Works even in the parking lot: how to deploy your own communication node based on Matrix Synapse, Coturn, and Element
We’ve gotten used to whispering in someone else’s house. We got “free” messengers where the walls have ears, the owner can change the locks at any moment, and our most intimate conversations are just a line in the logs for an advertising engine to analyze. We’ve become digital tenants and forgotten that we can build for ourselves.
This text isn’t about renting. It’s about forging keys, erecting walls, and raising a flag over your own, unbreakable digital citadel. We’ll deploy a full communication node on a Selectel server: Matrix Synapse, Coturn call server, and the Element web client. No containers, no magic. Just a clean system, the command line, and one hundred percent control.
Note! In this guide, the domain chat.lservers.ru and IP address 45.131.42.83 are used as examples. Make sure to replace them with your actual data in all configuration files and commands.
Chapter 1. Laying the Foundation
90% of future problems are born at this stage because of haste. Don’t rush. A properly laid foundation is the key to stable operation.
Server and DNS Preparation
Matrix Synapse is pretty resource-hungry, especially when it comes to RAM. For stable chat and call performance, even for a small team, you need some power in reserve.
We’ll use a virtual server, which fits these tasks perfectly.
Preparing the Server
1. Go to the Selectel control panel. In the top menu select Products → Cloud Servers and click Create Server.
2. Now choose your configuration. Minimum recommended: 2 vCPU and 2 GB RAM. This will keep the interface responsive and message processing fast. For the OS, select Debian 12 (Bookworm).
3. You definitely need to add a public IP. In our example, it’s 45.131.42.83.
Setting up DNS
Now you need to let the world know where to find your future citadel.
1. In your domain registrar’s control panel, create one A record.
Type: A.
Name (host): chat.
Value: 45.131.42.83.
2. A PTR (reverse DNS) record is also worth setting so that the address resolves back to your hostname. Matrix federation itself does not check it, but it makes your server easy to identify in other operators' logs and is expected of any host that talks to strangers.
Let's go back to the control panel.
Go to your server's card. In the network settings, find the IP address and the option to edit the PTR record.
Specify the full server name. For example, chat.lservers.ru.
First Connection and Update
Connect to the server via SSH and first bring the system up to date.
sudo apt update && sudo apt upgrade -y
Chapter 2. Mounting of Load-Bearing Structures
Install all the software before moving on to the configuration.
Web Server and Utilities Installation
Apache will be our gateway, and Certbot is the key to encryption.
sudo apt install -y apache2 certbot
Let's immediately enable all necessary Apache modules for further work.
sudo a2enmod proxy proxy_http ssl headers rewrite
Matrix Synapse and Coturn Installation
1. Install dependencies and add the Matrix repository.
sudo apt install -y lsb-release wget apt-transport-https
sudo wget -O /usr/share/keyrings/matrix-org-archive-keyring.gpg https://packages.matrix.org/debian/matrix-org-archive-keyring.gpg
echo "deb [signed-by=/usr/share/keyrings/matrix-org-archive-keyring.gpg] https://packages.matrix.org/debian/ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/matrix-org.list
2. Install Synapse and Coturn.
sudo apt update
sudo apt install -y matrix-synapse-py3 coturn
During the installation of Synapse a dialog appears. Enter your server name, for example chat.lservers.ru; the package writes it to /etc/matrix-synapse/conf.d/server_name.yaml. It also asks whether to report anonymous usage statistics; answer as you prefer.
Chapter 3. Engineering Systems and Communications
This is the most critical stage. Accuracy here is the key to success.
Obtaining SSL Certificates
We will obtain the certificates before the full service setup, as they are required for both Apache and Coturn.
1. Temporarily stop Apache to free up port 80 for Certbot verification.
sudo systemctl stop apache2
2. Obtain the certificate in standalone mode.
sudo certbot certonly --standalone -d chat.lservers.ru
Settle renewal now rather than in 90 days. Certbot records the standalone method in the renewal configuration, and by then Apache will hold port 80, so either pass --pre-hook and --post-hook that stop and start apache2 when you issue the certificate, or switch renewal to the Apache authenticator once the site is live; in either case add a --deploy-hook that restarts coturn and reloads apache2 so both pick up the new files. Also check coturn's access to the key: on Debian the service runs as the unprivileged turnserver user, and the private key under /etc/letsencrypt is readable by root only. If journalctl -u coturn later reports that it cannot open the key file, have the deploy hook copy fullchain.pem and privkey.pem into a directory that user can read and point cert= and pkey= there.
Configuring Synapse: The Single Source of Truth
The Synapse package for Debian has its own philosophy: the main file homeserver.yaml should not be touched, and all changes should be made in the conf.d directory.
1. Set the server name — this is a critically important step. The Debian package expects the server name to be specified in a separate, specially designated file.
sudo nano /etc/matrix-synapse/conf.d/server_name.yaml
Delete all contents of the file and insert this line only:
server_name: "chat.lservers.ru"
2. Create a file with the remaining settings.
sudo nano /etc/matrix-synapse/conf.d/90-custom.yaml
Paste the configuration below. Generate a fresh value for every secret with openssl rand -hex 32, one run per secret, and substitute it; never reuse one value for two settings.
# Allow registration while you create the first account. Chapter 5 turns it back off.
enable_registration: true
enable_registration_without_verification: true
# Secret that signs access tokens. Set it explicitly to a random value rather than relying on a derived default.
macaroon_secret_key: "YOUR_GENERATED_MACAROON_KEY"
# Settings for calls via Coturn: where clients are told to find the TURN server (plain TURN on 3478).
turn_uris:
- "turn:chat.lservers.ru:3478?transport=udp"
- "turn:chat.lservers.ru:3478?transport=tcp"
# Secret from which per-user TURN credentials are derived. Must be byte-for-byte identical to static-auth-secret in turnserver.conf.
turn_shared_secret: "YOUR_GENERATED_TURN_KEY"
# How long a minted TURN credential stays valid, in milliseconds (one day).
turn_user_lifetime: 86400000
# Only matters if guest access is enabled elsewhere; guests then receive relay credentials without an account.
turn_allow_guests: true
# Largest single media upload Synapse accepts (its default is 50M).
max_upload_size: 4G
Database note. By default Synapse uses SQLite, which is fine for this first test. Synapse's own documentation recommends PostgreSQL for anything in real use, and the switch is easier before the database has accumulated history.
Coturn Setup
1. Open the configuration file.
sudo nano /etc/turnserver.conf
2. Replace all its content with your domain and secret key from the previous step.
listening-port=3478
tls-listening-port=5349
fingerprint
use-auth-secret
static-auth-secret=YOUR_GENERATED_TURN_KEY
realm=chat.lservers.ru
lt-cred-mech
cert=/etc/letsencrypt/live/chat.lservers.ru/fullchain.pem
pkey=/etc/letsencrypt/live/chat.lservers.ru/privkey.pem
no-multicast-peers
no-cli
3. Enable autostart. To do this, in the /etc/default/coturn file, change TURNSERVER_ENABLED=0 to 1.
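The two files above have to agree on one value, and every secret should be generated exactly once, which is easy to get wrong when pasting by hand. The following script is an added example, not part of the original article: it generates the three secrets, renders both 90-custom.yaml and turnserver.conf into a directory of your choice, and verifies that the TURN secret matches in both. Beyond the article's configuration it also adds registration_shared_secret, turns: URIs on 5349, an explicit relay-port range, and the no-tcp-relay, denied-peer-ip and quota settings that Synapse's coturn guide recommends, so the relay cannot be used as a proxy into your own network. OUT_DIR and DOMAIN are this script's own variables; their defaults are examples.

```shell
#!/bin/sh
# Added example, not from the original article: generate each secret once and
# render the two files that must agree on the TURN secret, plus the relay-port
# and peer-IP hardening from Synapse's coturn guide. OUT_DIR and DOMAIN are this
# script's own variables; their defaults (a temp dir, chat.lservers.ru) are examples.
set -eu

# 32 random bytes as 64 hex characters (same as the article's openssl rand -hex 32)
gen_secret() {
    if command -v openssl >/dev/null 2>&1; then openssl rand -hex 32
    else head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; fi
}

# Synapse drop-in. $1 domain, $2 macaroon key, $3 registration secret, $4 TURN secret
render_synapse_conf() {
cat <<EOF
# Open registration only while the first account is created; set both to false afterwards
enable_registration: true
enable_registration_without_verification: true
# Signs access tokens; set explicitly so it cannot drift if the signing key is ever replaced
macaroon_secret_key: "$2"
# Lets register_new_matrix_user -c <this file> create accounts without public registration
registration_shared_secret: "$3"
# TLS (turns) on 5349 first, plain turn on 3478 as fallback; both match turnserver.conf
turn_uris:
  - "turns:$1:5349?transport=udp"
  - "turns:$1:5349?transport=tcp"
  - "turn:$1:3478?transport=udp"
  - "turn:$1:3478?transport=tcp"
# Must be byte-for-byte identical to static-auth-secret in turnserver.conf
turn_shared_secret: "$4"
turn_user_lifetime: 1d
turn_allow_guests: true
max_upload_size: 4G
EOF
}

# coturn config. $1 domain, $2 TURN secret
render_coturn_conf() {
cat <<EOF
listening-port=3478
tls-listening-port=5349
# Relay range: this exact UDP range must be open in the firewall (ufw: 49152:65535/udp)
min-port=49152
max-port=65535
fingerprint
use-auth-secret
static-auth-secret=$2
realm=$1
# On Debian coturn runs as the turnserver user; it must be able to read both files
cert=/etc/letsencrypt/live/$1/fullchain.pem
pkey=/etc/letsencrypt/live/$1/privkey.pem
# WebRTC media is UDP; a relay that also opens TCP to arbitrary peers is a free proxy
no-tcp-relay
no-multicast-peers
# Never relay into private, loopback, link-local or carrier-NAT space behind this host
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
# Cap concurrent relayed streams so one account cannot exhaust the server
user-quota=12
total-quota=1200
no-cli
EOF
}

# Generate three independent secrets and write both files, readable by the owner only
write_configs() {
    out=$1; domain=$2
    macaroon=$(gen_secret); reg=$(gen_secret); turn=$(gen_secret)
    mkdir -p "$out"
    render_synapse_conf "$domain" "$macaroon" "$reg" "$turn" > "$out/90-custom.yaml"
    render_coturn_conf "$domain" "$turn" > "$out/turnserver.conf"
    chmod 600 "$out/90-custom.yaml" "$out/turnserver.conf"
}

# Succeeds only if both files carry the same 64-hex TURN secret
secrets_match() {
    a=$(sed -n 's/^turn_shared_secret: "\(.*\)"$/\1/p' "$1/90-custom.yaml")
    b=$(sed -n 's/^static-auth-secret=\(.*\)$/\1/p' "$1/turnserver.conf")
    [ -n "$a" ] && [ "$a" = "$b" ] && printf '%s' "$a" | grep -Eq '^[0-9a-f]{64}$'
}

# Usage: DOMAIN=chat.lservers.ru OUT_DIR=/tmp/matrix-conf sh render-configs.sh
if [ -n "${OUT_DIR:-}" ]; then
    write_configs "$OUT_DIR" "${DOMAIN:-chat.lservers.ru}"
    if secrets_match "$OUT_DIR"; then echo "rendered into $OUT_DIR; TURN secret consistent"
    else echo "secret mismatch in $OUT_DIR" >&2; exit 1; fi
fi
```

Run it as DOMAIN=chat.lservers.ru OUT_DIR=/tmp/matrix-conf sh render-configs.sh, read both files, then copy 90-custom.yaml into /etc/matrix-synapse/conf.d/ and turnserver.conf to /etc/turnserver.conf. Whatever min-port/max-port range you settle on has to be opened as UDP in ufw, or authentication will succeed and no media will ever flow.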
Element Web Client Setup
1. Go to the /tmp directory, look up the current version on the Element release page and substitute its tarball URL for the one below (the project now lives under github.com/element-hq; the older vector-im address redirects there). Each release is published with a detached .asc signature next to the tarball; verify it before you unpack anything into a public web root.
cd /tmp
wget https://github.com/vector-im/element-web/releases/download/v1.11.80/element-v1.11.80.tar.gz
sudo mkdir -p /var/www/element
sudo tar -xzvf element-v*.tar.gz -C /var/www/element --strip-components=1
sudo cp /var/www/element/config.sample.json /var/www/element/config.json
2. Open config.json and, under default_server_config → m.homeserver, set base_url to https://chat.lservers.ru and server_name to chat.lservers.ru.
sudo nano /var/www/element/config.json
Apache only needs to read these files, so leave them owned by root rather than handing the web root to the www-data account; an exploited worker process should not be able to rewrite the client it serves.
sudo chown -R root:root /var/www/element
Apache Setup
Now we configure Apache as a reverse proxy. Its task is to accept every request that arrives for the domain and sort it: ordinary browser requests are served from the Element web client files, while Matrix API calls are passed on to Synapse, which listens only on the loopback interface on port 8008. Two caveats before you copy the file. Element's own documentation recommends serving the web client from a different hostname than the homeserver, so that a cross-site scripting bug in the client can never run with the homeserver's origin; one shared domain works, as below, but it is the less defensive layout. And because everything terminates on port 443 here rather than the federation default 8448, other homeservers will only reach you if /.well-known/matrix/server on this host points m.server at chat.lservers.ru:443 (Synapse's delegation documentation gives the exact file), or if you open and proxy 8448 as well.
Create the /etc/apache2/sites-available/chat.lservers.ru.conf file with the following content:
<VirtualHost *:80>
    # This block handles all unencrypted traffic (HTTP).
    # Its only task is to redirect the visitor to the HTTPS version of the site.
    ServerName chat.lservers.ru
    Redirect permanent / https://chat.lservers.ru/
</VirtualHost>

<VirtualHost *:443>
    # This is the main working section, which handles encrypted traffic (HTTPS).
    ServerName chat.lservers.ru

    # Requests for the root of the site are answered with the Element web client files.
    DocumentRoot /var/www/element

    # Enable TLS and point at the certificate obtained from Certbot.
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/chat.lservers.ru/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/chat.lservers.ru/privkey.pem

    # The most important part. Everything under /_matrix (the Matrix API) and
    # /_synapse/client (Synapse's client-facing extras) is proxied to port 8008 on the
    # loopback interface, where Synapse listens. Deliberately not /_synapse as a whole:
    # that would expose the admin API under /_synapse/admin to the internet, which
    # Synapse's reverse-proxy documentation tells you not to do.
    # nocanon and NoDecode keep encoded slashes in event IDs and room aliases intact;
    # ProxyPreserveHost and X-Forwarded-Proto let Synapse see the real host and scheme.
    AllowEncodedSlashes NoDecode
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass /_matrix http://127.0.0.1:8008/_matrix nocanon
    ProxyPassReverse /_matrix http://127.0.0.1:8008/_matrix
    ProxyPass /_synapse/client http://127.0.0.1:8008/_synapse/client nocanon
    ProxyPassReverse /_synapse/client http://127.0.0.1:8008/_synapse/client

    # Access permissions for the web client files. Directory listings stay off:
    # a static client has no reason to enumerate its own tree, and .htaccess is not needed.
    <Directory /var/www/element>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
Chapter 4. Commissioning
Before starting your Matrix server, it's important to correctly configure network security, activate the necessary services, and create the first administrator.
Configure the firewall
To ensure the security of the system, access to the server should be restricted to only necessary ports.
1. Install the ufw utility, which allows you to easily manage firewall rules.
sudo apt install -y ufw
2. Allow incoming SSH connections to be able to manage the server remotely.
sudo ufw allow ssh
3. Allow HTTP and HTTPS traffic for the Apache web server.
sudo ufw allow 'Apache Full'
4. Open the ports used by the TURN server (Coturn), which handles NAT traversal for WebRTC calls: the two listening ports below, plus the UDP relay range through which coturn actually passes media (49152 through 65535 unless you narrowed it with min-port/max-port in turnserver.conf; ufw takes it as 49152:65535/udp). Without the relay range the credential check passes but no audio or video ever flows.
sudo ufw allow 3478
sudo ufw allow 5349
5. Enable the firewall by activating all the previously set rules.
sudo ufw enable
Recommendation. Run ufw enable only once the SSH rule is in place. Enabling the firewall on a remote host without it ends your current session and blocks the next one.
Activation and Starting Systems
Next, you need to enable and start the necessary server components to get it running.
1. Enable the Apache virtual host configuration for your domain (replace chat.lservers.ru.conf with your configuration file).
sudo a2ensite chat.lservers.ru.conf
2. Enable and start the TURN server coturn, which handles NAT traversal for WebRTC calls.
sudo systemctl enable --now coturn
3. Restart the Apache web server to apply changes.
sudo systemctl restart apache2
4. Restart the Matrix Synapse server to apply new settings.
sudo systemctl restart matrix-synapse
Recommendation. After the restarts, run systemctl status matrix-synapse, systemctl status coturn and systemctl status apache2; if one of them is not active, journalctl -u <service> shows why.
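Before creating the first user it is worth confirming that the TURN half actually works, because a mismatch between turn_shared_secret and static-auth-secret fails silently until the first call. The following script is an added example and not part of the article: it reproduces the TURN REST API credential scheme that Synapse and coturn share, username = expiry:user and password = base64(HMAC-SHA1(secret, username)), on both the minting side Synapse performs and the verifying side coturn performs, and prints a turnutils_uclient command that exercises the relay with credentials minted from your real secret. openssl and base64 are assumed to be installed; the user id, lifetimes and timestamps are made-up inputs, and TURN_SECRET is this script's own variable.

```shell
#!/bin/sh
# Added example, not from the article: the TURN REST API credential scheme that
# turn_shared_secret (Synapse) and static-auth-secret (coturn) implement, written out
# so the two ends can be checked by hand. Assumes openssl and base64 are installed;
# the user id, lifetimes and timestamps are made-up inputs and TURN_SECRET is this
# script's own variable.
set -eu

# HMAC-SHA1 over $2 keyed with $1, hex encoded (handy for checking against a test vector)
hmac_sha1_hex() {
    printf '%s' "$2" | openssl dgst -sha1 -hmac "$1" | sed 's/^.* //'
}

# Synapse side: username is "<expiry unix time>:<matrix user id>"
# $1 user id, $2 lifetime in seconds (turn_user_lifetime), $3 current unix time
turn_username() {
    printf '%s:%s' "$(( $3 + $2 ))" "$1"
}

# Synapse side: password is base64(HMAC-SHA1(shared secret, username)); the pair is
# handed to the client by /_matrix/client/v3/voip/turnServer. $1 secret, $2 username
turn_password() {
    printf '%s' "$2" | openssl dgst -sha1 -hmac "$1" -binary | base64
}

# coturn side, on ALLOCATE: reject an expired username or a password that does not
# recompute under its own static-auth-secret. $1 secret, $2 username, $3 password, $4 now
turn_verify() {
    expiry=${2%%:*}
    case "$expiry" in ''|*[!0-9]*) return 1 ;; esac
    [ "$expiry" -gt "$4" ] || return 1
    [ "$(turn_password "$1" "$2")" = "$3" ]
}

# The coturn client invocation that exercises the relay with minted credentials
# $1 TURN host, $2 username, $3 password
turn_test_command() {
    printf "turnutils_uclient -v -y -p 3478 -u '%s' -w '%s' %s\n" "$2" "$3" "$1"
}

# Usage: TURN_SECRET=<static-auth-secret from turnserver.conf> sh turn-creds.sh
if [ -n "${TURN_SECRET:-}" ]; then
    now=$(date +%s)
    user=$(turn_username "@admin:chat.lservers.ru" 600 "$now")
    pass=$(turn_password "$TURN_SECRET" "$user")
    turn_verify "$TURN_SECRET" "$user" "$pass" "$now"
    turn_test_command chat.lservers.ru "$user" "$pass"
fi
```

Run TURN_SECRET=<value from turnserver.conf> sh turn-creds.sh on the server and execute the printed turnutils_uclient line (coturn ships the tool). An authentication error from the relay means the two secrets disagree; an allocation that succeeds while a real call still carries no media points at the relay port range in the firewall instead.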
Creating the First User
Finally, we can register the first administrator to manage the server.
sudo register_new_matrix_user -c /etc/matrix-synapse/homeserver.yaml http://127.0.0.1:8008 -u your-login -p your-password --admin
The script does not log in as anyone; it authenticates with the registration_shared_secret it reads from the file given to -c. If that setting is absent from your homeserver.yaml (a package-installed one normally carries no secrets), add registration_shared_secret with a fresh openssl rand -hex 32 value to 90-custom.yaml, restart Synapse and pass that file to -c instead, or hand the secret over directly with -k.
Chapter 5. Sealing the Perimeter
Go to the link to your service (https://chat.lservers.ru) and ensure everything works. After that, perform the most important step — close public registration.
For this, set enable_registration to false in /etc/matrix-synapse/conf.d/90-custom.yaml and do the same with enable_registration_without_verification, which has no purpose once registration is closed, then restart Synapse. Further accounts can still be created from the shell with register_new_matrix_user, which relies on registration_shared_secret rather than on public registration.
sudo nano /etc/matrix-synapse/conf.d/90-custom.yaml
# ... change 'true' to 'false' on both enable_registration lines ...
sudo systemctl restart matrix-synapse
Now your citadel is not only working but also securely protected from unwanted guests.
How Not to Do It
This guide was born from real mistakes. I admit: at some point, while working through the file manager, I accidentally erased homeserver.yaml. This triggered a chain of problems that helped develop this bulletproof method. Don't repeat my mistakes, but know how to fix them.
“FileNotFoundError” Error. After accidentally deleting the file, Synapse couldn’t start. The solution — force the config generation with the command ... -m synapse.app.homeserver ... --generate-config.
“Invalid server name 'None'” Error. The generated config turned out to be a template where the server name was not set. Synapse didn’t know what it was.
“trusted_key_servers... must be a list” Error. The same generated config contained empty parameters that caused a failure.
The main lesson. Don't fight the system, understand it. The Synapse package for Debian "wants" the server name in /etc/matrix-synapse/conf.d/server_name.yaml and the remaining settings in other files in that directory. Follow this logic and you get a stable system.
Conclusion
You've built more than just a server. You've built a space where your conversations belong to you alone. The silence you now hear in the air, with no advertising bots and analytics scripts, is the sound of your digital sovereignty.
Take control yourself!