Jitsi behind NAT, not working

I followed this install guide :

In short , the jitsi machine sits on a vm, hosted behind a NAT.
Machine posts to the local network, and is joinable locally, yet clients don’t see eachother, and seem to join empty rooms

I have an A-record pointing to my public ip, ports are forwarded in the router, and opened on the VM,'s ufw firewall.
The public Ip is semi fixed, meaning, it didn’t change last 3 years.

it’s not posting on the public IP at all ( not sure, that’s a problem from the machine, or provider )
if I ping the domainname, I do get a rsponse, from “IP.provider”

SSL certificate didn’t work either

Next problem I run in, is to create accounts, for allowed users.
in another guide, they explained to use : prosodyctl register yourusernamehere jitsi.example.com P@ssw0rd, previous install, this command worked, now it doesn’t.

Prosody was unable to find the configuration file.
“We looked for: /etc/prosody/prosody.cfg.lua
A sample config file is included in the Prosody download called prosody.cfg.lua.dist
It seems hard, to find a full manual.

some help would be really appreciated

The manual is only targeted at server on the public network. If you want to use it on a private network you are mostly on your own and have to figure out the networking details.
In short, it’s very hard (in fact I don’t know a way to do it :-)) to have a server on a private network that is accessed both by internal users on a private IP address and from the public network. So there are only 2 ways forward;

  • a pure private server: it’s accessed only from the internal network. In this case you configure JVB without the NAT setup. Despite the thing being private, it’s still easier to use a public certificate and redirect the ‘public’ name to an internal IP address through hosts files or internal DNS than to use self-signed certificates.

  • a mixed use server: in this case the NAT settings apply (see above) so far the only way I can see is to redirect internal users to access your server through the public IP address. Only problem is that you are depending on the ISP router to allow it. Some ISP boxes can’t do that. In this case you are out of luck.

you were doing your previous config under root now you are running under an unprivileged user (good !) so you need to use sudo.

Thank you for the reply.

I followed settings as written in the manual, for NAT.
I need to check, if I changed anything in JVB, can’t remember doing something there.

tomorrow, I’ll be having a serious conversation with the provider, as that provider box is already a long time an ulcer…
I’ve been used to have fixed ip connecttions, and provider ‘just as is’ services, and now I’m sitting with this nanny box…
Either they offer me a full open connection, either I use a PCIE modem , or I move providers…

Concerning Prosody, if I sudo, I get the following respons : “Error: Account creation/modification not supported”

I’ll be looking I missed some settings

what’s value for ‘authentication’ in your host ? should be internal_plain or internal_hashed.

couldn’t do much today, ran in a network problem, and bit later got systemd in panic on my computer, and had to do a full reinstall, as there was no way, getting anywhere on the system.
Tomorrow, I’ll check all settings concerning that.
I did not change that setting, as in the previous version, it all magically worked, but didn’t like, all installed as root.
The whole ‘manual’ was also completely different.

Hello again,
Considering the prosody problem, that seem to be solved, after changing to internal_plain.
What is exactly the difference between those two factors ?
Been looking into the config from Jicofo, JVB and sip-communicator.properties .

in sip-communicator.properties,
how to comment on that ? change to own server ?
added :

do I need to add here also the line org.jitsi.jicofo.auth.URL=XMPP:your.domain ?

Where should sip-communcator be ? under jitsi/jicofo ? on my machine, that sits under /videobridge

JVB at this point is :
videobridge {
http-servers {
public {
port = 9090
websockets {
enabled = true
domain = “***********:443”
tls = true

Are there any serious guides, to start messing in these scrypts ?
I should get it configured, that only logged in users can use the server.

I have these ports open :

80/tcp , 443/tcp ,10000/udp ,3478/udp , 5349/tcp
but, when I see on the Public ip, I don't see the 10000, 3478 and the 5349 ports
I do see other ports open for xmpp, , 5269 -xmpp-server, 5280 xmpp-bosh, 8010 xmpp,  all tcp.
under open ports on the modem, there is no way to find 3478.5349, nor 10000.
If these ports are absolutely necessary, I will have again a talk with them, that they will need to config these ports.
I'm also thinking, to find a way to bypass the their modem anyway. If necessary, I go talk with another provider.

longer message, I appreciate all your help

Hello again, any further advice ?

for secure domain you can follow the manual here

Hello again,

moved the machine to an external server, all works now.
provider would not open the necessary ports.

that said, can I create several users in prosodyctl , and let them all use their own password, to join the room ?

The general idea is to have one room very secure, and also offer the possibility, to have authenticated users, create their own room.

generally, is there also a way to hardlimit the amount of rooms, as this machine is not too powerfull


you can protect a room (any room, it’s available for any authenticated user creating a room) using lobby and/or room password.

I don’t think it’s a feature available in standard Jitsi-meet, but it may not be that relevant because even a limited server could handle quite a few rooms, however about high resolution video users, that’s another story.
In short a limited server could handle 100 rooms each having 2 users (using P2P), but not one room with 30 users using high resolution video.