OpenVidu Single Node COMMUNITY installation: On-premises

This section contains the instructions to deploy a production-ready OpenVidu Single Node COMMUNITY deployment on-premises. It is a deployment based on Docker and Docker Compose, which will automatically configure all the necessary services for OpenVidu to work properly.

This is what the architecture of the deployment looks like:

[Figure: OpenVidu Single Node On Premises Architecture]

All services are deployed on a single machine, which includes:

  • OpenVidu Server (LiveKit compatible).
  • Ingress and Egress services.
  • OpenVidu Dashboard, a web application interface to visualize your Rooms, Ingress, and Egress services.
  • MinIO as an S3 storage service for recordings.
  • Redis as a shared database for OpenVidu Server and Ingress/Egress services.
  • MongoDB as a database for storing analytics and monitoring data.
  • Caddy as a reverse proxy. It can be deployed with self-signed certificates, Let's Encrypt certificates, or custom certificates.
  • OpenVidu Meet, an optional high-quality video calling service.
  • Grafana, Mimir, Promtail, and Loki (Observability module) form an optional observability stack for monitoring, allowing you to keep track of logs and deployment statistics for OpenVidu.

Prerequisites

Before starting the installation process, make sure you have the following prerequisites:

  • A machine with at least 4GB RAM and 4 CPU cores and Linux installed (Ubuntu recommended).
  • Generous disk space (100GB recommended) if you are going to record your sessions.
  • The machine must have a Public IP. An FQDN (Fully Qualified Domain Name) is optional. If not provided, an autogenerated domain using sslip.io will be used.

Port rules

Ensure all of these rules are configured in your firewall, security group, or whatever network configuration applies to your machine.

Inbound port rules:

| Protocol | Ports | Source | Description |
|---|---|---|---|
| TCP | 80 | 0.0.0.0/0, ::/0 | Redirect HTTP traffic to HTTPS and Let's Encrypt validation. |
| TCP | 443 | 0.0.0.0/0, ::/0 | Allows access to the following: LiveKit API; OpenVidu Dashboard; OpenVidu Meet; WHIP API; TURN with TLS; Custom layouts. |
| UDP | 443 | 0.0.0.0/0, ::/0 | STUN/TURN server over UDP. |
| TCP | 1935 | 0.0.0.0/0, ::/0 | Needed if you want to ingest RTMP streams using Ingress service. |
| TCP | 7881 | 0.0.0.0/0, ::/0 | Needed if you want to allow WebRTC over TCP. |
| UDP | 7885 | 0.0.0.0/0, ::/0 | Needed if you want to ingest WebRTC using WHIP protocol. |
| TCP | 9000 | 0.0.0.0/0, ::/0 | Needed if you want to expose MinIO publicly. |
| UDP | 50000 - 60000 | 0.0.0.0/0, ::/0 | WebRTC Media traffic. |

Outbound port rules:

Typically, all outbound traffic is allowed.
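
The inbound table above, turned into a least-privilege audit for a host that uses ufw (an added example, not part of the OpenVidu documentation or installer). It assumes ufw is the firewall in use; the feature labels and function names are made up for this example, and the `ufw status` text is a constructed sample.

```shell
#!/bin/sh
# Added example; not part of the OpenVidu docs or installer.
# Feature labels (rtmp, webrtc-tcp, whip, minio-public) are names made up here
# for the table's "Needed if you want to ..." rows; they are not OpenVidu options.

# Print the port/proto entries the inbound table requires for the given features.
openvidu_expected_ports() {
    printf '%s\n' 80/tcp 443/tcp 443/udp 50000:60000/udp
    for feature in "$@"; do
        case "$feature" in
            rtmp)         echo 1935/tcp ;;
            webrtc-tcp)   echo 7881/tcp ;;
            whip)         echo 7885/udp ;;
            minio-public) echo 9000/tcp ;;
            *) echo "unknown feature: $feature" >&2; return 1 ;;
        esac
    done
}

# Read `ufw status` text on stdin. Print EXTRA for allowed ports the table does
# not call for, and MISSING for table ports that have no ALLOW rule.
openvidu_audit_ufw() {
    expected=$(openvidu_expected_ports "$@") || return 2
    allowed=$(awk '{ for (i = 2; i <= NF; i++)
                       if ($i == "ALLOW") { print $1; next } }' | sort -u)
    printf '%s\n' "$allowed"  | grep -Fxv -e "$expected" | sed '/^$/d; s/^/EXTRA /'
    printf '%s\n' "$expected" | grep -Fxv -e "$allowed"  | sed '/^$/d; s/^/MISSING /'
}

# Constructed sample of `ufw status` output (not captured from a real host).
sample_ufw_status() {
    cat <<'EOF'
Status: active

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW       Anywhere
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
443/udp                    ALLOW       Anywhere
9000/tcp                   ALLOW       Anywhere
50000:60000/udp            ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
EOF
}
```

On a live host, run `ufw status | openvidu_audit_ufw rtmp` with the features you actually use. To generate rules instead of auditing them, `openvidu_expected_ports rtmp | sed 's/^/ufw allow /'` prints the commands for review before they are applied as root.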

Guided Installation

Before the installation, ensure that your machine meets the prerequisites and the port rules. Then, execute the following command on the machine where you want to deploy OpenVidu:

sh <(curl -fsSL http://get.openvidu.io/community/singlenode/latest/install.sh)

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

A wizard will guide you through the installation process. You will be asked for the following information:

  • Domain name (Optional): The domain name for your deployment. If left empty, an autogenerated domain using sslip.io (e.g., 10-20-30-40.sslip.io) will be used based on your machine's public IP. For production environments, it's recommended to provide your own FQDN.
  • Select which certificate type to use:

    • Self Signed Certificate: It will generate a self-signed certificate. It is not recommended for production environments, but it is useful for testing or development purposes.
    • Let's Encrypt: It will automatically generate a certificate for your domain.
    • ZeroSSL: It will automatically generate a certificate for your domain using ZeroSSL. An API Key is required and will be asked later in the wizard. Note: This option is only available when providing an FQDN (Fully Qualified Domain Name).
    • Own Certificate: It will ask you for the certificate and key files. Just copy and paste the content of the files when the wizard asks for them. Note: This option is only available when providing an FQDN (Fully Qualified Domain Name).

    Note

    If you want to manage the certificate in your own proxy server instead of relying on the Caddy server deployed with OpenVidu, take a look at this how-to guide: How to deploy OpenVidu with an external proxy.

  • (Optional) Turn domain name: The domain name for your TURN server with TLS. If no main domain is provided and this is also left empty, an autogenerated domain using sslip.io will be used. This is recommended if users who are going to connect to your OpenVidu deployment are behind restrictive firewalls.

  • Modules to enable: Select the modules you want to enable. You can enable the following modules:
    • OpenVidu Meet: A high-quality video calling service based on OpenVidu.
    • Observability: Grafana stack, which includes logs and monitoring stats.

The rest of the parameters are secrets, usernames, and passwords. If left empty, the wizard will generate random values for them.

When the installation process finishes, you will see the following message:

> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - <
>                                                                             <
>  🎉 OpenVidu Community Installation Finished Successfully! 🎉               <
>                                                                             <
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - <

OpenVidu will be installed at /opt/openvidu and configured as a systemd service. You can start the service with the following command:

systemctl start openvidu

If everything goes well, all containers will be up and running without restarts, and you will be able to access any of the following services:

Configure your application to use the deployment

To point your applications to your OpenVidu deployment, check the following files:

  • /opt/openvidu/config/meet.env: Contains the OpenVidu Meet parameters.
  • /opt/openvidu/config/openvidu.env: Contains all the credentials of services deployed with OpenVidu Platform.

The most relevant parameters are:

OpenVidu Meet:

  • MEET_INITIAL_ADMIN_USER: User to access OpenVidu Meet Console. It is always admin.
  • MEET_INITIAL_ADMIN_PASSWORD: Password to access OpenVidu Meet Console.
  • MEET_INITIAL_API_KEY: API key to use OpenVidu Meet Embedded and OpenVidu Meet REST API.

Note

The MEET_INITIAL_ADMIN_USER, MEET_INITIAL_ADMIN_PASSWORD, and MEET_INITIAL_API_KEY values are initial and cannot be changed from the meet.env file. They can only be changed from the Meet Console.

OpenVidu Platform:

  • LIVEKIT_URL: The URL to use LiveKit SDKs, which can be wss://yourdomain.example.io/ or https://yourdomain.example.io/ depending on the client library you are using.
  • LIVEKIT_API_KEY: API Key for LiveKit SDKs.
  • LIVEKIT_API_SECRET: API Secret for LiveKit SDKs.

Non-interactive installation

If you want to automate the installation process, you can generate a command with all the parameters needed to install OpenVidu by answering the wizard questions. You can do this by running the following command:

docker run --pull always --rm -it \
    openvidu/openvidu-installer:latest \
    --deployment-type=single_node

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

This generates a command like the ones below; the exact command varies with the answers you provide. The following examples show the command for each certificate type and domain configuration:

Example using Let's Encrypt certificates with autogenerated sslip.io domain:

sh <(curl -fsSL http://get.openvidu.io/community/singlenode/latest/install.sh) \
    --no-tty --install \
    --enabled-modules='observability,openviduMeet' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='letsencrypt'

Note

In case you want to deploy a specific version, just replace latest with the desired version. For example: 3.4.0.

Example using self-signed certificates with autogenerated sslip.io domain:

sh <(curl -fsSL http://get.openvidu.io/community/singlenode/latest/install.sh) \
    --no-tty --install \
    --enabled-modules='observability,openviduMeet' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='selfsigned'

Example using Let's Encrypt certificates with an FQDN (Fully Qualified Domain Name):

sh <(curl -fsSL http://get.openvidu.io/community/singlenode/latest/install.sh) \
    --no-tty --install \
    --domain-name='openvidu.example.io' \
    --enabled-modules='observability,openviduMeet' \
    --turn-domain-name='turn.example.io' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='letsencrypt'

Example using self-signed certificates with an FQDN (Fully Qualified Domain Name):

sh <(curl -fsSL http://get.openvidu.io/community/singlenode/latest/install.sh) \
    --no-tty --install \
    --domain-name='openvidu.example.io' \
    --enabled-modules='observability,openviduMeet' \
    --turn-domain-name='turn.example.io' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='selfsigned'

Example using custom certificates with an FQDN (Fully Qualified Domain Name):

CERT_PRIVATE_KEY=$(cat privkey.pem | base64 -w 0)
CERT_PUBLIC_KEY=$(cat fullchain.pem | base64 -w 0)

# Optional, only if you want to enable TURN with TLS
CERT_TURN_PRIVATE_KEY=$(cat turn-privkey.pem | base64 -w 0)
CERT_TURN_PUBLIC_KEY=$(cat turn-fullchain.pem | base64 -w 0)

sh <(curl -fsSL http://get.openvidu.io/community/singlenode/latest/install.sh) \
    --no-tty --install \
    --domain-name='openvidu.example.io' \
    --enabled-modules='observability,openviduMeet' \
    --turn-domain-name='turn.example.io' \
    --livekit-api-key='xxxxx' \
    --livekit-api-secret='xxxxx' \
    --dashboard-admin-user='xxxxx' \
    --dashboard-admin-password='xxxxx' \
    --redis-password='xxxxx' \
    --minio-access-key='xxxxx' \
    --minio-secret-key='xxxxx' \
    --mongo-admin-user='xxxxx' \
    --mongo-admin-password='xxxxx' \
    --mongo-replica-set-key='xxxxx' \
    --grafana-admin-user='xxxxx' \
    --grafana-admin-password='xxxxx' \
    --meet-initial-admin-password='xxxxx' \
    --meet-initial-api-key='xxxxx' \
    --certificate-type='owncert' \
    --owncert-private-key="$CERT_PRIVATE_KEY" \
    --owncert-public-key="$CERT_PUBLIC_KEY" \
    --turn-owncert-private-key="$CERT_TURN_PRIVATE_KEY" \
    --turn-owncert-public-key="$CERT_TURN_PUBLIC_KEY"

Note

  • Note that you just need to pass --owncert-private-key and --owncert-public-key with the content of the private and public key files in base64 format. The installation script will decode them and save them in the proper files.
  • --turn-owncert-private-key and --turn-owncert-public-key are optional. You only need to pass them if you want to enable TURN with TLS.
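
Before encoding the files for --owncert-private-key and --owncert-public-key, a pre-flight check like the following catches a mismatched key, a certificate for the wrong domain, or one about to expire. This is an added example, not part of the OpenVidu installer; the function name and the 7-day threshold are assumptions, and it relies on the openssl command-line tool being installed.

```shell
#!/bin/sh
# Added example; not part of the OpenVidu installer.
# Checks a key/certificate pair before it is base64-encoded for
# --owncert-private-key / --owncert-public-key.

# owncert_preflight KEY_FILE CHAIN_FILE DOMAIN
# Returns 0 if the pair is usable; otherwise prints the reason on stderr
# and returns 1 (unreadable), 2 (mismatch), 3 (wrong domain) or 4 (expiring).
owncert_preflight() {
    key=$1 chain=$2 domain=$3

    # 1. The private key must belong to the leaf certificate. openssl x509
    #    reads only the first certificate in a fullchain file, i.e. the leaf.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot read private key: $key" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || {
        echo "cannot read certificate: $chain" >&2; return 1; }
    [ "$key_pub" = "$crt_pub" ] || {
        echo "private key does not match certificate" >&2; return 2; }

    # 2. The certificate must name the domain passed to --domain-name
    #    (or --turn-domain-name for the TURN pair).
    openssl x509 -in "$chain" -noout -checkhost "$domain" 2>/dev/null |
        grep -q "does match" || {
        echo "certificate does not cover $domain" >&2; return 3; }

    # 3. The certificate must still be valid 7 days from now
    #    (604800 seconds; example threshold, adjust to your renewal policy).
    openssl x509 -in "$chain" -noout -checkend 604800 >/dev/null 2>&1 || {
        echo "certificate expires within 7 days" >&2; return 4; }
}

# Usage with the file names from the example above:
#   owncert_preflight privkey.pem fullchain.pem openvidu.example.io &&
#       CERT_PRIVATE_KEY=$(base64 -w 0 < privkey.pem)
```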

You can run that command in a CI/CD pipeline or in a script to automate the installation process.

Some notes about the command:

  • The argument --domain-name is optional. If not provided, an autogenerated domain using sslip.io will be used based on your machine's public IP.
  • The argument --turn-domain-name is optional. You define it only if you want to enable TURN with TLS in case users are behind restrictive firewalls. If no main domain is provided and this is also left empty, an autogenerated domain using sslip.io will be used.
  • When using autogenerated domains (no FQDN (Fully Qualified Domain Name) provided), only selfsigned and letsencrypt certificate types are available.
  • In the argument --enabled-modules, you can enable the modules you want to deploy. You can enable openviduMeet (OpenVidu Meet service) and observability (Grafana stack).
  • If no media appears in your conference, reinstall specifying the --public-ip parameter with your machine's public IP. OpenVidu usually auto-detects the public IP, but it can fail. This IP is used by clients to send and receive media.

To start OpenVidu, remember to run:

systemctl start openvidu

Configuration and administration

Once you have OpenVidu deployed, you can check the Administration section to learn how to manage your OpenVidu Single Node deployment.