Complete NC installation on Debian with Spreed.me and TURN step by step

Because i’m testing with Spreed.me and TURN server i made a installation manual. Maybe any of you could use this document. This document is a step by step manual for installing Nextcloud on a fresh installed Debian 8.5 server with only ssh-server installed and standard system tools (i like to keep it clean). If you follow the document step by step you will have a complete installed nextcloud server with a working Spreed.me app and a start with TURN server. I use vim as editor but you’re offcourse welcome to use your own flafour.

Install packages for apache, mariadb, php, nextcloud and enable ssl

apt-get install vim
apt-get install unzip
apt-get install sudo

Installing apache2.4 and Mariadb
apt-get install apache2 mariadb-server libapache2-mod-php5

Installing php modules
apt-get install php5-gd php5-json php5-mysql php5-curl apt-get install php5-intl php5-mcrypt php5-imagick

Download unzip and move latest NextCloud
wget https://download.nextcloud.com/server/releases/nextcloud-12.0.0.zip unzip nextcloud-12.0.0.zip mv nextcloud/ /var/www

Enable SSL
a2enmod ssl a2ensite default-ssl

Now for some reason the default-ssl prevents spreed.me from starting. So create your own certificate:

mkdir /etc/apache2/ssl cd /etc/apache2/ssl openssl req -new -x509 -days 365 -nodes -out /etc/apache2/ssl/apache.pem -keyout /etc/apache2/ssl/apache.key Just enter trough all the certificate questions chmod 600 /etc/apache2/ssl/apache.*

Create vhost file (rename host.domain.nl to your own host.domain):

Download the virtualhost file here: https://cloud.i-erik.nl/s/ZpQsqWsTWGfmgnR/download
I don’t know how to paste it here without messing it up. If anybody does know let me know so i can add it for eternity.

Create symbolic link to sites-enabled
ln -s /etc/apache2/sites-available/nextcloud.conf /etc/apache2/sites-enabled/nextcloud.conf

Enable apache modules:
a2enmod rewrite a2enmod headers a2enmod env a2enmod dir a2enmod mime a2enmod ssl a2ensite default-ssl a2enmod proxy proxy_http proxy_wstunnel

If you’re running mod_fcgi instead of the standard mod_php also enable:
a2enmod setenvif

Set the right permissions on the files in the nextcloud folder. For now we do it the easy way, later on we will use the strong permissions script for nextcloud

cd /var/www/nextcloud
chown www-data:www-data . -R

Installing NextCloud
cd /var/www/nextcloud sudo -u www-data php occ maintenance:install --database "mysql" --database-name "nextcloud" --database-user "root" --database-pass "<password>" --admin-user "ncadmin" --admin-pass "password"

Make sure you have a dns record or configured host file so you can access your virtualhost name based. Open your browser and go to http://host.domain.nl (change to your host and domain)

You probably get an error:

You are accessing the server from an untrusted domain. Please contact your administrator. If you are an administrator of this instance, configure the "trusted_domains" setting in config/config.php. An example configuration is provided in config/config.sample.php. Depending on your configuration, as an administrator you might also be able to use the button below to trust this domain.

Just open your /var/www/nextcloud/config/config.php and add:

vi /var/www/nextcloud/config/config.php
find the line with 0 => ‘localhost’, and add a line below like 1 => ‘host.domain.nl’,

array ( 0 => 'localhost', 1 => 'host.domain.nl',

I also move the data folder from /var/www/nextcloud/data to /var/oc_data

mv /var/www/nextcloud/data /var/oc_data

And change the data folder in /var/www/nextcloud/config/config.php

'datadirectory' => '/var/oc_data',

If you have done this you can also run the next script for strong file permissions:

vi /var/www/oc_perm.sh

####### Copy and Paste from #!/bin/bash to the last fi
#!/bin/bash ncpath='/var/www/nextcloud' ncdata='/var/oc_data' htuser='www-data' htgroup='www-data' rootuser='root'

printf "Creating possible missing Directories\n" mkdir -p $ncpath/data mkdir -p $ncpath/assets mkdir -p $ncpath/updater

printf "chmod Files and Directories\n" find ${ncpath} -type f -print0 | xargs -0 chmod 0640 find ${ncpath} -type d -print0 | xargs -0 chmod 0750 find ${ncdata} -type f -print0 | xargs -0 chmod 0640 find ${ncdata} -type d -print0 | xargs -0 chmod 0750

printf "chown Directories\n" chown -R ${rootuser}:${htgroup} ${ncpath} chown -R ${htuser}:${htgroup} ${ncpath}/apps/ chown -R ${htuser}:${htgroup} ${ncpath}/assets/ chown -R ${htuser}:${htgroup} ${ncpath}/config/ chown -R ${htuser}:${htgroup} ${ncdata}/ chown -R ${htuser}:${htgroup} ${ncpath}/themes/ chown -R ${htuser}:${htgroup} ${ncpath}/updater/

chmod +x ${ncpath}/occ

printf "chmod/chown .htaccess\n"
if [ -f ${ncpath}/.htaccess ]
then chmod 0644 ${ncpath}/.htaccess
chown ${rootuser}:${htgroup} ${ncpath}/.htaccess
fi if [ -f ${ncdata}/.htaccess ]
then chmod 0644 ${ncdata}/.htaccess chown ${rootuser}:${htgroup} ${ncdata}/.htaccess fi
######### END SCRIPT#########

That concludes the basic Nextcloud installation and configuration on a Debian 8.5 server. Now for the WebRTC fun stuff. You can now login in nextcloud by going to https://host.domain.nl

First we gonna make go available on our system. Don’t install it with apt because you’ll get a 1.3 version wich is to low. Install it from source, its verry easy:

First download go
cd /root wget https://storage.googleapis.com/golang/go1.7.linux-amd64.tar.gz tar xzvf go1.7.linux-amd64.tar.gz mv go/ /usr/local vi /root/.profile

add after fi and before mesg n

export PATH=$PATH:/usr/local/go/bin

I also run this command straight from the command line to make available instantly

export PATH=$PATH:/usr/local/go/bin

Now test if go can be found and is working

go version go version go1.7 linux/amd64

Now install WebRTC

First we need some more packages. Git and node.js

apt-get install git node.js make automake

cd /opt wget https://github.com/strukturag/spreed-webrtc/archive/master.zip unzip master.zip rm master.zip

cd spreed-webrtc-master ./autogen.sh ./configure make

If all finished without errors, then kuddo’s, you really followed this manual. Now you can now configure webrtc. We still need to be in /opt/spreed-webrtc-master First copy the de default config file server.conf.in to server.conf

cp server.conf.in server.conf

Lets first generate a secret for our sessionSecret

openssl rand -hex 32 1e719578d2345d32f7ce467d891111f1ba6aa8bexxxxxxxxxxxxxxxx

Copy this string to your memory so you can paste it in the next config file

You need to adjust te following lines to be exactly like (except for the sessionSecret and sharedsecret_secret ofcourse):

vi server.conf

[http]
root = /opt/spreed-webrtc-master
listen = 127.0.0.1:8080
basePath = /webrtc/

[app]
sessionSecret = 02819e83254f793608a1a6b1adb11ed657dxxxxxxxxxxxxxxxxxxxxxxxxxxx
encryptionSecret = c3ec0dc5ead5a8c95bcbae94fcde149xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
authorizeRoomJoin = true
serverToken = 9b88f0aee6fde09a749e65d061de84xxxxxxxxxxxxxxxxxxxxx
serverRealm = mynextcloud.net
extra = /var/www/nextcloud/apps/spreedme/extra
plugin = extra/static/owncloud.js

turnURIs = turn:mynextcloud.net:8443?transport=udp turn:mynextcloud.net:8443?transport=tcp
turnSecret = 6cf6cbc540e9667f3552773df92edbd442eca209axxxxxxxxxxxxxxxxxxxxxx

[users]
enabled = true
mode = sharedsecret
sharedsecret_secret = 10b774ef3db23e63a4d80c69b7879193xxxxxxxxxxxxxxxxxxxx

Save and close the file. This concludes the configuration of spreed-webrtc.

Now we need the Spreed.me nextcloud app

cd /var/www/nextcloud/apps wget https://github.com/strukturag/nextcloud-spreedme/archive/master.zip unzip master.zip mv nextcloud-spreedme-master spreedme cd spreedme/config cp config.php.in config.php vi config.php

Add your sharedSecret from ealier to the config

OWNCLOUD_TEMPORARY_PASSWORD_LOGIN_ENABLED = true SPREED_WEBRTC_SHAREDSECRET = ‘1e719578d2345d32f7ce467d891111f1ba6aa8bexxxxxxxxxxxxxxxx’

Thats it. Save and close the file. This concludes the configuration of spreed.me app.

cd ../extra/static/config cp OwnCloudConfig.js.in OwnCloudConfig.js

Now we can start spreed.me

cd /opt/spreed-webrtc-master/
./spreed-webrtc-server

This command makes spreed run in the forground. Use the next command to run in background (at least until your next boot. U can ofcourse make a init script. Please leave samples below i’m not that good in init scripts)

nohup ./spreed-webrtc-server > /dev/null 2>&1 &

Check if it is running

ps -e |grep spreed

Now the Spreed.me app is installed and configured. Login to Nextcloud, open the apps page. Select Not Enabled and scroll to the bottom and enable the Spreed.me app

Just remember. Your spreedme cam sessions will only work if you and the one you call are in the same network, or are directly connected to the internet. When you are inside a company network your peer to peer traffic will most likely be blocked by the firewall. There is lots of UDP traffic for the webcam data. I’m now trying to configure coturn (TURN server) to port all udp traffic on random ports (49152:65535) to port 443, but i dont know exactly how it works yet. And if you get it to work it might still be blocked by firewalls that do data fingerprint scanning But to get you started do the following :

apt-get install coturn vi /etc/turnserver.conf

This is my config so far just change the secrets:
listening-port=8443 alt-listening-port=3478 fingerprint lt-cred-mech use-auth-secret static-auth-secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX realm=MyDnsService total-quota=100 bps-capacity=0 stale-nonce cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5" log-file=/var/log/spreed/turn/turn.log no-loopback-peers no-multicast-peers cert=/etc/letsencrypt/XXX/cert.pem pkey=/etc/letsencrypt/XXX/privkey.pem

And now enable TURN as a service and restart coturn

vi /etc/default/coturn Remove # in front of TURNSERVER_ENABLED=1 /etc/init.d/coturn restart

3 Likes

This is awesome. Thanks for sharing this guide!

Let me try :slight_smile: - so in your Spreed WebRTC server.conf you actually need to enable and configure TURN. Did you do that, i do not see it in your example above. Look for turnURIs and turnSecret in the example configuration.

We also have a brand new Docker container which runs a TURN server with the required configuration. You might want to take a look at the docs at https://github.com/strukturag/docker-webrtc-turnserver and https://hub.docker.com/r/spreed/turnserver/ and add the additional bits like described there.

1 Like

Yes it’s in the guide. When i look in chrome://webrtc-internals i see

https://host.domain.nl/webrtc/?load_config_js=1, { servers: [turn:127.0.0.1:8443?transport=udp], iceTransportType: all, bundlePolicy: balanced, rtcpMuxPolicy: negotiate }, {advanced: [{googCpuOveruseDetection: {exact: true}}]}

So it seems like something is working. I just don’t know anything about TURN yet :slight_smile: so i’ll keep investigating. I’ll also take a look at the docker container, but i always like to know what i’m doing and how something works so i can troubleshoot if needed.

1 Like

You seem to have configured TURN as 127.0.0.1:8443?transport=udp. That will not work. TURN needs to run on public IP addresses. To get all the features you need two public IP addresses. A TURN server usually runs at a Datacenter as close as possible to the users. See https://github.com/strukturag/docker-webrtc-turnserver#turn-server-configuration-for-webrtc for details on this.

1 Like

Ok tnx. Then i might be able to test it at work in our datacenter. I can install a single TURN server with 2 public addresses and see how that works.

I got it only running if I installed coturn on a seperate machine on the internet.
I have the following setup: nc: 192.168.122.48, landevice via vpn 192.168.1.100 and a device on cell network.
the coturn was on the gatway.

But my local client connectec via VPN to the nextcloud so the coturn is seeing the connection from the lan interface and it gets confused ending it with a allocation timeout.

After installing it on a remote device, which doesn’t interfere with one of my networks, it works.
That turn/stun system seems to be bit “fragile”.

Hi,

Interesting subject ! :thumbsup:

I’m facing this very same problem to have a working turn/stun server. My SpreedMe installation works very well (very good picture and sound) but only if my machines are in the same network

So, can we use the public SpreedMe one (stun.spreed.me:443) ?.. Is there a “how-to” somewhere ? I couldn’t see one somewhere.

Hi - I had a similar challenge.

I temporarly solved it by using “stunURIs = stun:stun.spreed.me:443” in the [app] section of %webrtcroot%/server.conf .

Give us news if that temporarly solution works.

regards

p.s. I don’t use the docker container

O.K., have just tried now your solution with the SpreedMe stun server and it works very well ! ! :clap:
But, with a stun server, it’s not a direct “peer-to-peer” connection…

Is there a reliable public TURN server we can use ? Or Is it mandatory to install a TURN (coturn) server ourselves to be able to make direct connections ?

Anyway, this SpreedMe thing is striking ! Very good ! :smiley: and when everybody will be using IPV6 we then could get rid off all these subterfuges…

Great - stunning, isn’t it? :slight_smile:

I thought STUN is only needed for getting the public IP of the router serving the NAT behind it. But afterwards everything should be p2p - someone correct my words please if I’m wrong.

I still can’t completely and intuitively see through the STUN/TURN jungle. One day maybe, hopefully :wink:

Me too ! :slight_smile:

But when everybody will use IPV6, no more problems… and SpreedMe is really a great app !

Cheers

Yes, it works incredibly smooth - thanks to Struktur AG and the NC devs!

1 Like

Here is a good explanation about the different aspects of STUN and TURN:
http://www.html5rocks.com/en/tutorials/webrtc/infrastructure/

1 Like

That’s the link I usually send aswell :wink:

Very good link !

Now, i know (as @MikeLupe said before) that :

A STUN server is used to get an external network address only.

(check the IP:port address of an incoming request (from an application running behind a NAT) and send that address back as a response)

TURN servers are used to relay traffic if direct (peer to peer) connection fails.

… and i am happy ! :smile:

If any of you can post what programs you used and the configuration i will try to get it to work as well and if it works i will add it the the complete nc installation on debian guide. Then i can finaly remove the [quote=“SyS0p3r, post:1, topic:2436”]
BUT AGAIN, REMEMBER, NOT WORKING.
[/quote]

:slight_smile:

I’m unsure if it really is that easy, but I just installed coturn on my VPS and it just works. I could successfully establish a call between two devices which are in separate NATed networks. I also see the public IPs of these devices appearing in the coturn log.

coturn is running on the same server as my NextCloud and Spreed.Me installations, I configured everything similar to your steps. I’m using Ubuntu Xenial, so the packaged version of coturn is 4.5.0.3.

The only major difference I see is the turnURIs value in the configuration, I set it to the FQDN of my VPS.

As I found out, filetransfers wont be redirected through the turn server, correct?

@dev0 all WebRTC connections should go through the TURN server.

I think i found the setup for private network:

nano /etc/spreed/webrtc.conf

turnURIs = turn:MyDnsService:8443?transport=udp
; Shared secret authentication for TURN user generation if the TURN server is
; protected (which it should be).
; See http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 for details.
; A supported TURN server is https://code.google.com/p/rfc5766-turn-server/.
turnSecret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
; Enable renegotiation support. Set to true to tell clients that they can

On my router I’ve redirect the port 8443 to my nextcloud/webrtc/coturn server

nano etc/turnserver.conf

listening-port=8443
alt-listening-port=3478
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
realm=MyDnsService
total-quota=100
bps-capacity=0
stale-nonce
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
log-file=/var/log/spreed/turn/turn.log
no-loopback-peers
no-multicast-peers
cert=/etc/letsencrypt/XXX/cert.pem
pkey=/etc/letsencrypt/XXX/privkey.pem

I’ve tried between my phone on the 3G , my laptop on the local network and my tablet on a public wifi, connected all together :slight_smile:

3 Likes