Matrix Messaging


Hi guys,

Matrix is the new standard for instant messaging, VOIP and video: http://matrix.org/
It’s a decentralized system like Yunohost, with bridges to legacy protocols, as explained in this presentation at Fosdem 2016 (PDF)

It would be great to have a Matrix server in Yunohost

Thanks :slight_smile:

Questions ? The Matrix core devs are here: https://riot.im/app/#/room/#matrix-dev:matrix.org

A large share of the devs are French :wink: https://riot.im/app/#/room/#matrix-fr:matrix.org

I have tested Matrix with the Riot client recently and communication works very well. Group messages of course, but also 1:1 VoIP calls are of excellent quality and reliable, even when the connection is not really good.
Only the encryption mechanism is not fully functional: for instance, if I start an encrypted conversation with Riot on my desktop and I want to continue through Riot for Android, then I can’t read on Android the messages I wrote on my desktop. I'm sure the devs will improve the encryption mechanism to allow multi-device conversations.

A few days ago, I tried to install the Matrix Synapse server on my server where Yunohost is running, without success so far. Synapse is installed on a specific subdomain managed by Yunohost. The Synapse server is working but I can’t connect to it from riot.im.
I still have to identify what to modify in Nginx or the firewall to allow communication on port 8448 to reach the Synapse server, as Synapse is not recognized by Yunohost so far.

See u

Crou²

1 Like

Thanks for the feedback :slight_smile:

This is a rather recent tutorial about the Matrix server (aka Synapse) on Debian
https://xo.tc/seting-up-matrix-synapse-and-riot-on-debian-8-jessie.html

If you need support, the experts are here: https://riot.im/app/#/room/#matrix-dev:matrix.org

Thanks for these links.
I have read them before starting, they are very informative, particularly the one on https://xo.tc/.

Indeed, I think the problem is not Matrix / Synapse but rather my very limited knowledge of how Yunohost is designed and the role of Nginx.
As I declared the sub-domain where I want to install Synapse on the Yunohost system, I guess Yunohost is completely managing this sub-domain and so Synapse can’t use it.
I think I either have to remove this sub-domain from the management of Yunohost or find a way to let Synapse connect to the Internet (maybe by modifying Nginx). I have read instructions on how to modify Apache, but not Nginx so far.

This is what happens when a beginner tries to make a rocket take off, it doesn’t always start … :wink:

1 Like

Not sure if it applies to Yunohost but this is a tutorial with nginx :slight_smile:
https://matrix.org/blog/2016/02/10/advanced-synapse-setup-with-lets-encrypt/

I’ve also found these nginx instructions on github: https://github.com/matrix-org/synapse/blob/master/README.rst#using-a-reverse-proxy-with-synapse

Welcome to the forum @swift11 and thanks for the links. Are you affiliated with Matrix?

When you say it’s the new standard, is it your opinion or did I miss something in the news?
For me the standard in this paradigm is still xmpp (and Matrix does not support e2e encryption for the moment).
Although I am interested in different paradigms like tox that works without servers.
I understand from the presentation that the advantage of Matrix in this regard is its possible future connections to other platforms. Is there anything else from the user perspective?

1 Like

Thanks @bastien,
First of all, I’m just a stupid user, nothing more :slight_smile:

Regarding XMPP, this article (published today !) sums it up imo
https://disroot.org/disroot-joins-the-matrix-network/

I’m certainly not an expert but I’ve heard that Tox doesn’t work very well on mobile: battery problems, etc
But the main point of Matrix is that any client should be able to join the federation.

As a conclusion, I would say: just try it ! :wink: https://riot.im/

Thanks for the info, I will add it to my research.

1 Like

Thanks again @swift11 for the links about Nginx.
My Synapse server seems to be running well, I can connect to it from Riot, but federation doesn’t work. I didn’t want to touch the Yunohost Nginx config files, fearing to break everything.
I have the feeling the Matrix servers connect to the Yunohost Nginx and so to the SSO, and not to Synapse, even if I set port 8448 when connecting from Riot. Maybe I’ll find a way to exclude some ports from the management of the Yunohost server.
I’ll look for information and try when I have some time, but now it is more family time :slight_smile:

Merry Christmas !

1 Like

Hello,
Some information on what I did to install Synapse on matrix.example.com
I currently have Yunohost running on mon.example.com

  • I modified the DNS of example.com to send matrix.example.com to my Yunohost server. I took the opportunity to add the specific SRV record for Matrix: _matrix._tcp.matrix.example.com 3600 IN SRV 10 0 8448 matrix.example.com
  • I created on Yunohost an additional sub-domain specifically for Matrix: matrix.example.com (with the domain section of Yunohost), in addition to the main “subdomain” that is still mon.example.com
  • Install Let’s Encrypt certificate for this new sub-domain with Let’s Encrypt app of Yunohost
  • Install synapse server adding the debian repository

add-apt-repository -s "https://matrix.org/packages/debian/"
gpg --keyserver pgp.mit.edu --recv-keys AD0592FE47F0DF61
apt-get update
apt-get install matrix-synapse

  • I moved the certificate and changed their owner

cd /etc/matrix-synapse/
cp /etc/letsencrypt/live/matrix.example.com/* .
chown matrix-synapse *.pem

  • Change the path of the certificate in the Synapse config by changing, in /etc/matrix-synapse/homeserver.yaml:

tls_certificate_path: "/etc/matrix-synapse/fullchain.pem"
tls_private_key_path: "/etc/matrix-synapse/privkey.pem"

  • I added in /etc/nginx/conf.d/matrix.example.com.conf, in the section “443”:

location /_matrix {
    proxy_pass http://localhost:8008;
}

  • I opened port 8448 in the Yunohost firewall (but not 8008)

And that’s all.

In the end Synapse is working, the status says “Running”, and I can connect to it (from riot.im, for instance).
Users of the same server can talk to each other but federation is not working: I can’t chat with a user of another Matrix server.

Any idea what I should change to allow federation ?

I tried to install matrixtool to test my server but install with cpan App::MatrixTool failed.

1 Like

Pretty cool, that sounds like it could be easily packaged into an app :wink: !

Not sure that’s a good practice to do this. LE certificates are only valid 90 days and will be renewed at some point. You might want to use a symbolic link instead (e.g. ln -s /etc/yunohost/cert/domain.tld/file.pem ./file.pem). If the program isn’t launched as root somehow, you can set the group owner to ssl-cert (which metronome is in for instance) and put your program user in the ssl-cert group.

2 Likes
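A check for the certificate concern raised in the reply above, as an added example that is not part of the original posts: it tells apart symlinks, copies that went stale after a renewal, and a world-readable private key. The function name `audit_cert_dir` and its two directory arguments are assumptions; the demo files hold constructed placeholder text, not key material.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit the certificate files a service
# uses against the directory where renewed certificates land.
# Prints one finding per file; returns 0 when nothing needs attention.

audit_cert_dir() {
    local svc_dir="$1" live_dir="$2" rc=0 name f
    for name in fullchain.pem privkey.pem; do
        f="$svc_dir/$name"
        if [ -L "$f" ]; then
            # A symlink follows renewals automatically, unless its target is gone.
            if [ -e "$f" ]; then echo "$name: symlink ok"
            else echo "$name: dangling symlink"; rc=1; fi
        elif [ ! -f "$f" ]; then
            echo "$name: missing"; rc=1
        elif ! cmp -s "$f" "$live_dir/$name"; then
            echo "$name: stale copy (differs from renewed file)"; rc=1
        else
            echo "$name: copy, in sync until the next renewal"
        fi
        # The private key must not be readable by "other" (mode bit 004).
        if [ "$name" = privkey.pem ] &&
           [ -n "$(find -L "$f" -maxdepth 0 -perm -004 2>/dev/null)" ]; then
            echo "$name: world-readable"; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: placeholder contents standing in for real PEM files.
demo="$(mktemp -d)"; mkdir "$demo/live" "$demo/synapse"
echo "cert-v1" > "$demo/live/fullchain.pem"
echo "key-v1"  > "$demo/live/privkey.pem"
cp "$demo"/live/*.pem "$demo/synapse/"        # the copy step from the post
echo "cert-v2" > "$demo/live/fullchain.pem"   # simulate a renewal
echo "key-v2"  > "$demo/live/privkey.pem"
audit_cert_dir "$demo/synapse" "$demo/live" || echo "action needed"
rm -rf "$demo"
```

On the setup described in the thread, the arguments would be /etc/matrix-synapse and the Let's Encrypt live directory for the domain.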

congrats ! :slight_smile:
this could be useful info for federation imo https://github.com/matrix-org/synapse/blob/master/README.rst#reverse-proxying-the-federation-port

and support for matrix is always available here :wink:
https://riot.im/app/#/room/#matrix-dev:matrix.org

I forgot to mention the LDAP auth plugin https://github.com/matrix-org/matrix-synapse-ldap3

@swift11 thanks for your support and advice!

If I test my server with https://matrix.org/federationtester/api/report?server_name=<your_server_name> everything seems correct (certificate, port,…)

I am looking for tools to diagnose the problem I face. I am less and less sure it is a problem with the way Yunohost handles Nginx.
I will contact people on #matrix-dev:matrix.org to get more advice…

Why do you think I should set up a proxy for the federation port? I understood it is possible but not really encouraged.
For the LDAP, I think I will go that way on second steps, once “my matrix” is working fully.

1 Like

I’ve just read this discussion on dev:matrix, seems to be the same problem you’re facing :wink:
https://riot.im/app/#/room/!XqBunHwQIXUiqCaoxq:matrix.org/$14828420302778128LJwnU:matrix.org

I discovered that the problem was :
InvalidAddressError: IPv4 port write() called with IPv6 address

According to https://github.com/matrix-org/synapse/issues/1002 we can’t resolve DNS through IPV6… but Yunohost only does so through IPV6.
My /etc/resolv.conf included only :

nameserver 2001:41d0:3:163::1
nameserver 2001:41d0:1:e2b8::1

So I changed this file to :

#nameserver 2001:41d0:3:163::1
#nameserver 2001:41d0:1:e2b8::1
nameserver 91.121.161.184

(indeed my Internet provider is OVH so I keep the OVH DNS resolver for my server)

And miracle ! I can talk with other Matrix server ! Youpi tralala :slight_smile:

But… it seems /etc/resolv.conf is regularly overwritten by Yunohost, so this is not a sustainable way of solving my problem.
Is there another way to change from an IPV6 to an IPV4 DNS resolver, while waiting for Matrix to properly handle IPV ?
Does this change have consequences for the Yunohost server?

1 Like
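Because the resolver file gets overwritten, a periodic check can report when the server is back on IPv6-only resolvers. The following is an added example, not part of the original posts; the function name `classify_resolvers` and its return codes are assumptions, and the sample file is constructed from the values quoted in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): report which address families the
# active resolvers in a resolv.conf-style file use.
# Returns 0 if an IPv4 resolver is active, 1 if only IPv6, 2 if none.

classify_resolvers() {
    local file="${1:-/etc/resolv.conf}" v4=0 v6=0 seen=0 keyword addr _rest
    [ -r "$file" ] || { echo "unreadable"; return 2; }
    # The "|| [ -n ... ]" keeps a last line that has no trailing newline.
    while read -r keyword addr _rest || [ -n "$keyword" ]; do
        # Commented-out entries ("#nameserver ...") do not match and are skipped.
        [ "$keyword" = "nameserver" ] || continue
        seen=$((seen + 1))
        # glibc only consults the first three nameserver entries.
        [ "$seen" -le 3 ] || continue
        case "$addr" in
            *:*)     v6=$((v6 + 1)) ;;
            *.*.*.*) v4=$((v4 + 1)) ;;
        esac
    done < "$file"
    echo "ipv4=$v4 ipv6=$v6"
    if [ "$v4" -gt 0 ]; then return 0; fi
    if [ "$v6" -gt 0 ]; then return 1; fi
    return 2
}

# Constructed sample: the resolver file as it looks after the manual edit.
sample="$(mktemp)"
cat > "$sample" <<'EOF'
#nameserver 2001:41d0:3:163::1
#nameserver 2001:41d0:1:e2b8::1
nameserver 91.121.161.184
EOF
classify_resolvers "$sample" || echo "no IPv4 resolver active"
rm -f "$sample"
```

Run from cron against /etc/resolv.conf, a non-zero return is the signal that the file was regenerated.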

they seem to consider that IPV6 should work :slight_smile: https://github.com/matrix-org/synapse/pull/1696

edit: you’re right, it’s a bug in Twisted (the networking engine) https://twistedmatrix.com/trac/ticket/8877

As this patch doesn’t seem to for now, do you know how I can permanently change the DNS resolver in Yunohost?
This would solve my problem for the time being…

While waiting for the patch to the “Synapse” server, a solution that makes it possible to have an IPV4 DNS resolver is at DNS resolver : how to add permanently an IPV4 server?
With this change, federation between Yunohost servers works (chat, calls, …).

However, I do not have confirmation from the Yunohost devs that my solution has no consequences for the operation and security of my Yunohost server…

[Edit : I wrote in French indeed, sorry for that… translation below + an addition]

Waiting for the patch of the Synapse Server, a solution that allows (in my case) to have a DNS resolver working with IPV4 at DNS resolver : how to add permanently an IPV4 server?
With this change, federation works (chat, calls,…)
However, I am waiting for the confirmation of Yunohost dev that my proposed solution has no consequences on the running and the security of Yunohost server.

In addition, I added a TURN server to facilitate voice/video calls (instructions at https://github.com/matrix-org/synapse/blob/master/docs/turn-howto.rst).
Everything seems to be working! :relaxed:
What a great chat / voice / video solution, decentralized, secured, and free software !

1 Like