Routing SFU Traffic Over TCP

In the self hosting guide, under “Setting up TURN”, it explains how to route P2P traffic over TCP 443, but there are no such instructions for SFU.

Is it possible to have the SFU (non-P2P) traffic also route over TCP 443?

I see that when I have p2p.enabled = false, if I block the UDP ports to our Jitsi server, I lose my video, so it seems to only use UDP for communication

TURN is not only for P2P. It routes traffic if the participant cannot connect to JVB directly.

I have entered our STUN / TURN servers as per:

and

When I block the UDP ports and try to make SFU connections, I get failing connections.

There seems to be a connection, sometimes even some stats, but the video never shows and after a few seconds it fails

Apply only what you see in Jitsi Meet Handbook. Don’t change jitsi-meet config.

TURN server must be able to connect to JVB (to itself if it’s on the same server) through the public IP

I think we’re misunderstanding each other here. I haven’t changed any jitsi-meet settings. We don’t use jitsi-meet. We only use jitsi server and the lib-jitsi-meet API

I only used the referenced docs to set our STUN / TURN servers

p2p: {
    enabled: false,
    stunServers: [
        {urls: 'stun:al01relay.something.com:3478'},
        {urls: 'turn:al01relay.something.com:80', username: 'test', credential: 'password'},
        {urls: 'turn:al01relay.something.com:443', username: 'test', credential: 'password'},
        {urls: 'turn:al01relay.something.com:3478', username: 'test', credential: 'password'}
    ]
}

in the conference options

_this.conference = _this.connection.initJitsiConference(roomName, _this.conferenceOptions);

The server configs are unchanged

So my question is: those STUN / TURN settings in the P2P options, how can I make them also apply to SFU connections?

These are the STUN servers of jitsi-meet and not directly related to what you need. Update TURNS in prosody config

Make sure turn can use udp, the turn server connects to the bridge as a regular client on public address using udp, if you block all udp you block and turn server.

Turn servers are coming from prosody, because the short-term passwords are generated on request …

“Make sure turn can use udp, the turn server connects to the bridge as a regular client on public address using udp, if you block all udp you block and turn server”

The TURN to bridge connection is not limited. The UDP ports are only blocked on the client.

I managed to get the connections working with UDP ports blocked by setting

JVB_TCP_HARVESTER_DISABLED=false

in the .env file and then restarting the docker container.

Seems that’s what I needed to route the SFU traffic over TCP

You are probably connecting to the bridge using TCP, which is not recommended … Apparently, your turn server is not working, either port blocked or not valid certificates.

The TCP routing is just meant as a fallback for restrictive networks, so I’m testing it by intentionally blocking my computer’s UDP ports

I see that the TCP traffic defaults to port 4443, because 443 is already in use. I need the traffic to use port 443 in the case of restrictive networks.

I tried these settings in the .env file:

# TCP Fallback for Jitsi Videobridge for when UDP isn't available
JVB_TCP_HARVESTER_DISABLED=false
JVB_TCP_PORT=4443
JVB_TCP_MAPPED_PORT=443

But it still uses TCP 4443 when the UDP ports are blocked

What is the recommended way to do this?
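
One way to check which candidates a client can still reach when UDP is blocked, as an added example that is not from the thread or from the Jitsi project: it parses ICE candidate lines and filters them by an egress policy. The `parseCandidate` and `reachable` names, the addresses and the ports are assumptions made for illustration; real lines would be taken from the session's remote description.

```javascript
// Added example: classify ICE candidate lines by what a restrictive egress
// policy would let through. All sample candidates below are constructed.

// Parse one "candidate:" line (RFC 8839 grammar) into its fields.
function parseCandidate(line) {
  const parts = line.trim().replace(/^a=/, '').split(/\s+/);
  if (parts.length < 8 || !parts[0].startsWith('candidate:') || parts[6] !== 'typ') {
    throw new Error('not an ICE candidate line: ' + line);
  }
  const cand = {
    transport: parts[2].toLowerCase(),
    address: parts[4],
    port: Number(parts[5]),
    type: parts[7],
  };
  // Extension attributes come as key/value pairs (raddr, rport, tcptype, ...).
  for (let i = 8; i + 1 < parts.length; i += 2) {
    cand[parts[i]] = parts[i + 1];
  }
  return cand;
}

// Keep candidates a client could actually dial under the given egress policy.
// policy: { udp: boolean, tcpPorts: number[] | null } where null = any TCP port
function reachable(lines, policy) {
  return lines.map(parseCandidate).filter((c) => {
    if (c.transport === 'udp') return policy.udp;
    // A client can only connect out to a TCP candidate that listens (passive).
    if (c.transport !== 'tcp' || c.tcptype !== 'passive') return false;
    return policy.tcpPorts === null || policy.tcpPorts.includes(c.port);
  });
}

// Constructed remote candidates, shaped like what a bridge might advertise.
const advertised = [
  'candidate:1 1 udp 2130706431 203.0.113.10 10000 typ host generation 0',
  'candidate:2 1 tcp 2113932031 203.0.113.10 4443 typ host tcptype passive generation 0',
];
// Same set, but with the TCP candidate advertised on 443 instead of 4443.
const mapped = advertised.map((l) => l.replace(' 4443 ', ' 443 '));

const udpBlocked = { udp: false, tcpPorts: null };  // test setup: UDP dropped
const only443 = { udp: false, tcpPorts: [443] };    // restrictive network

console.log(reachable(advertised, udpBlocked).map((c) => c.port));
console.log(reachable(advertised, only443).length);
console.log(reachable(mapped, only443).map((c) => c.port));
```

Blocking only UDP on the test machine still leaves the 4443 candidate reachable, so that test passes where a network allowing only TCP 443 would not; the check has to look at the port actually advertised in the candidate.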