Turn Server on 443 along with Jitsi - Multiplex

Hi,

I need to run a turn server on 443 along with the Jitsimeet web UI.

I followed this article, but for some reason I couldn’t make it work.

After configuring, when we try to access the Jitsimeet web UI with a restricted firewall (only 443/80), I can see that the client is able to connect but there are no video streams. It simply says ICE failed.

Do I need to change anything in turnserver?

Config and logs are available at the URL mentioned below:
https://drive.google.com/drive/folders/1sL7Q4G-8ev58e9Qp98KxKQOzmxdgsC-1?usp=sharing

Any help on debugging is much appreciated.

Regards,

TURN server must have access to JVB using the public IP

Hi,

Both coturn (installed as part of Jitsi) and the Jitsi platform are on the same server with a public IP.
I have the turn DNS pointed to the same server.
I even tried with unrestricted port (firewall) access on the server. It just connects only to port 10000 and doesn’t seem to connect to 443.

Regards

I also noticed this error in the ICE failed candidate:
url: turns:turn-sample.example.app:443?transport=tcp
host_candidate: 192.168.10.x:0
error_text:
error_code: 701

Don’t change the STUN_MAPPING_HARVESTER_ADDRESSES line in the sip config. JVB cannot learn its public IP using a local STUN server.

Do you get the local IP or the public when resolving FQDN on JMS?

host sample.example.app

If it’s the local IP, then you need to allow this IP in the turnserver config or remove the related denied-peer-ip line.

If it’s the public IP, then you need to be sure the firewall redirects UDP/10000 requests from the local (TURN) to the public IP correctly.

Hi,

Option 2:
I am getting the public IP when I query the FQDN.
I am not sure how to redirect UDP/10000 traffic to the local turn. Any links?

Option 1:
I tried changing the hosts file to the local IP for the FQDN to see if it works. I even commented out the denied lines. It didn’t work either.

As an alternative (Option 3), I tried the external XIRSYS turn server. I am not sure where to give the username and password. I tried adding the static credentials in
1.example.app.cfg.lua
external_service_secret
turncredentials_secret
Sample:
{ type = "turns", host = "xx.xirsys.com", port = 443, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }

Overrode the uid and password in mod_turncredentials.lua as suggested in the forum.

  1. config.js

     // The STUN servers that will be used in the peer to peer connections
     stunServers: [
         { urls: 'stun:xxx.xirsys.com' },
         { urls: 'turns:xxx.xirsys.com:443?transport=tcp', username: 'adfdasfadsfRtXaYG4qhPZkVRZQulVjtWu9PNTfytYO1IGAAAAAGEUsRp0cmlhZGNjZTE2', credential: 'e511f7b5-fb2d-11eb-a213-0242ac140004' }
     ]

But even in this case (Xirsys), I can see the XIRSYS ICE candidate but it shows as unauthorised (maybe the uid and password are not properly set).

Will the p2p.stunServers really work as mentioned in “Setting Up Turn”?

Regards,

I would also like to mention that I am trying this on an AWS EC2 instance in a public subnet.

Don’t mix p2p with the port 443 use for turn. It’s all a big mess and very difficult to understand, but don’t try to put p2p in the mix at first, it will only confuse you more.
Use of turn to work around ‘businessy’ firewalls is as follows:
client → server udp 10000 fails
→ client connects to port 443 and is redirected to coturn
→ coturn translates tcp to udp and connects to jvb port 10000
So if your coturn knows the FQDN as a public IP, the firewall should be able to get a packet that is directed to the public IP on the internet (its own address, if you have an internal, private network setup) and turn it around to get the packet back to the internal network. This is not obvious and lots of firewalls are not able to do that.
So it’s better that on the JMS/JVB/turn server the FQDN resolves to the internal address (your option 1).
In your hosts file, add an entry defining your FQDN as the private address of the server, so that when coturn tries to contact the JVB it will not try to go out on the internet.
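The two checks the replies above ask for (does the FQDN on the JMS/TURN host resolve to a private address, and would coturn's denied-peer-ip lines then refuse to relay to the JVB?) as an added example that is not from this thread or from the Jitsi/coturn projects; the turnserver.conf lines are constructed, and the rule that allowed-peer-ip wins over denied-peer-ip follows coturn's example config.

```python
import ipaddress

# Constructed sample of the relevant turnserver.conf lines; the denied ranges
# are the RFC1918 blocks a Jitsi-installed coturn typically refuses to relay to.
SAMPLE_CONF = """\
# coturn config (constructed sample)
listening-port=443
tls-listening-port=443
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_peer_rules(conf_text):
    """Return (allowed, denied) lists of (first, last) address pairs from turnserver.conf."""
    allowed, denied = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key not in ("allowed-peer-ip", "denied-peer-ip"):
            continue
        if "-" in value:                              # coturn "first-last" range form
            first, last = (ipaddress.ip_address(p.strip()) for p in value.split("-", 1))
        else:                                         # single address form
            first = last = ipaddress.ip_address(value)
        (allowed if key == "allowed-peer-ip" else denied).append((first, last))
    return allowed, denied


def _in_ranges(ip, ranges):
    return any(first <= ip <= last for first, last in ranges)


def check_jvb_peer(conf_text, jvb_ip):
    """Classify the address the FQDN resolves to and whether coturn may relay to it.

    Returns (scope, verdict): scope is "private" for RFC1918 space, else "public";
    verdict is "denied" only when a denied-peer-ip range matches and no
    allowed-peer-ip entry overrides it (the allow rule wins when both match).
    """
    ip = ipaddress.ip_address(jvb_ip)
    scope = "private" if any(ip in net for net in RFC1918) else "public"
    allowed, denied = parse_peer_rules(conf_text)
    if not _in_ranges(ip, allowed) and _in_ranges(ip, denied):
        return scope, "denied"   # fix: add allowed-peer-ip=<JVB IP> or drop the denied line
    return scope, "allowed"
```

Feed it the address `host <FQDN>` returns on the server; a "private, denied" result is exactly the option-1 situation the thread ends up in until the denied line is removed or the JVB IP is explicitly allowed.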

Yes, you are right. It works now.
Thank you very much