No video or audio with "internal_plain" room authentication from certain networks

First of all, thank you for the great application.

We have a situation where, in some cases, when a client is connecting from a firewalled and NATted connection, they are only able to chat. No video or audio. From some networks everything works fine. The JVB log shows “Pair failed” errors that might be related.

2020-04-09 16:44:04.464 INFO: [29949] [confId=27022a58966ce470 gid=ffd9ba stats_id=Alana-3Kf conf_name=testing ufrag=6jh451e5fitrtn epId=7ab7f947 local_ufrag=6jh451e5fitrtn] ConnectivityCheckClient$PaceMaker.run#922: Pair failed: MY_PUBLIC_IP:10000/udp/host -> 10.11.160.88:53028/udp/host (stream-7ab7f947.RTP)

While debugging, we noticed that the problem begins when enabling authentication for the rooms (secure-domain guide), especially when adding the “anonymousdomain” variable in meet/jitsi-config.js. Without adding the anonymousdomain, Jitsi requires authentication for all users, but video and audio work.

The only “abnormal” configuration is that our hosting provider has a “catch-all” DNS for subdomains, meaning that “guest.myjitsidomain.fi” will resolve to an unrelated IP address. Could this be related?

OS: Ubuntu 18.04.4 LTS

Packages:
ii jitsi-meet 2.0.4384-1 all WebRTC JavaScript video conferences
ii jitsi-meet-prosody 1.0.3969-1 all Prosody configuration for Jitsi Meet
ii jitsi-meet-turnserver 1.0.3969-1 all Configures coturn to be used with Jitsi Meet
ii jitsi-meet-web 1.0.3969-1 all WebRTC JavaScript video conferences
ii jitsi-meet-web-config 1.0.3969-1 all Configuration for web serving of Jitsi Meet
ii jitsi-videobridge2 2.1-164-gfdce823f-1 all WebRTC compatible Selective Forwarding Unit (SFU)
ii coturn 4.5.0.7-1ubuntu2.18.04.1 amd64 TURN and STUN server for VoIP
ii prosody 0.10.0-1build1 amd64 Lightweight Jabber/XMPP server
ii java-common 0.68ubuntu1~18.04.1 all Base package for Java runtimes

Configuration

# cat /etc/jitsi/jicofo/sip-communicator.properties 
org.jitsi.jicofo.BRIDGE_MUC=JvbBrewery@internal.auth.myjitsidomain.fi
org.jitsi.jicofo.auth.URL=XMPP:myjitsidomain.fi
# cat /etc/jitsi/videobridge/sip-communicator.properties 
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=meet-jit-si-turnrelay.jitsi.net:443
org.jitsi.videobridge.ENABLE_STATISTICS=true
org.jitsi.videobridge.STATISTICS_TRANSPORT=muc
org.jitsi.videobridge.xmpp.user.shard.HOSTNAME=localhost
org.jitsi.videobridge.xmpp.user.shard.DOMAIN=auth.myjitsidomain.fi
org.jitsi.videobridge.xmpp.user.shard.USERNAME=jvb
org.jitsi.videobridge.xmpp.user.shard.PASSWORD=JIwAcooE
org.jitsi.videobridge.xmpp.user.shard.MUC_JIDS=JvbBrewery@internal.auth.myjitsidomain.fi
org.jitsi.videobridge.xmpp.user.shard.MUC_NICKNAME=2774de2d-cf5b-438f-b05e-efeca0ee4fe2
# cat /etc/jitsi/meet/myjitsidomain.fi-config.js 
var config = {
    hosts: {
        domain: 'myjitsidomain.fi',
        anonymousdomain: 'guest.myjitsidomain.fi',
    },
    testing: {
        enableFirefoxSimulcast: false,
        p2pTestMode: false
    },
    enableNoAudioDetection: true,
    enableNoisyMicDetection: true,
    desktopSharingChromeExtId: null,
    desktopSharingChromeSources: [ 'screen', 'window', 'tab' ],
    desktopSharingChromeMinExtVersion: '0.1',
    channelLastN: -1,
    useStunTurn: true,
    enableWelcomePage: true,
    enableUserRolesBasedOnToken: false,
    p2p: {
        enabled: true,
        useStunTurn: true,
        stunServers: [
            { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' }
        ],
        preferH264: true
    },
    analytics: {
    },
    deploymentInfo: {
    },
};
# cat /etc/prosody/conf.d/myjitsidomain.fi.cfg.lua 
plugin_paths = { "/usr/share/jitsi-meet/prosody-plugins/" }

-- domain mapper options, must at least have domain base set to use the mapper
muc_mapper_domain_base = "myjitsidomain.fi";

turncredentials_secret = "SECRET_HERE";

turncredentials = {
  { type = "stun", host = "myjitsidomain.fi", port = "443" },
  { type = "turn", host = "myjitsidomain.fi", port = "443", transport = "udp" },
  { type = "turns", host = "myjitsidomain.fi", port = "443", transport = "tcp" }
};

cross_domain_bosh = false;
consider_bosh_secure = true;

VirtualHost "myjitsidomain.fi"
        -- enabled = false -- Remove this line to enable this host
        authentication = "internal_plain"
        -- Properties below are modified by jitsi-meet-tokens package config
        -- and authentication above is switched to "token"
        --app_id="example_app_id"
        --app_secret="example_app_secret"
        -- Assign this host a certificate for TLS, otherwise it would use the one
        -- set in the global section (if any).
        -- Note that old-style SSL on port 5223 only supports one certificate, and will always
        -- use the global one.
        ssl = {
                key = "/etc/prosody/certs/myjitsidomain.fi.key";
                certificate = "/etc/prosody/certs/myjitsidomain.fi.crt";
        }
        speakerstats_component = "speakerstats.myjitsidomain.fi"
        conference_duration_component = "conferenceduration.myjitsidomain.fi"
        -- we need bosh
        modules_enabled = {
            "bosh";
            "pubsub";
            "ping"; -- Enable mod_ping
            "speakerstats";
            "turncredentials";
            "conference_duration";
        }
        c2s_require_encryption = false

Component "conference.myjitsidomain.fi" "muc"
    storage = "none"
    modules_enabled = {
        "muc_meeting_id";
        "muc_domain_mapper";
        -- "token_verification";
    }
    admins = { "focus@auth.myjitsidomain.fi" }
    muc_room_locking = false
    muc_room_default_public_jids = true

-- internal muc component
Component "internal.auth.myjitsidomain.fi" "muc"
    storage = "none"
    modules_enabled = {
      "ping";
    }
    admins = { "focus@auth.myjitsidomain.fi", "jvb@auth.myjitsidomain.fi" }

VirtualHost "auth.myjitsidomain.fi"
    ssl = {
        key = "/etc/prosody/certs/auth.myjitsidomain.fi.key";
        certificate = "/etc/prosody/certs/auth.myjitsidomain.fi.crt";
    }
    authentication = "internal_plain"

Component "focus.myjitsidomain.fi"
    component_secret = "SECRET_HERE"

Component "speakerstats.myjitsidomain.fi" "speakerstats_component"
    muc_component = "conference.myjitsidomain.fi"

Component "conferenceduration.myjitsidomain.fi" "conference_duration_component"
    muc_component = "conference.myjitsidomain.fi"

VirtualHost "guest.myjitsidomain.fi"
    authentication = "anonymous"
    c2s_require_encryption = false
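Added diagnostic, not part of the original post or of Jitsi: the ICE "Pair failed" line quoted above tells you what the bridge tried, and a quick classification of such lines separates an expected failure from a suspicious one. The remote candidate 10.11.160.88 is an RFC 1918 host address, so the bridge could never have reached it; what matters is whether the same endpoint ever offered a server-reflexive (srflx) or relay candidate. An endpoint that only ever shows private host candidates never got relay candidates from a TURN server. The sample log is constructed: the first line is the one from the post (MY_PUBLIC_IP placeholder kept), the other three are made up for a hypothetical second endpoint.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# RFC 1918 plus CGNAT space. A remote *host* candidate in one of these ranges is the
# client's LAN address, which a bridge on the public internet can never reach, so a
# failed pair against it is expected; what matters is whether any srflx/relay pair exists.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Constructed sample. Line 1 is the JVB line quoted in the post (MY_PUBLIC_IP placeholder
# kept). The other lines are made up here for a second, hypothetical endpoint whose
# client also offered server-reflexive (srflx) and relay candidates.
SAMPLE_LOG = """\
2020-04-09 16:44:04.464 INFO: [29949] [confId=27022a58966ce470 gid=ffd9ba stats_id=Alana-3Kf conf_name=testing ufrag=6jh451e5fitrtn epId=7ab7f947 local_ufrag=6jh451e5fitrtn] ConnectivityCheckClient$PaceMaker.run#922: Pair failed: MY_PUBLIC_IP:10000/udp/host -> 10.11.160.88:53028/udp/host (stream-7ab7f947.RTP)
2020-04-09 16:44:05.120 INFO: [29949] [confId=27022a58966ce470 gid=ffd9ba conf_name=testing epId=1b2c3d4e] ConnectivityCheckClient$PaceMaker.run#922: Pair failed: MY_PUBLIC_IP:10000/udp/host -> 192.168.1.20:55000/udp/host (stream-1b2c3d4e.RTP)
2020-04-09 16:44:05.130 INFO: [29949] [confId=27022a58966ce470 gid=ffd9ba conf_name=testing epId=1b2c3d4e] ConnectivityCheckClient$PaceMaker.run#922: Pair failed: MY_PUBLIC_IP:10000/udp/host -> 198.51.100.9:60001/udp/srflx (stream-1b2c3d4e.RTP)
2020-04-09 16:44:05.140 INFO: [29949] [confId=27022a58966ce470 gid=ffd9ba conf_name=testing epId=1b2c3d4e] ConnectivityCheckClient$PaceMaker.run#922: Pair failed: MY_PUBLIC_IP:10000/udp/host -> 198.51.100.200:49170/udp/relay (stream-1b2c3d4e.RTP)
"""

PAIR_RE = re.compile(
    r"epId=(?P<ep>[0-9a-f]+).*?Pair failed: (?P<local>\S+) -> (?P<remote>\S+) \(")


def split_candidate(cand):
    """'10.11.160.88:53028/udp/host' -> ('10.11.160.88', 53028, 'udp', 'host')."""
    addr, _, rest = cand.rpartition(":")
    port, proto, ctype = rest.split("/")
    return addr, int(port), proto, ctype


def classify_address(addr):
    """'private' (RFC 1918/CGNAT), 'public', or 'placeholder' for redacted tokens."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "placeholder"
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"


def analyze(log_text):
    """Per endpoint id: a Counter of remote candidate types seen in failed pairs and a
    flag that is True when every remote candidate was a private host address."""
    per_ep = defaultdict(lambda: {"remote_types": Counter(), "private_host_only": True})
    for line in log_text.splitlines():
        m = PAIR_RE.search(line)
        if not m:
            continue
        raddr, _, _, rtype = split_candidate(m.group("remote"))
        info = per_ep[m.group("ep")]
        info["remote_types"][rtype] += 1
        if not (rtype == "host" and classify_address(raddr) == "private"):
            info["private_host_only"] = False
    return dict(per_ep)


def suspicious_endpoints(log_text):
    """Endpoints that never presented a reachable (srflx/relay or public host) candidate.
    Such a client gathered no TURN relay candidates at all, which is consistent with it
    never having been given TURN credentials rather than with coturn rejecting it."""
    return sorted(ep for ep, info in analyze(log_text).items() if info["private_host_only"])


if __name__ == "__main__":
    for ep, info in analyze(SAMPLE_LOG).items():
        state = "private-host-only" if info["private_host_only"] else "ok"
        print(ep, dict(info["remote_types"]), state)
    print("suspicious:", suspicious_endpoints(SAMPLE_LOG))
```

Run it against a real JVB log with `python3 pairs.py < /dev/null` after pointing `SAMPLE_LOG` at the file contents; an endpoint listed as suspicious is worth correlating with the coturn log for that minute (the second poster below reports coturn logging nothing at all, which is the same signal from the other side).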

Yesterday, we also noticed that when enabling the authentication, the fallback to the TURN server fails on the client. We do not know if the problem is located in prosody (which should store the configuration of the turnserver and provide tokens to access the turnserver, as we understood), or in the web client, which “forgets” to fall back to TURN after authentication.

The symptoms are the same as yours: people behind a firewall are able to join a room, but no video or audio streams are exchanged. They appear as dark screens.

On the TURN side, nothing happens in the logs (even after having enabled verbose and Verbose in the config). It seems that no one tries to connect to this server.

Removing the authentication with internal_plain puts an end to the problem.

We do not know where to start for debugging this.

I have also noticed something in the turn log (Bad configuration format: keep-address-family). Do you have the same?

0: log file opened: /var/log/turn_947_2020-04-09.log
0: 
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Coturn-4.5.0.7 'dan Eider'
0: 
Max number of open files/sockets allowed for this process: 4096
0: 
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 2000 (approximately)
0: 

==== Show him the instruments, Practical Frost: ====

0: TLS supported
0: DTLS supported
0: DTLS 1.2 supported
0: TURN/STUN ALPN supported
0: Third-party authorization (oAuth) supported
0: GCM (AEAD) supported
0: OpenSSL compile-time version: OpenSSL 1.1.0g  2 Nov 2017 (0x1010007f)
0: 
0: SQLite supported, default database location is /var/lib/turn/turndb
0: Redis supported
0: PostgreSQL supported
0: MySQL supported
0: MongoDB is not supported
0: 
0: Default Net Engine version: 3 (UDP thread per CPU core)

=====================================================

0: Bad configuration format: keep-address-family

I do not remember having noticed this message in the logs. I didn’t touch the /etc/turnserver.conf file.

We are using Debian 10.

I think this problem might be the same as in: UDP port 10000 blocked behind corporate firewall - possible approaches

Unfortunately it is a bit unclear how exactly it was solved. I tried adding the turnserver module in the prosody configuration (/etc/prosody/conf.d/myjitsidomain.fi.cfg.lua) but it did not make any difference:

VirtualHost "guest.myjitsidomain.fi"
    authentication = "anonymous"
    c2s_require_encryption = false
    modules_enabled = {
        "turncredentials";
    }
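Added check, not code from the thread or from the Jitsi project: the three files changed in this thread (config.js, the prosody config, and /etc/turnserver.conf) have to agree with each other for guests to be told about the TURN server, and the consistency conditions are easy to script. Guests log in to the anonymous VirtualHost, so mod_turncredentials has to be loaded there (the change tried just above), and the secret prosody signs credentials with has to equal coturn's `static-auth-secret` under `use-auth-secret`. The samples are constructed: the config.js and prosody fragments are trimmed from the original post (SECRET_HERE placeholders kept), and the turnserver.conf fragment is made up, since the post does not show that file.

```python
import re

# Constructed samples, trimmed from the files quoted in the post (SECRET_HERE placeholders
# kept). TURNSERVER_CONF is made up here; the post does not show /etc/turnserver.conf.
MEET_CONFIG_JS = """\
var config = {
    hosts: {
        domain: 'myjitsidomain.fi',
        anonymousdomain: 'guest.myjitsidomain.fi',
    },
};
"""
PROSODY_CFG = """\
turncredentials_secret = "SECRET_HERE";
VirtualHost "myjitsidomain.fi"
        authentication = "internal_plain"
        modules_enabled = {
            "bosh";
            "ping"; -- Enable mod_ping
            "turncredentials";
        }
VirtualHost "auth.myjitsidomain.fi"
    authentication = "internal_plain"
VirtualHost "guest.myjitsidomain.fi"
    authentication = "anonymous"
    c2s_require_encryption = false
"""
# The same file with the change the follow-up post tried on the guest VirtualHost.
PROSODY_CFG_GUEST_TURN = PROSODY_CFG + '    modules_enabled = { "turncredentials"; }\n'
TURNSERVER_CONF = """\
use-auth-secret
static-auth-secret=SECRET_HERE
realm=myjitsidomain.fi
"""

SECTION_RE = re.compile(r'^\s*(VirtualHost|Component)\s+"([^"]+)"')
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"')
MODULES_RE = re.compile(r'^\s*modules_enabled\s*=\s*{')


def parse_prosody(text):
    """Minimal reader for the Jitsi-style prosody config: per VirtualHost/Component it
    keeps string assignments (authentication, ...) and the modules_enabled names.
    Settings before the first section land in '_global'."""
    sections = {"_global": {"kind": "global", "modules": set()}}
    current, in_modules = sections["_global"], False
    for raw in text.splitlines():
        line = raw.split("--", 1)[0]                 # strip Lua line comments
        if in_modules:                               # inside a multi-line modules_enabled
            current["modules"].update(re.findall(r'"([^"]+)"', line))
            in_modules = "}" not in line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(2), {"kind": m.group(1), "modules": set()})
        elif MODULES_RE.match(line):
            current["modules"].update(re.findall(r'"([^"]+)"', line))
            in_modules = "}" not in line
        else:
            m = ASSIGN_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return sections


def parse_turnserver(text):
    """coturn's key=value / bare-flag format; bare flags are stored as True."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            opts[key.strip()] = value.strip() or True
    return opts


def parse_meet_hosts(js):
    """Pull hosts.domain / hosts.anonymousdomain out of config.js without a JS parser."""
    return dict(re.findall(r"\b(domain|anonymousdomain)\s*:\s*'([^']+)'", js))


def lint(meet_js, prosody_text, turnserver_text):
    """Cross-check the three files the thread touches. Returns a list of findings."""
    findings = []
    hosts = parse_meet_hosts(meet_js)
    cfg = parse_prosody(prosody_text)
    turn = parse_turnserver(turnserver_text)
    guest = hosts.get("anonymousdomain")
    if guest and cfg.get(guest, {}).get("authentication") != "anonymous":
        findings.append(f'{guest}: config.js anonymousdomain has no VirtualHost with authentication = "anonymous"')
    # Guests log in to the anonymous VirtualHost, so that is where mod_turncredentials
    # must be loaded for them to be told about the TURN server at all.
    for name, sec in cfg.items():
        if sec.get("authentication") == "anonymous" and "turncredentials" not in sec["modules"]:
            findings.append(f'{name}: authentication = "anonymous" but "turncredentials" is not in modules_enabled')
    secret = cfg["_global"].get("turncredentials_secret")
    if not secret:
        findings.append("prosody: turncredentials_secret is not set")
    elif turn.get("use-auth-secret") is not True or turn.get("static-auth-secret") != secret:
        findings.append("turnserver.conf: use-auth-secret/static-auth-secret does not match prosody's turncredentials_secret")
    return findings


if __name__ == "__main__":
    print("as posted:", lint(MEET_CONFIG_JS, PROSODY_CFG, TURNSERVER_CONF))
    print("guest host with turncredentials:", lint(MEET_CONFIG_JS, PROSODY_CFG_GUEST_TURN, TURNSERVER_CONF))
```

On the files as originally posted the only finding is the guest VirtualHost without "turncredentials"; with the follow-up change it reports nothing, so if the symptom persists after that, the config consistency covered here is not the cause and the client-side XMPP traffic (the disco#items/external services exchange on the guest host) is the next thing to capture.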

I was having the same problem using docker-jitsi-meet – my calls connect (for chat etc.) but pass no audio or video between participants. So I tried disabling authentication in .env, deleting the config tree and relaunching the docker containers, and sure enough now my calls work (at least up to 2 members, haven’t tested more yet).

So hopefully someone can figure out why auth is breaking calls, because I’m not keen on having a publicly accessible server with no authentication whatsoever. But in the meantime, is there some other way I can add a basic auth layer to my docker-jitsi-meet setup? Like a basic username and password on the web server itself, rather than on the rooms? Can anyone point me to info on how to set that up?

Continuing to discuss the issue in the thread:
https://community.jitsi.org/t/2-users-works-fine-3rd-user-come-in-and-audio-video-stop/29236/12