Coturn doesn't work with Jitsi on GKE

Hello,

I have already installed Jitsi on my GKE cluster like this:

Ref Graph 1

Each circle is a unique pod with its own k8s service.

I want to migrate to a coturn server. I have already done that on my side with my docker-compose for local development. I tried to reproduce it on the GKE cluster. I have set up my cluster like this:

Ref Graph 2

When I join my meeting, there is no audio/video. I have checked all the logs:

    • host => fails as expected because JVB is not exposed anymore
    • prflx => success for p2p connections
    • relay-tls => pending, but I expect success due to the coturn relay. I got my remote local JVB IP as the remote host.
  • Coturn logs: I got turns connections:
253: : session 000000000000000002: realm <COTURN_HOST> user <>: incoming packet message processed, error 401: Unauthorized
253: : session 000000000000000002: realm <COTURN_HOST> user <>: incoming packet message processed, error 401: Unauthorized
253: : IPv4. Local relay addr: 10.20.0.225:52004
253: : IPv4. Local relay addr: 10.20.0.225:52004
253: : session 000000000000000002: new, realm=<COTURN_HOST>, username=<1642173864>, lifetime=3600, cipher=ECDHE-RSA-AES256-GCM-SHA384, method=TLSv1.2
253: : session 000000000000000002: new, realm=<COTURN_HOST>, username=<1642173864>, lifetime=3600, cipher=ECDHE-RSA-AES256-GCM-SHA384, method=TLSv1.2
253: : session 000000000000000002: realm <COTURN_HOST> user <1642173864>: incoming packet ALLOCATE processed, success
253: : session 000000000000000002: realm <COTURN_HOST> user <1642173864>: incoming packet ALLOCATE processed, success
253: : session 000000000000000002: peer 10.20.0.225 lifetime updated: 300
253: : session 000000000000000002: peer 10.20.0.225 lifetime updated: 300
253: : session 000000000000000002: realm <COTURN_HOST> user <1642173864>: incoming packet CREATE_PERMISSION processed, success
253: : session 000000000000000002: realm <COTURN_HOST> user <1642173864>: incoming packet CREATE_PERMISSION processed, success
253: : session 000000000000000002: peer 10.24.11.74 lifetime updated: 300
253: : session 000000000000000002: peer 10.24.11.74 lifetime updated: 300
253: : session 000000000000000002: realm <COTURN_HOST> user <1642173864>: incoming packet CREATE_PERMISSION processed, success
253: : session 000000000000000002: realm <COTURN_HOST> user <1642173864>: incoming packet CREATE_PERMISSION processed, success
291: : session 000000000000000002: refreshed, realm=<COTURN_HOST>, username=<1642173864>, lifetime=0, cipher=ECDHE-RSA-AES256-GCM-SHA384, method=TLSv1.2
291: : session 000000000000000002: refreshed, realm=<COTURN_HOST>, username=<1642173864>, lifetime=0, cipher=ECDHE-RSA-AES256-GCM-SHA384, method=TLSv1.2
291: : session 000000000000000002: realm <COTURN_HOST> user <1642173864>: incoming packet REFRESH processed, success
291: : session 000000000000000002: realm <COTURN_HOST> user <1642173864>: incoming packet REFRESH processed, success
  • JVB logs:
SEVERE: Error during DTLS connection: org.bouncycastle.tls.TlsTimeoutException: Handshake timed out
Jan 13, 2022 3:25:25 PM org.jitsi.utils.logging2.LoggerImpl log
SEVERE: Error during DTLS negotiation, closing this transport manager
org.bouncycastle.tls.TlsTimeoutException: Handshake timed out
	at org.bouncycastle.tls.DTLSReliableHandshake.receiveMessage(Unknown Source)
	at org.bouncycastle.tls.DTLSServerProtocol.serverHandshake(Unknown Source)
	at org.bouncycastle.tls.DTLSServerProtocol.accept(Unknown Source)
	at org.bouncycastle.tls.DTLSServerProtocol.accept(Unknown Source)
	at org.jitsi.nlj.dtls.DtlsServer.accept(DtlsServer.kt:45)
	at org.jitsi.nlj.dtls.DtlsServer.start(DtlsServer.kt:41)
	at org.jitsi.nlj.dtls.DtlsStack.start(DtlsStack.kt:150)
	at org.jitsi.videobridge.transport.dtls.DtlsTransport.startDtlsHandshake(DtlsTransport.kt:107)

Maybe my problem is something like this:

Ref Graph 3

I was unable to solve it. I checked the IPs assigned and nothing was wrong. Coturn knows its own IP using the fieldRef. JVB should resolve the coturn external IP with DNS. I am not sure how the JVB response to coturn works. Do you have any idea?

Thank you

That’s a good thing since it proves that your coturn is trying to talk to JVB. Now if you can’t figure out from your turnserver.conf what coturn is doing wrong (there is no configuration on the JVB side, it’s only DTLS over UDP, but you should be aware that coturn is a multi-protocol guy), you can always use tcpdump on the JVB side to try to understand what is happening.

Hello,

I found my error.
I used status.hostIP as the external IP for coturn.
JVB tried to connect to the node IP, and it wasn’t the right location to connect to coturn.
I changed it to status.podIP and it works.
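As an added example (not the original poster's manifest and not a Jitsi project file), here is what the fieldRef fix described above looks like in a coturn Deployment. The two fieldPath values are the point of the thread; everything else is assumed for illustration: the image tag, the Secret names (coturn-secrets, coturn-tls), the realm, and the choice of turnserver flags. Pod IPs on GKE are routable from other pods in the VPC, which is why the pod IP works as the advertised relay address here while the node IP did not.

```yaml
# Added example, not the original poster's manifest. A coturn Deployment on
# Kubernetes that advertises the pod IP (status.podIP), not the node IP
# (status.hostIP), as its relay address. Names and flags are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coturn
spec:
  replicas: 1
  selector:
    matchLabels:
      app: coturn
  template:
    metadata:
      labels:
        app: coturn
    spec:
      containers:
        - name: coturn
          image: coturn/coturn:4.5.2          # assumed image tag
          env:
            # The bug in the thread: status.hostIP is the GKE node's IP. JVB then
            # tried to reach the relay on the node, where nothing was listening,
            # and the DTLS handshake timed out.
            #
            # - name: COTURN_EXTERNAL_IP
            #   valueFrom:
            #     fieldRef:
            #       fieldPath: status.hostIP
            #
            # Fix: status.podIP is the address coturn actually binds and the one
            # that is routable from the JVB pod inside the VPC.
            - name: COTURN_EXTERNAL_IP
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: TURN_SECRET
              valueFrom:
                secretKeyRef:
                  name: coturn-secrets        # assumed Secret name
                  key: static-auth-secret
          # Kubernetes expands $(VAR) in args before starting the container,
          # so the downward-API value reaches turnserver's --external-ip.
          args:
            - "--external-ip=$(COTURN_EXTERNAL_IP)"
            - "--realm=turn.example.org"      # assumed realm
            - "--listening-port=3478"
            - "--tls-listening-port=5349"
            - "--cert=/certs/tls.crt"
            - "--pkey=/certs/tls.key"
            - "--use-auth-secret"
            - "--static-auth-secret=$(TURN_SECRET)"
            - "--no-cli"
            - "--verbose"
          ports:
            - containerPort: 3478
              protocol: UDP
            - containerPort: 3478
              protocol: TCP
            - containerPort: 5349
              protocol: TCP
          volumeMounts:
            - name: tls
              mountPath: /certs
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: coturn-tls            # assumed kubernetes.io/tls Secret
```

The only line that differs between the broken and the working setup is the fieldPath; with status.hostIP the relay candidate coturn hands out points at the node, so JVB's DTLS packets never reach the TURN allocation and the handshake times out exactly as in the JVB log above. If coturn sits behind a load balancer that NATs traffic, --external-ip takes the public/private pair form instead, which this example does not cover.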