Building/configuring a TURN server

Have a look into the turnserver.log (wherever you put it) with tail -f turnserver.log and watch it while you connect two clients on your server. That’s the best way to check whether something is running or not, and if not, why not.

My coturn doesn’t show up at this trickle-ice check either but coturn definitely does a lot.
At least you will see if and how your clients try to make use of the turnserver.

I must correct this as I made a few observations yesterday evening:

  • My coturn server does show up at the trickle ice test you linked. But only as STUN not as TURN server.
    • Yesterday it didn’t show up because it … well, for some reason its process had failed and I hadn’t noticed yet, as with the only person I conferenced with there was no trouble. Which leads me to some further observations …
  • I tried to use my STUN and TURN server for my nextcloud instance at a distant webhoster. And as logs confirmed it made use of it but
    • while invited guests without a login account on the nextcloud could perfectly video conference with me immediately, a connection between me and another account on the cloud was blocked.
      • watching the log I saw a lot of 401 Unauthorized
      • when I removed my coturn server from the Nextcloud Talk config (and left the nextcloud.com stunserver) we could both immediately connect as logged-in users.
  • I configured my synapse matrix server to use my coturn which definitely worked for a friend from abroad and me until now. Yesterday with a friend from the same city it didn’t and I saw a lot of blockage in the log and also the 401 Unauthorized messages.
    • While the first friend uses an account on my server the second used a common matrix.org-account.
    • My suspicion: The realm config option might block accounts which are not registered on my domain.
    • Unfortunately we couldn’t check that out yesterday. But I should definitely check if we can conference when the friend uses an account on my synapse instance.
      • And then finally if there’s a way to deactivate this realm thing to not exclude users from other matrix servers.

Still a lot to fiddle around with this TURN/STUN server stuff …

1 Like

Thanks for the info. I’m going to try a completely fresh install without NextCloud and see how I get on. I have read quite a few threads about people having difficulty with Coturn, especially those trying to run it from a home connection, for example this thread: https://stackoverflow.com/questions/47253562/coturn-need-help-configurating-my-server-correctly?rq=1 I wonder if there is something about TURN that makes it unsuitable for home deployment!

UPDATE - my latest unsuccessful attempts!

I’ve done a fresh install of Debian Buster/Freedombox on my Pi3B and then installed and configured Coturn, following this guide: https://ourcodeworld.com/articles/read/1175/how-to-create-and-configure-your-own-stun-turn-server-with-coturn-in-ubuntu-18-04

The Trickle ICE test, TURN RESULTS IceTransports value: relay, still returns nothing:

Time    Component  Type  Foundation  Protocol  Address  Port  Priority
11.126  Done

In turnserver.config I added:

external-ip=[MY HOME IP]/[MY LOCAL IP]
listening-ip=[MY LOCAL IP]

And restarted Coturn, but still no joy

I found the following page that provides a full list of ports required by TURN: https://docs.pexip.com/rp_turn/rpturn_ports.htm

So I tried opening ALL(ANY) incoming and outgoing ports on my home router and opening all the ports, suggested at the link above, in Freedombox/Firewalld, but I still don’t get anything from the ICE test page.

I will try installing Matrix next and have a look at the Coturn log, as you suggest.

I’m wondering if this is a firewall issue. Or because of my lack of knowledge to properly configure Coturn. Or both!

@MikaelB, @ScottishFreedom, @homer77 I have moved all the TURN related discussion into a new topic so it is not lost and gets more focus.

Also, I started reading up and doing tests on coturn.

1 Like

Rahul C and I have been experimenting with coturn primarily based on the configuration steps provided here. We were able to get video calls working between an iOS app and Android app with modified configuration. We configured matrix-synapse as follows (after which the call started working):

turn_uris: [ "stun:ourserver.example.org:3478?transport=udp", "stun:ourserver.example.org:3478?transport=tcp", "turn:ourserver.example.org:3478?transport=udp", "turn:ourserver.example.org:3478?transport=tcp" ]

I don’t know why the matrix-synapse documentation does not include the stun: protocol values.

We also made some changes to the turnserver.conf (won’t make a lot of difference):

listening-port=3478

tls-listening-port=5349

Did not set. These are the default anyway.

relay-ip=192.168.1.15

This is not needed as coturn takes all the IP addresses of the machine and listens on them if no IP is provided.

fingerprint

Did not set it. Left it to default behavior. If the client sends fingerprint, response will have fingerprint. Otherwise, older clients will fail.

stale-nonce=600

Left it to default value. Didn’t set it.

cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"

We left this at the default value, since understanding what ciphers are supported by each of the clients is a big exercise and best left to the coturn developers.

dh-file=/etc/apache2/ssl/dhparams.pem

We didn’t provide this. Default DH params will then be used.

log-file=/var/log/turnserver.log

simple-log

Not needed. Use journalctl -u coturn instead.

mobility

Didn’t set, left to default.

Also, based on the configuration above, a freedombox app to setup everything automatically (including LE certs, auto renewal, firewalld changes, auth token, URLs, etc) is almost ready: https://salsa.debian.org/sunilmohan/plinth/-/commits/coturn

2 Likes

Wow, that’s amazing work. Sounds like you’ve almost completed making Matrix-Synapse a fully functional one-click deployment. That’s awesome. I look forward to getting the benefit of your work in future releases :slight_smile:

I was totally defeated by Coturn so I went off exploring in other areas - I found that eJabberd has a STUN/TURN server that is not turned on in the default Freedombox config, see below!

Matrix-Synapse vs XMPP
I had originally started exploring Matrix-Synapse because I’d been having trouble navigating the XMPP world - so many clients and no standard set of features. For example there is no suite of compatible XMPP clients for Android, iOS and Linux that support both OMEMO encryption and Jingle voice/video calls. Yes, you can install the Jitsi client on Linux and Android and make voice calls, but there is no compatible iOS client etc etc. I need something that is deployable cross-platform via apps - not just in theory, but in practice. Matrix-Synapse seems to provide this :slight_smile: (The most comprehensive list comparing XMPP client features that I found is here: https://riseup.net/en/chat/clients).

eJabberd STUN/TURN Server
I found that eJabberd has a built-in STUN/TURN server that is pretty well documented here: https://docs.ejabberd.im/admin/configuration/listen/#ejabberd-stun-1 but it is turned off in the default Freedombox eJabberd config file: sudo su, nano /etc/ejabberd/ejabberd.yml I was going to start exploring configuring it to support XMPP Jingle voice and video calls.

OpenFire
I also tried OpenFire XMPP server. Super easy to deploy (even for a noob like me) and nice web admin GUI (also great for noobs). It has a built in media relay and easy to install plug-ins for Jingle and TLS/SSL certificate management: https://www.igniterealtime.org/projects/openfire/

OpenFire posted an update yesterday (26/4/2020) providing guidelines for implementing Coturn for OpenFire, in preparation for the XMPP Android app, Conversations, releasing an update next week that will support voice and video calls. See blog post here: https://www.igniterealtime.org/

Conclusion
I’m eventually going to do a blog post about what I’ve discovered about the state of XMPP, but in the meantime, it sounds like you have made voice and video chat a whole load more accessible to non-techies via Matrix-Synapse. That’s a massive thumbs up for Freedombox.

Thank you

1 Like

Hey @sunil. Thanks again. I have just had a look through the app source code and it’s really inspiring to see how well structured the Freedombox code is.

One question: will the app mention which ports to forward?

Or is this already taken care of in the code here (replicated below)? This looks like the description text that the user will see, and it seems to reference ports, but I can’t tell if this text explicitly informs the user which ports to open in the home router.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Coturn STUN/TURN server</short>
  <description>Coturn is a server to facilitate audio/video calls and conferences by providing implementation of TURN and STUN protocols. WebRTC, SIP and other communication servers can use it to establish a call between parties who are otherwise unable to connect with each other. Enable this if you are running the communications server and wish to perform audio/video calls.</description>
  <port protocol="tcp" port="3478"/>
  <port protocol="udp" port="3478"/>
  <port protocol="tcp" port="3479"/>
  <port protocol="udp" port="3479"/>
  <port protocol="tcp" port="5349"/>
  <port protocol="udp" port="5349"/>
  <port protocol="tcp" port="5350"/>
  <port protocol="udp" port="5350"/>
  <port protocol="tcp" port="49152-50175"/>
  <port protocol="udp" port="49152-50175"/>
</service>
1 Like

This code handles firewall port opening. The current code does not notify the user what ports they need to forward in the router. I forgot about it. Thanks for reminding me of it.

1 Like

Unfortunately, there is plenty more work to do with testing. In the initial release, I am thinking of hiding the coturn server behind the ‘show advanced apps’ flag in configuration. We need to do a lot more testing with it in the real world before we can be confident about it.

1 Like

If there is any way I can help with testing I’d be happy to help. You’ll have realized that I’m not very techy though :frowning:

Do I get a mention in the next release :joy:

I have finished the work on the coturn app (auto-configuring matrix-synapse is pending) and submitted a merge request. I was able to test the whole of the application code, but we need to test the server configuration in various situations. In particular, there are open questions about whether we should set ‘listen-ip’, ‘allow-loopback-peers’ and how to manage the ‘external-ip’ parameter.

It would be great if you can help with testing the server. Coturn will only show up if you enable ‘advanced mode’ in System -> Config. If you know how to do a development setup, go ahead with testing the merge request. Otherwise, this app will likely be available in next Monday’s release 20.8 which will reach your box by end of the week. You can test it more easily then.

3 Likes

I wrote a manual page for Coturn. Please feel free to contribute to it.

1 Like

I am very happy with the Coturn server. The installation was easy and it works properly. The Riot chats have an excellent video and audio quality. Thanks to all of you. You have made the freedombox more valuable!

3 Likes

So, I just updated to FB 20.8 and tried to install the new VOIP Helper App.

Which fails with g-io-error-quark: GDBus.Error:org.fedoraproject.FirewallD1.Exception: INVALID_SERVICE: coturn-freedombox (36)
As I had a coturn service before, this might be due to that. Uninstalling coturn and installing the app didn’t lead to a better result. Maybe I have to remove my coturn service from systemd before installing? …

After deleting my old coturn service manually, purging coturn and then installing the app, the process finished successfully.

Furthermore:

  • As far as I can see there’s no log for the service? Or where would I find it? As for now I cannot check if coturn is actually doing anything. OK. I found your hint regarding journalctl -u coturn now :sweat_smile:
    • But: While trying a video call (without success) exactly nothing seems to happen. The log remains untouched. After adding verbose to the config I can see that it works now. Also TrickleICE works for stun and 3478. But neither for turn nor 5349.
  • While VoIP is working inside my NAT it is not if I use a VPN with one of the devices (riot.im on notebook, Riot app on Android). So I guess TURN is not working properly yet? … :thinking: May this be connected to turnserver · coturn/coturn Wiki · GitHub as at least the browser app uses WebRTC?
  • The coturn entry in firewall is shown as active but the sub entry coturn-freedombox is shown as blocked. In contrast to other entries all ports are shown in one line instead of in separate lines per port. This might be linked to the error message reported above. After successful installation of the app it is shown active.

Above that - 2 questions:

  1. The annotations of the app say to forward

UDP 3478
TCP 3478
UDP 3479
TCP 3479
UDP 5349
TCP 5349
UDP 5350
TCP 5350

in my NAT.
But what about the port range for the media connections 49152 to 5xxx (I had to reduce it to 49407 because my router limits range to 255 ports)? Don’t they need to be forwarded also?

  2. Why does it only advise to use 3478 UDP/TCP and not 5349 UDP/TCP in Synapse? Log shows clearly that coturn only binds 3478 on IPs.
1 Like

Reloading firewalld or restarting FreedomBox will fix this issue. We have a proper fix for this issue in upcoming release 20.9 so reload/restart won’t be necessary.

Looks like I forgot this FreedomBox default configuration. I intended to add it. Created an issue for this: coturn: Add verbose flag to configuration file (#1850) · Issues · FreedomBox / FreedomBox · GitLab

Yes, that port range is needed as well. These ports will be used if STUN fails and TURN is selected. TrickleICE can detect this problem as I think it does not do actual relaying during the test. But the call will fail.

To overcome the 255-port maximum range, add 3 more rules.

5349 is the actual port for TLS (TCP) and DTLS (UDP) communication. However, the same service is provided on 3478 port as well apart from unencrypted traffic (encryption is used based on how incoming requests are).

2 Likes

Thank you for clearing these up.

I’m still struggling with some connections, especially regarding the Android client. And if I understand the docs of coturn correctly

-X is needed if you are running your TURN server behind a NAT.

(and my FB is actually behind a NAT) I do need to map “internal” and “external” IP for TURN to work although the ports are forwarded. Don’t I?

Unfortunately I don’t really get that part. Do they mean my router’s (dynamic) external IP by “external”? Because then I’d have to find a way to alter that value dynamically every time my dynamic IP changes. :worried:

Yes. Ideally, your router may have some way to trigger a script or dyndns update (web request) upon IP renewals. Though I don’t know what is supported.
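The dynamic external-ip problem raised in the last two posts, as an added shell example that is not from the thread or the FreedomBox app: it rewrites the external-ip=PUBLIC/LOCAL line only after validating the looked-up address, and restarts coturn only when the line actually changed. The config path, the LAN address and the IP-lookup URL are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or the FreedomBox app: keep coturn's
# external-ip=PUBLIC/LOCAL line in step with a dynamic public address.
# Assumptions: CONF path, LOCAL_IP and the IP-lookup URL are placeholders.

CONF="${CONF:-/etc/turnserver.conf}"
LOCAL_IP="${LOCAL_IP:-192.168.1.15}"     # constructed LAN address

# Accept only a dotted-quad IPv4 with octets 0-255, so a failed lookup
# (an HTML error page, an empty reply) can never be written into the config.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# Print the public half of the current external-ip line (empty if absent).
current_external_ip() {
    sed -n 's#^external-ip=\([^/]*\)/.*#\1#p' "$1" | head -n 1
}

# Replace every external-ip line in $1 with external-ip=$2/$3.
# Returns 0 if the file changed, 1 if it was already current, 2 on bad input.
set_external_ip() {
    conf=$1; pub=$2; loc=$3
    valid_ipv4 "$pub" && valid_ipv4 "$loc" || return 2
    new="external-ip=$pub/$loc"
    grep -qxF "$new" "$conf" && return 1
    tmp=$(mktemp) || return 2
    grep -v '^external-ip=' "$conf" > "$tmp" || true   # grep -v exits 1 on no output
    printf '%s\n' "$new" >> "$tmp"
    cat "$tmp" > "$conf"                               # keeps the file's owner/mode
    rm -f "$tmp"
}

# Cron/hook entry point: look up the public address, rewrite the config and
# restart coturn only when the address really changed (it reads the file once).
main() {
    pub=$(curl -fsS https://ip-lookup.example.invalid/) || exit 1   # placeholder URL
    if set_external_ip "$CONF" "$pub" "$LOCAL_IP"; then
        systemctl restart coturn
    fi
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `CONF=/etc/turnserver.conf LOCAL_IP=<lan-ip> ./script.sh run` from cron or a router/dyndns hook; the restart is the part that matters, since coturn does not pick up a changed external-ip on its own.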