Urgent Help Needed: No Audio/Video on Self Hosted Jitsi in Corporate

Request kind indulgence of experts here.

We have a self hosted instance of Jitsi. When we try to use it on a corporate for VC, once it used to allow only one-to-one audio/video call. Then some changes were made. Now no audio/video conference is possible.

We have tried our level best to solve it by reading past cases too. But of no help.

Request experts to pl help:

It is set up on a fresh coTURN in a Linux Ubuntu instance and hosted a domain like turn.mydomain.com and configured the turnserver.conf, and everything seems to be fine on port 3478 and 5349 for TLS.

But in order to set up the TLS on 443, nginx has been configured with my domain, but the turn server is not working with 443 port.

turnserver.conf

realm=turn.mydomain.com
fingerprint
listening-ip=0.0.0.0
listening-port=3478
external-ip=PUBLIC_IP
min-port=32769
max-port=65535
log-file=/var/log/turnserver/turn.log
verbose
no-cli
no-loopback-peers
no-multicast-peers
#Long Term Credential Mechanism authentication
lt-cred-mech
user=myuser:mypassword
tls-listening-port=5349
cert=/etc/coturn/certs/fullchain.pem
pkey=/etc/coturn/certs/privkey.pem

turn.conf in /etc/nginx/modules-enabled

stream { 

    map $ssl_preread_server_name $name {
        turn.mydomain.com turn_backend;
    } 

    upstream turn_backend {
        server PUBLIC_IP:5349;
    } 


    server { 
        listen 443;
        listen [::]:443;

        # since 1.11.5
        ssl_preread on;
        proxy_pass $name;

        # Increase buffer to serve video
        proxy_buffer_size 20m;
    }
}

It is also relevant to note that on the same Corporate, EVEN JITSI DOESN'T WORK. This might be a pointer to something.

May I request the forum for help pl?
Any logs needed would be provided.

TIA

Have you looked at: Setting up TURN | Jitsi Meet

You need two backends in

map $ssl_preread_server_name $name {
        turn.mydomain.com turn_backend;
    } 

one for turn and one for web, and both are on different ports; in the example, turn is on 5349 and web on 4444.

And for turn certs you use valid certificates, right? It does not work with self-signed.

Thanks for the reply @damencho

We have set up our separate instance for turn (coturn) server and we have added the same config as mentioned in the post. It's running with 5349 port on TLS and SSL is set up by LetsEncrypt and we have tested our coturn server with 5349 TLS port on

and it seems to be working, but we need to work with TLS on 443 port. For that we have created a reverse proxy using nginx on our turn server.

This is our snippet for turn.conf in /etc/nginx/modules-enabled

stream {

map $ssl_preread_server_name $name {
    # jitsi-meet.example.com web_backend;
    dturn.mydomain.co.in turn_backend;
}

upstream turn_backend {
    server 127.0.0.1:5349;
}

server {

    listen 443;
    listen [::]:443;

    # since 1.11.5
    ssl_preread on;
    proxy_pass $name;

    # Increase buffer to serve video
    proxy_buffer_size 20m;

}

}

Here are our test cases:

When we are testing with turn server url:
turn:dturn.mydomain.co.in:5349?transport=tcp

It seems to be working with the following response:

When we are testing with turn server url:
turn:dturn.mydomain.co.in:443?transport=tcp

It's not working with the below response:

When we are testing with turn server url:
turn:dturn.mydomain.co.in:443?transport=udp

It's working with the following response:

Note: It looks like turn server with 443 and transport=tcp is not working in our case, not sure where is the issue.

Request your help on where we are going wrong.

If it's a separate instance why don’t you put coturn directly to listen on port 433 with no nginx in front of it, you will avoid one hop and one buffering.
5349 is the TLS port you need turns for it. jitsi-meet/prosody.cfg.lua-jvb.example at 1fc5d6e97eb8d4034bbd622d4a932fdaa329c2b3 · jitsi/jitsi-meet · GitHub
For turn TCP the default port is 3478 jitsi-meet/prosody.cfg.lua-jvb.example at 1fc5d6e97eb8d4034bbd622d4a932fdaa329c2b3 · jitsi/jitsi-meet · GitHub
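Why plain `turn:` over TCP gets nowhere behind the `ssl_preread` stream block while a TLS connection carrying the right SNI is routed, as an added example that is not part of the thread. It models the `map` lookup only; the function names and the sample packets are constructed for illustration.

```python
import struct

STUN_MAGIC_COOKIE = 0x2112A442                       # fixed bytes 4..7 of any STUN/TURN message
SNI_MAP = {"dturn.mydomain.co.in": "turn_backend"}   # same single entry as the map block above

def sni_from_first_bytes(data):
    """Return the SNI name if data is a complete TLS ClientHello, else None."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None                                  # not a TLS handshake record
    p = 5 + 4 + 2 + 32                               # record hdr, handshake hdr, version, random
    p += 1 + data[p]                                 # session id
    p += 2 + int.from_bytes(data[p:p + 2], "big")    # cipher suites
    p += 1 + data[p]                                 # compression methods
    end = p + 2 + int.from_bytes(data[p:p + 2], "big")
    p += 2
    while p + 4 <= min(end, len(data)):
        ext_type, ext_len = struct.unpack("!HH", data[p:p + 4])
        if ext_type == 0:                            # server_name extension
            name_len = int.from_bytes(data[p + 7:p + 9], "big")
            return data[p + 9:p + 9 + name_len].decode("ascii")
        p += 4 + ext_len
    return None

def build_client_hello(host):
    """Constructed minimal ClientHello with only an SNI extension (sample input)."""
    name = host.encode("ascii")
    sni = struct.pack("!BH", 0, len(name)) + name    # name_type=host_name, length, name
    sni_list = struct.pack("!H", len(sni)) + sni
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"      # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def route(first_bytes):
    """Model `map $ssl_preread_server_name $name` with no default entry."""
    sni = sni_from_first_bytes(first_bytes)
    if sni is not None:
        return "tls", SNI_MAP.get(sni, "")
    is_stun = (len(first_bytes) >= 20 and (first_bytes[0] & 0xC0) == 0
               and int.from_bytes(first_bytes[4:8], "big") == STUN_MAGIC_COOKIE)
    return ("stun" if is_stun else "other"), ""      # no SNI: $name is empty, nothing to proxy to

# Constructed first packet of plain TURN over TCP: Allocate request header, no TLS
PLAIN_TURN_ALLOCATE = struct.pack("!HHI", 0x0003, 0, STUN_MAGIC_COOKIE) + bytes(12)
```
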

Hi Damencho
We have started turnserver on direct port 443 (I think you mistyped 433) and TLS connections are working now.

And configured the prosody turn server config like below:

{ type = "turns", host = "dturn.mydomain.co.in", port = 443, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn", username = "myusername", credential = "mypassword" }

But at the side of turnserver log it says 401 unauthorized, because of wrong username and when we check the log it prints:

ERROR: check_stun_auth: Cannot find credentials of user <1678975411:myusername>
224: : session 000000000000000002: realm <dturn.mydomain.co.in> user <1678975411:myusername>: incoming packet message processed, error 401: Unauthorized

Not sure why this prints some random numeric value before myusername in <>

When we are checking same credential on the

it's working fine and I’m getting correct logs in turn server as well without random numeric value.

Please guide what we are missing here.

Thanks

Are these secrets matching in your config?

And when changing the prosody config, make sure you restart prosody after the modifications.

This prosody config is wrong, not sure where you took that. Look at the example prosody and turn configs (links above), which are used when installing the deb packages by default.
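Where a username such as `<1678975411:myusername>` comes from, as an added example that is not part of the thread: with time-limited TURN credentials (the TURN REST API scheme) the username is an expiry timestamp, optionally followed by `:user`, and the password is an HMAC over that username keyed with a secret shared between the signalling server and the TURN server. The shared secret and the clock values below are constructed, the static user table is a simplified model of the `user=myuser:mypassword` line, and the function names are illustrative.

```python
import base64
import hashlib
import hmac
import time

SHARED_SECRET = "constructed-shared-secret"      # constructed; must be identical on both servers
STATIC_USERS = {"myuser": "mypassword"}          # models user=myuser:mypassword with lt-cred-mech

def turn_hmac(secret, username):
    """base64(HMAC-SHA1(secret, username)): the password of a time-limited credential."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()

def make_ephemeral_credential(secret, ttl, user=None, now=None):
    """What the signalling side hands to a client: expiry-based username plus HMAC password."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user}" if user else str(expiry)
    return username, turn_hmac(secret, username)

def check_shared_secret(secret, username, password, now):
    """Shared-secret mode (coturn: use-auth-secret + static-auth-secret): recompute and compare."""
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False                             # username does not start with a timestamp
    return now <= expiry and hmac.compare_digest(turn_hmac(secret, username), password)

def check_static_users(users, username, password):
    """Static user table: the presented username must exist verbatim (simplified model)."""
    stored = users.get(username)
    return stored is not None and hmac.compare_digest(stored, password)
```

A server that only has the static table never finds the timestamped username, and a server in shared-secret mode rejects it when the two secrets differ or the expiry has passed.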

Thanks for your reply @damencho

We were able to resolve the error. But there are some interesting observations in logs which I wanted to mention here, it might be helpful for your guidance on my turn server setup with jitsi.

Sometimes we are getting following errors:

68185: : ERROR: check_stun_auth: Cannot find credentials of user <1679043372>
68185: : session 001000000000000049: realm <dturn.mydomain.co.in> user <1679043372>: incoming packet message processed, error 401: Unauthorized

68230: : session 001000000000000049: usage: realm=<dturn.mydomain.co.in>, username=<1679043372>, rp=2, rb=140, sp=2, sb=240

68230: : session 001000000000000049: peer usage: realm=<dturn.mydomain.co.in>, username=<1679043372>, rp=0, rb=0, sp=0, sb=0

68230: : session 001000000000000049: closed (2nd stage), user <1679043372> realm <dturn.mydomain.co.in> origin <>, local 0.0.0.0:443, remote 27.122.60.191:51718, reason: TLS/TCP socket buffer operation error (callback)

Sometimes packets are getting logged with success response

@damencho pl help.
Waiting for your reply.

No idea. Make sure prosody config and coturn config are like the templates.
What is the problem you see? Media is still not flowing? Make sure the used certificates are valid with full chain.

Thanks for your reply @damencho

We were able to get it working after the valid certificates were deployed. Really appreciate your help throughout the issue