Use the public IP for the turn service. The loopback is blocked because of the following line
denied-peer-ip=127.0.0.0-127.255.255.255
Hi, thanks for your reply. Wouldn't it be better (and safer) to just delete:
denied-peer-ip=127.0.0.0-127.255.255.255
and keep it this way, so that every connection remains in the internal network, since jitsi and coturn are on the same machine? Would it work?
All internal services become accessible from the outside through TURN
Ok, I've tried commenting the line:
denied-peer-ip=10.0.0.0-10.255.255.255
and putting in nginx turn module conf the internal IP and everything works so far in TURN mode.
I tried then with the public IP but the problems appear again, no audio nor video with more than 2 participants. And I'm sure that the required TCP and UDP ports are forwarded from the outside.
Any suggestions?
Some extra rules are needed on the firewall/router. The firewall should handle correctly the internal requests when the destination is its public IP.
Try this from jitsi
curl https://public_ip/
Ok, I've tried it. If I do that from the Jitsi VM, the curl just gets stuck:
root@jitsi:/tmp# curl https://public_ip/
curl: (7) Failed to connect to ... port 443: Connection refused
Also tried telnetting public_ip 443 from jitsi's VM: it doesn't work.
If I do that from my local mobaxterm terminal on my pc:
[myPC] ➤ curl https://public_ip/
curl: (77) error setting certificate verify locations:
CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
This means that the router can not handle the internal requests
Instead of deleting this, you can add the following lines to the TURN config
listening-ip=INTERNAL-IP
allowed-peer-ip=INTERNAL-IP
no-udp
Thanks very much for the help. Which way do you think would be safer/better? Adding these rules on coturn or properly setting up my company's firewall?
Setting firewall rules is better. The denied-peer-ip lines prevent access to the internal IP blocks through the TURN service.
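To make the effect of those lines concrete, here is a small audit script added for this thread (it is not from the thread, from Jitsi or from coturn) that parses the denied-peer-ip and allowed-peer-ip lines of a turnserver.conf and reports which loopback/RFC1918 ranges the relay could still reach, and which allowed-peer-ip entries punch a hole into a blocked range. The sample config fragment is constructed for the example; the list of private ranges is the script's own, and the parser accepts a single address, the lo-hi range form used in this thread, or CIDR.

```python
import ipaddress

# Ranges a TURN relay should not be able to reach when it sits inside a
# company network: loopback plus the three RFC1918 blocks.  This is the
# checker's own list, not a statement of coturn's defaults.
PRIVATE_RANGES = {
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "rfc1918-10": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918-172": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918-192": ipaddress.ip_network("192.168.0.0/16"),
}

# Constructed turnserver.conf fragment: 172.16.0.0/12 is missing from the
# denied list, and one internal host is explicitly allowed.
SAMPLE_CONF = """\
listening-port=443
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
allowed-peer-ip=10.20.30.40
"""


def _to_networks(value):
    """Turn 'a.b.c.d', 'lo-hi' or 'x/len' into a list of ip_network objects."""
    if "-" in value:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in value.split("-", 1))
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(value, strict=False)]


def parse_peer_rules(text):
    """Return (denied, allowed) network lists from a coturn config text."""
    denied, allowed = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key == "denied-peer-ip":
            denied.extend(_to_networks(value))
        elif key == "allowed-peer-ip":
            allowed.extend(_to_networks(value))
    return denied, allowed


def covered(net, denied):
    """True if every address of `net` lies inside some denied network."""
    remaining = [net]
    for d in denied:
        nxt = []
        for r in remaining:
            if r.version != d.version:
                nxt.append(r)
            elif r.subnet_of(d):
                continue                          # fully blocked
            elif d.subnet_of(r):
                nxt.extend(r.address_exclude(d))  # carve the blocked part out
            else:
                nxt.append(r)                     # disjoint, untouched
        remaining = nxt
    return not remaining


def audit(text):
    """List findings: reachable private ranges and allowed-peer-ip holes."""
    denied, allowed = parse_peer_rules(text)
    findings = []
    for name, net in PRIVATE_RANGES.items():
        if not covered(net, denied):
            findings.append(
                f"{name} {net} is reachable through the relay "
                f"(no denied-peer-ip covers it)")
    for a in allowed:
        for name, net in PRIVATE_RANGES.items():
            if a.version == net.version and (a.subnet_of(net) or net.subnet_of(a)):
                findings.append(f"allowed-peer-ip {a} punches a hole into {name} {net}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print("WARNING:", f)
```

Run it against a real config by replacing SAMPLE_CONF with the file's contents; an empty result means every private range in the list is blocked and no allowed-peer-ip entry re-opens one of them. If you do need an exception (as with the allowed-peer-ip=INTERNAL-IP suggestion above), the script shows exactly which block it opens, so the firewall team can match it with a rule on their side.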
Thanks very much emrah. I will ask the firewall team to properly setup the rules.
One more question: my company is pushing towards docker deploys of Jitsi, which we have been using for a while and they work amazingly and they're a lot more hassle-free than the standard deployment.
Is there also a way to set up the dockerized installation of Jitsi to use 443 TCP only, just as we did with the manual install?
No idea for the Docker case