P2P not working properly

I am struggling to find out why P2P is no longer working with computers connecting inside their networks. Not to be confused with corporate Firewalls and the use of TURN servers, P2P seems to only be in use when connecting with external IP addresses and not internal (192.x.x.x).

Can anyone help here?

Your turnserver config, does it look like this: jitsi-meet/turnserver.conf at master · jitsi/jitsi-meet · GitHub

Is the turnserver in the same network as the jvb and the client? Can you give details about the scenario?

It looks like the Jitsi installation comes with coturn, but we want the turnserver on a separate server to handle the high load. We have also tried your default coturn with the default config, but in both cases some people can't establish a P2P connection while some people can. The weird thing is that those participants who could not establish P2P on our setup can establish a P2P connection on another self-hosted, quick-installed Jitsi (default 1-JVB setup). More important is to establish a P2P connection when the turn server is on a separate server. These are our configs; please guide us on what mistake we are making and what the cause and solution are. Thanks. (On AWS servers)

@damencho: "turnserver in same network with jvb and client?"

Their VPC and subnet are the same.

So we did the installation of coturn on a separate server.

This is our config:

/etc/default/coturn

TURNSERVER_ENABLED=1

/etc/turnserver.conf

server-name=turn.example.com
cert=/etc/letsencrypt/live/turn.example.com/fullchain.pem
pkey=/etc/letsencrypt/live/turn.example.com/privkey.pem
realm=turn.example.com
use-auth-secret
keep-address-family
static-auth-secret=xxxxxxxxxxxxxx
#fingerprint
#listening-ip=0.0.0.0
external-ip=13.52.xx.xx/13.52.xx.xxx
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
log-file=/var/log/turnserver.log
verbose

Added the prosody module mod_turncredentials.lua and enabled it in the prosody VirtualHost "meet.example.com":

modules_enabled = {
    "bosh";
    "websocket";
    "smacks";
    "pubsub";
    "ping"; -- Enable mod_ping
    "turncredentials";
    "speakerstats";
    "external_services";
    "conference_duration";
    "muc_lobby_rooms";
    "av_moderation";
    "presence_identity"
}

And also added:

turncredentials_secret = "xxx_same_as_static-auth-secret_from_turnserver.conf";
turncredentials_port = 443;
turncredentials_ttl = 86400;
turncredentials = {
    { type = "stun", host = "turn.example.com" },
    { type = "turn", host = "turn.example.com", port = 443},
    { type = "turns", host = "turn.example.com", port = 443, transport = "tcp" }
}

Our jitsi config.js:

p2p: {
    enabled: true,
    useStunTurn: true, // Using TURN for p2p connections; also tried by commenting this line.
    preferH264: true,
    stunServers: [
        { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
        { urls: 'stun:stun.l.google.com:19302' },
        { urls: 'stun:stun1.l.google.com:19302' },
        { urls: 'stun:stun2.l.google.com:19302' },
    ]
},

useStunTurn: true, // Using the TURN server with JVB (also tried by commenting this line)

To use the TURN server with JVB:

By setting useStunTurn: true and org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true on JVB (in the sip-communicator.properties file), we can turn off the TCP harvester of JVB and use the TURN server for TCP connections. With this method JVB will only be using UDP. If a participant fails to establish a UDP connection with the bridge, the TURN server will establish a TCP connection with the participant and then relay the media traffic over UDP to the bridge. So org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true is added.

Multi-JVB and region-based Octo scaling (Nginx GeoIP-based region routing).

Ports open on the coturn server:

Port           Protocol  Source
3478           UDP       0.0.0.0/0
3478           UDP       ::/0
80             TCP       0.0.0.0/0
80             TCP       ::/0
22             TCP       0.0.0.0/0
22             TCP       ::/0
10000 - 20000  UDP       0.0.0.0/0
10000 - 20000  UDP       ::/0
443            TCP       0.0.0.0/0
443            TCP       ::/0

For the main Jitsi host (Jicofo + prosody + Nginx + jitsi frontend) and all separate JVBs these ports are open:

Port           Protocol  Source
22             TCP       0.0.0.0/0
80             TCP       0.0.0.0/0
80             TCP       ::/0
443            TCP       0.0.0.0/0
443            TCP       ::/0
3478           TCP       0.0.0.0/0
3478           TCP       ::/0
4096           UDP       0.0.0.0/0
4096           UDP       ::/0
4443           TCP       0.0.0.0/0
4443           TCP       ::/0
5222           TCP       0.0.0.0/0
5222           TCP       ::/0
5347           TCP       0.0.0.0/0
5347           TCP       ::/0
5349           TCP       0.0.0.0/0
5369           TCP       0.0.0.0/0
5369           TCP       ::/0
8080           TCP       0.0.0.0/0
8080           TCP       ::/0
9090           TCP       0.0.0.0/0
9090           TCP       ::/0
10000 - 20000  UDP       0.0.0.0/0
10000 - 20000  UDP       ::/0
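The post above wires prosody's turncredentials_secret to coturn's static-auth-secret and relies on use-auth-secret. The script below is an added example for this thread, not code from Jitsi, prosody or coturn: it checks that the two secrets really match and reproduces the credentials the shared secret yields, assuming the TURN REST API scheme coturn documents for use-auth-secret and that mod_turncredentials implements (username = "<unix expiry>[:<label>]", password = base64(HMAC-SHA1(secret, username))). The two config bodies are constructed stand-ins for /etc/turnserver.conf and the prosody VirtualHost, with a made-up secret.

```python
"""Check the shared TURN secret and reproduce the credentials it yields.

Added example for the thread above, not code from Jitsi, prosody or coturn.
Assumed scheme (coturn's TURN REST API for `use-auth-secret`):
  username = "<unix expiry>[:<label>]"
  password = base64(HMAC-SHA1(static-auth-secret, username))
The two config bodies below are constructed, with a made-up secret.
"""
import base64
import hashlib
import hmac
import re
import time
from typing import Optional, Tuple

TURNSERVER_CONF = """\
use-auth-secret
static-auth-secret=0123456789abcdef0123456789abcdef
realm=turn.example.com
"""

PROSODY_VHOST = """\
turncredentials_secret = "0123456789abcdef0123456789abcdef";
turncredentials_port = 443;
turncredentials_ttl = 86400;
"""

_TURN_SECRET_RE = re.compile(r"^\s*static-auth-secret\s*=\s*(\S+)", re.M)
_PROSODY_SECRET_RE = re.compile(r'^\s*turncredentials_secret\s*=\s*"([^"]*)"', re.M)


def secret_from_turnserver_conf(text: str) -> Optional[str]:
    """static-auth-secret from a turnserver.conf body, or None if absent."""
    m = _TURN_SECRET_RE.search(text)
    return m.group(1) if m else None


def secret_from_prosody_cfg(text: str) -> Optional[str]:
    """turncredentials_secret from a prosody config body, or None if absent."""
    m = _PROSODY_SECRET_RE.search(text)
    return m.group(1) if m else None


def secrets_match(turn_cfg: str, prosody_cfg: str) -> bool:
    """True only if both secrets are present and byte-for-byte identical."""
    a = secret_from_turnserver_conf(turn_cfg)
    b = secret_from_prosody_cfg(prosody_cfg)
    return a is not None and b is not None and hmac.compare_digest(a, b)


def _password_for(secret: str, username: str) -> str:
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def make_turn_credentials(secret: str, ttl: int, now: int,
                          label: str = "") -> Tuple[str, str]:
    """The (username, password) pair prosody hands to a browser client."""
    expiry = now + ttl
    username = f"{expiry}:{label}" if label else str(expiry)
    return username, _password_for(secret, username)


def verify_turn_credentials(secret: str, username: str, password: str,
                            now: int) -> bool:
    """Server-side check: the expiry in the username must still be in the
    future and the HMAC must match.  A secret mismatch between prosody and
    coturn makes every client's allocation fail at exactly this point."""
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if expiry <= now:
        return False
    return hmac.compare_digest(_password_for(secret, username), password)


if __name__ == "__main__":
    now = int(time.time())
    print("secrets match:", secrets_match(TURNSERVER_CONF, PROSODY_VHOST))
    user, pw = make_turn_credentials(
        secret_from_turnserver_conf(TURNSERVER_CONF), 86400, now)
    # Hand the pair to coturn's own test client to confirm the server accepts it.
    print(f"turnutils_uclient -v -u {user} -w {pw} -p 3478 turn.example.com")
```

Run it against the real files by reading them into the two strings; if secrets_match is False, coturn will answer every allocation with an authentication failure and no relayed or TURN-assisted P2P connection can succeed, regardless of the port table.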

Drop this and make sure your coturn can reach jvb using its public address on port 10000 udp.

And you'd better use this template for your config: jitsi-meet/turnserver.conf at master · jitsi/jitsi-meet · GitHub
There is some denied-peer-ip stuff in there which is important for security reasons.
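As an added example for the reply above (not code from Jitsi or coturn), the script below audits a turnserver.conf for the relay-scope restrictions the reply points at. The semantics it relies on are coturn's documented ones: an authenticated TURN client can ask the relay to send to any peer address the coturn host can reach unless that peer falls in a denied-peer-ip range, so on a shared VPC a TURN user could otherwise reach the JVB, prosody or the 169.254.169.254 instance metadata endpoint through the relay; denying the private ranges is also why the relay has to reach the JVB on its public address. The denied ranges in HARDENED_CONF are the usual private and special-purpose set, an assumption about what the template lists rather than a copy of it; both config bodies are constructed, the first mirroring the config posted in the thread.

```python
"""Audit a turnserver.conf for relay-scope restrictions (denied-peer-ip etc.).

Added example for the thread above; not code from Jitsi or coturn.
Assumed semantics: coturn relays to any peer not covered by a
`denied-peer-ip` range.  DENIED_RANGES is the usual private/special set and
is an assumption about the Jitsi template, not a copy of it.  Both config
bodies are constructed; POSTED_CONF mirrors the thread's config.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

POSTED_CONF = """\
use-auth-secret
keep-address-family
static-auth-secret=xxxxxxxxxxxxxx
realm=turn.example.com
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
"""

DENIED_RANGES = """\
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
"""
HARDENED_CONF = POSTED_CONF + DENIED_RANGES

# Bare options the relay should keep; the posted config already has all of them.
EXPECTED_FLAGS = ["use-auth-secret", "no-multicast-peers", "no-loopback-peers",
                  "no-cli", "no-tlsv1", "no-tlsv1_1"]

# One probe address per range that must never be reachable through the relay.
PROBES = [
    ("10.0.0.1", "RFC 1918 10.0.0.0/8 (typical AWS VPC range)"),
    ("172.16.0.1", "RFC 1918 172.16.0.0/12"),
    ("192.168.1.1", "RFC 1918 192.168.0.0/16"),
    ("127.0.0.1", "loopback"),
    ("169.254.169.254", "link-local, including the instance metadata endpoint"),
]


def parse_turnserver_conf(text: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Split a coturn config into bare flags and key=value options; values
    keep every occurrence because denied-peer-ip repeats."""
    flags: Set[str] = set()
    values: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values.setdefault(key, []).append(value)
        else:
            flags.add(line)
    return flags, values


def denied_networks(specs: List[str]) -> list:
    """Expand coturn 'first-last' (or CIDR) denied-peer-ip specs to networks."""
    nets = []
    for spec in specs:
        if "-" in spec:
            lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(lo, hi))
        else:
            nets.append(ipaddress.ip_network(spec, strict=False))
    return nets


def relay_denied(nets: list, peer: str) -> bool:
    """True if the relay would refuse to send to `peer` under these ranges."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in nets)


def audit_turnserver_conf(text: str) -> List[str]:
    """Human-readable findings; an empty list means every expected flag is
    present and every probed internal range is denied."""
    flags, values = parse_turnserver_conf(text)
    findings = [f"missing flag: {f}" for f in EXPECTED_FLAGS if f not in flags]
    nets = denied_networks(values.get("denied-peer-ip", []))
    for probe, what in PROBES:
        if not relay_denied(nets, probe):
            findings.append(f"relay to {what} ({probe}) is not denied")
    return findings


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_turnserver_conf(conf) or ['ok']}")
```

Point the audit at the real /etc/turnserver.conf after copying the template over; the posted config passes every flag check and fails only on the missing denied-peer-ip ranges, which is precisely the gap the reply is about.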