09.10.2024

How to Install TeamSpeak Server on a VPS (Ubuntu/CentOS Guide)

TeamSpeak is a self-hosted, low-latency voice communication platform that runs as a standalone server daemon on Linux. Installing it on a VPS gives you complete administrative control over channels, permissions, codecs, and security policies — without relying on third-party infrastructure or usage caps.

This guide covers the full installation of TeamSpeak 3 Server on Ubuntu (with notes for CentOS/RHEL variants), including user isolation, systemd service configuration, admin password hardening, and client connection. Every command is production-ready and tested on a clean 22.04 LTS environment.

Why Self-Host TeamSpeak on a VPS

Commercial voice platforms like Discord impose data retention policies, algorithmic moderation, and rate limits that organizations cannot override. A self-hosted TeamSpeak instance eliminates those constraints entirely. You control:

  • Codec quality (Opus Voice, Opus Music) and per-channel bitrate
  • Permission system with granular server group and channel group ACLs
  • Encryption via TLS for signaling and optional voice encryption
  • Data residency — your voice traffic never transits a third-party relay
  • Uptime SLA — tied directly to your VPS provider, not a shared cloud service

For gaming clans, esports organizations, remote development teams, and corporate communications, this translates to measurable reliability and compliance advantages.

Minimum System Requirements

TeamSpeak 3 Server is exceptionally lightweight. The following specifications support approximately 50–100 concurrent users without audio quality degradation:

| Resource | Minimum | Recommended (100+ users) |
|---|---|---|
| CPU Cores | 1 vCPU | 2 vCPU |
| RAM | 512 MB | 1 GB |
| Disk Space | 1 GB | 5 GB (logs + DB) |
| Network | 10 Mbps | 100 Mbps |
| OS | Ubuntu 20.04+ / CentOS 7+ | Ubuntu 22.04 LTS |
| Architecture | x86_64 (amd64) | x86_64 (amd64) |

A VPS Hosting plan with 1 vCPU and 512 MB RAM is sufficient for a small community. Scale vertically as your concurrent user count grows.

Key ports to open on your firewall:

  • `9987/UDP` — voice data (default)
  • `10011/TCP` — ServerQuery (raw or SSH)
  • `30033/TCP` — file transfer

Step 1: Prepare the Server

Connect to your VPS as root:

```bash
ssh root@your_server_ip -p your_ssh_port
```

Update all system packages to eliminate known vulnerabilities before introducing new software:

```bash
sudo apt update && sudo apt upgrade -y
```

Install `bzip2`, which is required to extract the TeamSpeak archive:

```bash
sudo apt install bzip2 -y
```

On CentOS/AlmaLinux/Rocky Linux, replace the above with:

```bash
sudo dnf update -y && sudo dnf install bzip2 wget -y
```

Step 2: Create a Dedicated System User

Running TeamSpeak as root is a critical security mistake. If the process is ever exploited, an attacker gains immediate root access to the entire host. Always isolate it under a non-privileged user:

```bash
sudo adduser teamspeak
```

Follow the prompts to set a password. This user will own all TeamSpeak binaries, configuration files, and the SQLite database.

> Security note: For hardened environments, consider creating the user with `--disabled-login` and using `sudo -u teamspeak` for all operations, preventing interactive shell access entirely.

Step 3: Download and Extract the TeamSpeak Server Binary

Switch to the `teamspeak` user context:

```bash
sudo su - teamspeak
```

Download the latest stable TeamSpeak 3 Server release for 64-bit Linux. Always verify the current version number at the official TeamSpeak downloads page before running this command, as the version string changes with each release:

```bash
wget https://files.teamspeak-services.com/releases/server/3.13.7/teamspeak3-server_linux_amd64-3.13.7.tar.bz2 -O teamspeak-server.tar.bz2
```

Extract the archive and strip the top-level directory so all files land directly in the current working directory (`/home/teamspeak/`):

```bash
tar xvfj teamspeak-server.tar.bz2 --strip-components 1
```
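
Added example (not part of the original guide): the download step above fetches the archive without checking its integrity. The functions below compare the file against the SHA-256 digest published for the release and extract only on a match; the function names and the `<published-sha256>` placeholder are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide or from TeamSpeak.
# Function names are illustrative; the expected digest must be copied by the
# operator from the vendor's release page (no real digest is embedded here).

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on bad input.
verify_sha256() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')     # accept upper-case hex
    case $expected in
        ''|*[!0-9a-f]*) echo "digest is not hexadecimal" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "digest must be 64 hex characters" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }

    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
}

# safe_extract ARCHIVE EXPECTED_HEX DEST_DIR
# Extracts only after the digest check passes, so a corrupted or substituted
# archive never reaches tar.
safe_extract() {
    verify_sha256 "$1" "$2" || return $?
    tar -xjf "$1" --strip-components 1 -C "$3"
}

# Usage, run as the teamspeak user in /home/teamspeak:
#   safe_extract teamspeak-server.tar.bz2 '<published-sha256>' "$HOME"
```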

Accept the TeamSpeak license agreement by creating the required marker file. The server daemon will refuse to start without it:

```bash
touch ~/.ts3server_license_accepted
```

Return to the root user:

```bash
exit
```

Step 4: Create a systemd Service Unit

Managing TeamSpeak via systemd ensures the process restarts automatically after a reboot or crash, integrates with `journald` for centralized logging, and respects proper dependency ordering during boot.

Open a new service unit file:

```bash
nano /etc/systemd/system/teamspeak.service
```

Paste the following complete unit configuration:

```ini
[Unit]
Description=TeamSpeak 3 Server
After=network.target

[Service]
WorkingDirectory=/home/teamspeak/
User=teamspeak
Group=teamspeak
Type=forking
ExecStart=/home/teamspeak/ts3server_startscript.sh start inifile=ts3server.ini
ExecStop=/home/teamspeak/ts3server_startscript.sh stop
PIDFile=/home/teamspeak/ts3server.pid
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target
```

Key directives explained:

  • `After=network.target` — prevents startup before the network stack is ready, avoiding bind failures on `9987/UDP`
  • `Type=forking` — correct for the TeamSpeak start script, which forks a background process
  • `Restart=on-failure` — automatically recovers from unexpected crashes without manual intervention
  • `RestartSec=10s` — adds a brief delay before restart attempts to prevent rapid crash loops

Save the file (`Ctrl+S`, then `Ctrl+X`), then reload the systemd daemon to register the new unit:

```bash
systemctl daemon-reload
```

Enable the service to start at boot and start it immediately:

```bash
systemctl enable --now teamspeak
```

Verify the service is active and running:

```bash
systemctl status teamspeak
```

Expected output includes `Active: active (running)` with a valid PID. If the status shows `failed`, inspect the logs immediately:

```bash
journalctl -u teamspeak -n 50 --no-pager
```

Step 5: Retrieve the Admin Privilege Key (Token)

When TeamSpeak Server starts for the first time, it generates a privilege key (token) in its log files. This token grants the first connecting client full server administrator rights. You must retrieve it before anyone else connects.

```bash
grep -i token /home/teamspeak/logs/*
```

The output will contain a line similar to:

```
token=q1a2b3c4d5e6f7g8h9i0jKLMNOPQRSTUVWXYZ
```

Copy this token. When you connect via the TeamSpeak client for the first time, you will be prompted to enter it. Doing so elevates your client to the `Server Admin` server group.

> Critical: This token is single-use and is consumed upon first redemption. If you lose it before using it, you must set a new admin password manually (see Step 6). Store it securely.

Step 6: Set or Reset the ServerAdmin Password

The `serveradmin` account is used for ServerQuery access — a raw TCP or SSH interface that allows scripted administration, bot integration, and remote management tools like YaTQA or ts3admin.

To set or reset this password, you must temporarily stop the service, start the server binary directly with the password argument, then stop it again and restart via systemd:

```bash
systemctl stop teamspeak.service
```

Switch to the teamspeak user and set the password:

```bash
su - teamspeak
./ts3server_startscript.sh start serveradmin_password=YourStrongPassword
```

Wait for the server to fully initialize (watch for `TeamSpeak 3 Server started successfully` in the output), then stop it:

```bash
./ts3server_startscript.sh stop
exit
```

Restart the managed service:

```bash
systemctl start teamspeak.service
```

Password requirements: Use a minimum of 16 characters with mixed case, numbers, and symbols. The ServerQuery interface is exposed on TCP port `10011` and is a common brute-force target if left with a weak password.

Step 7: Configure the Firewall

If `ufw` is active on your server, open the required ports:

```bash
ufw allow 9987/udp comment "TeamSpeak voice"
ufw allow 10011/tcp comment "TeamSpeak ServerQuery"
ufw allow 30033/tcp comment "TeamSpeak file transfer"
ufw reload
```

For `firewalld` (CentOS/AlmaLinux):

```bash
firewall-cmd --permanent --add-port=9987/udp
firewall-cmd --permanent --add-port=10011/tcp
firewall-cmd --permanent --add-port=30033/tcp
firewall-cmd --reload
```

> Hardening tip: If you do not need public ServerQuery access, restrict port `10011` to specific management IPs only. Exposing it publicly is unnecessary for standard voice server operation.

Step 8: Connect from the TeamSpeak Client

  1. Download and install the TeamSpeak 3 Client for your desktop OS (Windows, macOS, Linux).
  2. Open the client and navigate to Connections > Connect.
  3. Enter your VPS IP address as the Server Nickname or Address.
  4. Leave the port as `9987` unless you changed it in `ts3server.ini`.
  5. On first connection, the client will prompt you to enter the privilege key (token). Paste the token retrieved in Step 5.
  6. Your client is now the server administrator.

Optional: Use the Automated Installation Script

For rapid deployment, AlexHost provides an automated installation script that handles dependency installation, user creation, binary download, and service configuration in a single execution:

```bash
ssh root@your_server_ip -p your_ssh_port
wget https://bill.alexhost.com/downloads/teamspeak_install.sh
chmod +x teamspeak_install.sh
./teamspeak_install.sh
```

Review the script contents before executing it to understand what changes it makes to your system. Automated scripts are convenient but should never be run blindly on production infrastructure.

TeamSpeak vs. Alternatives: Self-Hosted Voice Platforms

| Feature | TeamSpeak 3 | Mumble | Discord (cloud) |
|---|---|---|---|
| Self-hosted | Yes | Yes | No |
| RAM usage (idle) | ~30 MB | ~15 MB | N/A |
| Latency | Very low | Very low | Low–Medium |
| Encryption | TLS (signaling) | DTLS + SRTP | Proprietary |
| Permission system | Advanced ACL | Moderate | Role-based |
| Client availability | Win/Mac/Linux/Mobile | Win/Mac/Linux | Win/Mac/Linux/Mobile |
| License (server) | Free up to 32 slots | Open source | N/A |
| Codec | Opus | Opus/CELT | Opus |
| ServerQuery API | Yes (TCP/SSH) | No | REST API only |

TeamSpeak's ServerQuery API is a significant differentiator for organizations that need programmatic server management — automated channel creation, bot integration, or CI/CD-triggered permission changes.

Common Installation Issues and Fixes

Server fails to start — "Could not bind to port 9987"

Another process is using UDP 9987, or the service started before the network was ready. Check with `ss -ulnp | grep 9987` and verify the `After=network.target` directive is present in your service unit.

License file not found error

The `.ts3server_license_accepted` file must exist in the home directory of the user running the process (`/home/teamspeak/`). Confirm with `ls -la /home/teamspeak/.ts3server_license_accepted`.

Token not found in logs

The log directory defaults to `/home/teamspeak/logs/`. If you extracted the archive to a different path, adjust the grep command accordingly. Tokens only appear in the log from the first-ever startup — if the database already exists, no new token is generated.

ServerQuery connection refused

Confirm port `10011/TCP` is open in your firewall and that the server process is running. Test locally with `telnet 127.0.0.1 10011` — a successful connection returns a `TS3` banner.

High CPU usage with many users

TeamSpeak is single-threaded for voice mixing. If you exceed ~200 concurrent users on a single virtual server instance, consider deploying multiple virtual servers or upgrading to a Dedicated Servers plan for guaranteed CPU clock speed and no noisy-neighbor contention.

Securing Your TeamSpeak Deployment

Beyond the user isolation and firewall rules covered above, apply these hardening measures:

  • Change default ports in `ts3server.ini` to reduce automated scanning exposure. Update firewall rules accordingly.
  • Restrict ServerQuery (`10011/TCP`) to management IPs using firewall source filtering.
  • Enable SSH key authentication on your VPS and disable password-based root login. See your VPS control panel for SSH key management options.
  • Monitor logs via `journalctl -u teamspeak -f` for unusual connection patterns or repeated ServerQuery authentication failures.
  • Regular backups of `/home/teamspeak/ts3server.sqlitedb` — this file contains all channel configurations, server groups, permissions, and client identities. Losing it means rebuilding your entire server structure from scratch.
  • Keep the binary updated. TeamSpeak releases security patches periodically. Subscribe to their release announcements and repeat Steps 3–4 with the new version tarball when updates are available.
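
Added example (not part of the original guide): one way to check the ServerQuery restriction recommended in the Step 7 hardening tip and in the list above. It reads `ss -H -tln` output, reports listeners on the ServerQuery port that are not loopback-only, and prints (without running) `ufw` rules limited to management sources. The function names, the sample socket lines and the documentation-range addresses `203.0.113.10` and `198.51.100.0/24` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Nothing here changes the firewall:
# allowlist_cmds only prints commands for an operator to review.

# exposed_listeners PORT: read `ss -H -tln` output (TCP only, no header) on
# stdin and print every listening address for PORT that is not loopback-only.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            n = match(addr, /:[0-9]+$/)            # last colon separates host and port
            if (n == 0 || substr(addr, n + 1) != port) next
            host = substr(addr, 1, n - 1)
            sub(/%.*$/, "", host)                   # drop interface scope (%eth0)
            gsub(/^\[|\]$/, "", host)               # unwrap [ipv6] literals
            if (host ~ /^127\./ || host == "::1" || host ~ /^::ffff:127\./) next
            print addr
        }'
}

# allowlist_cmds PORT SRC...: print the ufw commands that replace the open
# rule from Step 7 with one rule per management source address or CIDR.
allowlist_cmds() {
    local port=$1 src
    shift
    echo "ufw delete allow ${port}/tcp"
    for src in "$@"; do
        echo "ufw allow from ${src} to any port ${port} proto tcp comment 'TeamSpeak ServerQuery (mgmt)'"
    done
}

# Constructed sample of `ss -H -tln` output; on a live host use: ss -H -tln
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:10011 0.0.0.0:*
LISTEN 0 128 [::]:10011 [::]:*
LISTEN 0 128 0.0.0.0:30033 0.0.0.0:*'

if [ -n "$(printf '%s\n' "$SAMPLE_SS" | exposed_listeners 10011)" ]; then
    echo "ServerQuery listens beyond loopback; rules to review:"
    allowlist_cmds 10011 203.0.113.10 198.51.100.0/24   # placeholder sources
fi
```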

If you manage multiple services on the same VPS, consider pairing your TeamSpeak instance with a VPS Control Panels solution to streamline service management, monitoring, and scheduled tasks from a unified interface.

Decision Matrix: Is This Setup Right for You?

| Scenario | Recommended Action |
|---|---|
| Under 32 concurrent users, gaming community | Entry-level VPS, TeamSpeak free license |
| 32–512 concurrent users, organization | TeamSpeak license upgrade + 2–4 vCPU VPS |
| Need full hardware isolation, 500+ users | Dedicated server, multiple virtual server instances |
| Want managed panel + TeamSpeak | VPS with cPanel or DirectAdmin |
| Require low-latency EU/US routing | Choose VPS datacenter location closest to users |
| Need companion web presence | Add [Shared Web Hosting](https://alexhost.com/shared-hosting/) or subdomain on same VPS |
| Require custom domain for server address | [Domain Registration](https://alexhost.com/domains/) + DNS A record pointing to VPS IP |

Technical Key Takeaways

  • Always run TeamSpeak under a dedicated non-root user. This is non-negotiable for any internet-facing service.
  • The `.ts3server_license_accepted` marker file must exist before the daemon will start; its absence is a common first-boot failure point.
  • Use `Type=forking` in the systemd unit, not `Type=simple`. The start script forks a background process; `simple` will cause systemd to mistrack the PID.
  • Retrieve the privilege key token from logs immediately after the first start. It is consumed on first use and cannot be regenerated without a manual password reset procedure.
  • Port `9987/UDP` is the only port required for basic voice operation. `10011/TCP` and `30033/TCP` are optional depending on your use case.
  • Back up `ts3server.sqlitedb` on a schedule. All server configuration lives in this single file.
  • For production deployments, restrict ServerQuery to localhost or a management VLAN — never expose it publicly without IP allowlisting.

Frequently Asked Questions

What is the maximum number of users on a free TeamSpeak server license?

The free non-profit license supports up to 32 simultaneous slots. For larger deployments, TeamSpeak offers annual licenses for 64, 128, 256, or 512 slots, as well as an unlimited-slot "Activation License" for qualifying organizations.

Can I run TeamSpeak Server on a 512 MB RAM VPS?

Yes. The TeamSpeak 3 Server daemon consumes approximately 25–40 MB of RAM at idle and scales modestly with concurrent users. A 512 MB VPS is sufficient for communities under 50 simultaneous users, with comfortable headroom for the OS and system processes.

How do I update TeamSpeak Server without losing my configuration?

Stop the service with `systemctl stop teamspeak`, download the new version tarball as the `teamspeak` user, extract it with `--strip-components 1` into the same directory (overwriting only the binaries), then restart the service. The `ts3server.sqlitedb` database and `ts3server.ini` configuration file are not overwritten by this process.

Why is my TeamSpeak server not visible in the public server list?

By default, TeamSpeak servers do not register with the public server list. To enable listing, set `machine_id=` and configure `serverip` in `ts3server.ini`, then enable the public listing option via ServerQuery or the client's server administration panel. Ensure UDP port `9987` is reachable from the internet.

Is TeamSpeak traffic encrypted by default?

Signaling traffic (connection setup, chat, permissions) is encrypted via TLS. Voice data transmitted over UDP is not encrypted by default in TeamSpeak 3. Voice encryption can be enabled per-channel or server-wide via the server settings, at the cost of a small increase in CPU usage. TeamSpeak 5 (currently in development) uses end-to-end encryption by default.
