Building/configuring a TURN server

I have finished the work on the coturn app (auto-configuring matrix-synapse is pending) and submitted a merge request. I was able to test a whole of the application code but we need to test the server configuration in various situations. Especially there are open questions about whether we should set ‘listen-ip’, ‘allow-loopback-peers’ and how to manage the ‘external-ip’ parameter.

It would be great if you can help with testing the server. Coturn will only show up if you enable ‘advanced mode’ in System -> Config. If you know how to do a development setup, go ahead with testing the merge request. Otherwise, this app will likely be available in next Monday’s release 20.8 which will reach your box by end of the week. You can test it more easily then.

A post was split to a new topic: Transitioning from testing to backports

I wrote a manual page for Coturn. Please feel free to contribute to it.

I’m am very happy with the Coturn server. The installation was easy and it works properly.The Riot chats have an excellent video and audio quality. Thanks to all of you. You have made the freedombox more valuable!

So, I yet updated to FB 20.8 and tried to install the new VOIP Helper App.

Which fails with g-io-error-quark: GDBus.Error:org.fedoraproject.FirewallD1.Exception: INVALID_SERVICE: coturn-freedombox (36)
As I had a coturn service before this might be due to that. Uninstalling coturn and installing the app didn’t lead to a better result. Maybe I have to remove my coturn service from systemd before installing? …

After deleting my old coturn service manually, purging coturn and then installing the app the process finished successfully

Furthermore:

• As far as I can see there’s no log for the service? Or where would I find it? As for now I cannot check if coturn is doing actually anything. OK. I found your hint regarding journalctl -u coturn now
  • But: While trying a video call (without success) there seem to happen exactly nothing. Log remains untouched. After adding verbose to the config I can see that it works now. Also TrickleICE works for stun and 3478. But neither for turn nor 5349.
• While VoIP is working inside my NAT it is not if I use a VPN with one of the devices (riot.im on notbook, Riot app on Android). So I guess TURN is not working properly yet? … May this be connected to turnserver · coturn/coturn Wiki · GitHub as at least the browser app uses WebRTC?
• The coturn entry in firewall is shown as active but the sub entry coturn-freedombox is shown as blocked. In contrast to other entries all ports are shown in one line despite in separate lines per port. This might be linked to the error message reported above. After successful installation of app it is shown active.

Above that - 2 questions:

1. The annotations of the app mention to forward

UDP 3478
TCP 3478
UDP 3479
TCP 3479
UDP 5349
TCP 5349
UDP 5350
TCP 5350

in my NAT.
But what about the port range for the media connections 49152 to 5xxx (I had to reduce it to 49407 because my router limits range to 255 ports)? Don’t they need to be forwarded also?

2. Why does it only advice to use 3478 UDP/TCP and not 5349 UDP/TCP in Synapse? Log shows clearly that coturn only binds 3478 on IPs.

Reloading firewalld or restarting FreedomBox will fix this issue. We have a proper fix for this issue in upcoming release 20.9 so reload/restart won’t be necessary.

Looks like I forgot this FreedomBox default configuration. I intended to add it. Created an issue for this: coturn: Add verbose flag to configuration file (#1850) · Issues · FreedomBox / FreedomBox · GitLab

Yes, that port range is needed as well. These port will be used if STUN fails and TURN is selected. TrickleICE can detect this problem as I think it does not do actual relaying during the test. But call will fail.

To overcome 255 port as max range, add 3 more rules.

5349 is the actual port for TLS (TCP) and DTLS (UDP) communication. However, the same service is provided on 3478 port as well apart from unencrypted traffic (encryption is used based on how incoming requests are).

Thank you for clearing these up.

I’m still struggeling with some connections especially regarding AndroidClient. And if I understand the docs of coturn correctly

-X is needed if you are running your TURN server behind a NAT.

(and my FB is actually behind a NAT) I do need to map “internal” and “external” IP for TURN to work although the ports are forwarded. Don’t I?

Unfortunately I don’t really get that part. Do they mean my router’s (dynamic) external IP by “external”? Because then I had to find a way to alter that value dynamically everytime my dynamic IP changes.

Yes. Ideally, your router may have some way to trigger a script or dyndns update (web request) upon IP renewals. Though I don’t know what is supported.

So, ideally again, maybe freedombox could provide a local url for the router to request with a parameter like ?new_ip=x.x.x.x to get coturn updated.

This is one of the pending items for the Coturn setup. The current plan is to implement as follows:

Regularly ping an external server to find the external IP address of FreedomBox (or somehow use Dynamic DNS module to since it has do that anyway). The process can be done every 30 minutes or even sooner since it is not expensive. Once the IP is found if it is different from the one configured in Coturn, reconfigure Coturn with external-ip= and reload the configuration. To discover the external IP, public STUN servers could be used. stun-client command can be invoked to communicate with a public STUN server. We may allow the user to choose a public STUN server for privacy reasons or pick from a list of servers that we know respect privacy. Perform this entire process only if the user has selected that they are behind a router (and not directly connected to the Internet). Warn the user about the privacy consequences.

Finding out the IP of my domain turns out to be quite straightforward on linux. One can just use host, dig or nslookup like
host mydomain.net <ip of my dns e.g. local ip of my router>

But unfortunately I see no way to only receive the ip as a single value but only complex output in shell by this.

So a better way might be python’s

import socket
print(socket.getaddressbyname('mydomain.net'))

which returns exactly what I need to alter the config and reload coturn as @sunil described.

P.S.
Just to mention: The coturn service does not support the reload action, only restart.

P.P.S.
YES! YES! It works!
Adding external-ip = 93.158.178.34 (just made this IP up of course) and restarting coturn and voilá: The video call between my cell with VPN and my laptop immediately and astonishing stable just works!
So now it’s only the automation of the dynamic IP change that’s left to do

DNS approach assumes that the mapping is up-to-date (which is very reasonable assumption). It may be better for privacy than using STUN. This an approach to consider.

The router seems the best (and only) point to trigger reliable dns updates upon IP renewals. Conseqently the dns IP info should be most up to date, within the limits of the dns TTL value.

However, if freedombox relies on polling to detect changes, there will always be times were the ICE service does not work, is not reachable and points to a foreign IP.
So, it might only be a fallback and make things work in the beginnig and be a bad idea at the same time. I think it really isn’t a proper “production” setup.

The mechanism to implement should make the domain much more continuously reachable (instantly reachable, and the IP renewal interruptions as short as possible).
So maybe, either the router supports to update the freedombox as a second configured dyndns (ddns) provider, or only the freedombox needs to be configured as ddns service in the router, and freedombox will then have to forward the update to the real external dyndns/ddns service whenever getting an update from the router.

Is the ability to get an update about IP address from the router a common feature found in routers?

Yes, all I know, you may also search, for example, for how-to-configure-ddns-in-router

BTW, did somebody also try the new audio and video call support of Conversations.im (XMPP)?

I scripted a quick and dirty fix for the dynamic IP problem in my case.
That might help others until there will be an official solution.

#!/usr/bin/python3                                                              

import socket, shutil

# Read the current coturn config                                                
#                                                                               
config = {}
with open('/etc/coturn/freedombox.conf') as f:
    for line in f:
        key, value = line.partition("=")[::2]
        config[key.strip()] = value.strip()


# Get current IP of TLD                                                         
#                                                                               
current_ip = socket.gethostbyname(config['realm'])

print('Old IP: %s' % config['external-ip'])
print('Current IP: %s' % current_ip)

# If the IP hasn't change, simply do nothing                                    
#                                                                               
if current_ip == config['external-ip']:                                         
    print("Still the same IP (%s)." % config['external-ip'])                    
    print("Doing nothing.")                                                     
                                                                                
# If the IP has actually changed                                                
#                                                                               
else:                                                                           
    print("The IP has changed.")

    # Set external-ip to new value and write it to a new file                   
    #                                                                           
    config['external-ip'] = current_ip
    with open('/etc/coturn/freedombox.conf.new','w') as f:
        for key, value in config.items():
            if value is not "":
                f.write('%s = %s\n' % (key, value))
            else:
                f.write('%s' % key)
                continue
    print("Changed coturn IP to %s." % current_ip)

    try:
        shutil.copyfile('/etc/coturn/freedombox.conf', '/etc/coturn/freedombox.\
conf.bak')
        print("Backuped old config.")
    except:
	print("Could not backup old config!")

    try:
        shutil.copyfile('/etc/coturn/freedombox.conf.new', '/etc/coturn/freedom\
box.conf')
        print("Substituted old config with the new.")
    except:
	print("Could not substitute config file!")

# Restart the coturn service                                                
    #                                                                           
    try:
        os.system("systemctl restart coturn")
        print("Restarted coturn service.")
    except:
        print("Could not restart coturn service!")

With sudo crontab -e I let this script fire every 8 hours.

0 4,12,20 * * *	     python3 /root/update_coturn_external_ip.py

Until now looks like it works smoothely.

@homer77, fantastic work, do you have test case or test tool that can distinguish a proper coturn server with external-ip address set and one without?

I tested the coturn server before both with

• my old setup and with
• your config of the app.

In both cases I could not connect between my smartphone while it is in cell mode or in a VPN to my Laptop in the same NAT as my FreedomBox.

Since I added external-ip to the config it works flawlessly.

This corresponds to difference in the log I observed. Before the external-ip only the client inside the NAT showed up with the name of account. The one outside didn’t or showed up as some number. Also there were a lot of 401 errors like this:

session 002000000000000010: realm <mydomain.net> user <>: incoming packet message processed, error 401: Unauthorized
IPv4. Local relay addr: 192.168.1.19:49394

As you can see the user tag is empty there. Only the local users in the NAT are shown in the log, the ones from outside cannot be authorized.

But now - after defining external-ip - both clients’ accounts show up, and no obvious error messages!

One problem is stil left:
The log shows that coturn doesn’t find the certs from the config file. So that TLS connections are impossible.

WARNING: cannot find private key file: /etc/coturn/certs/pkey.pem (1)
WARNING: cannot start TLS and DTLS listeners because private key file is not set properly

Checking my log and config I found out that you named the key pkey.pem while I named it privkey.pem. After correcting this in config there’s a working TLS setup.

Still I receive:

set_ctx: ERROR: cannot set DH
ERROR: set_ctx: ERROR: cannot set DH

which vanishes if I add

dh-file=/etc/apache2/ssl/dhparams.pem

in my config.
Now TLS and DTLS are flawlessly working according to the log.

After setting /etc/matrix-synapse/homeserver.yaml up with

turn_uris:
  - "stun:ismus.net:3478?transport=udp"
  - "stun:ismus.net:3478?transport=tcp"
  - "turn:ismus.net:3478?transport=udp"
  - "turn:ismus.net:3478?transport=tcp"
  - "stun:ismus.net:5349?transport=udp"
  - "stun:ismus.net:5349?transport=tcp"
  - "turn:ismus.net:5349?transport=udp"
  - "turn:ismus.net:5349?transport=tcp"

the log tells me also that the 5349 port is used by matrix-synapse.

I guess now I’m ready

Checking only every 8 hours will leave your server unreachable for many hours every day on average.

Another idea to detect IP changes could be to try much more frequent (10 seconds?) pings or connection attempts, but only to a known to work local port of the router using the own public IP. Assuming that the port becomes unreachable if the IP is not the own anymore, that could trigger a DNS check for the new IP.

However, such polling will probably prevent that the freedombox and router enter a power saving state.

@homer77 does your router support entering a custom url for a DDNS service? You could then enter your local freedombox IP there and just let your script wait on a port (http server) to catch the router’s request.