Struggling to make jitsi dockerized work from inside VPN

Hello !

After many hours spent making it work behind a NAT firewall, I succeeded, and this works on the public IP with more than 3 participants etc.

Now I encounter a situation and I can’t find what I should do with my spaghettis.
The server is behind a NAT firewall that also hosts a VPN where some people are. The problem:

When I create a room with people from the VPN, I can see them inside but there is no video/audio exchange while it works perfectly between the people that aren’t inside the VPN.

A room with only people from the VPN doesn’t work at all: no video/audio, I can only see the others and send text messages.

I opened UDP 10000 to the VPN network (I found out thanks to the blocked-packets logs), but it still doesn’t change anything, and I’m not sure from what source I should open this since I don’t really know where the audio/video stream is coming from (p2p or from the server).

I know that to make the NAT firewall stuff work with docker I had to set DOCKER_HOST_ADDRESS to my PUBLIC IP. I wonder if that could cause this, since the VPN is hosted on the same firewall and may not go through this IP, but I don’t know what the behaviour is here ^^

Finally, some logs of JVB that I’m not sure I understand.

When there are people from outside and inside the VPN:

org.jitsi.utils.logging2.LoggerImpl log
PMINFO: Suspicious ICE connectivity failure. Checks failed but the remote end was able to reach us.
PMINFO: ICE state changed old=Running new=Failed
PMINFO: Expiring.

When there are only people from the VPN:

org.jitsi.utils.logging2.LoggerImpl log
MWARNING: Received request for a nonexistent endpoint: 56dd050d(conference 52de068c9216ea79)
MWARNING: Unable to find endpoint to send EndpointMessage to: 56dd050d

I’m a bit lost here; thank you for reading, and if you seem less lost than me, thanks for your help :slight_smile:

Hi, I am quite new to jitsi-meet, so I don’t know the answer to your question, but I could recommend a few things to look at.

  1. I run Jitsi server behind NAT too, it works well as long as you access the server via the public IP (i.e. using the Internet domain name via your Internet domain name’s public IP address). Do your VPN users route to your Jitsi server via the public domain name/Public IP address? I am thinking that if both your non-VPN users and your VPN users run “nslookup yourjitsiserverfullyqualifieddomainname” that the IP address returned is your Jitsi server’s public IP address.

  2. Ensure that VPN ports route to the Internet for the Jitsi required ports, and check which ports, as there are more ports than just 10000.

Here are a few links which may give you some ideas, and the link to a previous posting seems to say what I was thinking regarding having to access the Jitsi server via the public IP address for all Jitsi required Internet-facing ports.

But the easiest solution for those problems, if the firewall and VPN rules can be altered, is to allow bridge addresses and connections to port UDP 10000 in the corporate firewall and to make sure that the VPN does not route traffic to the JVB address UDP port 10000 over the VPN connection, but uses the clients’ own Internet connection to connect to it directly.

The following ports need to be open in your firewall, to allow traffic to the Jitsi Meet server:
80 TCP - for SSL certificate verification / renewal with Let’s Encrypt
443 TCP - for general access to Jitsi Meet
10000 UDP - for general network video/audio communications
22 TCP - if you access your server using SSH (change the port accordingly if it’s not 22)
3478 UDP - for querying the STUN server (coturn, optional, needs a config.js change to enable it)
5349 TCP - for fallback network video/audio communications over TCP (when UDP is blocked for example), served by coturn

I hope something in the above might help you find your answer.
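As an added example (not code from the thread or from the Jitsi project), here is a small STUN Binding probe that addresses the original question of which source address the media traffic arrives from: the server-reflexive address that coturn reports on 3478/udp (the port listed above) is the address the firewall actually sees, so running it once from a VPN client and once from outside shows whether VPN users reach the server from the public IP or from a VPN-internal address, which decides where the UDP 10000 rule has to point. It assumes coturn is enabled and answers plain Binding Requests on 3478, and that the host name resolves as in point 1.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442  # RFC 5389 fixed value
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
MAPPED_ADDRESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0020


def build_binding_request(txn_id: bytes) -> bytes:
    """20-byte STUN header, no attributes: a Binding Request."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txn_id


def decode_binding_response(data: bytes, txn_id: bytes):
    """Return the (ip, port) the server saw us as, or None if the datagram is
    not a Binding Success Response for our transaction (IPv4 only here)."""
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != txn_id:
        return None
    body, offset = data[20:20 + length], 0
    while offset + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + attr_len]
        offset += 4 + ((attr_len + 3) & ~3)  # values are padded to 4 bytes
        if attr_type not in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) or len(value) < 8:
            continue
        family, port = struct.unpack("!xBH", value[:4])
        if family != 0x01:
            continue
        addr = value[4:8]
        if attr_type == XOR_MAPPED_ADDRESS:  # undo the XOR with the magic cookie
            port ^= MAGIC_COOKIE >> 16
            addr = bytes(a ^ b for a, b in zip(addr, struct.pack("!I", MAGIC_COOKIE)))
        return socket.inet_ntoa(addr), port
    return None


def stun_probe(host: str, port: int = 3478, timeout: float = 2.0):
    """Send one Binding Request to host:port (coturn's STUN port from the
    reply above) and decode the reply; None on timeout or a bad reply."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txn_id), (host, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return None
    return decode_binding_response(data, txn_id)
```

Call `stun_probe("your.jitsi.fqdn")` from each vantage point; a VPN client that gets back a private VPN address rather than its own public IP is hairpinning through the firewall, which matches the "remote end was able to reach us" ICE failure in the logs.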