Well, I guess I found some things out and kind of solved the problem:
- Some of the problems with the coturn server were linked to the privileges of the daemon and of the letsencrypt certs. I did the following:
sudo su -
mkdir -p /etc/coturn/certs
mv /etc/turnserver.conf /etc/coturn/turnserver.conf
cp /etc/letsencrypt/live/mydomain.net/privkey.pem /etc/coturn/certs/privkey.pem
cp /etc/letsencrypt/live/mydomain.net/cert.pem /etc/coturn/certs/cert.pem
chown turnserver:turnserver /etc/coturn/
chown turnserver:turnserver /etc/coturn/*
chmod 700 /etc/coturn/certs/
chmod 600 /etc/coturn/certs/*
touch /var/log/turnserver.log
chown turnserver:turnserver /var/log/turnserver.log
Of course this means that we have to copy the certs at every renewal unless we automate that.
- Now we have to adapt the service to the new path with
systemctl edit --full coturn
[...]
[Service]
User=turnserver
Group=turnserver
Type=forking
RuntimeDirectory=turnserver
PIDFile=/run/turnserver/turnserver.pid
ExecStart=/usr/bin/turnserver --daemon -c /etc/coturn/turnserver.conf --pidfile /run/turnserver/turnserver.pid -l /var/log/turnserver.log
[...]
- My /etc/coturn/turnserver.conf looks like this:
listening-port=3478
tls-listening-port=5349
# the local IP address of your machine, please adjust!
relay-ip=192.168.1.15
min-port=49152
# my router only allows 255 ports per region
max-port=49252
# for debugging only
verbose
fingerprint
#lt-cred-mech
#no-auth
use-auth-secret
# which you also need in the synapse config
static-auth-secret=s0meS3cr3tPa55phras3
realm=yourdomain.net
total-quota=100
bps-capacity=0
stale-nonce=600
cert=/etc/coturn/certs/cert.pem
pkey=/etc/coturn/certs/privkey.pem
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
dh-file=/etc/apache2/ssl/dhparams.pem
#no-stdout-log
log-file=/var/log/turnserver.log
simple-log
#no-multicast-peers
mobility
no-tlsv1
no-tlsv1_1
no-cli
Now just start the coturn server with systemctl start coturn
and watch your log file with tail -f /var/log/turnserver.log
Test your turnserver with stun yourdomain.net -p 3478
and follow your log. If it moves, your server is obviously reachable. Otherwise you might check if the server is actually running, or check if you opened the ports both in your router/NAT and in firewalld.
If it is reachable, you may make a video call in Matrix. My findings up to now are the following:
- Browser to Browser (both Element):
  - works like a charm.
  - In the turnserver.log you'll find entries from both users and successful connections.
- Browser to Android Riot App:
  - As usual, the video shows until the called account answers the call.
  - Videos turn black and after some time the call ends.
  - In the turnserver.log you will see that only the account using the browser turns up. No trace of the account using the Android app.
- Hypothesis, untested:
  - Android to Android calls won't work either
  - and neither of the accounts will turn up in the log.
Could this be linked to the ports? Does the Android app not allow those, and would it work with e.g. 443 instead? Nextcloud, for example, uses a STUN server on 443 by default. With my coturn server I found the same pattern with Nextcloud Talk:
- The Android app didn't work
- while joining the call in Firefox for Android as a guest works perfectly.
Obviously I could test this by changing the ports in the turnserver.conf to 80 and 443 respectively. Unfortunately that won't work so easily on the same machine right now, because I would have to stop Apache so that the ports are free to be bound by coturn, but as Synapse depends on Apache it wouldn't work anymore.
Conclusion
At the moment there is no way to get video calls on the Riot Android app to work with the coturn server. Something blocks the communication of the app with the TURN server, at least with the used ports.
Maybe someone with a separate TURN server and the ports 80 and 443 might check this hypothesis?
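The manual cert copy in the first step of this post, automated as a certbot deploy hook. This is an added example, not the poster's own script: it assumes the daemon user and group are turnserver and the destination is /etc/coturn/certs as set above, it relies on certbot's RENEWED_LINEAGE variable (which certbot sets to the renewed certificate's live/ directory when it runs deploy hooks), and mydomain.net stands in for the real domain as in the post. The copy logic takes its paths and owner as parameters so it can be exercised against a scratch directory without root.

```shell
#!/bin/sh
# Added example (not from the original post): a certbot deploy hook that copies
# the renewed Let's Encrypt files into coturn's own directory with the same
# ownership and modes the post sets by hand, then restarts coturn.
# Install as /etc/letsencrypt/renewal-hooks/deploy/coturn-certs.sh (executable).
# Assumptions: the coturn daemon user/group is "turnserver" and the config has
# cert=/etc/coturn/certs/cert.pem and pkey=/etc/coturn/certs/privkey.pem.
set -eu

# install_coturn_certs SRC_DIR DEST_DIR OWNER GROUP
# Copies cert.pem and privkey.pem from SRC_DIR to DEST_DIR. Files are created
# under umask 077 so they are never readable by others, not even between the
# cp and the chmod; the directory ends up 0700 and the files 0600.
install_coturn_certs() {
    src="$1"; dest="$2"; owner="$3"; group="$4"
    for f in cert.pem privkey.pem; do
        [ -r "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dest"
    # Copy to a temporary name first, then rename, so coturn never sees a
    # half-written key if it happens to start while the hook is running.
    for f in cert.pem privkey.pem; do
        (umask 077; cp "$src/$f" "$dest/.$f.tmp")
        mv -f "$dest/.$f.tmp" "$dest/$f"
    done
    chown "$owner:$group" "$dest" "$dest/cert.pem" "$dest/privkey.pem"
    chmod 700 "$dest"
    chmod 600 "$dest/cert.pem" "$dest/privkey.pem"
}

# check_cert_perms DEST_DIR
# Returns 0 when the directory is drwx------ and both files are -rw-------.
# Reads the mode column of ls -l, which has the same layout on GNU and BSD.
check_cert_perms() {
    dest="$1"
    [ "$(ls -ld "$dest" | cut -c1-10)" = "drwx------" ] || return 1
    for f in cert.pem privkey.pem; do
        [ "$(ls -l "$dest/$f" | cut -c1-10)" = "-rw-------" ] || return 1
    done
}

# Entry point used when certbot runs the hook. RENEWED_LINEAGE is set by
# certbot to the live/ directory of the certificate that was just renewed;
# "mydomain.net" is the placeholder domain from the post.
run_hook() {
    install_coturn_certs "${RENEWED_LINEAGE:-/etc/letsencrypt/live/mydomain.net}" \
        /etc/coturn/certs turnserver turnserver
    check_cert_perms /etc/coturn/certs
    # coturn reads the files at startup, so restart it to pick up the new pair.
    if command -v systemctl >/dev/null 2>&1; then
        systemctl restart coturn
    fi
}

# Only act as a hook when invoked by certbot; sourcing the file (for example
# to test the functions) just defines them.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    run_hook
fi
```

Drop the file into /etc/letsencrypt/renewal-hooks/deploy/ with execute permission and certbot runs it after each successful renewal, so the manual cp step is no longer needed. The umask 077 matters: a plain cp followed by chmod leaves a short window in which the private key carries the default 0644 mode. If TLS clients reject the certificate because an intermediate is missing, copy fullchain.pem in place of cert.pem.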