Building/configuring a TURN server

This code handles firewall port opening. The current code does not notify the user what ports they need to forward in the router. I forgot about it. Thanks for reminding me of it.

1 Like

Unfortunately, there is plenty more work to do with testing. In the initial release, I am thinking of hiding the coturn server behind the ‘show advanced apps’ flag in configuration. We need to do a lot more testing with it in the real world before we can be confident about it.

1 Like

If there is any way I can help with testing I’d be happy to help. You’ll have realized that I’m not very techy though :frowning:

Do I get a mention in the next release :joy:

I have finished the work on the coturn app (auto-configuring matrix-synapse is pending) and submitted a merge request. I was able to test the whole of the application code, but we need to test the server configuration in various situations. Especially, there are open questions about whether we should set ‘listen-ip’ and ‘allow-loopback-peers’, and how to manage the ‘external-ip’ parameter.

It would be great if you can help with testing the server. Coturn will only show up if you enable ‘advanced mode’ in System -> Config. If you know how to do a development setup, go ahead with testing the merge request. Otherwise, this app will likely be available in next Monday’s release 20.8 which will reach your box by end of the week. You can test it more easily then.

3 Likes

I wrote a manual page for Coturn. Please feel free to contribute to it.

1 Like

I’m very happy with the Coturn server. The installation was easy and it works properly. The Riot chats have an excellent video and audio quality. Thanks to all of you. You have made the freedombox more valuable!

3 Likes

So, I yet updated to FB 20.8 and tried to install the new VOIP Helper App.

Which fails with g-io-error-quark: GDBus.Error:org.fedoraproject.FirewallD1.Exception: INVALID_SERVICE: coturn-freedombox (36)
As I had a coturn service before this might be due to that. Uninstalling coturn and installing the app didn’t lead to a better result. Maybe I have to remove my coturn service from systemd before installing? …

After deleting my old coturn service manually, purging coturn and then installing the app, the process finished successfully.

Furthermore:

  • As far as I can see there’s no log for the service? Or where would I find it? As for now I cannot check if coturn is actually doing anything. OK. I found your hint regarding journalctl -u coturn now :sweat_smile:
    • But: While trying a video call (without success) there seems to happen exactly nothing. The log remains untouched. After adding verbose to the config I can see that it works now. Also TrickleICE works for stun and 3478. But neither for turn nor 5349.
  • While VoIP is working inside my NAT, it is not if I use a VPN with one of the devices (riot.im on notebook, Riot app on Android). So I guess TURN is not working properly yet? … :thinking: May this be connected to turnserver · coturn/coturn Wiki · GitHub as at least the browser app uses WebRTC?
  • The coturn entry in firewall is shown as active but the sub entry coturn-freedombox is shown as blocked. In contrast to other entries, all ports are shown in one line instead of in separate lines per port. This might be linked to the error message reported above. After successful installation of the app it is shown active.

Above that - 2 questions:

  1. The annotations of the app mention to forward

UDP 3478
TCP 3478
UDP 3479
TCP 3479
UDP 5349
TCP 5349
UDP 5350
TCP 5350

in my NAT.
But what about the port range for the media connections 49152 to 5xxx (I had to reduce it to 49407 because my router limits range to 255 ports)? Don’t they need to be forwarded also?

  2. Why does it only advise to use 3478 UDP/TCP and not 5349 UDP/TCP in Synapse? The log shows clearly that coturn only binds 3478 on IPs.

1 Like

Reloading firewalld or restarting FreedomBox will fix this issue. We have a proper fix for this issue in upcoming release 20.9 so reload/restart won’t be necessary.

Looks like I forgot this FreedomBox default configuration. I intended to add it. Created an issue for this: coturn: Add verbose flag to configuration file (#1850) · Issues · FreedomBox / FreedomBox · GitLab

Yes, that port range is needed as well. These ports will be used if STUN fails and TURN is selected. TrickleICE can’t detect this problem as I think it does not do actual relaying during the test. But the call will fail.

To overcome 255 port as max range, add 3 more rules.

5349 is the actual port for TLS (TCP) and DTLS (UDP) communication. However, the same service is provided on 3478 port as well apart from unencrypted traffic (encryption is used based on how incoming requests are).

2 Likes

Thank you for clearing these up.

I’m still struggling with some connections, especially regarding the Android client. And if I understand the docs of coturn correctly

-X is needed if you are running your TURN server behind a NAT.

(and my FB is actually behind a NAT) I do need to map “internal” and “external” IP for TURN to work although the ports are forwarded. Don’t I?

Unfortunately I don’t really get that part. Do they mean my router’s (dynamic) external IP by “external”? Because then I’d have to find a way to alter that value dynamically every time my dynamic IP changes. :worried:

Yes. Ideally, your router may have some way to trigger a script or dyndns update (web request) upon IP renewals. Though I don’t know what is supported.

So, ideally again, maybe freedombox could provide a local url for the router to request with a parameter like ?new_ip=x.x.x.x to get coturn updated.

This is one of the pending items for the Coturn setup. The current plan is to implement as follows:

Regularly ping an external server to find the external IP address of FreedomBox (or somehow use the Dynamic DNS module since it has to do that anyway). The process can be done every 30 minutes or even sooner since it is not expensive. Once the IP is found, if it is different from the one configured in Coturn, reconfigure Coturn with external-ip= and reload the configuration. To discover the external IP, public STUN servers could be used. The stun-client command can be invoked to communicate with a public STUN server. We may allow the user to choose a public STUN server for privacy reasons or pick from a list of servers that we know respect privacy. Perform this entire process only if the user has selected that they are behind a router (and not directly connected to the Internet). Warn the user about the privacy consequences.

1 Like

Finding out the IP of my domain turns out to be quite straightforward on linux. One can just use host, dig or nslookup like
host mydomain.net <ip of my dns e.g. local ip of my router>

But unfortunately I see no way to receive only the IP as a single value; this gives only complex output in the shell.

So a better way might be python’s

import socket
# resolve the domain's A record to a single dotted-quad string
print(socket.gethostbyname('mydomain.net'))

which returns exactly what I need to alter the config and reload coturn as @sunil described.

P.S.
Just to mention: The coturn service does not support the reload action, only restart.

P.P.S.
YES! YES! It works! :purple_heart:
Adding external-ip = 93.158.178.34 (just made this IP up of course) and restarting coturn and voilà: the video call between my cell with VPN and my laptop immediately just works, and is astonishingly stable!
So now it’s only the automation of the dynamic IP change that’s left to do :stuck_out_tongue_winking_eye:

1 Like
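The two approaches discussed above (sunil’s plan to discover the external IP via a public STUN server, and the DNS lookup in the post just before this) both end in the same step: compare the discovered address with the external-ip= line in coturn’s config, rewrite it if it differs, and restart coturn (the thread notes that coturn supports restart, not reload). The following is an added example written for this thread, not FreedomBox or coturn code. It assumes a config path of /etc/turnserver.conf, a placeholder STUN server name stun.example.org, and that coturn is managed by systemd as the coturn unit; the function names are mine. The STUN part sends an RFC 5389 Binding Request and decodes the XOR-MAPPED-ADDRESS attribute, which is what stun-client does for you.

```python
"""Keep coturn's external-ip= in sync with the box's public IP.

Added example; config path, STUN server and systemctl unit name are
assumptions chosen for illustration, not settings from FreedomBox.
"""
import os
import re
import socket
import struct
import subprocess
from typing import Optional, Tuple

STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """RFC 5389 Binding Request header with an empty attribute list (20 bytes)."""
    if len(txid) != 12:
        raise ValueError("STUN transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid


def parse_xor_mapped_address(response: bytes, txid: bytes) -> Optional[Tuple[str, int]]:
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None if the reply is not
    a Binding Success for our transaction or carries no IPv4 mapping."""
    if len(response) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", response[:8])
    if msg_type != BINDING_SUCCESS or cookie != STUN_MAGIC_COOKIE or response[8:20] != txid:
        return None
    body = response[20:20 + length]
    pos = 0
    while pos + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + attr_len]
        # value layout: reserved(1) family(1) xport(2) xaddr(4); family 0x01 = IPv4
        if attr_type == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ STUN_MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + ((attr_len + 3) & ~3)  # attributes are padded to 4-byte boundaries
    return None


def discover_ip_stun(server: str, port: int = 3478, timeout: float = 3.0) -> Optional[str]:
    """Ask a public STUN server which source address our UDP packets arrive from."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_binding_request(txid), (server, port))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return None
    result = parse_xor_mapped_address(data, txid)
    return result[0] if result else None


def discover_ip_dns(domain: str) -> str:
    """The DNS route: trust the dynamic-DNS record for our own domain."""
    return socket.gethostbyname(domain)


# Matches an active (uncommented) external-ip= line only.
EXTERNAL_IP_RE = re.compile(r"^[ \t]*external-ip[ \t]*=.*$", re.MULTILINE)


def set_external_ip(conf_text: str, new_ip: str) -> Tuple[str, bool]:
    """Rewrite (or append) the external-ip= line. Returns (new_text, changed)."""
    line = "external-ip=" + new_ip
    match = EXTERNAL_IP_RE.search(conf_text)
    if match:
        if match.group(0).strip() == line:
            return conf_text, False
        return EXTERNAL_IP_RE.sub(line, conf_text, count=1), True
    if conf_text and not conf_text.endswith("\n"):
        conf_text += "\n"
    return conf_text + line + "\n", True


def sync_config(path: str, new_ip: str) -> bool:
    """Write the config atomically and restart coturn only when it changed."""
    with open(path) as fh:
        text, changed = set_external_ip(fh.read(), new_ip)
    if changed:
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(text)
        os.replace(tmp, path)
        subprocess.run(["systemctl", "restart", "coturn"], check=True)
    return changed


if __name__ == "__main__":
    # Prefer STUN; fall back to the DNS record if the STUN server does not answer.
    ip = discover_ip_stun("stun.example.org") or discover_ip_dns("mydomain.net")
    print("restarted" if sync_config("/etc/turnserver.conf", ip) else "unchanged")
```

Run it from a cron job or systemd timer at the interval sunil suggested; because set_external_ip reports whether anything changed, an unchanged IP never triggers a restart and so never interrupts running calls. The transaction id check in parse_xor_mapped_address matters: without it any UDP packet that happens to arrive on the socket could be accepted as the answer.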

The DNS approach assumes that the mapping is up-to-date (which is a very reasonable assumption). It may be better for privacy than using STUN. This is an approach to consider.

The router seems the best (and only) point to trigger reliable dns updates upon IP renewals. Consequently the dns IP info should be most up to date, within the limits of the dns TTL value.

However, if freedombox relies on polling to detect changes, there will always be times where the ICE service does not work, is not reachable and points to a foreign IP. :frowning:
So, it might only be a fallback and make things work in the beginning and be a bad idea at the same time. I think it really isn’t a proper “production” setup.

The mechanism to implement should make the domain much more continuously reachable (instantly reachable, and the IP renewal interruptions as short as possible).
So maybe, either the router supports to update the freedombox as a second configured dyndns (ddns) provider, or only the freedombox needs to be configured as ddns service in the router, and freedombox will then have to forward the update to the real external dyndns/ddns service whenever getting an update from the router.

Is the ability to get an update about IP address from the router a common feature found in routers?

Yes, all I know, you may also search, for example, for how-to-configure-ddns-in-router

BTW, did somebody also try the new audio and video call support of Conversations.im (XMPP)?