Building/configuring a TURN server

Matrix-Synapse:
I can establish a connection between 2 users and use the chat function but i cannot run a video- or phone call. Is it necessary have a TURN server running for that? The package coturn is not installed on my Freedombox. I had uninstalled Martix-Synapse once. TURN might have been uninstalled …

Freedombox Pioneer 19.18
Debian 10
Firefox 60.8.0esr
I love my Freedombox

We are not automatically setting up a TURN server for matrix-synapse yet in FreedomBox. If you have information on how to setup one (or which one to setup), it could help us with setting up one.

I have late realized that the video connections are made possible by matrix and not running on FreedomBox itself. I’ve found a (german) tutorial on how to set up a turn server, the debian package coturn is used in this configuration

As I am fiddeling around with synapse and coturn as TURN/STUN-server lately I like to addd some findings. Might help some people to save some time.

  • as most of our servers might dwell behind a Router with NAT …

    • Audiio/Video-conferences won’t work under certain circumstances
    • I got conferences between two riot.im/app instances smoothly working
    • while Riot Android App cannot establish a WebRTC
    • no matter if to another Android App or riot.im/app
  • To solve this one will need

    • either to turn the clients to turn to fallback as TURN - which didn’t work for me
    • or setup a TURN server like coturn on your freedombox to circumvent the NATs between clients

Instructions I found for setting up coturn:

  • decatec. de/home-server/nextcloud-talk-mit-eigenem-turn-server-coturn/ :de:
  • www .nomachine. com/AR07N00894 :gb:
  • github. com/matrix-org/synapse/blob/master/docs/turn-howto.md :gb:

of course a good overview about flags and options is https://github.com/coturn/coturn/wiki/turnserver

Most important!
If you think: Hey, I opened all the ports on my router. Obviously the problem that nothing works is because of a buggy /etc/turnserver.conf! But how to know since the log-file is nowhere to find or simply empty! :frowning:

Then please remember that freedombox comes with the firewallD. And as you installed coturn outside of plinth it is not configured as a service in firewalld. So all the ports you opened in your router/NAT are still blocked by your homeserver. :man_facepalming:

Invest some minutes in learning how to add a service and ports to it using firewalld-cmd

To have a working log you need to add the verbose and the simple-log flags than you might find it under /var/log/turnserver.log (check the path in config-file).

After restarting the coturn daemon you can watch the log by
sudo tail -f /var/log/turnserver.log

With https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ you can check if your stun/turn server receives signal or can be found. Or you can
apt install stun-client
on another machine and
stun yourdoma.in -p 3478

if you want to use your letsencrypt certs for the turn server remember that its privileges don’t suffice to read them. You might change the group of the services process with sudo systemctl edit --full turnserver from turnserver to root.

Right now coturn does receive information when trying to videocall with matrix but the call doesn’t get media streams to work. The screens turn black and call is canceled.

I used the coturn server in a nextcloud config of Nextcloud Talk on another machine. A conference between the same devices (Notebook and Android both with Firefox) works with Video/Audio and the turnserver.log indicates that it works.

Tomorrow I’ll try to find out why Matrix-Calls still don’t work and what authentification method of coturn might have to do with it.

As you see: To fiddle with TURN-server is a pain in the ass.
So it would obviously be great to solve this make an one-click-app of it ! :purple_heart:

2 Likes

Well, I guess I found some things out and kind of solved the problem:

  1. Some of the problems with the coturn server were linked to the privileges of the daemon and of the letsencrypt certs. I did the following
sudo su -
mkdir -p /etc/coturn/certs
mv /etc/turnserver.conf /etc/coturn/turnserver.conf
cp /etc/letsencrypt/live/mydomain.net/privkey.pem /etc/coturn/certs/privkey.pem
cp /etc/letsencrypt/live/mydomain.net/cert.pem /etc/coturn/certs/cert.pem
chown turnserver:turnserver /etc/coturn/
chown turnserver:turnserver /etc/coturn/*
chmod 700 /etc/coturn/certs/
chmod 600 /etc/coturn/certs/*
touch /var/log/turnserver.log
chown turnserver:turnserver /var/log/turnserver.log

Of course this means that we have to cp the certs every renewal unless we automate that.

  1. Now we have to adopt the service to the new path by systemctl edit --full coturn
[...]
[Service]
User=turnserver
Group=turnserver
Type=forking
RuntimeDirectory=turnserver
PIDFile=/run/turnserver/turnserver.pid
ExecStart=/usr/bin/turnserver --daemon -c /etc/coturn/turnserver.conf --pidfile\
 /run/turnserver/turnserver.pid  -l /var/log/turnserver.log
[...]
  1. My /etc/coturn/turnserver.conf looks like
listening-port=3478

tls-listening-port=5349

relay-ip=192.168.1.15 # the local ip-adress of your machine, please adjust!

min-port=49152
max-port=49252  # my router only allows 255 ports per region

verbose # for debugging only

fingerprint

#lt-cred-mech                                                                   
#no-auth                                                                        
use-auth-secret

static-auth-secret= s0meS3cr3tPa55phras3 # which you also need in the synapse config

realm=yourdomain.net
total-quota=100

bps-capacity=0

stale-nonce=600

cert=/etc/coturn/certs/cert.pem

pkey=/etc/coturn/certs/privkey.pem

cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AE\
S256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"

dh-file=/etc/apache2/ssl/dhparams.pem

#no-stdout-log                                                                  

log-file=/var/log/turnserver.log

simple-log

#no-multicast-peers                                                             

mobility


no-tlsv1
no-tlsv1_1

no-cli

Now just start the coturn server with systemctl start coturn and watch your log-file with tail -f /var/log/turnserver.log

Test your turnserver with stun yourdomain.net -p 3478 and follow your log. If it moves obviously your server is reachable. Otherwise you might check if the server is actually running or check if you opened the ports both in your router/NAT and in firewallD.

If it is reachable you may make a video call in Matrix. My findings up to now are the following:

  • Browser to Browser (both https://riot.im/app/):
    • works like a charm.
    • In the turnserver.log you’ll find entries from both users and succesfull connetions.
  • Browser to Android Riot App:
    • As we are used to the video shows until the called account answers the call.
    • Videos turn black and after some time and the call ends.
    • In the turnserver.log you will see that only the account using the browser turns up. No lead of the AndroidApp using account.
  • Hypothesis, untested:
    • Android 2 Android Calls won’t work either
    • and neither of the accounts will turn up in the log.

Could this be linked to the ports? Does Android(App) not allow those and would work with e.g. 443 instead? Nextcloud e.g. uses a STUN-server with 443 by default. With my coturn server I found the same pattern with nextcloud Talk:

  • The Android app didn’t work
  • while joining the call in the Firefox for Android as guest works perfectly.

Obviously I could test this by changing the ports in the turnserver.conf to 80 resp. 443. Unfortunately that won’t work so easily on the same machine right now. Because I would have to stop apache so that the ports are free to be bound by coturn - but as synapse is dependend of apache it wouldn’t work anymore.

Conclusion
At the moment there is no way to get Video Calls on the Riot AndroidApp to work with the coturn server. Something blocks the communication ot the App with the TURN server at least with the used ports.
Maybe someone with a separate TURN-Server and the ports 80 and 443 might check this hypothesis?

1 Like

@homer77, Thanks for the awesome work so far on the issue. I hope we get this working. Just last meeting @jvalleroy has suggested that we should get audio/video conferencing working as a priority due to the current need for it.

I am writing this to add that copying letsencrypt certificates on every renewal in an automated way and setting the correct permissions is super easy on FreedomBox and we do that already for many apps. So is editing systemd service file.

In the coming days, I hope to join you with this effort. If the issue is fixed, it would be straight forward to write an app in FreedomBox.

1 Like

That’s good news! So making the turn server default or at least a one click option in plinth’s synapse configuration seems quite realistic - that’s nice.

Regarding the certs I wonder if it makes more sense to copy them into the certain certs folders every renewal or to add e.g. a letsencrypt group, give the original folder 0600 privs and add all servers which profit from them to the letsencrypt group. So no copying and easy to add any new server or app to it.

The more sophisticated thing might be the use of subdomains like it’s needed in ejabberd conf and expand the certs like I showed here. But sure that’s also manageable?
I’m looking forward to see what that will develop to :slight_smile:

Hey @homer77, I’m going back over your research and I wondering… do I need to sort out the letsencrypt certs? Or is that just if I want encrypted connections?

I ask because when I try the following command that you used:

I get the response:

systemctl: unrecognized option ‘–edit’

Any ideas?

I’ve looked at systemctl -h and systemctl -a but I can’t see anything to help me!

Thanks again for your help and work on this.

Hey @ScottishFreedom,

You are getting this error because I wrote it wrong :see_no_evil:
It’s to be sudo systemctl edit --full turnserver

I will correct this in the post above.

1 Like

Thanks for the update. When I run your command (below) I get this error message:

No files found for turnserver.service.
Run ‘systemctl edit --force --full turnserver.service’ to create a new unit.

I’m starting to think there something wrong with my Coturn install!

Maybe the coturn service has another name on your system? You could check the list of available services with tab-completion e.g. or with ls -la /etc/systemd/system and then look for coturn or some other term with turn in it …

Can you start turnserver as application in shell?

Thanks. When I run turnserver I get a load of output and it looks like the server is running:

0: Trying to bind fd 24 to <0.0.0.0:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: Cannot bind TLS/TCP listener socket to addr 0.0.0.0:3478
0: Trying to bind TLS/TCP listener socket to addr 0.0.0.0:3478, again...

Wen I run ls -la /etc/systemd/system I get the follwing out put, which I cannot see a reference to TURNSERVER!:

total 72
drwxr-xr-x 17 root root 4096 Apr 13 00:37 .
drwxr-xr-x  5 root root 4096 Apr 10 02:20 ..
-rw-r--r--  1 root root 1551 Apr 29  2019 autologin@.service
drwxr-xr-x  2 root root 4096 Feb 13 15:57 bluetooth.target.wants
lrwxrwxrwx  1 root root   42 Feb 13 15:58 dbus-fi.w1.wpa_supplicant1.service -> /lib/systemd/system/wpa_supplicant.service
lrwxrwxrwx  1 root root   37 Feb 13 15:57 dbus-org.bluez.service -> /lib/systemd/system/bluetooth.service
lrwxrwxrwx  1 root root   37 Apr  3 21:51 dbus-org.fedoraproject.FirewallD1.service -> /lib/systemd/system/firewalld.service
lrwxrwxrwx  1 root root   40 Feb 13 15:57 dbus-org.freedesktop.Avahi.service -> /lib/systemd/system/avahi-daemon.service
lrwxrwxrwx  1 root root   40 Apr  3 21:52 dbus-org.freedesktop.ModemManager1.service -> /lib/systemd/system/ModemManager.service
lrwxrwxrwx  1 root root   53 Apr  3 21:50 dbus-org.freedesktop.nm-dispatcher.service -> /lib/systemd/system/NetworkManager-dispatcher.service
lrwxrwxrwx  1 root root   45 Feb 13 15:52 dbus-org.freedesktop.timesync1.service -> /lib/systemd/system/systemd-timesyncd.service
lrwxrwxrwx  1 root root   36 Feb 13 16:03 default.target -> /lib/systemd/system/graphical.target
drwxr-xr-x  2 root root 4096 Apr  3 21:50 default.target.wants
lrwxrwxrwx  1 root root   34 Feb 13 15:58 dhcpcd5.service -> /lib/systemd/system/dhcpcd.service
lrwxrwxrwx  1 root root   35 Feb 13 15:59 display-manager.service -> /lib/systemd/system/lightdm.service
drwxr-xr-x  2 root root 4096 Feb 13 16:03 getty.target.wants
drwxr-xr-x  2 root root 4096 Feb 13 16:03 getty@tty1.service.d
drwxr-xr-x  2 root root 4096 Feb 13 15:59 graphical.target.wants
drwxr-xr-x  2 root root 4096 Feb 13 15:57 halt.target.wants
drwxr-xr-x  2 root root 4096 Apr 12 19:19 multi-user.target.wants
lrwxrwxrwx  1 root root   35 Apr  5 00:32 mysqld.service -> /lib/systemd/system/mariadb.service
lrwxrwxrwx  1 root root   35 Apr  5 00:32 mysql.service -> /lib/systemd/system/mariadb.service
drwxr-xr-x  2 root root 4096 Apr  3 21:50 network-online.target.wants
drwxr-xr-x  2 root root 4096 Feb 13 15:57 poweroff.target.wants
drwxr-xr-x  2 root root 4096 Feb 13 15:57 rc-local.service.d
drwxr-xr-x  2 root root 4096 Feb 13 15:57 reboot.target.wants
drwxr-xr-x  2 root root 4096 Feb 13 15:57 remote-fs.target.wants
drwxr-xr-x  2 root root 4096 Apr 10 01:02 sockets.target.wants
lrwxrwxrwx  1 root root   31 Apr  3 21:08 sshd.service -> /lib/systemd/system/ssh.service
drwxr-xr-x  2 root root 4096 Feb 13 16:09 sysinit.target.wants
lrwxrwxrwx  1 root root   35 Feb 13 15:54 syslog.service -> /lib/systemd/system/rsyslog.service
drwxr-xr-x  2 root root 4096 Apr 10 02:23 timers.target.wants

Tanks for continuing to try and help me with this :slight_smile:

:thinking: I have a coturn entry in my /etc/systemd/system

Did you install coturn with sudo apt install coturn? Or any other way?

Good point… it was installed by the NextCloud Talk app. This maybe the problem!

There is no mention of Turn or Conturn in the output from:

/etc/systemd/system $ ls

    autologin@.service                          dbus-org.freedesktop.timesync1.service  halt.target.wants            remote-fs.target.wants
    bluetooth.target.wants                      default.target                          multi-user.target.wants      sockets.target.wants
    dbus-fi.w1.wpa_supplicant1.service          default.target.wants                    mysqld.service               sshd.service
    dbus-org.bluez.service                      dhcpcd5.service                         mysql.service                sysinit.target.wants
    dbus-org.fedoraproject.FirewallD1.service   display-manager.service                 network-online.target.wants  syslog.service
    dbus-org.freedesktop.Avahi.service          getty.target.wants                      poweroff.target.wants        timers.target.wants
    dbus-org.freedesktop.ModemManager1.service  getty@tty1.service.d

But when I run:

sudo apt install coturn

I get:

Reading package lists... Done
Building dependency tree       
Reading state information... Done
coturn is already the newest version (4.5.1.1-1.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

But there is a file:

/etc/turnserver.conf

Which is what I have been editing and made me think Coturn had been installed, and it looks like it is. I just can’t find where. I’m not very familiar with Linux architecture though!

You could execute whereis coturn resp. whereis turnserver in terminal. It should show you were you find the binary.

Also you could pstree | grep turn to check if there’s already a coturn process running on your system

indicates that there is one already and so you should be able to use it’s config simply for your synapse matrix server.

1 Like

I have just had some success before getting your message. I set up a subdomain with Letsencrypt, as per my post here: [SOLVED] How to add subdomains to Letsencrypt: "how to renew certificate and expand with subdomains"! and then followed the following configuration instructions for Cotrun and Matrix here: https://gist.github.com/maxidorius/2b0acc2e707ae9a2d6d0267026a1024f and now I can make voice calls outside the local network between devices/RIot.

Regarding our earlier discussion, I did find a reference to my Coturn server pointing to the /nextcloud folder in my web root. So maybe NextCloud Talk has done a none standard install of Coturn

The commends to start and stop Coturn work fine though:

systemctl start coturn
systemctl stop coturn

And worth noting that I had to restart Matrix after changing the configuration:

systemctl daemon-reload

I had previously set up my home router port forwards and the configured the Freedombox firewall, as per your suggestion.

I’d be interested to know if you have any luck getting your TURN server working?

Thanks for all your input.

This is handy to know, thanks.

When I run:

whereis turnserver

I get output:

turnserver: /usr/bin/turnserver /etc/turnserver.conf /usr/share/man/man1/turnserver.1.gz

Hi, I have set up a working TURN server on my Feedombox with steps here: [SOLVED] How to add subdomains to Letsencrypt: "how to renew certificate and expand with subdomains"! and then the steps here: TTRSS install Problem and Matrix Synapse Server Problem

UPDATE: I have done a bit more testing and I’m not sure if TURN is working correctly.

I get the following output from the Trickle test, which looks good: https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/

Time 	Component 	Type 	Foundation 	Protocol 	Address 	Port 	Priority
0.005	1	host	0	udp	08e190ed-2d51-4616-8681-a0d94a917b8a.local	52208	126 | 32512 | 255
0.005	1	host	5	tcp	08e190ed-2d51-4616-8681-a0d94a917b8a.local	9	125 | 32704 | 255
0.007	2	host	0	udp	08e190ed-2d51-4616-8681-a0d94a917b8a.local	57929	126 | 32512 | 254
0.007	2	host	5	tcp	08e190ed-2d51-4616-8681-a0d94a917b8a.local	9	125 | 32704 | 254
11.354	Done

But, I have been testing with a VPN, and calls connect between my laptop and phone (different accounts on the Freedombox/Raspberry Pi) when:

  1. neither are connected through a VPN, and when;
  2. the laptop is connected to a VPN and the phone is not.

But the call will not connect when the phone is connected to a VPN.

So, I’m not sure what is going on here!

I don’t think, these are your servers the trickle-ice shows. These are the test servers of the service.

So I fear you’re turn-server isn’t working correctly yet :confused:

1 Like

Yes, thanks. I think you are right. Coturn is a pain :frowning: My main problem is that I haven’t found anything that really explains Coturn at the right level for me. So I’m floundering in the dark. I have opened up a thread on StackOverflow but I’m getting the feeling that I’m just wasting people’s time with my ignorance!