Manual coturn install for Nextcloud?
iqweb last edited by girish
I have seen that there is already an app wishlist entry for a TURN server for Nextcloud Talk. Has anyone been able to install anything manually in the meantime so that WebRTC can work on Nextcloud Talk? Either on the Cloudron server directly, or on another server?
It's a bit of a blocker for us at the moment. We could set up Nextcloud & a TURN server on Ubuntu directly without Cloudron, but as we're a small NGO, Cloudron is a much easier solution to support without a dedicated IT department.
Does anyone have any ideas?
yusf last edited by
The Matrix app comes with a TURN server built-in, which should be of guidance if implemented into the Nextcloud app.
Would it be OK to manually install coturn on the Cloudron server as per their instructions? If so, how would I open the coturn port on the server without messing up any Cloudron security?
Apologies for bumping a month-old thread. Has anyone been able to get this working?
I have tried installing coturn on the host, adding iptables entries to open the TCP/UDP ports, made them persistent & still no go. I'm not sure if I've set up the certs correctly. I pointed the config file to the host certs in /home/yellowtent/boxdata/certs. I have also tried without TLS - still no go.
Anyone? I would have thought that many people using Nextcloud in a company/organisational setting would definitely benefit from Nextcloud Talk.
girish last edited by
Thanks for checking again. We haven't looked into this but it's definitely something we want to support out of the box. Will update this post after we check out the installation instructions.
girish last edited by
@iqweb It seems that coturn may not work very well in a reverse proxy setup (like Cloudron). So, we have to use another VPS server and install coturn there atm.
I found some good tutorials - https://meetrix.io/blog/webrtc/coturn/installation.html. I will keep looking for ideas on how to install coturn in a reverse proxy setup, like https://github.com/coturn/coturn/issues/43
fbartels last edited by
@girish while it's surely beneficial in very restricted networks to have the turn server available on port 443, it's not really a requirement. Similar to the OpenVPN app, you could have the turn server simply listening on its own port.
For another project I have identified https://github.com/instrumentisto/coturn-docker-image as a good base for running coturn (but actually did not yet get to implement it). This image is actively maintained and, because of its Alpine base, quite small.
I have good news! I have managed to get it working - voice/screensharing tested successfully! I haven't tested video yet but I'm pretty sure it should work. I'm on the road at the moment but I'll post a write-up in the next day or so.
Just to clarify - it is working with TLS on coturn, installed & configured on the same VPS as the Cloudron install. It was very simple - just needed to get the turnserver.conf correct with a generated DH file & the host certs in the yellowtent/boxdata/certs folder.
girish last edited by girish
Do you think you can put in some more detailed instructions on how to do this, so I can integrate it into Cloudron itself?
never mind, you mentioned that as the first line of your comment.
Ok - here's how I got it working. This was worked out by checking out various posts on the Nextcloud and also an excellent, simple tutorial on my vps host's tutorial site, Hetzner.
This is a detailed how-to to enable voice/video/screensharing support in Nextcloud Talk (installed in Nextcloud on Cloudron) for clients outside the local network, by installing the coturn TURN/STUN server.
Prerequisites:
- Nextcloud and Nextcloud Talk installed on Cloudron
- An 'A' record set up in your DNS registrar's admin panel pointing to your Cloudron server's public IP address, with a name chosen by you, e.g. 'turn'
All the below commands should be run as root or with sudo.
- Install coturn and persistent iptables:
apt-get install coturn iptables-persistent
- Temporarily stop coturn:
systemctl stop coturn
- Open ports for use with coturn (default ports in this example):
iptables -I INPUT -p tcp --dport 5349 -j ACCEPT
iptables -I INPUT -p udp --dport 5349 -j ACCEPT
iptables-save > /etc/iptables/rules.v4
- Enable the coturn daemon:
Open the file /etc/default/coturn and remove the # in front of TURNSERVER_ENABLED=1 (i.e. uncomment it).
- Make a backup of the original turnserver.conf file:
mv /etc/turnserver.conf /etc/turnserver.conf.orig
- Create a new /etc/turnserver.conf using nano or vim or whatever editor you choose, as below, referring to the comments for the changes to be made for your installation:
# the port that you opened using iptables
tls-listening-port=5349
fingerprint
lt-cred-mech
use-auth-secret
# this is created by running the sed command in the detailed instructions
static-auth-secret=replace-this-secret
# the domain that you created an A record for
realm=aaa.bbb.ccc
total-quota=100
stale-nonce=600
# the host domain certs that were created by cloudron on installation
cert=/home/yellowtent/boxdata/certs/xxx.yyy.host.cert
pkey=/home/yellowtent/boxdata/certs/xxx.yyy.host.key
# this will be created using openssl
dh-file=/home/yellowtent/boxdata/certs/dhparam.pem
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
no-sslv3
no-tlsv1
no-tlsv1_1
no-stdout-log
# this can be watched using tail -f for troubleshooting
log-file=/var/tmp/turn.log
# once everything is confirmed working you can comment out the above line & uncomment the following
#log-file=/dev/null
no-loopback-peers
no-multicast-peers
proc-user=turnserver
proc-group=turnserver
- Create a Diffie-Hellman (dhparam.pem) key-exchange file for better TLS security (this can take some time; be patient):
openssl dhparam -out /home/yellowtent/boxdata/certs/dhparam.pem 4096
- Start coturn and check that it is running:
systemctl start coturn
systemctl status coturn
- In Nextcloud, log in as an admin, go to the settings page & scroll down to the Talk settings. Add a new TURN server using the domain name you created the A record for (the one that appears in your turnserver.conf after realm=), followed by a colon and the tls-listening-port number that you opened, e.g. aaa.bbb.ccc:5349, and for the secret enter the static-auth-secret from your turnserver.conf. Choose UDP and TCP. It should then check that it is working, and a checkmark will temporarily appear confirming it works. You can also optionally enter the same server:port combination for adding your own STUN server.
You can go ahead & test a voice and/or video chat between 2 clients. To troubleshoot, you can tail the latest log file while attempting a chat, e.g.
tail -f /var/tmp/turn_2019-08-23.log
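With use-auth-secret, Nextcloud Talk never hands clients the static-auth-secret itself: it derives short-lived TURN credentials from it (username = expiry timestamp plus a user id, password = base64 of HMAC-SHA1 over that username), and coturn recomputes the same HMAC with its copy of the secret. The following is an added illustration of that derivation and of the server-side check, not code from the post, Nextcloud or coturn; the secret value and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder standing in for the static-auth-secret line in
# /etc/turnserver.conf; the real value must stay private to Nextcloud and coturn.
STATIC_AUTH_SECRET = "replace-this-secret"
TTL_SECONDS = 86400  # how long the derived credentials remain valid


def _hmac_password(secret: str, username: str) -> str:
    """password = base64(HMAC-SHA1(secret, username)), as coturn's use-auth-secret expects."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_turn_credentials(secret: str, user: str = "nextcloud",
                          ttl: int = TTL_SECONDS, now: Optional[int] = None) -> Tuple[str, str]:
    """Client side (what Nextcloud does with the configured secret): build a
    username that carries its own expiry time and sign it with the secret."""
    current = int(time.time()) if now is None else now
    username = f"{current + ttl}:{user}"
    return username, _hmac_password(secret, username)


def verify_turn_credentials(secret: str, username: str, password: str,
                            now: Optional[int] = None) -> bool:
    """Server side (what coturn does): reject malformed or expired usernames,
    then compare the recomputed HMAC in constant time."""
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if expiry <= current:
        return False
    return hmac.compare_digest(_hmac_password(secret, username), password)


if __name__ == "__main__":
    user, pwd = make_turn_credentials(STATIC_AUTH_SECRET)
    print("username:", user)
    print("password:", pwd)
    print("accepted by server:", verify_turn_credentials(STATIC_AUTH_SECRET, user, pwd))
```

Because the password is bound to the expiry in the username, a leaked credential stops working after the TTL, whereas a leaked static-auth-secret lets anyone mint credentials until it is rotated in both turnserver.conf and the Talk settings.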