Dissociate hosted Jitsi Meet server from clients

Hi,

I have a security requirement to dissociate the media server (Jitsi Meet) from its clients. The goal is for clients to never reach the hosted Jitsi Meet directly and vice-versa. I tried placing a proxy between the clients and the hosted Jitsi Meet server with nginx configurations. For the most part this works for TCP traffic, but UDP traffic goes directly to the Jitsi Meet server. I am thinking this happens as part of WebRTC negotiations and I don't know if there is a way to get around it.

At first I thought TURN servers could help with this dissociation, but after further reading I believe TURN servers are only applicable for p2p connections, and I also think it would only help in one direction.

I would really appreciate any/all advice on this.

Thanks,
Bruce

TURN is not only for P2P. All clients which have no access to UDP/10000 fall back to TURN, but this is not a good idea since TURN is less performant and difficult to scale.

Thanks for the explanation! I understand TURN relay is to be used as a last resort. I was able to successfully stand up a COTURN and configure Jitsi to use it. Following your advice, I blocked UDP/1000 on my client and traffic did indeed go through the TURN server. I tried blocking UDP/10000 on the server itself, but after doing so I was no longer able to have successful Jitsi sessions.

Is there a configuration that would force Jitsi to always use the TURN server irrespective of whether or not clients have access to UDP/10000?

Thanks!

This means that coturn is also trying to connect to the videobridge using the external IP. So you need to set an alternative way for the coturn-JVB connection. The loopback address (127.0.0.1) or the internal IP (if the server is behind a NAT) will be an alternative.

But the coturn default config prevents connecting to the internal IP blocks. Change it according to your situation.

And…

block the UDP/10000 through the external IP completely

You should be aware that it may lead to very bad performance if there is even a very low error rate on network connections, as always happens on wifi networks. TURN is only a workaround; UDP is way better for performance.

I don't understand this point either. Probably a system with TURN will be less secure and less reliable than the previous one.
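For the coturn-to-JVB path described in the reply above (coturn reaching the videobridge on its internal address instead of the blocked external UDP/10000), the relevant directives look like this. This is an added example, not a config posted in the thread; it assumes the stock `turnserver.conf` still carries the default private-range `denied-peer-ip` block and that the JVB's internal address is `10.0.0.5` (a constructed placeholder).

```ini
# /etc/turnserver.conf (coturn) - added example, not from the thread

# Default hardening: refuse to relay traffic to private/internal peers.
# Left in place on purpose; it is what keeps the relay from becoming a
# pivot into the internal network.
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
no-multicast-peers

# Targeted exception: coturn documents that an address listed as both
# allowed and denied is treated as allowed, so only the videobridge's
# internal ICE candidate is opened. 10.0.0.5 is an assumed placeholder;
# replace it with the JVB's real internal IP (or 127.0.0.1 if coturn and
# JVB share a host and JVB advertises a loopback candidate).
allowed-peer-ip=10.0.0.5

# Everything else (realm, listening ports, TLS certs, auth secret) stays
# as generated by the Jitsi installer.
```

After the change, restart coturn and verify with a client whose UDP/10000 to the external IP is blocked: `chrome://webrtc-internals` should show the selected candidate pair using a `relay` candidate, and the JVB log should record the session arriving from coturn's relay address rather than from the client.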