STUN/TURN using Coturn - Corporate FW solution ** HERE'S HOW **

I’m not sure of what you mean exactly. The browser gets from the OS the device list, all the network interfaces, and tries to establish a connection with all the JVB network devices provided by Jicofo. Some of these pairs don’t make sense and are always failing. For example I have an OpenVPN bridge on my workstation and I always see its address in JVB logs while, as it’s a link to another unrelated site, it will never be used. Is that the problem?

Our issue is *** SOLVED *** finally!

After a lot, A LOT of research and observation I finally came across the issues we had with coturn as STUN.

On the guide we used to configure coturn they failed to mention that SRV records are required on the domain DNS.

I’ll go ahead and update my guide here to prevent others from making a similar mistake.
Once that was corrected when we checked our STUN service there were no issues that appeared before (error 701).

In addition to all this mess one of our servers had an issue with its FW where port 10000 was blocked even though it was whitelisted. This caused the communication to be relayed via coturn rather than connecting directly to the server.

I hope this will help others with the issues we had here. It was a great challenge that spanned over weeks of investigations.

Cool!

Newbie here, so are some of the configs here the same with coTurn in Docker instead? Really need a tutorial on how to set those up as I’m confused on the config files.

But this is a good read and I’m sure it helped a lot of people.

Thanks

What wasn’t clear about the config file? I can help to the best of my ability.

Hello

By domain you mean another domain?
For instance, if I have meet.test.com, will I need a subdomain with that? turn.test.com?

Also, did you install this within the same machine/host where you installed Jitsi Meet? Or?

I’m running nginx proxy manager as well.

Thanks a lot.

Yes, a second domain is needed for TURN

Both are possible. If it is on JMS server, then you will need these changes.

Hi
Did you leave this blank or did you define it?

server-name=yourdomain.com
realm=yourdomain.com

I followed your instructions up until the systemctl start coturn, I was testing it with Trickle ICE and I am getting an error.

returned an error with code=701:
443?transport=udp returned an error with code=701:

Apologies as I am confused, can you clarify some things for me?
For instance, is turn.yourdomain.com a subdomain? Correct? Like turn.testdomain.com?
I created an A record pointing the subdomain to its server’s IP. (If I assume correctly, this is the TURN server’s public IP, right? Not the host/machine where jitsi-meet is installed, correct? Or?)

In the trickle test:
turn:yourdomain.com:443 (is it just the domain, like turn:testdomain.com, or is it the whole path, turn:turn.testdomain.com?)

Thanks for your help.

Thank you, thank you, thank you!
I was struggling with this issue until I found your post and adapted your configuration, but I’m still halfway there.
In my case, I want to put the coturn server and jitsi on the same host, multiplexing it through nginx (as explained here).
First of all, since my host is behind a NAT, I had to add an allowed-peer-ip line to whitelist the IP of the internal host (since I saw it was denied in the log).
The problem I have is that apparently the turn server is not working correctly behind nginx. If I advertise in prosody port 5439, I can get audio/video even with port 10000 blocked, but if I advertise port 443 I have no luck. Also, the trickle-ice test fails, I explain more details here.

FWIW, in the nginx configuration, instead of the public IP, I had to put the internal IP of the host (my previous tests were done with 127.0.0.1).

Sorry for the delay in my response. It’s a bit hectic on my end here.

A. I configured on an external server. Not the JMS.
B. Your realm (to my understanding) is the main domain you’re using.

Did you set up the SRV records on your domain?

I read on some posts that to solve this issue someone installed coturn on a separate machine, not behind nginx. I think coturn is trying to bind port 443, which will be occupied by nginx.
I’m not entirely sure because I didn’t even bother to try to set it up behind nginx after I saw that someone was struggling.

Did you configure your SRV records on your domain? As I mentioned in my previous response, I noticed that changed everything for us.

[quote="rn1984, post:16, topic:112526"]
Thank you for the great effort. Followed this guide along, but still confused, and clients with port 10000 cannot have video.

let me understand the logic first. Correct me please:

A client tries to connect to the JVB server by UDP 10000 and fails.
A client connects to port 443 on (coturn? or nginx?).

Who does the redirection to coturn?

Finally, coturn takes tcp to udp and connects to jvb port 10000

Does the client connect to coturn?


What I have so far and not working:

Stand-alone coturn as per guide (Trickle ICE test looks good)

configured correctly: /etc/prosody/conf.d/yourdomain.com.cfg.lua

A record for turn and stun

SRV records for:

_stun._tcp 3478
_turn._tcp 3478
_turns._tcp 443

Logs:

IPv4. TLS/SCTP listener opened on : 127.0.0.1:5349
0: : IPv4. TLS listener opened on : 127.0.0.1:5349
0: : IPv4. TLS/SCTP listener opened on : 172.xxx.xxx.xxx:5349
0: : IPv4. TLS listener opened on : 172.105.11.137:5349
0: : IPv6. TLS/SCTP listener opened on : ::1:5349
0: : IPv6. TLS listener opened on : ::1:5349
0: : IPv6. TLS/SCTP listener opened on : 2600:3c04::f03c:93ff:fee9:5a27:5349
0: : IPv6. TLS listener opened on : 2600:3c04::f03c:93ff:fee9:5a27:5349
0: : IPv4. DTLS/UDP listener opened on: 127.0.0.1:443
0: : IPv4. DTLS/UDP listener opened on: 127.0.0.1:5349
0: : IPv4. DTLS/UDP listener opened on: 172.xxx.xxx.xxx :443
0: : IPv4. DTLS/UDP listener opened on: 172.xxx.xxx.xxx :5349
0: : IPv6. DTLS/UDP listener opened on: ::1:443
0: : IPv6. DTLS/UDP listener opened on: ::1:5349
0: : IPv6. DTLS/UDP listener opened on: 2600:3c04::f03c:93ff:fee9:5a27:443
0: : IPv6. DTLS/UDP listener opened on: 2600:3c04::f03c:93ff:fee9:5a27:5349

Certificate files all found.

I see 443 is bound to all interfaces.

From Coturn I can connect to JVB by 10000 udp

I cannot telnet to 443 on the coturn host locally or from remote to coturn.

The firewall on Coturn: opened 443, 10000, 3478, 5349

The client connects to coturn (TCP/5349) through nginx (TCP/443).

nginx redirects the traffic using the configured module.

Yes, the client communicates with JVB through coturn.

Yes, but coturn connects to JVB's UDP/10000 through its public IP.

In this guide, coturn sits outside of Jicofo and nginx. The redirect is done by Prosody (that’s why we need to update the file).

Where are you hosting coturn?

@rn1984 CoTurn is set up as a stand-alone. It's working now; I was missing the config.js and sip-communicator.properties settings:
org.ice4j.ipv6.DISABLED=true
org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=10000
org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=turn.Mydomain.com
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES=turn.Mydomain.com:443
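The two things this thread keeps coming back to, the SRV records on the TURN domain and the listeners coturn actually opens, can be cross-checked mechanically. This is an added example, not code from the thread, from Jitsi or from coturn; the zone fragment, the log lines and the example.com / 203.0.113.10 values are constructed, and the check is only that each SRV record points at a transport/port coturn reports listening on.

```python
import re

# Constructed sample: coturn startup lines of the kind quoted in the thread
COTURN_LOG = """\
0: : IPv4. TCP listener opened on : 203.0.113.10:3478
0: : IPv4. TLS listener opened on : 203.0.113.10:443
0: : IPv4. TLS/SCTP listener opened on : 203.0.113.10:443
0: : IPv4. DTLS/UDP listener opened on: 203.0.113.10 :443
0: : IPv6. TLS listener opened on : 2001:db8::10:443
"""

# Constructed sample: the three SRV records the thread lists as required
ZONE_OK = """\
_stun._tcp.example.com.  IN SRV 0 5 3478 turn.example.com.
_turn._tcp.example.com.  IN SRV 0 5 3478 turn.example.com.
_turns._tcp.example.com. IN SRV 0 5 443  turn.example.com.
"""

REQUIRED_SRV = ("_stun._tcp", "_turn._tcp", "_turns._tcp")

# The last ':' separates the port, so IPv6 addresses and "addr :port" spacing both parse
LISTENER_RE = re.compile(
    r"IPv[46]\. (?P<proto>[A-Z/]+) listener opened on\s*:\s*(?P<addr>\S+?)\s*:(?P<port>\d+)\s*$")
# name [TTL] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>_\w+\._(?P<transport>tcp|udp))\.\S+\s+(?:\d+\s+)?IN\s+SRV\s+\d+\s+\d+\s+(?P<port>\d+)\s+\S+")

def parse_listeners(log):
    """Return {(transport, port)} for every listener coturn reports opening."""
    found = set()
    for m in filter(None, map(LISTENER_RE.search, log.splitlines())):
        found.add(("udp" if "UDP" in m["proto"] else "tcp", int(m["port"])))
    return found

def parse_srv(zone):
    """Return {srv_name: (transport, port)} from zone-file style SRV lines."""
    records = {}
    for m in filter(None, map(SRV_RE.match, map(str.strip, zone.splitlines()))):
        records[m["name"]] = (m["transport"], int(m["port"]))
    return records

def check_turn_dns(zone, log):
    """Cross-check SRV records against coturn's listeners.
    Returns (missing, unbacked): required SRV names absent from the zone, and SRV
    names whose transport/port has no coturn listener, so a client following that
    record would never reach the server."""
    srv, listeners = parse_srv(zone), parse_listeners(log)
    missing = [name for name in REQUIRED_SRV if name not in srv]
    unbacked = sorted(name for name, tp in srv.items() if tp not in listeners)
    return missing, unbacked
```

Feed it the real zone export and the real coturn startup log; an empty pair of lists means every required record exists and points at a port coturn is actually listening on.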

Would you elaborate on sizing? Any hints?

Sizing of what?

CoTurn server

It’s a matter of load. I like to think of the worst-case scenario, in which all the endpoints connect through 443 instead of 10000, and then it’s the same server size as the videobridge.

Ok. Thx.
Have a look here: Question: Server Requirements? · Issue #328 · coturn/coturn · GitHub