If UDP 10000 is blocked, users cannot connect

When UDP 10000 is blocked, my users do not get video and the connection keeps resetting.
Is the TURN server supposed to allow connections via 443 if UDP 10000 is blocked?

Connections should fall back to TURNS if TURN is configured and uses a valid certificate.

I am trying this on AWS (Ubuntu 18.04.1) with a fresh install, and when port 10000 is blocked it will not fail over to 443 (no video and the connection keeps resetting).

Any suggestions for troubleshooting? I have tried everything I can think of.

Here are my versions.

    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name                   Version                   Architecture  Description
    +++-======================-=========================-=============-==================================================
    ii  coturn                 4.5.0.7-1ubuntu2.18.04.2  amd64         TURN and STUN server for VoIP
    ii  jitsi-meet             2.0.4857-1                all           WebRTC JavaScript video conferences
    ii  jitsi-meet-prosody     1.0.4289-1                all           Prosody configuration for Jitsi Meet
    un  jitsi-meet-tokens      <none>                    <none>        (no description available)
    ii  jitsi-meet-turnserver  1.0.4289-1                all           Configures coturn to be used with Jitsi Meet
    ii  jitsi-meet-web         1.0.4289-1                all           WebRTC JavaScript video conferences
    ii  jitsi-meet-web-config  1.0.4289-1                all           Configuration for web serving of Jitsi Meet
    un  jitsi-videobridge      <none>                    <none>        (no description available)
    ii  jitsi-videobridge2     2.1-273-g072dd44b-1       all           WebRTC compatible Selective Forwarding Unit (SFU)
    ii  prosody                0.10.0-1build1            amd64         Lightweight Jabber/XMPP server

Are valid certs in place? Let's Encrypt? TURNS works only if valid certificates with the full chain are used.

I installed with Let's Encrypt certs.

I am trying to use the meet-jit-si-turnrelay.jitsi.net server.

    #org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=false
    org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
    #org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=example.com:4445
    org.jitsi.videobridge.ENABLE_STATISTICS=true
    org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
    org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
    org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.example.com
    org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
    org.jitsi.videobridge.xmpp.user.shard.PASSWORD=12345678
    org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.example.com
    org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=klsdlkjlsfkgjlksgrjlksksdlkhlkslksdfnl

turnserver.conf

    # jitsi-meet coturn config. Do not modify this line
    use-auth-secret
    keep-address-family
    static-auth-secret=1234567890abc
    realm=example.com
    cert=/etc/jitsi/meet/example.com.crt
    pkey=/etc/jitsi/meet/example.com.key
    no-multicast-peers
    no-cli
    no-loopback-peers
    no-tcp-relay
    no-tcp
    listening-port=3478
    tls-listening-port=5349
    external-ip=1.2.3.4
    #no-tlsv1
    #no-tlsv1_1
    # https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
    #cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # jitsi-meet coturn relay disable config. Do not modify this line
    denied-peer-ip=0.0.0.0-0.255.255.255
    denied-peer-ip=10.0.0.0-10.255.255.255
    denied-peer-ip=100.64.0.0-100.127.255.255
    denied-peer-ip=127.0.0.0-127.255.255.255
    denied-peer-ip=169.254.0.0-169.254.255.255
    denied-peer-ip=127.0.0.0-127.255.255.255
    denied-peer-ip=172.16.0.0-172.31.255.255
    denied-peer-ip=192.0.0.0-192.0.0.255
    denied-peer-ip=192.0.2.0-192.0.2.255
    denied-peer-ip=192.88.99.0-192.88.99.255
    denied-peer-ip=192.168.0.0-192.168.255.255
    denied-peer-ip=198.18.0.0-198.19.255.255
    denied-peer-ip=198.51.100.0-198.51.100.255
    denied-peer-ip=203.0.113.0-203.0.113.255
    denied-peer-ip=240.0.0.0-255.255.255.255
    syslog

I am unable to use a local TURN server or meet-jit-si-turnrelay.jitsi.net:443.

So you want to say that JVB cannot discover its address when using meet-jit-si-turnrelay.jitsi.net because of some restricted firewall in front of JVB?

You cannot use your own TURN server in the same network for JVB to discover its addresses; it needs to be a STUN server in a different network.

I am able to discover the external IP, but I cannot relay traffic to 443 when 10000 is blocked.

One problem for me is that I don't understand how the failover from 10000 to 443 works when 10000 is blocked. Does a TURN server relay the traffic? Is it the local coturn server? On this host I can't get the failover to work, and I need to figure out how to troubleshoot that issue.

Yes, TURN relays traffic from its port and address to JVB UDP 10000.

Do you have any suggestions, please, on how to troubleshoot the TURN relay not getting used when port 10000 is blocked?

@Jonathan_Lennox how did you debug the TURN connection? Are there any easy steps to try? Thanks.
@jpkelly I would say run Chrome with debug output for WebRTC and read the output; it is a lot, but you can probably spot something.
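One way to exercise the relay without a browser, as an added example that is not from this thread or from the Jitsi project: the posted turnserver.conf uses `use-auth-secret`, so coturn accepts time-limited credentials derived from `static-auth-secret` (username `expiry-timestamp:userid`, password `base64(HMAC-SHA1(secret, username))`). The script below generates and verifies such a credential, which you can hand to a TURN client (for example `turnutils_uclient` from the coturn package, whose `-u`/`-w` options take the username and password) while watching coturn's syslog output for the allocation. The secret is the one in the posted config; the user id and TTL are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Sample input: the static-auth-secret from the turnserver.conf posted in this thread.
# The user id and TTL defaults below are assumptions for illustration, not thread values.
STATIC_AUTH_SECRET = "1234567890abc"


def make_turn_credential(secret: str, user: str = "jitsi", ttl: int = 86400,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """Build a time-limited TURN credential for coturn's use-auth-secret mode.

    username = "<expiry unix timestamp>:<user id>"
    password = base64(HMAC-SHA1(static-auth-secret, username))
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credential(secret: str, username: str, password: str,
                           now: Optional[int] = None) -> bool:
    """Repeat the check coturn performs on an ALLOCATE request: the expiry encoded
    in the username must not have passed and the password must match the HMAC."""
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if now is None:
        now = int(time.time())
    if expiry < now:
        return False
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    # constant-time comparison, as a server-side check should use
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    user, pw = make_turn_credential(STATIC_AUTH_SECRET)
    print(f"username={user}")
    print(f"password={pw}")
```

If coturn rejects the allocation with these credentials, the secret in turnserver.conf and the one prosody hands to the web client have diverged; if the allocation succeeds but media still does not flow, the problem is on the relay-to-JVB side rather than in authentication.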

Is this a self-hosted instance you’re having the issue with, or meet.jit.si?

If the former I can suggest some configuration tweaks to make it possible to Wireshark the turn connection (changing the turn to be unencrypted) but if you’re connecting to our servers that won’t work.

Self hosted on AWS.

Still having this issue…
When 10000 is blocked, users cannot connect.
Any ideas?

my coturn chronicles


Thank you this looks helpful!

In your chronicles you have

external-ip=public-ip-address/local-ip-address
allowed-peer-ip=local-ip-address

Does this take the following format?

external-ip=1.2.3.4/5.6.7.8
allowed-peer-ip=5.6.7.8

OK, I used that format and it worked.
Thank you so much for this! Great work!
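Why the `allowed-peer-ip` line matters, as an added example that is not from this thread or from the Jitsi project: the "relay disable" section of the posted turnserver.conf denies relaying to every private range, and on AWS the JVB's own address is private, so coturn refuses to relay client media to JVB UDP 10000 unless that one address is exempted. coturn's documented rule is that an address listed as both allowed and denied is allowed. The script below parses only the three directives involved (`external-ip`, `denied-peer-ip`, `allowed-peer-ip`) and applies that rule; it is an illustration, not coturn's parser. The sample config is built from the posted one, and the JVB address `10.0.1.20` is a hypothetical private address standing in for the thread's placeholder `5.6.7.8`.

```python
import ipaddress
from typing import List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample: the peer-ACL lines from the turnserver.conf posted above, in the
# state before the fix (external-ip holds only the public address, no allowed-peer-ip).
CONF_BEFORE = """\
external-ip=1.2.3.4
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
"""

# Hypothetical private address of the JVB/coturn host inside the VPC (an assumption;
# the thread only shows the placeholder 5.6.7.8).
JVB_LOCAL_IP = "10.0.1.20"

# The same config after applying the fix the thread converges on.
CONF_AFTER = (
    CONF_BEFORE.replace("external-ip=1.2.3.4", f"external-ip=1.2.3.4/{JVB_LOCAL_IP}")
    + f"allowed-peer-ip={JVB_LOCAL_IP}\n"
)


def parse_range(text: str) -> IPRange:
    """coturn peer-ip values are either a single address or 'first-last'."""
    lo, _, hi = text.partition("-")
    lo_ip = ipaddress.IPv4Address(lo.strip())
    hi_ip = ipaddress.IPv4Address(hi.strip()) if hi else lo_ip
    if hi_ip < lo_ip:
        raise ValueError(f"inverted range: {text}")
    return lo_ip, hi_ip


def parse_conf(text: str) -> dict:
    """Pull out only the directives this check needs; everything else is ignored."""
    conf = {"external_ip": None, "denied": [], "allowed": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "external-ip":
            # coturn accepts 'public' or 'public/local' for a host behind NAT (e.g. AWS)
            public, _, local = value.partition("/")
            conf["external_ip"] = (public, local or None)
        elif key == "denied-peer-ip":
            conf["denied"].append(parse_range(value))
        elif key == "allowed-peer-ip":
            conf["allowed"].append(parse_range(value))
    return conf


def _in_any(ip: ipaddress.IPv4Address, ranges: List[IPRange]) -> bool:
    return any(lo <= ip <= hi for lo, hi in ranges)


def peer_allowed(conf: dict, peer: str) -> bool:
    """coturn's documented rule: an address listed as both allowed and denied is allowed;
    otherwise it is allowed unless some denied-peer-ip range covers it."""
    ip = ipaddress.IPv4Address(peer)
    if _in_any(ip, conf["allowed"]):
        return True
    return not _in_any(ip, conf["denied"])


def relay_to_jvb_permitted(conf_text: str, jvb_ip: str) -> bool:
    """Would this coturn relay a client's media to the JVB at jvb_ip:10000?"""
    return peer_allowed(parse_conf(conf_text), jvb_ip)


if __name__ == "__main__":
    for label, text in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        ok = relay_to_jvb_permitted(text, JVB_LOCAL_IP)
        print(f"{label}: relay to {JVB_LOCAL_IP}:10000 {'allowed' if ok else 'DENIED'}")
```

Keep the exemption to the single JVB address rather than widening it to the whole VPC range: the denied-peer-ip list is what stops a TURN client from using your relay to reach other internal hosts, and a one-host allowed-peer-ip preserves that while letting media reach the bridge.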

I was debugging a similar problem yesterday, and actually just commenting out the external-ip param made it work. So I removed that param from the default config for new installs.
@emrah @jpkelly
