TURN failover when port 10000 blocked broken on latest build

When installing a new server from the latest build, failover when 10000 is blocked is not working.
Any ideas?
I noticed /etc/turnserver is now missing external-ip= setting.
@damencho Any ideas?

No need to external-ip

TCP/443 traffic is not distributed according to the traffic type on the latest stable, only HTTPS traffic is managed. It’s needed to activate TURN manually.

Can you please tell me how do I activate TURN manually?

  • First, you need a second host address for turn. Something like turn.mydomain.com

  • By default, TCP/443 is used by the Nginx virtualhost. Use another port for it (for example TCP/4444) and deallocate TCP/443. Related file is /etc/nginx/sites-enabled/yourdomain.conf

  • Add a config to distribute the traffic according to the requested host address. /etc/nginx/modules-enabled/60-jitsi-meet-custom.conf

stream {
    upstream web {
        server 127.0.0.1:4444;
    }
    upstream turn {
        server 127.0.0.1:5349;
    }

    map $ssl_preread_server_name $upstream {
        turn.mydomain.com         turn;
        default                 web;
    }

    server {
        listen 443;
        listen [::]:443;

        ssl_preread on;
        proxy_pass $upstream;

        proxy_buffer_size 10m;
    }
}
  • Allow 127.0.0.1 in /etc/turnserver.conf, add the following lines
listening-ip=127.0.0.1
allowed-peer-ip=127.0.0.1
no-udp
  • Create a TLS certificate for TURN too (this step is a bit complicated, see the old messages in the forum)

  • Customize the turns line in /etc/prosody/conf.d/yourdomain.cfg.lua according to your turn address

  • restart services etc…

If it’s boring to deal with all this, use my installer


Does your installer work with Ubuntu 18 on AWS instances?

I am unable to get failover from 10000 to work on a new install. I could use some help!

Only for Debian Buster (Debian 10)

Thank you, I am going to try your installer. I have a question about configuration.
In your documentation you have the following command for setting the Let's Encrypt SSL certificate:
set-letsencrypt-cert meet.mydomain.com,turn.mydomain.com
How do you do this in practice? Does the set-letsencrypt-cert command become available when I install eb-base?

Yes, it will work after the installation.

I used the installer and tested with port 10000 blocked and video was blocked in the meeting.

Could you send me your host address as a private message?
The turn address too…

@jpkelly,

sorry, my fault…

I fixed the installer according to the latest stable’s prosody config. Choose one to solve the issue:

  • give me SSH access and I’ll fix it manually

  • fix it yourself

lxc-attach -n eb-jitsi

vim /etc/prosody/conf.d/yourdomain.cfg.lua

Find turns line

turncredentials = {
...
...
  { type = "turns", host = ...

Change host to turn.yourdomain.com and port to 443

  • restart the installer but before restart
echo "export REINSTALL_JITSI_IF_EXISTS=true" >> eb-jitsi.conf

Otherwise the installer doesn’t overwrite already running services

I have not worked with Linux containers before. How difficult would it be to create my own Jitsi-Meet build (with UI customization) to use with your installer?

The Linux container is really easy. It is like a virtual machine. You can attach to it with lxc-attach -n container-name and then work as expected.

The related part of the installer is this script. If you want, ignore the container related parts and check what I do.

Or give me SSH access to fix the last step in 2 min

Thank you for fixing this in the installer. I did an install from scratch and it works great!

A couple questions.

If I want to modify the Jitsi-Meet GUI can I run lxc-attach -n eb-jitsi and then have access to the files I want to modify? (files in /usr/share/Jitsi-Meet)

How could I make my own installer with the Gui changes I want included?

Yes, when you attach to a container, you can manage it as a standalone server.

I shared how I customize it in:
Tip: customizing the configuration after upgrade

While I don’t use lxc directly (I use lxd, the Ubuntu-derived version), I think that you could, like I do, run the sshd service in your container; I use the ProxyJump feature of ssh to connect directly to the container from my main computer, and I can then use sftp or scp to transfer files.

It’s also possible to connect to the container through SSH as @gpatel-fr said.

TCP/30014 is already reserved for the Jitsi container and the host’s authorized keys are valid for the container too. So:

ssh -l root -p 30014 your.domain.addr

What is the benefit of running Jitsi in a container?