Installing Jitsi - A bit of explanation required

Hello,

I am currently trying to set up a new Jitsi installation on an Ubuntu 20.04 server. I'm trying to get an as clean as possible installation of Jitsi, which is why I want to avoid looking at the messed-up configuration of the old server. Jitsi has to be available to clients both in the internal network and on the internet; I'd prefer it if both accessed the installation only via the external IP, which is NATed to the DMZ IP.

Why am I mentioning this? Well, our old Jitsi server still received packets from clients via port 10000 on the DMZ IP, and clients should have received packets to the internal IPs, which failed because of firewall rules, but the DNS entry pointed to the external IP. That caused connection issues for the clients, and we couldn't find the reason for that behaviour. (I don't know how to explain that better; I can draw a diagram if it helps someone understand what I want.)

So I followed these installation instructions:

And added this so far:

The only thing I changed is to use Apache2 instead of nginx, but that shouldn't matter too much, or does it?

I opened the following ports on the local firewall and the firewall:
80/tcp - in
443/tcp - in
10000/udp - in
3478/udp - in
5349/tcp - in

Currently working: landing page, no errors in logs.
Current issue: clients can't join a meeting (infinite loading).

I assume the issue is because of the NAT, since everything else seems to work fine: the firewall didn't catch anything, Apache2 doesn't throw any errors, just the usual access logs, and I don't find any errors in the logs.

What exactly do I have to change from the standard installation to get it working?

I can provide configs and nearly empty logs if needed, but I have changed nothing yet outside of the instructions.

Greetings and thank you for helping me

In my opinion, use Nginx at first.

Secondly, test UDP/10000 connectivity from outside and from inside using the public IP.

Found the issue of clients not connecting to meetings; it was a typo when I configured the "only authenticated users can create new conferences" part… happens…

But I ran now into a different issue:
No client receives any audio in a meeting - @emrah that could be something with port 10000 (if I remember right, was that the port for the audio?), but the connection succeeds - tested both locally and from external.

Clients from the local network used UDP port 10000.
Clients from external went for the fallback port. So the firewall is in the clear, and netstat says this about port 10000:
udp 0 0 192.168.1.1:10000 0.0.0.0:*

It doesn't look different compared to the old Jitsi installation.
What could be the reason for external connections using the fallback port?

Additionally, I saw in the firewall logs again the issue of attempts to internal-IP:10000/udp instead of external-IP:10000, which I really want to avoid.

The only place I know of in the Jitsi configuration where the internal IP is configured is in sip-communicator.properties:

org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Local.IP.Address>
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>

as mentioned here:

How can I get local clients to connect to external-IP:10000? (For the HTTPS connection they use the external IP.)

Greetings

How do you test it?

Don't set the harvester lines if you want to communicate through the public IP.

I just let nc do its thing and sent a packet to udp/10000 and watched it through the firewall logs; both firewalls didn't block it and accepted the traffic, so I know that the firewall doesn't block it.

I thought that would fix my issues since the server runs behind NAT, but I recreated the state it was in before I added those lines. So sip-communicator.properties is in the state it was in after the basic installation.

I experimented a bit with the firewall rules:

udp/5000: I saw it was opened on the local firewall of the old Jitsi server.
Adding this caused audio/video to work in the local network. What is port udp/5000 used for?

The documentation states that I should open these ports:

sudo ufw allow 80/tcp - ufw and cluster
sudo ufw allow 443/tcp - ufw and cluster
sudo ufw allow 10000/udp - ufw and cluster
sudo ufw allow 22/tcp 
sudo ufw allow 3478/udp - ufw
sudo ufw allow 5349/tcp - ufw

tcp/4443 is only mentioned in the configuration for NAT?

I added udp/5000 to the local firewall. Am I missing more ports, or are those all that are required?

I keep seeing attempts from the local network to connect via local-IP:10000/udp.

And from external I still got no Audio.

This result is OK only if you receive the transferred packet on the JVB side. Otherwise it means that you have a network/firewall issue.