How to use own Intranet penetration solution without the default configured stun server

I deployed nextcloud in LAN, I want to use talk for collaboration, I also deployed VPN and frpc to do Intranet penetration, I plan not to use the default stun server of nextcloud talk, but I found that the default configuration is no way to delete, it seems that this is written in the code, how should I solve this problem

I thought, you could configure the STUN server in the admin settings. If unconfigured, the default server is used as a fallback as far as I know. Have you checked in the code that your interpretation is correct?

This forum section is about development and stuff, this problem seems rather configuration. You will not get much help in this sub-forum here if you need configuration help.

I found this for you here:

  • Configure Nextcloud Talk to use your TURN server
    Go to Nextcloud admin panel > Talk settings. Btw. if you already have your own TURN server, you can and may want to use it as STUN server as well:
STUN servers:<yourChosenPortNumber>
TURN server:<yourChosenPortNumber>
TURN secret: <yourChosen/GeneratedSecret>

Do not add http(s):// here, this causes errors, the protocol is simply a different one. Also turn: or something as prefix is not needed. Just enter the bare domain:port.


Nextcloud Talk is still based on the Spreed video calls app (just got renamed) and thus the Spreed.ME WebRTC solution. For this reason all guides about how to configure coturn for one of them, applies to all of them.

1 Like

For the record, same question was asked here How to use own Intranet penetration solution without the default configured stun server · Issue #9144 · nextcloud/spreed · GitHub
But the answer remains :wink:

What I say is that I don t use any stun server and I complete the remote access using our existing vpn + frpc solution

I am not a STUN expert. But i think if the clients can see each other you do not need STUN.

STUN (Session Traversal Utilities for NAT; originally Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators)


1 Like

Yes, if there is not NAT between clients, no STUN or TURN server is needed. This includes the case where all clients are connecting to Nextcloud Talk through the same VPN network (without VPN NAT).

The STUN server is only used as fallback, if needed. So it should be possible to enter some invalid address, if for some reason you want to rule out that the default server is used. But it actually makes sense to allow unsetting STUN completely.

I have deployed nextcloud and talk in the private network, and nextcloud talk server cannot access the Internet, which means there is no way to access any public network deployed stun server, including the default 443, how should I configure it

Let’s clarify again

I have deployed nextcloud and talk in the private network, and This network has only local IP and no access to internet, For example, our IP address is the address segment, and the nextcloud talk sever address is are no server such as ICE server and STUN in this network, and moreover, the network cannot have access to others or any default STUN server due to the reasons described above. So nextcloud talk server cannot access the Internet, which means there is no way to access any public network deployed stun server, including the default 443.

How should it be configured in this case,

Have you tried to set it up and putting an arbitrary IP into the setting that is not resolvable? E.g. and no machine is listening on that machine.

At worst you could install a local STUN server inside the IP range and use that one.
Honestly, I am unsure if the process needs some signaling service internally that bases on the services. But this is just guessing.

I tried setting up an arbitrary ip address into the setting but didn t fix the problem

Have you checked if this is a problem at all? I mean have you actually tried to perform calls between multiple LAN clients, and did it fail?

The reason for my question is, as others already pointed out, that you don’t necessarily need a TURN/STUN server if all clients can connect directly to each other. So if it doesn’t work, the problem may lie somewhere else entirely.

Just a guess on my part, but I think I read somewhere that Talk requires HTTPS in order to work. So, If this is the case, and you are using Nextcloud with an IP address instead of a Fully Qualified Domain Name, without HTTPS or with self-signed certificates, that could be the reason why it doesn’t work…

Yes, I checked and found no other problems; I failed to talk with multiple clients.

I also understand that I don’t need a stun server, so I started with the idea to remove the default stun server.

Could there be any other problems?

See my previous post… Do you use HTTPS?

Btw, in the meantime I also found this:

HTTPS is required to be able to use WebRTC (the video call technology of browsers used by Nextcloud Talk calls).

I use talk app, which does not need to deploy netcloud server into https, and I have verified that when I put two clients with nextcloud server in a LAN, two clients can call; and when I connect one client to nextcloud server through a VPN network, two clients cannot call

I deployed nextcloud server on the LAN server with a talk app client connected to nextcloud server the same LAN with IP address At the same time, I have deployed the vpn network, and the address of the nextcloud server in the VPN network is Another talk app client is connected to another wifi network with address; also he joins the VPN network and his VPN address is; this talk app client connects to nextcloud server through this VPN address; I call the two clients to each other

I grab packet analysis client signaling requests accessed via the VPN network

POST /ocs/v2.php/apps/spreed/api/v3/signaling/4fie8puo HTTP/1.1\r\n

[{“fn”:“{"payload":{"candidate":{"candidate":"candidate:791385798 1 tcp 1518280447 9 typ host tcptype active generation 0 ufrag TRVN network-id 4 network-cost 10","sdpMLineIndex":0,"sdpMid":"0"},"type":"candidate"},"roomType":"video","to":"j0xgvZIytf4veqhW0uIRPQNtq/5sDxLQRgVE7m7CRtr+7GHYR2tmnblluJh3RgVvqDYAojwy8VChes5KgfL4AngKJ1bGCAZJI/mqweiHOCvyYkAlmErCc8YRT1QjUftzTjSFQEXdp5oAaj+oMOg24RQjhedEVg1ODG68Pi2sAAT6nxNsaHz5ymuNjfLf50aLGhL/wHOfIBhT6aSfHICCQl+pWcMFt7oar5KEQmNYhndKD6CkghzeoFl97bqgp8j","type":"candidate"}”,“sessionId”:“TPNDEYYftGYtaY+IrGLnP/Qu86uev/gma8kclf2pjefbyuy7VdRIjnhtMg/nfmuNbf4tRg6xlkY4EygQ7Tct2YDpyuoGvn3k7msSOpEhScEuVd5aDwSpWMZp8hiAuPMER3Iy16L4BGo7hlEk4XGbZufxgzQ6FHwsSsr9thdBRuScKorgf+LyAMu5j+jYNTo6uqz7+Di+MvQDGjkZ+nUt7AQ85JC0eWJ//nf4Xkg70UtRucygfOztT3FTlRTWBKR”,“ev”:“message”}]

Among them, is the IP address assigned by his LAN, not the address assigned by the VPN network

This causes the talk app client with IP address sending media messages to, but this address is inaccessible, so the media cannot get through

Well this seems more like a networking issue than a Talk issue to me, but I’m not an expert…

What I do know, though, is that the Talk server and all clients have to be able to talk directly to each other, in order for it to work. If this is not possible for whatever reason, you need a STUN/TURN server. The TURN server and also the Nextcloud server do not have to be publicly accessible, although this would simplify things, but can also be set up in your LAN.

Thank you. I will try to install a stun server in the same LAN of nextcloud server. In addition, the attachment diagram corresponds to the problem I described above, so that I can express the problem more clearly
network.pdf (112.1 KB)

I’m also not aware that Talk/WebRTC would require HTTPS. That information may be wrong. But what I read ia that some browsers deny access to camera and microphone for websites without HTTPS. E.g.: Camera & microphone require https in Firefox 68. - Advancing WebRTC

In the same network, indeed neither TURN nor STUN should be required.

As there are clients with different 192.168.* addresses: Is this a network so that all hosts can directly reach each other or is there some internal NATing for communication between different 192.168.*.0/24 networks? In this case, TURN is required (or at least STUN) and the server located where it can be reached from all clients, like the Nextcloud server itself.