Jitsi on port 443 behind corporate Firewall

Hi all,

I'm currently trying to configure Jitsi with coturn to allow Jitsi behind some corporate firewalls.
With coturn there is no video or audio in Jitsi, and I'm getting the following errors:

From the turnserver:
```
closed (2nd stage), user <> realm <TURN_DOMAIN> origin <>, local 127.0.0.1:5349, remote 127.0.0.1:44512, reason: TLS/TCP socket buffer operation error (callback)
```

In jvb:
```
JVB 2022-01-31 13:10:44.339 WARNING: [111] [confId=c0d150158127a661 gid=39595 stats_id=Esta-zeU conf_name=test@conference.JITSI_DOMAIN ufrag=a6fep1fqo44ku2 epId=6972b0b2 local_ufrag=a6fep1fqo44ku2] ConnectivityCheckClient.startCheckForPair#374: Failed to send BINDING-REQUEST(0x1)[attrib.count=6 len=96 tranID=0x735542B07E0147A96FBE59DB] java.lang.IllegalArgumentException: No socket found for MY_PUBLIC_IP:10000/udp->192.168.1.112:51680/udp
```

These are my configs.

**sip-communicator.properties** (I removed some non-important lines)
```
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
```

**prosody** (only the important virtual host with the configuration above)
```
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "PUBLIC_DOMAIN";

external_service_secret = "SECRET";
external_services = {
     { type = "stun", host = "TURN_DOMAIN", port = 443 },
     { type = "turn", host = "TURN_DOMAIN", port = 443, transport = "udp", secret = "SECRET", ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "TURN_DOMAIN", port = 443, transport = "tcp", secret = "SECRET", ttl = 86400, algorithm = "turn" }
};

turncredentials_secret = "SECRET";
turncredentials_port = 443;
turncredentials_ttl = 86400;
turncredentials = {
     { type = "stun", host = "TURN_DOMAIN", port = 443 },
     { type = "turn", host = "TURN_DOMAIN", port = 443, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
     { type = "turns", host = "TURN_DOMAIN", port = 443, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;
-- https_ports = { }; -- Remove this line to prevent listening on port 5284

VirtualHost "JITSI_DOMAIN"
    -- enabled = false -- Remove this line to enable this host
    authentication = "anonymous"
    -- Properties below are modified by jitsi-meet-tokens package config
    -- and authentication above is switched to "token"
    --app_id="example_app_id"
    --app_secret="example_app_secret"
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/JITSI_DOMAIN.key";
        certificate = "/etc/prosody/certs/JITSI_DOMAIN.crt";
    }
    av_moderation_component = "avmoderation.JITSI_DOMAIN"
    speakerstats_component = "speakerstats.JITSI_DOMAIN"
    conference_duration_component = "conferenceduration.JITSI_DOMAIN"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "external_services";
        "conference_duration";
        "muc_lobby_rooms";
        "muc_breakout_rooms";
        "av_moderation";
	-- "turncredentials";
    }
    c2s_require_encryption = false
    lobby_muc = "lobby.JITSI_DOMAIN"
    breakout_rooms_muc = "breakout.JITSI_DOMAIN"
    main_muc = "conference.JITSI_DOMAIN"
    -- muc_lobby_whitelist = { "recorder.JITSI_DOMAIN" } -- Here we can whitelist jibri to enter lobby enabled rooms
```

**turnserver.conf**
```
use-auth-secret
keep-address-family
static-auth-secret=SECRET
realm=TURN_DOMAIN
cert=/etc/letsencrypt/live/TURN_DOMAIN/fullchain.pem
pkey=/etc/letsencrypt/live/TURN_DOMAIN/privkey.pem
no-multicast-peers
no-cli
no-tcp-relay
no-tcp
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
verbose
log-file=/var/log/turnserver.log
dh-file=/etc/coturn/certs/dhparam4096.pem
```

**nginx module**
```
stream {
    upstream web {
        server 127.0.0.1:4444;
    }
    upstream turn {
        server 127.0.0.1:5349;
    }
    # since 1.13.10
    map $ssl_preread_alpn_protocols $upstream {
        ~\bh2\b         web;
        ~\bhttp/1\.     web;
        default         turn;
    }

    server {
        listen 443;
        listen [::]:443;

        # since 1.11.5
        ssl_preread on;
        proxy_pass $upstream;

        # Increase buffer to serve video
        proxy_buffer_size 10m;
    }
}
```

If you need any other configuration, just ask for it.

Does anyone know where the problem is? I tried for several days and it was not possible for me to find a solution.

Thank you in advance!
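The `use-auth-secret` / `static-auth-secret` line in turnserver.conf and the `secret` / `ttl` / `algorithm = "turn"` fields in the prosody `external_services` entries are two halves of the same mechanism, the TURN REST API credential scheme: prosody mints short-lived credentials from the shared secret, coturn recomputes them. The following is an added example (not code from the original post, Jitsi, prosody or coturn) that builds and checks such credentials; the secret `b"SECRET"` and the 86400 s TTL are the placeholders from the configs above, and the user name `"jvb"` is an assumption.

```python
"""TURN REST API ("use-auth-secret") credentials, as shared between prosody and coturn.

Added example, not code from the original post or from Jitsi, prosody or coturn.
The secret b"SECRET" and the 86400 s TTL are the placeholders from the config above;
the user name "jvb" used in the demo is an assumption.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# static-auth-secret in turnserver.conf must equal external_service_secret / secret in prosody
SHARED_SECRET = b"SECRET"   # placeholder from the thread
TTL = 86400                 # ttl from the external_services entries


def make_credentials(secret: bytes, ttl: int, user: str = "",
                     now: Optional[int] = None) -> Tuple[str, str]:
    """Build a time-limited username/password pair the way prosody's
    mod_external_services does for algorithm = "turn":
      username = "<expiry unix time>:<user>"
      password = base64(HMAC-SHA1(secret, username))
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user}"
    mac = hmac.new(secret, username.encode("utf-8"), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode("ascii")


def verify_credentials(secret: bytes, username: str, password: str,
                       now: Optional[int] = None) -> bool:
    """What coturn checks on an Allocate request when use-auth-secret is set:
    the timestamp in front of the colon must still be in the future, and the
    password must be the HMAC-SHA1 of the full username under the shared secret.
    A secret mismatch between prosody and coturn fails here (coturn answers 401
    and no relay candidates ever show up in the browser)."""
    if now is None:
        now = int(time.time())
    expiry_text, _, _ = username.partition(":")
    try:
        expiry = int(expiry_text)
    except ValueError:
        return False               # not in "<timestamp>:<user>" form
    if expiry <= now:
        return False               # credential already expired
    mac = hmac.new(secret, username.encode("utf-8"), hashlib.sha1).digest()
    expected = base64.b64encode(mac).decode("ascii")
    return hmac.compare_digest(expected, password)   # constant-time compare


if __name__ == "__main__":
    # Constructed demo run: mint for user "jvb" and check as coturn would.
    user_name, password = make_credentials(SHARED_SECRET, TTL, "jvb")
    print(user_name, password)
    print("valid now:", verify_credentials(SHARED_SECRET, user_name, password))
    print("valid with wrong secret:", verify_credentials(b"OTHER", user_name, password))
```

Two things this makes visible: the `ttl` in prosody only controls how far in the future the timestamp is placed, the lifetime is enforced by coturn comparing that timestamp with its own clock, so the two hosts need synchronized time; and any secret mismatch (a trailing newline in `static-auth-secret`, a different value in the `turncredentials` legacy block) produces exactly the silent "no relay, no media" symptom rather than a config-parse error.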
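The nginx `stream` block shares TCP 443 between the web front end and coturn by peeking at the ALPN list in the TLS ClientHello before any decryption (`ssl_preread`) and applying the `map` regexes. As an added example (not code from the original post, nginx or coturn), here is a small ClientHello builder and parser that extracts the ALPN names and applies the same three map entries; the ClientHello bytes are constructed inline with dummy random and cipher values, and the host names are the thread's placeholders.

```python
"""Extract ALPN from a TLS ClientHello and route it like the nginx stream block above
(map $ssl_preread_alpn_protocols: h2 / http/1.x -> web, anything else -> turn).

Added example, not code from the original post, nginx or coturn. ClientHello records
are constructed inline (dummy random, one dummy cipher suite) so this runs offline.
"""
import os
import re
import struct
from typing import List, Optional

SNI_EXT, ALPN_EXT = 0, 16


def _ext(ext_type: int, data: bytes) -> bytes:
    return struct.pack("!HH", ext_type, len(data)) + data


def build_client_hello(sni: str, alpn: List[str]) -> bytes:
    """Minimal ClientHello record carrying SNI and, if given, an ALPN extension."""
    host = sni.encode("ascii")
    exts = _ext(SNI_EXT, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    if alpn:
        protos = b"".join(struct.pack("!B", len(p)) + p.encode("ascii") for p in alpn)
        exts += _ext(ALPN_EXT, struct.pack("!H", len(protos)) + protos)
    body = (b"\x03\x03"                      # client_version
            + os.urandom(32)                 # random (dummy)
            + b"\x00"                        # empty session_id
            + b"\x00\x02\x13\x01"            # one cipher suite (dummy)
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_alpn(record: bytes) -> Optional[List[str]]:
    """ALPN names from a ClientHello, [] if the extension is absent,
    None if the bytes are not a complete ClientHello record."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) < hs_len:
            return None
        pos = 2 + 32                                           # version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos + 2 > len(body):
            return []                                          # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        protos: List[str] = []
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == ALPN_EXT:
                p = 2                                          # skip list length
                while p < len(data):
                    n = data[p]
                    protos.append(data[p + 1:p + 1 + n].decode("ascii", "replace"))
                    p += 1 + n
        return protos
    except (IndexError, struct.error):
        return None


# The map entries from the nginx block, in order; first regex that matches wins.
ROUTES = [(re.compile(r"\bh2\b"), "web"), (re.compile(r"\bhttp/1\."), "web")]


def choose_upstream(alpn: Optional[List[str]]) -> str:
    value = ",".join(alpn or [])    # $ssl_preread_alpn_protocols is comma-separated
    for pattern, upstream in ROUTES:
        if pattern.search(value):
            return upstream
    return "turn"                   # the map's default


def route(record: bytes) -> str:
    return choose_upstream(parse_alpn(record))


if __name__ == "__main__":
    print(route(build_client_hello("JITSI_DOMAIN", ["h2", "http/1.1"])))  # web
    print(route(build_client_hello("TURN_DOMAIN", [])))                   # turn
```

Worth noting against the configs in the post: the routing key is chosen by the client, so anything that opens 443 without an HTTP ALPN reaches coturn's TLS listener, which is intended and is why the time-limited credentials matter. Also, this `stream` server has `listen 443;` without `udp`, so only the `turns` over TCP entry in `external_services` is served by it; the `turn ... transport = "udp", port = 443` entry would need coturn itself to listen on UDP 443, whereas turnserver.conf has `listening-port=3478`.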

Hi Jonie,
I have the same issue.
Did you resolve your problem?
Thank you.

Have you opened port 10000 in the firewall?

Hey Nasgul,

Yeah, I kind of resolved the problem. I switched to a setup with two dedicated IPs, one for the TURN server and the other one for Jitsi. With this setup it seems to work.

Port 10000 is closed for the users because they are behind a firewall where we can't open a port.
On the server, port 10000 is open (it works without the TURN server).

Hello,
Thank you for your reply.
I can't open port 10000 because it's a security measure.
I installed a TURN server on another server. I can see the requests of my participants, but I still have the problem with the participant behind the firewall with just ports 80 and 443 open.
In the JVB log, I have an error about broken communication between the server on port 10000/udp and the participant's IP address, also over UDP.
Do you have a specific configuration on the JVB service, please? Because I don't think my problem is TURN.
Is it possible to send me your configuration files, anonymized?
All functionalities work fine on meet.jit.si.
Thank you

Hey,

I used this script for the installation: installers/jitsi-base at main · jitsi-contrib/installers · GitHub
After I did everything with this script, it worked for me.

Hi Jonie,
I tried with the shared link, but it didn't work for me.
I continue my research.
Thank you.

What is the issue while using the installer script?

I have the same problem as this link.

Are you talking about this script? If so, what is the output when running this script?

The script is OK, but it didn't solve my problem.