Matrix-Synapse:
I can establish a connection between 2 users and use the chat function but i cannot run a video- or phone call. Is it necessary have a TURN server running for that? The package coturn is not installed on my Freedombox. I had uninstalled Martix-Synapse once. TURN might have been uninstalled …
Freedombox Pioneer 19.18
Debian 10
Firefox 60.8.0esr
I love my Freedombox
We are not automatically setting up a TURN server for matrix-synapse yet in FreedomBox. If you have information on how to setup one (or which one to setup), it could help us with setting up one.
I have late realized that the video connections are made possible by matrix and not running on FreedomBox itself. I’ve found a (german) tutorial on how to set up a turn server, the debian package coturn is used in this configuration
As I am fiddeling around with synapse and coturn as TURN/STUN-server lately I like to addd some findings. Might help some people to save some time.
as most of our servers might dwell behind a Router with NAT …
To solve this one will need
Instructions I found for setting up coturn:
of course a good overview about flags and options is https://github.com/coturn/coturn/wiki/turnserver
Most important!
If you think: Hey, I opened all the ports on my router. Obviously the problem that nothing works is because of a buggy /etc/turnserver.conf! But how to know since the log-file is nowhere to find or simply empty! 
Then please remember that freedombox comes with the firewallD. And as you installed coturn outside of plinth it is not configured as a service in firewalld. So all the ports you opened in your router/NAT are still blocked by your homeserver. 
Invest some minutes in learning how to add a service and ports to it using firewalld-cmd …
To have a working log you need to add the verbose and the simple-log flags than you might find it under /var/log/turnserver.log (check the path in config-file).
After restarting the coturn daemon you can watch the log by
sudo tail -f /var/log/turnserver.log
With https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ you can check if your stun/turn server receives signal or can be found. Or you can
apt install stun-client
on another machine and
stun yourdoma.in -p 3478
if you want to use your letsencrypt certs for the turn server remember that its privileges don’t suffice to read them. You might change the group of the services process with sudo systemctl edit --full turnserver from turnserver to root.
Right now coturn does receive information when trying to videocall with matrix but the call doesn’t get media streams to work. The screens turn black and call is canceled.
I used the coturn server in a nextcloud config of Nextcloud Talk on another machine. A conference between the same devices (Notebook and Android both with Firefox) works with Video/Audio and the turnserver.log indicates that it works.
Tomorrow I’ll try to find out why Matrix-Calls still don’t work and what authentification method of coturn might have to do with it.
As you see: To fiddle with TURN-server is a pain in the ass.
So it would obviously be great to solve this make an one-click-app of it ! 
Well, I guess I found some things out and kind of solved the problem:
sudo su -
mkdir -p /etc/coturn/certs
mv /etc/turnserver.conf /etc/coturn/turnserver.conf
cp /etc/letsencrypt/live/mydomain.net/privkey.pem /etc/coturn/certs/privkey.pem
cp /etc/letsencrypt/live/mydomain.net/cert.pem /etc/coturn/certs/cert.pem
chown turnserver:turnserver /etc/coturn/
chown turnserver:turnserver /etc/coturn/*
chmod 700 /etc/coturn/certs/
chmod 600 /etc/coturn/certs/*
touch /var/log/turnserver.log
chown turnserver:turnserver /var/log/turnserver.logOf course this means that we have to cp the certs every renewal unless we automate that.
systemctl edit --full coturn[...]
[Service]
User=turnserver
Group=turnserver
Type=forking
RuntimeDirectory=turnserver
PIDFile=/run/turnserver/turnserver.pid
ExecStart=/usr/bin/turnserver --daemon -c /etc/coturn/turnserver.conf --pidfile\
/run/turnserver/turnserver.pid -l /var/log/turnserver.log
[...]listening-port=3478
tls-listening-port=5349
relay-ip=192.168.1.15 # the local ip-adress of your machine, please adjust!
min-port=49152
max-port=49252 # my router only allows 255 ports per region
verbose # for debugging only
fingerprint
#lt-cred-mech
#no-auth
use-auth-secret
static-auth-secret= s0meS3cr3tPa55phras3 # which you also need in the synapse config
realm=yourdomain.net
total-quota=100
bps-capacity=0
stale-nonce=600
cert=/etc/coturn/certs/cert.pem
pkey=/etc/coturn/certs/privkey.pem
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AE\
S256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
dh-file=/etc/apache2/ssl/dhparams.pem
#no-stdout-log
log-file=/var/log/turnserver.log
simple-log
#no-multicast-peers
mobility
no-tlsv1
no-tlsv1_1
no-cli
Now just start the coturn server with systemctl start coturn and watch your log-file with tail -f /var/log/turnserver.log
Test your turnserver with stun yourdomain.net -p 3478 and follow your log. If it moves obviously your server is reachable. Otherwise you might check if the server is actually running or check if you opened the ports both in your router/NAT and in firewallD.
If it is reachable you may make a video call in Matrix. My findings up to now are the following:
Could this be linked to the ports? Does Android(App) not allow those and would work with e.g. 443 instead? Nextcloud e.g. uses a STUN-server with 443 by default. With my coturn server I found the same pattern with nextcloud Talk:
Obviously I could test this by changing the ports in the turnserver.conf to 80 resp. 443. Unfortunately that won’t work so easily on the same machine right now. Because I would have to stop apache so that the ports are free to be bound by coturn - but as synapse is dependend of apache it wouldn’t work anymore.
Conclusion
At the moment there is no way to get Video Calls on the Riot AndroidApp to work with the coturn server. Something blocks the communication ot the App with the TURN server at least with the used ports.
Maybe someone with a separate TURN-Server and the ports 80 and 443 might check this hypothesis?
@homer77, Thanks for the awesome work so far on the issue. I hope we get this working. Just last meeting @jvalleroy has suggested that we should get audio/video conferencing working as a priority due to the current need for it.
I am writing this to add that copying letsencrypt certificates on every renewal in an automated way and setting the correct permissions is super easy on FreedomBox and we do that already for many apps. So is editing systemd service file.
In the coming days, I hope to join you with this effort. If the issue is fixed, it would be straight forward to write an app in FreedomBox.
That’s good news! So making the turn server default or at least a one click option in plinth’s synapse configuration seems quite realistic - that’s nice.
Regarding the certs I wonder if it makes more sense to copy them into the certain certs folders every renewal or to add e.g. a letsencrypt group, give the original folder 0600 privs and add all servers which profit from them to the letsencrypt group. So no copying and easy to add any new server or app to it.
The more sophisticated thing might be the use of subdomains like it’s needed in ejabberd conf and expand the certs like I showed here. But sure that’s also manageable?
I’m looking forward to see what that will develop to 
Hey @homer77, I’m going back over your research and I wondering… do I need to sort out the letsencrypt certs? Or is that just if I want encrypted connections?
I ask because when I try the following command that you used:
I get the response:
systemctl: unrecognized option ‘–edit’
Any ideas?
I’ve looked at systemctl -h and systemctl -a but I can’t see anything to help me!
Thanks again for your help and work on this.
Hey @ScottishFreedom,
You are getting this error because I wrote it wrong 
It’s to be sudo systemctl edit --full turnserver
I will correct this in the post above.
Thanks for the update. When I run your command (below) I get this error message:
No files found for turnserver.service.
Run ‘systemctl edit --force --full turnserver.service’ to create a new unit.
I’m starting to think there something wrong with my Coturn install!
Maybe the coturn service has another name on your system? You could check the list of available services with tab-completion e.g. or with ls -la /etc/systemd/system and then look for coturn or some other term with turn in it …
Can you start turnserver as application in shell?
Thanks. When I run turnserver I get a load of output and it looks like the server is running:
0: Trying to bind fd 24 to <0.0.0.0:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: Cannot bind TLS/TCP listener socket to addr 0.0.0.0:3478
0: Trying to bind TLS/TCP listener socket to addr 0.0.0.0:3478, again...
Wen I run ls -la /etc/systemd/system I get the follwing out put, which I cannot see a reference to TURNSERVER!:
total 72
drwxr-xr-x 17 root root 4096 Apr 13 00:37 .
drwxr-xr-x 5 root root 4096 Apr 10 02:20 ..
-rw-r--r-- 1 root root 1551 Apr 29 2019 autologin@.service
drwxr-xr-x 2 root root 4096 Feb 13 15:57 bluetooth.target.wants
lrwxrwxrwx 1 root root 42 Feb 13 15:58 dbus-fi.w1.wpa_supplicant1.service -> /lib/systemd/system/wpa_supplicant.service
lrwxrwxrwx 1 root root 37 Feb 13 15:57 dbus-org.bluez.service -> /lib/systemd/system/bluetooth.service
lrwxrwxrwx 1 root root 37 Apr 3 21:51 dbus-org.fedoraproject.FirewallD1.service -> /lib/systemd/system/firewalld.service
lrwxrwxrwx 1 root root 40 Feb 13 15:57 dbus-org.freedesktop.Avahi.service -> /lib/systemd/system/avahi-daemon.service
lrwxrwxrwx 1 root root 40 Apr 3 21:52 dbus-org.freedesktop.ModemManager1.service -> /lib/systemd/system/ModemManager.service
lrwxrwxrwx 1 root root 53 Apr 3 21:50 dbus-org.freedesktop.nm-dispatcher.service -> /lib/systemd/system/NetworkManager-dispatcher.service
lrwxrwxrwx 1 root root 45 Feb 13 15:52 dbus-org.freedesktop.timesync1.service -> /lib/systemd/system/systemd-timesyncd.service
lrwxrwxrwx 1 root root 36 Feb 13 16:03 default.target -> /lib/systemd/system/graphical.target
drwxr-xr-x 2 root root 4096 Apr 3 21:50 default.target.wants
lrwxrwxrwx 1 root root 34 Feb 13 15:58 dhcpcd5.service -> /lib/systemd/system/dhcpcd.service
lrwxrwxrwx 1 root root 35 Feb 13 15:59 display-manager.service -> /lib/systemd/system/lightdm.service
drwxr-xr-x 2 root root 4096 Feb 13 16:03 getty.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 16:03 getty@tty1.service.d
drwxr-xr-x 2 root root 4096 Feb 13 15:59 graphical.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 15:57 halt.target.wants
drwxr-xr-x 2 root root 4096 Apr 12 19:19 multi-user.target.wants
lrwxrwxrwx 1 root root 35 Apr 5 00:32 mysqld.service -> /lib/systemd/system/mariadb.service
lrwxrwxrwx 1 root root 35 Apr 5 00:32 mysql.service -> /lib/systemd/system/mariadb.service
drwxr-xr-x 2 root root 4096 Apr 3 21:50 network-online.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 15:57 poweroff.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 15:57 rc-local.service.d
drwxr-xr-x 2 root root 4096 Feb 13 15:57 reboot.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 15:57 remote-fs.target.wants
drwxr-xr-x 2 root root 4096 Apr 10 01:02 sockets.target.wants
lrwxrwxrwx 1 root root 31 Apr 3 21:08 sshd.service -> /lib/systemd/system/ssh.service
drwxr-xr-x 2 root root 4096 Feb 13 16:09 sysinit.target.wants
lrwxrwxrwx 1 root root 35 Feb 13 15:54 syslog.service -> /lib/systemd/system/rsyslog.service
drwxr-xr-x 2 root root 4096 Apr 10 02:23 timers.target.wants
Tanks for continuing to try and help me with this
I have a coturn entry in my /etc/systemd/system …
Did you install coturn with sudo apt install coturn? Or any other way?
Good point… it was installed by the NextCloud Talk app. This maybe the problem!
There is no mention of Turn or Conturn in the output from:
/etc/systemd/system $ ls
autologin@.service dbus-org.freedesktop.timesync1.service halt.target.wants remote-fs.target.wants
bluetooth.target.wants default.target multi-user.target.wants sockets.target.wants
dbus-fi.w1.wpa_supplicant1.service default.target.wants mysqld.service sshd.service
dbus-org.bluez.service dhcpcd5.service mysql.service sysinit.target.wants
dbus-org.fedoraproject.FirewallD1.service display-manager.service network-online.target.wants syslog.service
dbus-org.freedesktop.Avahi.service getty.target.wants poweroff.target.wants timers.target.wants
dbus-org.freedesktop.ModemManager1.service getty@tty1.service.d
But when I run:
sudo apt install coturn
I get:
Reading package lists... Done
Building dependency tree
Reading state information... Done
coturn is already the newest version (4.5.1.1-1.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
But there is a file:
/etc/turnserver.conf
Which is what I have been editing and made me think Coturn had been installed, and it looks like it is. I just can’t find where. I’m not very familiar with Linux architecture though!
You could execute whereis coturn resp. whereis turnserver in terminal. It should show you were you find the binary.
Also you could pstree | grep turn to check if there’s already a coturn process running on your system
indicates that there is one already and so you should be able to use it’s config simply for your synapse matrix server.
I have just had some success before getting your message. I set up a subdomain with Letsencrypt, as per my post here: [SOLVED] How to add subdomains to Letsencrypt: "how to renew certificate and expand with subdomains"! and then followed the following configuration instructions for Cotrun and Matrix here: https://gist.github.com/maxidorius/2b0acc2e707ae9a2d6d0267026a1024f and now I can make voice calls outside the local network between devices/RIot.
Regarding our earlier discussion, I did find a reference to my Coturn server pointing to the /nextcloud folder in my web root. So maybe NextCloud Talk has done a none standard install of Coturn
The commends to start and stop Coturn work fine though:
systemctl start coturn
systemctl stop coturn
And worth noting that I had to restart Matrix after changing the configuration:
systemctl daemon-reload
I had previously set up my home router port forwards and the configured the Freedombox firewall, as per your suggestion.
I’d be interested to know if you have any luck getting your TURN server working?
Thanks for all your input.
This is handy to know, thanks.
When I run:
whereis turnserver
I get output:
turnserver: /usr/bin/turnserver /etc/turnserver.conf /usr/share/man/man1/turnserver.1.gz
Hi, I have set up a working TURN server on my Feedombox with steps here: [SOLVED] How to add subdomains to Letsencrypt: "how to renew certificate and expand with subdomains"! and then the steps here: TTRSS install Problem and Matrix Synapse Server Problem
UPDATE: I have done a bit more testing and I’m not sure if TURN is working correctly.
I get the following output from the Trickle test, which looks good: https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
Time Component Type Foundation Protocol Address Port Priority
0.005 1 host 0 udp 08e190ed-2d51-4616-8681-a0d94a917b8a.local 52208 126 | 32512 | 255
0.005 1 host 5 tcp 08e190ed-2d51-4616-8681-a0d94a917b8a.local 9 125 | 32704 | 255
0.007 2 host 0 udp 08e190ed-2d51-4616-8681-a0d94a917b8a.local 57929 126 | 32512 | 254
0.007 2 host 5 tcp 08e190ed-2d51-4616-8681-a0d94a917b8a.local 9 125 | 32704 | 254
11.354 Done
But, I have been testing with a VPN, and calls connect between my laptop and phone (different accounts on the Freedombox/Raspberry Pi) when:
But the call will not connect when the phone is connected to a VPN.
So, I’m not sure what is going on here!
I don’t think, these are your servers the trickle-ice shows. These are the test servers of the service.
So I fear you’re turn-server isn’t working correctly yet 
Yes, thanks. I think you are right. Coturn is a pain My main problem is that I haven’t found anything that really explains Coturn at the right level for me. So I’m floundering in the dark. I have opened up a thread on StackOverflow but I’m getting the feeling that I’m just wasting people’s time with my ignorance!