I’m documenting my tests for the ports that need to be opened for the jitsi configured with docker-jitsi-meet to work. The purpose is to understand configurations where participation in a videoconference could fail for the participants and why they fail.
Setup: I’m using docker-jitsi-meet modified to enable multiplexing as of the docs and TURN (based mostly on docker-jitsi-meet PR 667, but adding turncredentials and turncredentials_secret). I describe the setup for the multiplexing in this comment.
I will only test simple firewall configurations (those that only block based on port number). What I’m doing to simulate participant firewalls is placing a firewall in front of the server and blocking different sets of ports.
The initial configuration from which I start the tests is as follows:
Outbound ports (inbound for the client): the firewall only allows
  80 and 443 and 53 (dns)
Inbound ports (outbound for the client): the firewall only allows
  4443 (jvb rtp over tcp), 5339 (connect port for turn over both tcp and udp), 10_000 (jvb rtp over udp) and 16_000-17_000 (rtp for turn over udp).
With this setup the videoconferences work.
When closing additional ports apart from those described in the base configuration, the results are:
Closing only 4443: The videoconference works
Closing all TURN ports 5349 tcp and udp and 16_000-17_000 udp: The videoconference works
Closing 4443, 5349 and 16_000-17_000: The videoconference works
Problems arise if I close 10_000 inbound (outbound for the client): in that case the videoconference fails, and this error shows in the browser console:
[modules/RTC/BridgeChannel.js] <l._send>: Bridge Channel send: no opened channel.
[conference.js] <te._onConferenceFailed>: CONFERENCE FAILED: conference.iceFailed
[modules/RTC/BridgeChannel.js] <RTCDataChannel.e.onerror>: Channel error: undefined
As far as I can see in this configuration the videoconferences work with no problem with:
Outbound ports (inbound for the client): the firewall only allows
  80, 443 and 53 (dns)
Inbound ports (outbound for the client): all ports closed except
  80, 443, 10_000
As far as I understand this is the most restrictive firewall configuration (taking into account ports only) under which jitsi can operate.
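As an added illustration (not part of the original post, and not from the docker-jitsi-meet project), here is an nftables ruleset for a firewall placed in front of the server that expresses exactly this most restrictive configuration: only tcp/80, tcp/443 and udp/10_000 reach the server, and the server itself may only open connections to DNS and web ports. The interface names "eth0" (towards the clients) and "eth1" (towards the server) are assumptions; the web/TURN multiplexing on 443 and JVB media on udp/10_000 are as described above.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original post or from docker-jitsi-meet.
# Models the "most restrictive" port-only firewall found in the tests:
#   client -> server: tcp/80, tcp/443, udp/10000 only
#   server -> client: dns (53) and web (80, 443) only
# Assumptions: the firewall forwards between a client-facing interface
# "eth0" and a server-facing interface "eth1" (placeholder names).

flush ruleset

table inet jitsi_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were already accepted in either direction.
        ct state established,related accept
        ct state invalid drop

        # Client -> server ("inbound" for the server): web/TURN multiplexed
        # on 443 (80 for the redirect) and the JVB UDP media port.
        iifname "eth0" oifname "eth1" tcp dport { 80, 443 } ct state new accept
        iifname "eth0" oifname "eth1" udp dport 10000 ct state new accept

        # Server -> client ("outbound" for the server): DNS and web only.
        iifname "eth1" oifname "eth0" udp dport 53 ct state new accept
        iifname "eth1" oifname "eth0" tcp dport { 53, 80, 443 } ct state new accept

        # Everything else (4443, 5349, 16000-17000, ...) is dropped by policy.
    }
}
```

Load it with `nft -f <file>` and verify with `nft list ruleset`. Removing the `udp dport 10000` rule reproduces the failing case from the tests (the bridge channel never opens and the conference ends with conference.iceFailed), which is a useful way to confirm that a given site firewall is the cause before changing the Jitsi configuration itself.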
I wonder also whether it would be possible to configure jitsi so it would also work with 10_000 blocked both inbound and outbound by multiplexing on protocol instead of server name.