After the arrest of Pavel Durov, I wanted to move from Telegram to something end-to-end encrypted. I know Signal is pretty good, but I think it is better to have our messages in my own server.
I have already looked in XMPP, but it required SSL certs and I did not have the mood to configure them.
Do you know any other selfhosted messaging service for a group of 4-5 friends, or an easy way to configure an XMPP server? Or shall I use Signal after all (I don’t really care that much about being selfhosted, I just thought it would be more privacy friendly)?
UPDATE: I managed to set up an XMPP server using prosody with the SSL certs. We have been testing it with my friend and it seems to go well.
If setting up TLS is too much work, better stay with a service. Signal is nice.
SSL certs is so easy with let’s encrypt, that really shouldn’t be a blocker.
If you want something easy I think you have your answer with Signal
I know, but for some reason my router does not let me access my domain (with duckdns) when connected to my network. So even if I get certs for the domain, I will not be able to access it. I have set up local DNS entries (with Pi-Hole) to point to my srrver, but I don’t know if it possible to get certs for that, since it is not a real domain.
EDIT: Fixed it. (See reply for fix)
I have set up local DNS entries (with Pi-Hole) to point to my srrver, but I don’t know if it possible to get certs for that, since it is not a real domain.
So long as your certs are for your fully qualified domain there’s no problem. I do this, as do many people — mydoman.com is fully qualified, but on my own network I override the DNS to the local address. Not a problem at all — DNS is tied to the hostname, not the IP.
Can confirm, I do this as well for my local services (especially important for Jellyfin), I just point my local DNS server at my local IP and everything works perfectly.
Are you using a *.duckdns.com domain or is that only for Dynamic DNS pointed to something like jelly.domain.com? I’m not sure if you’ll be able to get a cert in the former scenario.
Your router won’t let you access it because you’re trying to connect from your internal network to your external network, so you’re just connecting in a loop and not getting routed properly. This could work if you had a firewall that would let you set up a loopback NAT, but my guess is your router won’t let you setup NAT rules like that.
You won’t be able to get a certificate using a local domain from a public certificate authority (like Let’s Encrypt). You would want to define the FQDN you want to use, like jelly.domain.com, and generate the certificate for this domain. You can do this manually with certbot and import the certificate to jellyfin, or put jellyfin behind a reverse proxy like Caddy or Nginx and let it handle automatic renewal for you.
The local DNS entries would then redirect internal requests for jelly.domain.com to your local server, which presents the same certificate for jelly.domain.com regardless of whether you’re accessing it via the private or public IP.
A bonus of using something like Caddy is being able to open a single port on your router for every service. I have multiple services all accessed via the same port, and Caddy just reads the requested subdomain (jelly.domain.com, nextcloud.domain.com, etc) to route the traffic to the corresponding local server. This lets it handle every cert for all services with no manual steps needed for any of them after the initial setup, and reduces your attack surface by only having one port open.
Why not use a different DDNS service? There are plenty out there. :) I think this may solve your issue. I’ve been using freemyip.com’'s for a while and have had no problem in the past issusing LetsEncrypt SSL’s. At the moment, I’m on Cloudflare tunnels so it’s automatic with them, which I know is a huge trust issue for a lot of people, but I don’t mind it for my stuff. But I do like to have my DDNS as a backup service from time to time.
Most people use either Matrix or XMPP. Both work.
There is a nice overview of chat protocols here: https://www.messenger-matrix.de/
I mostly use matrix as of today. I think it’s alright. It’s a bit difficult to explain encryption and device verification to other people… I think that could be designed better. But apart from that it works very well. So does XMPP which I’ve used before that. Have a look at the messenger matrix and all the options before deciding on an ecosystem. I’d take one of the friends and do some evaluation before dragging the whole group in. You can do that with some pre-existing servers before learning how to host the server part.
And btw: With most of them you can just use some public servers. You should do that unless you’re willing to put in the effort to maintain an own server. That’d give you complete control over the infrastructure… But it’s also a liability to maintain a server, do the updates etc for a group of friends and maybe years to come… End to end encryption will keep the content of your messages private, anyways. (If you use it.)
Use XMPP. Thanks to Let’s Encrypt being implemented in basically every reverse proxy, setting it up is a matter of seconds.
Signal is more likely to have more mass appeal. Matrix can bridge just about anything but is (IMHO) a pain to setup the first time. XMPP is reliable and available just about anywhere. I use the first two.
Ask your friends though.