Open and secure videoconferencing with Jangouts

Anastasiia Bobko, 123RF

Private Chats

Jangouts, an open and free drop in for Skype and Hangouts, when installed on a Raspberry Pi provides a videoconferencing solution for up to 40 users for under $50.

In November 2016, SUSE released a SLES 12 SP2 based Raspberry Pi image. At the time it was the first Enterprise grade Linux Distribution bringing the AARCH64 instruction set to the Raspberry Pi 3 B [1][2].

This article will demonstrate how to set up Janus, an easy to use videoconferencing program which uses web technology based on SUSE Linux Enterprise Server 12. Jangouts is an open source project created during SUSE Hack Week 12 [3].

The Janus project team describes its software as as solution inspired by Google Hangouts. The name stems from Hangouts and the Janus WebRTC Gateway. Janus consists of static web content, mostly HTML and JavaScript, which in turn uses the WebRTC functionality of the browser. Any HTTP server such as Apache2 or nginx can serve the static Janus content.

WebRTC

WebRTC is the acronym for Web Real-Time Communication. It is a collection of protocols which enable browsers to exchange audio and video data. A third party server is usually employed to negotiate a communication path. This is where Janus, upon which Jangouts is based, comes into play.

Janus is the active server side component in the Jangouts setup. It acts as a signalling server and helps establish connections between all users. WebRTC can send streams directly from peer-to-peer (Figure 1). This requires all users to send video and audio to one another. For most Internet connections, upload speeds are the limiting factor. In light of this, the setup with Jangouts will use the Janus gateway as a multiplexer. This reduces the upload bandwidth for individual users, but all users still receive streams from one another (Figure 2).

Figure 1: A common WebRTC setup: As defined by WebRTC, a signaling server helps the clients to establish direct peer-to-peer connections.
Figure 2: Jangouts uses the Janus server as a multiplexer for all connections. This reduces the required upload bandwidth for all connected users.

This setup comes at a price: clients must manage encoding and decoding of all streams by themselves, which can cause significant CPU loads. Each user who enables video and audio consumes bandwidth of about 45 KiB/s (Figure 3). As encryption is required, a Raspberry Pi 3 B CPU can handle roughly 50 simultaneous audio/video streams.

Figure 3: The download bandwidth for two streams is around 90 KiB/s.

If 50 users are using Jangouts at the same time, the total output of the Janus gateway will be 2 MiB/s. Bear this in mind if users connect to the video conference from outside your LAN. Low-end to medium DSL connections will not usually provide enough bandwidth for Jangouts on a Raspberry Pi running at full capacity.

However, you can reduce the bandwidth of video conferences by freezing the thumbnails of other users. You can also disable cameras altogether to save upstream bandwidth.

While this system has its limitations, it provides an easy to use, secure and open videoconferencing solution for small companies and independent organizations for less than $50.

Installation

You can use Jangouts on SLES (SUSE Linux Enterprise Server) or on the version of openSUSE available on the cover DVD.

If you decide to use SLES, before installing Jangouts install the current SLES image (available from the SUSE website [4]) onto a microSD card. The following steps closely match the extensive guide provided in the SLES documentation [5]. This article describes how to prepare the SD card from virtually any Linux distribution. The SUSE website also provides instructions on preparing an SD card in Microsoft Windows.

To download the image, you need to create an account on the SUSE Customer Center website [6]. When the image file download starts, new users will automatically receive an activation code entitling you to free SLES updates for one year. The activation code is available in the SUSE Customer Center.

After downloading the image, you need to extract it to an SD card. Make sure that no partitions of the card are mounted before copying the image to it.

# xz -cd SLES-12-SP2-ARM-X11-raspberrypi3_aarch64.aarch64-2016.10.04-GM.raw.xz | dd of=/dev/mmcblk0 bs=4096

If instead you decide to use the image we provide on the DVD, copy over the raw image to your hard disk, and, if you use Linux, you can copy the image over to your SD card using

dd bs=4M if=openSUSE-Leap42.2-ARM-E20-raspberrypi3.aarch64.raw of=/dev/mmcblk0 iflag=fullblock oflag=direct; sync;

You must execute the instruction as root or using sudo.

From Windows, you will a need a special tool, like Win32DiskImager to copy the image over correctly, the same as you would with Raspbian.

Depending on the size of your card, it may take a while for the image to be copied.

When the copy process is finished, eject the SD card safely, then plug the card immediately into the Raspberry Pi. The graphical setup will start on first boot. There's no need to resize the root partition manually. Both SLES and openSUSE will automatically do this using the maximum available space before the graphical setup starts.

If you go with SLES, you need to obtain your registration code from the SUSE Customer Center website and register the SLES installation. SUSE will only provide updates for packages once you have done this. SLES 12 SP2 is very similar toopenSUSE 42.2, so you can switch to using the repositories for openSUSE later on if you wish.

Having finished the initial setup, SLES and openSUSE will boot into the desktop environment. The default (and only) user name is root and the password is linux. You should create more users later on, because working exclusively with root is dangerous!

To continue, open Terminal with root privileges on the Raspberry Pi. You can use a virtual terminal from the desktop, as well as a pure command line interface, accessible via the key combination [Ctrl]+[Alt]+[F1]. After logging in, obtain root privileges with the command su.

Once you have logged in, all installed packages can be upgraded with zypper:

# zypper dup

Before installing Jangouts, you must add two new repositories. The first repository provides Jangouts and Janus with some dependencies:

# zypper ar http://download.opensuse.org/repositories/network:/jangouts/openSUSE_Leap_42.2_Ports/network:jangouts.repo

One required library is currently not available in the SLES and Jangouts repositories for the AARCH64 architecture. However it is available from the compatible openSUSE 42.2 repository. So, if you are using SLES, add the repository with the following commands:

# zypper ar http://download.opensuse.org/ports/aarch64/distribution/leap/42.2/repo/oss/suse/ openSUSE_42.2

Of course you can skip the above step if you are using openSUSE.

Once the openSUSE repository is added, using zypper dup may replace packages from the SLES repository with openSUSE packages. Instead use the command

# zypper up

Because then you will not change the repository for an already installed package. The following command will read metadata from all repositories and accept all new certificates permanently:

# zypper ref

When installing packages, by default the system will list other necessary and recommended packages. You can tell zypper to ignore these recommendations and just fulfil the minimal requirements.

# zypper in --no-recommends jangouts janus-gateway

Setup is now almost complete, but you still need to modify some configuration files. You must also generate a key and certificate to use HTTPS encrypted connections. These files can be directly created in the already existing Apache2 configuration directory. Let's assume that the Raspberry Pi's domain name is myserver.mydomain. Use OpenSSL to create the necessary encryption keys and certificates:

# cd /etc/apache2 # openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout ssl.key/jangouts.key -out ssl.crt/jangouts.crt

Visitors to your site will probably see a certificate warning, as they cannot recognize the issuer. However, most browsers can disable this warning and permanently accept this new self-signed certificate. You can also use certificates from an official Certificate Authority, such as Let's Encrypt [7] and the warnings will go away..

Self-signed certificates are no less secure than those issued by Certificate Authorities. However browser warning messages are sometimes confusing. If the self-signed certificate changes, the browser will show another warning. Users can then verify if the new certificate was issued by the Jangouts admin or whether someone is attacking your secure connection.

Jangouts provides a configuration template for Apache2. You need to change the file extension to .conf and add path to the SSL key and certificate:

# cp /etc/apache2/vhosts.d/Jangouts-ssl.conf{.template,}
# vi /etc/apache2/vhosts.d/Jangouts-ssl.conf

The necessary lines are already in the file, so you only need to uncomment them. Remove the # characters in front of the keywords SSLCertificateFile and SSLCertificateKeyFile and add the paths to the .key and .pem files. The resulting file should contain the following lines:

SSLCertificateKeyFile /etc/apache2/ssl.key/Jangouts.key
SSLCertificateChainFile /etc/apache2/ssl.crt/Jangouts.crt

For the sake of convenience, the server should be available via HTTP, but for security reasons redirect to HTTPS. To do this, create a new configuration file /etc/apache2/vhosts.d/Jangouts.conf with the content shown in Listing 1:

Listing 1

Jangouts.conf

01 <VirtualHost *:80>
02  RewriteEngine On
03  RewriteCond %{HTTPS} !=on
04  RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
05 </VirtualHost>

The Apache2 configuration is now complete and the necessary modules have to be enabled.

The Apache2 standard configuration is already able to accept SSL connections. However you still need to set the SSL flag. Do this from the command line with the tool a2enflag.

# a2enflag SSL

The configuration template for Apache2 provided by Jangouts tells Apache2 to act as a proxy server for Janus. Because Janus should be using secure HTTPS connections, you should enable the proxy modules:

# a2enmod proxy
# a2enmod proxy_wstunnel

The Jangouts.conf file tells Apache to forward all HTTP connections to HTTPS. This also requires an additional module named mod_rewrite.

# a2enmod rewrite

Restart the Apache2 service to load all changes to the configuration.

# systemctl restart apache2

By default, Apache2 does not start on boot in SLES 12. To change this, use the tool systemctl to modify the systemd configuration.

# systemctl enable apache2

After restarting Apache2, you need to modify the configuration of Janus and Jangouts. In this setup, Janus and Jangouts are on the same physical machine and do not need an encrypted communication path. Janus does requires dummy certificates however, which you can create with OpenSSL.

# openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout /etc/Janus/cert.key -out /etc/Janus/cert.pem -subj "/C=DE/ST=/L=/O=/CN=Jangouts.local"
# chown Janus:Janus /etc/Janus/cert.*
# chmod 0400 /etc/Janus/cert.*

After the certificates are generated and available for the user Janus, restart the Janus daemon and enable it on boot.

# systemctl restart Janus
# systemctl enable Janus

Finally, you need to modify the file /etc/Jangouts/config.json. This provides Jangouts with the URLs to the Janus daemon and tells it to use HTTPS. See Listing 2.

Listing 2

config.json

01 {
02  "JanusServer": "ws://myserver.mydomain/Janus/",
03  "JanusServerSSL": "wss://myserver.mydomain/Janus/",
04  "JanusDebug": false,
05  "httpsAvailable": true,
06  "httpsUrl": null,
07  "videoThumbnails": true
08 }

Now that setup is finished, launch Jangouts in your browser of choice. Go to https://myserver.mydomain. After the initial setup, there is only one chat room available. You can add further rooms by modifying the configuration file /etc/Janus/Janus.plugin.videoroom.cfg.

When creating a new room, copy the existing section and just change the name of the room in the brackets. You can also change other parameters, such as the number of allowed users.

Using Jangouts

When opening the URL https://myserver.mydomain in a browser, users may see a warning message depending on the kind of certificate you used. If the communication has to be secure, ask your users to double check the certificate fingerprint by verifying it over a secure channel by getting in touch with you in some way. You could for example use e-mail signed with GnuPG as a secure channel to communicate the fingerprint.

Jangouts is quite easy to use. Firstly you need to create a username and enter a room. Registration is not required and users can choose any name (Figure 4). Users can use the checkbox "Video thumbnails" to decide whether they want to see others. You can change this setting at any time during the video conference. Users can also enter any room which has not yet reached the limit of allowed users.

Figure 4: The Jangouts login screen.

Admins can restrict access to rooms using passwords however. Set these by modifying the Janus room configuration file.

Figure 5: The user interface of Jangouts allows you to mute users and disable their video streams.

After signing in, the minimal interface provides a couple of useful options (Figure 6). The camera button in the top left corner can freeze the thumbnails of all users to save bandwidth and CPU. The pushpin switches to the resizing and rearranging mode.

Figure 6: The interface provides options to freeze the thumbnails of all users to save bandwidth and CPU and the pushpin switches to the resizing and rearranging mode.

The buttons in the top right are for sharing windows or the whole desktop. To use this in Firefox and Chrome, you'll need to change your browser configuration. After clicking the button, Jangouts displays a message, listing which settings need to be changed. In Firefox, the user has to type about:config in the address bar and add the domain of the Jangouts server:

media.getusermedia.sreensharing.allowed_domains

Set the following parameter to true:

media.getusermedia.screensharing.enabled

The rightmost buttons allow you to set a push-to-talk button. Select the browser window to use this feature. The last button either disables the microphone or shows the status of the push-to-talk button.

Clicking on a user's thumbnail shows them in the main video area. Another click on the same user selects a specific Jangouts user. Usually this is the person that is currently speaking. The icons on each thumbnail allow you to mute or ignore a user.

Zypper Software Manager

All SUSE distributions use a tool called zypper to manage software installation. Web servers, called repositories provide the software packages and relevant metadata. This metadata helps zypper to locate a package and any other packages that are required for the software to work properly. As soon as zypper knows where it can find a certain package, it can install it with all necessary dependencies using a single command. The integrity of packages is verified with signatures. After having added a new repository, zypper asks whether to accept the digital 'key' for verifying packages from the new repository.

Buy this article as PDF

Express-Checkout as PDF

Pages: 5

Price $2.95
(incl. VAT)

Buy Raspberry Pi Geek

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Getting up close and personal with openSUSE 42.2

    openSUSE is a Linux based, free and open source operating system sponsored by SUSE, the oldest Linux company in existence. You can now run openSUSE on your Pi. In this article you’ll learn how.

  • The Pi Wire
    • First 64-bit OS for Pi 3
    • LTE Connectivity
    • 3rd Generation Pi Drive
    • Pi will outsell the Commodore 64
    • Tighter Security for your Pi
  • Installing and testing Nextcloud

    NextCloud is a fork of the OwnCloud Project as well as a company in its own right. Founded by former Owncloud Developers and captained by the previous OwnCloud Project founder Frank Karlitsheck, Nextcloud aims to strike a better balance between companies, clients and users.

  • Apache, Installing

    Simple instructions for installing an Apache web server.

  • Using openSUSE's YaST on the Raspberry Pi

    The almighty YaST configuration tool makes it much easier to transform your Raspberry Pi running openSUSE into a file server.