Always turn but never stun

Hi all,

I seem to have a situation where if the stun/turn server is installed, rather than just having a direct p2p connection it creates a turn p2p connection. This is really difficult to scale and should be unnecessary in most cases if stun would just work.

It is a basic stun/turn server installed using the jitsi-meet-turnserver package. Firewalls on the server side is not an issue as it was tested with everything open on some test servers.

Are other people seeing something similar? and any ideas how to test this.
chrome://webrtc-internals/
seems to show the stun, turn and turns servers. Yet its either turn or jvb if there is even a single nat in between the clients.

Does anyone know what the jitsi-meet-turnserver package does. It depends on prosody and jitsi-meet-web, but I haven’t figured out why. A vanilla coturn server installation seems to be working just the same. This leads me to believe I’m totally misunderstanding how the turn server is used by jitsi and maybe this is why stun is not used?

This is not expected, if STUN works it should be preferred to TURN. The dependency on prosody is there because prosody is configured to provide credentials to clients. You can test further by disabling TURN (but keeping STUN) in prosody’s config (look for ‘turncredentials’).

Boris

1 Like

Thank you very much for your answer. Yes I was really wondering about the lack of stun connections as I’ve seen statistics that the vast majority should be able to use stun. Disabling turn will route the conference to use JVB2.

The setup now consists of 3 servers.

On the main server meet.example.com.cfg.lua

turncredentials_host = "stun.example.com"
turncredentials_secret = "FirstSecret";

turncredentials = {
  { type = "stun", host = "stun.example.com", port = "3478" },
  { type = "turn", host = "stun.example.com", port = "3478", transport = "udp" },
  { type = "turns", host = "stun.example.com", port = "5349", transport = "tcp" }
};

On the stun.example.com server turnserver.conf

use-auth-secret    
keep-address-family
static-auth-secret=FirstSecret     
realm=example.com    
cert=/etc/jitsi/meet/stun.example.com.fullchain.pem
pkey=/etc/jitsi/meet/stun.example.com.privkey.pem

no-tcp
listening-port=3478    
tls-listening-port=5349

syslog

So the secret is static but only configured in prosody on the main server. The stun/turn server doesn’t have prosody installed. Should prosody on the stun/turn server send a generated onetime password to the clients. But even if the password configuration isn’t exactly right I’m baffled why turn works but stun seemingly not.