[jitsi-users] Add a STUN server to Jitsi-videobridge


#1

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I'm wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it's a problem, just want to be sure).

Thank you,

Jean-Sébastien


#2

Hi,

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a
server for a project I work on and I can see my face when I create a room,
I can also see when someone else joins the room. When I check the logs I am
imformed that « ICE failed » and that « No STUN servers specified » and I
was wondering where I could add a (list of) STUN server(s) on the
configuration files.

I may need to add a TURN server later but for now I mainly want to fix
this issue.

Also correct me if I’m wrong, but from what I understand, even with 2
people having a conversation all the data will go through the
Jitsi-meet/videobridge server? (not that it’s a problem, just want to be
sure).

Yep, that is correct. That's why you do not need a TURN server. About the
stun error this is strange, maybe attaching the logs will help.

Regards
damencho

···

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud < jean-sebastien.renaud@actimage.com> wrote:

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#3

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

Since I’m also working on a corporate network could the problem come from having some port restriction on the Jitsi server? (I am running tests on a regular network like the one you would have at home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards
Jean-Sébastien

···

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : lundi 8 août 2016 16:45
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:
Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards
damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#4

Hi,

Thank you,

My project needs to be able to handle users in « strict network
conditions » (such as corporate networks with 80+443 TCP only) so from what
I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which
means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet,
you need a second public ip address to allow jvb to bind to port 443 for
its tcp connections, if that port is not available it binds by default to
4443. If you are using jvb to serve meet jvb should already be using port
443.
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards
damencho

···

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud < jean-sebastien.renaud@actimage.com> wrote:

Since I’m also working on a corporate network could the problem come from
having some port restriction on the Jitsi server? (I am running tests on a
regular network like the one you would have at home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

*De :* users [mailto:users-bounces@jitsi.org] *De la part de* Damian
Minkov
*Envoyé :* lundi 8 août 2016 16:45
*À :* Jitsi Users <users@jitsi.org>
*Objet :* Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud < > jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a
server for a project I work on and I can see my face when I create a room,
I can also see when someone else joins the room. When I check the logs I am
imformed that « ICE failed » and that « No STUN servers specified » and I
was wondering where I could add a (list of) STUN server(s) on the
configuration files.

I may need to add a TURN server later but for now I mainly want to fix
this issue.

Also correct me if I’m wrong, but from what I understand, even with 2
people having a conversation all the data will go through the
Jitsi-meet/videobridge server? (not that it’s a problem, just want to be
sure).

Yep, that is correct. That's why you do not need a TURN server. About the
stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#5

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards
Jean-Sébastien

webrtc-log-from-firefox.txt (5.52 KB)

webrtc-stats-from-firefox.txt (9.34 KB)

···

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : lundi 8 août 2016 17:14
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:
Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards
damencho

Since I’m also working on a corporate network could the problem come from having some port restriction on the Jitsi server? (I am running tests on a regular network like the one you would have at home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards
Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org<mailto:users-bounces@jitsi.org>] De la part de Damian Minkov
Envoyé : lundi 8 août 2016 16:45
À : Jitsi Users <users@jitsi.org<mailto:users@jitsi.org>>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:
Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards
damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#6

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for
that machines?

···

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem come from having some port restriction on the Jitsi server? (I am running tests on a regular network like the one you would have at home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : lundi 8 août 2016 16:45
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#7

-----Message d'origine-----

···

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : lundi 8 août 2016 18:29
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem come
from having some port restriction on the Jitsi server? (I am running
tests on a regular network like the one you would have at home for the
first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#8

Hi,

so if you have mapping public to local address, and you can have 2
local addresses for that machine, you can use one of them only for
nginx with forwarding only port 443. And the other one you can use for
jvb and forward udp 10k:20k and 443 and setup binding of jvb to low
port and setting up local and public address properties.

Regards
damencho

···

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : lundi 8 août 2016 18:29
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem come
from having some port restriction on the Jitsi server? (I am running
tests on a regular network like the one you would have at home for the
first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#9

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----

···

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 15:29
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem come
from having some port restriction on the Jitsi server? (I am running
tests on a regular network like the one you would have at home for
the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#10

Hi,

There is no such way currently if you are using nginx. That's the
reason I was telling you that you need two public addresses, one will
be used for nginx:443 traffic, the other one for jvb:443 traffic.
If you are not using nginx and serve meet using the jvb jetty
instance, jvb can do this work for you and can distinguish http
traffic to media over tcp traffic, and then you need only one public
ip address.

Regards
damencho

···

On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 15:29
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem come
from having some port restriction on the Jitsi server? (I am running
tests on a regular network like the one you would have at home for
the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#11

Hi,

Since I am using a Let's Encrypt certificate for HTTPS (with webroot plugin) I don't think I'm gonna be able to use jetty (or maybe juste use the 80 on Nginx for the webroot and prevent Nginx from using :443).
To use the jetty instance, is this documentation the correct one to follow? https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md (I'm not really sure I get how to do each part but I'll see if I get there)

Regards
Jean-Sébastien

-----Message d'origine-----

···

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 16:05
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

There is no such way currently if you are using nginx. That's the reason I was telling you that you need two public addresses, one will be used for nginx:443 traffic, the other one for jvb:443 traffic.
If you are not using nginx and serve meet using the jvb jetty instance, jvb can do this work for you and can distinguish http traffic to media over tcp traffic, and then you need only one public ip address.

Regards
damencho

On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 15:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem come
from having some port restriction on the Jitsi server? (I am running
tests on a regular network like the one you would have at home for
the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#12

Hi,

You can use certificates in jetty. You have the choice, one public
address and jetty, two addresses and nginx.
Yep that is a basic document how to do it. On ubuntu 16.04 if there is
no nginx installed by default jvb will be installed with jetty
configured.
The commands that the debian package uses start somewhere here:
https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet.postinst#L68
there are a lot of ifs, but if you want to do it manually, my advice
is reading that script.

Regards
damencho

···

On Tue, Aug 9, 2016 at 9:23 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

Since I am using a Let's Encrypt certificate for HTTPS (with webroot plugin) I don't think I'm gonna be able to use jetty (or maybe juste use the 80 on Nginx for the webroot and prevent Nginx from using :443).
To use the jetty instance, is this documentation the correct one to follow? https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md (I'm not really sure I get how to do each part but I'll see if I get there)

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 16:05
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

There is no such way currently if you are using nginx. That's the reason I was telling you that you need two public addresses, one will be used for nginx:443 traffic, the other one for jvb:443 traffic.
If you are not using nginx and serve meet using the jvb jetty instance, jvb can do this work for you and can distinguish http traffic to media over tcp traffic, and then you need only one public ip address.

Regards
damencho

On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 15:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem come
from having some port restriction on the Jitsi server? (I am running
tests on a regular network like the one you would have at home for
the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#13

Hi,

So basically I could uninstall Jitsi, Nginx and reinstall Jitsi and I would get Jitsi configured with Jetty?
My concern about certificates was how to renew them since LE certs only last 3 months but have a automated renewal process but I could just intercept the http traffic on the port 80 and redirect it to another webserver I'd use for renewing only (since Jetty would only serve HTTPS). Would that be possibe?

Regards
Jean-Sébastien

-----Message d'origine-----

···

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 16:51
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

You can use certificates in jetty. You have the choice, one public address and jetty, two addresses and nginx.
Yep that is a basic document how to do it. On ubuntu 16.04 if there is no nginx installed by default jvb will be installed with jetty configured.
The commands that the debian package uses start somewhere here:
https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet.postinst#L68
there are a lot of ifs, but if you want to do it manually, my advice is reading that script.

Regards
damencho

On Tue, Aug 9, 2016 at 9:23 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

Since I am using a Let's Encrypt certificate for HTTPS (with webroot plugin) I don't think I'm gonna be able to use jetty (or maybe juste use the 80 on Nginx for the webroot and prevent Nginx from using :443).
To use the jetty instance, is this documentation the correct one to
follow?
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md
(I'm not really sure I get how to do each part but I'll see if I get
there)

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:05 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

There is no such way currently if you are using nginx. That's the reason I was telling you that you need two public addresses, one will be used for nginx:443 traffic, the other one for jvb:443 traffic.
If you are not using nginx and serve meet using the jvb jetty instance, jvb can do this work for you and can distinguish http traffic to media over tcp traffic, and then you need only one public ip address.

Regards
damencho

On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 15:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem
come from having some port restriction on the Jitsi server? (I am
running tests on a regular network like the one you would have at
home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#14

I don't get it. When jetty is installed it uses the provided scripts
to generate a keystore, there is a command for that and later you can
recreate the keystore.
You need uninstalling and purging, no config should be left no
/etc/jitsi folder.

···

On Tue, Aug 9, 2016 at 10:07 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

So basically I could uninstall Jitsi, Nginx and reinstall Jitsi and I would get Jitsi configured with Jetty?
My concern about certificates was how to renew them since LE certs only last 3 months but have a automated renewal process but I could just intercept the http traffic on the port 80 and redirect it to another webserver I'd use for renewing only (since Jetty would only serve HTTPS). Would that be possibe?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 16:51
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

You can use certificates in jetty. You have the choice, one public address and jetty, two addresses and nginx.
Yep that is a basic document how to do it. On ubuntu 16.04 if there is no nginx installed by default jvb will be installed with jetty configured.
The commands that the debian package uses start somewhere here:
https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet.postinst#L68
there are a lot of ifs, but if you want to do it manually, my advice is reading that script.

Regards
damencho

On Tue, Aug 9, 2016 at 9:23 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

Since I am using a Let's Encrypt certificate for HTTPS (with webroot plugin) I don't think I'm gonna be able to use jetty (or maybe juste use the 80 on Nginx for the webroot and prevent Nginx from using :443).
To use the jetty instance, is this documentation the correct one to
follow?
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md
(I'm not really sure I get how to do each part but I'll see if I get
there)

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:05 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

There is no such way currently if you are using nginx. That's the reason I was telling you that you need two public addresses, one will be used for nginx:443 traffic, the other one for jvb:443 traffic.
If you are not using nginx and serve meet using the jvb jetty instance, jvb can do this work for you and can distinguish http traffic to media over tcp traffic, and then you need only one public ip address.

Regards
damencho

On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 15:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem
come from having some port restriction on the Jitsi server? (I am
running tests on a regular network like the one you would have at
home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#15

My problem is to get trusted certificate on Jitsi but that's mostly a detail for now and the main issue is to get Jitsi to work even with strict network conditions.
One last thing (I think ^^) from an ealier reply you also said that my server should also have ports 10k-20k opened for UDP (in addition to 443 TCP) but I wouldn't need anything else?

Thank you for your time!

-----Message d'origine-----

···

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 17:47
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

I don't get it. When jetty is installed it uses the provided scripts to generate a keystore, there is a command for that and later you can recreate the keystore.
You need uninstalling and purging, no config should be left no /etc/jitsi folder.

On Tue, Aug 9, 2016 at 10:07 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

So basically I could uninstall Jitsi, Nginx and reinstall Jitsi and I would get Jitsi configured with Jetty?
My concern about certificates was how to renew them since LE certs only last 3 months but have a automated renewal process but I could just intercept the http traffic on the port 80 and redirect it to another webserver I'd use for renewing only (since Jetty would only serve HTTPS). Would that be possibe?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:51 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

You can use certificates in jetty. You have the choice, one public address and jetty, two addresses and nginx.
Yep that is a basic document how to do it. On ubuntu 16.04 if there is no nginx installed by default jvb will be installed with jetty configured.
The commands that the debian package uses start somewhere here:
https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet.post
inst#L68 there are a lot of ifs, but if you want to do it manually, my
advice is reading that script.

Regards
damencho

On Tue, Aug 9, 2016 at 9:23 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

Since I am using a Let's Encrypt certificate for HTTPS (with webroot plugin) I don't think I'm gonna be able to use jetty (or maybe juste use the 80 on Nginx for the webroot and prevent Nginx from using :443).
To use the jetty instance, is this documentation the correct one to
follow?
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md
(I'm not really sure I get how to do each part but I'll see if I get
there)

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:05 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

There is no such way currently if you are using nginx. That's the reason I was telling you that you need two public addresses, one will be used for nginx:443 traffic, the other one for jvb:443 traffic.
If you are not using nginx and serve meet using the jvb jetty instance, jvb can do this work for you and can distinguish http traffic to media over tcp traffic, and then you need only one public ip address.

Regards
damencho

On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 15:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem
come from having some port restriction on the Jitsi server? (I am
running tests on a regular network like the one you would have at
home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#16

My problem is to get trusted certificate on Jitsi but that's mostly a detail for now and the main issue is to get Jitsi to work even with strict network conditions.
One last thing (I think ^^) from an ealier reply you also said that my server should also have ports 10k-20k opened for UDP (in addition to 443 TCP) but I wouldn't need anything else?

Yep traffic to these ports needs to reach jvb.

···

On Tue, Aug 9, 2016 at 11:02 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you for your time!

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 17:47
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

I don't get it. When jetty is installed it uses the provided scripts to generate a keystore, there is a command for that and later you can recreate the keystore.
You need uninstalling and purging, no config should be left no /etc/jitsi folder.

On Tue, Aug 9, 2016 at 10:07 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

So basically I could uninstall Jitsi, Nginx and reinstall Jitsi and I would get Jitsi configured with Jetty?
My concern about certificates was how to renew them since LE certs only last 3 months but have a automated renewal process but I could just intercept the http traffic on the port 80 and redirect it to another webserver I'd use for renewing only (since Jetty would only serve HTTPS). Would that be possibe?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:51 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

You can use certificates in jetty. You have the choice, one public address and jetty, two addresses and nginx.
Yep that is a basic document how to do it. On ubuntu 16.04 if there is no nginx installed by default jvb will be installed with jetty configured.
The commands that the debian package uses start somewhere here:
https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet.post
inst#L68 there are a lot of ifs, but if you want to do it manually, my
advice is reading that script.

Regards
damencho

On Tue, Aug 9, 2016 at 9:23 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

Since I am using a Let's Encrypt certificate for HTTPS (with webroot plugin) I don't think I'm gonna be able to use jetty (or maybe juste use the 80 on Nginx for the webroot and prevent Nginx from using :443).
To use the jetty instance, is this documentation the correct one to
follow?
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md
(I'm not really sure I get how to do each part but I'll see if I get
there)

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:05 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

There is no such way currently if you are using nginx. That's the reason I was telling you that you need two public addresses, one will be used for nginx:443 traffic, the other one for jvb:443 traffic.
If you are not using nginx and serve meet using the jvb jetty instance, jvb can do this work for you and can distinguish http traffic to media over tcp traffic, and then you need only one public ip address.

Regards
damencho

On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 15:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem
come from having some port restriction on the Jitsi server? (I am
running tests on a regular network like the one you would have at
home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#17

Hi,

What I don't get is why I need those ports if I'm supposed to handle user with strict network conditions. I get why I need them for all the other users but can I test if the setup is correct if I only have the port required for strict network conditions open? That way I would be sure that this part work (also getting a 10k udp port range approved is going to take some time and I wouldn't want to get stuck meanwhile).

Regards
Jean-Sébastien

-----Message d'origine-----

···

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 18:08
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

On Tue, Aug 9, 2016 at 11:02 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

My problem is to get trusted certificate on Jitsi but that's mostly a detail for now and the main issue is to get Jitsi to work even with strict network conditions.
One last thing (I think ^^) from an ealier reply you also said that my server should also have ports 10k-20k opened for UDP (in addition to 443 TCP) but I wouldn't need anything else?

Yep traffic to these ports needs to reach jvb.

Thank you for your time!

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 17:47 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

I don't get it. When jetty is installed it uses the provided scripts to generate a keystore, there is a command for that and later you can recreate the keystore.
You need uninstalling and purging, no config should be left no /etc/jitsi folder.

On Tue, Aug 9, 2016 at 10:07 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

So basically I could uninstall Jitsi, Nginx and reinstall Jitsi and I would get Jitsi configured with Jetty?
My concern about certificates was how to renew them since LE certs only last 3 months but have a automated renewal process but I could just intercept the http traffic on the port 80 and redirect it to another webserver I'd use for renewing only (since Jetty would only serve HTTPS). Would that be possibe?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:51 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

You can use certificates in jetty. You have the choice, one public address and jetty, two addresses and nginx.
Yep that is a basic document how to do it. On ubuntu 16.04 if there is no nginx installed by default jvb will be installed with jetty configured.
The commands that the debian package uses start somewhere here:
https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet.pos
t
inst#L68 there are a lot of ifs, but if you want to do it manually,
my advice is reading that script.

Regards
damencho

On Tue, Aug 9, 2016 at 9:23 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

Since I am using a Let's Encrypt certificate for HTTPS (with webroot plugin) I don't think I'm gonna be able to use jetty (or maybe juste use the 80 on Nginx for the webroot and prevent Nginx from using :443).
To use the jetty instance, is this documentation the correct one to
follow?
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md
(I'm not really sure I get how to do each part but I'll see if I get
there)

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:05 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

There is no such way currently if you are using nginx. That's the reason I was telling you that you need two public addresses, one will be used for nginx:443 traffic, the other one for jvb:443 traffic.
If you are not using nginx and serve meet using the jvb jetty instance, jvb can do this work for you and can distinguish http traffic to media over tcp traffic, and then you need only one public ip address.

Regards
damencho

On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 15:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org> Objet : Re: [jitsi-users] Add a
STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem
come from having some port restriction on the Jitsi server? (I am
running tests on a regular network like the one you would have at
home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#18

Yep you can try only 443, its just good to have the others if someone is
not a restricted network, but it should work and only with tcp available.

···

On Aug 10, 2016 05:20, "Jean-Sébastien Renaud" < jean-sebastien.renaud@actimage.com> wrote:

Hi,

What I don't get is why I need those ports if I'm supposed to handle user
with strict network conditions. I get why I need them for all the other
users but can I test if the setup is correct if I only have the port
required for strict network conditions open? That way I would be sure that
this part work (also getting a 10k udp port range approved is going to take
some time and I wouldn't want to get stuck meanwhile).

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 18:08
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

On Tue, Aug 9, 2016 at 11:02 AM, Jean-Sébastien Renaud < > jean-sebastien.renaud@actimage.com> wrote:
> My problem is to get trusted certificate on Jitsi but that's mostly a
detail for now and the main issue is to get Jitsi to work even with strict
network conditions.
> One last thing (I think ^^) from an ealier reply you also said that my
server should also have ports 10k-20k opened for UDP (in addition to 443
TCP) but I wouldn't need anything else?

Yep traffic to these ports needs to reach jvb.

>
> Thank you for your time!
>
> -----Message d'origine-----
> De : users [mailto:users-bounces@jitsi.org] De la part de Damian
> Minkov Envoyé : mardi 9 août 2016 17:47 À : Jitsi Users
> <users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
> Jitsi-videobridge
>
> I don't get it. When jetty is installed it uses the provided scripts to
generate a keystore, there is a command for that and later you can recreate
the keystore.
> You need uninstalling and purging, no config should be left no
/etc/jitsi folder.
>
>
> On Tue, Aug 9, 2016 at 10:07 AM, Jean-Sébastien Renaud < > jean-sebastien.renaud@actimage.com> wrote:
>> Hi,
>>
>> So basically I could uninstall Jitsi, Nginx and reinstall Jitsi and I
would get Jitsi configured with Jetty?
>> My concern about certificates was how to renew them since LE certs only
last 3 months but have a automated renewal process but I could just
intercept the http traffic on the port 80 and redirect it to another
webserver I'd use for renewing only (since Jetty would only serve HTTPS).
Would that be possibe?
>>
>> Regards
>> Jean-Sébastien
>>
>> -----Message d'origine-----
>> De : users [mailto:users-bounces@jitsi.org] De la part de Damian
>> Minkov Envoyé : mardi 9 août 2016 16:51 À : Jitsi Users
>> <users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
>> Jitsi-videobridge
>>
>> Hi,
>>
>> You can use certificates in jetty. You have the choice, one public
address and jetty, two addresses and nginx.
>> Yep that is a basic document how to do it. On ubuntu 16.04 if there is
no nginx installed by default jvb will be installed with jetty configured.
>> The commands that the debian package uses start somewhere here:
>> https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet.pos
>> t
>> inst#L68 there are a lot of ifs, but if you want to do it manually,
>> my advice is reading that script.
>>
>> Regards
>> damencho
>>
>>
>> On Tue, Aug 9, 2016 at 9:23 AM, Jean-Sébastien Renaud < > jean-sebastien.renaud@actimage.com> wrote:
>>> Hi,
>>>
>>> Since I am using a Let's Encrypt certificate for HTTPS (with webroot
plugin) I don't think I'm gonna be able to use jetty (or maybe juste use
the 80 on Nginx for the webroot and prevent Nginx from using :443).
>>> To use the jetty instance, is this documentation the correct one to
>>> follow?
>>> https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md
>>> (I'm not really sure I get how to do each part but I'll see if I get
>>> there)
>>>
>>> Regards
>>> Jean-Sébastien
>>>
>>> -----Message d'origine-----
>>> De : users [mailto:users-bounces@jitsi.org] De la part de Damian
>>> Minkov Envoyé : mardi 9 août 2016 16:05 À : Jitsi Users
>>> <users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
>>> Jitsi-videobridge
>>>
>>> Hi,
>>>
>>> There is no such way currently if you are using nginx. That's the
reason I was telling you that you need two public addresses, one will be
used for nginx:443 traffic, the other one for jvb:443 traffic.
>>> If you are not using nginx and serve meet using the jvb jetty
instance, jvb can do this work for you and can distinguish http traffic to
media over tcp traffic, and then you need only one public ip address.
>>>
>>> Regards
>>> damencho
>>>
>>> On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud < > jean-sebastien.renaud@actimage.com> wrote:
>>>> Hi,
>>>>
>>>> I read on the documentation about the LOCAL_ADDRESS and
PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm
not sure I understand how to distribute the connection from PUBLIC_IP:443
to each LOCAL_IP:443, would you do it by indetifying http and non-http
requests and treating that at the IPTABLES level?
>>>>
>>>> Regards
>>>> Jean-Sébastien
>>>>
>>>> -----Message d'origine-----
>>>> De : users [mailto:users-bounces@jitsi.org] De la part de Damian
>>>> Minkov Envoyé : mardi 9 août 2016 15:29 À : Jitsi Users
>>>> <users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
>>>> Jitsi-videobridge
>>>>
>>>> Hi,
>>>>
>>>> so if you have mapping public to local address, and you can have 2
local addresses for that machine, you can use one of them only for nginx
with forwarding only port 443. And the other one you can use for jvb and
forward udp 10k:20k and 443 and setup binding of jvb to low port and
setting up local and public address properties.
>>>>
>>>> Regards
>>>> damencho
>>>>
>>>> On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud < > jean-sebastien.renaud@actimage.com> wrote:
>>>>>
>>>>>
>>>>> -----Message d'origine-----
>>>>> De : users [mailto:users-bounces@jitsi.org] De la part de Damian
>>>>> Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
>>>>> <users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
>>>>> Jitsi-videobridge
>>>>>
>>>>> On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud < > jean-sebastien.renaud@actimage.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have included the logs from a test I ran with my phone on Chrome
and my laptop on Firefox (couldn’t remember where to find a clear enough
WebRTC log in Chrome) : the logs are from Firefox.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> From what I read the fact that the public IP address of my Jitsi
server in NATed to a local IP adress may also be relevant to my case. Also
now that I understand a bit better how jvb works it seems that event if I
did receive a STUN server I would have problem with the conversation if my
port 4443 is not open.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I am indeed serving meet with Nginx on 443 so what I understood
from your answer and the doc is that I need to have another IP address that
point to my jitsi server, make jvb bind on the 443 of this other IP and
redirect the 443 of the new IP to the 4443 as an internal redirection.
>>>>>
>>>>>>>Is that machine behind nat? and you can use two public addresses
for that machines?
>>>>>
>>>>> The server is behind a NAT (don't know why it's just the way our
network is I guess) but 2 local addresses won't have the same public IP
address (at least that's the case for the servers I worked with so far). I
think I can ask for a 2nd public IP to be redirected to my server local IP
by the NAT.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Also if I don’t need to use a TURN server that’s really a life
saving news that will make me save a lot of time and effort !!!
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Jean-Sébastien
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> De : users [mailto:users-bounces@jitsi.org] De la part de Damian
>>>>>> Minkov Envoyé : lundi 8 août 2016 17:14
>>>>>>
>>>>>>
>>>>>> À : Jitsi Users <users@jitsi.org> Objet : Re: [jitsi-users] Add a
>>>>>> STUN server to Jitsi-videobridge
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud < > jean-sebastien.renaud@actimage.com> wrote:
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>>
>>>>>>
>>>>>> My project needs to be able to handle users in « strict network
conditions » (such as corporate networks with 80+443 TCP only) so from what
I gather I’ll need one TURN server for this.
>>>>>>
>>>>>>
>>>>>>
>>>>>> TURN is a relay, all connections between clients go through jvb,
which means all clients go through relay. That is the reason TURN is not
needed.
>>>>>>
>>>>>>
>>>>>>
>>>>>> If you want to handle port 443 and if you are using nginx to serve
meet, you need a second public ip address to allow jvb to bind to port 443
for its tcp connections, if that port is not available it binds by default
to 4443. If you are using jvb to serve meet jvb should already be using
port 443.
>>>>>>
>>>>>> https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> damencho
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Since I’m also working on a corporate network could the problem
>>>>>> come from having some port restriction on the Jitsi server? (I am
>>>>>> running tests on a regular network like the one you would have at
>>>>>> home for the first tests)
>>>>>>
>>>>>>
>>>>>>
>>>>>> I’ll run another test and attach the logs with 2 Chromes (just to
be sure).
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Jean-Sébastien
>>>>>>
>>>>>>
>>>>>>
>>>>>> De : users [mailto:users-bounces@jitsi.org] De la part de Damian
>>>>>> Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
>>>>>> <users@jitsi.org> Objet : Re: [jitsi-users] Add a STUN server to
>>>>>> Jitsi-videobridge
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud < > jean-sebastien.renaud@actimage.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>>
>>>>>>
>>>>>> I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on
a server for a project I work on and I can see my face when I create a
room, I can also see when someone else joins the room. When I check the
logs I am imformed that « ICE failed » and that « No STUN servers specified
» and I was wondering where I could add a (list of) STUN server(s) on the
configuration files.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I may need to add a TURN server later but for now I mainly want to
fix this issue.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Also correct me if I’m wrong, but from what I understand, even with
2 people having a conversation all the data will go through the
Jitsi-meet/videobridge server? (not that it’s a problem, just want to be
sure).
>>>>>>
>>>>>>
>>>>>>
>>>>>> Yep, that is correct. That's why you do not need a TURN server.
About the stun error this is strange, maybe attaching the logs will help.
>>>>>>
>>>>>>
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> damencho
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thank you,
>>>>>>
>>>>>>
>>>>>>
>>>>>> Jean-Sébastien
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> users@jitsi.org
>>>>>> Unsubscribe instructions and other list options:
>>>>>> http://lists.jitsi.org/mailman/listinfo/users
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> users@jitsi.org
>>>>>> Unsubscribe instructions and other list options:
>>>>>> http://lists.jitsi.org/mailman/listinfo/users
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> users mailing list
>>>>>> users@jitsi.org
>>>>>> Unsubscribe instructions and other list options:
>>>>>> http://lists.jitsi.org/mailman/listinfo/users
>>>>>
>>>>> _______________________________________________
>>>>> users mailing list
>>>>> users@jitsi.org
>>>>> Unsubscribe instructions and other list options:
>>>>> http://lists.jitsi.org/mailman/listinfo/users
>>>>> _______________________________________________
>>>>> users mailing list
>>>>> users@jitsi.org
>>>>> Unsubscribe instructions and other list options:
>>>>> http://lists.jitsi.org/mailman/listinfo/users
>>>>
>>>> _______________________________________________
>>>> users mailing list
>>>> users@jitsi.org
>>>> Unsubscribe instructions and other list options:
>>>> http://lists.jitsi.org/mailman/listinfo/users
>>>> _______________________________________________
>>>> users mailing list
>>>> users@jitsi.org
>>>> Unsubscribe instructions and other list options:
>>>> http://lists.jitsi.org/mailman/listinfo/users
>>>
>>> _______________________________________________
>>> users mailing list
>>> users@jitsi.org
>>> Unsubscribe instructions and other list options:
>>> http://lists.jitsi.org/mailman/listinfo/users
>>> _______________________________________________
>>> users mailing list
>>> users@jitsi.org
>>> Unsubscribe instructions and other list options:
>>> http://lists.jitsi.org/mailman/listinfo/users
>>
>> _______________________________________________
>> users mailing list
>> users@jitsi.org
>> Unsubscribe instructions and other list options:
>> http://lists.jitsi.org/mailman/listinfo/users
>> _______________________________________________
>> users mailing list
>> users@jitsi.org
>> Unsubscribe instructions and other list options:
>> http://lists.jitsi.org/mailman/listinfo/users
>
> _______________________________________________
> users mailing list
> users@jitsi.org
> Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/users
> _______________________________________________
> users mailing list
> users@jitsi.org
> Unsubscribe instructions and other list options:
> http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#19

Ok thank you, since I’m just testing in a dev environment it’s not that critical for now.

So since apparently I can’t get a 2nd public IP address (for now) I tried the 2nd solution you suggested (only installi jitsi without nginx and letting jvb and jetty deal with meet).

I can access the page in https and see my face in a room (so all is fine here) however when I try to do a conversation between 2 devices the only cadidate I receive from jvb are UDP candidates on port 10k and no 443/TCP (so obviously I get an « Ice failed » error).

I have included my videobridge config files which are almost like the one in the the doc except I added the lines needed because I’m behind a NAT and TCP_HARVESTER_MAPPED_PORT (to see if it’s what was missing but it didn’t change anything).

(Btw Do I need to create another topic since I think I got a little bit off-track from the original subject ? :confused: )

Regards
Jean-Sébastien

videobridge_config.txt (989 Bytes)

videobridge_sip-communicator.properties.txt (1.11 KB)

···

De : users [mailto:users-bounces@jitsi.org] De la part de Damian Minkov
Envoyé : mercredi 10 août 2016 14:35
À : Jitsi Users <users@jitsi.org>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

Yep you can try only 443, its just good to have the others if someone is not a restricted network, but it should work and only with tcp available.

On Aug 10, 2016 05:20, "Jean-Sébastien Renaud" <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:
Hi,

What I don't get is why I need those ports if I'm supposed to handle user with strict network conditions. I get why I need them for all the other users but can I test if the setup is correct if I only have the port required for strict network conditions open? That way I would be sure that this part work (also getting a 10k udp port range approved is going to take some time and I wouldn't want to get stuck meanwhile).

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org<mailto:users-bounces@jitsi.org>] De la part de Damian Minkov
Envoyé : mardi 9 août 2016 18:08
À : Jitsi Users <users@jitsi.org<mailto:users@jitsi.org>>
Objet : Re: [jitsi-users] Add a STUN server to Jitsi-videobridge

On Tue, Aug 9, 2016 at 11:02 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:

My problem is to get trusted certificate on Jitsi but that's mostly a detail for now and the main issue is to get Jitsi to work even with strict network conditions.
One last thing (I think ^^) from an ealier reply you also said that my server should also have ports 10k-20k opened for UDP (in addition to 443 TCP) but I wouldn't need anything else?

Yep traffic to these ports needs to reach jvb.

Thank you for your time!

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org<mailto:users-bounces@jitsi.org>] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 17:47 À : Jitsi Users
<users@jitsi.org<mailto:users@jitsi.org>> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

I don't get it. When jetty is installed it uses the provided scripts to generate a keystore, there is a command for that and later you can recreate the keystore.
You need uninstalling and purging, no config should be left no /etc/jitsi folder.

On Tue, Aug 9, 2016 at 10:07 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:

Hi,

So basically I could uninstall Jitsi, Nginx and reinstall Jitsi and I would get Jitsi configured with Jetty?
My concern about certificates was how to renew them since LE certs only last 3 months but have a automated renewal process but I could just intercept the http traffic on the port 80 and redirect it to another webserver I'd use for renewing only (since Jetty would only serve HTTPS). Would that be possibe?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org<mailto:users-bounces@jitsi.org>] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:51 À : Jitsi Users
<users@jitsi.org<mailto:users@jitsi.org>> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

You can use certificates in jetty. You have the choice, one public address and jetty, two addresses and nginx.
Yep that is a basic document how to do it. On ubuntu 16.04 if there is no nginx installed by default jvb will be installed with jetty configured.
The commands that the debian package uses start somewhere here:
https://github.com/jitsi/jitsi-meet/blob/master/debian/jitsi-meet.pos
t
inst#L68 there are a lot of ifs, but if you want to do it manually,
my advice is reading that script.

Regards
damencho

On Tue, Aug 9, 2016 at 9:23 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:

Hi,

Since I am using a Let's Encrypt certificate for HTTPS (with webroot plugin) I don't think I'm gonna be able to use jetty (or maybe juste use the 80 on Nginx for the webroot and prevent Nginx from using :443).
To use the jetty instance, is this documentation the correct one to
follow?
https://github.com/jitsi/jitsi-videobridge/blob/master/doc/http.md
(I'm not really sure I get how to do each part but I'll see if I get
there)

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org<mailto:users-bounces@jitsi.org>] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 16:05 À : Jitsi Users
<users@jitsi.org<mailto:users@jitsi.org>> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

There is no such way currently if you are using nginx. That's the reason I was telling you that you need two public addresses, one will be used for nginx:443 traffic, the other one for jvb:443 traffic.
If you are not using nginx and serve meet using the jvb jetty instance, jvb can do this work for you and can distinguish http traffic to media over tcp traffic, and then you need only one public ip address.

Regards
damencho

On Tue, Aug 9, 2016 at 8:50 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:

Hi,

I read on the documentation about the LOCAL_ADDRESS and PUBLIC_ADDRESS parameters if the videobridge is behind a NAT. However i'm not sure I understand how to distribute the connection from PUBLIC_IP:443 to each LOCAL_IP:443, would you do it by indetifying http and non-http requests and treating that at the IPTABLES level?

Regards
Jean-Sébastien

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org<mailto:users-bounces@jitsi.org>] De la part de Damian
Minkov Envoyé : mardi 9 août 2016 15:29 À : Jitsi Users
<users@jitsi.org<mailto:users@jitsi.org>> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

so if you have mapping public to local address, and you can have 2 local addresses for that machine, you can use one of them only for nginx with forwarding only port 443. And the other one you can use for jvb and forward udp 10k:20k and 443 and setup binding of jvb to low port and setting up local and public address properties.

Regards
damencho

On Tue, Aug 9, 2016 at 1:43 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:

-----Message d'origine-----
De : users [mailto:users-bounces@jitsi.org<mailto:users-bounces@jitsi.org>] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 18:29 À : Jitsi Users
<users@jitsi.org<mailto:users@jitsi.org>> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

On Mon, Aug 8, 2016 at 11:09 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:

Hi,

I have included the logs from a test I ran with my phone on Chrome and my laptop on Firefox (couldn’t remember where to find a clear enough WebRTC log in Chrome) : the logs are from Firefox.

From what I read the fact that the public IP address of my Jitsi server in NATed to a local IP adress may also be relevant to my case. Also now that I understand a bit better how jvb works it seems that event if I did receive a STUN server I would have problem with the conversation if my port 4443 is not open.

I am indeed serving meet with Nginx on 443 so what I understood from your answer and the doc is that I need to have another IP address that point to my jitsi server, make jvb bind on the 443 of this other IP and redirect the 443 of the new IP to the 4443 as an internal redirection.

Is that machine behind nat? and you can use two public addresses for that machines?

The server is behind a NAT (don't know why it's just the way our network is I guess) but 2 local addresses won't have the same public IP address (at least that's the case for the servers I worked with so far). I think I can ask for a 2nd public IP to be redirected to my server local IP by the NAT.

Also if I don’t need to use a TURN server that’s really a life saving news that will make me save a lot of time and effort !!!

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org<mailto:users-bounces@jitsi.org>] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 17:14

À : Jitsi Users <users@jitsi.org<mailto:users@jitsi.org>> Objet : Re: [jitsi-users] Add a
STUN server to Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:56 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:

Thank you,

My project needs to be able to handle users in « strict network conditions » (such as corporate networks with 80+443 TCP only) so from what I gather I’ll need one TURN server for this.

TURN is a relay, all connections between clients go through jvb, which means all clients go through relay. That is the reason TURN is not needed.

If you want to handle port 443 and if you are using nginx to serve meet, you need a second public ip address to allow jvb to bind to port 443 for its tcp connections, if that port is not available it binds by default to 4443. If you are using jvb to serve meet jvb should already be using port 443.

https://github.com/jitsi/jitsi-videobridge/blob/master/doc/tcp.md

Regards

damencho

Since I’m also working on a corporate network could the problem
come from having some port restriction on the Jitsi server? (I am
running tests on a regular network like the one you would have at
home for the first tests)

I’ll run another test and attach the logs with 2 Chromes (just to be sure).

Regards

Jean-Sébastien

De : users [mailto:users-bounces@jitsi.org<mailto:users-bounces@jitsi.org>] De la part de Damian
Minkov Envoyé : lundi 8 août 2016 16:45 À : Jitsi Users
<users@jitsi.org<mailto:users@jitsi.org>> Objet : Re: [jitsi-users] Add a STUN server to
Jitsi-videobridge

Hi,

On Mon, Aug 8, 2016 at 9:36 AM, Jean-Sébastien Renaud <jean-sebastien.renaud@actimage.com<mailto:jean-sebastien.renaud@actimage.com>> wrote:

Hi,

I have installed Jitsi-meet (with Jicofo and Jitsi-videobridge) on a server for a project I work on and I can see my face when I create a room, I can also see when someone else joins the room. When I check the logs I am imformed that « ICE failed » and that « No STUN servers specified » and I was wondering where I could add a (list of) STUN server(s) on the configuration files.

I may need to add a TURN server later but for now I mainly want to fix this issue.

Also correct me if I’m wrong, but from what I understand, even with 2 people having a conversation all the data will go through the Jitsi-meet/videobridge server? (not that it’s a problem, just want to be sure).

Yep, that is correct. That's why you do not need a TURN server. About the stun error this is strange, maybe attaching the logs will help.

Regards

damencho

Thank you,

Jean-Sébastien

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users

_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users
_______________________________________________
users mailing list
users@jitsi.org<mailto:users@jitsi.org>
Unsubscribe instructions and other list options:
http://lists.jitsi.org/mailman/listinfo/users


#20

Do you see anything related in the bridge logs? IIRC there was some issue with having jetty bind on "::" (since the TCP harvester always binds to a specific address).

Regards,
Boris

···

On 10/08/16 11:01, Jean-Sébastien Renaud wrote:

Ok thank you, since I’m just testing in a dev environment it’s not that
critical for now.

So since apparently I can’t get a 2^nd public IP address (for now) I
tried the 2^nd solution you suggested (only installi jitsi without nginx
and letting jvb and jetty deal with meet).

I can access the page in https and see my face in a room (so all is fine
here) however when I try to do a conversation between 2 devices the only
cadidate I receive from jvb are UDP candidates on port 10k and no
443/TCP (so obviously I get an « Ice failed » error).

I have included my videobridge config files which are almost like the
one in the the doc except I added the lines needed because I’m behind a
NAT and TCP_HARVESTER_MAPPED_PORT (to see if it’s what was missing but
it didn’t change anything).