Jitsi Meet behind NAT

Hello Guys

First of all: Thanks for that cool project! It looks very promising and due to the current situation with everyone being at home it could be quite a solution.
I have successfully set up Jitsi Meet in a VM on my VMware ESXi. I only have one Internet-facing IPv4 address, so I am running it behind an nginx reverse proxy. That said, jitsi currently works for two users in the same network like a charm!
But a third one cannot connect (“Encounters Connection Issues” and can’t see nor stream video). Furthermore, two parties can only connect when they are in the same network.

My Configuration looks as follows:
10.X.X.123: jitsi
10.X.X.6: nginx reverse
10.X.X.1: Gateway

Port forwarding from Gateway to jitsi:
4443
10000

Port forwarding from Gateway to nginx reverse:
443

/etc/jitsi/videobridge/sip-communicator.properties :
org.jitsi.videobridge.AUTHORIZED_SOURCE_REGEXP=focus@auth.meet.fqdn.com/.*

/etc/jitsi/meet/meet.fqdn.com-config.js:
default from installation…

What am I missing or doing wrong?
Thanks for any help!

PS: fqdn.com is my redacted domain…

Bump. I am willing to help others with the installation, once I have solved mine… I know it’s a bit of a more complex solution, but I also know that I must have been missing something small…
Thank you for any help! :slight_smile:

Hello
While I’m also a beginner, some help from a beginner could possibly be better than no help at all :slight_smile:
I’m using a somewhat peculiar setup and I’m not quite sure it works fully. At least I can use it with 2 people on different networks. I have never used it with more than 2 persons but that’s because I’m waiting for testing with 3 terminals before trying it for real and I can’t find an additional webcam in my town for love or money just now :slight_smile:
Anyway, here it is:
I have set up jitsi in a LXD container in a normal way, that is with standard options, without installing apache or nginx first. That means it’s jetty that is doing the job.
The idea is that nginx on the host is not doing any real work, it’s just a proxy (the host nginx is doing other stuff). So while there is only one physical computer, the nginx proxy and the jitsi install are on 2 different logical hosts.
My idea was to disable TLS on jetty and do it on nginx. It seems to work but I am not sure it will be stable. I’m still testing all this.
in sip-communicator.properties
org.jitsi.videobridge.rest.jetty.port=9090
org.jitsi.videobridge.rest.jetty.tls.port=-1
org.jitsi.videobridge.TCP_HARVESTER_PORT=443
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.1.0.44
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=myipaddress
I don’t know what the TCP_HARVESTER_PORT is really doing.
in nginx I have a whole bunch of stuff that I’m not sure is really used in fact but I’m afraid to touch :slight_smile:
the only thing that I’m sure is used is
location / {
    proxy_pass //jitsi:9090;
}
with ‘jitsi’ representing the IP address of the jitsi container for my host (10.1.0.44 in my example)

in the jitsi site I have added these incantations:
# BOSH
location = /http-bind {
    proxy_pass              //jitsi:5280/http-bind;
    proxy_set_header        X-Forwarded-For $remote_addr;
    proxy_set_header        Host $http_host;
}

# xmpp websockets
location /xmpp-websocket {
    proxy_pass              //jitsi:5280/xmpp-websocket;
    proxy_http_version      1.1;
    proxy_set_header        Upgrade $http_upgrade;
    proxy_set_header        Connection "upgrade";
    proxy_set_header        Host $host;
    tcp_nodelay             on;
}

I don’t know if these are really used (note that the links are mangled because the darn forum software brays that as a new user I can’t post so many links)

As for ports, the only port of my host that is translated to my container is 10000 (a NAT rule). Port 443 is the standard https port of my host and 4443 is not used at all (as I understand it, it’s a port used when you want to access jitsi separately from an existing web server, something I did not want; I wanted to have only one web server, that is, if my main site is example.com, the jitsi container is meet.example.com)

I intend to write a tutorial myself as I have not yet found someone using jitsi in a LXD container, I just would like another webcam to confirm that it works with 3 users - I have set up
/etc/jitsi/meet/meet.example.com-config.js
to invalidate p2p and it seems to work anyway so I hope it will work with 3.

Hope it will get you further.

@gpatel-fr : Thank you very much for all your help!

It was very easy:
After having set the NAT options in sip-communicator.properties:
org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=10.1.0.44
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=myipaddress

I had to restart jitsi-videobridge AND jicofo (!!!)
That was it :slight_smile:

Now I have one further problem: My IPv4 address isn’t static, therefore I would like to use my domain name as PUBLIC_ADDRESS. Any idea on how to do this?

In case it helps others, here’s the relevant section in the jitsi documentation:

@Neil_Brown : Thank you for referring to the right document.
But I couldn’t find anything about using a domain name instead of an IP for the NAT Harvester…

I couldn’t find anything about using a domain name instead of an IP for the NAT Harvester

As far as I know, it’s not possible.

What you need is to monitor the current IP address of your system and, when it changes, update the sip-communicator.properties file and restart the services. I have absolutely no idea on how to do that (I have never used a dynamic IP address myself). All I know is that there are hosts on the Internet that can give you your current IP address, so you get it in a script with something along the lines of
myip=$(curl checkip4.dns.lightningwirelabs.com | cut -f 2 -d:)
After that the rest is up to you :slight_smile:
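
The monitor, update and restart loop suggested in the reply above, written out as an added example (it is not part of the thread and not Jitsi project code). It assumes the properties path and service names quoted earlier in the thread; the function names and the `--apply` switch are made up for this sketch, and the lookup reply is validated as a strict dotted quad before it is written into the config.

```shell
#!/bin/sh
# Added example: keep NAT_HARVESTER_PUBLIC_ADDRESS in step with a dynamic IPv4.
PROPS=${PROPS:-/etc/jitsi/videobridge/sip-communicator.properties}
KEY=org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS
KEY_RE='^org\.ice4j\.ice\.harvest\.NAT_HARVESTER_PUBLIC_ADDRESS='

# Accept only a strict dotted quad; the lookup reply is untrusted input.
valid_ipv4() {
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*|0?*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Returns 0 = file rewritten, 1 = already current, 2 = address rejected.
update_public_address() {
    file=$1; new_ip=$2
    valid_ipv4 "$new_ip" || return 2
    current=$(sed -n "s/$KEY_RE//p" "$file" | tail -n 1)
    if [ "$current" = "$new_ip" ]; then return 1; fi
    tmp=$(mktemp) || return 3
    grep -v "$KEY_RE" "$file" > "$tmp" || true
    printf '%s=%s\n' "$KEY" "$new_ip" >> "$tmp"
    cat "$tmp" > "$file"    # write in place: keeps the file's owner and mode
    rm -f "$tmp"
    return 0
}

main() {
    # Lookup command from the thread, plus whitespace stripping.
    ip=$(curl -s --max-time 10 checkip4.dns.lightningwirelabs.com | cut -f 2 -d: | tr -d ' \r\n')
    update_public_address "$PROPS" "$ip"
    case $? in
        0) systemctl restart jitsi-videobridge jicofo ;;  # unit names as in the thread
        1) : ;;                                            # unchanged: no restart
        *) echo "rejected lookup result: '$ip'" >&2; return 1 ;;
    esac
}

# Run only when asked to, e.g. from cron: <this-script> --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

Because an unchanged address returns 1 and skips the restart, the script can run every few minutes from cron without dropping running conferences.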