Building/configuring a TURN server

I tested the coturn server before both with

• my old setup and with
• your config of the app.

In both cases I could not connect between my smartphone while it is in cell mode or in a VPN to my Laptop in the same NAT as my FreedomBox.

Since I added external-ip to the config it works flawlessly.

This corresponds to difference in the log I observed. Before the external-ip only the client inside the NAT showed up with the name of account. The one outside didn’t or showed up as some number. Also there were a lot of 401 errors like this:

session 002000000000000010: realm <mydomain.net> user <>: incoming packet message processed, error 401: Unauthorized
IPv4. Local relay addr: 192.168.1.19:49394

As you can see the user tag is empty there. Only the local users in the NAT are shown in the log, the ones from outside cannot be authorized.

But now - after defining external-ip - both clients’ accounts show up, and no obvious error messages!

One problem is stil left:
The log shows that coturn doesn’t find the certs from the config file. So that TLS connections are impossible.

WARNING: cannot find private key file: /etc/coturn/certs/pkey.pem (1)
WARNING: cannot start TLS and DTLS listeners because private key file is not set properly

Checking my log and config I found out that you named the key pkey.pem while I named it privkey.pem. After correcting this in config there’s a working TLS setup.

Still I receive:

set_ctx: ERROR: cannot set DH
ERROR: set_ctx: ERROR: cannot set DH

which vanishes if I add

dh-file=/etc/apache2/ssl/dhparams.pem

in my config.
Now TLS and DTLS are flawlessly working according to the log.

After setting /etc/matrix-synapse/homeserver.yaml up with

turn_uris:
  - "stun:ismus.net:3478?transport=udp"
  - "stun:ismus.net:3478?transport=tcp"
  - "turn:ismus.net:3478?transport=udp"
  - "turn:ismus.net:3478?transport=tcp"
  - "stun:ismus.net:5349?transport=udp"
  - "stun:ismus.net:5349?transport=tcp"
  - "turn:ismus.net:5349?transport=udp"
  - "turn:ismus.net:5349?transport=tcp"

the log tells me also that the 5349 port is used by matrix-synapse.

I guess now I’m ready

Checking only every 8 hours will leave your server unreachable for many hours every day on average.

Another idea to detect IP changes could be to try much more frequent (10 seconds?) pings or connection attempts, but only to a known to work local port of the router using the own public IP. Assuming that the port becomes unreachable if the IP is not the own anymore, that could trigger a DNS check for the new IP.

However, such polling will probably prevent that the freedombox and router enter a power saving state.

@homer77 does your router support entering a custom url for a DDNS service? You could then enter your local freedombox IP there and just let your script wait on a port (http server) to catch the router’s request.

If there is no way to configure a custom DDNS URL, you could try configuring a host or route entry to override a preconfigured DDNS provider, routing the request to your freedombox IP instead.

You’re right regarding the interval. I only thought about my special case that I know that

• usually my IP changes exclusively once in 24h
• There are exactly two accounts on my matrix instance - one of them me - so that I exactly know when the server’s needed

Since the mere IP check isn’t very expensive it wasn’t an actual problem to make the cronjob far more regular.
10 seconds on the other hand seems to me like a heavy overhead. Let’s assume 10 minutes. That would mean that the maximum downtime of the coturn server would be 10 minutes. For most FB users this should be a marginal loss…

This could of course also be adjustable in the VoIP-Helper app’s interface.

Regarding the power saving state:
Are you sure? I mean … aren’t there lots of such regular jobs already running? E.g. if the matrix instance is running and my Android Client is on - aren’t there continous connections between server and client?
I’m not an expert for the power management but I actually doubt that the coturn IP check has to impede that more than any instant messenger service running on your box yet

Router/DDNS:
I could use the Fritzbox for DDNS. But as I have a running ddclient config since years I stick to that.
I am not sure if I understand exactly what you mean by catching the router’s request. Can you give an example how that request would look?

Thanks for your elaborating reply.

Ok, I see the polling interval could be shortened, but it’s so avoidable to create constant traffic, might even lead to problems by block/filter/usage listing or analytics, and is noise if you want to monitor your own connections. (at least for a fredombox supported setup)

Concerning the power saving, I think listening on an open connection can be delegated into a low power state of the network adapter, but cron + making nework requests causes CPU activity.

What I first had in mind was starting a webserver with python…

But it could be much better as a test setup if maybe a freedombox developer could provide a hint about how to best configure a new port or subdirectory? served by the webserver that is already running on the freedombox.

Then your script could in the simplest form just loop over an inotifywait that watches that port/directory’s log file, to trigger the update after the router makes the http request.

Your router seems to support entering a custom URL in its DynDNS configuration, at least there seems to be a help page about it. So it should be possible to enter the local freedombox URL there.

EDIT:
(In case your are wondering, I’m myself still looking for updating my filesystem setup, and not there yet.)

When your script just inotifywaits for the router making a request, without extracting any info from it, I think it would first have to trigger your ddclient, to actually update the DNS, and then do your lookup+coturn update.

And your script would already be fully usable in freedombox if it could fallback to polling as long as the logfile does not exist (no DDNS configured in the router), which should also render a warning to the user in the webfrontend/email notifications.

EDIT:

@sunil What could allow the easiest and most versatile configuration of routers might be: To configure an additional internal IP on the freedom box.

(And letting any type of request to that IP trigger a dyndns update (updating the real provider as configured in the freedombox) and then the STUN/TURN update, as suggested above.)

That could allow any type of router with an arbitrary DDNS implementation to trigger an update, no matter the URL or even protocol. Either by directly configuring the custom IP as custom DDNS provider with arbitrary protocol, or by configuring a hosts or route entry on the router, that redirects an available provider to the special freedombox DDNS update IP.

ejabberd and Coturn URLs and shared authentication secret?

Hey, great to have Coturn installed.

Noobie questions… for XMPP/eJabberd do I have to add the Coturn URLs and shared authentication secret to: sudo nano /etc/ejabberd/ejabberd.yml

Or are the URLs and secret only for Matrix Synapse?

In reference to the docs I haven’t found a way to use an external stun/turn config in ejabberd yet. It seems mandatory for ejabberd to use its internal stun/turn server which above doesn’t work with ldap auth afai read.

Besides it seems overhead to use two seperate stun/turn servers for two im services on one box.

So I’m also not sure how to deal with this.

Thanks for the clarification.

doesn’t work with ldap auth

This is the bit that I had not quite understood. So as it stands, there is no workable TURN solution for eJabberd with Freedombox?

I’m afraid that I don’t find the eJabberd documentation/configuration very easy to understand!

On another note, last night I tested Conversation.im (2.8.2+fcr - free from F-Droid repos) on two Android devices using my Freedombox/eJabberd XMPP server. Over the local network Conversation works great - nice snappy connections and great quality audio and video chat.

When I tried it with both Android devices going through a VPN then they rang but the connection was never established - what you’d expect I guess!

Don’t give up hope! Guess you will like that:

https://blog.cubieserver.de/2020/ejabberd-announce-external-stun/turn-over-xmpp-xep-0215/

Points exactly to your question I would say.

wow, exactly what I needed - nice find I’m going to follwo his set up guide whan I get time over the weekend: https://help.nextcloud.com/t/howto-setup-nextcloud-talk-with-turn-server/30794

Bad news! We won’t get it to work until ejabberd 20.4 is in the debian repos. At the moment it’s 18something … so … I guess that will time until then.

The article mentioned 20.04 though, and that is already in buster-backports.
It is widely, highly apprecieated I guess.

Sooooo! To sum up the state of the STUN

• VoIP via Matrix already works well after configuring coTURN with --external-ip
• After upgrading ejabberd to 20.4 via backports I activated mod_stun_disco with stun(s) and turn(s) on 3478 and 5349
  • and had yet a 90min call with a friend via PixArt-Messenger (Conversations-fork) Unfortunately we didn’t realize that we did not use my server for calling. Instead PixArt doesn’t offer to call at all when we use our accounts on my FreedomBox What do I have to do for that? … @SottishFreedom ?
  • Well, I had a strange time with that server … The only thing I altered during my investigation was adding the stun and turn SRV entry in DNS of my domain. I also observed that in our conversation we didn’t receive the avatars. And finally some minutes ago the Call-Symbol appeared in PixArt and we called successfully and received the right avatars. …
• added the stun and the turn incl. secret in Nextcloud Talk on another server at my office
  • which worked fantastic between different networks, too.

I’m good with this

Just realized that redirecting the router’s dyndns updates to a secondary IP of the freedombox (router hosts file or routing table entry) might even make the dyndns configuration on the freedomox entirely obsolete.

It should be possible to simply reuse the domain and the specific URL of the router’s request (found in the logs) for forwarding the request to the actual public dyndns service. But the redirection on the router would have to be only in effect for its locally originating request (packages), not for those triggered and originating from the freedombox.

Your devices will only fetch the new records, after the TTL of the last dns info expired, so that would introduce some lag to expect there.

Does everything continue working?

It seems so. Still everything’s working as far as I observed.

Did you add the dns records to a second level domain name or to a dyndns subdomain?
The former often have longer TTLs of several hours or even days.

As everything is still working, I congratulate!
First to have made it to a really complete setup.

second level.

Thank you

I try not to party too soon.
But as I called my friend on a daily bases for the last week with different device and network setups each I guess I can start to claim this

could it be possible to prevent the /etc/matrix-synapse/homeserver.yaml file from being overwritten for updates when using the Coturn server?