How connections are made from users to users (and jitsi server)

Hey there,

With all this STUN/TURN server stuff, I am wondering about the network connections/architecture, i.e. how connections are really made when running my own Jitsi server instance.

So take the scenario where users are behind a NAT router at home (where all ports for outgoing connections are allowed) and a Jitsi server on the internet with ports 80, 443 and 10000 opened.

Normally these home routers allow everything outgoing, but only allow connections back from an IP to which the initial packet was sent, and only to the port the NAT router used (stateful firewall).

Are there any direct connections between the users of a meeting, or are all users connecting to the Jitsi server and videobridge, which then forward the packets back and forth between the users?

So why are STUN servers needed, if every user behind a NAT can connect to the Jitsi server first and receive packets back from it?

A TURN server is only needed if outgoing ports, e.g. 10000, are blocked, that's what I understand.
But in my scenario the Jitsi server itself acts like a kind of TURN server?
Since all users are connecting to it and receive the data from all other users back through Jitsi and the videobridge?

So by default no external TURN server is needed, or is one configured anywhere?

Hopefully I was able to explain my question well enough. If not, please ask about any point. I really need to understand, for privacy reasons, in which scenario data are transferred to

When there are two participants in the call they establish 2 connections (peer connections): one direct and one to the bridge. In order to establish the direct connection a STUN server is needed to resolve its external address and to open the port which will be used for receiving media. If the direct connection is not possible it falls back to the one to the bridge.
A TURN server is a relay server, the same as JVB. TURN is used in two ways: first, if a p2p connection is not possible the two users may use TURN to relay media in order to offload JVB. The second use case is when a user is in a network environment where UDP is not allowed; then it uses a TCP connection to the TURN server in order to send media to the bridge.

Hope this explains everything.
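The three paths described in the answer above (direct, STUN-discovered through NAT, relayed via TURN or the bridge) are visible in the ICE candidates a browser gathers, which is where a privacy-conscious operator can check which way media actually flows. The following is an added example, not code from this thread or from jitsi-meet: a parser for ICE candidate lines (the `candidate:` attribute syntax from RFC 8839) that classifies each candidate, plus a check on a selected candidate pair. The sample candidate lines and addresses are constructed.

```javascript
// Added example, not from the thread or from jitsi-meet: parse ICE candidate lines
// and report what each one says about how media would flow. A host candidate is a
// local interface address, a srflx candidate is the NAT's public mapping learned via
// STUN (a direct path through the NAT), a relay candidate is a TURN server address
// (media is relayed). Sample lines below are constructed, not captured.
const CANDIDATE_RE =
  /^(?:a=)?candidate:(\S+) (\d+) (udp|tcp) (\d+) (\S+) (\d+) typ (host|srflx|prflx|relay)\b(.*)$/i;

function parseCandidate(line) {
  const m = CANDIDATE_RE.exec(line.trim());
  if (m === null) return null; // not a candidate attribute
  const [, foundation, component, transport, priority, ip, port, type, rest] = m;
  const cand = {
    foundation,
    component: Number(component), // 1 = RTP, 2 = RTCP
    transport: transport.toLowerCase(),
    priority: Number(priority),
    ip,
    port: Number(port),
    type: type.toLowerCase(),
  };
  // Remaining attributes are key/value pairs: raddr/rport (srflx and relay),
  // tcptype, generation, ... A trailing key without a value is ignored.
  const extra = rest.trim().split(/\s+/).filter(Boolean);
  for (let i = 0; i + 1 < extra.length; i += 2) {
    cand[extra[i]] = extra[i + 1];
  }
  return cand;
}

function describeCandidate(cand) {
  switch (cand.type) {
    case 'host':
      return `host ${cand.ip}:${cand.port}: local interface address, directly reachable only from the same network`;
    case 'srflx':
      return `srflx ${cand.ip}:${cand.port}: public NAT mapping learned from STUN (inside address ${cand.raddr}:${cand.rport}); a direct path through the NAT`;
    case 'prflx':
      return `prflx ${cand.ip}:${cand.port}: peer-reflexive address found during connectivity checks; still a direct path`;
    case 'relay':
      return `relay ${cand.ip}:${cand.port}: TURN relay address; media goes to the TURN server and is forwarded from there`;
    default:
      return `unknown candidate type ${cand.type}`;
  }
}

// For the candidate pair ICE finally selects: media is relayed if either side uses a
// TURN relay address, otherwise it flows directly between the endpoints (through NATs).
function pairKind(local, remote) {
  return local.type === 'relay' || remote.type === 'relay' ? 'relayed' : 'direct';
}

// Constructed candidates for a peer behind a home NAT with a TURN server available,
// in the form a browser lists them in the SDP or in chrome://webrtc-internals.
const SAMPLE_CANDIDATES = [
  'a=candidate:1 1 udp 2122260223 192.168.1.20 54321 typ host',
  'a=candidate:2 1 udp 1686052607 203.0.113.7 61001 typ srflx raddr 192.168.1.20 rport 54321',
  'a=candidate:3 1 udp 41885439 198.51.100.9 52000 typ relay raddr 203.0.113.7 rport 61001',
];

for (const line of SAMPLE_CANDIDATES) {
  console.log(describeCandidate(parseCandidate(line)));
}
```

In a running call the `candidate-pair` entry with `state: succeeded` and `nominated: true` in `RTCPeerConnection.getStats()` tells you which local/remote pair was selected; feeding those two candidates to `pairKind` answers the original question of whether media leaves the home network directly to the other participant or via a relay.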

So this means that in every scenario where both (or more) users are behind a NAT router (stateful firewall) there is a fallback to the bridge, because if both are behind a NAT nobody can receive direct connections.

Because on the side of user A the first connection/packet to user B is not allowed, since it was not initiated by user B. And the same way from user B to user A?

Maybe with the help of STUN it is possible to establish a direct connection between them and I just don't understand it.

One question directly to your answer:

If all the users in a Jitsi conference are directly connected to each other, this means there is a lot of use of the STUN server the whole time, not just for the initial connection, since every user is connected to every other user in the conference.

And if this is done what task is left for the videobridge?

And last question: this scenario was with 2 users. If there are more than 2 users in a conference, is there no STUN used at all because the whole traffic goes through the bridge, so all users are connected to the bridge and the bridge sends the packets to each of the users?

(I understand that the bridge is a relay and is relaying all the data to the other users in the conference.) But asking for the initiation.

Thanks @damencho and all the others helping me get more knowledge and options, and thanks for this really cool project!

Hello @it-ba,

AFAIK, some of your assumptions are not true and these cause the complexity.

Let's say PeerB established a connection to a server. PeerA can connect to PeerB if it knows PeerB's external (IP, port) which was used to connect to the server. This allows the peers to establish a direct connection to each other, although there is a NAT between them.

A symmetric NAT doesn't allow this kind of connection. It only accepts connections from peers which it has previously connected to. But not all NATs are symmetric NATs.

If there are only 2 peers, they communicate directly. No videobridge between them, no audio/video traffic through the server…

STUN helps to find the external IPs of the peers and the NAT types between them.

The videobridge is a relay server but not a relay like the TURN server. It doesn't send all incoming audio/video packets to all clients. It decides which packets will be sent according to the peers' status, bandwidth quality, needed resolution, active speakers etc.

Users are directly connected only when there are just 2. In case of more than two, everyone is sending media to the bridge and the bridge is smart, forwarding whatever is needed.
And in the case of 2, which is the p2p case, the STUN server is used to discover the external address and port just in the beginning.

Yep.

Thanks a lot!
There are preconfigured STUN servers, but is there also a preconfigured TURN server anywhere in the configs, or are the STUN servers also used for TURN?

Is there an option to turn off the use of a TURN server? So that STUN is used if needed but never TURN, and the videobridge is always used instead?

If you always want to use the bridge, just turn off p2p. There is an option in config.js for that.
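The switches referred to in the reply above, as an added example and not the project's shipped config.js: the `p2p.enabled`, `p2p.useStunTurn` and top-level `useStunTurn` settings. The file path is assumed from a Debian package install, and the `stunServers` entry is only there to show where the STUN list lives; with p2p disabled it is never used.

```javascript
// Added example, not the shipped jitsi-meet config.js. Assumed location:
// /etc/jitsi/meet/<your-host>-config.js on a Debian package install.
var config = {
    // ... other settings unchanged ...

    // TURN servers for the connection to the bridge are not listed here; they are
    // advertised by prosody (XEP-0215) because they need the shared secret. This
    // flag controls whether the client uses them for the JVB connection at all.
    // false: reach the bridge directly on its own ports (UDP 10000 in the thread's setup).
    useStunTurn: false,

    p2p: {
        // false: never attempt a direct peer-to-peer connection in 2-party calls;
        // all media always goes through the videobridge.
        enabled: false,

        // STUN servers are used only for the p2p connection, to learn the public
        // NAT mapping. Irrelevant while p2p is disabled.
        stunServers: [
            { urls: 'stun:stun1.l.google.com:19302' }
        ],

        // false: do not use the prosody-advertised TURN servers as a fallback
        // for the p2p connection either.
        useStunTurn: false
    }
};
```

With `p2p.enabled: false` the question of whether STUN or TURN is used between participants does not arise; every participant only talks to the bridge, which is exactly the "use the bridge instead of TURN" behaviour asked for.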

I mean, if I just want to use STUN servers but never TURN servers. Instead of using TURN, the bridge should be used.

Is this in -config.js:

stunServers: [
    { urls: 'stun:stun.nextcloud.com:443' },
    { urls: 'stun:stun1.l.google.com:19302' },
    { urls: 'stun:stun.1und1.de:3478' }
],

So are these used for STUN and TURN, or is every server here just used for STUN?

By "turn off", you mean this part:

useStunTurn: true,

[...]

p2p: {
    useStunTurn: true,

These are STUN only. The TURN server config comes from prosody because it uses a shared secret.

Hm, I wanted to just comment out both lines with turn & turns, but this part is completely missing in my /etc/prosody/conf.avail/meet.host.cfg.lua

Can anybody help with where else to find these parts, i.e. in which config file to turn off TURN/p2p as told earlier in this conversation?

And why are the described parts completely missing in my config?

Probably you installed jitsi-meet before we introduced this. The link above is the latest template you will get when you do a clean install.

Yes, I did a new installation on a test machine and I see this. But as TURN server, the server itself is listed automatically. So the server itself acts as a TURN server, hopefully I got that right.

But thanks for all the information. I understand a lot more than before and really love Jitsi. Thanks for your work!