Complete NC installation on Debian with Spreed.me and TURN step by step

Very good link!

Now, I know (as @MikeLupe said before) that:

A STUN server is used to get an external network address only.

(check the IP:port address of an incoming request (from an application running behind a NAT) and send that address back as a response)

TURN servers are used to relay traffic if direct (peer to peer) connection fails.

… and I am happy! :smile:

If any of you can post what programs you used and the configuration, I will try to get it to work as well, and if it works I will add it to the complete NC installation on Debian guide. Then I can finally remove the quote from SyS0p3r (post 1, topic 2436):
"BUT AGAIN, REMEMBER, NOT WORKING."

:slight_smile:

I’m unsure if it really is that easy, but I just installed coturn on my VPS and it just works. I could successfully establish a call between two devices which are in separate NATed networks. I also see the public IPs of these devices appearing in the coturn log.

coturn is running on the same server as my NextCloud and Spreed.Me installations, I configured everything similar to your steps. I’m using Ubuntu Xenial, so the packaged version of coturn is 4.5.0.3.

The only major difference I see is the turnURIs value in the configuration, I set it to the FQDN of my VPS.

As I found out, file transfers won't be redirected through the TURN server, correct?

@dev0 all WebRTC connections should go through the TURN server.

I think I found the setup for a private network:

nano /etc/spreed/webrtc.conf

turnURIs = turn:MyDnsService:8443?transport=udp
; Shared secret authentication for TURN user generation if the TURN server is
; protected (which it should be).
; See http://tools.ietf.org/html/draft-uberti-behave-turn-rest-00 for details.
; A supported TURN server is https://code.google.com/p/rfc5766-turn-server/.
turnSecret = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
; Enable renegotiation support. Set to true to tell clients that they can

On my router I've redirected port 8443 to my nextcloud/webrtc/coturn server.

nano /etc/turnserver.conf

listening-port=8443
alt-listening-port=3478
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
realm=MyDnsService
total-quota=100
bps-capacity=0
stale-nonce
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
log-file=/var/log/spreed/turn/turn.log
no-loopback-peers
no-multicast-peers
cert=/etc/letsencrypt/XXX/cert.pem
pkey=/etc/letsencrypt/XXX/privkey.pem

I've tried between my phone on 3G, my laptop on the local network and my tablet on a public wifi, all connected together :slight_smile:

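The turnSecret in webrtc.conf and the static-auth-secret in turnserver.conf above are the two ends of the shared-secret scheme from draft-uberti-behave-turn-rest-00: the Spreed server mints short-lived TURN credentials from the secret, and coturn (with use-auth-secret) recomputes them. The following is an added illustration, not code from the thread or from either project; the secret, user id and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder; in a real deployment this is the value that must be
# identical in webrtc.conf (turnSecret) and turnserver.conf (static-auth-secret).
SHARED_SECRET = b"example-shared-secret-replace-me"
DEFAULT_TTL = 24 * 3600  # credential lifetime in seconds


def make_turn_credentials(user_id: str, secret: bytes = SHARED_SECRET,
                          ttl: int = DEFAULT_TTL,
                          now: Optional[int] = None) -> Tuple[str, str]:
    """What the signalling server hands to the browser: the TURN username is
    '<expiry-unix-timestamp>:<user id>' and the password is
    base64(HMAC-SHA1(secret, username))."""
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user_id}"
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credentials(username: str, password: str,
                            secret: bytes = SHARED_SECRET,
                            now: Optional[int] = None) -> bool:
    """What the TURN server does with use-auth-secret: recompute the HMAC with
    its own static-auth-secret, compare in constant time, and refuse usernames
    whose embedded expiry has passed. A secret that differs by one character
    (a typo in either config file) fails here, which is why mismatched
    configs show up as TURN allocation failures rather than as a clear error."""
    if now is None:
        now = int(time.time())
    expiry_str, sep, _ = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False  # malformed username
    if int(expiry_str) <= now:
        return False  # credential has expired
    expected = base64.b64encode(
        hmac.new(secret, username.encode(), hashlib.sha1).digest())
    return hmac.compare_digest(expected, password.encode())
```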

SLAPPS

Could you please share your files with me?
I am unable to make spreedme work.

Following errors:
Output of the command ./spreed-webrtc-server:
server 2016/10/25 01:06:42.039997 Warning: encryptionSecret value is not a hex encoded encoding/hex: invalid byte: U+0074 't'
server 2016/10/25 01:06:42 Using '/webrtc/' base base path.
server 2016/10/25 01:06:42.040331 Enabled modules: [screensharing youtube presentation contacts]
server 2016/10/25 01:06:42.042539 Loaded extra templates from: /var/www/nextcloud/apps/spreedme/extra
server 2016/10/25 01:06:42.042588 Max open files are 65536
server 2016/10/25 01:06:42.043787 Enabled users handler 'sharedsecret'
server 2016/10/25 01:06:42.044069 Added URL handler /extra/static/… for static files in /var/www/nextcloud/apps/spreedme/extra/static/…
server 2016/10/25 01:06:42 no services were registered

The output of the command ps -e | grep spreed is empty.

I seek all config files in master as well as in the spreedme app.

I followed the installation procedure without any errors until executing that command.
I do not understand where my problem is.
Kindly help.

You might wanna check Nextcloud/Spreed.me install script Debian. I made a script that runs the whole instruction for you (on Debian 8.5). The only issue with the script is an error when entering a spreed.me chat room that I haven't figured out yet.

The errors I got with spreed.me most of the time are typos in one of the config files. In this case I would guess in the spreedme-server.conf.

Thank you very much, this worked for me, where using the spreedme stun server was not enough.

I first found the strukturag docker solution here, but I didn't want to install again something to run/install something else again. I am already unhappy only being able to run spreedme with git, go, nodeJS, … installed before ;). I hope there will be some easier slim solution soon.

I only understand half of the turnserver.conf. I guess "alt-listening-port" is not necessary and will also only work with proper port forwarding in the router. "cipher-list" should also not be necessary to edit, right? I will try to find out which lines are really necessary for the TURN server to run with spreedme. But as the given configs work, I guess it would be helpful to add them to the "official" installation guides on GitHub and nextcloud.com, as they are the first places where server admins will try to find them.

So the installation priority would be:

  1. install spreed server + spreed.me nextcloud app + configuration
  2. as this doesn't work in most cases for calls between separate networks: configure the use of a STUN server, preferably the one from spreed.me
  3. as this also is not enough for some network configurations (e.g. mine): installation of a TURN server, preferably coturn with the config adjustments given here

@MichaIng docker works every time, but you need to run it manually on each reboot.
You need to do docker ps -a, copy the pid number xxxx, then docker rm xxxxxxxx,
then re-run docker with the following command:
docker run --rm --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v `pwd`:/srv/extra -i -t spreed/webrtc

For more info you can visit the following link: http://community.nethserver.org/t/experimenting-the-spreed-me-feature-under-nextcloud/4685/3

The second issue with docker is that you cannot change the ports 8080 and 8443.
The third issue with Docker is that you can access spreedme outside of nextcloud, a security problem.

@SyS0p3r's solution is very good; however, again I was not able to fix the security nor to run it in HTTPS,
and you need to start the spreed webrtc manually.

I am working on an easy solution and will post the howto; however, it will be complementing that of @SyS0p3r.
In the meantime, can someone help with the webrtc.conf with https enabled?

I have solved the start with boot and solved the security (so now no one will be able to access spreed without being logged into nextcloud). I am left with https not being enabled, which is really annoying me. Every time I enable https, the spreed-webrtc refuses to reload.

Yeah, I mean the docker solution should be nice if someone already uses docker as a platform for many other things anyway. But as I never used it so far and also don't see any reason why I should, I don't like to use it just for one piece of software. The things you mention also don't make it look like an "easier" solution in any way.

@https: As the TURN server already listens on port 8443 now, could there be a problem using the same port for the spreed server? At least port 8443 is offered in the https section of the conf file. But I guess you can choose any free port? I wonder why I don't need to forward port 8080, where my spreed server listens so far (non-https so far).

I will also try to get it work with https now and let you know how it works.

€: Okay, I tried to make spreed listen to https. First: it is not possible to use port 8443 if that is already used by the TURN server. At least good to know for me as a noob in these topics ;).
I tried to use port 8444 and adjusted the apache conf, the spreed server conf and also the one for the nextcloud app, but I always got some handshake error message when trying to access the spreedme app.
But looking into the apache conf, I guess that the connection actually already is in https.

This is, what my nextcloud apache conf contains according to the guides:

	<Location /webrtc>
		ProxyPass http://127.0.0.1:8080/webrtc
		ProxyPassReverse /webrtc
	</Location>
	<Location /webrtc/ws>
		ProxyPass ws://127.0.0.1:8080/webrtc/ws
	</Location>
	ProxyVia On
	ProxyPreserveHost On
	RequestHeader set X-Forwarded-Proto 'https' env=HTTPS

I don't exactly understand all of this, but isn't this just a sort of internal redirect of the client's https request to the http port where the spreed server listens? I mean, even though spreed does not explicitly listen on an https port, access over the web browser is (as long as apache is configured accordingly) only possible over https, which also doesn't change when accessing the spreedme app. This also explains why no port forwarding for 8080 is necessary.

The official instructions say:
"Running for production
Spreed WebRTC should be run through a SSL frontend proxy with support for Websockets."
and then refer to documentation files that (for apache) show exactly the lines I show above.

So I guess everything is as it should be and the connection is "safe" through https, or am I wrong?

@MichaIng yes, you are right.
This should be fine.
You just need to make sure you can access it via http as well as via https.
Also make sure that you do not have direct access to http://ipaddress:8080 or https://ipaddress:8443.

Mine is similar to yours, except that I run the VM provided by techandme where everything runs in https.

What do you mean by "access it via http"? All http access is redirected to https automatically. Whatever I try (with a web browser) to access via http or port 80 is redirected or refused.

Port 8080 is not forwarded by the router, just UDP 8443 to the TURN server. I didn't find a way to access something through this opened port, but I also don't know many ways to do that ;). As far as I understand my settings, my webserver just listens on port 80 (which is redirected to 443) and 443. For ssh my router forwards another certain port to 22. I don't know about the actual security risk of opening port 8443 (directly) for the TURN server or what I can/should do to minimize it. If you or somebody else has some hint for me, I would appreciate it :).

@MichaIng as I explained to you earlier, my OS is a bit different, as well as your setup.
My OS is Ubuntu 16; it is the VM pre-installed version of Nextcloud provided by techandme.se.
What I did is followed the steps of @SyS0p3r's script and adopted some of it on my machine.

If all your requests are going to 443 then your machine fulfills the conditions.

Many thanks for your complete tutorial.
I tried to apply it on Ubuntu 16.10 server.
Spreed seems to be working, but I didn't understand how to start a chat, then I restarted the server.
Now I can't start the apache server.
I didn't find any error log.

What is the error you get? What happens when you do a

/etc/init.d/httpd restart
or
service httpd restart

The error should be in /var/log/httpd/.

I don't have any error, but I am trying to revert all that I did in this tutorial, so can you give me a way to delete the init script
(nohup ./spreed-webrtc-server > /dev/null 2>&1 &)
Thanks.

I solved the problem: when I deleted golang and installed apache directly, it returned to starting, but I still don't know how to use spreedme.
When I click Spreed.me it generates a second line at the top of nextcloud, nothing more.

Why can't you change the port? Just edit it in the config file and then in the docker start command. You can even redirect one port from the outside to another on the inside.

Additionally, if you look at the recent spreed.me manual on the nextcloud page, you will see that the security issue is solved too.

On top of that, you forgot to expose your nextcloud App instance.

For the spreedme server you need golang. If the problem was that apache wasn't starting with spreedme running, I would think there might be a port conflict. Did you run spreedme and apache on the same ports?

And to stop the spreedme script (it isn't an init script, just a way to start it in the background) you could do a:

ps -e | grep spreed-webrtc-server

It will give you a line with a process id (like 8992 or something), and then kill it with

kill -9 8992 (replace 8992 with your process id)