Ok, here's how I got it working. This was worked out by checking out various posts on the Nextcloud forum and also an excellent, simple tutorial on my VPS host's (Hetzner) tutorial site.
This is a detailed how-to for enabling voice/video/screen-sharing support in Nextcloud Talk (installed in Nextcloud on Cloudron) for clients outside the local network, by installing the coturn TURN/STUN server.
Nextcloud and Nextcloud Talk installed on Cloudron
An 'A' record set up in your DNS registrar's admin panel, pointing to your Cloudron server's public IP address, with a name chosen by you, e.g. 'turn'
All the below commands should be run as root or with sudo.
- Install coturn and persistent iptables:
apt-get install coturn iptables-persistent
- Temporarily stop coturn:
systemctl stop coturn
- Open the ports used by coturn (default ports in this example). Note that the TURN relay itself also uses a UDP port range (49152-65535 by default, configurable with min-port/max-port in turnserver.conf), so if your INPUT chain drops traffic by default that range must be reachable as well:
iptables -I INPUT -p tcp --dport 5349 -j ACCEPT
iptables -I INPUT -p udp --dport 5349 -j ACCEPT
iptables-save > /etc/iptables/rules.v4
- Enable coturn daemon
Open the file /etc/default/coturn and remove the # in front of TURNSERVER_ENABLED=1 (i.e. uncomment it)
- Make a backup of the original turnserver.conf file:
mv /etc/turnserver.conf /etc/turnserver.conf.orig
- Create a new /etc/turnserver.conf using nano, vim or whatever editor you choose, as below, referring to the comments for the changes to be made for your installation:
# the port that you opened using iptables
tls-listening-port=5349
fingerprint
lt-cred-mech
use-auth-secret
# this is created by running the sed command in the detailed instructions
static-auth-secret=replace-this-secret
# the domain that you created an A record for
realm=aaa.bbb.ccc
total-quota=100
stale-nonce=600
# the host domain certs that were created by cloudron on installation
cert=/home/yellowtent/boxdata/certs/xxx.yyy.host.cert
pkey=/home/yellowtent/boxdata/certs/xxx.yyy.host.key
# this will be created using openssl
dh-file=/home/yellowtent/boxdata/certs/dhparam.pem
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
no-sslv3
no-tlsv1
no-tlsv1_1
no-stdout-log
# this can be watched using tail -f for troubleshooting
log-file=/var/tmp/turn.log
# once everything is confirmed working you can comment out the above line & uncomment the following
#log-file=/dev/null
no-loopback-peers
no-multicast-peers
proc-user=turnserver
proc-group=turnserver
- Create the Diffie-Hellman parameter file (dhparam.pem) for better TLS security (this can take some time; be patient):
openssl dhparam -out /home/yellowtent/boxdata/certs/dhparam.pem 4096
- Start coturn, then check that it is running:
systemctl start coturn
systemctl status coturn
- In Nextcloud, log in as an admin, go to the settings page and scroll down to the Talk settings. Add a new TURN server using the domain name you created the A record for (the value after realm= in your turnserver.conf), followed by a colon and the tls-listening-port number that you opened, e.g. aaa.bbb.ccc:5349. For the secret, enter the static-auth-secret from your turnserver.conf. Choose UDP and TCP. Nextcloud then checks that the server is working and a checkmark temporarily appears to confirm it. You can optionally enter the same server:port combination to add your own STUN server as well.
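The static-auth-secret is never sent to browsers. With use-auth-secret, Nextcloud Talk derives short-lived TURN credentials from it (the TURN REST API scheme coturn implements): the username is "expiry-timestamp:label" and the password is base64(HMAC-SHA1(secret, username)), which coturn recomputes before accepting an allocation. The script below is an added example, not part of the original post or of Cloudron/Nextcloud/coturn; it shows how such a secret can be generated and how the credential derivation and the server-side check work, using only openssl and base64. The function names and the "talk" label are my own choices, and the secret generator is assumed to be equivalent to the "sed command" the post refers to.

```shell
#!/bin/sh
# Added example: TURN REST API credentials derived from static-auth-secret.
# Not taken from the original post; needs only openssl and coreutils base64.

# Generate a random value suitable for static-auth-secret= (32 random bytes,
# hex-encoded). Assumed to be equivalent to the post's "sed command".
gen_turn_secret() {
    openssl rand -hex 32
}

# Build a time-limited credential pair, as Nextcloud Talk does for a client.
#   $1 = static-auth-secret, $2 = user label, $3 = lifetime in seconds,
#   $4 = "now" as a Unix timestamp (optional; defaults to the current time)
# Prints "<username> <password>" on one line.
turn_rest_credential() {
    secret=$1; label=$2; ttl=$3; now=${4:-$(date +%s)}
    expiry=$((now + ttl))
    username="${expiry}:${label}"
    # password = base64(HMAC-SHA1(secret, username)); no trailing newline in the input
    password=$(printf '%s' "$username" | openssl dgst -sha1 -hmac "$secret" -binary | base64)
    printf '%s %s\n' "$username" "$password"
}

# Server-side check mirroring what coturn does with use-auth-secret:
# recompute the HMAC from the presented username and reject mismatched or
# expired credentials.
#   $1 = secret, $2 = username, $3 = password, $4 = "now" (optional)
# Prints "ok", "bad-password" or "expired"; returns 0 only for "ok".
turn_rest_verify() {
    secret=$1; username=$2; password=$3; now=${4:-$(date +%s)}
    expiry=${username%%:*}
    expected=$(printf '%s' "$username" | openssl dgst -sha1 -hmac "$secret" -binary | base64)
    if [ "$expected" != "$password" ]; then
        echo bad-password; return 1
    fi
    if [ "$expiry" -le "$now" ]; then
        echo expired; return 1
    fi
    echo ok
}

# Usage (constructed values): issue a credential valid for one hour and verify it.
# SECRET=$(gen_turn_secret)
# CRED=$(turn_rest_credential "$SECRET" talk 3600)
# turn_rest_verify "$SECRET" "${CRED%% *}" "${CRED#* }"
```

Because the password is a keyed hash of a username that embeds its own expiry, a leaked credential is only useful until that timestamp, whereas a leaked static-auth-secret lets anyone mint credentials, so the secret should be treated like any other server-side key and only ever be stored in turnserver.conf and the Nextcloud Talk settings.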
You can now test a voice and/or video chat between two clients. To troubleshoot, tail the latest log file while attempting a chat, e.g.
tail -f /var/tmp/turn_2019-08-23.log