Skip to content

OpenVidu Single Node PRO installation: On-premises#

This section contains the instructions to deploy a production-ready OpenVidu Single Node PRO deployment on-premises. It is a deployment based on Docker and Docker Compose, which will automatically configure all the necessary services for OpenVidu to work properly.

This is how the architecture of the deployment looks like:

OpenVidu Single Node On Premises Architecture
OpenVidu Single Node On Premises Architecture

All services are deployed on a single machine, which includes:

  • OpenVidu Server (LiveKit compatible).
  • Ingress and Egress services.
  • OpenVidu Dashboard, a web application interface to visualize your Rooms, Ingress, and Egress services.
  • MinIO as an S3 storage service for recordings.
  • Redis as a shared database for OpenVidu Server and Ingress/Egress services.
  • MongoDB as a database for storing analytics and monitoring data.
  • Caddy as a reverse proxy. It can be deployed with self-signed certificates, Let's Encrypt certificates, or custom certificates.
  • OpenVidu Meet, an optional high-quality video calling service.
  • OpenVidu V2 Compatibility (v2compatibility module) is an optional service that provides an API designed to maintain compatibility for applications developed with OpenVidu version 2.
  • Grafana, Mimir, Promtail, and Loki (Observability module) form an optional observability stack for monitoring, allowing you to keep track of logs and deployment statistics for OpenVidu.

Prerequisites#

Before starting the installation process, make sure you have the following prerequisites:

  • A machine with at least 4GB RAM and 4 CPU cores and Linux installed (Ubuntu recommended).
  • Generous disk space (100GB recommended) if you are going to record your sessions.
  • The machine must have a Public IP. An FQDN (Fully Qualified Domain Name) is optional. If not provided, an autogenerated domain using sslip.io will be used.

Port rules#

Ensure all these rules are configured in your firewall, security group, or any kind of network configuration that you have in your machine.

Inbound port rules:

Protocol Ports
Source
Description
TCP 80 0.0.0.0/0, ::/0 Redirect HTTP traffic to HTTPS and Let's Encrypt validation.
TCP 443 0.0.0.0/0, ::/0 Allows access to the following:
  • LiveKit API.
  • OpenVidu Dashboard.
  • OpenVidu Meet.
  • WHIP API.
  • TURN with TLS.
  • Custom layouts
UDP 443 0.0.0.0/0, ::/0 STUN/TURN server over UDP.
TCP 1935 0.0.0.0/0, ::/0 Needed if you want to ingest RTMP streams using Ingress service.
TCP 9000 0.0.0.0/0, ::/0 Needed if you want to expose MinIO publicly.
TCP 7881 0.0.0.0/0, ::/0 Needed for WebRTC media traffic over TCP with Pion.
UDP 7885 0.0.0.0/0, ::/0 Needed if you want to ingest WebRTC using WHIP.
UDP 50000-60000 0.0.0.0/0, ::/0 Needed for WebRTC media traffic over UDP.
TCP 50000-60000 0.0.0.0/0, ::/0 Needed for WebRTC media traffic over TCP with Mediasoup.

Outbound port rules:

Typically, all outbound traffic is allowed.

Guided Installation#

Before the installation, ensure that your machine meets the prerequisites and the port rules. Then, execute the following command on the machine where you want to deploy OpenVidu:

sh <(curl -fsSL http://get.openvidu.io/pro/singlenode/latest/install.sh)

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

A wizard will guide you through the installation process. You will be asked for the following information:

  • Write your OpenVidu PRO License: Write your OpenVidu PRO License.
  • Domain name (Optional): The domain name for your deployment. If left empty, an autogenerated domain using sslip.io (e.g., 10-20-30-40.sslip.io) will be used based on your machine's public IP. For production environments, it's recommended to provide your own FQDN.
  • Select which certificate type to use:

    • Self Signed Certificate: It will generate a self-signed certificate. It is not recommended for production environments, but it is useful for testing or development purposes.
    • Let's Encrypt: It will automatically generate a certificate for your domain.
    • ZeroSSL: It will automatically generate a certificate for your domain using ZeroSSL. An API Key is required and will be asked later in the wizard. Note: This option is only available when providing an FQDN (Fully Qualified Domain Name).
    • Own Certificate: It will ask you for the certificate and key files. Just copy and paste the content of the files when the wizard asks for them. Note: This option is only available when providing an FQDN (Fully Qualified Domain Name).

    Note

    If you want to manage the certificate in your proxy own proxy server instead of relaying in the Caddy server deployed with OpenVidu, take a look to this How-to guide: How to deploy OpenVidu with an external proxy.

  • (Optional) Turn domain name: The domain name for your TURN server with TLS. If no main domain is provided and this is also left empty, an autogenerated domain using sslip.io will be used. This is recommended if users who are going to connect to your OpenVidu deployment are behind restrictive firewalls.

  • Select which RTC engine to use: Select the WebRTC engine you want to use. You can choose between Pion (the default engine used by LiveKit) and Mediasoup (with a boost in performance). Learn more about the differences here.
  • Modules to enable: Select the modules you want to enable. You can enable the following modules:
    • OpenVidu Meet: A high-quality video calling service based on OpenVidu.
    • Observability: Grafana stack, which includes logs and monitoring stats.
    • OpenVidu V2 Compatibility: Compatibility API for applications developed with OpenVidu v2.

The rest of the parameters are secrets, usernames, and passwords. If empty, the wizard will generate random values for them.

When the installation process finishes, you will see the following message:

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - <
>                                                                             <
>  🎉 OpenVidu Single Node PRO Installation Finished Successfully! 🎉         <
>                                                                             <
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - <

OpenVidu will be installed at /opt/openvidu and configured as a systemd service. You can start the service with the following command:

systemctl start openvidu

If everything goes well, all containers will be up and running without restarts, and you will be able to access any of the following services:

Configure your application to use the deployment#

To point your applications to your OpenVidu deployment, check the following files:

  • /opt/openvidu/config/meet.env: Contains the OpenVidu Meet parameters.
  • /opt/openvidu/config/openvidu.env: Contains all the credentials of services deployed with OpenVidu Platform.

The most relevant parameters are:

OpenVidu Meet:

  • MEET_INITIAL_ADMIN_USER: User to access OpenVidu Meet Console. It is always admin.
  • MEET_INITIAL_ADMIN_PASSWORD: Password to access OpenVidu Meet Console.
  • MEET_INITIAL_API_KEY: API key to use OpenVidu Meet Embedded and OpenVidu Meet REST API.

Note

The MEET_INITIAL_ADMIN_USER, MEET_INITIAL_ADMIN_PASSWORD, and MEET_INITIAL_API_KEY values are initial and cannot be changed from the meet.env file. They can only be changed from the Meet Console.

OpenVidu Platform:

  • LIVEKIT_URL: The URL to use LiveKit SDKs, which can be wss://yourdomain.example.io/ or https://yourdomain.example.io/ depending on the client library you are using.
  • LIVEKIT_API_KEY: API Key for LiveKit SDKs.
  • LIVEKIT_API_SECRET: API Secret for LiveKit SDKs.

OpenVidu V2 Compatibility Credentials

This section is only needed if you want to use OpenVidu v2 compatibility.

  • URL: The URL to access OpenVidu, which is formed by the DOMAIN_NAME as https://yourdomain.example.io/
  • Username: Basic auth user for OpenVidu v2 compatibility. It is always OPENVIDUAPP.
  • Password: Basic auth password for OpenVidu v2 compatibility is the same as LIVEKIT_API_SECRET.

Non-interactive installation#

If you want to automate the installation process, you can generate a command with all the parameters needed to install OpenVidu by answering the wizard questions. You can do this by running the following command:

docker run --pull always --rm -it \
    openvidu/openvidu-installer:latest \
    --deployment-type=single_node_pro

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

This is going to generate a command like this, but it may vary depending on the answers you provide. Here are three examples of the command you can run depending on the certificate type you choose:

Example using Let's Encrypt certificates with autogenerated sslip.io domain:

sh <(curl -fsSL http://get.openvidu.io/pro/singlenode/latest/install.sh) \
    --no-tty --install \
    --openvidu-pro-license='xxxxx' \
    --enabled-modules='observability,v2compatibility,openviduMeet' \
    --rtc-engine='pion' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='letsencrypt'

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

  • --openvidu-pro-license is mandatory. You can get a 15-day free trial license key by creating an OpenVidu account.
  • Depending on the RTC engine, the argument --rtc-engine can be pion or mediasoup.

Example using self-signed certificates with autogenerated sslip.io domain:

sh <(curl -fsSL http://get.openvidu.io/pro/singlenode/latest/install.sh) \
    --no-tty --install \
    --openvidu-pro-license='xxxxx' \
    --enabled-modules='observability,v2compatibility,openviduMeet' \
    --rtc-engine='pion' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='selfsigned'

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

  • --openvidu-pro-license is mandatory. You can get a 15-day free trial license key by creating an OpenVidu account.
  • Depending on the RTC engine, the argument --rtc-engine can be pion or mediasoup.

Example using Let's Encrypt certificates:

sh <(curl -fsSL http://get.openvidu.io/pro/singlenode/latest/install.sh) \
    --no-tty --install \
    --openvidu-pro-license='xxxxx' \
    --domain-name='openvidu.example.io' \
    --enabled-modules='observability,v2compatibility,openviduMeet' \
    --turn-domain-name='turn.example.io' \
    --rtc-engine='pion' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='letsencrypt'

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

  • --openvidu-pro-license is mandatory. You can get a 15-day free trial license key by creating an OpenVidu account.
  • Depending on the RTC engine, the argument --rtc-engine can be pion or mediasoup.

Example using self-signed certificates:

sh <(curl -fsSL http://get.openvidu.io/pro/singlenode/latest/install.sh) \
    --no-tty --install \
    --openvidu-pro-license='xxxxx' \
    --domain-name='openvidu.example.io' \
    --enabled-modules='observability,v2compatibility,openviduMeet' \
    --turn-domain-name='turn.example.io' \
    --rtc-engine='pion' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='selfsigned'

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

  • --openvidu-pro-license is mandatory. You can get a 15-day free trial license key by creating an OpenVidu account.
  • Depending on the RTC engine, the argument --rtc-engine can be pion or mediasoup.

Example using custom certificates:

CERT_PRIVATE_KEY=$(cat privkey.pem | base64 -w 0)
CERT_PUBLIC_KEY=$(cat fullchain.pem | base64 -w 0)

# Optional, only if you want to enable TURN with TLS
CERT_TURN_PRIVATE_KEY=$(cat turn-privkey.pem | base64 -w 0)
CERT_TURN_PUBLIC_KEY=$(cat turn-fullchain.pem | base64 -w 0)

sh <(curl -fsSL http://get.openvidu.io/pro/singlenode/latest/install.sh) \
    --no-tty --install \
    --openvidu-pro-license='xxxxx' \
    --domain-name='openvidu.example.io' \
    --enabled-modules='observability,v2compatibility,openviduMeet' \
    --turn-domain-name='turn.example.io' \
    --rtc-engine='pion' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='owncert' \
    --owncert-private-key="$CERT_PRIVATE_KEY" \
    --owncert-public-key="$CERT_PUBLIC_KEY" \
    --turn-owncert-private-key="$CERT_TURN_PRIVATE_KEY" \
    --turn-owncert-public-key="$CERT_TURN_PUBLIC_KEY"

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

  • Note that you just need to pass --owncert-private-key and --owncert-public-key with the content of the private and public key files in base64 format. The installation script will decode them and save them in the proper files.
  • --openvidu-pro-license is mandatory. You can get a 15-day free trial license key by creating an OpenVidu account.
  • Depending on the RTC engine, the argument --rtc-engine can be pion or mediasoup.
  • --turn-owncert-private-key and --turn-owncert-public-key are optional. You only need to pass them if you want to enable TURN with TLS.

You can run that command in a CI/CD pipeline or in a script to automate the installation process.

Some notes about the command:

  • The argument --domain-name is optional. If not provided, an autogenerated domain using sslip.io will be used based on your machine's public IP.
  • The argument --turn-domain-name is optional. You define it only if you want to enable TURN with TLS in case users are behind restrictive firewalls. If no main domain is provided and this is also left empty, an autogenerated domain using sslip.io will be used.
  • When using autogenerated domains (no FQDN (Fully Qualified Domain Name) provided), only selfsigned and letsencrypt certificate types are available.
  • At the argument --enabled-modules, you can enable the modules you want to deploy. You can enable openviduMeet OpenVidu Meet service, observability (Grafana stack) and v2compatibility (OpenVidu v2 compatibility API).
  • If no media appears in your conference, reinstall specifying the --public-ip parameter with your machine's public IP. OpenVidu usually auto-detects the public IP, but it can fail. This IP is used by clients to send and receive media.

To start OpenVidu, remember to run:

systemctl start openvidu

Configuration and administration#

Once you have OpenVidu deployed, you can check the Administration section to learn how to manage your OpenVidu Single Node deployment.