Coturn & ISP Firewall

Hi!

In order to get around those restricted firewalls that block the 10000/udp port, I’ve just successfully installed jitsi-meet 2.0.5142-1 on Ubuntu 20.04.

First, thank you for this embedded coturn server!

When I block my 10000/udp port on my firewall, this turn server is doing the job and all works like a charm (I can see the ‘(turn)’ reference next to the distant IP).

However, in France, we have an ISP named ‘Orange’ (the most afloat), which provides an embedded firewall on its BOX.

Those firewalls have a ‘Restricted Mode’, and when it’s on, the coturn on my self-hosted jitsi-meet is not doing the job anymore…

As a result, the person behind the firewall can connect and chat in a room, but he’s not able to listen to/see other participants’ voice/camera.

The most surprising thing is that when the same person uses the official meet.jit.si behind the same restricted-mode firewall, it works perfectly and I can see the ‘(turn)’ reference next to the distant IP.

So, I’m wondering: is there something missing on the embedded coturn server for it to work with some more restricted firewalls?

Or do I have to admit that meet.jit.si is whitelisted by the French ISP ‘Orange’?

Regards,
Jonathan

Is this firewall in front of the turnserver?

So by default jitsi-meet installs with turnserver on standard port 5349, where meet.jit.si runs the turnserver on port 443. So maybe this is the difference.
You can do the same, but if everything is on the same machine you will need a second DNS entry: https://jitsi.github.io/handbook/docs/devops-guide/turn#use-turn-server-on-port-443


Hi damencho!

Those firewalls I mention are located in some users’ private/professional infrastructures. Not on our jitsi server.

Thank you very much for your answer!

Our coturn is now able to trick those ISP firewalls like the official meet.jit.si! But only with IPv4 clients…

Indeed, our implementation is incomplete because it isn’t working with IPv6: we can see IPv6 clients join the meeting, but can’t listen to/see them.

I point out that those IPv6 clients have no problem when they are not in restricted mode on their firewall.

So those IPv6 problems happen only when coturn is used.

Is there something to set for IPv6 in coturn/nginx/prosody?

Here is what we did:

1/ Create DNS entries A and AAAA for myturn.mydomain.fr.
-> The same as myvisio.mydomain.fr because coturn is running on our jitsi-meet server.

2/ Enable a new module for nginx in /etc/nginx/module-enabled/jitsi-coturn-443.conf

stream {
    map $ssl_preread_server_name $name {
        myvisio.mydomain.fr web_backend;
        myturn.mydomain.fr turn_backend;
    }

    upstream web_backend {
        server 127.0.0.1:4444;
    }

    upstream turn_backend {
        server __my_public_ipv4__:5349;
    }

    server {
        listen 443;
        listen [::]:443;

        # since 1.11.5
        ssl_preread on;

        proxy_pass $name;

        # Increase buffer to serve video
        proxy_buffer_size 10m;
    }
}

3/ Change the listening port from 443 to 4444 in my /etc/nginx/site-enable/myvisio.mydomain.fr.conf

4/ Replace the turns configuration in /etc/prosody/conf.d/myvisio.mydomain.fr.cfg.lua:

{ type = "turns", host = "myturn.mydomain.fr", port = "443", transport = "tcp" }

5/ Set the /etc/turnserver.conf file as follows:

# jitsi-meet coturn config. Do not modify this line
use-auth-secret
keep-address-family
static-auth-secret=my_auth_secret
realm=myturn.mydomain.fr
cert=/etc/ssl/mydomain.fr/fullchain.pem
pkey=/etc/ssl/mydomain.fr/privkey.pem
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
allowed-peer-ip=__my_public_ipv4__
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# jitsi-meet coturn relay disable config. Do not modify this line
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
syslog

Hoping this will help some other people.
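To sanity-check that the three fragments from the steps above agree with each other (which SNI name nginx routes to which upstream, that the TURN upstream points at coturn's TLS port, that prosody advertises the port nginx actually listens on, and that nginx accepts IPv6 on 443), here is an added Python checker that is not part of the thread or of jitsi-meet. The embedded config samples are constructed placeholders mirroring the posted ones, and the checks are assumptions drawn only from those fragments.

```python
import re

# Constructed samples mirroring the thread's three config fragments (placeholder names/IPs).
NGINX_STREAM = """stream {
    map $ssl_preread_server_name $name { myvisio.mydomain.fr web_backend; myturn.mydomain.fr turn_backend; }
    upstream web_backend { server 127.0.0.1:4444; }
    upstream turn_backend { server 192.0.2.10:5349; }
    server { listen 443; listen [::]:443; ssl_preread on; proxy_pass $name; }
}"""
PROSODY_TURNS = '{ type = "turns", host = "myturn.mydomain.fr", port = "443", transport = "tcp" }'
TURNSERVER_CONF = "use-auth-secret\nrealm=myturn.mydomain.fr\nlistening-port=3478\ntls-listening-port=5349\nno-tcp\n"

def parse_nginx(text):
    """SNI map (host -> upstream name), upstream -> port, listen ports, IPv6 listen flag."""
    block = re.search(r"map\s+\$ssl_preread_server_name\s+\$\w+\s*\{(.*?)\}", text, re.S)
    sni = dict(re.findall(r"([\w.-]+)\s+(\w+);", block.group(1))) if block else {}
    ups = {n: int(p) for n, p in re.findall(r"upstream\s+(\w+)\s*\{[^}]*?:(\d+);", text, re.S)}
    ports = {int(p) for p in re.findall(r"listen\s+(?:\[::\]:)?(\d+);", text)}
    return sni, ups, ports, re.search(r"listen\s+\[::\]:", text) is not None

def parse_turnserver(text):
    """turnserver.conf is key=value lines plus bare flags; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, val = line.partition("=")
            opts[key] = val or True
    return opts

def check_setup(nginx, prosody, turnserver):
    """Return findings as strings; an empty list means the three fragments agree."""
    sni, ups, ports, v6 = parse_nginx(nginx)
    m = re.search(r'host\s*=\s*"([^"]+)".*?port\s*=\s*"?(\d+)', prosody)
    host, port = m.group(1), int(m.group(2))
    tls_port = int(parse_turnserver(turnserver).get("tls-listening-port", 5349))
    findings = []
    if port not in ports:
        findings.append(f"prosody advertises turns on {port}, nginx listens on {sorted(ports)}")
    backend = sni.get(host)
    if backend is None:
        findings.append(f"no SNI map entry for turns host {host}")
    elif backend not in ups:
        findings.append(f"SNI map routes {host} to undefined upstream {backend}")
    elif ups[backend] != tls_port:
        findings.append(f"upstream {backend} targets {ups[backend]}, coturn TLS port is {tls_port}")
    if not v6:
        findings.append("no 'listen [::]:443': IPv6-only clients cannot reach TURN on 443")
    return findings

if __name__ == "__main__":
    print(check_setup(NGINX_STREAM, PROSODY_TURNS, TURNSERVER_CONF) or ["OK"])
```

Point the three constants at the real files (read them in) to run the same checks on a live install.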