (or most willing to learn) person in your group to follow. You can run the server on Windows, macOS, or Linux and, since I run Kubuntu Linux LTS, I’ll also be providing more specific instructions that should work on any Debian-based Linux, including Mint.
First, you’re going to set up the server and your client, register an account with your preferred name, and grant it administrator privileges.
- If you’re running your server off your home PC, sign up with a free Dynamic DNS service so you can have a stable domain name for friends to add to their favourites/bookmarks.
(I recommend one that’s compatible with the DNS-based version of Let’s Encrypt verification such as Dynu (what I use) or DuckDNS so you can have encryption without self-signed certificates and without having to open port 80 or 443 to passing bots.) - Download and install both the mumble client and server. I installed both on my home PC. If you’re running a Debian-lineage distro, the packages to install are
mumbleandmumble-serverand they should come with a ready-made set of systemd sandboxing rules, as can be inspected usingsystemd-analyze security mumble-server.service. (Overall exposure level for mumble-server.service: 2.1 OK 🙂if you scroll to the bottom) …or you can run the client through Flatpak if you’re on Linux. - If your install method didn’t do it for you, run the mumble server. This happens automatically with the Debian packages and, if you only want it to run some of the time, use
sudo systemctl disable mumble-server.serviceto keep it from running on startup. You can usesudo systemctl start mumble-server.serviceandsudo systemctl stop mumble-server.serviceto turn it on and off. (If anyone’s interested, maybe I’ll write a quick guide on how to make double-clickable shell scripts out of them, including sudo prompts, and a tip on how to make those specific commands passwordless with/etc/sudoers) - Open the mumble client. It should initially display the dialog from
Configure > Audio Wizard...to set up your audio. - Click the globe icon in the toolbar if the
Mumble Server Connectdialog doesn’t open automatically, - Set up a Favorites entry: You should see a single LAN entry for the server running on the same PC you’re on now. To avoid having to enter your username every time, right-click it and choose “Add to Favourites”, then the entry added to Favorites, choose
Edit..., and fill out theusernamefield. (If you don’t see it under LAN, clickAdd New...and fill in the IP address, your preferred username, and a friendly label manually.) - Close the connect dialog and use
Configure > Certificate Wizard...to create a certificate so you can authenticate without using a password every time. - Click the Globe icon to re-open the connect dialog and double-click the entry in Favorites to re-connect to your server with your new certificate.
- Use
Self > Register...to permanently bind your certificate to an entry in the server’s user database. (This will also lock the username associated with your certificate) - Open the Mumble server’s log and look for a line that says
Password for 'SuperUser' set to '...'. (If using Debian packages, runjournalctl --unit mumble-server.serviceand type/Passwordfollowed by pressing Enter.) - Login as SuperUser: Click the globe icon again, double-click the entry for the server under
LAN(notFavorites) and enterSuperUseras the username and whatever password you got from that line in the log. - Grant yourself admin permissions: Right-click
Rootin the channel/user list and chooseEdit.... In theGroupstab, select “admin” from the drop-down box in the topGroupsection and then look down to theMemberssection and add yourself to theMembersbox (the left-most one) using the drop-down below it and the Add button. Then clickOK. Your normal user now has admin privileges.
NOTE: This dialog is how you control all permissioning. TheRootchannel is the server-wide permissions that everything will inherit from and you can create channels inside it with different permissions.
NOTE: If Mumble doesn’t prompt you about the “mute cue”, it’s a sound that plays if you try to talk while muted and can be disabled by going intoConfigure > Settings..., selecting theAudio Inputtab, scrolling down to theMiscsection, and uncheckingMute cue.
By default, Mumble will allow all connections. The simplest way to restrict access is to editmumble-server.iniand restart the server. (/etc/mumble/mumble-server.iniwith Debian packages)
My suggestion is to setserverpasswordto some easy-to-communicate thing to block port-scanning bots from stumbling into where they can see the list of users and channels, and setcertrequired=trueso that the authentication flow is “Trusted user uses the certificate wizard and then enters the password the first time, administrator registers them, and then that removes the password requirement and locks them into place in the permissions system”.
You can then set it so, until users are registered, they can’t do anything but see the user and channel list. I suggest this guide for understanding the permissions system. The two details I found either missing or insufficiently clear in the official guide are how permissions are resolved (last/lowest matching entry wins) and what each permission does.
Other lines in the server config file that you may want to change are:
welcometext=takes a chunk of the dialect of HTML supported by Qt’s rich text controls which you can use to make a pretty/helpful welcome banner with hyperlinks and the like. (Example)
You can also embed images without needing an external server using a data URI generator.port=lets you set a non-default port so port-scanning bots that want to find Mumble servers have to scan all your ports instead of just checking the default one and then moving on to the next IP address. (Don’t worry. Mumble has a built-in mechanism for temp-banning IPs that try to brute-force the password.)allowping=falsewill prevent the current and maximum user count and maximum bandwidth from being exposed to the Connect dialog in users’ clients before they successfully login.imagemessagelength=0will remove the length limit on messages containing embedded images. If you only have a few friends in your server, this shouldn’t hurt anything and improved the visible quality of the resultant images in my testing.registerName=without the otherregister*=parameters allows you to keep your server secret but change the name of the root channel fromRootto something else.sslCert=/path/to/fullChain.pem,sslKey=/path/to/privkey.pem, (andsslCA=/path/to/fullChain.pemaccording to Archwiki) are what to set if you have a TLS certificate from Let’s Encrypt.
Beyond that, you can also run a copy of miniserve as a companion file server for exchanging files with your friends without needing “the cloud” and link to it from your Mumble welcome message. (That’s what the script from my previous post is used for.) It can also accept that TLS certificate via --tls-cert=/path/to/fullChain.pem and --tls-key=/path/to/privkey.pem for encrypted connections, and you can restrict access by giving your friends username-password pairs and storing them in a file you feed to --auth-file=.
Don’t forget to forward the ports on your router and set exceptions in your PC’s firewall or none of this will be visible from outside.
Instructions for clients:
- Download the client. Unlike Discord, Mumble has no in-browser option unless the administrator is running a separate web client for you.
- The first time you open the mumble client, it should open the dialog from
Configure > Audio Wizard...to set up your audio. Follow the steps. (See theTransmissionandAudio Processingsections inConfigure > Settings... > Audio Inputfor additional options.) - If the
Mumble Server Connectdialog opens automatically after you finish the audio wizard, close it. Instead, useConfigure > Certificate Wizard...with theCreate a new certificateoption to create a certificate so you can authenticate without using a password every time. (Put whatever nick you want in the name field and leave the e-mail field empty.) - Click the globe icon in the toolbar to reopen the
Mumble Server Connectfield. - Click the
Add New…button and fill in the details given to you by the friend who is running the server. - Double-click the entry that has appeared under
Favoriteto connect. - Mumble’s default layout is a little unusual so you’ll probably want to grab the divider between the narrow chat panel on the left and the wide channel/user list on the right and drag it to produce a more Discord-like Layout. (For more customization, see the “User Interface” tab in
Configure > Settings.... I recommend selecting theHybridlayout so the text chat field will allow longer messages before it starts to scroll.) - While you wait for the person running the server to verify your identity and then register your certificate to unlock more access, you’ll probably want to set these options under
Configure > Settings...:User Interface > Look and Feel > Show transmit mode dropdown in toolbarNetwork > Connection > Reconnect to last server on startup
- Once you’re testing the call quality, the settings to play with are:
- If your voice is too quiet,
Audio Input > Audio Processing > Max. Amplificationis the sender-side control to adjust. Recipients also have a local adjustment for themselves only in the context menu for each user in the list. - If ambient noise is a problem, try changing the type of
Audio Input > Audio Processing > Noise Suppression. I’ve found that the default Speex noise suppression isn’t the best at excluding things like fans, and I useBoth. - If your audio sound “crunchy” or blown out, double-check that the
QualityandAudio per packetsettings underAudio Input > Compressiondidn’t get set too low. I’ve found that none of my friends see any problem with40.0 kb/sand20 ms. and, since these values are in kilobits, that’s still a per-user bandwidth load that could fit in an old dial-up Internet connection.
- If your voice is too quiet,
If you experience cut-outs or voices going robotic, that indicates that packet loss is occurring between someone and the server. Identify whose connection is experiencing packet loss by right-clicking usernames and selecting Information and then checking the Lost column in the UDP Network statistics section.
If they have plenty of free bandwidth but are experiencing packet loss nonetheless, that indicates a problem with someone’s network, but a short-term workaround is to have them try Network > Connection > Force TCP mode. (Using TCP will resend lost data, which can increase latency and bandwidth use, but, if congestion isn’t the problem, it should just appear to fix things with no noticeable downsides… I can vouch for this since a friend’s Internet being flaky was why I switched from Discord to Mumble for this feature.)
Setting Up A Private Mumble Server by Stephan Sokolow is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

By submitting a comment here you grant this site a perpetual license to reproduce your words and name/web site in attribution under the same terms as the associated post.
All comments are moderated. If your comment is generic enough to apply to any post, it will be assumed to be spam. Borderline comments will have their URL field erased before being approved.