Hi all,
I’m a new Pioneer owner and have limited experience. Thanks for all the fantastic work you do making it possible for people like me to join this community. I’ve read the forum for potential solutions and found none. Still, please excuse what is probably a basic error in my thinking as I’m still getting up a steep learning curve.
Problem Description
I have Element/Matrix Synapse/Coturn up and running. My ISP only allows port 443, so I’ve set all my services up to use Cloudflare Zero Trust. I can log in using the mobile and web apps, set up rooms, and chat. I can connect video and audio calls when on the same network, but not when one party is connecting from outside. I’ve only been able to test the issue using mobile ↔ laptop and mobile <–mobile–> devices, rather than laptop ↔ laptop.
My best, half-educated guess is that I need to do more to open up ports via Cloudflare. Or, my Coturn isn’t properly configured. If either is the case, or if you see something I don’t, I’d appreciate your suggestions.
Steps to Reproduce
- Enable and configure Matrix and Synapse.
- Install Element from the command line.
- Configure Cloudflare to tunnel port 8448 via a subdomain (talk.domain.tld).
- Make a call to/from an outside party to/from the local network.
- Answer.
- “Call connecting…” Nothing.
Expected Results
Video/audio calls connect from outside network using all devices.
Actual results
Calls between servers ring but do not connect. Either nothing notable is logged or I’m looking in the wrong place for a description of the error.
Screenshot
If I had a screenshot to share it’d be the “Call connecting…” screen in Element.
Information
- FreedomBox version 24.1 on Debian GNU/Linux 12 (bookworm)
- FreedomBox Pioneer, preinstalled
- Element/Matrix Synapse/Coturn are all latest versions.
- My router puts FreedomBox in the DMZ although my ISP blocks other ports.
- Cloudflare is cloudflared.
- All services are go.
Hello James,
Regarding your setup with Cloudflare Zero Trust:
set all my services up to use Cloudflare Zero Trust.
Have you ensured that Coturn’s required ports are properly forwarded through Cloudflare?
Thanks for your question. I tweaked my Cloudflare Zero Trust settings based on your suggestion. I’ve done the following to allow the required ports and protocols.
- Set up the tunnel.
- Put in a Private Network/Firewall Policy for my public IP with allow rules for the ports below, which are the ones required by Coturn.
I’m testing today with mobile ↔ mobile since I’m in a different location. The other mobile is on the Freedombox network. I’m getting the same results, unfortunately.
Hello,
I must admit, my familiarity with Cloudflare Zero Trust (CZT) is limited, so my guidance here might be somewhat basic. From what I understand, you’re using CZT to navigate around your ISP’s port restrictions, right?
However, I’m curious about how exactly your FreedomBox is circumventing these ISP restrictions. Are you using a tool like cloudflared on your FreedomBox or router to establish a connection with Cloudflare’s Edge network? Also, do you have the WARP client installed on your devices to ensure they’re on the same private network as your FreedomBox?
A bit more detail on how you’ve set up your network would help in understanding your situation better and potentially in offering more targeted advice.
You’ve got it exactly, at least in so far as I understand it; I’m also learning as I go. CZT is getting around my ISP’s port restrictions and sending everything to ports 80 and 443. clouldflared is running on FreedomBox, but while I’m testing I’ve disabled the WARP requirement in my .cloudflared/config.yaml file. I’ve tried it both ways with the same outcome—with and without WARP enabled, I mean.
I double checked .cloudflared/config.yaml to see if I had specified a port for the subdomain talk.domain.tld during configuration, and I had. I’m not sure if this was recommended or if I left it behind when troubleshooting. I removed it so it will listen to all available ports. I’ll test again when I’m able and share the results.
Attempted with mobile ↔ mobile on and off WARP, one user in the network and one outside. No luck connecting still.
To close this out, today I found a discussion on the Coturn github page saying that I won’t be able to force the traffic through the HTTP/S tunnel. Instead, I’d “need Cloudflare to proxy raw TCP connections” for it to work. It seems that service is available through a paid plan, but my use case is far too modest for the Enterprise plan. Unless someone has a wand to wave, this is the end of the road for me; I can rely on the public matrix server just fine.
Oh. That’s unfortunate.
Have you considered reaching out to your ISP to inquire if there’s any possibility of them unblocking the necessary ports for you? Sometimes, ISPs may accommodate such requests, especially if they understand it’s for a critical service you’re using.
You should bring up your issue at the Cloudflare forum:
https://community.cloudflare.com/latest
