How to run VICIdial on Hetzner Cloud

Hetzner Cloud is one of the cheapest places to run a VICIdial box, and it works fine for a single dialer. You rent a virtual private server, give it a real public IPv4, open the right ports, and install Ubuntu plus Asterisk and the dialer on top. The catch is in the network layer, not the hardware. Get the firewall and the audio path right and the rest is routine.

Pick the instance type

Hetzner sells three relevant families. CX are shared Intel vCPUs and the budget option. CPX are shared AMD with more clock headroom. CCX are dedicated vCPUs with no noisy-neighbor jitter, which matters once you carry a few dozen concurrent calls. For a small campaign a CPX31 (4 vCPU, 8 GB) is a sane start; for 50-plus agents move to a CCX. VICIdial wants real CPU for transcoding when your Codec mix forces conversion. If your Carrier hands you G.729 codec and your agents use a different codec, every leg gets transcoded and CPU climbs fast.

You need a public IPv4

VICIdial is a telephony server, not a web app behind a load balancer. It must be reachable by a routable address so your SIP trunk can register or send INVITEs to it, and so media flows back. At order time tick the IPv4 box; Hetzner gives every Cloud server a primary IPv4 by default, but confirm it before you build. Without a public address SIP (Session Initiation Protocol) signaling will not complete and you will chase one-way-audio ghosts that were never going to work. The public-IP requirement is the single most common reason a cloud dialer never makes a call.

Open SIP and the RTP range

Hetzner Cloud has its own stateful firewall you attach to the server. By default it blocks inbound. You must allow your SIP signaling port (UDP 5060, or your TLS port) and the whole RTP media range. Asterisk uses UDP 10000-20000 for audio out of the box, and every one of those ports has to be open inbound, scoped to your carrier's IPs where you can. Lock SIP to known carrier and agent addresses; an open 5060 to the whole internet invites credential-stuffing within hours.

flowchart LR
  Carrier[SIP carrier] -->|UDP 5060 SIP| FW[Hetzner firewall]
  FW -->|allow signaling| VD[VICIdial box]
  Carrier -->|UDP 10000-20000 RTP| FW
  FW -->|allow media| VD
  VD -->|audio| Agent[Agent softphone]

NAT and audio

A Hetzner Cloud server sees its public IP directly on the interface in most setups, so heavy NAT traversal gymnastics are usually unnecessary. Still set externip and localnet in Asterisk to the public address so SDP advertises the right media IP. Skip that and the SIP packets say connect here while pointing at a private address the carrier cannot reach. The symptom is the call connects, both sides answer, and nobody hears anything. That is the classic NAT audio fault, and we cover it in depth in our cloud NAT audio guide.

Backups with snapshots

Hetzner takes a Server snapshot of the whole disk on demand, which captures your config, dialplan, and database state in one image. Schedule one before any upgrade. A full snapshot can take five to fifteen minutes to create depending on disk size, so do not treat it as instant rollback during a live shift. Recordings live on the same disk by default; move them off if retention matters.

The honest time cost

Doing this by hand is a real afternoon. Provision the VPS, harden SSH, build VICIdial from source or run an installer, set up the firewall, wire TLS, and test a call. None of it is hard, but it adds up, and the security hardening is the part people skip and regret. The cloud part of this is covered end to end in our VICIdial in the cloud guide. We provision on Hetzner ourselves, and Provisioning a fully secured, Single tenant box takes us under 40 seconds. You still get root SSH and bring your own carrier. See pricing if you would rather skip the afternoon.