{"id":13556406,"url":"https://github.com/PC-Admin/PC-Admins-Synapse-Setup-Guide","last_synced_at":"2025-04-03T09:31:19.527Z","repository":{"id":145409149,"uuid":"109549156","full_name":"PC-Admin/PC-Admins-Synapse-Setup-Guide","owner":"PC-Admin","description":"A complete guide on how to setup Matrix's Synapse software on Debian 10 on its own domain.","archived":false,"fork":false,"pushed_at":"2020-06-23T04:58:29.000Z","size":238,"stargazers_count":25,"open_issues_count":1,"forks_count":6,"subscribers_count":2,"default_branch":"master","last_synced_at":"2024-11-04T05:33:54.856Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"cc-by-sa-4.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/PC-Admin.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2017-11-05T03:36:12.000Z","updated_at":"2024-03-29T13:34:51.000Z","dependencies_parsed_at":"2024-01-19T18:03:07.212Z","dependency_job_id":null,"html_url":"https://github.com/PC-Admin/PC-Admins-Synapse-Setup-Guide","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PC-Admin%2FPC-Admins-Synapse-Setup-Guide","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PC-Admin%2FPC-Admins-Synapse-Setup-Guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PC-Admin%2FPC-Admins-Synapse-Setup-Guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/PC-Admin%2FPC-Admins-Synapse-Setup-Guide/manifests","owner_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/owners/PC-Admin","download_url":"https://codeload.github.com/PC-Admin/PC-Admins-Synapse-Setup-Guide/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246976246,"owners_count":20863046,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T12:03:49.044Z","updated_at":"2025-04-03T09:31:18.059Z","avatar_url":"https://github.com/PC-Admin.png","language":null,"funding_links":[],"categories":["Others","others"],"sub_categories":[],"readme":"\n# PC-Admins Synapse Setup Guide\n\n\nThis guide covers complete Synapse setup for Debian 10 with Postgresql. It includes the often missing sections on how to configure postgresql and coturn with Synapse.\n\nYou can use this guide to make an encrypted chat server on its own domain.\n\nYou will need at least a 1GB VPS although I recommend 2GB for a small server. You will need a desired domain name. 
This guide will set up a Matrix service at ‘example.org’ with Riot-Web hosted through NGINX on the same server at ‘chat.example.org’.\n\nFor a guide on how to make a Matrix/Riot/Coturn service alongside your existing website please see: https://github.com/PC-Admin/PC-Admins-Synapse-Setup-Guide-2\n\nJoin the discussion at: #synapsesetupguide:matrix.org if you get stuck or have an edit in mind.\n***\n## Licensing\n\nThis work is licensed under Creative Commons Attribution Share Alike 4.0, for more information on this license see here: https://creativecommons.org/licenses/by-sa/4.0/\n***\n## Server Setup\n\nConfigure a Debian 10 server with auto-updates, security and SSH access. Ports 80/tcp, 443/tcp, 8448/tcp, 3478/udp, 5349/udp, 50001-50100/udp will need to be open for the web service, synapse federation and a coturn service.\n***\n## DNS Records\n\nSet up 2 simple A records, with ‘example.org’ and ‘chat.example.org’ pointed to your server's IP. \nAdditionally you might set up a DNS SRV record, though it's only necessary when you have changed your federation port to listen on a port other than the default port 8448.\n\nExample DNS SRV record:\n```\n_matrix._tcp        3600 IN SRV     10 0 8448 example.org.\n```\n\n***\n## Installing Synapse\n\nFollow [the official Debian install instructions](https://github.com/matrix-org/synapse/blob/master/INSTALL.md#debianubuntu) using the matrix.org packages.\n\nYou will be asked to set the name of your server after `apt install`, enter your desired domain name here. (eg: example.org)\n\nFinally check that the synapse server is shut down:\n\n`$ sudo systemctl stop matrix-synapse`\n\n***\n## Installing Postgresql\nThe default synapse install generates a config that uses sqlite. It has the advantage of being easy to set up as there's no db server setup to take care of. 
But from my experience the performance penalty is quite big and if you want to do something more than testing or running a small non-federated server, switching to postgres should be a mandatory step.\n\nSo let's install postgresql:\n\n`$ sudo apt install postgresql postgresql-client`\n\nCreate Role and Database\n\n`$ sudo -i -u postgres`\n\n`$ createuser synapse -P --interactive`\n```\npostgres@VM:~$ createuser synapse -P --interactive\nEnter password for new role: \nEnter it again: \nShall the new role be a superuser? (y/n) n\nShall the new role be allowed to create databases? (y/n) n\nShall the new role be allowed to create more new roles? (y/n) n\n```\nRemember the db user password, you'll need it later.\n\nNow we're back at $postgres. Let's create a database for Synapse with correct settings and set the owner to be the user we just created:\n\nType: `psql`\n\n..And create the database as follows:\n\n`postgres=# CREATE DATABASE synapse WITH ENCODING 'UTF8' LC_COLLATE 'C' LC_CTYPE 'C' TEMPLATE template0 OWNER synapse;`\n\nExit from psql by typing `'\\q'` \n\nAll done. 
Let's exit from the postgres account by typing 'exit' so we land back at our own user.\n\n***\n## Adapt Synapse config to use Postgresql\nNow that we have created the db and a user to be able to connect, we need to change the synapse config to use it:\n\n`$ sudo nano /etc/matrix-synapse/homeserver.yaml`\n\nBefore the change it should look like this:\n```\n# For more information on using Synapse with Postgres, see `docs/postgres.md`.\n#\ndatabase:\n  name: sqlite3\n  args:\n    database: /var/lib/matrix-synapse/homeserver.db\n```\n\nModify it to look like this:\n```\ndatabase:\n    name: psycopg2\n    args:\n        user: synapse\n        password: \"your-db-user-password\"\n        database: synapse\n        host: localhost\n        cp_min: 5\n        cp_max: 10\n```\n\n***\n## Certbot Setup\n\n`$ sudo apt install certbot`\n\nTest if the server IP can be pinged first; if it can, then run:\n\n`$ sudo certbot certonly --rsa-key-size 4096 -d example.org -d chat.example.org -d turn.example.org`\n\nChoose ‘spin up a temporary webserver’\n\nEnter a recovery email\n\nEnter ‘example.org’ as the domain\n\n```\nPerforming the following challenges:\nhttp-01 challenge for example.org\nhttp-01 challenge for chat.example.org\nhttp-01 challenge for turn.example.org\nWaiting for verification...\nCleaning up challenges\n\nIMPORTANT NOTES:\n - Congratulations! 
Your certificate and chain have been saved at:\n   /etc/letsencrypt/live/example.org/fullchain.pem\n   Your key file has been saved at:\n   /etc/letsencrypt/live/example.org/privkey.pem\n```\n\n***\n## Setup SSL Auto-renewal\n\nfor monthly renewal, set a crontab:\n\n`$ sudo crontab -e`\n\nInsert Line:\n\n`@monthly certbot renew --rsa-key-size 4096 --quiet --post-hook \"systemctl reload nginx\"`\n\n***\n## Configure NGINX with A+ SSL\n\nGenerate dhparam key and move it to your letsencrypt folder:\n```\n$ openssl dhparam -out dhparam4096.pem 4096\n$ sudo mv ./dhparam4096.pem /etc/letsencrypt/live/example.org/dhparam4096.pem\n$ sudo chown root:root /etc/letsencrypt/live/example.org/dhparam4096.pem\n```\nInstall NGINX and configure:\n```\n$ sudo apt install nginx -y\n```\nRemove default NGINX configuration:\n```\n$ sudo rm /etc/nginx/sites-available/default\n$ sudo rm /etc/nginx/sites-enabled/default\n```\nEdit a new NGINX configuration for example.org:\n```\n$ sudo nano /etc/nginx/sites-available/example.org.conf\n```\nAdd:\n```\nserver {\n    listen         80;\n    server_name    example.org;\n    return         301 https://$server_name$request_uri;\n}\n\nserver {\n    listen 443 ssl http2;\n    listen 8448 ssl http2;  # for federation (skip if pointing SRV or .well-known to port 443)\n    gzip off;\n    server_name example.org;\n\n    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;\n    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;\n    ssl_session_cache   shared:NGX_SSL_CACHE:10m;\n    ssl_session_timeout 12h;\n    ssl_protocols       TLSv1.3 TLSv1.2;\n    ssl_ciphers\t\t\"TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256\";\n    ssl_dhparam     
    /etc/letsencrypt/live/example.org/dhparam4096.pem;\n    ssl_ecdh_curve      X25519:secp521r1:secp384r1:prime256v1;\n\n    add_header Strict-Transport-Security \"max-age=31536000; includeSubdomains\" always;\n    add_header X-Content-Type-Options \"nosniff\" always;\n\n    location / {  \n        return 301 https://chat.example.org;\n    }\n\n    location /_matrix {\n        proxy_pass http://127.0.0.1:8008;\n        proxy_set_header X-Forwarded-For $remote_addr;\n    }\n\n    # This can be skipped if you're using port 8448 on example.org for federation:\n    location /.well-known/matrix/server {\n        return 200 '{ \"m.server\": \"example.org:8448\" }';\n        add_header content-type application/json;\n    }\n\n    location /.well-known/matrix/client {\n        return 200 '{ \"m.homeserver\": { \"base_url\": \"https://example.org\" }, \"im.vector.riot.jitsi\": { \"preferredDomain\": \"jitsi.riot.im\" } }';\n        add_header access-control-allow-origin *;\n        add_header content-type application/json;\n    }\n\n}\n```\n\n^ Make sure to replace the server name here with yours!\n\nCreate a symbolic link for it like so:\n\n`$ sudo ln -s /etc/nginx/sites-available/example.org.conf /etc/nginx/sites-enabled/example.org.conf`\n\nRestart service and renew SSL:\n\n`$ sudo certbot renew --rsa-key-size 4096 --quiet --post-hook \"systemctl reload nginx\"`\n\nIf you get a 'Cert not yet due for renewal' error wait a few hours and try again.\n\n\nNow synapse should be ready and we can see if it starts without errors:\n\n`$ sudo systemctl start matrix-synapse`\n\n`$ sudo systemctl status matrix-synapse`\n\n***\n## Fine Tune Synapse\nThere're two files that manage the behaviour of synapse:\n \n- Server config file in /etc/matrix-synapse/homeserver.yaml\n- Env file in /etc/default/matrix-synapse\n\nThe first is used to do the configuration of synapse, the second is used to setup the environment synapse is running in.\n\n### Registration and guest access\n\n- Set 
web_client_location:\n\n    File: /etc/matrix-synapse/homeserver.yaml: `web_client_location: https://chat.example.org/`\n\n- Set minimum version for federation TLS:\n\n    File: /etc/matrix-synapse/homeserver.yaml: `federation_client_minimum_tls_version: 1.2`\n\n- Federation Blacklist (optional):\n\n    File:  /etc/matrix-synapse/homeserver.yaml: \n```\n    federation_ip_range_blacklist:\n    #  - '127.0.0.0/8'\n    #  - '10.0.0.0/8'\n    #  - '172.16.0.0/12'\n    #  - '192.168.0.0/16'\n    #  - '100.64.0.0/10'\n    #  - '169.254.0.0/16'\n    #  - '::1/128'\n    #  - 'fe80::/64'\n    #  - 'fc00::/7'\n```\n\n- Allow public room list to federate (optional)\n\n    File:  /etc/matrix-synapse/homeserver.yaml: `allow_public_rooms_over_federation: true`\n\n- Registration (optional)\n\n    File:  /etc/matrix-synapse/homeserver.yaml: `enable_registration: true`\n\n- Admin email (optional)\n\n    File: /etc/matrix-synapse/homeserver.yaml: `admin_contact: 'mailto:admin@example.org'`\n\n\n**There are other settings here you may want to adjust. I would do so one at a time, testing each change as you go.**\n\n### Cache factor\n\nFor a small server (\u003c=2GB), adjusting the cache factor might improve performance. Some time ago the advice was to lower the cache factor to use less RAM. 
Experience has shown that the effect is quite the opposite, see [Issue](https://github.com/matrix-org/synapse/pull/4276).\n\nSo the new advice is to **raise the cache factor to use less RAM**, with a value of 2 being a good starting point:\n\n- Cache factor\n\n    File: /etc/default/matrix-synapse: \n```\nSYNAPSE_CACHE_FACTOR=2.0\n```\n \n***\n\n\u003cspan style=\"color:red\"\u003e**Don't forget to restart synapse and examine the RAM usage after each change:**\u003c/span\u003e\n\n`$ sudo systemctl restart matrix-synapse`\n\n***\n## Load Riot-Web client into NGINX\n\nNGINX content location: /var/www/chat.example.org\n```\n$ sudo mkdir /var/www/chat.example.org\n```\n\nEdit NGINX configuration for chat.example.org:\n```\n$ sudo nano /etc/nginx/sites-available/chat.example.org.conf\n```\nAdd:\n```\nserver {\n    listen         80;\n    server_name    chat.example.org;\n    return         301 https://chat.example.org$request_uri;\n}\n\nserver {\n    listen 443 ssl http2;\n    gzip off;\n    server_name chat.example.org;\n\n    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;\n    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;\n    ssl_session_cache   shared:NGX_SSL_CACHE:10m;\n    ssl_session_timeout 12h;\n    ssl_protocols       TLSv1.3 TLSv1.2;\n    ssl_ciphers\t\t\"TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256\";\n    ssl_dhparam         /etc/letsencrypt/live/example.org/dhparam4096.pem;\n    ssl_ecdh_curve      X25519:secp521r1:secp384r1:prime256v1;\n\n    add_header Strict-Transport-Security \"max-age=31536000; includeSubdomains\" always;\n    add_header X-Content-Type-Options \"nosniff\" always;\n\n    root /var/www/chat.example.org;\n    
index index.html; \n\n    location / {\n        try_files $uri $uri/ =404;\n    }\n\n}\n```\n\nCreate a symbolic link for it like so:\n```\n$ sudo ln -s /etc/nginx/sites-available/chat.example.org.conf /etc/nginx/sites-enabled/chat.example.org.conf\n```\n\nhttps://github.com/vector-im/riot-web/releases/latest\n\nDownload latest riot-web and move contents into nginx folder:\n```\n$ wget https://packages.riot.im/riot-release-key.gpg\n$ gpg --import riot-release-key.gpg\n$ wget https://github.com/vector-im/riot-web/releases/download/v1.6.0/riot-v1.6.0.tar.gz\n$ wget https://github.com/vector-im/riot-web/releases/download/v1.6.0/riot-v1.6.0.tar.gz.asc\n$ gpg --verify riot-v1.6.0.tar.gz.asc riot-v1.6.0.tar.gz\ngpg: Signature made Fri 01 May 2020 03:37:12 PM UTC\ngpg:                using RSA key 5EA7E0F70461A3BCBEBE4D5EF6151806032026F9\ngpg:                issuer \"releases@riot.im\"\ngpg: Good signature from \"Riot Releases \u003creleases@riot.im\u003e\" [unknown]\n$ tar -zxvf ./riot-v1.6.0.tar.gz\n$ sudo mv ./riot-v1.6.0/* /var/www/chat.example.org/\n$ rm -r ./riot-v*\n```\nCreate and edit config.json in nginx directory:\n\nFeel free to customize config.json to suit your needs. 
All of the lines in config.json are optional.\n```\n$ sudo cp /var/www/chat.example.org/config.sample.json /var/www/chat.example.org/config.json\n\n$ sudo nano /var/www/chat.example.org/config.json\n```\nAdd:\n```\n{\n    \"default_server_config\": {\n        \"m.homeserver\": {\n            \"base_url\": \"https://example.org\",\n            \"server_name\": \"example.org\"\n        },\n        \"m.identity_server\": {\n            \"base_url\": \"https://vector.im\"\n        }\n    },\n    \"disable_custom_urls\": false,\n    \"disable_guests\": false,\n    \"disable_login_language_selector\": false,\n    \"disable_3pid_login\": false,\n    \"brand\": \"Riot\",\n    \"integrations_ui_url\": \"https://scalar.vector.im/\",\n    \"integrations_rest_url\": \"https://scalar.vector.im/api\",\n    \"integrations_widgets_urls\": [\n        \"https://scalar.vector.im/_matrix/integrations/v1\",\n        \"https://scalar.vector.im/api\",\n        \"https://scalar-staging.vector.im/_matrix/integrations/v1\",\n        \"https://scalar-staging.vector.im/api\",\n        \"https://scalar-staging.riot.im/scalar/api\"\n    ],\n    \"bug_report_endpoint_url\": \"https://riot.im/bugreports/submit\",\n    \"defaultCountryCode\": \"AU\",\n    \"showLabsSettings\": false,\n    \"features\": {\n        \"feature_pinning\": \"labs\",\n        \"feature_custom_status\": \"labs\",\n        \"feature_custom_tags\": \"labs\",\n        \"feature_state_counters\": \"labs\"\n    },\n    \"default_federate\": true,\n    \"default_theme\": \"dark\",\n    \"roomDirectory\": {\n        \"servers\": [\n            \"matrix.org\",\n            \"perthchat.org\"\n        ]\n    },\n    \"welcomeUserId\": \"@riot-bot:matrix.org\",\n    \"piwik\": {\n        \"url\": \"https://piwik.riot.im/\",\n        \"whitelistedHSUrls\": [\"https://matrix.org\"],\n        \"whitelistedISUrls\": [\"https://vector.im\", \"https://matrix.org\"],\n        \"siteId\": 1\n    },\n    \"enable_presence_by_hs_url\": {\n    
    \"https://matrix.org\": false,\n        \"https://matrix-client.matrix.org\": false\n    },\n    \"settingDefaults\": {\n        \"breadcrumbs\": true\n    },\n    \"jitsi\": {\n        \"preferredDomain\": \"jitsi.riot.im\"\n    }\n}\n```\n\nReset NGINX:\n\n`$ sudo systemctl restart nginx`\n\nYou should be able to view and use Riot-Web through your URL now, test it out.\n\n***\n## Configure TURN service:\n\nYour matrix server still cannot make calls across NATs (different routers); for this we need to configure coturn.\n\nConfigure a simple A DNS record pointing turn.example.org to your server's IP.\n\nInstall coturn:\n\n`$ sudo apt install coturn`\n\nEdit coturn configs:\n```\n$ sudo nano /etc/default/coturn\n\n#\n# Uncomment it if you want to have the turnserver running as\n# an automatic system service daemon\n#\nTURNSERVER_ENABLED=1\n```\n\nCreate certs that turnserver user can access:\n```\nmkdir -p /etc/coturn/certs\nchown -R turnserver:turnserver /etc/coturn/\nchmod -R 700 /etc/coturn/\nnano /etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh\nchmod 700 /etc/letsencrypt/renewal-hooks/deploy/coturn-certbot-deploy.sh\n```\n\nIn the renewal hook insert:\n```\n#!/bin/sh\n\nset -e\n\nfor domain in $RENEWED_DOMAINS; do\n        case $domain in\n        example.org)\n                daemon_cert_root=/etc/coturn/certs\n\n                # Make sure the certificate and private key files are\n                # never world readable, even just for an instant while\n                # we're copying them into daemon_cert_root.\n                umask 077\n\n                cp \"$RENEWED_LINEAGE/fullchain.pem\" \"$daemon_cert_root/$domain.cert\"\n                cp \"$RENEWED_LINEAGE/privkey.pem\" \"$daemon_cert_root/$domain.key\"\n\n                # Apply the proper file ownership and permissions for\n                # the daemon to read its certificate and key.\n                chown turnserver \"$daemon_cert_root/$domain.cert\" \\\n                        
\"$daemon_cert_root/$domain.key\"\n                chmod 400 \"$daemon_cert_root/$domain.cert\" \\\n                        \"$daemon_cert_root/$domain.key\"\n\n                service coturn restart \u003e/dev/null\n                ;;\n        esac\ndone\n```\n\nRenew certbot:\n\n`$ sudo certbot renew --force-renewal`\n\nGenerate a ‘shared-secret-key’ and record it, this can be done like so:\n```\n$ \u003c /dev/urandom tr -dc _A-Z-a-z-0-9 | head -c${1:-64};echo;\n5PFhfL1Eoe8Wa6WUxpR4wcwKUqkcl3UUg9QeOmpfnGHpW2O9cOsZ5yIoCDgMMdVP\n```\n\nGenerate a cli-password and record it, then generate a ‘hash’ from it using turnadmin:\n```\n$ turnadmin -P -p \"your-cli-password\"\n$5$6fc2691fa3d289f9$8a7079825a7d4bfce772ed278c4d1549936b96b27ab1b3014a090492437feb45\n```\n\nEdit turnserver config like so:\n```\n$ sudo nano /etc/turnserver.conf\n```\n\nAdd:\n```\n# Append this to the bottom of the new turnserver config:\nlistening-port=3478\ntls-listening-port=5349\nlt-cred-mech\nfingerprint\nstale-nonce\nuse-auth-secret\nstatic-auth-secret=shared-secret-key\ncli-password=hash\nserver-name=turn.example.org\nrealm=turn.example.org\ncert=/etc/coturn/certs/example.org.cert\npkey=/etc/coturn/certs/example.org.key\ndh2066\nuserdb=/var/lib/turn/turndb\n#no-stdout-log\nlog-file=/var/tmp/turn.log\n#syslog\nsimple-log\nmobility\nno-tlsv1\nno-tlsv1_1\nno-tcp-relay\n#allowed-peer-ip=10.0.0.1\nuser-quota=12\ntotal-quota=1200\nno-multicast-peers\nno-tcp\nmin-port=50001\nmax-port=50100\n```\n\nEdit homeserver.yaml:\n```\n$ sudo nano /etc/matrix-synapse/homeserver.yaml\n\nturn_uris: [ \"turn:turn.example.org:3478?transport=udp\", \"turn:turn.example.org:5349?transport=udp\" ]\nturn_shared_secret: shared-secret-key\nturn_user_lifetime: 1h\nturn_allow_guests: true\n```\n\nRestart both the new coturn service and matrix-synapse, then test cross-NAT calling:\n```\n$ sudo systemctl start coturn\n$ sudo systemctl restart matrix-synapse\n```\n\n***\n## Done!\n\nYour Synapse is now up and running and 
you're hosting the latest Riot through the Nginx web server. You're also running a jitsi-meet instance.\n\nYou should familiarise yourself with the Synapse wiki: https://github.com/matrix-org/synapse/wiki\n\nFind extra steps to configure your Synapse server here: https://github.com/PC-Admin/PC-Admins-Synapse-Extras\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPC-Admin%2FPC-Admins-Synapse-Setup-Guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FPC-Admin%2FPC-Admins-Synapse-Setup-Guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FPC-Admin%2FPC-Admins-Synapse-Setup-Guide/lists"}