[Support] xthursdayx - coturn



Application Name: Coturn

Application Site: https://github.com/coturn/coturn

Docker Hub: https://hub.docker.com/r/instrumentisto/coturn/

 

Support for my Docker template of the instrumentisto Coturn container

 

Coturn is a free open source implementation of TURN and STUN Server. The TURN Server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server and gateway, too.

 

Setup Instructions:

- Generate your own turnserver.conf with your chosen settings from the example here.
- Docker container network type should be set to host.
- Map /etc/coturn/turnserver.conf to the location of your turnserver.conf. Ex: /mnt/cache/appdata/coturn/turnserver.conf:/etc/coturn/turnserver.conf.
- Ports 3478 and 5349 should be mapped for both TCP and UDP, 49152-49172 for UDP. These ports will need to be forwarded from your firewall/router to unRAID.
- Map "/downloads" to your chosen downloads folder location. This is the directory gPodder will download your podcasts to.
- In your chosen application (e.g. Nextcloud, Matrix Synapse, etc.) enter the correct TURN URIs, for example:

```
turns:your.domain?transport=udp
turns:your.domain?transport=tcp
turn:your.domain?transport=udp
turn:your.domain?transport=tcp
```

 

If you appreciate my work please consider buying me a coffee, cheers! 😁


Edited by xthursdayx

Has anybody got this to work for Nextcloud Talk? Coturn is something I've not had dealings with before, so it's going to be my fault entirely. Here are a few things I've tried/thought...

  • I've pretty much set it up as per the instructions above
  • I don't have a static IP. I have set up a turn.mydomain.com address to CNAME to my duckdns account
  • I've installed the above, but using port 3479, as 3478 was in use by my unifi-controller docker (as a STUN port - not sure whether there's anything there I could use instead)
  • I'm using pfSense as a router. I've forwarded ports 3479, 5349 and 49152-49172 as described above
  • I use NGINXProxyManager for handling other sites. Don't know whether it needs to get involved with this though.
  • I've set up turnserver.conf as per a lot of Nextcloud guides I've seen

Whenever I've entered turn.mydomain.com:3479 and my pass into Nextcloud, I've always got "No working ICE candidates returned by the turn server".

Pretty sure my issue is with how I've set up Coturn, as I can't get anything from public test sites either. I don't know whether I should/can run a turn server, or whether it's not a home user type setup.

I've got Jitsi running, which I assume runs something similar - I just fancied getting it all under one roof if possible. Any help from anybody with Turn/Nextcloud knowledge?

On 5/20/2020 at 11:11 AM, Cessquill said:

Has anybody got this to work for Nextcloud Talk? Coturn is something I've not had dealings with before, so it's going to be my fault entirely. Here are a few things I've tried/thought...

Unfortunately I don't have any experience trying to get this to work with Nextcloud Talk. I'm personally using it for voice and video calls from my Matrix Synapse homeserver via Riot and it seems to work just fine.

I referred someone else to this guide: https://help.nextcloud.com/t/howto-setup-nextcloud-talk-with-turn-server/30794

and this section of the Nextcloud docs where they talk about using Coturn: https://nextcloud-talk.readthedocs.io/en/latest/TURN/

but it could be that you've already seen these guides.

To be honest, I'm not a Coturn expert, so I hope those might help!
On 5/27/2020 at 2:14 AM, Cessquill said:

Thank you for that - I had not seen the first link (but had the second).  I'll read through that tonight.

 

I *think* it's the way I've set up Coturn (as I'm not sure what I'm doing), but I'll have another look later.

 

Thanks for your time.

Hey, so did you ever get this working?
I'm having the same sort of problems

On 9/3/2020 at 9:24 PM, 4554551n said:

Hey, so did you ever get this working?
I'm having the same sort of problems

On 9/4/2020 at 10:24 AM, Cessquill said:

Not yet, no. I keep prodding it every now and then, but I don't have enough Turn knowledge to really know what I'm doing (or if what I'm trying to do is sensible).

 

Hi, I got this working. This is what I've done.

1. Edit container settings and change the configuration path to look like this (you point to the directory, not to the file, that was my problem).

2. With Windows or whatever, edit a file named turnserver.conf with this content (it is a simple config, you only have to change the secret and the domain name):

```
# listen on the standard STUN/TURN port
listening-port=3478
# add the FINGERPRINT attribute to STUN messages, as WebRTC clients expect
fingerprint
# time-limited credentials derived from the shared secret (TURN REST API style)
use-auth-secret
static-auth-secret=yourdesiredsecret
realm=your.domain.com
# cap the number of concurrent allocations; 0 means no bandwidth cap
total-quota=100
bps-capacity=0
# expire nonces so a captured request cannot be replayed indefinitely
stale-nonce
# never relay to multicast addresses
no-multicast-peers
```

3. With Krusader copy the turnserver.conf you just created to /mnt/user/appdata/coturn/

4. Forward the ports in the router as OP says:

Quote: Ports 3478 and 5349 should be mapped for both TCP and UDP, 49152-49172 for UDP. These ports will need to be forwarded from your firewall/router to unRAID.

5. Restart the container

6. In Nextcloud add the servername:port and secret and TCP only

Now click to test and it should be successful.

BTW @xthursdayx thanks for your work
56 minutes ago, joroga22 said:

Hi, I got this working. This is what I've done.

Thanks for helping to sort this out @joroga22! I can update my template to reflect the config directory versus the actual turnserver.conf file; however, in the Readme.md for the original docker container Instrumentisto suggests that you have to specify the actual config file when running the docker, which is why I set it up like I did. However, if you're finding that this is working for you then that's great! It might be the case that you need to specify the turnserver.conf the first time you create the container (to prevent the Dockerfile from generating one internally within the docker container's filesystem), but then can swap it back to the directory after that. I'm not sure to be honest. Glad it's working for you though!

Edited by xthursdayx
On 9/19/2020 at 7:38 PM, joroga22 said:

Hi, I got this working. This is what I've done.

Fantastic!  Got it going first time.  Thank you very much.  I think it was the template pointing to the config file, since everything else was pretty much what I'd got.

 

Might be able to retire Jitsi now, which I like but it's 4 separate containers and I'm not clever enough to maintain them through Portainer.


Does anyone know a way to configure the coturn docker with some sort of fail2ban or similar, that will block connections using the wrong secret?
Am I to understand that users talk to the nextcloud server, which securely gives them the secret with which to connect to the coturn server?
In which case any attempts with the wrong key should just be an instant and lengthy/permanent ban.

edit: With the number of ports that need to be forwarded to unraid it makes me a little nervous, so some form of ban process for hack attempts would be good if possible.

Edited by 4554551n
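Worth knowing for the question above, and for the use-auth-secret config posted earlier in the thread: the application server (Nextcloud, Synapse) never hands the static-auth-secret to the browser. It derives a short-lived username/password pair from it with HMAC-SHA1 (the TURN REST API scheme that coturn's use-auth-secret implements), and coturn recomputes that pair to check each request, so a wrong secret or an expired timestamp simply fails authentication before any relay is allocated. The following is added example code, not code from the thread or from coturn; the secret, user id and lifetime are constructed values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed values for this example: the real secret is whatever you put in
# static-auth-secret in turnserver.conf, and should be long and random.
SHARED_SECRET = "yourdesiredsecret"
DEFAULT_TTL = 24 * 60 * 60  # assumed credential lifetime, in seconds


def make_turn_credentials(user_id: str, secret: str, now: Optional[int] = None,
                          ttl: int = DEFAULT_TTL) -> Tuple[str, str]:
    """Application-server side: derive a short-lived credential pair from the secret.

    username = "<expiry unix time>:<user id>", password = base64(HMAC-SHA1(secret, username)).
    Only this pair is sent to the browser; the secret itself never leaves the server.
    """
    current = int(time.time()) if now is None else now
    username = f"{current + ttl}:{user_id}"
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_turn_credentials(username: str, password: str, secret: str,
                            now: Optional[int] = None) -> bool:
    """TURN-server side: recompute the password from the secret and reject anything
    that is malformed, expired, or computed with a different secret."""
    expiry_text, _, _user = username.partition(":")
    if not expiry_text.isdigit():
        return False  # not the "<timestamp>:<user>" shape our server produces
    current = int(time.time()) if now is None else now
    if int(expiry_text) < current:
        return False  # credential lifetime has elapsed
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(mac).decode()
    # constant-time comparison: a wrong password cannot be distinguished by timing
    return hmac.compare_digest(expected.encode(), password.encode())


def stun_long_term_key(username: str, realm: str, password: str) -> bytes:
    """Key that STUN/TURN use for MESSAGE-INTEGRITY under long-term credentials
    (RFC 5389): MD5(username ":" realm ":" password). The server checks each
    request's integrity against this key; the password is never sent in clear."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


if __name__ == "__main__":
    user, pw = make_turn_credentials("alice", SHARED_SECRET, now=1_600_000_000)
    print(user, verify_turn_credentials(user, pw, SHARED_SECRET, now=1_600_000_000))
```

Requests that fail this check are rejected before any relay allocation is made, which is the event a ban rule would need to key on.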
On 9/20/2020 at 4:38 AM, joroga22 said:

Hi, I got this working. This is what I've done.

I am also curious why we are told to open 49152-49172 in the router config, but the default template in the docker uses 49152:65535?
Would the lack of these additional ports cause issues?

Additionally, and this is the big one, @joroga22 perhaps you could help me with this, I cannot seem to get things running with your settings.

Nextcloud doesn't seem to want to connect to the turn server, where you have a tick next to the delete button, mine just spins forever.
The logs in the coturn server via the logs drop down are giving me a few lines about listener addresses, real addresses and relay addresses, then 47 lines of:

```
socket: Protocol not supported
```

Also, for anyone getting certificate/key errors in the log:

```
cert=/coturn/keys/turnserver.crt
pkey=/coturn/keys/turnserver.key
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
```

This at the bottom of the turnserver.conf should help; point cert and pkey to where you copied the keys from the swag/letsencrypt container to.

Edited by 4554551n
On 11/1/2020 at 3:09 AM, 4554551n said:

I am also curious why we are told to open 49152-49172 in the router config, but the default template in the docker uses 49152:65535?
Would the lack of these additional ports cause issues?

I can answer this one: I created my docker template to use 49152:65535 in order to match the ports used in the example turnserver.conf from the Coturn dev. Instrumentisto chose to use fewer ports in their suggested set up for their Coturn docker container, but it shouldn't cause any issues either way. The broader range gives Coturn more ports to utilize, but also requires you to allow connections on more ports. It's really up to you how many ports you allow, based on your firewall/router set up.
On 11/1/2020 at 3:09 AM, 4554551n said:

Additionally, and this is the big one, @joroga22 perhaps you could help me with this, I cannot seem to get things running with your settings.

Nextcloud doesn't seem to want to connect to the turn server, where you have a tick next to the delete button, mine just spins forever.
The logs in the coturn server via the logs drop down are giving me a few lines about listener addresses, real addresses and relay addresses, then 47 lines of "socket: Protocol not supported".

I have the same issue in Logs - "socket: Protocol not supported" indefinitely.

However, in the Nextcloud UI, mine is reporting successful ICE candidates (checkmark).

Even with the "success", actually initiating a video call with Talk via WAN works for about a second, then quits out on me.

Searched far and wide on this issue; this is a very complicated topic, and I don't think there are any other answers out there unless someone is an expert.

OP has stated he is not an expert either, and just FYI the fork of this docker from instrumentisto states: "PROJECT IS CLOSED AND ARCHIVED. NO MAINTAINING WILL BE CONTINUED." ... so this docker probably won't be getting further updates.
On 2/6/2022 at 2:52 AM, chrispcrust said:

I have the same issue in Logs - "socket: Protocol not supported" indefinitely.

Yeah, this is kind of the wall I've run into unfortunately. As you noted, I'm not an expert, and while I was able to get this container working with Matrix for video calls in the past, troubleshooting other use cases is beyond the scope of what I have time to dig into. Moreover, the development of Coturn in general is pretty specialized and slow - mostly undertaken by one dev, and dockerized versions in particular have been difficult to develop and troubleshoot. I may try to dig into this again in the future and create my own docker image (and new Unraid template), but for now it's on a bit of an indefinite hold.
On 2/21/2022 at 6:59 PM, xthursdayx said:

Yeah, this is kind of the wall I've run into unfortunately. As you noted, I'm not an expert, and while I was able to get this container working with Matrix for video calls in the past, troubleshooting other use cases is beyond the scope of what I have time to dig into. Moreover, the development of Coturn in general is pretty specialized and slow - mostly undertaken by one dev, and dockerized versions in particular have been difficult to develop and troubleshoot. I may try to dig into this again in the future and create my own docker image (and new Unraid template), but for now it's on a bit of an indefinite hold.

No problem, can't say I blame you at all. After doing some research, I've become pretty bearish on using this for layman, self hosted applications. It seems as though the purpose of a Turn server is to provide a "bypass" around a strict firewall in case a remote user's (i.e. WAN or separate network from the NC instance) true IP address is masked, so that voice, video and data can literally be routed "around the firewall", through the Turn server, instead of the normal routing that would be used if both users were on the same LAN. This is less than ideal for many of the NC users in the Unraid community who are reverse proxying their instance using something like letsencrypt certificates. There are many reasons a user's IP address may be masked, such as a VPN. Also, falling back on the Turn server eliminates the peer to peer nature that NC Talk is built on, resulting in slower, more sluggish performance.

Secondly it requires the coturn instance to be exposed (port forwarding) and a domain name pointing at the WAN IP address that the coturn instance is running on so that remote users can be directed to it. So for folks like me using a cloudflare tunnel in an effort to mask my true IP for all my exposed dockers, including Nextcloud, this basically becomes a non-starter and probably not worth it from a security standpoint.

Unfortunate, I'm really hoping a different technology may be utilized in the future so we can all self host our video/voice/chat communications with friends and family and not rely on 3rd parties. For now I guess Signal continues to be the best option for me.

Edited by chrispcrust
16 hours ago, chrispcrust said:

it seems as though the purpose of a Turn server is to provide a "bypass" around a strict firewall in case a remote user's (i.e. WAN or separate network from the NC instance) true IP address is masked, so that voice, video and data can literally be routed "around the firewall", through the Turn server, instead of the normal routing that would be used if both users were on the same LAN.

When I was looking into it, I seem to remember that the other use was if more than two people were in a chat - it was no longer peer-to-peer, so relied on a third party to manage the feeds (also the turn server could be resource intensive).  I gave up in the end, but will probably pick it back up again over a wet weekend.
