[ISSUE] How to configure turn server with jvb like meet.jit.si?

Hello,

I am trying to deploy a Jitsi-meet environment like meet.jit.si.

At first it works, but when a participant is behind a firewall that only allows ports 80 and 443, the video and screen-share connections don't work.

I followed the following procedure:

I tried to implement the solution of multiplexing coturn behind nginx, but I couldn't get it to work.

The server works fine except in this context :frowning:

My configuration

/etc/nginx/sites-enabled/jitsi.domain.com.conf


# jitsi-meet web vhost (/etc/nginx/sites-enabled/jitsi.domain.com.conf).
# Port 443 is NOT bound here: it belongs to the stream{} server in
# /etc/nginx/modules-enabled/turnjitsi.conf, which demultiplexes incoming TLS by
# SNI and forwards web traffic to web_backend (127.0.0.1:4444) and TURN traffic
# to coturn (127.0.0.1:5349). This vhost therefore terminates TLS on 4444.
server_names_hash_bucket_size 64;

types {

# nginx's default mime.types doesn't include a mapping for wasm

    application/wasm     wasm;

}

# Plain-HTTP vhost: only serves ACME challenges, everything else is redirected.
server {

    listen 80;

    listen [::]:80;

    server_name jitsi.domain.com;

    location ^~ /.well-known/acme-challenge/ {

        default_type "text/plain";

        root         /usr/share/jitsi-meet;

    }

    # directory listing of the challenge path itself is never served
    location = /.well-known/acme-challenge/ {

        return 404;

    }

    location / {

        return 301 https://$host$request_uri;

    }

}

# HTTPS vhost, reached only through the SNI demux on :443 (see header comment).
server {

    # NOTE(review): 4444 is bound on every address, not only loopback, so if the
    # host firewall allows it this vhost is reachable directly, bypassing the
    # SNI demux. It is still TLS, so the risk is low, but the stream proxy only
    # needs 127.0.0.1:4444 — `listen 127.0.0.1:4444 ssl;` is sufficient.
    listen 4444 ssl;

    listen [::]:4444 ssl;

    server_name jitsi.domain.com;

    # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration

    ssl_protocols TLSv1.2 TLSv1.3;

    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

    ssl_prefer_server_ciphers off;

    ssl_session_timeout 1d;

    ssl_session_cache shared:SSL:10m;  # about 40000 sessions

    ssl_session_tickets off;

    # NOTE(review): add_header is inherited by a location only when that
    # location sets no add_header of its own, so the static-content location
    # below (which adds Access-Control-Allow-Origin) answers WITHOUT HSTS unless
    # this line is repeated there.
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Query-string prefix passed to prosody on /http-bind and /xmpp-websocket;
    # the per-subdomain locations further down overwrite it with the first
    # path segment before their internal rewrite.
    set $prefix "";

    ssl_certificate /etc/letsencrypt/live/jitsi.domain.com/fullchain.pem;

    ssl_certificate_key /etc/letsencrypt/live/jitsi.domain.com/privkey.pem;

    root /usr/share/jitsi-meet;

    # ssi on with javascript for multidomain variables in config.js
    # (config.js contains <!--# echo var="subdomain" --> directives that expand
    # the $subdomain variable set in the per-subdomain locations below)

    ssi on;

    ssi_types application/x-javascript application/javascript;

    index index.html index.htm;

    error_page 404 /static/404.html;

    gzip on;

    gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;

    gzip_vary on;

    gzip_proxied no-cache no-store private expired auth;

    gzip_min_length 512;

    # Main config.js lives outside the web root; .js is application/javascript
    # in the standard mime.types, so it passes through the SSI filter above.
    location = /config.js {

        alias /etc/jitsi/meet/jitsi.domain.com-config.js;

    }

    location = /external_api.js {

        alias /usr/share/jitsi-meet/libs/external_api.min.js;

    }

    # ensure all static content can always be found first
    # (regex locations are tested in the order written, so this must stay ahead
    # of the room-name catch-alls further down; wildcard CORS applies to these
    # asset paths only, not to BOSH/websocket)

    location ~ ^/(libs|css|static|images|fonts|lang|sounds|connection_optimization|.well-known)/(.*)$

    {

        add_header 'Access-Control-Allow-Origin' '*';

        alias /usr/share/jitsi-meet/$1/$2;

        # cache all versioned files

        if ($arg_v) {

            expires 1y;

        }

    }

    # BOSH
    # Prosody listens in plain HTTP on localhost; its consider_bosh_secure
    # setting tells it the TLS hop terminates here.

    location = /http-bind {

        proxy_pass http://127.0.0.1:5280/http-bind?prefix=$prefix&$args;

        proxy_set_header X-Forwarded-For $remote_addr;

        proxy_set_header Host $http_host;

    }

    # xmpp websockets

    location = /xmpp-websocket {

        proxy_pass http://127.0.0.1:5280/xmpp-websocket?prefix=$prefix&$args;

        proxy_http_version 1.1;

        proxy_set_header Upgrade $http_upgrade;

        proxy_set_header Connection "upgrade";

        proxy_set_header Host $http_host;

        tcp_nodelay on;

    }

    # colibri (JVB) websockets for jvb1
    # NOTE(review): "default-id" presumably has to match the bridge's websocket
    # server-id (bridge-side setting, not shown in this thread) — verify.

    location ~ ^/colibri-ws/default-id/(.*) {

        proxy_pass http://127.0.0.1:9090/colibri-ws/default-id/$1$is_args$args;

        proxy_http_version 1.1;

        proxy_set_header Upgrade $http_upgrade;

        proxy_set_header Connection "upgrade";

        tcp_nodelay on;

    }

    # load test minimal client, uncomment when used

    #location ~ ^/_load-test/([^/?&:'"]+)$ {

    #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;

    #}

    #location ~ ^/_load-test/libs/(.*)$ {

    #    add_header 'Access-Control-Allow-Origin' '*';

    #    alias /usr/share/jitsi-meet/load-test/libs/$1;

    #}

    # A single path segment is a room name: serve the file if one exists,
    # otherwise fall through to the SPA root.
    location ~ ^/([^/?&:'"]+)$ {

        try_files $uri @root_path;

    }

    location @root_path {

        rewrite ^/(.*)$ / break;

    }

    # config.js requested under a tenant/subdomain prefix: same file, but
    # $subdomain/$subdir are now set for the SSI echo inside it.
    location ~ ^/([^/?&:'"]+)/config.js$

    {

        set $subdomain "$1.";

        set $subdir "$1/";

        alias /etc/jitsi/meet/jitsi.domain.com-config.js;

    }

    # BOSH for subdomains
    # The rewrite has no flag, so nginx re-runs location matching and lands on
    # the exact /http-bind location above with $prefix already set.

    location ~ ^/([^/?&:'"]+)/http-bind {

        set $subdomain "$1.";

        set $subdir "$1/";

        set $prefix "$1";

        rewrite ^/(.*)$ /http-bind;

    }

    # websockets for subdomains

    location ~ ^/([^/?&:'"]+)/xmpp-websocket {

        set $subdomain "$1.";

        set $subdir "$1/";

        set $prefix "$1";

        rewrite ^/(.*)$ /xmpp-websocket;

    }

    # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /

    location ~ ^/([^/?&:'"]+)/(.*)$ {

        set $subdomain "$1.";

        set $subdir "$1/";

        rewrite ^/([^/?&:'"]+)/(.*)$ /$2;

    }

}

/etc/nginx/modules-enabled/turnjitsi.conf


# TLS demultiplexer for :443 (/etc/nginx/modules-enabled/turnjitsi.conf).
# ssl_preread only peeks at the ClientHello SNI; TLS is NOT terminated here,
# so each backend presents its own certificate (the web vhost on 4444 via
# ssl_certificate, coturn via cert=/pkey= in turnserver.conf). This is how
# turns:turn-jitsi-meet.domain.com:443 reaches coturn's 5349 for clients that
# can only use 80/443.
stream {

    # NOTE(review): no default entry, so a ClientHello whose SNI matches
    # neither name (or that carries no SNI at all) leaves $name empty and the
    # connection is closed by proxy_pass. Intended, but worth knowing when
    # debugging "connection reset" reports.
    map $ssl_preread_server_name $name {

        jitsi.domain.com web_backend;

        turn-jitsi-meet.domain.com turn_backend;

    }

    upstream web_backend {

        server 127.0.0.1:4444;

    }

    # coturn's tls-listening-port
    upstream turn_backend {

        server 127.0.0.1:5349;

    }

    # TCP only: no `udp` parameter on listen, so udp/443 is not served here.
    server {

        listen 443;

        listen [::]:443;

        # since 1.11.5

        ssl_preread on;

        proxy_pass $name;

        # Increase buffer to serve video

        proxy_buffer_size 10m;

    }

}

/etc/turnserver.conf


# jitsi-meet coturn config. Do not modify this line
# Clients reach this server only as turns:…:443 over TCP: the nginx stream
# server routes SNI turn-jitsi-meet.domain.com to 127.0.0.1:5349 below.

keep-address-family

# TURN REST API (time-limited) credentials derived from static-auth-secret;
# prosody's turncredentials_secret / external_service_secret must hold the
# same value.
use-auth-secret

lt-cred-mech

fingerprint

# NOTE(review): this secret has been published in this thread; rotate it here
# AND in the prosody config, otherwise anyone can mint valid relay credentials.
static-auth-secret="dMWQB5EqHYuWXHcx"

no-cli

server-name=turn-jitsi-meet.domain.com

realm=turn-jitsi-meet.domain.com

# Plain STUN/TURN port; with no-udp below only TCP is served on it.
listening-port=3478

cert=/etc/coturn/certs/jitsi.domain.com.fullchain.pem

pkey=/etc/coturn/certs/jitsi.domain.com.privkey.pem

# TLS port that the nginx stream upstream turn_backend forwards to.
tls-listening-port=5349

# duplicate of the fingerprint line above — harmless
fingerprint

#listening-ip=0.0.0.0
# NOTE(review): if the host is behind NAT (public address not on a local
# interface), coturn needs external-ip=<public-ip> so relayed candidates carry
# the public address; the startup log should show it after "relay".

# NOTE(review): disables every UDP listener. Consequently the
# stun:…:5349 entry in config.js, the transport="udp" TURN entries in prosody
# and the STUN mapping harvester address in the JVB properties (all UDP) are
# not answered by this server as configured. TURN relaying over turns/TCP
# is unaffected.
no-udp

no-tlsv1

no-tlsv1_1

log-file=/var/log/turnserver/turnserver.log

# verbose logging records client addresses; fine for debugging, noisy in prod
verbose

# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4

cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

# jitsi-meet coturn relay disable config. Do not modify this line
# Relay peers in private/reserved ranges are refused so the relay cannot be
# used to reach the host's internal network. The JVB media candidate is on the
# public address (…:10000/udp per the jvb log), which these ranges do not
# cover, so they are not what blocks the relay leg.

denied-peer-ip=0.0.0.0-0.255.255.255

denied-peer-ip=10.0.0.0-10.255.255.255

denied-peer-ip=100.64.0.0-100.127.255.255

denied-peer-ip=127.0.0.0-127.255.255.255

denied-peer-ip=169.254.0.0-169.254.255.255

# duplicate of the 127.0.0.0/8 entry above — harmless
denied-peer-ip=127.0.0.0-127.255.255.255

denied-peer-ip=172.16.0.0-172.31.255.255

denied-peer-ip=192.0.0.0-192.0.0.255

denied-peer-ip=192.0.2.0-192.0.2.255

denied-peer-ip=192.88.99.0-192.88.99.255

denied-peer-ip=192.168.0.0-192.168.255.255

denied-peer-ip=198.18.0.0-198.19.255.255

denied-peer-ip=198.51.100.0-198.51.100.255

denied-peer-ip=203.0.113.0-203.0.113.255

denied-peer-ip=240.0.0.0-255.255.255.255

denied-peer-ip=::1

denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff

denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255

denied-peer-ip=100::-100::ffff:ffff:ffff:ffff

denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff

denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff

denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff

/etc/prosody/conf.d/jitsi.domain.com.cfg.lua


-- Prosody config for the jitsi-meet deployment
-- (/etc/prosody/conf.d/jitsi.domain.com.cfg.lua).
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper

muc_mapper_domain_base = "jitsi.domain.com";

-- Shared secret for TURN REST credentials; must equal static-auth-secret in
-- /etc/turnserver.conf. NOTE(review): this value was posted publicly in this
-- thread — rotate it in both files.
external_service_secret = "dMWQB5EqHYuWXHcx";

-- Services advertised by mod_external_services (XEP-0215). NOTE(review): that
-- module is commented out in both VirtualHosts below, so this table is unused
-- as configured; the legacy turncredentials table further down is what
-- clients actually receive.
external_services = {

     { type = "stun", host = "turn-jitsi-meet.domain.com", port = 443 },

     -- TURN over UDP on 443: nothing listens for udp/443 (the nginx stream
     -- server is TCP-only and coturn has no-udp), so clients can only fail
     -- over to the turns entry.
     { type = "turn", host = "turn-jitsi-meet.domain.com", port = 443, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },

     -- The working path: TLS on 443 -> nginx SNI demux -> coturn 5349.
     { type = "turns", host = "turn-jitsi-meet.domain.com", port = 443, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }

};

-- Legacy mod_turncredentials settings (the module enabled below); same
-- secret/port/ttl as the table above, and the same rotation note applies.
turncredentials_secret = "dMWQB5EqHYuWXHcx";

turncredentials_port = 443;

turncredentials_ttl = 86400;

turncredentials = {

     { type = "stun", host = "turn-jitsi-meet.domain.com" },

     -- no transport given, i.e. UDP: see the note on the udp entry above
     { type = "turn", host = "turn-jitsi-meet.domain.com", port = 443},

     { type = "turns", host = "turn-jitsi-meet.domain.com", port = 443, transport = "tcp" }

};

cross_domain_bosh = false;

-- BOSH arrives in plain HTTP from nginx on localhost; this tells prosody the
-- TLS hop is trusted.
consider_bosh_secure = true;

-- https_ports = { }; -- Remove this line to prevent listening on port 5284

-- https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4

ssl = {

    protocol = "tlsv1_2+";

    ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

}

-- Internal service accounts exempt from rate limits (presumably consumed by
-- the limits_exception module enabled on auth.jitsi.domain.com below).
unlimited_jids = {

    "focus@auth.jitsi.domain.com",

    "jvb@auth.jitsi.domain.com"

}

-- Main (secure-domain) host: users must authenticate; anonymous guests use
-- guest.jitsi.domain.com, which config.js names as anonymousdomain.
VirtualHost "jitsi.domain.com"

    -- enabled = false -- Remove this line to enable this host

    -- NOTE(review): internal_plain stores account passwords in cleartext in
    -- prosody's data store; internal_hashed (already used on the auth host
    -- below) stores salted hashes instead.
    authentication = "internal_plain"

    -- Properties below are modified by jitsi-meet-tokens package config

    -- and authentication above is switched to "token"

    --app_id="example_app_id"

    --app_secret="example_app_secret"

    -- Assign this host a certificate for TLS, otherwise it would use the one

    -- set in the global section (if any).

    -- Note that old-style SSL on port 5223 only supports one certificate, and will always

    -- use the global one.

    ssl = {

        key = "/etc/prosody/certs/jitsi.domain.com.key";

        certificate = "/etc/prosody/certs/jitsi.domain.com.crt";

    }

    av_moderation_component = "avmoderation.jitsi.domain.com"

    speakerstats_component = "speakerstats.jitsi.domain.com"

    conference_duration_component = "conferenceduration.jitsi.domain.com"

    -- we need bosh

    modules_enabled = {

        "bosh";

        "pubsub";

        "ping"; -- Enable mod_ping

        "speakerstats";

       -- "external_services";

        "conference_duration";

        "muc_lobby_rooms";

        "muc_breakout_rooms";

        "av_moderation";

        "turncredentials"; -- hands out the TURN credentials configured above

    }

    -- Plain c2s allowed: browsers only reach prosody through the nginx TLS
    -- hop (BOSH/websocket proxied to 127.0.0.1:5280).
    c2s_require_encryption = false

    lobby_muc = "lobby.jitsi.domain.com"

    breakout_rooms_muc = "breakout.jitsi.domain.com"

    main_muc = "conference.jitsi.domain.com"

    -- muc_lobby_whitelist = { "recorder.jitsi.domain.com" } -- Here we can whitelist jibri to enter lobby enabled rooms

-- Main conference MUC; room creation restricted to admins (focus), i.e.
-- jicofo creates rooms on behalf of users.
Component "conference.jitsi.domain.com" "muc"

    restrict_room_creation = true

    storage = "memory"

    modules_enabled = {

        "muc_meeting_id";

        "muc_domain_mapper";

        "polls";

        --"token_verification";

        "muc_rate_limit";

    }

    admins = { "focus@auth.jitsi.domain.com" }

    muc_room_locking = false

    muc_room_default_public_jids = true

Component "breakout.jitsi.domain.com" "muc"

    restrict_room_creation = true

    storage = "memory"

    modules_enabled = {

        "muc_meeting_id";

        "muc_domain_mapper";

        --"token_verification";

        "muc_rate_limit";

    }

    admins = { "focus@auth.jitsi.domain.com" }

    muc_room_locking = false

    muc_room_default_public_jids = true

-- internal muc component
-- (brewery MUC where the bridge announces itself to jicofo; matches MUC_JIDS
-- in the JVB properties)

Component "internal.auth.jitsi.domain.com" "muc"

    storage = "memory"

    modules_enabled = {

        "ping";

    }

    admins = { "focus@auth.jitsi.domain.com", "jvb@auth.jitsi.domain.com" }

    muc_room_locking = false

    muc_room_default_public_jids = true

-- Host for the internal service accounts (focus, jvb).
VirtualHost "auth.jitsi.domain.com"

    ssl = {

        key = "/etc/prosody/certs/auth.jitsi.domain.com.key";

        certificate = "/etc/prosody/certs/auth.jitsi.domain.com.crt";

    }

    modules_enabled = {

        "limits_exception";

    }

    authentication = "internal_hashed"

-- Proxy to jicofo's user JID, so that it doesn't have to register as a component.

Component "focus.jitsi.domain.com" "client_proxy"

    target_address = "focus@auth.jitsi.domain.com"

Component "speakerstats.jitsi.domain.com" "speakerstats_component"

    muc_component = "conference.jitsi.domain.com"

Component "conferenceduration.jitsi.domain.com" "conference_duration_component"

    muc_component = "conference.jitsi.domain.com"

Component "avmoderation.jitsi.domain.com" "av_moderation_component"

    muc_component = "conference.jitsi.domain.com"

Component "lobby.jitsi.domain.com" "muc"

    storage = "memory"

    restrict_room_creation = true

    muc_room_locking = false

    muc_room_default_public_jids = true

    modules_enabled = {

        "muc_rate_limit";

        "polls";

    }

-- Anonymous guest host referenced as anonymousdomain in config.js.
-- NOTE(review): the module list below duplicates the main host's; a later
-- reply in this thread recommends dropping it here.
VirtualHost "guest.jitsi.domain.com"

    authentication = "anonymous"

    modules_enabled = {

        "bosh";

        "pubsub";

        "ping"; -- Enable mod_ping

        "speakerstats";

     --   "external_services";

        "conference_duration";

        "muc_lobby_rooms";

        "muc_breakout_rooms";

        "av_moderation";

        "turncredentials";

    }

    c2s_require_encryption = false

/etc/jitsi/videobridge/sip-communicator.properties


# JVB ICE and XMPP settings (/etc/jitsi/videobridge/sip-communicator.properties).
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true

# NOTE(review): the STUN mapping harvester sends STUN Binding requests over
# UDP, but 5349 is coturn's TLS/TCP port and turnserver.conf has no-udp, so
# no mapping can be learned from this address. The jvb log shows the public
# address as a "host" candidate (…:10000/udp/host), which suggests the public
# IP is on a local interface and this line is simply unused; if the bridge is
# in fact behind NAT, use org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS /
# org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS instead.
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=turn-jitsi-meet.domain.com:5349

org.jitsi.videobridge.ENABLE_STATISTICS=true

org.jitsi.videobridge.STATISTICS_TRANSPORT=muc

# XMPP account on the auth host (prosody: VirtualHost "auth.jitsi.domain.com")
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost

org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.jitsi.domain.com

org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb

# NOTE(review): this password was posted publicly in this thread; reset the
# jvb@auth.jitsi.domain.com account in prosody and update it here.
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=oHB6mEw0

# brewery MUC where the bridge announces itself (prosody: internal.auth.… component)
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.jitsi.domain.com

org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=1978931c-8a3b-45f6-80ca-928370754877

# No ICE-TCP on the bridge: clients that cannot reach 10000/udp depend entirely
# on the TURN relay (turns over 443) to get media to the bridge.
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true

org.ice4j.ipv6.DISABLED=true

My error in jvb logfile


JVB 2022-02-18 15:45:40.502 WARNING: [65] [confId=bfd670a7d719421f gid=53658 stats_id=Ken-i8S conf_name=static2@conference.jitsi.domain.com ufrag=66mou1fs6o592v epId=5057ea3d local_ufrag=66mou1fs6o592v] ConnectivityCheckClient.startCheckForPair#374: Failed to send BINDING-REQUEST(0x1)[attrib.count=6 len=92 tranID=0x95A6820D7F01A9EE031153B6]

java.lang.IllegalArgumentException: No socket found for __IP_PUBLIC__:10000/udp->172.20.131.6:55307/udp

        at org.ice4j.stack.NetAccessManager.sendMessage(NetAccessManager.java:631)

        at org.ice4j.stack.NetAccessManager.sendMessage(NetAccessManager.java:581)

        at org.ice4j.stack.StunClientTransaction.sendRequest0(StunClientTransaction.java:267)

        at org.ice4j.stack.StunClientTransaction.sendRequest(StunClientTransaction.java:245)

        at org.ice4j.stack.StunStack.sendRequest(StunStack.java:680)

        at org.ice4j.ice.ConnectivityCheckClient.startCheckForPair(ConnectivityCheckClient.java:335)

        at org.ice4j.ice.ConnectivityCheckClient.startCheckForPair(ConnectivityCheckClient.java:231)

        at org.ice4j.ice.ConnectivityCheckClient$PaceMaker.run(ConnectivityCheckClient.java:938)

        at org.ice4j.util.PeriodicRunnable.executeRun(PeriodicRunnable.java:206)

        at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)

        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)

        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)

        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)

        at java.base/java.lang.Thread.run(Thread.java:833)

JVB 2022-02-18 15:45:40.502 INFO: [65] [confId=bfd670a7d719421f gid=53658 stats_id=Ken-i8S conf_name=static2@conference.jitsi.domain.com ufrag=66mou1fs6o592v epId=5057ea3d local_ufrag=66mou1fs6o592v] ConnectivityCheckClient$PaceMaker.run#942: Pair failed: __IP_PUBLIC__:10000/udp/host -> 172.20.131.6:55307/udp/host (stream-5057ea3d.RTP)

JVB 2022-02-18 15:45:45.952 INFO: [26] HealthChecker.run#171: Performed a successful health check in PT0.000009713S. Sticky failure: false

If I try a connection with 3 participants, 2 of them on a normal network, everything works for those 2, but for the last one, behind a more restrictive firewall with a proxy, there is no video or screen share.

If I try the same test with the meet.jit.si environment, everything works.

Could you help me debug my configuration, please?

Thank you

Are you using a valid certificate for the turnserver?

Thank you for your quick response.
I deployed coturn with the jitsi-meet installer.
I test the certificate with this command:

openssl s_client -connect turn-jitsi-meet.domain.com:443

Where “domain” replace my real domain.
Everything is ok with the certificate and I have no errors in the coturn log.
Thank you.

Does your coturn have network access to the jvb public address on udp 10000?
You can experiment and temporarily comment out (disable) the peer configs to see whether that changes anything.

All services are in the same server, jicofo, jitsivideobridge, coturn and prosody.
I try with this command:

nc -z -v -u __IP_PUBLIC__ 10000
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Connected to __IP_PUBLIC__:10000.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.02 seconds.

It’s ok.
When you say disable peer configs, you spoke about p2p section in jitsi-meet configuration?

That just sends a packet, that doesn’t check it is received.
I’m talking about coturn config.

How to disable peer configs in coturn config please?

Comment all lines denied-peer-ip

I disabled these lines but there is no change.
I have the same error in jvb.log:

JVB 2022-02-20 11:13:21.885 WARNING: [73] [confId=c7ffeb46bfbde129 gid=20238 stats_id=Darryl-rSg conf_name=testnico@conference.jitsi.domain.com ufrag=c4ccf1fsbdc3b1 epId=634aee1f local_ufrag=c4ccf1fsbdc3b1] ConnectivityCheckClient.startCheckForPair#374: Failed to send BINDING-REQUEST(0x1)[attrib.count=6 len=92 tranID=0xDD0FD6167F01401C5C389072]
java.lang.IllegalArgumentException: No socket found for ___IP_PUBLIC___:10000/udp->172.20.162.83:62109/udp
       at org.ice4j.stack.NetAccessManager.sendMessage(NetAccessManager.java:631)
       at org.ice4j.stack.NetAccessManager.sendMessage(NetAccessManager.java:581)
       at org.ice4j.stack.StunClientTransaction.sendRequest0(StunClientTransaction.java:267)
       at org.ice4j.stack.StunClientTransaction.sendRequest(StunClientTransaction.java:245)
       at org.ice4j.stack.StunStack.sendRequest(StunStack.java:680)
       at org.ice4j.ice.ConnectivityCheckClient.startCheckForPair(ConnectivityCheckClient.java:335)
       at org.ice4j.ice.ConnectivityCheckClient.startCheckForPair(ConnectivityCheckClient.java:231)
       at org.ice4j.ice.ConnectivityCheckClient$PaceMaker.run(ConnectivityCheckClient.java:938)
       at org.ice4j.util.PeriodicRunnable.executeRun(PeriodicRunnable.java:206)
       at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:539)
       at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
       at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
       at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
       at java.base/java.lang.Thread.run(Thread.java:833)

I forgot to send my jitsi meet config, you can find this below:

/etc/jitsi/meet/jitsi.domain.com-config.js

// /etc/jitsi/meet/jitsi.domain.com-config.js — served by nginx via
// `location = /config.js` with SSI enabled, which is what expands the
// <!--# echo var="subdomain" --> directive in hosts.muc below.
var config = {

   hosts: {
       domain: 'jitsi.domain.com',

        // secure-domain setup: guests land on the anonymous prosody host
        anonymousdomain: 'guest.jitsi.domain.com',

       muc: 'conference.<!--# echo var="subdomain" default="" -->jitsi.domain.com'
   },

   testing: {

   },

   flags: {
   },

   enableNoAudioDetection: true,

   enableNoisyMicDetection: true,

   startWithVideoMuted: true,

   channelLastN: -1,

   requireDisplayName: true,

   enableWelcomePage: false,



    enableClosePage: true,

   prejoinConfig: {
        enabled: true,
    },

   p2p: {
       enabled: true,
       useStunTurn: true,
       useTurnUdp: false,

        preferH264: true,

       // NOTE(review): a stun: URL is STUN over UDP, but 5349 is coturn's
       // TLS/TCP port and turnserver.conf has no-udp, so this server never
       // answers it as configured. The TURN servers handed out by prosody
       // (turncredentials) are separate from this list.
       stunServers: [

           { urls: 'stun:turn-jitsi-meet.domain.com:5349' }
       ]
   },
// top-level (non-p2p) copies of the two flags above; written at column 0
// but still inside the config object
useStunTurn: true,
useTurnUdp: false,
   analytics: {

   },

   deploymentInfo: {
   },

   mouseMoveCallbackInterval: 1000,

   makeJsonParserHappy: 'even if last key had a trailing comma'

};

I removed the comment lines.
Thank you again for your help.

As has been said, this does NOT test that the connection actually works.
To do so, first stop the bridge (sudo systemctl stop jitsi-videobridge2), then with 2 open (ssh) sessions on your server, on the first use:

nc -l 10000 -u

and on the second session, use:

echo "123" | nc -u  your.public.IP 10000

You should see '123' displayed in the first session.
If not, your TURN setup can't work as it is.

@gpatel-fr I tried your test.
I received “123” in the first session, so the running server looks OK.

then restart your bridge then your coturn, and look at the coturn log file for lines such as
0: Wait for relay ports initialization…
0: relay …
Is the value shown after the word ‘relay’ your public IP address? Does coturn say that initialization is done? If yes, are there any error messages following?
Looking back at your config, I could not tell whether there was a NAT or not. If there is, there should be an external-ip instruction in your turnserver.conf.

Anyway, I find your prosody config file a bit disturbing. You should not have modules loaded in the guest domain. I know it’s not supposed to harm, but with Prosody I prefer to not have extraneous stuff you never know what it could do. I have not checked it extensively but I wonder what else could be found in it.

I have cleaned my guest configuration by removing the enabled-modules section. Thank you.
I restarted the coturn service and I now have my public IP address in the relay line, so it’s OK.
See the log below:

0: : log file opened: /var/log/turnserver/turnserver_2022-02-20.log
0: :
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Coturn-4.5.2 'dan Eider'
0: :
Max number of open files/sockets allowed for this process: 524288
0: :
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 262000 (approximately)
0: :

==== Show him the instruments, Practical Frost: ====

0: : TLS supported
0: : DTLS supported
0: : DTLS 1.2 supported
0: : TURN/STUN ALPN supported
0: : Third-party authorization (oAuth) supported
0: : GCM (AEAD) supported
0: : OpenSSL compile-time version: OpenSSL 1.1.1k  25 Mar 2021 (0x101010bf)
0: :
0: : SQLite supported, default database location is /var/lib/turn/turndb
0: : Redis supported
0: : PostgreSQL supported
0: : MySQL supported
0: : MongoDB is not supported
0: :
0: : Default Net Engine version: 3 (UDP thread per CPU core)

=====================================================

0: : Domain name:
0: : Default realm: turn-jitsi-meet.domain.com
0: :
CONFIGURATION ALERT: You specified --lt-cred-mech and --use-auth-secret in the same time.
Be aware that you could not mix the username/password and the shared secret based auth methods.
Shared secret overrides username/password based auth method. Check your configuration!
0: : SSL23: Certificate file found: /etc/coturn/certs/jitsi.domain.com.fullchain.pem
0: : SSL23: Private key file found: /etc/coturn/certs/jitsi.domain.com.privkey.pem
0: : TLS1.2: Certificate file found: /etc/coturn/certs/jitsi.domain.com.fullchain.pem
0: : TLS1.2: Private key file found: /etc/coturn/certs/jitsi.domain.com.privkey.pem
0: : TLS cipher suite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
0: : DTLS: Certificate file found: /etc/coturn/certs/jitsi.domain.com.fullchain.pem
0: : DTLS: Private key file found: /etc/coturn/certs/jitsi.domain.com.privkey.pem
0: : DTLS1.2: Certificate file found: /etc/coturn/certs/jitsi.domain.com.fullchain.pem
0: : DTLS1.2: Private key file found: /etc/coturn/certs/jitsi.domain.com.privkey.pem
0: : DTLS cipher suite: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
0: : NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
0: : ===========Discovering listener addresses: =========
0: : Listener address to use: 127.0.0.1
0: : Listener address to use: __IP_PUBLIC___
0: : Listener address to use: ::1
0: : Listener address to use: __IPV6___RELAY__
0: : =====================================================
0: : Total: 2 'real' addresses discovered
0: : =====================================================
0: : NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
0: : ===========Discovering relay addresses: =============
0: : Relay address to use: __IP_PUBLIC___
0: : Relay address to use: __IPV6___RELAY__
0: : =====================================================
0: : Total: 2 relay addresses discovered
0: : =====================================================
0: : IO method (main listener thread): epoll (with changelist)
0: : Wait for relay ports initialization...
0: :   relay __IP_PUBLIC___ initialization...
0: :   relay __IP_PUBLIC___ initialization done
0: :   relay __IPV6___RELAY__ initialization...
0: :   relay __IPV6___RELAY__ initialization done
0: : Relay ports initialization done
0: : IO method (general relay thread): epoll (with changelist)
0: : IO method (general relay thread): epoll (with changelist)
0: : turn server id=0 created
0: : turn server id=1 created
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:3478
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:3478
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:3478
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:3478
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:3479
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:3479
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:3479
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:5349
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:5349
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:5350
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:5350
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:3478
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:3478
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:3479
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:3479
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:5349
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:5349
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:5350
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:5350
0: : IPv6. TLS/SCTP listener opened on : ::1:3478
0: : IPv6. TLS/TCP listener opened on : ::1:3478
0: : IPv6. TLS/SCTP listener opened on : ::1:3479
0: : IPv6. TLS/TCP listener opened on : ::1:3479
0: : IPv6. TLS/SCTP listener opened on : ::1:5349
0: : IPv6. TLS/TCP listener opened on : ::1:5349
0: : IPv6. TLS/SCTP listener opened on : ::1:5350
0: : IPv6. TLS/TCP listener opened on : ::1:5350
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:3478
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:3478
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:3479
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:3479
0: : IO method (general relay thread): epoll (with changelist)
0: : IO method (general relay thread): epoll (with changelist)
0: : turn server id=3 created
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:5349
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:3478
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:5349
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:3478
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:5350
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:3479
0: : turn server id=2 created
0: : IPv4. DTLS listener opened on: 127.0.0.1:5349
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:5350
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:3479
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:3479
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:5349
0: : IPv4. DTLS listener opened on: 127.0.0.1:5350
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:5349
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:5349
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:3478
0: : IPv4. DTLS listener opened on: __IP_PUBLIC___:5349
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:3478
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:5349
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:3479
0: : IPv4. DTLS listener opened on: __IP_PUBLIC___:5350
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:5350
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:5350
0: : IPv6. DTLS listener opened on: ::1:5349
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:5350
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:5350
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:3478
0: : IPv6. DTLS listener opened on: ::1:5350
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:3478
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:3478
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:3479
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:3478
0: : IPv6. DTLS listener opened on: __IPV6___RELAY__:5349
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:5349
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:5349
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:3479
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:3479
0: : IPv6. DTLS listener opened on: __IPV6___RELAY__:5350
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:3479
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:3479
0: : Total General servers: 4
0: : IPv4. TLS/SCTP listener opened on : 127.0.0.1:5350
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:5349
0: : IPv4. TLS/TCP listener opened on : 127.0.0.1:5350
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:5349
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:3478
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:5350
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:3478
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:5350
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:5349
0: : SQLite DB connection success: /var/lib/turn/turndb
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:3479
0: : IPv6. TLS/SCTP listener opened on : ::1:3478
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:3479
0: : IPv6. TLS/TCP listener opened on : ::1:3478
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:5349
0: : IPv6. TLS/SCTP listener opened on : ::1:3479
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:5349
0: : IPv6. TLS/TCP listener opened on : ::1:3479
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:5349
0: : IPv6. TLS/SCTP listener opened on : ::1:5349
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:5350
0: : IPv6. TLS/TCP listener opened on : ::1:5349
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:5350
0: : IPv6. TLS/SCTP listener opened on : ::1:5350
0: : IPv6. TLS/SCTP listener opened on : ::1:3478
0: : IPv6. TLS/TCP listener opened on : ::1:5350
0: : IO method (auth thread): epoll (with changelist)
0: : IO method (auth thread): epoll (with changelist)
0: : IPv4. TLS/SCTP listener opened on : __IP_PUBLIC___:5350
0: : IPv4. TLS/TCP listener opened on : __IP_PUBLIC___:5350
0: : IPv6. TLS/SCTP listener opened on : ::1:3478
0: : IPv6. TLS/TCP listener opened on : ::1:3478
0: : IPv6. TLS/SCTP listener opened on : ::1:3479
0: : IPv6. TLS/TCP listener opened on : ::1:3479
0: : IPv6. TLS/SCTP listener opened on : ::1:5349
0: : IPv6. TLS/TCP listener opened on : ::1:5349
0: : IPv6. TLS/SCTP listener opened on : ::1:5350
0: : IPv6. TLS/TCP listener opened on : ::1:5350
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:3478
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:3478
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:3479
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:3479
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:5349
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:5349
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:5350
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:5350
0: : IPv6. TLS/TCP listener opened on : ::1:3478
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:3478
0: : IPv6. TLS/SCTP listener opened on : ::1:3479
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:3478
0: : IPv6. TLS/TCP listener opened on : ::1:3479
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:3479
0: : IPv6. TLS/SCTP listener opened on : ::1:5349
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:3479
0: : IPv6. TLS/TCP listener opened on : ::1:5349
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:5349
0: : IPv6. TLS/SCTP listener opened on : ::1:5350
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:5349
0: : IPv6. TLS/TCP listener opened on : ::1:5350
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:5350
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:3478
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:5350
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:3478
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:3479
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:3479
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:5349
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:5349
0: : IPv6. TLS/SCTP listener opened on : __IPV6___RELAY__:5350
0: : IPv6. TLS/TCP listener opened on : __IPV6___RELAY__:5350
0: : IO method (admin thread): epoll (with changelist)

My server isn’t behind a firewall; it’s directly exposed.
I checked the meet.jit.si environment once again, where I don’t have a problem, and there I see a “(stun)” tag after the public IP address.
I don’t get this information when I try with my server and my configuration.

Apart from the obvious (remove lt-cred-mech), I don’t see anything really startling in your log. I hope you took care to use the proper name on your certificate, right? I was expecting you to retry a meeting before posting the log to this forum; that’s what I had in mind when I was writing about ‘errors’.

This is an extract of the coturn log:
157: : session 001000000000000002: TLS/TCP socket disconnected: 127.0.0.1:36506
157: : session 001000000000000002: usage: realm=<turn-jitsi-meet.domain.com>, username=<>, rp=0, rb=0, sp=0, sb=0
157: : session 001000000000000002: peer usage: realm=<turn-jitsi-meet.domain.com>, username=<>, rp=0, rb=0, sp=0, sb=0
157: : session 001000000000000002: closed (2nd stage), user <> realm <turn-jitsi-meet.domain.com> origin <>, local 127.0.0.1:5349, remote 127.0.0.1:36506, reason: TLS/TCP socket buffer operation error (callback)
157: : session 003000000000000002: TLS/TCP socket disconnected: 127.0.0.1:36508
157: : session 003000000000000002: usage: realm=<turn-jitsi-meet.domain.com>, username=<>, rp=0, rb=0, sp=0, sb=0
157: : session 003000000000000002: peer usage: realm=<turn-jitsi-meet.domain.com>, username=<>, rp=0, rb=0, sp=0, sb=0
157: : session 003000000000000002: closed (2nd stage), user <> realm <turn-jitsi-meet.domain.com> origin <>, local 127.0.0.1:5349, remote 127.0.0.1:36508, reason: TLS/TCP socket buffer operation error (callback)
157: : session 002000000000000002: TLS/TCP socket disconnected: 127.0.0.1:36510
157: : session 002000000000000002: usage: realm=<turn-jitsi-meet.domain.com>, username=<>, rp=0, rb=0, sp=0, sb=0
157: : session 002000000000000002: peer usage: realm=<turn-jitsi-meet.domain.com>, username=<>, rp=0, rb=0, sp=0, sb=0
157: : session 002000000000000002: closed (2nd stage), user <> realm <turn-jitsi-meet.domain.com> origin <>, local 127.0.0.1:5349, remote 127.0.0.1:36510, reason: TLS/TCP socket buffer operation error (callback)

try
allow-loopback-peers=false
in the coturn config file (and remove lt-cred-mech too, of course) and try again to see if the behaviour changes.

I reinstalled the whole coturn service.
When I block only UDP port 10000 on a computer where everything worked before, it works and the statistics show “turn”, but the dialogue is with the local IP address.
On meet.jit.si:
Capture d’écran 2022-02-19 103154
On my server:
2022-02-20 23_02_39-Window
How do I modify my configuration so that it behaves like the meet.jit.si environment?

It’s strange: your screenshot of meet.jit.si doesn’t look like what I see on my system. The region is missing.
Anyway, I think that the local address is because of your particular setup with the nginx proxy. On meet.jit.si, the turn servers are probably distinct servers accessed directly, and that’s why they are shown with a proper public IP address. If it works, I don’t see why this is a concern for you.

I agree with you. I tried changing the turnserver IP address in the nginx module and now I see my public IP address, so it’s OK.
I don’t know why the turnserver works with a more restricted computer on meet.jit.si and not on my server. :frowning:
I am trying to find the cause with your help.

I found this warning in jvb.log:

JVB 2022-02-20 23:13:45.176 WARNING: [59] [confId=9a2be38839ae1025 epId=ac6b63cb gid=39623 stats_id=America-ZPB conf_name=testadmtest19@conference.jitsi.domain.com] EndpointMessageTransport.endpointMessage#598: Unable to find endpoint to send EndpointMessage to: 83f3329b

The ID "83f3329b" is that of the participant with the more restricted computer.
I don't know why JVB doesn't send the message to this participant.