Default Jitsi Install What's Needed For UDP 10000 To Go Over Coturn 443/80

I have a complete default install of Jitsi following the handbook steps exactly.

What would need to be changed to tell the clients that everything should go over 443/80?

On a default install my clients keep trying port 10000 udp.

I want ALL clients on the internet to use ports 80 and 443 for all traffic to guarantee they can all participate in meetings.

I’ve been working on this for months and cannot successfully get this to work.

Please help Jitsi devs!!!

You want to force all connections to be over TCP? This is not a good idea and quality will suffer …
You can change jvb to bind to port 443 udp and use that …

Thanks for the reply damencho.

Yeah I want to guarantee all users behind corporate firewalls can use my jitsi install over 80 and 443. Basically I want how meet.jit.si works. I can use meet.jit.si with more than 2 users and I’m behind a firewall only allowing port 80 and 443 out.

I think a lot of people are like me and wanting a setup that works over port 80 and 443 just like meet.jit.si works.

What controls how the clients connect back? My clients still try to send UDP 10000. I can’t get them to try sending over 443 no matter what ports I change.

Like I said, I have a stock default Jitsi install.

Here is my videobridge sip config.

org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet.example.com:443
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.meet.example.com
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=PASSWORD
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.meet.example.com
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=f202ad90-1c6c-4c4b-88a9-2afaffbedcf7
org.jitsi.videobridge.DISABLE_TCP_HARVESTER = true
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=192.168.14.21
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=EXTERNALIP

----------------HERE IS TURNSERVER CONFIG---------------------

use-auth-secret
keep-address-family
static-auth-secret=SECRET
realm=meet.example.com
cert=/var/lib/letsencrypt/certs/meet.example.com/fullchain.pem
pkey=/var/lib/letsencrypt/certs/meet.example.com/privkey.pem
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-port=3478
tls-listening-port=5349
external-ip=EXTERNALIP/192.168.14.21
no-tlsv1
no-tlsv1_1
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255

I changed this in jitsi meet config.

// The STUN servers that will be used in the peer to peer connections
stunServers: [
    { urls: 'stun:meet.example.com:3478' },
    { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
]

Everything else is stock default install with latest stable.

You need to enable this module: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example#L47
And configure it: https://github.com/jitsi/jitsi-meet/blob/master/doc/debian/jitsi-meet-prosody/prosody.cfg.lua-jvb.example#L6

In a default install with nginx this is already the case.

Clients query xmpp server for turn address, port and credentials.
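To see what the turncredentials module actually hands to the client, here is an added example (mine, not code from this thread, from Jitsi or from coturn) that generates and verifies credentials in the scheme coturn's use-auth-secret / static-auth-secret mode expects. It assumes the secret is the value of static-auth-secret in turnserver.conf (which must equal turncredentials_secret in prosody), that the username is "<unix expiry>:<user id>" and that the password is base64(HMAC-SHA1(secret, username)); the user id, TTL and the secret "SECRET" are placeholders.

```python
#!/usr/bin/env python3
"""Generate and verify TURN REST-API credentials (coturn use-auth-secret mode).

Added example, not Jitsi or coturn code. The shared secret must be the same
string as static-auth-secret (turnserver.conf) and turncredentials_secret
(prosody); "SECRET" below is a placeholder.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

STATIC_AUTH_SECRET = "SECRET"   # placeholder, assumption for this example
DEFAULT_TTL = 24 * 3600         # seconds the ephemeral credential stays valid


def _mac(secret: str, username: str) -> str:
    """password = base64(HMAC-SHA1(secret, username)), as coturn computes it."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_credentials(secret: str, user_id: str = "jitsi", ttl: int = DEFAULT_TTL,
                     now: Optional[int] = None) -> Tuple[str, str]:
    """Return (username, password) that coturn will accept until now + ttl.

    username carries the expiry so the server can reject stale credentials
    without any state; the HMAC binds the expiry to the secret.
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user_id}"
    return username, _mac(secret, username)


def verify_credentials(secret: str, username: str, password: str,
                       now: Optional[int] = None) -> bool:
    """Check a pair the way coturn does: expiry in the future and HMAC matches.

    A bare "<expiry>" username (no ':user') is accepted too, as coturn does.
    """
    if now is None:
        now = int(time.time())
    expiry = username.split(":", 1)[0]
    if not expiry.isdigit() or int(expiry) <= now:
        return False
    # constant-time compare so the check itself does not leak the MAC
    return hmac.compare_digest(_mac(secret, username).encode(), password.encode())


if __name__ == "__main__":
    user, password = make_credentials(STATIC_AUTH_SECRET)
    print(f"username: {user}")
    print(f"password: {password}")
```

If a pair generated here verifies locally but coturn still answers 401 to the client, the two secrets differ or the server clock is off. You can try a generated pair directly against the TLS listener with turnutils_uclient (e.g. turnutils_uclient -t -S -p 443 -u <username> -w <password> meet.example.com; check turnutils_uclient --help for the flags your version accepts).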

That’s what I’m confused about. I have a default install with nginx with latest stable from July.

Here is my prosody config.

I have kept everything as the stock install configured by the jitsi installers, except for the Meet config example above and adding my PUBLIC and PRIVATE IP to the sip configuration.

I can’t really find anywhere that takes a default jitsi install and configures it with steps to allow port 80 and 443 ONLY. We use Zoom currently and it works perfectly fine on port 80 and 443 to the Internet which is all we allow.

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "meet.example.com";

turncredentials_secret = "SECRET";

turncredentials = {
    { type = "stun", host = "meet.example.com", port = "3478" },
    { type = "turn", host = "meet.example.com", port = "3478", transport = "udp" },
    { type = "turns", host = "meet.example.com", port = "443", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
ssl = {
    protocol = "tlsv1_2+";
    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
}

VirtualHost "meet.example.com"
    -- enabled = false -- Remove this line to enable this host
    authentication = "anonymous"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/meet.example.com.key";
        certificate = "/etc/prosody/certs/meet.example.com.crt";
    }
    speakerstats_component = "speakerstats.meet.example.com"
    conference_duration_component = "conferenceduration.meet.example.com"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.meet.example.com"
    main_muc = "conference.meet.example.com"
    -- muc_lobby_whitelist = { "recorder.meet.example.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

Component "conference.meet.example.com" "muc"
    storage = "none"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        -- "token_verification";
    }
    admins = { "focus@auth.meet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.meet.example.com" "muc"
    storage = "none"
    modules_enabled = {
        "ping";
    }
    admins = { "focus@auth.meet.example.com", "jvb@auth.meet.example.com" }
    muc_room_locking = false
    muc_room_default_public_jids = true

VirtualHost "auth.meet.example.com"
    ssl = {
        key = "/etc/prosody/certs/auth.meet.example.com.key";
        certificate = "/etc/prosody/certs/auth.meet.example.com.crt";
    }
    authentication = "internal_plain"

Component "focus.meet.example.com"
    component_secret = "#qWw4xza"

Component "speakerstats.meet.example.com" "speakerstats_component"
    muc_component = "conference.meet.example.com"

Component "conferenceduration.meet.example.com" "conference_duration_component"
    muc_component = "conference.meet.example.com"

Component "lobby.meet.example.com" "muc"
    storage = "none"
    restrict_room_creation = true
    muc_room_locking = false
    muc_room_default_public_jids = true

In all my configs I have replaced my domain with EXAMPLE and I have removed the secrets just for security of posting here, but these are all configured by default.

IS a DEFAULT install of Jitsi Meet from July supposed to work only over ports 80 and 443 OR does it by default want 10000 UDP open? I think it would solve a lot of people’s issues if you guys did a tutorial on how to configure Jitsi Meet to ONLY work with ports 80 and 443 OUT to the Internet open. Most secure organizations will not allow port UDP 10000 out. This would guarantee compatibility with all clients just like Zoom.

Thanks for all your help on this. I just need the piece of the puzzle that allows Jitsi to work over ports 80 and 443 and there are so many different configs in the forums that I can’t figure it out.

ALSO this is all on the SAME box and not separate VMs for different components.

Thanks again!

Hey Damencho. Can I provide any other logs to help understand my setup?

Thanks so much.

Do you have this: /etc/nginx/modules-enabled/60-jitsi-meet.conf ?
Are you using valid certs with fullchain for nginx and turn? Are you using the Let’s encrypt certs as installed from jitsi-meet scripts?

Yes it’s the default. Nginx jitsi config still has 4444 as the port. I have tried the handbook step of removing this modules file and changing nginx site to 443 but it didn’t do anything for me.

This is the jitsi-meet nginx module configuration. It forwards all HTTP traffic to the nginx virtual host port and the rest to the turn server.

stream {
    upstream web {
        server 127.0.0.1:4444;
    }
    upstream turn {
        server 127.0.0.1:5349;
    }
    # since 1.13.10
    map $ssl_preread_alpn_protocols $upstream {
        ~\bh2\b         web;
        ~\bhttp/1.      web;
        default         turn;
    }

    server {
        listen 443;
        listen [::]:443;

        # since 1.11.5
        ssl_preread on;
        proxy_pass $upstream;

        # Increase buffer to serve video
        proxy_buffer_size 10m;
    }
}
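An added check for the map above (my own example, not part of this thread or of the jitsi-meet package): it opens TLS to port 443 twice, once with ALPN http/1.1, which the map sends to the web upstream, and once with no ALPN, which falls through to "default turn". On the no-ALPN session it sends a STUN Binding request, which coturn answers on its TLS listener without any credentials. A Binding Success Response carrying an XOR-MAPPED-ADDRESS proves that 443 really lands on coturn at 5349; an HTTP response or a timeout means the stream block is not in effect. The host name, timeouts and the sample response bytes in the test are constructed for the example.

```python
#!/usr/bin/env python3
"""Probe nginx's ALPN split on :443 (added example, not jitsi-meet code).

ALPN http/1.1 should reach the web vhost; no ALPN should reach coturn, which
answers an RFC 5389 STUN Binding request over the TLS connection.
"""
import os
import socket
import ssl
import struct
import sys
from typing import Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id: bytes) -> bytes:
    """20-byte STUN header: type, zero attribute length, magic cookie, txn id."""
    assert len(txn_id) == 12
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def parse_binding_response(data: bytes, txn_id: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None if `data` is not a
    Binding Success Response for our transaction (an HTTP reply, an error
    response or a reply to someone else's request all yield None)."""
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        return None
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        if attr_type == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)            # IPv4: XOR with cookie
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        off += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
    return None


def probe_turns(host: str, port: int = 443, timeout: float = 5.0) -> Optional[Tuple[str, int]]:
    """TLS with NO ALPN, so nginx's map falls through to `default turn;`.
    Certificate verification is on: a failure here means coturn is not
    serving a full chain, which real clients reject as well."""
    ctx = ssl.create_default_context()
    txn = os.urandom(12)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(build_binding_request(txn))
            return parse_binding_response(tls.recv(1024), txn)


def probe_web(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """TLS with ALPN http/1.1: should hit the web upstream and answer HTTP."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["http/1.1"])
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            return tls.recv(256).split(b"\r\n", 1)[0].decode(errors="replace")


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "meet.example.com"  # assumption
    print("ALPN http/1.1 ->", probe_web(target))
    print("no ALPN (STUN) ->", probe_turns(target))
```

Run it from a network that only allows 80/443 out; the second line should show the public address and source port nginx handed to coturn. If the first probe answers but the second raises an SSL verification error, the cert=/pkey= pair in turnserver.conf is not the full chain, which is exactly what damencho asked about above.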

For SSL certs I have tried the default jitsi install of the following, AND have also tried the Let’s Encrypt path.

I would assume the jitsi installer would configure this correctly when I run.

sudo /usr/share/jitsi-meet/scripts/install-letsencrypt-cert.sh

#cert=/etc/jitsi/meet/meet.example.com.crt
#pkey=/etc/jitsi/meet/meet.example.com.key
cert=/var/lib/letsencrypt/certs/meet.example.com/fullchain.pem
pkey=/var/lib/letsencrypt/certs/meet.example.com/privkey.pem

Like I mentioned earlier. I can do another default install and if you guys can let me know what steps would be needed from a default install to make coturn and everything work over 443 and 80, I can then test that process.

Check the topic coturn chronicles after the default installation.

No need to close UDP/10000. If a client can’t connect directly to the videobridge, it’ll try to connect through the turn server.

Ok thanks Emrah. I tried to follow your steps but did not have any success.

I’m using one machine for everything and not separate VMs.

I’ll try those again. Thanks

Ok I think I am having more success now.

Below is my current turnserver.conf file. I am able to open multiple tabs from the Internet and from behind the firewall with only 443 and 80 enabled. So I have success with more than 3 tabs and video.

I’m now having issues using the mobile app on Android and even in chrome browser on android.

How should I change my turnserver.conf?

ALSO I copied the new coturn cert to /etc/coturn.

How should I do this so it updates with coturn and the other meet.example.com jitsi cert?

cp /etc/letsencrypt/live/turn.EXAMPLE.com/fullchain.pem /etc/coturn/certs/turn.EXAMPLE.com.fullchain.pem
cp /etc/letsencrypt/live/turn.EXAMPLE.com/privkey.pem /etc/coturn/certs/turn.EXAMPLE.com.privkey.pem

use-auth-secret
keep-address-family
static-auth-secret=YgIOsHNGzEuJRnQY
realm=meet.EXAMPLE.com
cert=/etc/coturn/certs/turn.EXAMPLE.com.fullchain.pem
pkey=/etc/coturn/certs/turn.EXAMPLE.com.privkey.pem
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-port=3478
tls-listening-port=5349
listening-ip=192.168.14.21
allowed-peer-ip=192.168.14.21
no-udp
no-tlsv1
no-tlsv1_1
cipher-list=EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
dh-file=/etc/coturn/certs/dhparam.pem
syslog

I use certbot to create and update the TLS certificate. I shared my experience to integrate certbot and coturn on this topic:

Tip: coturn + certbot issue on Debian Buster
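As an added example (mine, not from the linked topic or from certbot), here is a certbot deploy hook in Python that does the two cp commands above automatically after every renewal. certbot sets RENEWED_LINEAGE to the live/<name> directory of the certificate it just renewed; the hook copies fullchain.pem and privkey.pem into place with permissions coturn's user can read and then restarts coturn. The destination /etc/coturn/certs, the Debian package user "turnserver", the service name "coturn" and the turn.EXAMPLE.com lineage name are assumptions taken from the posts above; adjust them to your install.

```python
#!/usr/bin/env python3
"""certbot deploy hook: publish a renewed certificate to coturn.

Added example, not certbot or coturn code. Assumptions (adjust to your install):
coturn reads /etc/coturn/certs/turn.EXAMPLE.com.fullchain.pem and
.privkey.pem, runs as the Debian package user 'turnserver', and is the
systemd unit 'coturn'.
"""
import os
import shutil
import subprocess
import sys
from pathlib import Path
from typing import Dict, Optional

CERT_DIR = Path("/etc/coturn/certs")   # assumption: must match cert=/pkey= in turnserver.conf
COTURN_USER = "turnserver"             # assumption: Debian coturn package user
TURN_HOSTNAME = "turn.EXAMPLE.com"     # lineage name from the cp commands above


def install_cert(lineage: Path, dest_dir: Path, name: str,
                 owner: Optional[str] = None) -> Dict[str, Path]:
    """Copy fullchain.pem and privkey.pem out of a certbot lineage directory.

    Files land as <dest_dir>/<name>.fullchain.pem (0644) and
    <dest_dir>/<name>.privkey.pem (0640, owned by `owner` if given). Each file
    is written under a temporary name and renamed into place so coturn never
    opens a half-copied key. Returns destination paths keyed by source name.
    """
    dest_dir.mkdir(mode=0o750, parents=True, exist_ok=True)
    written: Dict[str, Path] = {}
    for src_name, mode in (("fullchain.pem", 0o644), ("privkey.pem", 0o640)):
        src = lineage / src_name
        dst = dest_dir / f"{name}.{src_name}"
        tmp = dest_dir / f".{dst.name}.tmp"
        shutil.copyfile(src, tmp)          # follows the live/ -> archive/ symlink
        os.chmod(tmp, mode)
        if owner:
            shutil.chown(tmp, user=owner)  # the private key is readable by coturn only
        os.replace(tmp, dst)               # atomic rename within the same filesystem
        written[src_name] = dst
    return written


def main() -> int:
    lineage = os.environ.get("RENEWED_LINEAGE")   # exported by certbot for deploy hooks
    if not lineage:
        print("RENEWED_LINEAGE is not set; run this from certbot --deploy-hook",
              file=sys.stderr)
        return 2
    if Path(lineage).name != TURN_HOSTNAME:
        return 0   # some other certificate was renewed; nothing for coturn to do
    install_cert(Path(lineage), CERT_DIR, TURN_HOSTNAME, owner=COTURN_USER)
    # restart so coturn opens the new files (it read the old ones at startup)
    subprocess.run(["systemctl", "restart", "coturn"], check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Install it with certbot renew --deploy-hook /path/to/this-script.py, or drop it into /etc/letsencrypt/renewal-hooks/deploy/ and make it executable; certbot runs it only for renewals that actually produced a new certificate. The hook ignores lineages for other names, so the meet.example.com certificate used by nginx and prosody can keep its own hook.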