Building/configuring a TURN server

Well, I guess I found some things out and kind of solved the problem:

  1. Some of the problems with the coturn server were linked to the privileges of the daemon and of the letsencrypt certs. I did the following:

    sudo su -
    mkdir -p /etc/coturn/certs
    mv /etc/turnserver.conf /etc/coturn/turnserver.conf
    cp /etc/letsencrypt/live/mydomain.net/privkey.pem /etc/coturn/certs/privkey.pem
    cp /etc/letsencrypt/live/mydomain.net/cert.pem /etc/coturn/certs/cert.pem
    chown turnserver:turnserver /etc/coturn/
    chown turnserver:turnserver /etc/coturn/*
    chmod 700 /etc/coturn/certs/
    chmod 600 /etc/coturn/certs/*
    touch /var/log/turnserver.log
    chown turnserver:turnserver /var/log/turnserver.log

Of course this means that we have to copy the certs after every renewal unless we automate that.

  2. Now we have to adapt the service to the new path with systemctl edit --full coturn:

    [...]
    [Service]
    User=turnserver
    Group=turnserver
    Type=forking
    RuntimeDirectory=turnserver
    PIDFile=/run/turnserver/turnserver.pid
    ExecStart=/usr/bin/turnserver --daemon -c /etc/coturn/turnserver.conf --pidfile /run/turnserver/turnserver.pid -l /var/log/turnserver.log
    [...]
  3. My /etc/coturn/turnserver.conf looks like this (comments moved to their own lines, as coturn expects them):

    listening-port=3478

    tls-listening-port=5349

    # the local ip-address of your machine, please adjust!
    relay-ip=192.168.1.15

    min-port=49152
    # my router only allows 255 ports per region
    max-port=49252

    # for debugging only
    verbose

    fingerprint

    #lt-cred-mech
    #no-auth
    use-auth-secret

    # which you also need in the synapse config
    static-auth-secret=s0meS3cr3tPa55phras3

    realm=yourdomain.net
    total-quota=100

    bps-capacity=0

    stale-nonce=600

    cert=/etc/coturn/certs/cert.pem

    pkey=/etc/coturn/certs/privkey.pem

    cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"

    dh-file=/etc/apache2/ssl/dhparams.pem

    #no-stdout-log

    log-file=/var/log/turnserver.log

    simple-log

    #no-multicast-peers

    mobility

    no-tlsv1
    no-tlsv1_1

    no-cli

Now just start the coturn server with systemctl start coturn and watch your log file with tail -f /var/log/turnserver.log

Test your turnserver with stun yourdomain.net -p 3478 and follow your log. If it moves, your server is obviously reachable. Otherwise you might check whether the server is actually running, or whether you opened the ports both in your router/NAT and in firewalld.

If it is reachable you may make a video call in Matrix. My findings up to now are the following:

  • Browser to Browser (both Element):
    • works like a charm.
    • In the turnserver.log you’ll find entries from both users and successful connections.
  • Browser to Android Riot App:
    • As usual, the video shows until the called account answers the call.
    • Videos turn black and after some time the call ends.
    • In the turnserver.log you will see that only the account using the browser turns up. No trace of the account using the Android app.
  • Hypothesis, untested:
    • Android to Android calls won’t work either
    • and neither of the accounts will turn up in the log.

Could this be linked to the ports? Does the Android app not allow those, and would it work with e.g. 443 instead? Nextcloud e.g. uses a STUN server on 443 by default. With my coturn server I found the same pattern with Nextcloud Talk:

  • The Android app didn’t work
  • while joining the call in Firefox for Android as a guest works perfectly.

Obviously I could test this by changing the ports in the turnserver.conf to 80 or 443 respectively. Unfortunately that won’t work so easily on the same machine right now, because I would have to stop apache so that the ports are free to be bound by coturn - but as synapse is dependent on apache it wouldn’t work anymore.

Conclusion
At the moment there is no way to get video calls on the Riot Android app to work with the coturn server. Something blocks the communication of the app with the TURN server, at least with the used ports.
Maybe someone with a separate TURN server and the ports 80 and 443 might check this hypothesis?
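The renewal automation mentioned in step 1, as an added example that is not from the original post: a certbot deploy hook (assumed path /etc/letsencrypt/renewal-hooks/deploy/coturn-certs.sh) that repeats the post's copy, chown and chmod steps after every renewal. The RENEWED_LINEAGE variable is what certbot exports to deploy hooks; the helper name install_coturn_certs is mine.

```shell
#!/bin/sh
# Added example: certbot deploy hook that refreshes /etc/coturn/certs after a
# renewal. Assumed install path: /etc/letsencrypt/renewal-hooks/deploy/coturn-certs.sh
set -eu

# install_coturn_certs SRC_DIR DST_DIR OWNER
#   SRC_DIR: Let's Encrypt lineage dir, e.g. /etc/letsencrypt/live/mydomain.net
#   DST_DIR: coturn's private cert dir, e.g. /etc/coturn/certs
#   OWNER:   user:group the daemon runs as, e.g. turnserver:turnserver
install_coturn_certs() {
    src_dir=$1; dst_dir=$2; owner=$3
    # Refuse to touch anything if the source is incomplete (e.g. wrong domain).
    [ -r "$src_dir/cert.pem" ] && [ -r "$src_dir/privkey.pem" ] || return 1
    old_umask=$(umask)
    umask 077                      # new files/dirs are private from the start
    mkdir -p "$dst_dir"
    # Copy under temporary names, then rename: coturn never sees a half-written key.
    cp "$src_dir/cert.pem"    "$dst_dir/cert.pem.tmp"
    cp "$src_dir/privkey.pem" "$dst_dir/privkey.pem.tmp"
    chown "$owner" "$dst_dir" "$dst_dir/cert.pem.tmp" "$dst_dir/privkey.pem.tmp"
    chmod 700 "$dst_dir"           # same permissions as in the post
    chmod 600 "$dst_dir/cert.pem.tmp" "$dst_dir/privkey.pem.tmp"
    mv "$dst_dir/cert.pem.tmp"    "$dst_dir/cert.pem"
    mv "$dst_dir/privkey.pem.tmp" "$dst_dir/privkey.pem"
    umask "$old_umask"
}

# certbot sets RENEWED_LINEAGE (the live/<domain> directory) for deploy hooks;
# run by hand without it, the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_coturn_certs "$RENEWED_LINEAGE" /etc/coturn/certs turnserver:turnserver
    systemctl restart coturn       # pick up the new cert and key
fi
```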
