mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2026-02-28 01:43:10 +00:00
matrix-docker-ansible-deploy/docs/configuring-playbook-livekit-server.md
2026-02-21 16:20:07 +02:00


Setting up LiveKit Server (optional)

The playbook can install and configure LiveKit Server for you.

LiveKit Server is an open source project that provides scalable, multi-user conferencing based on WebRTC. It's designed to provide everything you need to build real-time video, audio, and data capabilities in your applications.

💡 LiveKit Server is automatically installed and configured when either Element Call or the Matrix RTC stack is enabled, so you don't need to do anything extra.

The Ansible role for LiveKit Server is developed and maintained by the MASH (mother-of-all-self-hosting) project. For details about configuring LiveKit Server, you can check them via:

Adjusting firewall rules

To ensure LiveKit Server functions correctly, the following firewall rules and port forwarding settings are required:

  • 7881/tcp: ICE/TCP

  • 7882/udp: ICE/UDP Mux

  • 3479/udp: TURN/UDP. Also see the Limitations section below.

  • 5350/tcp: TURN/TCP. Also see the Limitations section below.

💡 The suggestions above are inspired by the upstream Ports and Firewall documentation and are based on how LiveKit is configured in the playbook. If you're using a custom configuration for the LiveKit Server role, you may need to adjust the firewall rules accordingly.

TURN TLS handling

When matrix_playbook_reverse_proxy_type is playbook-managed-traefik (which is the default for this playbook), TURN over TCP is terminated by Traefik and forwarded to LiveKit with turn.external_tls = true. With this playbook default, the mode is enabled automatically when both SSL and TURN are enabled.

  • The playbook installs a dedicated Traefik TCP entrypoint for TURN (matrix-livekit-turn) by default and binds it to tcp/5350.
  • livekit_server_config_turn_external_tls is automatically enabled for this setup.
  • Because Traefik handles TLS, LiveKit no longer needs certificate-file paths for TURN in this mode.

If your setup uses other-traefik-container or another reverse proxy, the behavior is unchanged by default and still relies on certificates being available inside the container, as before.

Deployments using other-traefik-container can opt into the same Traefik-terminated mode there, by setting:

livekit_server_config_turn_external_tls: true
livekit_server_container_labels_turn_traefik_enabled: true
livekit_server_container_labels_turn_traefik_entrypoints: "<your-livekit-turn-traffic-entrypoint>"

and configuring their own Traefik TCP entrypoint dedicated to LiveKit TURN traffic.

Limitations

For some reason, LiveKit Server's TURN ports (3479/udp and 5350/tcp) are not reachable over IPv6 regardless of whether you've enabled IPv6 for your server.

It seems like LiveKit Server intentionally only listens on udp4 and tcp4 as seen here and here.
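
A check for the port list under "Adjusting firewall rules" and the IPv4-only TURN behaviour described under "Limitations", added here as an example and not part of the playbook. It assumes the ports are published as host sockets visible to ss -H -tuln; the sample output and the function names are constructed for illustration.

```python
import sys

# Ports from "Adjusting firewall rules": (port, proto, is_turn).
REQUIRED = [(7881, "tcp", False), (7882, "udp", False),
            (3479, "udp", True), (5350, "tcp", True)]

# Constructed sample of `ss -H -tuln` output (not from a real host).
SAMPLE_SS = """\
tcp LISTEN 0 4096   0.0.0.0:7881 0.0.0.0:*
udp UNCONN 0 0            *:7882       *:*
udp UNCONN 0 0      0.0.0.0:3479 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:5350 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Return {(proto, port): {'v4', 'v6'}} for non-loopback listeners."""
    found = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")
        addr = addr.strip("[]").split("%")[0]  # drop brackets and %iface
        if not port.isdigit() or addr == "::1" or addr.startswith("127."):
            continue  # loopback-only sockets are not reachable by clients
        # ss prints "*" for a dual-stack wildcard socket
        fams = {"v4", "v6"} if addr == "*" else {"v6" if ":" in addr else "v4"}
        found.setdefault((fields[0], int(port)), set()).update(fams)
    return found

def audit(ss_output):
    """Map 'port/proto' to a status string for each required port."""
    found, report = parse_listeners(ss_output), {}
    for port, proto, is_turn in REQUIRED:
        fams = found.get((proto, port), set())
        if "v4" not in fams:
            status = "MISSING on IPv4"
        elif "v6" in fams:
            status = "OK (IPv4+IPv6)"
        else:  # the page's Limitations section expects this for TURN
            status = "OK (IPv4 only" + (", expected for TURN)" if is_turn else ")")
        report[f"{port}/{proto}"] = status
    return report

if __name__ == "__main__":
    text = SAMPLE_SS if sys.stdin.isatty() else sys.stdin.read()
    for key, status in audit(text).items():
        print(f"{key:<9}{status}")
```

Pipe the output of ss -H -tuln on the Matrix host into the script to audit the live sockets; without piped input it falls back to the constructed sample. A listening socket only shows the service is bound, so firewall and port-forwarding rules still need to be confirmed from outside the network.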