Solved Where is the coturn config located?
-
I am trying to resolve my issues with the TURN server not working (across multiple apps) for me. It seems I just get errors saying local ports are blocked. I have port forwarded.
Where would I find the coturn config for Cloudron? the one I found in /etc/ seems to have everything commented out.
-
@atrilahiji that just means it's using defaults, no?
otherwise it's in a container?
When I had TURN issues it was not with Cloudron, but with router or App. And since Apps are managed config, they should be good.
-
@robi Huh... my issue seems to be happening regardless of what I do in terms of my port forwarding and the app I use
-
@atrilahiji we can't guess as to what app, network config and where clients are coming from.. or logs with errors.
-
@robi This is the error I'm running into:
For reference, this is the internal IP of my cloudron server. I tried calling my brother in another city using my phone (the iOS nextcloud talk app) on LTE
-
@atrilahiji that looks like an error in NC Talk.
I have a Cloudron with a similar setup and once the v6 upgrade happened our NC:T went down. We just needed the new ports added to the router for STUN & TURN.
-
@robi Those logs are for the TURN service in the services page on my cloudron btw. So I get the exact same thing when I try a video chat with Kopano Meet. These are my forwaded ports for the same IP that is apparently being blocked:
3478,3479,5349,5350,49152:65535/tcp
3478,3479,5349,5350,49152:65535/udp -
@atrilahiji I see..
can you find the process and trace it to a container?I have to run atm, but would dig into the CL TURN docs and see how or why they restrict the private networks if that's where it's blocked.
-
-
@atrilahiji So the turn addon is configured as per https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf to have the following ports:
listening-port=3478 tls-listening-port=5349 min-port=50000 max-port=51000
We have also included a section for preventing some attack, which I think is what you may hit?
# https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/ no-multicast-peers denied-peer-ip=0.0.0.0-0.255.255.255 denied-peer-ip=10.0.0.0-10.255.255.255 denied-peer-ip=100.64.0.0-100.127.255.255 denied-peer-ip=127.0.0.0-127.255.255.255 denied-peer-ip=169.254.0.0-169.254.255.255 denied-peer-ip=127.0.0.0-127.255.255.255 denied-peer-ip=172.16.0.0-172.31.255.255 denied-peer-ip=192.0.0.0-192.0.0.255 denied-peer-ip=192.0.2.0-192.0.2.255 denied-peer-ip=192.88.99.0-192.88.99.255 denied-peer-ip=192.168.0.0-192.168.255.255 denied-peer-ip=198.18.0.0-198.19.255.255 denied-peer-ip=198.51.100.0-198.51.100.255 denied-peer-ip=203.0.113.0-203.0.113.255 denied-peer-ip=240.0.0.0-255.255.255.255
Those IPs are anyways no public IPs and thus would not help you to achieve connectivity through it as far as I understand.
-
@nebulon I didn’t see those lines in /etc/turn server.conf. Is this configured per app or is there a config file somewhere else I’m missing?
-
@atrilahiji The config is in
/run/turnserver/turnserver.conf
inside the container -
@girish perfect, thanks! I’ll play around in there and see if I can get this sorted.
-
-
@atrilahiji computer = server, so yes. clients no.
-
@robi Ah what I meant is if you have run a meeting off of a computer that is on the same network as the server which is clearly also a computer.
-
@atrilahiji Yes, same box. it's actually a nested virtualized server and the host is a client.
ISP Router ports forward directly to the server for this. -
Huh so I am back on the debugging train here. I do seem to fail the Reflexive connectivity test here O_OAlso, I should point out that I use Adguard Home on my router, which is also what connects to my cloudron. Would that cause any problems?
But its weird because it seems to work between my phone on data and my desktop (on the same network as my cloudron) but not between my someone in toronto and my desktop.
I remember there was a change related to this slated for a release @girish. Is this true? I'm really not sure what else I can do here O_O
EDIT: Seems like my investigations are going nowhere
I assumed it might have to do with this commit but if it works for Robi in the same scenario I've got nothing else I can think of trying: https://git.cloudron.io/cloudron/box/-/commit/6adf5772d8f871eae98ad5f5ffdbed7098bac214
-
@atrilahiji No Adguard in our picture so try disabling it temporarily.
-
Ugh no luck...
-
@atrilahiji sounds like a firewall issue for udp ports.
-
@robi Oh on the my desktop or the cloudron server?
Network-wise my port forwarding everything seems to be in order
-
@atrilahiji idk, that was the thought about the reflexive connectivity, yet it should be able to use a fallback relay.
-
@girish I noticed there are some turn changes in the next version. Is this something you imagine would help here?
Like it seems like it just keeps blocking people I try to talk to and I cannot for the life of me figure out why. I've had to resort to a BBB vps for meetings, but with discord's potential aquisition I would like to also use the voice and video chat in Matrix (Element) but I encounter the same issues.
-
Our meetings in NC:Talk work fine.
Our meetings in Kopano work fine.
Our meetings in GL/BBB fail at enabling the microphone. (using BBB from a second 3rd party server)It tried to connect to the echo server... and fails.
One thing I noticed is that our TURN server is configured (per @nebulon) for a port range of 50000-51000 and BBB expects 32768-65535.
Required Ports (https://docs.bigbluebutton.org/2.2/setup-turn-server.html) On the coturn server, you need to have the following ports (in addition port 22) available for BigBlueButton clients to connect (port 3478 and 443) and for coturn to connect to your BigBlueButton server (32768 - 65535). Ports Protocol Description 3478 TCP/UDP coturn listening port 443 TCP/UDP TLS listening port 32768-65535 UDP relay ports range
What's with port 22? (We use a diff port for ssh)
From .env in GL, I don't see these ports being specified, hence we may need to modify the GL / BBB configs for our more limited port range.
Also, since we're using a 3rd party BBB, we may need to specify the 3rd party TURN server as mentioned here.
-
@atrilahiji I think @nebulon and I have to first build up some webrtc expertise to understand where the problems might be. We packaged up the turn service and hope things to just work (tm) and well, they fail in many situations and afaik the apps themselves don't provide good tools to debug the situation. Either it works or it doesn't, it's not ideal. It's one of the reasons Jitsi is also not packaged. Leaving packaging complications aside, we need to be in a position where we can help when things don't work.
-
@girish Yeah thats fair. At least for meetings I am good rn
-
@robi said in Where is the coturn config located?:
Our meetings in NC:Talk work fine.
Our meetings in Kopano work fine.
Our meetings in GL/BBB fail at enabling the microphone. (using BBB from a second 3rd party server)Our meetings in GL/BBB works fine now.
Backend firewall issue after an upgrade.
-
@nebulon said in Where is the coturn config located?:
https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/
So for my use case, I had to remove those rules for the vulnerability to resolve the issue. My router and desktop IPs were on the list of local IPs blocked in that list.
Of course, I am looking for a better way to do this, but I temporarily changed the turnserver.conf.template file
-
@girish Im a bit confused looking at the box code. I moved to a new server and my hack to undo that security fix needs to be done again. My issue now is I forgot what exactly I did. Is there a way to make this change and persist it through restarts? I guess what I am trying to do is remove this bit:
https://www.rtcsec.com/post/2020/04/how-we-abused-slacks-turn-servers-to-gain-access-to-internal-services/Changing the config in /run/turnserver in the container doesn't appear to work on restart. It resets the config.
-
Found the template with:
sudo grep -rnw '/' -e 'rtcsec'