Clarification on necessity of TURN server with Jitsi

Good day, :slight_smile:

I’m somewhat confused as to whether I need a TURN server or not with my Jitsi setup.

I understand that if there are just 2 participants in a Jitsi meeting, by default Jitsi attempts a P2P (peer-to-peer) connection (more or less a “direct” connection between the 2 parties).

However, if 3 or more participants are in a meeting, how specifically does it work?
I am thinking via JVB (the video bridge) as UDP traffic?

I understand the port to open for JVB is port 10000 UDP.
…but I think I read that there is actually a range of ports that Jitsi uses (10000 - 20000 UDP).

If it is a range, wouldn’t that whole range need to be opened up in my firewall, with port forwarding configured to my Jitsi server?

Thanks in advance for helping me understand how Jitsi/TURN works :slight_smile:
Shawn

Hi there and welcome to our community!

You don’t need one.

Correct. Without a TURN server it may fail and then you’ll end up connecting through the bridge, which is not a huge deal.

It’s possible your network blocks all outgoing UDP traffic. In such a scenario, TURN would help you because you’d connect to it using TCP or TLS, then to the JVB via UDP.

That’s incorrect, the JVB uses a single port by default, 10000. All traffic is multiplexed through it.

Thanks for your helpful reply, saghul and the welcome to the forums here!

You wrote:

Correct. Without a TURN server it may fail and then you’ll end up connecting through the bridge, which is not a huge deal.

If I understand correctly, what you’re saying is: if the P2P direct connection fails, it will try via JVB (videobridge) on UDP port 10000.

Correct?

and just on that single port 10000… not a range
Correct?

But is it possible that when participants in a video meeting connect from outside (from the WAN), other ports are used with JVB and/or Jitsi Meet as well?

You wrote:

It’s possible your network blocks all outgoing UDP traffic. In such scenario, TURN would help you because you’d connect to it using TCP or TLS, then to the JVB via UDP.

Is it possible to connect via UDP only instead of using TCP or TLS? (From what I understand, UDP can transmit media faster than TCP?)

To enable using a TURN server for Jitsi, per the Meetrix.io tutorial, I understand I need to download and install mod_turncredentials.lua into Prosody:

cd /tmp && \
wget https://raw.githubusercontent.com/otalk/mod_turncredentials/master/mod_turncredentials.lua && \
sudo cp mod_turncredentials.lua /usr/lib/prosody/modules/

and that I also need to modify the following:

  • Prosody config file: "[myJitsihostname].cfg.lua" in /etc/prosody/conf.avail/ and
  • JVB config file "sip-communicator.properties" in /etc/jitsi/videobridge/
  • Jitsi Meet config file "[myJitsihostname]-config.js" in /etc/jitsi/meet/

For the Prosody config file, I need to input my TURN server secret / hostname etc. like this:

external_service_secret = "TURN_SERVER_SECRET";
external_services = {
    -- plain TURN on 3478 (UDP)
    { type = "turn", host = "turn.mydomain.com", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
    -- TURN over TLS on 5349; TLS runs over TCP, so the transport here is "tcp"
    { type = "turns", host = "turn.mydomain.com", port = 5349, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

as well as to add this line: “turncredentials”;
… in the modules_enabled section, so that it looks like this:

modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "turncredentials";
        "speakerstats";
        "external_services";
        "conference_duration";
        "end_conference";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
        "room_metadata";
    }

What about these lines:

cross_domain_bosh = false;
consider_bosh_secure = true;

Are those default settings OK?

For the JVB config file "sip-communicator.properties", I added this line:

org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true

For the Jitsi Meet config file "[myJitsihostname]-config.js", I ensured that this line:

useStunTurn: true, // Using Turn Server with JVB

was within the “p2p: {” section, and I also pasted it right below that section as “useStunTurn: true, // Using Turn Server with JVB”,

so that my final config looks like this:

p2p: {
    enabled: true,

    stunServers: [
        // { urls: 'stun:[myJitsihostname].com:3478' },
        { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
    ],
},

useStunTurn: true, // Using Turn Server with JVB

However, I suppose I need to uncomment this line: // { urls: 'stun:[myTURNserverhostname].com:3478' }, and input my TURN server hostname there?

Did I miss anything?

Thanks again for your time and help!
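As an added illustration (not code from the original post or from the Jitsi project) of what the `external_service_secret`, `ttl` and `algorithm = "turn"` settings above imply: the Prosody module hands clients short-lived credentials derived from the shared secret rather than the secret itself, and the TURN server recomputes the same HMAC to accept or reject them. This assumes the plain-timestamp username form of the TURN REST API scheme; the secret is the placeholder value from the config above and the timestamps are constructed.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Placeholder from the Prosody config above (external_service_secret); constructed, not a real secret.
EXAMPLE_SECRET = "TURN_SERVER_SECRET"


def make_turn_credentials(secret: str, ttl: int, now: Optional[int] = None) -> Tuple[str, str]:
    """Mint time-limited TURN credentials (TURN REST API scheme, algorithm = "turn"):
    username = expiry unix timestamp, password = base64(HMAC-SHA1(secret, username)).
    This is what Prosody sends to the browser; the long-term secret never leaves the server."""
    if now is None:
        now = int(time.time())
    username = str(int(now) + ttl)          # ttl = 86400 in the config above -> valid for one day
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credentials(secret: str, username: str, password: str,
                            now: Optional[int] = None) -> bool:
    """Mirror of the check a TURN server configured with the same shared secret performs:
    the username must be a not-yet-expired timestamp and the password must be the matching HMAC."""
    if now is None:
        now = int(time.time())
    try:
        expiry = int(username)
    except ValueError:
        return False                        # malformed username: reject before doing any crypto
    if expiry <= int(now):
        return False                        # expired credential: the ttl window has passed
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    return hmac.compare_digest(expected, password)   # constant-time comparison


if __name__ == "__main__":
    user, pwd = make_turn_credentials(EXAMPLE_SECRET, 86400)
    print("username:", user, "password:", pwd)
    print("valid now:", verify_turn_credentials(EXAMPLE_SECRET, user, pwd))
```

Because the username carries the expiry, a leaked credential is only useful until the `ttl` runs out, which is why the config uses a shared secret plus `ttl` instead of a static TURN password.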

But is it possible that when participants in a video meeting connect from outside (from the WAN), other ports are used with JVB and/or Jitsi Meet as well?

The JVB only receives media on port udp/10000. Signalling happens over HTTPS on tcp/443. Those are the only two ports used by Jitsi Meet itself.

Is it possible to connect via UDP only instead of using TCP or TLS? (From what I understand, UDP can transmit media faster than TCP?)

If you don’t have a TURN server, UDP is always used. Even if you do have a TURN server, UDP is used by default, because quality is better. Some networks (particularly corporates) strictly block outbound UDP. If you want your setup to be compatible with such networks, you need a TURN server so that the media traffic can use TCP. (Note that even then, the JVB itself is still receiving the media on udp/10000 — the TURN server receives the media from the user on a TCP port and forwards it to the JVB over UDP, and does the reverse in the other direction.)

Yep

Yep

No

Yes, but if UDP is available a direct connection to the JVB is also usually possible so TURN wouldn’t be used for JVB connections.

That tutorial must be outdated, we ship that module now: jitsi-meet/mod_turncredentials.lua at master · jitsi/jitsi-meet · GitHub

This is now already the default.