xthursdayx Posted November 12, 2019 (edited)

Application Name: Coturn
Application Site: https://github.com/coturn/coturn
Docker Hub: https://hub.docker.com/r/instrumentisto/coturn/

Support for my Docker template of the instrumentisto Coturn container.

Coturn is a free open source implementation of a TURN and STUN server. The TURN server is a VoIP media traffic NAT traversal server and gateway. It can be used as a general-purpose network traffic TURN server and gateway, too.

Setup Instructions:
- Generate your own turnserver.conf with your chosen settings from the example here.
- The Docker container network type should be set to host.
- Map /etc/coturn/turnserver.conf to the location of your turnserver.conf. Ex: /mnt/cache/appdata/coturn/turnserver.conf:/etc/coturn/turnserver.conf
- Ports 3478 and 5349 should be mapped for both TCP and UDP, and 49152-49172 for UDP. These ports will need to be forwarded from your firewall/router to unRAID.
- Map "/downloads" to your chosen downloads folder location. This is the directory gPodder will download your podcasts to.
- In your chosen application (e.g. Nextcloud, Matrix Synapse, etc.) enter the correct TURN URIs, for example:
```
- turns:your.domain?transport=udp
- turns:your.domain?transport=tcp
- turn:your.domain?transport=udp
- turn:your.domain?transport=tcp
```

If you appreciate my work please consider buying me a coffee, cheers! 😁

Edited June 29, 2021 by xthursdayx
Cessquill Posted May 20, 2020

Has anybody got this to work for Nextcloud Talk? Coturn is something I've not had dealings with before, so it's going to be my fault entirely. Here's a few things I've tried/thought:

- I've pretty much set it up as per the instructions above.
- I don't have a static IP. I have set up a turn.mydomain.com address to CNAME to my duckdns account.
- I've installed the above, but using port 3479, as 3478 was in use by my unifi-controller docker (as a STUN port; not sure whether there's anything there I could use instead).
- I'm using pfSense as a router. I've forwarded ports 3479, 5349 and 49152-49172 as described above.
- I use NGINXProxyManager for handling other sites. Don't know whether it needs to get involved with this though.
- I've set up turnserver.conf as per a lot of Nextcloud guides I've seen.

Whenever I've entered turn.mydomain.com:3479 and my pass into Nextcloud, I've always got "No working ICE candidates returned by the turn server". Pretty sure my issue is with how I've set up Coturn, as I can't get anything from public test sites either.

I don't know whether I should/can run a turn server, or whether it's not a home user type setup. I've got Jitsi running, which I assume runs something similar; I just fancied getting it all under one roof if possible.

Any help from anybody with Turn/Nextcloud knowledge?
xthursdayx Posted May 22, 2020

On 5/20/2020 at 11:11 AM, Cessquill said: Has anybody got this to work for Nextcloud Talk? [...] Any help from anybody with Turn/Nextcloud knowledge?

Unfortunately I don't have any experience trying to get this to work with Nextcloud Talk. I'm personally using it for voice and video calls from my Matrix Synapse homeserver via Riot and it seems to work just fine. I referred someone else to this guide: https://help.nextcloud.com/t/howto-setup-nextcloud-talk-with-turn-server/30794 and this section of the Nextcloud docs where they talk about using Coturn: https://nextcloud-talk.readthedocs.io/en/latest/TURN/ but it could be that you've already seen these guides.

To be honest, I'm not a Coturn expert, so I hope those might help!
Cessquill Posted May 26, 2020

Thank you for that. I had not seen the first link (but had the second). I'll read through that tonight. I *think* it's the way I've set up Coturn (as I'm not sure what I'm doing), but I'll have another look later. Thanks for your time.
4554551n Posted September 3, 2020

On 5/27/2020 at 2:14 AM, Cessquill said: Thank you for that. I had not seen the first link (but had the second). [...]

Hey, so did you ever get this working? I'm having the same sort of problems.
Cessquill Posted September 4, 2020

12 hours ago, 4554551n said: Hey, so did you ever get this working? I'm having the same sort of problems.

Not yet, no. I keep prodding it every now and then, but I don't have enough Turn knowledge to really know what I'm doing (or if what I'm trying to do is sensible).
joroga22 Posted September 19, 2020

On 9/3/2020 at 9:24 PM, 4554551n said: Hey, so did you ever get this working? I'm having the same sort of problems.

On 9/4/2020 at 10:24 AM, Cessquill said: Not yet, no. I keep prodding it every now and then, but I don't have enough Turn knowledge to really know what I'm doing (or if what I'm trying to do is sensible).

Hi, I got this working. This is what I've done.

1. Edit container settings and change the configuration path to look like this (you point to the directory, not to the file; that was my problem).
2. With Windows or whatever, edit a file named turnserver.conf with this content (it is a simple config, you only have to change the secret and the domain name):
```
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=yourdesiredsecret
realm=your.domain.com
total-quota=100
bps-capacity=0
stale-nonce
no-multicast-peers
```
3. With Krusader copy the turnserver.conf you just created to /mnt/user/appdata/coturn/
4. Forward the ports in the router as OP says: "Ports 3478 and 5349 should be mapped for both TCP and UDP, 49152-49172 for UDP. These ports will need to be forwarded from your firewall/router to unRAID."
5. Restart the container.
6. In Nextcloud add the servername:port and secret, and TCP only.

Now click to test and it must be successful.

BTW @xthursdayx thanks for your work
xthursdayx Posted September 19, 2020 (edited)

56 minutes ago, joroga22 said: Hi, I got this working. This is what I've done.

Thanks for helping to sort this out @joroga22! I can update my template to reflect the config directory versus the actual turnserver.conf file; however, in the Readme.md for the original docker container Instrumentisto suggests that you have to specify the actual config file when running the docker, which is why I set it up like I did. However, if you're finding that this is working for you then that's great! It might be the case that you need to specify the turnserver.conf the first time you create the container (to prevent the Dockerfile from generating one internally within the docker container's filesystem), but then can swap it back to the directory after that. I'm not sure to be honest. Glad it's working for you though!

Edited September 19, 2020 by xthursdayx
Cessquill Posted September 21, 2020

On 9/19/2020 at 7:38 PM, joroga22 said: Hi, I got this working. This is what I've done.

Fantastic! Got it going first time. Thank you very much. I think it was the template pointing to the config file, since everything else was pretty much what I'd got. Might be able to retire Jitsi now, which I like, but it's 4 separate containers and I'm not clever enough to maintain them through Portainer.
4554551n Posted November 1, 2020 (edited)

Does anyone know a way to configure the coturn docker with some sort of fail2ban or similar, that will block connections using the wrong secret? Am I to understand that users talk to the nextcloud server, which securely gives them the secret with which to connect to the coturn server? In which case any attempts with the wrong key should just be an instant and lengthy/permanent ban.

edit: With the amount of ports that need to be forwarded to unraid it makes me a little nervous, so some form of ban process for hack attempts would be good if possible.

Edited November 1, 2020 by 4554551n
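On the question above about what the client actually receives: with `use-auth-secret` / `static-auth-secret` (the config joroga22 posted) coturn implements the TURN REST API scheme, and the client never sees the secret. The application server hands out a username of the form `<expiry-unix-time>` or `<expiry>:<user-id>` and a password that is base64(HMAC-SHA1(secret, username)); coturn recomputes the MAC and rejects the allocation once the timestamp has passed. Synapse's `turn_shared_secret` and Nextcloud Talk's secret field feed this same mechanism. So a wrong "key" cannot be brute-forced into an allocation without the secret, and a captured credential is only useful until it expires. The following is an added example of both halves of that exchange; it is my code for this thread, not code from Nextcloud, Synapse, coturn or the template, and the secret and user name in the usage block are placeholders.

```python
"""TURN REST API credentials, the scheme behind coturn's use-auth-secret /
static-auth-secret. Added example for this thread; not code from Nextcloud,
Synapse, coturn or the Unraid template. Convention assumed (documented for
coturn): username is "<expiry>" or "<expiry>:<user-id>", password is
base64(HMAC-SHA1(secret, username))."""
from __future__ import annotations

import base64
import hashlib
import hmac
import time


def make_turn_credentials(secret: str, user_id: str = "", ttl: int = 86400,
                          now: int | None = None) -> tuple[str, str]:
    """What the application server (Nextcloud, Synapse, ...) hands to a client.
    The client gets a time-limited username/password pair, never the secret."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{user_id}" if user_id else str(expiry)
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_turn_credentials(secret: str, username: str, password: str,
                            now: int | None = None) -> bool:
    """What the TURN server does with an Allocate request: read the expiry
    from the username (the part before the first ':'), recompute the MAC with
    the shared secret and compare in constant time."""
    expiry_field = username.split(":", 1)[0]
    if not expiry_field.isdigit():
        return False
    if int(expiry_field) < int(time.time() if now is None else now):
        return False  # credential has expired
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), password)


if __name__ == "__main__":
    secret = "replace-with-your-static-auth-secret"  # placeholder, not a real value
    user, pw = make_turn_credentials(secret, "alice", ttl=3600)
    print(f"username={user} password={pw}")
    print("valid now:", verify_turn_credentials(secret, user, pw))
    print("forged with a guessed secret:", verify_turn_credentials("guess", user, pw))
    print("accepted an hour later:", verify_turn_credentials(secret, user, pw, now=int(time.time()) + 3601))
```

A pair generated this way (with the real secret) is also what you can feed to coturn's bundled `turnutils_uclient` (its `-u`/`-w` options) to test the relay from outside without going through Nextcloud. Keep the TTL short; it, not a ban list, is what bounds the damage of a leaked credential.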
4554551n Posted November 1, 2020 (edited)

On 9/20/2020 at 4:38 AM, joroga22 said: Hi, I got this working. This is what I've done. [...]

I am also curious why we are told to open 49152-49172 in the router config, but the default template in the docker uses 49152:65535? Would the lack of these additional ports cause issues?

Additionally, and this is the big one, @joroga22 perhaps you could help me with this: I cannot seem to get things running with your settings. Nextcloud doesn't seem to want to connect to the turn server; where you have a tick next to the delete button, mine just spins forever.

The logs in the coturn server via the logs drop down are giving me: a few lines about listener addresses, real addresses and relay addresses, then 47 lines of "socket: Protocol not supported".

Also, for anyone getting certificate/key errors in the log:
```
cert=/coturn/keys/turnserver.crt
pkey=/coturn/keys/turnserver.key
# The *-AES256-GCM-SHA512 names that circulate in guides are not OpenSSL cipher
# suite names and are silently ignored; the suites below are the real ones.
cipher-list="ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
```
This at the bottom of the turnserver.conf should help; point cert and pkey to where you copied the keys from the swag/letsencrypt container to.

Edited November 1, 2020 by 4554551n
xthursdayx Posted November 5, 2020

On 11/1/2020 at 3:09 AM, 4554551n said: I am also curious why we are told to open 49152-49172 in the router config, but the default template in the docker uses 49152:65535? Would the lack of these additional ports cause issues?

I can answer this one: I created my docker template to use 49152:65535 in order to match the ports used in the example turnserver.conf from the Coturn dev. Instrumentisto chose to use fewer ports in their suggested set up for their Coturn docker container, but it shouldn't cause any issues either way. The broader range gives Coturn more ports to utilize, but also requires you to allow connections on more ports. It's really up to you how many ports you allow, based on your firewall/router set up.
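To make the port discussion above concrete, here is an added example (mine, written for this thread; not code from the Unraid template, the instrumentisto image or the coturn project) that reads a turnserver.conf in coturn's own syntax, lists the ports the router must forward for exactly that file, and flags settings an internet-exposed relay should not run without. The point of the check is that the forwarded range and the `min-port`/`max-port` in the file have to agree, whichever width you pick, and that the relay must be denied access to LAN and loopback addresses, since a TURN server will otherwise happily relay to them for any authenticated client. The sample config is constructed, modelled on the one joroga22 posted; the defaults (3478, 5349, relay range 49152-65535) are coturn's documented ones; the relay range is treated as UDP-only to match the forwarding advice in this thread.

```python
"""Read a coturn turnserver.conf, list the ports it needs forwarded, and flag
missing hardening. Added example for this thread; not code from the Unraid
template, the instrumentisto image or the coturn project."""
from __future__ import annotations

# Constructed sample, modelled on the config posted earlier in this thread.
SAMPLE_CONF = """\
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=yourdesiredsecret
realm=your.domain.com
total-quota=100
bps-capacity=0
stale-nonce
no-multicast-peers
"""

# Same config with a real secret, the relay range narrowed to what the OP
# forwards, and private/loopback peers denied (coturn's own example
# turnserver.conf recommends denied-peer-ip entries like these).
HARDENED_CONF = SAMPLE_CONF.replace(
    "static-auth-secret=yourdesiredsecret",
    "static-auth-secret=0f4c2d1e9b7a6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d",
) + """\
min-port=49152
max-port=49172
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
"""


def parse_turnserver_conf(text: str) -> dict[str, object]:
    """coturn syntax: one option per line, either 'key=value' or a bare flag;
    '#' starts a comment. Repeated keys (e.g. denied-peer-ip) become a list."""
    opts: dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        key = key.strip()
        parsed: object = value.strip().strip('"') if sep else True
        if key in opts:
            prev = opts[key]
            opts[key] = (prev if isinstance(prev, list) else [prev]) + [parsed]
        else:
            opts[key] = parsed
    return opts


def required_forwards(opts: dict[str, object]) -> list[tuple[str, int, int]]:
    """(proto, first, last) ranges the router must forward for this config.
    Defaults are coturn's documented ones; the relay range is listed as UDP
    only, matching the advice in this thread."""
    lp = int(opts.get("listening-port", 3478))        # plain STUN/TURN
    tp = int(opts.get("tls-listening-port", 5349))    # TLS / DTLS
    lo, hi = int(opts.get("min-port", 49152)), int(opts.get("max-port", 65535))
    rules: list[tuple[str, int, int]] = []
    if "no-tcp" not in opts:
        rules.append(("tcp", lp, lp))
    if "no-udp" not in opts:
        rules.append(("udp", lp, lp))
    if "no-tls" not in opts:
        rules.append(("tcp", tp, tp))
    if "no-dtls" not in opts:
        rules.append(("udp", tp, tp))
    rules.append(("udp", lo, hi))                      # relay allocations
    return rules


PLACEHOLDER_SECRETS = {"", "yourdesiredsecret", "changeme", "secret", "true"}


def hardening_findings(opts: dict[str, object]) -> list[str]:
    """Settings an internet-exposed relay should not run without."""
    findings: list[str] = []
    has_auth = "use-auth-secret" in opts or "lt-cred-mech" in opts or "user" in opts
    if "no-auth" in opts or not has_auth:
        findings.append("no credential mechanism: coturn falls back to no-auth, an open relay")
    if "use-auth-secret" in opts and \
            str(opts.get("static-auth-secret", "")).lower() in PLACEHOLDER_SECRETS:
        findings.append("static-auth-secret is not set in the file or is a placeholder")
    if "fingerprint" not in opts:
        findings.append("fingerprint not set (ICE/WebRTC clients expect it)")
    if "no-multicast-peers" not in opts:
        findings.append("no-multicast-peers not set")
    if "denied-peer-ip" not in opts:
        findings.append("no denied-peer-ip ranges: relay can reach LAN and loopback peers")
    return findings


if __name__ == "__main__":
    for name, text in (("posted", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        opts = parse_turnserver_conf(text)
        print(name, "forward:", required_forwards(opts))
        print(name, "findings:", hardening_findings(opts) or "none")
```

Run it against your own file (read it instead of `SAMPLE_CONF`) and compare the printed ranges with the pfSense/router rules; a relay range forwarded wider than `max-port` just exposes ports nothing listens on, one forwarded narrower than the file silently drops calls once the lower allocations are in use.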
chrispcrust Posted February 6, 2022

On 11/1/2020 at 3:09 AM, 4554551n said: Additionally, and this is the big one, @joroga22 perhaps you could help me with this: I cannot seem to get things running with your settings. [...] The logs in the coturn server via the logs drop down are giving me: a few lines about listener addresses, real addresses and relay addresses, then 47 lines of "socket: Protocol not supported".

I have the same issue in Logs: "socket: Protocol not supported" indefinitely. However, in the Nextcloud UI, mine is reporting successful ICE candidates (checkmark). Even with the "success", actually initiating a video call with Talk via WAN works for about a second, then quits out on me. Searched far and wide on this issue; this is a very complicated topic, and I don't think there are any other answers out there unless someone is an expert. OP has stated he is not an expert either, and just FYI the fork of this docker from instrumentisto states: "PROJECT IS CLOSED AND ARCHIVED. NO MAINTAINING WILL BE CONTINUED." ... so this docker probably won't be getting further updates.
xthursdayx Posted February 21, 2022

On 2/6/2022 at 2:52 AM, chrispcrust said: I have the same issue in Logs: "socket: Protocol not supported" indefinitely. [...]

Yeah, this is kind of the wall I've run into unfortunately. As you noted, I'm not an expert, and while I was able to get this container working with Matrix for video calls in the past, troubleshooting other use cases is beyond the scope of what I have time to dig into. Moreover, the development of Coturn in general is pretty specialized and slow, mostly undertaken by one dev, and dockerized versions in particular have been difficult to develop and troubleshoot. I may try to dig into this again in the future and create my own docker image (and new Unraid template), but for now it's on a bit of an indefinite hold.
chrispcrust Posted March 6, 2022 (edited)

On 2/21/2022 at 6:59 PM, xthursdayx said: Yeah, this is kind of the wall I've run into unfortunately. [...]

No problem, can't say I blame you at all. After doing some research, I've become pretty bearish on using this for layman, self hosted applications. It seems as though the purpose of a Turn server is to provide a "bypass" around a strict firewall in case a remote user's (i.e. WAN or separate network from the NC instance) true IP address is masked, so that voice, video and data can literally be routed "around the firewall", through the Turn server, instead of the normal routing that would be used if both users were on the same LAN. This is less than ideal for many of the NC users in the Unraid community who are reverse proxying their instance using something like letsencrypt certificates. There are many reasons a user's IP address may be masked, such as a VPN. Also, falling back on the Turn server eliminates the peer to peer nature that NC Talk is built on, resulting in slower, more sluggish performance. Secondly, it requires the coturn instance to be exposed (port forwarding) and a domain name pointing at the WAN IP address that the coturn instance is running on so that remote users can be directed to it.

So for folks like me using a cloudflare tunnel in an effort to mask my true IP for all my exposed dockers, including Nextcloud, this basically becomes a non-starter and probably not worth it from a security standpoint. Unfortunate; I'm really hoping a different technology may be utilized in the future so we can all self host our video/voice/chat communications with friends and family and not rely on 3rd parties. For now I guess Signal continues to be the best option for me.

Edited March 6, 2022 by chrispcrust
Cessquill Posted March 7, 2022

16 hours ago, chrispcrust said: It seems as though the purpose of a Turn server is to provide a "bypass" around a strict firewall in case a remote user's (i.e. WAN or separate network from the NC instance) true IP address is masked, so that voice, video and data can literally be routed "around the firewall", through the Turn server, instead of the normal routing that would be used if both users were on the same LAN.

When I was looking into it, I seem to remember that the other use was if more than two people were in a chat: it was no longer peer-to-peer, so relied on a third party to manage the feeds (also the turn server could be resource intensive). I gave up in the end, but will probably pick it back up again over a wet weekend.