Cloudron Forum, Support: Where is the coturn config located?

Tag: turn
31 Posts, 4 Posters, 4.2k Views
A Former User wrote:

The documentation seems quite lacking in this regard. Perhaps @girish or @nebulon have more info on this? Meanwhile I'll see if I can figure something out combing through the cloudron/box repo.

nebulon (Staff) wrote, #10:

@atrilahiji So the turn addon is configured as per https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf to have the following ports:

    # STUN/TURN listening ports and the relay port range coturn allocates from
    listening-port=3478
    tls-listening-port=5349
    min-port=50000
    max-port=51000

We have also included a section for preventing some attack, which I think is what you may hit?

    # https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/
    # refuse to relay to multicast and to non-public (private, loopback,
    # link-local, documentation and reserved) peer addresses
    no-multicast-peers
    denied-peer-ip=0.0.0.0-0.255.255.255
    denied-peer-ip=10.0.0.0-10.255.255.255
    denied-peer-ip=100.64.0.0-100.127.255.255
    denied-peer-ip=127.0.0.0-127.255.255.255
    denied-peer-ip=169.254.0.0-169.254.255.255
    denied-peer-ip=172.16.0.0-172.31.255.255
    denied-peer-ip=192.0.0.0-192.0.0.255
    denied-peer-ip=192.0.2.0-192.0.2.255
    denied-peer-ip=192.88.99.0-192.88.99.255
    denied-peer-ip=192.168.0.0-192.168.255.255
    denied-peer-ip=198.18.0.0-198.19.255.255
    denied-peer-ip=198.51.100.0-198.51.100.255
    denied-peer-ip=203.0.113.0-203.0.113.255
    denied-peer-ip=240.0.0.0-255.255.255.255

Those IPs are not public IPs anyway and thus would not help you achieve connectivity through it, as far as I understand.

A Former User wrote, #11:

@nebulon I didn't see those lines in /etc/turnserver.conf. Is this configured per app, or is there a config file somewhere else I'm missing?

girish (Staff) wrote, #12:

@atrilahiji The config is in /run/turnserver/turnserver.conf inside the container.

A Former User wrote, #13:

@girish Perfect, thanks! I'll play around in there and see if I can get this sorted.

A Former User wrote, #14:

@girish Digging this back up again. So I found the config file; however, removing the disallowed peers doesn't work, as it is all reset when the turn server is restarted.

@robi For your setup, are your computer and server on the same network? I'm seeing 401s every time I try to connect with others.

robi wrote, #15:

@atrilahiji computer = server, so yes. Clients, no.

A Former User wrote, #16:

@robi Ah, what I meant is whether you have run a meeting off of a computer that is on the same network as the server, which is clearly also a computer.

robi wrote, #17:

@atrilahiji Yes, same box. It's actually a nested virtualized server and the host is a client.
ISP router ports forward directly to the server for this.
A Former User wrote, #18 (last edited by A Former User):

[image: 5ce0a490-306d-4337-83ea-fc14ce243816-image.png]
Huh, so I am back on the debugging train here. I do seem to fail the Reflexive connectivity test here O_O

Also, I should point out that I use Adguard Home on my router, which is also what connects to my cloudron. Would that cause any problems?

But it's weird because it seems to work between my phone on data and my desktop (on the same network as my cloudron) but not between someone in Toronto and my desktop.

I remember there was a change related to this slated for a release @girish. Is this true? I'm really not sure what else I can do here O_O

EDIT: Seems like my investigations are going nowhere 😞

I assumed it might have to do with this commit, but if it works for Robi in the same scenario I've got nothing else I can think of trying: https://git.cloudron.io/cloudron/box/-/commit/6adf5772d8f871eae98ad5f5ffdbed7098bac214

robi wrote, #19:

@atrilahiji No Adguard in our picture, so try disabling it temporarily.
A Former User wrote, #20:

Ugh, no luck...

robi wrote, #21:

@atrilahiji Sounds like a firewall issue for UDP ports.

A Former User wrote, #22:

@robi Oh, on my desktop or the cloudron server?

Network-wise, my port forwarding and everything seems to be in order.

robi wrote, #23:

@atrilahiji idk, that was the thought about the reflexive connectivity, yet it should be able to use a fallback relay.
A Former User wrote, #24:

@girish I noticed there are some turn changes in the next version. Is this something you imagine would help here?

Like, it seems like it just keeps blocking people I try to talk to and I cannot for the life of me figure out why. I've had to resort to a BBB VPS for meetings, but with Discord's potential acquisition I would like to also use the voice and video chat in Matrix (Element), but I encounter the same issues.
robi wrote, #25 (last edited by robi):

Our meetings in NC:Talk work fine.
Our meetings in Kopano work fine.
Our meetings in GL/BBB fail at enabling the microphone. (using BBB from a second 3rd party server)

It tried to connect to the echo server... and fails.

One thing I noticed is that our TURN server is configured (per @nebulon) for a port range of 50000-51000 and BBB expects 32768-65535.

Required Ports (https://docs.bigbluebutton.org/2.2/setup-turn-server.html)

    On the coturn server, you need to have the following ports (in addition port 22) available for BigBlueButton clients to connect (port 3478 and 443) and for coturn to connect to your BigBlueButton server (32768 - 65535).

    Ports         Protocol   Description
    3478          TCP/UDP    coturn listening port
    443           TCP/UDP    TLS listening port
    32768-65535   UDP        relay ports range

What's with port 22? (We use a different port for ssh)

From .env in GL, I don't see these ports being specified, hence we may need to modify the GL / BBB configs for our more limited port range.

Also, since we're using a 3rd party BBB, we may need to specify the 3rd party TURN server as mentioned here.

girish (Staff) wrote, #26 (last edited by girish):

@atrilahiji I think @nebulon and I have to first build up some webrtc expertise to understand where the problems might be. We packaged up the turn service and hoped things would just work (tm), and well, they fail in many situations, and afaik the apps themselves don't provide good tools to debug the situation. Either it works or it doesn't; it's not ideal. It's one of the reasons Jitsi is also not packaged. Leaving packaging complications aside, we need to be in a position where we can help when things don't work.

A Former User wrote, #27:

@girish Yeah, that's fair. At least for meetings I am good rn.

robi wrote, #28:

@robi said in Where is the coturn config located?:

    Our meetings in NC:Talk work fine.
    Our meetings in Kopano work fine.
    Our meetings in GL/BBB fail at enabling the microphone. (using BBB from a second 3rd party server)

Our meetings in GL/BBB work fine now.

Backend firewall issue after an upgrade.

A Former User wrote, #29 (last edited by A Former User):

@nebulon said in Where is the coturn config located?:

    https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/

So for my use case, I had to remove those rules for the vulnerability to resolve the issue. My router and desktop IPs were on the list of local IPs blocked in that list.

Of course, I am looking for a better way to do this, but I temporarily changed the turnserver.conf.template file.
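Three questions in this thread come down to reading turnserver.conf: which peers the denied-peer-ip list in nebulon's #10 refuses to relay to, whether coturn's min-port/max-port range fits the relay range BBB's docs ask for in robi's #25, and why a LAN desktop ends up blocked, as found in #29. The Python script below is an added example written for this page, not Cloudron's or coturn's code. It parses a constructed turnserver.conf built from the settings quoted in the thread; the allowed-peer-ip line for 192.168.1.50 is an illustrative assumption, included because coturn's example turnserver.conf (linked in #10) documents that an address listed as both denied and allowed is treated as allowed, which is a narrower way to let one known LAN host through than deleting the whole deny list.

```python
import ipaddress

# Constructed sample turnserver.conf: the port settings and denied-peer-ip list
# quoted in the thread, plus one allowed-peer-ip override for a LAN host. The
# override address 192.168.1.50 is an illustrative assumption, not from the thread.
SAMPLE_CONF = """\
listening-port=3478
tls-listening-port=5349
min-port=50000
max-port=51000
# https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
allowed-peer-ip=192.168.1.50
"""

PORT_KEYS = ("listening-port", "tls-listening-port", "min-port", "max-port")


def parse_range(value):
    """Turn 'first-last' (or a single address) into (first, last, original text)."""
    first, _, last = value.partition("-")
    lo = int(ipaddress.ip_address(first.strip()))
    hi = int(ipaddress.ip_address((last or first).strip()))
    return (lo, hi, value.strip())


def parse_conf(text):
    """Parse only the keys this check needs; '#' starts a comment, as in coturn."""
    conf = {"ports": {}, "denied": [], "allowed": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue  # blank lines and flag-only options such as no-multicast-peers
        key, value = (part.strip() for part in line.split("=", 1))
        if key in PORT_KEYS:
            conf["ports"][key] = int(value)
        elif key == "denied-peer-ip":
            conf["denied"].append(parse_range(value))
        elif key == "allowed-peer-ip":
            conf["allowed"].append(parse_range(value))
    return conf


def matching_rule(ip, ranges):
    """Return the text of the first range containing ip, or None."""
    n = int(ipaddress.ip_address(ip))
    for lo, hi, text in ranges:
        if lo <= n <= hi:
            return text
    return None


def peer_verdict(conf, ip):
    """Report whether coturn would relay to a peer at ip and which rule decided.

    Assumption taken from coturn's example turnserver.conf: an address listed as
    both denied and allowed counts as allowed, so allowed-peer-ip is checked first.
    """
    allowed = matching_rule(ip, conf["allowed"])
    if allowed:
        return ("allowed", allowed)
    denied = matching_rule(ip, conf["denied"])
    if denied:
        return ("denied", denied)
    return ("allowed", None)


def relay_range_within(conf, open_min, open_max):
    """True if every relay port coturn may allocate lies inside [open_min, open_max]."""
    lo, hi = conf["ports"].get("min-port"), conf["ports"].get("max-port")
    return lo is not None and hi is not None and open_min <= lo and hi <= open_max


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    # 8.8.8.8 stands in for an arbitrary public peer address
    for peer in ("192.168.1.20", "192.168.1.50", "127.0.0.1", "8.8.8.8"):
        verdict, rule = peer_verdict(conf, peer)
        print(f"{peer:>14}  {verdict:<7}  rule: {rule or '(no rule matched)'}")
    print("relay ports 50000-51000 inside BBB's 32768-65535:",
          relay_range_within(conf, 32768, 65535))
```

Running it prints a verdict per peer address together with the rule that decided it, which is the detail the thread was missing when calls failed with no explanation: a 192.168.x.x desktop is denied by the RFC 1918 rule unless an allowed-peer-ip entry names it, while the relay ports 50000-51000 do sit inside the 32768-65535 range BBB's docs ask to be opened. Confirm the allowed/denied precedence against the coturn version actually deployed before relying on it, and keep the override to the specific hosts that need it rather than widening it to the whole LAN range.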