Accessing turn server from external network through port forwarding


Nextcloud version (eg, 24.0.1): 24.0.2
Talk Server version (eg, 14.0.2): 14.0.3
Custom Signaling server configured: yes and 0.5.0
Custom TURN server configured: yes
Custom STUN server configured: no, using stun.nextcloud.com

In case the web version of Nextcloud Talk is involved:
Operating system (eg, Windows/Ubuntu/…): Fedora Server 36
Browser name and version (eg, Chrome v101): Firefox v102.0

In case mobile Nextcloud Talk apps are involved:
Talk iOS version (eg, 14.0.2): 14.0.1
Talk Android version (eg, 14.0.2): replace me

The issue you are facing:

Is this the first time you’ve seen this error? (Y/N): N

Steps to replicate it:

  • I am currently configuring a TURN server on my local server, and locally I can connect to it and it's working perfectly. But for external users I have set a public IP and I added a DNS record to point the TURN server domain (e.g. turn.mydomain.com) to the public IP. After that I port forwarded on my Cisco Firewall; since I am using TLS I forwarded port 5349.
  • When I test whether the server returns ICE candidates, it's showing me an error that there is no returned ICE candidate.

The output of your Nextcloud log in Admin > Logging or errors in nextcloud.log in /var/www/:

There are no related errors regarding this.

The output of your Apache/nginx/system log in /var/log/____:

There are no related errors regarding this.

Your browser log if relevant (javascript console log, network log, etc.):

Creating PeerConnection with
    Object { iceServers: (1) […], iceTransportPolicy: "relay" }
    iceServers: Array [ {…} ]
    iceTransportPolicy: "relay"

Received candidates
    Array []
    length: 0
    <prototype>: Array []

Here is what I configured inside turnserver.conf:

```
tls-listening-port=5349
fingerprint
use-auth-secret
static-auth-secret=********
realm=turn.mydomain.com
total-quota=0
bps-capacity=0
stale-nonce=600
cert=/etc/letsencrypt/live/turn.mydomain.com/fullchain.pem
pkey=/etc/letsencrypt/live/turn.mydomain.com/privkey.pem
log-file=/var/log/coturn/turnserver.log
simple-log
no-multicast-peers
allowed-peer-ip=127.0.0.1
```

I would like to know if there is something I should add to this config in order to access the turn server from external. Thank you.

I could imagine that you need to open a few UDP ports on your firewall. That was at least what I experienced during my exercises. I've written a small guide to set up the signaling backend, maybe it helps.

results in the fact that only localhost can acquire ICE candidates…

```
# Option to allow or ban specific ip addresses or ranges of ip addresses.
# If an ip address is specified as both allowed and denied, then the ip address is
# considered to be allowed. This is useful when you wish to ban a range of ip
# addresses, except for a few specific ips within that range.
#
# This can be used when you do not want users of the turn server to be able to access
# machines reachable by the turn server, but would otherwise be unreachable from the
# internet (e.g. when the turn server is sitting behind a NAT)
#
# Examples:
# denied-peer-ip=83.166.64.0-83.166.95.255
# allowed-peer-ip=83.166.68.45
```

from: coturn/turnserver.conf at master · coturn/coturn · GitHub

Default and best practice for real-time media is to use UDP. For this reason you should configure your TURN server to listen on 3478/udp and create a corresponding port forwarding in the router.

```
# TURN listener port for UDP and TCP (Default: 3478).
# Note: actually, TLS & DTLS sessions can connect to the
# "plain" TCP & UDP port(s), too - if allowed by configuration.
#
#listening-port=3478
```

from: coturn/turnserver.conf at master · coturn/coturn · GitHub