After many hours of troubleshooting we finally managed to get traffic going through the TURN to the JVB. The final piece of the puzzle was to allow UDP range traffic FROM jvb to TURN.
With 3+ participants we get video and voice from each other. However, while looking at the remote/local address in the Jitsi GUI or chrome://webrtc-internals it shows the JVB as the remote address which is not possible as the traffic runs through the TURN server.
Due to us being a high security environment we are not allowed to disclose internal IPs of the infrastructure to external parties which means it is important for us that the remote address is the publicly available TURN server.
Are we missing something here? Or is this by design?
I am seeing the public address (not local) of the JVB pod in the cluster that is fetched via stun_mapping_harvester_addresses.
However, from a network topology perspective it is not an internet public IP address, it is the internal IP of the jvb that TURN connects to as we cannot expose the jvb directly to internet. So the IP should not be known to the outside world.
So basically we cannot do anything about this? Jitsi will always present the jvb public address to the connecting clients even if we use TURN? Or can we configure prosody/turn to “force turn” to display the turn-server as the remote address?
I was pointing that out because of your description. I don’t have a clear picture of your topology, but in general, coturn is supposed to connect to jvb using its public address and should not use the internal network for that connection when both coturn and jvb are in the same internal network, as this is a security issue.
The configuration we use as a template (the link I shared earlier) is doing exactly that.
Much appreciated for the clarifications @damencho!
I did some testing with what public and local address is being displayed in Jitsi GUI/webrtc-internals vs. org.ice4j.ice.harvest.StunMappingCandidateHarvester.discover from the jvb.log
It appears like the displayed public address in Jitsi/webrtc-internals does not match what the org.ice4j.ice.harvest.StunMappingCandidateHarvester.discover finds.
MappingCandidateHarvesters.createStunHarvesters: Using JITSISTUNRELAY:443/udp for StunMappingCandidateHarvester (localAddress=JVBIPADRESS:0/udp)
org.ice4j.ice.harvest.StunMappingCandidateHarvester.discover: Discovered public address PUBLICADRESS:58390/udp from STUN server JITSISTUNRELAY:443/udp using local address org.ice4j.socket.IceUdpSocketWrapper
jvb harvester public = 22.214.171.124 (internet public IP address)
Jitsi/webrtc-internal remote = 126.96.36.199 (local address of jvb)
jvb harvester local = 188.8.131.52 (local address of jvb)
Jitsi/webrtc-internal local = CLIENT local address
Does this mean that the jvb always announces the local address and ignores the public address? Can it be configured manually?
Or… is this a webrtc thing that cannot be addressed?
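A small audit script, added here as an example and not part of this thread or of Jitsi/ice4j, for the check the poster is doing by hand above: it parses ICE candidate lines as copied from an SDP or from chrome://webrtc-internals, flags every candidate whose connection address or related address (raddr) falls in an internal range, and reports whether the candidate set is relay-only. The candidate lines and addresses are constructed (10.0.0.5 stands in for a JVB internal address, 203.0.113.7 for the address a STUN mapping harvester would discover, 198.51.100.20 for a TURN relay); they are not the poster's addresses, and the candidate grammar is the standard one from RFC 5245 / RFC 8839.

```python
import ipaddress
import re

# Constructed sample candidate lines (not from the poster's setup): an
# assumed JVB host candidate on an internal address, the server-reflexive
# address a STUN mapping harvester would discover for it, and a TURN relay.
SAMPLE_CANDIDATES = [
    "a=candidate:1 1 udp 2122260223 10.0.0.5 10000 typ host",
    "a=candidate:2 1 udp 1686052607 203.0.113.7 58390 typ srflx raddr 10.0.0.5 rport 10000",
    "a=candidate:3 1 udp 41885439 198.51.100.20 49152 typ relay raddr 203.0.113.7 rport 58390",
]

# Ranges a high-security deployment would not want disclosed to a browser:
# RFC 1918, loopback, link-local, and the IPv6 equivalents (ULA, ::1, fe80::/10).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "::1/128", "fe80::/10",
)]

# Candidate attribute grammar (RFC 5245 / RFC 8839), as far as this check needs it.
CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)


def parse_candidate(line):
    """Return the candidate fields as a dict; raise ValueError on a malformed line."""
    m = CANDIDATE_RE.match(line.strip())
    if m is None:
        raise ValueError("not an ICE candidate line: %r" % line)
    cand = m.groupdict()
    cand["port"] = int(cand["port"])
    cand["priority"] = int(cand["priority"])
    if cand["rport"] is not None:
        cand["rport"] = int(cand["rport"])
    return cand


def is_internal(address):
    """True if the address falls in one of the ranges in INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # a hostname or mDNS .local name; nothing to classify here
    return any(ip in net for net in INTERNAL_NETS)


def audit(lines):
    """Flag every candidate whose connection address or related address is internal."""
    findings = []
    for line in lines:
        cand = parse_candidate(line)
        for field in ("address", "raddr"):
            value = cand[field]
            if value is not None and is_internal(value):
                findings.append((cand["foundation"], cand["type"], field, value))
    return findings


def relay_only(lines):
    """True when every candidate is a TURN relay, i.e. no host/srflx address reaches the peer."""
    return all(parse_candidate(line)["type"] == "relay" for line in lines)


if __name__ == "__main__":
    for foundation, ctype, field, value in audit(SAMPLE_CANDIDATES):
        print("candidate %s (%s): %s %s is internal" % (foundation, ctype, field, value))
    print("relay-only:", relay_only(SAMPLE_CANDIDATES))
```

Run it against the candidate lines from a real session to see which candidate carries the internal address: in the constructed sample the host candidate exposes 10.0.0.5 directly and the srflx candidate exposes it again through its raddr, which is why a relay-only set is the condition to look for when the goal is that the browser only ever sees the TURN server.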