If you've ever tried to build a live streaming app, you know the "0.5-second latency" dream can quickly turn into a firewall nightmare. I recently set up a sub-second latency streaming backend using OvenMediaEngine (OME) on Oracle Cloud, and I'm sharing the exact steps to save you hours of troubleshooting.
The Challenge
Traditional streaming solutions like RTMP deliver video with 20-60 second latency. For interactive applications—live auctions, gaming, webinars, or financial trading—this lag breaks the user experience. WebRTC solves this with sub-second delivery, but the setup is notoriously complex.
The biggest culprits? Firewalls, misconfigured security rules, and incorrect IP configuration in the media server.
The Solution Stack
Our architecture combines industry-standard tools for maximum reliability:
- OBS Studio: Professional RTMP encoder for ingest
- OvenMediaEngine: Lightweight, high-performance media server (container-based)
- Oracle Cloud (Ubuntu 22.04): Reliable cloud infrastructure
- WebRTC: Modern protocol for ultra-low latency delivery
- OvenPlayer SDK: Browser-based playback with automatic quality adjustment
Architecture Overview
[OBS Studio]
|
RTMP (1935)
|
[OvenMediaEngine - Docker Container]
|
├─ WebRTC Signalling (TCP 3333)
└─ Media Streaming (UDP 10000-10005)
|
[Web Browser with OvenPlayer SDK]
Prerequisites
Before we begin, you'll need:
- An Oracle Cloud account (or AWS/GCP/Azure—the steps are similar)
- Ubuntu 22.04 LTS instance (minimum 2 vCPU, 4GB RAM)
- OBS Studio installed locally
- Basic Linux command-line knowledge
- A text editor (nano, vim, or your preference)
Step 1: Prepare the Cloud Instance
Launch an Ubuntu instance on your cloud provider. Before touching the terminal, open the firewall gates in your Cloud Dashboard.
Configure Security Lists (Oracle Cloud)
Navigate to Networking → Virtual Cloud Networks → Security Lists and add these ingress rules:
| Protocol | Port Range | Source CIDR | Purpose |
|---|---|---|---|
| TCP | 1935 | 0.0.0.0/0 | RTMP Ingest from OBS |
| TCP | 3333 | 0.0.0.0/0 | WebRTC Signalling |
| UDP | 10000-10005 | 0.0.0.0/0 | WebRTC Media Streaming |
Critical Setting: Ensure these rules are Stateful (the "Stateless" option must be unchecked). WebRTC relies on connection state tracking. If you enable Stateless mode, the server cannot maintain the connection handshake, and you'll see "Connection terminated unexpectedly" errors.
For AWS Users
In EC2 → Security Groups, add these inbound rules:
Type: Custom TCP Rule | Port: 1935 | CIDR: 0.0.0.0/0
Type: Custom TCP Rule | Port: 3333 | CIDR: 0.0.0.0/0
Type: Custom UDP Rule | Port Range: 10000-10005 | CIDR: 0.0.0.0/0
Step 2: Install Docker and OvenMediaEngine
SSH into your instance and install Docker:
# Update system packages
sudo apt update && sudo apt upgrade -y
# Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
# Add your user to docker group (so you don't need sudo every time)
sudo usermod -aG docker $USER
newgrp docker
# Verify installation
docker --version
Create a persistent directory for OME configuration:
# Create configuration directory
mkdir -p ~/ome/conf
mkdir -p ~/ome/logs
# Get the default configuration from Docker image
docker run --rm -v ~/ome/conf:/opt/ovenmediaengine/conf \
airensoft/ovenmediaengine:latest cp -r /opt/ovenmediaengine/conf/* /opt/ovenmediaengine/conf/
Launch the OvenMediaEngine container:
# Get your public IP address
PUBLIC_IP=$(curl -s https://checkip.amazonaws.com)
echo "Your Public IP: $PUBLIC_IP"
# Run the container with port mappings
docker run -d \
--name ome \
-p 1935:1935 \
-p 3333:3333 \
-p 10000-10005:10000-10005/udp \
-e OME_HOST_IP=$PUBLIC_IP \
-v ~/ome/conf:/opt/ovenmediaengine/conf \
-v ~/ome/logs:/opt/ovenmediaengine/logs \
--restart unless-stopped \
airensoft/ovenmediaengine:latest
Verify the container is running:
docker ps | grep ome
docker logs -f ome # View real-time logs (Ctrl+C to exit)
The environment variable OME_HOST_IP is crucial—it tells the media server which IP address to advertise to clients. This prevents the infamous "Connection terminated unexpectedly" error caused by broadcasting internal Docker IPs.
Step 3: Configure the Magic IP Settings
This is where 90% of people get stuck. OvenMediaEngine must know which external IP to advertise to browsers.
Edit Server.xml
nano ~/ome/conf/Server.xml
Find the <IceCandidates> section (there should be two—one in <Providers> and one in <Publishers>). Update both sections:
<IceCandidates>
<IceCandidate>$YOUR_PUBLIC_IP:10000-10005/udp</IceCandidate>
<TcpRelay>$YOUR_PUBLIC_IP:3478</TcpRelay>
<TcpForce>false</TcpForce>
</IceCandidates>
Replace $YOUR_PUBLIC_IP with your actual public IP (e.g., 203.0.113.45).
Common Mistake: Leaving the default 127.0.0.1 or localhost in this section. The browser has no idea how to reach localhost on the server—it needs the public IP!
Also, ensure the <Applications> section has both <Provider> (for OBS ingest) and <Publisher> (for playback):
<Application>
<Name>app</Name>
<Type>live</Type>
<Provider>
<Type>rtmp</Type>
<Properties>
<Port>1935</Port>
</Properties>
</Provider>
<Publisher>
<Type>webrtc</Type>
<Properties>
<Port>3333</Port>
</Properties>
</Publisher>
</Application>
Restart the container to apply changes:
docker restart ome
docker logs -f ome
Step 4: Disable Ubuntu's Internal Firewall
The cloud dashboard isn't enough. Ubuntu's iptables often blocks UDP traffic by default. Force the ports open with highest priority rules:
# Add rules at the TOP of the INPUT chain (priority -I 1)
sudo iptables -I INPUT 1 -p tcp --dport 1935 -j ACCEPT
sudo iptables -I INPUT 1 -p tcp --dport 3333 -j ACCEPT
sudo iptables -I INPUT 1 -p udp --dport 10000:10005 -j ACCEPT
# Save rules persistently
sudo apt install -y iptables-persistent
sudo netfilter-persistent save
# Verify rules are in place
sudo iptables -L -n | grep -E "1935|3333|10000"
Test connectivity from your local machine:
# Test RTMP port
nc -zv YOUR_PUBLIC_IP 1935
# Test WebRTC signalling port
nc -zv YOUR_PUBLIC_IP 3333
# Test UDP media ports (may show connection refused, which is OK for UDP)
nc -uz YOUR_PUBLIC_IP 10001
Step 5: Configure OBS Studio
Open OBS Studio on your local machine and configure the stream settings:
- Settings → Stream
- Service: Custom
-
Server:
rtmp://YOUR_PUBLIC_IP/app -
Stream Key:
test(or any identifier you want)
Configure output settings:
- Settings → Output → Streaming
- Encoder: libx264 or NVIDIA NVENC (if available)
- Bitrate: 4000 Kbps (adjust based on your internet)
- Keyframe Interval: 2 seconds
- Settings → Audio
- Sample Rate: 48kHz (WebRTC is strict about this!)
- Audio Codec: AAC (not Opus)
Click Start Streaming. You should see New connection from in the OME logs.
Pro Tip: For ultra-low latency, use a hardware encoder (NVIDIA NVENC or Intel Quick Sync). Software encoding introduces 100-200ms of extra latency.
Step 6: Build the Frontend Player
Create an HTML page with the OvenPlayer SDK to view your stream. Since we're using HTTP (not HTTPS), use the ws:// protocol:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Ultra-Low Latency Stream Viewer</title>
<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/ovenplayer@latest/dist/ovenplayer.css">
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
body {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, sans-serif;
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
padding: 20px;
}
.container {
width: 100%;
max-width: 1200px;
background: white;
border-radius: 12px;
overflow: hidden;
box-shadow: 0 20px 60px rgba(0,0,0,0.3);
}
.header {
background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
color: white;
padding: 20px;
text-align: center;
}
.header h1 {
font-size: 28px;
margin-bottom: 5px;
}
.header p {
opacity: 0.9;
font-size: 14px;
}
.player-wrapper {
position: relative;
width: 100%;
padding-bottom: 56.25%; /* 16:9 aspect ratio */
background: #000;
}
#player {
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
}
.info {
padding: 20px;
background: #f8f9fa;
border-top: 1px solid #e9ecef;
}
.info h2 {
font-size: 18px;
margin-bottom: 10px;
color: #333;
}
.stats {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(200px, 1fr));
gap: 15px;
margin-bottom: 15px;
}
.stat {
background: white;
padding: 12px;
border-radius: 6px;
border-left: 4px solid #667eea;
}
.stat-label {
font-size: 12px;
color: #666;
text-transform: uppercase;
margin-bottom: 5px;
}
.stat-value {
font-size: 16px;
font-weight: bold;
color: #333;
}
.status-indicator {
display: inline-block;
width: 12px;
height: 12px;
border-radius: 50%;
background: #dc3545;
margin-right: 8px;
animation: pulse 2s infinite;
}
.status-indicator.live {
background: #28a745;
animation: pulse 1s infinite;
}
@keyframes pulse {
0% { opacity: 1; }
50% { opacity: 0.5; }
100% { opacity: 1; }
}
</style>
</head>
<body>
<div class="container">
<div class="header">
<h1>🎬 Ultra-Low Latency Stream</h1>
<p>Powered by OvenMediaEngine & WebRTC</p>
</div>
<div class="player-wrapper">
<div id="player"></div>
</div>
<div class="info">
<h2>
<span class="status-indicator" id="statusIndicator"></span>
Stream Status
</h2>
<div class="stats">
<div class="stat">
<div class="stat-label">Latency</div>
<div class="stat-value" id="latency">— ms</div>
</div>
<div class="stat">
<div class="stat-label">Bitrate</div>
<div class="stat-value" id="bitrate">— kbps</div>
</div>
<div class="stat">
<div class="stat-label">Resolution</div>
<div class="stat-value" id="resolution">— </div>
</div>
<div class="stat">
<div class="stat-label">Connection State</div>
<div class="stat-value" id="state">Connecting...</div>
</div>
</div>
</div>
</div>
<script src="https://cdn.jsdelivr.net/npm/ovenplayer@latest/dist/ovenplayer.js"></script>
<script>
// Replace with your PUBLIC IP
const PUBLIC_IP = 'YOUR_PUBLIC_IP'; // e.g., '203.0.113.45'
const STREAM_URL = `ws://${PUBLIC_IP}:3333/app/test`;
console.log('🔗 Connecting to:', STREAM_URL);
const player = OvenPlayer.create('player', {
controls: true,
autoplay: true,
mute: false,
sources: [
{
type: 'webrtc',
file: STREAM_URL
}
]
});
// Update status and stats
player.on('statechanged', (state) => {
console.log('📊 State changed:', state);
const stateText = state.toString();
document.getElementById('state').textContent = stateText;
if (stateText === 'Playing') {
document.getElementById('statusIndicator').classList.add('live');
document.getElementById('statusIndicator').textContent = '●';
} else {
document.getElementById('statusIndicator').classList.remove('live');
}
});
player.on('error', (error) => {
console.error('❌ Player error:', error);
document.getElementById('state').textContent = 'Error: ' + error.message;
});
// Attempt to extract stats (varies by browser)
setInterval(() => {
const stats = player.getStats();
if (stats) {
if (stats.latency) {
document.getElementById('latency').textContent = Math.round(stats.latency) + ' ms';
}
if (stats.bitrate) {
document.getElementById('bitrate').textContent = Math.round(stats.bitrate / 1000) + ' kbps';
}
if (stats.resolution) {
document.getElementById('resolution').textContent = stats.resolution.width + 'x' + stats.resolution.height;
}
}
}, 1000);
</script>
</body>
</html>
Save this as stream-player.html and open it in a browser. Replace YOUR_PUBLIC_IP with your actual public IP address.
Step 7: Enable HTTPS for Production
For production deployments, you'll want HTTPS. Use Let's Encrypt and Certbot:
# Install Certbot
sudo apt install -y certbot python3-certbot-nginx
# Obtain a certificate (requires a domain name)
sudo certbot certonly --standalone -d your-domain.com
# Update your frontend to use WSS (WebSocket Secure)
# Change: ws://YOUR_PUBLIC_IP:3333/app/test
# To: wss://your-domain.com:3333/app/test
Update OME's configuration to use TLS:
<Publisher>
<Type>webrtc</Type>
<Properties>
<Port>3333</Port>
<Tls>
<CertPath>/opt/ovenmediaengine/certs/certificate.crt</CertPath>
<KeyPath>/opt/ovenmediaengine/certs/private.key</KeyPath>
</Tls>
</Properties>
</Publisher>
Troubleshooting "Error 511: Connection terminated unexpectedly"
Diagnosis
If your player shows "Error 511" or logs show New client connected followed immediately by Client disconnected, check these in order:
1. Verify UDP Port Range
# Check if UDP ports are open
sudo netstat -uln | grep -E "10000|10001|10002|10003|10004|10005"
# If missing, re-add the iptables rules
sudo iptables -I INPUT 1 -p udp --dport 10000:10005 -j ACCEPT
sudo netfilter-persistent save
2. Check Cloud Security Rules
- Oracle Cloud: Ensure the rule is NOT Stateless
- AWS: Ensure the security group rule is present and doesn't have a restrictive source CIDR
- GCP: Check the firewall rules in VPC Network → Firewall
Test from your local machine:
# Test if UDP port responds
echo "test" | nc -u YOUR_PUBLIC_IP 10001
3. Verify Server.xml Configuration
# Check if the correct IP is in Server.xml
grep -A 3 "IceCandidates" ~/ome/conf/Server.xml
# Should show your PUBLIC IP, not 127.0.0.1 or internal IP
4. Check for Mixed Content Issues
If your website is HTTPS, your stream URL must be WSS (WebSocket Secure):
// ❌ Wrong (HTTPS page + WS stream)
file: 'ws://YOUR_PUBLIC_IP:3333/app/test'
// ✅ Correct (HTTPS page + WSS stream)
file: 'wss://your-domain.com:3333/app/test'
5. Monitor Real-Time Logs
docker logs -f ome | grep -E "New client|disconnected|error|failed"
Performance Optimization
Reduce Latency Further
-
Set Keyframe Interval to 1 second in OBS
- Settings → Output → Advanced → Keyframe Interval = 1
-
Enable Hardware Encoding
- NVIDIA NVENC is 100ms faster than libx264
- Settings → Output → Encoder → NVIDIA NVENC H.264
-
Increase Media Port Range
- If you have high concurrent viewers, expand the UDP range from 10000-10005 to 10000-10099
- Update Security Rules, iptables, and Server.xml accordingly
Memory & CPU Usage
Check OME container resource usage:
docker stats ome
# Monitor over time
docker stats ome --no-stream
If CPU exceeds 80%, consider:
- Reducing input bitrate
- Using hardware transcoding
- Scaling to multiple OME instances
Monitoring & Logging
Enable Detailed Logging
Edit ~/ome/conf/Logger.xml:
<Logger version="2">
<LogPath>./logs/</LogPath>
<LogLevel>debug</LogLevel>
<LogToPipe>
<Conn_Monitoring>debug</Conn_Monitoring>
<HTTP>debug</HTTP>
<RTMP>debug</RTMP>
<WEBRTC>debug</WEBRTC>
</LogToPipe>
</Logger>
Restart the container:
docker restart ome
docker logs ome | tail -50
Set Up Log Rotation
sudo tee /etc/logrotate.d/ome > /dev/null <<EOF
/home/$(whoami)/ome/logs/*.log {
daily
rotate 7
compress
missingok
notifempty
create 0640 $(whoami) $(whoami)
}
EOF
Deployment Checklist
Before going live:
- [ ] Cloud security rules are configured and NOT stateless
- [ ] iptables rules are applied and saved
- [ ] OME container is running and public IP is in Server.xml
- [ ] OBS can successfully stream to RTMP endpoint
- [ ] WebRTC player connects without Error 511
- [ ] Latency is under 2 seconds
- [ ] HTTPS/WSS is configured for production
- [ ] Monitoring and logging are enabled
- [ ] Backup and restore procedures documented
Production Use Cases
This setup powers:
- Live Auctions: Sub-second latency for real-time bidding
- Gaming Platforms: Competitive gaming with minimal delay
- Financial Trading: Real-time market data streaming
- Interactive Webinars: Q&A with negligible latency
- Live Sports Betting: Same-game betting during broadcasts
- Telemedicine: Live surgical procedures and consultations
Next Steps
- Scale horizontally: Deploy multiple OME instances behind a load balancer for high concurrency
- Add authentication: Implement token-based stream access control
- Enable recording: Configure OME to record streams to disk
- Set up SRT failover: Add Secondary RTMP input for redundancy
- Implement adaptive bitrate: Configure CMAF packaging for multi-quality delivery
Resources & Further Reading
- OvenMediaEngine Official Documentation
- WebRTC Best Practices
- OvenPlayer SDK
- OBS Studio Documentation
Conclusion
You've just built a professional-grade streaming infrastructure capable of sub-second latency delivery. This is production-ready code used by companies streaming millions of concurrent viewers.
The key takeaways:
- Security rules must be stateful (the #1 mistake)
- Server.xml needs your public IP (not localhost)
- UDP ports are critical (often forgotten)
- Test connectivity at every layer (cloud → OS → container → player)
From here, you can build interactive experiences that were impossible with traditional RTMP. The future of live streaming is here.
Happy streaming! 🎬
Have feedback? Share your setup in the comments. Did you hit any snags I didn't cover? What use case are you building for?
Common Errors & Solutions
Error: "docker: command not found"
# Docker not installed or not in PATH
curl -fsSL https://get.docker.com -o get-docker.sh
sudo sh get-docker.sh
Error: "Connection refused" on port 1935
# RTMP port not open in cloud security rules
# Add TCP 1935 to your cloud provider's security list
# Then restart OME
docker restart ome
Error: "Cannot connect to Docker daemon"
# Docker not running or permission denied
sudo systemctl start docker
sudo usermod -aG docker $USER
# Log out and back in
Latency exceeding 2 seconds
# Check keyframe interval in OBS (should be 1-2 seconds)
# Verify no packet loss: mtr YOUR_PUBLIC_IP
# Check OME CPU usage: docker stats ome
OBS connection drops randomly
# Check OME logs for errors
docker logs ome | grep -i "error\|exception"
# Restart the container
docker restart ome
# Check if iptables rules are persisted
sudo netfilter-persistent save
OME Version: Latest (pull latest from Docker Hub)
Tested On: Ubuntu 22.04 LTS, Oracle Cloud VM.Standard.E4.Flex
Top comments (0)