TURN not working after clean jitsi install

I have just installed jitsi-meet on UBUNTU LTS 20.04. I have followed the instructions for the TURN installation to the letter ( Setting up TURN · Jitsi Meet Handbook )

NOTE: the /etc/jitsi/meet/<domain>-config.js DOES NOT contain p2p.useStunTurn any longer!
( was this setting recently dropped? )

/etc/turnserver.conf

# jitsi-meet coturn config. Do not modify this line
use-auth-secret
keep-address-family
static-auth-secret=****************
realm=<domain>
cert=/etc/coturn/certs/turn-<domain>.fullchain.pem
pkey=/etc/coturn/certs/turn-<domain>.privkey.pem
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-ip=127.0.0.1
allowed-peer-ip=127.0.0.1
no-udp
listening-port=3478
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
simple-log
log-file=/var/log/turnserver.log
verbose
user=test:test123
# https://ssl-config.mozilla.org/#server=haproxy&version=2.1&config=intermediate&openssl=1.1.0g&guideline=5.4
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
# jitsi-meet coturn relay disable config. Do not modify this line
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
syslog

tail -f /var/log/turnserver.log
tail: cannot open ‘/var/log/turnserver.log’ for reading: No such file or directory
tail: no files remaining

The log file should exist, and it is clearly specified in the config above:
log-file=/var/log/turnserver.log

systemctl status coturn

coturn.service - coTURN STUN/TURN Server
Loaded: loaded (/lib/systemd/system/coturn.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2021-01-07 12:21:14 UTC; 9min ago
Docs: man:coturn(1)
man:turnadmin(1)
man:turnserver(1)
Process: 37844 ExecStart=/usr/bin/turnserver --daemon -c /etc/turnserver.conf --pidfile /run/turnserver/turnserver.pid (code=exited, status=0/SUCCESS)
Process: 37885 ExecStartPost=/bin/sleep 2 (code=exited, status=0/SUCCESS)
Main PID: 37884 (turnserver)
Tasks: 7 (limit: 4578)
Memory: 4.4M
CGroup: /system.slice/coturn.service
└─37884 /usr/bin/turnserver --daemon -c /etc/turnserver.conf --pidfile /run/turnserver/turnserver.pid
Jan 07 12:21:12 starfishx1 turnserver[37884]: 0: turn server id=0 created
Jan 07 12:21:12 starfishx1 turnserver[37884]: 0: IPv4. DTLS listener opened on: 127.0.0.1:5349
Jan 07 12:21:12 starfishx1 turnserver[37884]: 0: Total General servers: 2
Jan 07 12:21:12 starfishx1 turnserver[37884]: 0: IO method (auth thread): epoll (with changelist)
Jan 07 12:21:12 starfishx1 turnserver[37884]: 0: IPv4. TLS/SCTP listener opened on : 127.0.0.1:5349
Jan 07 12:21:12 starfishx1 turnserver[37884]: 0: IPv4. TLS listener opened on : 127.0.0.1:5349
Jan 07 12:21:12 starfishx1 turnserver[37884]: 0: IO method (admin thread): epoll (with changelist)
Jan 07 12:21:12 starfishx1 turnserver[37884]: 0: IO method (auth thread): epoll (with changelist)
Jan 07 12:21:12 starfishx1 turnserver[37884]: 0: SQLite DB connection success: /var/lib/turn/turndb
Jan 07 12:21:14 starfishx1 systemd[1]: Started coTURN STUN/TURN Server.
So to summarize

  1. Running a test of 3 open browser tabs on the same network shows the video to all participants on UDP 10000 (same network)
  2. Set the firewall setting to block TCP/UDP 10000 port, only TCP/UDP 443 is open
  3. Adding 4th participant coming from an external network → no video is going through
  4. No /etc/log/turnserver.log available
  5. chrome://webrtc-internals shows the TURN server

{ iceServers: [turns:turn-**********.com:443?transport=tcp], iceTransportPolicy: all, bundlePolicy: max-bundle, rtcpMuxPolicy: require, iceCandidatePoolSize: 0, sdpSemantics: "plan-b" }, {advanced: [{googHighStartBitrate: {exact: 0}}, {googPayloadPadding: {exact: true}}, {googScreencastMinBitrate: {exact: 100}}, {googCpuOveruseDetection: {exact: true}}, {googCpuOveruseEncodeUsage: {exact: true}}, {googCpuUnderuseThreshold: {exact: 55}}, {googCpuOveruseThreshold: {exact: 85}}]}

IF ANYONE CAN SHINE SOME LIGHT ON THIS PLEASE !!!

When doing this, is it allowed for the turnserver to reach port 10000? The turnserver needs to be able to communicate with jvb on the public address of jvb.

The TURN server is installed on the same box as jitsi. Do you mean to say the TURN server will communicate with the JVB on the IP that resolves to the domain name?

If so, for the sake of testing, would I block the incoming or outgoing (or both) 10000 port on the external user's side?

Also, why would there be NO turnserver.log?

@damencho So

  1. I went ahead and opened UDP 10000 on the firewall that is in front of the JVB and TURN server.
  2. Closed UDP on the firewall that is in front of the external user ( who is on a different network )

The connection worked, and as the external user I do see the video. However, looking at the external user stats I am seeing that the connection did NOT happen on TCP 443. Attaching a screenshot.

It does not seem to be working!!

PS: still no turnserver.log file!!!

So apparently it communicates directly to the bridge …

@damencho If you do not mind, I have a few questions

  1. how can I know for sure that the turn server is working?
  2. where is the turn server log file?
  3. is it better to run the turn server on a separate box? ( performance, etc… )

Seeing traffic only on port 443 from the client using Wireshark is what I do … otherwise you will see udp on port 10000.

/var/log/turnserver.log ? isn’t it?

Well depends on the traffic, if it is not a lot, it can be the same machine …

@damencho Thank you for the answers!

On the log file I am very curious as to why the file does not get generated. It appears that it should be there. Could it be a permissions thing?

Hum maybe no file in default config … Hum

It's in syslog: jitsi-meet/turnserver.conf at 9268255ca857260a298e3b6ea0c639dc3f62729e · jitsi/jitsi-meet · GitHub
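Added example (not from this thread, coturn, or jitsi-meet): a small Python checker that parses a coturn config excerpt modelled on the one posted above and reports the settings behind the symptoms discussed (syslog overriding log-file, a leftover static user credential, loopback-only listeners), plus the use-auth-secret credential scheme that the static-auth-secret line enables. The secret, realm and user names are placeholders.

```python
import base64, hashlib, hmac, time

# Constructed excerpt of the thread's /etc/turnserver.conf (secret is a placeholder)
SAMPLE_CONF = """\
use-auth-secret
static-auth-secret=REPLACE_WITH_REAL_SECRET
listening-ip=127.0.0.1
no-udp
no-tcp
log-file=/var/log/turnserver.log
user=test:test123
syslog
"""

def parse_conf(text):
    """Split a coturn config into bare flags (set) and key=value options (dict of lists)."""
    flags, values = set(), {}
    for line in (l.split("#", 1)[0].strip() for l in text.splitlines()):
        if "=" in line:
            key, val = line.split("=", 1)
            values.setdefault(key.strip(), []).append(val.strip())
        elif line:
            flags.add(line)
    return flags, values

def lint_conf(text):
    """Findings that explain the symptoms in the thread (missing log file, loopback-only listener)."""
    flags, values = parse_conf(text)
    findings = []
    if "syslog" in flags and "log-file" in values:
        findings.append("syslog: log-file is ignored, the log goes to syslog/journal instead")
    if "use-auth-secret" in flags and "user" in values:
        findings.append("user=: trivial static credential left beside use-auth-secret, remove it")
    if values.get("listening-ip") == ["127.0.0.1"]:
        findings.append("listening-ip: loopback only, the public 443 front end must forward to it")
    return findings

def rest_credential(secret, user, ttl=86400, now=None):
    """use-auth-secret credential: username = expiry:name, password = b64(HMAC-SHA1(secret, username))."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()

def verify_credential(secret, username, password, now=None):
    """Server-side check: reject malformed/expired usernames, compare the HMAC in constant time."""
    now = int(time.time() if now is None else now)
    expiry, _, name = username.partition(":")
    if not name or not expiry.isdigit() or int(expiry) < now:
        return False
    _, expected = rest_credential(secret, name, 0, int(expiry))
    return hmac.compare_digest(expected, password)
```

Run `lint_conf` on the real /etc/turnserver.conf to confirm which of the three conditions applies; the credential helpers show why a correct static-auth-secret, not the user= line, is what a Jitsi client actually authenticates with.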