Supporting VPN, with separate VMs for Meet, JVB (multiple) and Coturn

Hi everyone,

I’m trying to setup a scalable Jitsi Meet installation in GCP. My trouble is with getting coturn to work for VPN users. Ideally, I’d like to support the situation where a users VPN/firewall blocks port 10000/udp. This should use TURNS (some firewalls block fake-non-ssl 443 traffic).

From the start:

First, I created an installation with multiple JVB’s, using a Managed Instance Group. The JVB firewalls are set to allow port 10000/udp from everywhere. This works fine! Without VPNs, I can have 2, 3, more participants, no problems at all!

What I did is available open source in my repo:

The linked repository contains all startup-scripts, and contain variables that are inserted with Terraform. This is using the latest versions available in the APT sources of Debian Buster (debian-cloud/debian-10 GCP image).

Notably, my meet instance runs only NGINX and no turnserver: I want this separate.

Then I installed coturn on a separate VM following the guide at meetrix io (I can’t link it: only 2 links allowed :frowning: ). I’m using Time-Limited Credentials over SSL. I’ve validated that this works using the WebRTC samples Trickle ICE tool.

Anonymizing my root url the domains are:

  • meet:
  • coturn: (port 443)

In the prosody configuration I’ve enabled mod_turncredentials, downloaded the module from github/otalk/mod_turncredentials and installed it at /usr/lib/prosody/modules/mod_turncredentials.lua.

Then I set the following parameters at the top of my /etc/prosody/conf.avail/my_jitsi_hostname.cfg.lua:

turncredentials_host = "${COTURN_REALM}";
turncredentials_secret = "${COTURN_AUTH_SECRET}";
turncredentials_port = 443;
turncredentials_ttl = 86400;
turncredentials = {
    { type = "stun", host = "${COTURN_REALM}" },
    { type = "turn", host = "${COTURN_REALM}", port = 443},
    { type = "turns", host = "${COTURN_REALM}", port = 443, transport = "tcp" }

(with variables replaced)

Then I disabled UDP traffic from my home IP from reaching the JVB using a cloud firewall and disabled P2P by flipping the testing flag.

However, the video/audio does not load!
Things that indicate that stuff is working:

  • in coturn’s /var/log/turnserver*.log I see clients connecting from my home ip!

  • in webrtc-internals I see the correct “turns” iceServers:, { iceServers: [], iceTransportPolicy: all, bundlePolicy: max-bundle, rtcpMuxPolicy: require, iceCandidatePoolSize: 0, sdpSemantics`: “plan-b” }, {advanced: […]}

Things that indicate that stuff is not working:

  • no video/audio in Jitsi Meet in Chrome

  • consistent stream of these errors from Javascript:

    [modules/RTC/BridgeChannel.js] <l._send>: Bridge Channel send: no opened channel.
    [JitsiConference.js] <h.sendMessage>: Failed to send E2E ping request or response

Has anyone tried to set this up this way? I’m clueless as to what might be the issue…

I’ve not written out all urls or put - in front of some urls in my post because I can only post 2 links :cry:

1 Like