We are not automatically setting up a TURN server for matrix-synapse yet in FreedomBox. If you have information on how to set one up (or which one to set up), it could help us with setting up one.
I have realized late that the video connections are made possible by Matrix and are not running on FreedomBox itself. I’ve found a (German) tutorial on how to set up a TURN server; the Debian package coturn is used in this configuration.
As I am fiddling around with synapse and coturn as TURN/STUN server lately, I would like to add some findings. Might help some people to save some time.

- As most of our servers might dwell behind a router with NAT …
  - Audio/video conferences won’t work under certain circumstances.
  - I got conferences between two riot.im/app instances working smoothly,
  - while the Riot Android app cannot establish a WebRTC connection,
  - no matter if to another Android app or riot.im/app.
- To solve this one will need
  - either to turn the clients to fall back to TURN, which didn’t work for me,
  - or to set up a TURN server like coturn on your FreedomBox to circumvent the NATs between clients.
Instructions I found for setting up coturn:
- decatec.de/home-server/nextcloud-talk-mit-eigenem-turn-server-coturn/
- www.nomachine.com/AR07N00894
- github.com/matrix-org/synapse/blob/master/docs/turn-howto.md

Of course a good overview of flags and options is https://github.com/coturn/coturn/wiki/turnserver
Most important!
If you think: Hey, I opened all the ports on my router. Obviously the problem that nothing works is because of a buggy /etc/turnserver.conf! But how to know, since the log file is nowhere to be found or simply empty!
Then please remember that FreedomBox comes with firewalld. And as you installed coturn outside of Plinth, it is not configured as a service in firewalld. So all the ports you opened in your router/NAT are still blocked by your home server.
Invest some minutes in learning how to add a service and ports to it using `firewall-cmd` …
To have a working log you need to add the `verbose` and the `simple-log` flags; then you might find it under /var/log/turnserver.log (check the path in the config file).
After restarting the coturn daemon you can watch the log with
```
sudo tail -f /var/log/turnserver.log
```
With https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ you can check if your STUN/TURN server receives signal or can be found. Or you can run
```
apt install stun-client
```
on another machine and
```
stun yourdoma.in -p 3478
```
If you want to use your letsencrypt certs for the TURN server, remember that its privileges don’t suffice to read them. You might change the group of the service’s process from turnserver to root with `sudo systemctl edit --full turnserver`.
Right now coturn does receive information when trying to video call with Matrix, but the call doesn’t get media streams to work. The screens turn black and the call is canceled.
I used the coturn server in a Nextcloud Talk config on another machine. A conference between the same devices (notebook and Android, both with Firefox) works with video/audio and the turnserver.log indicates that it works.
Tomorrow I’ll try to find out why Matrix calls still don’t work and what the authentication method of coturn might have to do with it.
As you see: to fiddle with a TURN server is a pain in the ass.
So it would obviously be great to solve this and make a one-click app of it!
Well, I guess I found some things out and kind of solved the problem:
- Some of the problems with the coturn server were linked to the privileges of the daemon and of the letsencrypt certs. I did the following:
```
sudo su -
mkdir -p /etc/coturn/certs
mv /etc/turnserver.conf /etc/coturn/turnserver.conf
cp /etc/letsencrypt/live/mydomain.net/privkey.pem /etc/coturn/certs/privkey.pem
cp /etc/letsencrypt/live/mydomain.net/cert.pem /etc/coturn/certs/cert.pem
chown turnserver:turnserver /etc/coturn/
chown turnserver:turnserver /etc/coturn/*
chmod 700 /etc/coturn/certs/
chmod 600 /etc/coturn/certs/*
touch /var/log/turnserver.log
chown turnserver:turnserver /var/log/turnserver.log
```
Of course this means that we have to copy the certs on every renewal unless we automate that.
- Now we have to adapt the service to the new path with `systemctl edit --full coturn`:
```
[...]
[Service]
User=turnserver
Group=turnserver
Type=forking
RuntimeDirectory=turnserver
PIDFile=/run/turnserver/turnserver.pid
ExecStart=/usr/bin/turnserver --daemon -c /etc/coturn/turnserver.conf --pidfile /run/turnserver/turnserver.pid -l /var/log/turnserver.log
[...]
```
- My /etc/coturn/turnserver.conf looks like this (comments on their own lines):
```
listening-port=3478
tls-listening-port=5349
# the local IP address of your machine, please adjust!
relay-ip=192.168.1.15
min-port=49152
# my router only allows 255 ports per region
max-port=49252
# for debugging only
verbose
fingerprint
#lt-cred-mech
#no-auth
use-auth-secret
# which you also need in the synapse config
static-auth-secret=s0meS3cr3tPa55phras3
realm=yourdomain.net
total-quota=100
bps-capacity=0
stale-nonce=600
cert=/etc/coturn/certs/cert.pem
pkey=/etc/coturn/certs/privkey.pem
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
dh-file=/etc/apache2/ssl/dhparams.pem
#no-stdout-log
log-file=/var/log/turnserver.log
simple-log
#no-multicast-peers
mobility
no-tlsv1
no-tlsv1_1
no-cli
```
Now just start the coturn server with `systemctl start coturn` and watch your log file with `tail -f /var/log/turnserver.log`.
Test your TURN server with `stun yourdomain.net -p 3478` and follow your log. If it moves, your server is obviously reachable. Otherwise you might check if the server is actually running, or check if you opened the ports both in your router/NAT and in firewalld.
If it is reachable you may make a video call in Matrix. My findings up to now are the following:
- Browser to browser (both Element):
  - works like a charm.
  - In the turnserver.log you’ll find entries from both users and successful connections.
- Browser to Android Riot app:
  - As we are used to, the video shows until the called account answers the call.
  - Videos turn black and after some time the call ends.
  - In the turnserver.log you will see that only the account using the browser turns up. No trace of the account using the Android app.
- Hypothesis, untested:
  - Android to Android calls won’t work either,
  - and neither of the accounts will turn up in the log.

Could this be linked to the ports? Does Android (app) not allow those, and would it work with e.g. 443 instead? Nextcloud e.g. uses a STUN server with 443 by default. With my coturn server I found the same pattern with Nextcloud Talk:
- The Android app didn’t work,
- while joining the call in Firefox for Android as guest works perfectly.

Obviously I could test this by changing the ports in the turnserver.conf to 80 resp. 443. Unfortunately that won’t work so easily on the same machine right now, because I would have to stop apache so that the ports are free to be bound by coturn, but as synapse is dependent on apache it wouldn’t work anymore.

Conclusion
At the moment there is no way to get video calls on the Riot Android app to work with the coturn server. Something blocks the communication of the app with the TURN server, at least with the used ports.
Maybe someone with a separate TURN server and the ports 80 and 443 might check this hypothesis?
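The `use-auth-secret` / `static-auth-secret` pair in the config above enables the TURN REST API credential scheme: the client presents a username of the form `<expiry-unix-time>:<user>` and a password that is base64(HMAC-SHA1(shared secret, username)), so the TURN server never has to store per-user passwords and a leaked credential stops working at its expiry. The following added example (not code from this thread, from coturn or from synapse) mints such a credential the way a homeserver does and checks it the way a TURN server does; the secret and user ids are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder; in practice this is the value of static-auth-secret
# in turnserver.conf and of the matching shared-secret option in the homeserver.
SHARED_SECRET = b"s0meS3cr3tPa55phras3"


def mint_turn_credential(user_id: str, secret: bytes, lifetime_s: int = 86400,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """Create a time-limited TURN credential (TURN REST API scheme).

    username = "<expiry>:<user_id>", password = base64(HMAC-SHA1(secret, username)).
    The user id is only part of the MAC input; it is not checked against anything
    else by the TURN server.
    """
    now = int(time.time()) if now is None else now
    username = f"{now + lifetime_s}:{user_id}"
    mac = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode("ascii")


def check_turn_credential(username: str, password: str, secret: bytes,
                          now: Optional[int] = None) -> str:
    """Verify a credential as a TURN server with use-auth-secret would.

    Returns "ok", "bad-format", "expired" or "bad-mac". Only the server holds
    the secret; the client proves it was issued by the secret holder via the MAC.
    """
    now = int(time.time()) if now is None else now
    expiry_str, _, _user = username.partition(":")
    if not expiry_str.isdigit():
        return "bad-format"
    if int(expiry_str) < now:
        return "expired"          # credential outlived its lifetime
    expected = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    try:
        given = base64.b64decode(password, validate=True)
    except ValueError:
        return "bad-mac"
    # constant-time comparison so timing does not leak MAC bytes
    if not hmac.compare_digest(expected, given):
        return "bad-mac"
    return "ok"


if __name__ == "__main__":
    user, pw = mint_turn_credential("@alice:yourdomain.net", SHARED_SECRET, 3600)
    print("username:", user)
    print("password:", pw)
    print("server verdict:", check_turn_credential(user, pw, SHARED_SECRET))
```

A credential minted with a secret that differs from the one in turnserver.conf, or one that has expired, is rejected before any relay allocation is granted; the log then shows the rejection rather than a media failure.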
@homer77, thanks for the awesome work so far on the issue. I hope we get this working. Just last meeting @jvalleroy suggested that we should get audio/video conferencing working as a priority due to the current need for it.
I am writing this to add that copying letsencrypt certificates on every renewal in an automated way and setting the correct permissions is super easy on FreedomBox, and we do that already for many apps. So is editing a systemd service file.
In the coming days, I hope to join you with this effort. If the issue is fixed, it would be straightforward to write an app in FreedomBox.
That’s good news! So making the TURN server default, or at least a one-click option in Plinth’s synapse configuration, seems quite realistic. That’s nice.
Regarding the certs, I wonder if it makes more sense to copy them into the respective certs folders on every renewal, or to add e.g. a letsencrypt group, give the original folder 0600 privileges and add all servers which profit from them to the letsencrypt group. So no copying, and easy to add any new server or app to it.
The more sophisticated thing might be the use of subdomains like it’s needed in the ejabberd conf, and expanding the certs like I showed here. But sure, that’s also manageable?
I’m looking forward to seeing what this will develop into.
Hey @homer77, I’m going back over your research and I’m wondering… do I need to sort out the letsencrypt certs? Or is that just if I want encrypted connections?
I ask because when I try the following command that you used:
I get the response:
```
systemctl: unrecognized option '--edit'
```
Any ideas?
I’ve looked at `systemctl -h` and `systemctl -a` but I can’t see anything to help me!
Thanks again for your help and work on this.
Hey @ScottishFreedom,
You are getting this error because I wrote it wrong.
It’s supposed to be `sudo systemctl edit --full turnserver`.
I will correct this in the post above.
Thanks for the update. When I run your command (below) I get this error message:
```
No files found for turnserver.service.
Run 'systemctl edit --force --full turnserver.service' to create a new unit.
```
I’m starting to think there is something wrong with my coturn install!
Maybe the coturn service has another name on your system? You could check the list of available services with tab completion, e.g., or with `ls -la /etc/systemd/system` and then look for coturn or some other term with turn in it …
Can you start `turnserver` as an application in the shell?
Thanks. When I run `turnserver` I get a load of output and it looks like the server is running:
```
0: Trying to bind fd 24 to <0.0.0.0:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: Cannot bind TLS/TCP listener socket to addr 0.0.0.0:3478
0: Trying to bind TLS/TCP listener socket to addr 0.0.0.0:3478, again...
```
When I run `ls -la /etc/systemd/system` I get the following output, in which I cannot see a reference to TURNSERVER!:
```
total 72
drwxr-xr-x 17 root root 4096 Apr 13 00:37 .
drwxr-xr-x 5 root root 4096 Apr 10 02:20 ..
-rw-r--r-- 1 root root 1551 Apr 29 2019 autologin@.service
drwxr-xr-x 2 root root 4096 Feb 13 15:57 bluetooth.target.wants
lrwxrwxrwx 1 root root 42 Feb 13 15:58 dbus-fi.w1.wpa_supplicant1.service -> /lib/systemd/system/wpa_supplicant.service
lrwxrwxrwx 1 root root 37 Feb 13 15:57 dbus-org.bluez.service -> /lib/systemd/system/bluetooth.service
lrwxrwxrwx 1 root root 37 Apr 3 21:51 dbus-org.fedoraproject.FirewallD1.service -> /lib/systemd/system/firewalld.service
lrwxrwxrwx 1 root root 40 Feb 13 15:57 dbus-org.freedesktop.Avahi.service -> /lib/systemd/system/avahi-daemon.service
lrwxrwxrwx 1 root root 40 Apr 3 21:52 dbus-org.freedesktop.ModemManager1.service -> /lib/systemd/system/ModemManager.service
lrwxrwxrwx 1 root root 53 Apr 3 21:50 dbus-org.freedesktop.nm-dispatcher.service -> /lib/systemd/system/NetworkManager-dispatcher.service
lrwxrwxrwx 1 root root 45 Feb 13 15:52 dbus-org.freedesktop.timesync1.service -> /lib/systemd/system/systemd-timesyncd.service
lrwxrwxrwx 1 root root 36 Feb 13 16:03 default.target -> /lib/systemd/system/graphical.target
drwxr-xr-x 2 root root 4096 Apr 3 21:50 default.target.wants
lrwxrwxrwx 1 root root 34 Feb 13 15:58 dhcpcd5.service -> /lib/systemd/system/dhcpcd.service
lrwxrwxrwx 1 root root 35 Feb 13 15:59 display-manager.service -> /lib/systemd/system/lightdm.service
drwxr-xr-x 2 root root 4096 Feb 13 16:03 getty.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 16:03 getty@tty1.service.d
drwxr-xr-x 2 root root 4096 Feb 13 15:59 graphical.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 15:57 halt.target.wants
drwxr-xr-x 2 root root 4096 Apr 12 19:19 multi-user.target.wants
lrwxrwxrwx 1 root root 35 Apr 5 00:32 mysqld.service -> /lib/systemd/system/mariadb.service
lrwxrwxrwx 1 root root 35 Apr 5 00:32 mysql.service -> /lib/systemd/system/mariadb.service
drwxr-xr-x 2 root root 4096 Apr 3 21:50 network-online.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 15:57 poweroff.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 15:57 rc-local.service.d
drwxr-xr-x 2 root root 4096 Feb 13 15:57 reboot.target.wants
drwxr-xr-x 2 root root 4096 Feb 13 15:57 remote-fs.target.wants
drwxr-xr-x 2 root root 4096 Apr 10 01:02 sockets.target.wants
lrwxrwxrwx 1 root root 31 Apr 3 21:08 sshd.service -> /lib/systemd/system/ssh.service
drwxr-xr-x 2 root root 4096 Feb 13 16:09 sysinit.target.wants
lrwxrwxrwx 1 root root 35 Feb 13 15:54 syslog.service -> /lib/systemd/system/rsyslog.service
drwxr-xr-x 2 root root 4096 Apr 10 02:23 timers.target.wants
```
Thanks for continuing to try and help me with this.
I have a coturn entry in my /etc/systemd/system …
Did you install coturn with `sudo apt install coturn`? Or any other way?
Good point… it was installed by the Nextcloud Talk app. This may be the problem!
There is no mention of turn or coturn in the output from `ls` in /etc/systemd/system:
```
autologin@.service dbus-org.freedesktop.timesync1.service halt.target.wants remote-fs.target.wants
bluetooth.target.wants default.target multi-user.target.wants sockets.target.wants
dbus-fi.w1.wpa_supplicant1.service default.target.wants mysqld.service sshd.service
dbus-org.bluez.service dhcpcd5.service mysql.service sysinit.target.wants
dbus-org.fedoraproject.FirewallD1.service display-manager.service network-online.target.wants syslog.service
dbus-org.freedesktop.Avahi.service getty.target.wants poweroff.target.wants timers.target.wants
dbus-org.freedesktop.ModemManager1.service getty@tty1.service.d
```
But when I run:
```
sudo apt install coturn
```
I get:
```
Reading package lists... Done
Building dependency tree
Reading state information... Done
coturn is already the newest version (4.5.1.1-1.1).
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
```
But there is a file /etc/turnserver.conf, which is what I have been editing and which made me think coturn had been installed, and it looks like it is. I just can’t find where. I’m not very familiar with Linux architecture though!
You could execute `whereis coturn` resp. `whereis turnserver` in the terminal. It should show you where to find the binary.
Also you could run `pstree | grep turn` to check if there’s already a coturn process running on your system.
… indicates that there is one already, and so you should be able to simply use its config for your synapse matrix server.
I have just had some success before getting your message. I set up a subdomain with Letsencrypt, as per my post here: [SOLVED] How to add subdomains to Letsencrypt: "how to renew certificate and expand with subdomains"! and then followed the configuration instructions for coturn and Matrix here: https://gist.github.com/maxidorius/2b0acc2e707ae9a2d6d0267026a1024f, and now I can make voice calls outside the local network between devices/Riot.
Regarding our earlier discussion, I did find a reference to my coturn server pointing to the /nextcloud folder in my web root. So maybe Nextcloud Talk has done a non-standard install of coturn.
The commands to start and stop coturn work fine though:
```
systemctl start coturn
systemctl stop coturn
```
And worth noting that I had to restart Matrix after changing the configuration:
```
systemctl daemon-reload
```
I had previously set up my home router port forwards and then configured the FreedomBox firewall, as per your suggestion.
I’d be interested to know if you have any luck getting your TURN server working?
Thanks for all your input.
This is handy to know, thanks.
When I run `whereis turnserver` I get the output:
```
turnserver: /usr/bin/turnserver /etc/turnserver.conf /usr/share/man/man1/turnserver.1.gz
```
Hi, I have set up a working TURN server on my FreedomBox with the steps here: [SOLVED] How to add subdomains to Letsencrypt: "how to renew certificate and expand with subdomains"! and then the steps here: TTRSS install Problem and Matrix Synapse Server Problem
UPDATE: I have done a bit more testing and I’m not sure if TURN is working correctly.
I get the following output from the Trickle ICE test, which looks good: https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
```
Time   Component  Type  Foundation  Protocol  Address                                     Port   Priority
0.005  1          host  0           udp       08e190ed-2d51-4616-8681-a0d94a917b8a.local  52208  126 | 32512 | 255
0.005  1          host  5           tcp       08e190ed-2d51-4616-8681-a0d94a917b8a.local  9      125 | 32704 | 255
0.007  2          host  0           udp       08e190ed-2d51-4616-8681-a0d94a917b8a.local  57929  126 | 32512 | 254
0.007  2          host  5           tcp       08e190ed-2d51-4616-8681-a0d94a917b8a.local  9      125 | 32704 | 254
11.354 Done
```
But I have been testing with a VPN, and calls connect between my laptop and phone (different accounts on the FreedomBox/Raspberry Pi) when:
- neither is connected through a VPN, and when
- the laptop is connected to a VPN and the phone is not.

But the call will not connect when the phone is connected to a VPN.
So, I’m not sure what is going on here!
I don’t think these are your servers that the trickle-ice page shows. These are the test servers of the service.
So I fear your TURN server isn’t working correctly yet.
Yes, thanks. I think you are right. Coturn is a pain. My main problem is that I haven’t found anything that really explains coturn at the right level for me. So I’m floundering in the dark. I have opened up a thread on StackOverflow but I’m getting the feeling that I’m just wasting people’s time with my ignorance!
Have a look into the turnserver.log (wherever you put it) with `tail -f turnserver.log` and watch it while you connect two clients on your server. That’s the best way to check if something is running or not, resp. why not.
My coturn doesn’t show up at this trickle-ice check either, but coturn definitely does a lot.
At least you will see if and how your clients try to make use of the TURN server.
I must correct this as I made a few observations yesterday evening:
- My coturn server does show up at the trickle ICE test you linked, but only as STUN, not as TURN server.
- Yesterday it didn’t show up because … well, for some reason its process had failed and I hadn’t noticed yet, as with the only person I conferenced with there had been no trouble. Which leads me to some further observations …
- I tried to use my STUN and TURN server for my Nextcloud instance at a distant web hoster. And as the logs confirmed, it made use of it, but
  - while invited guests without a login account on the Nextcloud could perfectly video conference with me immediately, a connection between me and another account on the cloud was blocked.
  - Watching the log I saw a lot of `401 Unauthorized`.
  - When I removed my coturn server from the Nextcloud Talk config (and left the nextcloud.com STUN server), we could both immediately connect as logged-in users.
- I configured my synapse matrix server to use my coturn, which definitely worked for a friend from abroad and me until now. Yesterday with a friend from the same city it didn’t, and I saw a lot of blockage in the log and also the `401 Unauthorized` messages.
  - While the first friend uses an account on my server, the second used a common matrix.org account.
  - My suspicion: the `realm` config option might block accounts which are not registered on my domain.
  - Unfortunately we couldn’t check that out yesterday. But I should definitely check if we can conference when the friend uses an account on my synapse instance.
  - And then finally if there’s a way to deactivate this `realm` thing so as not to exclude users from other matrix servers.

Still a lot to fiddle around with this TURN/STUN server stuff …