Jitsi Meet & Coturn

Hi there,

I’m about to set up our working Jitsi with an additional coturn server. The problem is that many colleagues can’t connect because of firewall restrictions. The aim is that our Jitsi can be used by external people without a UDP port opened.

I fear I need some guidance here, I’m no linux pro…

The issue is that Jitsi doesn’t use the TURN server. Conferencing with 2 persons is working; after a third person joins, video and audio switch off.

Can you please provide some information about where to look for logfiles?

coturn config

I set up coturn according to this:


I have a valid certificate and changed ports to 443. Trickle ICE shows “Done” when testing the turn-domain with port 443 and transport=tcp.

turnserver.conf:

# plain (TCP/UDP) and TLS listeners both on 443
listening-port=443
tls-listening-port=443
listening-ip=intIP
relay-ip=extIP
# NAT mapping: public address / private address
external-ip=extIP/intIP
# relay port range allocated for clients
min-port=10000
max-port=20000
fingerprint
# long-term credential mechanism with the static user below
lt-cred-mech
user=coturnuser:coturnkey
realm=turn-domain
cert=/etc/coturn/certs/cert-11028875712017614327058612676.pem
pkey=/etc/coturn/certs/turn-private.pem
no-multicast-peers

This is the syslog output from coturn:

Oct 22 15:04:25 host2 systemd[1]: Starting coTURN STUN/TURN Server...
Oct 22 15:04:25 host2 turnserver: 0:
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Coturn-4.5.1.1 'dan Eider'
Oct 22 15:04:25 host2 turnserver: 0:
Max number of open files/sockets allowed for this process: 524288
Oct 22 15:04:25 host2 turnserver: 0:
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 262000 (approximately)
Oct 22 15:04:25 host2 turnserver: 0:

==== Show him the instruments, Practical Frost: ====
Oct 22 15:04:25 host2 turnserver: 0: TLS supported
Oct 22 15:04:25 host2 turnserver: 0: DTLS supported
Oct 22 15:04:25 host2 turnserver: 0: DTLS 1.2 supported
Oct 22 15:04:25 host2 turnserver: 0: TURN/STUN ALPN supported
Oct 22 15:04:25 host2 turnserver: 0: Third-party authorization (oAuth) supported
Oct 22 15:04:25 host2 turnserver: 0: GCM (AEAD) supported
Oct 22 15:04:25 host2 turnserver: 0: OpenSSL compile-time version: OpenSSL 1.1.1d  10 Sep 2019 (0x1010104f)
Oct 22 15:04:25 host2 turnserver: 0:
Oct 22 15:04:25 host2 turnserver: 0: SQLite supported, default database location is /var/lib/turn/turndb
Oct 22 15:04:25 host2 turnserver: 0: Redis supported
Oct 22 15:04:25 host2 turnserver: 0: PostgreSQL supported
Oct 22 15:04:25 host2 turnserver: 0: MySQL supported
Oct 22 15:04:25 host2 turnserver: 0: MongoDB is not supported
Oct 22 15:04:25 host2 turnserver: 0:
Oct 22 15:04:25 host2 turnserver: 0: Default Net Engine version: 3 (UDP thread per CPU core)

=====================================================
Oct 22 15:04:25 host2 turnserver: 0: Domain name:
Oct 22 15:04:25 host2 turnserver: 0: Default realm: turn.meeting.studentenwerk-augsburg.de
Oct 22 15:04:25 host2 turnserver: 0:
CONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!
Oct 22 15:04:25 host2 turnserver: 0: SSL23: Certificate file found: /etc/coturn/certs/cert-11028875712017614327058612676.pem
Oct 22 15:04:25 host2 turnserver: 0: SSL23: Private key file found: /etc/coturn/certs/turn-private.pem
Oct 22 15:04:25 host2 turnserver: 0: set_ctx: ERROR: cannot set DH
Oct 22 15:04:25 host2 turnserver: 0: TLS1.0: Certificate file found: /etc/coturn/certs/cert-11028875712017614327058612676.pem
Oct 22 15:04:25 host2 turnserver: 0: TLS1.0: Private key file found: /etc/coturn/certs/turn-private.pem
Oct 22 15:04:25 host2 turnserver: 0: TLS1.1: Certificate file found: /etc/coturn/certs/cert-11028875712017614327058612676.pem
Oct 22 15:04:25 host2 turnserver: 0: TLS1.1: Private key file found: /etc/coturn/certs/turn-private.pem
Oct 22 15:04:25 host2 turnserver: 0: TLS1.2: Certificate file found: /etc/coturn/certs/cert-11028875712017614327058612676.pem
Oct 22 15:04:25 host2 turnserver: 0: TLS1.2: Private key file found: /etc/coturn/certs/turn-private.pem
Oct 22 15:04:25 host2 turnserver: 0: TLS cipher suite: DEFAULT
Oct 22 15:04:25 host2 turnserver: 0: DTLS: Certificate file found: /etc/coturn/certs/cert-11028875712017614327058612676.pem
Oct 22 15:04:25 host2 turnserver: 0: DTLS: Private key file found: /etc/coturn/certs/turn-private.pem
Oct 22 15:04:25 host2 turnserver: 0: DTLS1.2: Certificate file found: /etc/coturn/certs/cert-11028875712017614327058612676.pem
Oct 22 15:04:25 host2 turnserver: 0: DTLS1.2: Private key file found: /etc/coturn/certs/turn-private.pem
Oct 22 15:04:25 host2 turnserver: 0: DTLS cipher suite: DEFAULT
Oct 22 15:04:25 host2 turnserver: 0: pid file created: /run/turnserver/turnserver.pid
Oct 22 15:04:25 host2 turnserver: 0: IO method (main listener thread): epoll (with changelist)
Oct 22 15:04:25 host2 turnserver: 0: WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided
Oct 22 15:04:25 host2 turnserver: 0: Wait for relay ports initialization...
Oct 22 15:04:25 host2 turnserver: 0:   relay extIP initialization...
Oct 22 15:04:25 host2 turnserver: 0:   relay extIP initialization done
Oct 22 15:04:25 host2 turnserver: 0: Relay ports initialization done
Oct 22 15:04:25 host2 turnserver: 0: IO method (general relay thread): epoll (with changelist)
Oct 22 15:04:25 host2 turnserver: 0: IO method (general relay thread): epoll (with changelist)
Oct 22 15:04:25 host2 turnserver: 0: turn server id=0 created
Oct 22 15:04:25 host2 turnserver: 0: turn server id=1 created
Oct 22 15:04:25 host2 turnserver: 0: IO method (general relay thread): epoll (with changelist)
Oct 22 15:04:25 host2 turnserver: 0: IO method (general relay thread): epoll (with changelist)
Oct 22 15:04:25 host2 turnserver: 0: turn server id=3 created
Oct 22 15:04:25 host2 turnserver: 0: turn server id=2 created
Oct 22 15:04:25 host2 turnserver: 0: Total General servers: 4
Oct 22 15:04:25 host2 turnserver: 0: IO method (auth thread): epoll (with changelist)
Oct 22 15:04:25 host2 turnserver: 0: IO method (auth thread): epoll (with changelist)
Oct 22 15:04:25 host2 turnserver: 0: IO method (admin thread): epoll (with changelist)
Oct 22 15:04:25 host2 turnserver: 0: SQLite DB connection success: /var/lib/turn/turndb
Oct 22 15:04:27 host2 systemd[1]: Started coTURN STUN/TURN Server.

Jitsi config

sip-communicator.properties:

# STUN server the bridge uses to discover its public address mapping
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=turn-domain:443
# disable the bridge's own ICE/TCP harvester
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true

host1.cfg.lua:

plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "host1";

turncredentials_secret = "SECRET";
turncredentials_port = 443;
turncredentials_ttl = 86400;

turncredentials = {
  { type = "stun", host = "turn-domain", port = "443" },
  { type = "turn", host = "turn-domain", port = "443", transport = "udp" },
  { type = "turns", host = "turn-domain", port = "443", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;

VirtualHost "kirnach.stwa.local"
        -- enabled = false -- Remove this line to enable this host
        authentication = "anonymous"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/host1.key";
                certificate = "/etc/prosody/certs/host1.crt";
        }

I disabled the ufw on both host1 and host2 for testing…

I’m behind a corporate firewall, where I set up a web server for both host1 and host2 on port 443 and NAT/forwarding for ports 10000:20000 UDP to host2.

Thank you very much for helping!

Christian

Is your jvb on host2?

Sorry, no, jvb is on host1.

So, your port forwarding is wrong: the only port used by clients to reach JVB is 10000 UDP.

Also remove this.

You cannot have your TURN/STUN server discover your addresses, I think; you may have problems with that. They need to be in different networks. Use the meet.jit.si one, which comes by default, or set your addresses by hand.

I commented out external-ip and set stun.t-online.de:3478 as STUN_MAPPING_HARVESTER_ADDRESSES
I also changed port forwarding for port 10000/udp to host1 (jvb).

As a result, I can now see 3 people in a conference.

I fear the problem isn’t solved, or I’m confused (or both) - On the firewall I can see traffic for https and 10000/udp for host1, nothing for host2 (turnserver).

I’m testing at home, so my udp port isn’t blocked - maybe that’s the reason?

Thank you so much for the support!

Yep, TURN is a fallback. You can use iptables to block UDP 10000 on the JVB host, but just for your home address; then the 3 tabs need to send to JVB by relaying the media through the TURN server. The TURN server will use UDP 10000 on the bridge to send traffic to.

I created a rule on our firewall to block 10000/udp from my home address.

Now I have the same situation as before:

Maybe you could get some in-depth information by reading the emrah chronicles

Hi gpatel-fr,

I read the emrah chronicles, but I’m not sure if that helps me.

I assume there are 2 reasons that can cause the issue:

  • Jitsi/coturn misconfiguration
  • Firewall misconfiguration

Jitsi/coturn misconfiguration

As I understand, emrah runs JVB and coturn on one box; I have two separate boxes on one subnet.
The magic happens in Stage 3, but I don’t want to run coturn on tcp/5349. I set allowed-peer-ip=local-ip-address but with no luck.

Is there any need to edit the Nginx config in my case?

Just to be sure, my Nginx config looks like:

listen 80;
server_name host1.local;

listen 4444 ssl http2;
server_name host1.local;

Also, here is my /etc/nginx/modules-enabled/60-jitsi-meet.conf file. Shouldn’t upstream turn be the internal IP of the coturn server + port 443?

stream {
    upstream web {
        server 127.0.0.1:4444;
    }
    upstream turn {
        server 127.0.0.1:5349;
    }
    # since 1.13.10
    map $ssl_preread_alpn_protocols $upstream {
        ~\bh2\b         web;
        ~\bhttp/1\.     web;
        default         turn;
    }

    server {
        listen 443;
        listen [::]:443;

        # since 1.11.5
        ssl_preread on;
        proxy_pass $upstream;

        # Increase buffer to serve video
        proxy_buffer_size 10m;
    }
}

Do I have to set static-auth-secret in turnserver.conf?

Firewall misconfiguration

As I cannot see connections from or to the coturn server (host2) I can’t exclude firewall misconfiguration.
After all the how-tos, the only thing I have to do is to open port 443 for external connections and NAT them to the coturn server. I did that. In the case of a non-working conference I can see such log entries on the firewall:

hello @chris.d,

I have many JVBs. one of them is on the same server with coturn

If you have a standalone server for coturn, you can choose any port since it has a different IP address, probably TCP/443… You don’t need /etc/nginx/modules-enabled/60-jitsi-meet.conf and the traffic mapping in this case either.

If coturn and nginx are on the same server, ssl_preread_alpn_protocols is the main problem. Switch to ssl_preread_server_name

I don’t have much to add to @emrah. To check if it works you have to understand the process, and look at where it blocks using a packet scanner such as tcpdump or tshark.

  • your browser connects to the coturn server according to the setup in prosody.
  • so you can listen on your coturn server address and the configured port to see if you see attempts to connect through TLS. You can see if coturn replies. If yes, you have half of the problem solved.
  • in this case you have to look at what happens between coturn and JVB. You should see UDP packets flowing from coturn to JVB. If nothing appears, coturn is not configured correctly; either it does not start or it does not understand where to send its UDP packets.
    If UDP packets are starting from coturn toward JVB, you have to see if they are getting to the JVB instance; if not, it’s a firewall or other network issue. If yes, the problem will be something in the JVB config (not likely, but who knows).
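The two test steps from the replies above (blocking UDP 10000 for one client address on the JVB host, then watching with tcpdump on the coturn host and on the bridge), collected into one small script as an added example; this is not code from the thread or from the Jitsi/coturn projects. It assumes the bridge receives media on UDP 10000 and coturn listens on TCP/TLS 443 (both overridable through environment variables), IPv4 addresses, Linux tcpdump/iptables, and that it runs as root on the host named for each step; the host addresses passed on the command line are hypothetical.

```shell
#!/bin/sh
# turn-path-check.sh (added example, not from the thread)
# Step-by-step check of the TURN relay path: client -> coturn (TLS) -> JVB (UDP 10000).

JVB_UDP_PORT="${JVB_UDP_PORT:-10000}"   # assumption: bridge media port
TURN_TLS_PORT="${TURN_TLS_PORT:-443}"   # assumption: coturn TLS listener

# Accept only a dotted-quad IPv4 address so a typo cannot turn into an
# iptables rule that matches everything (or a stray shell word).
validate_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Step 1 (run on the coturn host): does the browser reach the TLS port,
# and does coturn answer? Both directions of the TCP stream are captured.
listener_filter() { printf 'tcp port %s' "$TURN_TLS_PORT"; }

# Step 2 (on the coturn host) and step 3 (on the JVB host): relayed media
# leaving coturn toward the bridge, or arriving at the bridge.
# $1 = coturn address, $2 = JVB address
relay_filter() {
    printf 'udp and src host %s and dst host %s and dst port %s' "$1" "$2" "$JVB_UDP_PORT"
}

# Make one client address look like it sits behind a UDP-blocking firewall,
# so its media must fall back to the TURN relay. Run on the JVB host.
block_client() {
    validate_ipv4 "$1" || { echo "bad IPv4 address: '$1'" >&2; return 1; }
    iptables -I INPUT -p udp --dport "$JVB_UDP_PORT" -s "$1" -j DROP
}
unblock_client() {
    validate_ipv4 "$1" || { echo "bad IPv4 address: '$1'" >&2; return 1; }
    iptables -D INPUT -p udp --dport "$JVB_UDP_PORT" -s "$1" -j DROP
}

case "${1:-}" in
    block)    block_client "${2:-}" ;;
    unblock)  unblock_client "${2:-}" ;;
    listener) tcpdump -ni any "$(listener_filter)" ;;
    relay)
        validate_ipv4 "${2:-}" && validate_ipv4 "${3:-}" \
            || { echo "relay needs <coturn-ip> <jvb-ip>" >&2; return 1 2>/dev/null || exit 1; }
        tcpdump -ni any "$(relay_filter "$2" "$3")" ;;
    *)
        echo "usage: $0 block|unblock <client-ip> | listener | relay <coturn-ip> <jvb-ip>" >&2 ;;
esac
```

Order of use: `block <home-ip>` on host1, then join from home and run `listener` on host2 (you should see the SYN from the client and coturn's TLS reply), then `relay <host2-int-ip> <host1-int-ip>` on host2 and again on host1 to find whether the relayed UDP leaves coturn and whether it arrives at the bridge. Remove the rule with `unblock` when done.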

Ok, thank you! I guess I have to take a closer look…
I’ll report back!

Hi there,

today I had some time to test again. Result: I’m totally stuck :confused:

I disabled all ssl/tls-related configuration to get back to a kind of default state:

/etc/turnserver.conf

listening-port=3478
tls-listening-port=5349

/etc/prosody/conf.d/host1.cfg.lua

turncredentials_port = 3478;
turncredentials = {
  { type = "stun", host = "turn-domain", port = "3478" },
  { type = "turn", host = "turn-domain", port = "3478", transport = "udp" },
  { type = "turns", host = "turn-domain", port = "3478", transport = "tcp" }
};

  • I updated my firewall rule accordingly.
  • I did use a packet scanner > no packets for port 3478
  • I searched the chrome console for errors > no errors
  • I checked Trickle ICE and it works > turn:turn-domain:3478?transport=tcp
  • I checked prosody and jvb logs > no errors

Any ideas where I can look?

Those 2 messages pop up in the chrome console:

[modules/RTC/BridgeChannel.js] <l._send>: Bridge Channel send: no opened channel.

Logger.js:154 2020-11-18T10:55:32.316Z [JitsiConference.js] <u.sendMessage>: Failed to send E2E ping request or response. undefined

I also moved the coturn server host2.local from dmz to lan zone on my firewall.

Same behavior…

AFAIK this should be 5349 since you have

tls-listening-port=5349