Setting Jitsi to work behind strict firewall

Hello,

We are running a standalone Jitsi deployment on a server with Ubuntu 20.04. The service runs fine, but when someone who is behind a strict firewall wants to join the call, they don’t get any audio/video.
I looked at similar topics and the solution seems to be to run a TURN server, so I have tried to deploy coturn on the same machine, but without success. I want a setup where coturn and the Jitsi frontend are running on the same server.

My current settings are:
/etc/turnserver.conf


use-auth-secret
keep-address-family
static-auth-secret=**my_secret**
realm=**server_FQDN**
cert=/etc/letsencrypt/live/**server_FQDN**/cert.pem
pkey=/etc/letsencrypt/live/**server_FQDN**/privkey.pem
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
syslog

/etc/jitsi/meet/server_fqdn-config.js

    p2p: {
        enabled: true,
        useStunTurn: true,
        stunServers: [
            { urls: "stun:server_fqdn:443" }
        ],
        preferH264: true,
        disableH264: true,
    },
    useStunTurn: true,

/etc/prosody/conf.avail/server_fqdn.cfg.lua

turncredentials_secret = "**my_secret**";
turncredentials_port = 443;
turncredentials_ttl = "86400";
turncredentials = {
    { type = "stun", host = "server_fqdn" },
    { type = "turn", host = "server_fqdn", port = 443, transport = "udp" },
    { type = "turns", host = "server_fqdn", port = 443, transport = "tcp" }
};

...

VirtualHost "server_fqdn"
    -- we need bosh
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
        "presence_identity";
    }
enabled rooms

VirtualHost "guest.server_fqdn"
    authentication = "token";
    app_id="**secret**"
    app_secret="**secret**"
    c2s_require_encryption = true;
    allow_empty_token = true;
    modules_enabled = {
        "bosh";
        "pubsub";
        "ping"; -- Enable mod_ping
        "speakerstats";
        "turncredentials";
        "conference_duration";
        "muc_lobby_rooms";
        "presence_identity";
    }

So the goal I am trying to achieve is that Jitsi also works behind strict firewalls, with both the Jitsi frontend and the TURN server running on the same machine.
What am I missing?
Thank you!
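What `use-auth-secret` / `static-auth-secret` on the coturn side and `turncredentials_secret` / `turncredentials_ttl` on the prosody side actually share is worth seeing in code: prosody mints a username that is an expiry timestamp and a password that is an HMAC-SHA1 over it, and coturn independently recomputes the same HMAC. The following is an added example, not code from the original post nor from the Jitsi or coturn projects; `SAMPLE_SECRET` stands in for the redacted `**my_secret**` and the timestamps are constructed values.

```python
"""Time-limited TURN credentials as used by coturn's use-auth-secret mode.

Prosody (mod_turncredentials) and coturn never talk to each other at runtime;
they only share the static secret.  Prosody mints
    username = "<expiry unix timestamp>"
    password = base64(HMAC-SHA1(secret, username))
and hands the pair to the browser, which presents it to coturn.  coturn
recomputes the HMAC with its own copy of the secret and checks the expiry.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample values; the real secret is the one in turnserver.conf.
SAMPLE_SECRET = "my_secret"
SAMPLE_TTL = 86400  # turncredentials_ttl in the prosody config, in seconds


def mint_credentials(secret: str, ttl: int, now: Optional[int] = None) -> Tuple[str, str]:
    """Return (username, password) the way mod_turncredentials derives them."""
    now = int(time.time()) if now is None else now
    username = str(now + ttl)  # expiry as a decimal Unix timestamp
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_credentials(secret: str, username: str, password: str, now: Optional[int] = None) -> bool:
    """Re-derive the password as coturn does and reject expired or forged pairs.

    coturn also accepts the "<expiry>:<userid>" username form; the HMAC is
    always computed over the full username string, so that form is covered.
    """
    now = int(time.time()) if now is None else now
    expiry_str = username.split(":", 1)[0]
    if not expiry_str.isdigit():
        return False  # not a REST-API style username
    if int(expiry_str) <= now:
        return False  # credential has expired
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    # Constant-time comparison so a forger learns nothing from timing.
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    user, pw = mint_credentials(SAMPLE_SECRET, SAMPLE_TTL)
    print(f"username={user} password={pw}")
    print("accepted with the same secret:  ", verify_credentials(SAMPLE_SECRET, user, pw))
    print("accepted with a different secret:", verify_credentials("other_secret", user, pw))
```

Running `mint_credentials` with the secret from `/etc/prosody/conf.avail/...cfg.lua` and `verify_credentials` with the one from `/etc/turnserver.conf` is a quick way to confirm the two copies of the secret really match; the minted pair can also be fed to coturn's bundled `turnutils_uclient` via its `-u` and `-w` options to test an allocation against the running server.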

turnserver cannot access /etc/letsencrypt/live/... by default. Did you change the permissions?

stunServers: [
    { urls: "stun:server_fqdn:443" }
],

Don’t change this line. It’s not related to your issue.

TURN should access JVB through the public IP. Don’t forget to check this.

I have changed the permissions based on this post:

TURN should access JVB through the public IP. Don’t forget to check this.

Where can I check this setting?

You can make a connectivity test for UDP/10000 from the Jitsi server to the public IP.

Yes, this is the output:

nc -z -v -u public_ip 10000
Connection to public_ip 10000 port [udp/*] succeeded!