Open UDP port 64738 in a Hetzner firewall (Mumble)
Mumble voice uses UDP 64738 by default. On Hetzner Cloud you typically have two controls: a Cloud Firewall (Hetzner panel) and a host firewall (often UFW). If either one blocks UDP 64738, the server will look “offline”.
If you’re new to VPS security, start with our Ubuntu VPS hardening checklist.
Step 1: confirm Mumble is running and listening
On the server:
sudo systemctl status mumble-server.service --no-pager
# Show listening sockets (UDP/TCP)
ss -lunpt | grep -E '(:64738\b|mumble)' || trueIf nothing is listening on UDP 64738, fix that before touching firewalls.
Step 2: Hetzner Cloud Firewall rule (inbound)
In Hetzner Cloud: go to Firewalls (or the firewall attached to your server) and add an inbound rule.
Recommended inbound rules:
- UDP port 64738 from
0.0.0.0/0(and::/0if using IPv6) - (Optional) TCP port 64738 as fallback
If you can restrict sources to known IPs, do it. If you can’t (mobile users, travel), keep it open but ensure the server is invite-only and not publicly listed.
Step 3: UFW rule (host firewall)
If you use UFW on Ubuntu/Debian:
sudo ufw status verbose
# Allow Mumble
sudo ufw allow 64738/udp
sudo ufw allow 64738/tcp
sudo ufw statusStep 4: verify from the outside
UDP is harder to “probe” than TCP, so don’t rely on a single test. Use multiple signals:
- Your Mumble client can connect and stays connected
ss -lunpshows the server listening- Server logs show connection attempts
If you need a structured debug flow, use: Mumble server not reachable (UDP blocked) — fix checklist.
Common mistakes
- Only opening UFW but forgetting the Hetzner firewall (or vice versa).
- Opening TCP 64738 but forgetting UDP 64738.
- Firewall not attached to the correct server.
- IPv6 is enabled and blocked (or clients try IPv6 first).
Want this handled as applied infrastructure?
SecureVoice can provision Mumble, align cloud + host firewalls, and deliver a short onboarding pack.