HowTo: Setup Nextcloud Talk with TURN server

Hm. You are right. I re-tested with uncommented bps-capacity, restarted coturn, and still could use the TURN-server.
(My testcase is a make-shift corporate-like firewall - I allow one PC to only access the Internet via a Proxy on tcp port 443, no udp).
I think the error in my short code analysis above might be that this line in the allocate_bps function will not distinguish between bps_capacity not being set, or it being 0. So 0 is probably OK (?).
Now I wonder what else I have changed that made my setup work, when it did not before…
Thanks for your persistence in pushing me to re-test!


Guess so. But I am no C coder :wink:.
But seems that disabled limit is default then, so commenting works as well.


@j12t
Found the TURN server settings within database:
mysql -uroot -p -e "select * from nextcloud.oc_appconfig where appid='spreed'"
Replace “nextcloud” by your actual database name, of course.

Output:

+--------+-------------------+----------------------------------------------------------------------------------------------------------------------------------------+
| appid  | configkey         | configvalue                                                                                                                            |
+--------+-------------------+----------------------------------------------------------------------------------------------------------------------------------------+
| spreed | enabled           | yes                                                                                                                                    |
| spreed | installed_version | 4.0.0                                                                                                                                  |
| spreed | stun_servers      | ["my.domain.org:5349"]                                                                                                              |
| spreed | turn_servers      | [{"server":"my.domain.org:5349","secret":"<my_secret_string>","protocols":"udp,tcp"}] |
| spreed | types             | prevent_group_restriction                                                                                                              |
+--------+-------------------+----------------------------------------------------------------------------------------------------------------------------------------+

So to update settings via script e.g.:

mysql -uroot -p<password> -e "update <nextcloud_db_name>.oc_appconfig set configvalue='[\"your.domain.org:5349\"]' where configkey='stun_servers'"
mysql -uroot -p<password> -e "update <nextcloud_db_name>.oc_appconfig set configvalue='[{\"server\":\"your.domain.org:5349\",\"secret\":\"<your_secret_string>\",\"protocols\":\"udp,tcp\"}]' where configkey='turn_servers'"

But I didn’t test the syntax in this case with all the quotations :wink:. Testing pending…


EDIT:

To not risk messing with MySQL tables, occ can be also used to apply settings:

sudo -u www-data php /path/to/nextcloud/occ config:app:set spreed stun_servers --value='["my.domain.org:1234"]'
sudo -u www-data php /path/to/nextcloud/occ config:app:set spreed turn_servers --value='[{"server":"my.domain.org:1234","secret":"XXXX","protocols":"udp,tcp"}]'
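Since the quoting in the raw mysql statements above is easy to get wrong, here is an added example (not from the post or from Nextcloud itself) that builds the two JSON values in small functions, escapes the secret so it is always a valid JSON string, and applies them through occ, then reads them back. The Nextcloud directory, service user and TURN_SECRET environment variable are assumptions for the example.

```shell
#!/bin/sh
# Added example: build the JSON values Nextcloud Talk stores in oc_appconfig
# (stun_servers / turn_servers for appid 'spreed') and apply them with occ
# instead of editing the MySQL table by hand.
# Assumptions (not from the thread): Nextcloud is installed in $NC_DIR and
# the web server runs as $NC_USER.
NC_DIR="${NC_DIR:-/path/to/nextcloud}"
NC_USER="${NC_USER:-www-data}"

# Escape backslashes and double quotes so an arbitrary secret is valid
# inside a JSON string literal. The trailing newline is stripped by the
# caller's command substitution.
json_escape() {
    printf '%s\n' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# JSON array with one STUN entry, e.g. ["turn.example.org:5349"]
stun_servers_json() {
    printf '["%s"]' "$(json_escape "$1")"
}

# JSON array with one TURN entry: server, shared secret, protocols
turn_servers_json() {
    printf '[{"server":"%s","secret":"%s","protocols":"%s"}]' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# Write both values through occ and read the TURN entry back to confirm.
apply_talk_servers() {
    server="$1"; secret="$2"; protocols="${3:-udp,tcp}"
    sudo -u "$NC_USER" php "$NC_DIR/occ" config:app:set spreed stun_servers \
        --value="$(stun_servers_json "$server")"
    sudo -u "$NC_USER" php "$NC_DIR/occ" config:app:set spreed turn_servers \
        --value="$(turn_servers_json "$server" "$secret" "$protocols")"
    sudo -u "$NC_USER" php "$NC_DIR/occ" config:app:get spreed turn_servers
}

# Usage: TURN_SECRET=<static-auth-secret> sh set-talk-servers.sh turn.example.org:5349
if [ "$#" -ge 1 ]; then
    apply_talk_servers "$1" "${TURN_SECRET:?set TURN_SECRET in the environment}"
fi
```

Passing the secret through the environment rather than as an argument keeps it out of the shell history and the process list, which matters because this is the same static-auth-secret coturn uses to validate credentials.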

One idea for this warning message:

Dec 19 09:08:17 srvr turnserver: 0: WARNING: cannot find private key file: /etc/ssl/acme/private/mydomain.net.privkey.pem (1)
Dec 19 09:08:17 srvr turnserver: 0: WARNING: cannot start TLS and DTLS listeners because private key file is not set properly

Cert generated by Let's Encrypt on OpenBSD 6.4!
Rights on the private key are 0400, only for root and group wheel.

The turnserver starts with the _turnserver user.

How can I let the _turnserver user read this file?

Ah okay on Raspbian/Debian certbot APT install, it runs as root user, to allow bind to restricted ports as well.

Somehow makes sense to run it as separate user on a permitted port.

There are two ways to grant access to private key files:

  • Copy the key + certs somewhere to a turnserver related dir and chown _turnserver:_turnserver && chmod 400. But this then needs to be done on every certificate renewal, e.g. via cron job or by adding these steps to the renewal job.
  • Create an “ssl” group, add _turnserver to this group and chown the key to this group with 440 permissions then. Then you can add any other user that requires cert+key access for TLS to this group. But this as well most likely needs to be redone on certificate renewal, depending on how (with which user) the renewal is done. Perhaps you can run the related renewal process/service with “ssl” group as well to have this done automatically.
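The first option (copy cert + key into a directory owned by the coturn user, mode 400, repeated on every renewal) is what the bullet describes as needing a cron job or renewal hook. The script below is an added example, not from the thread or from coturn, of such a hook: it copies the files under a restrictive umask, writes them under temporary names and renames them into place so coturn never reads a half-written key, and lets you verify the result. The destination directory /etc/turnserver/ssl, the service user name and the use of certbot's RENEWED_LINEAGE variable (which certbot sets for --deploy-hook scripts) are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): install a renewed certificate
# and private key into a coturn-owned directory with strict permissions, so
# the key never has to be group- or world-readable where the ACME client stores it.
# Assumed names: coturn service user (_turnserver on OpenBSD, turnserver on
# Debian) and destination directory /etc/turnserver/ssl.
set -e
umask 077   # temp copies are never readable by anyone but the invoking user

# install_turn_certs CERT KEY DEST_DIR OWNER
# Copies CERT and KEY into DEST_DIR, then restricts them to OWNER:
# the key becomes mode 0400, the (public) certificate 0444.
install_turn_certs() {
    cert="$1"; key="$2"; dest="$3"; owner="$4"
    [ -r "$cert" ] && [ -r "$key" ] || { echo "cert or key unreadable" >&2; return 1; }
    mkdir -p "$dest"
    # Write to temporary names first and rename atomically afterwards.
    cp "$cert" "$dest/cert.pem.tmp"
    cp "$key"  "$dest/privkey.pem.tmp"
    chown "$owner" "$dest/cert.pem.tmp" "$dest/privkey.pem.tmp"
    chmod 0444 "$dest/cert.pem.tmp"
    chmod 0400 "$dest/privkey.pem.tmp"
    mv "$dest/cert.pem.tmp"    "$dest/cert.pem"
    mv "$dest/privkey.pem.tmp" "$dest/privkey.pem"
    chown "$owner" "$dest"
}

# Verification helper: succeeds (0) only if DEST_DIR/privkey.pem is exactly mode 0400.
key_is_locked_down() {
    [ -n "$(find "$1" -maxdepth 1 -name privkey.pem -perm 0400 -print)" ]
}

# As a certbot deploy hook (Debian), certbot exports RENEWED_LINEAGE, the
# directory holding fullchain.pem and privkey.pem for the renewed certificate.
if [ -n "$RENEWED_LINEAGE" ]; then
    install_turn_certs "$RENEWED_LINEAGE/fullchain.pem" "$RENEWED_LINEAGE/privkey.pem" \
        /etc/turnserver/ssl turnserver
    key_is_locked_down /etc/turnserver/ssl
    # coturn reads the key at start, so restart it afterwards: systemctl restart coturn
fi
```

On OpenBSD with acme-client there is no hook mechanism, so the same function can be called from the cron entry that runs acme-client, right after it succeeds; point `cert-file` and `pkey-file` in turnserver.conf at the copies in the destination directory, not at the originals.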

@MichaIng: ty! :smiley:

OK, I resolved it by creating another directory, copying the private key, and chowning it only for the _turnserver user…
With another group such as “ssl” and chmod 0440, that does not work. :wink:

It’s weird, because there is no need to change the server certificate!


Another question: how can I block SSL23 usage… I want only TLS1.2!
I uncommented:

no-tlsv1
no-tlsv1_1

But I get these messages on start:

Dec 19 17:30:21 srvr turnserver: 0: SSL23: Certificate file found: /etc/ssl/acme/mydomain.net.cert.pem
Dec 19 17:30:21 srvr turnserver: 0: SSL23: Private key file found: /etc/ssl/acme/turnserver/mydomain.net.privkey.pem
Dec 19 17:30:21 srvr turnserver: 0: TLS1.2: Certificate file found: /etc/ssl/acme/mydomain.net.cert.pem
Dec 19 17:30:21 srvr turnserver: 0: TLS1.2: Private key file found: /etc/ssl/acme/turnserver/mydomain.net.privkey.pem
Dec 19 17:30:21 srvr turnserver: 0: TLS cipher suite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5
Dec 19 17:30:21 srvr turnserver: 0: DTLS: Certificate file found: /etc/ssl/acme/mydomain.net.cert.pem
Dec 19 17:30:21 srvr turnserver: 0: DTLS: Private key file found: /etc/ssl/acme/turnserver/mydomain.net.privkey.pem
Dec 19 17:30:21 srvr turnserver: 0: DTLS cipher suite: ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5

:+1: Actually the way to copy cert+key and chown for only the particular user is the most recommended way for security reasons. Only if you have several different services that require access, the shared group solution is handier.

Indeed, down to SSLv3 everything is supported according to the comments in turnserver.conf: https://github.com/coturn/coturn/blob/master/examples/etc/turnserver.conf#L26
But no option to disable SSLv3.

Reading: https://github.com/coturn/coturn/issues/220

  • So it seems that SSLv3 is disabled by default in the current version, but somehow it still shows up in the log.
  • Perhaps you can look further into the logs to verify that only TLSv1.2 is used?
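The startup log alone cannot settle this: the "SSL23" label is OpenSSL's name for its version-negotiating method (SSLv23_method), so its appearance only says which SSL context coturn created, not which versions the listener will accept. The following added example (not from the thread or from coturn) does two things: it lists the listener labels from a coturn log like the one above, and, when given a host and port, it forces a handshake at each TLS version with openssl s_client so you can see which ones the server actually completes. Hostname and port are arguments; openssl(1) is assumed to be installed.

```shell
#!/bin/sh
# Added example (not part of the thread): check which protocol versions the
# TURN TLS listener really accepts, instead of trusting the "SSL23" label in
# the startup log. Assumed: openssl(1) is installed and the TURN host/port are
# passed on the command line.

# Print the distinct listener labels (e.g. "SSL23 TLS1.2 DTLS") for which
# coturn logged "Certificate file found", in order of first appearance.
listener_labels_in_log() {
    sed -n 's/.*turnserver: [0-9]*: \([A-Za-z0-9.]*\): Certificate file found.*/\1/p' "$1" \
        | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# Force a handshake at one protocol version; succeed (0) only if the server
# completed it. $3 is an s_client version flag: tls1_2, tls1_1 or tls1.
# A completed handshake prints "New, TLSv1.x, Cipher is <name>"; a refused
# one prints "New, (NONE), Cipher is (NONE)".
probe_tls_version() {
    host="$1"; port="$2"; version="$3"
    printf '' | openssl s_client -connect "$host:$port" "-$version" 2>/dev/null \
        | grep -q 'New, TLSv[0-9.]*, Cipher is [A-Z]'
}

# Report which versions a listener accepts, one line per version.
report_tls_versions() {
    host="$1"; port="$2"
    for v in tls1_2 tls1_1 tls1; do
        if probe_tls_version "$host" "$port" "$v"; then
            echo "$v accepted"
        else
            echo "$v rejected"
        fi
    done
}

# Usage: sh check-turn-tls.sh my.domain.org 5349 [/var/log/turnserver.log]
if [ "$#" -ge 2 ]; then
    [ "$#" -ge 3 ] && echo "listeners in log: $(listener_labels_in_log "$3")"
    report_tls_versions "$1" "$2"
fi
```

With no-tlsv1 and no-tlsv1_1 uncommented, the expected report is tls1_2 accepted and the other two rejected. SSLv3 is not probed because the -ssl3 flag only exists in OpenSSL builds that still include SSLv3; on a current system s_client reports it as an unknown option, which already tells you the client side cannot speak it.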

I understand…
But as I wrote in the previous message, I only had to deal with the private key file, without any other changes.

Thanks for all! :stuck_out_tongue:

Ah jep, strict permissions are most important for your private key of course, while the certificates are public anyway and by default have weaker permissions :wink:.

Can I generate a new certificate for my turnserver, or do I need to use the certificate for my nextcloud’s apache config?

Of course you can use a different one.


:~# sudo systemctl enable --now turnserver
Failed to enable unit: File turnserver.service: No such file or directory

:disappointed_relieved:

The service name is coturn, at least on Debian/Raspbian, if you installed via APT, so: systemctl enable coturn
And don’t forget: sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
Otherwise the service will immediately stop.

An even easier approach is to run the script from the Nextcloud VM.

Two steps:

  1. Open port 5349 (or whichever you want)
  2. wget the RAW script and run it.

IF you run the Nextcloud VM :wink:!

Otherwise it might partly work on other Debian-based distros/systems, but leaves the config with some wrongly estimated variables (coturn settings based on environment expectations, SSL via Let's Encrypt and others).

Can the TURN server be on the same server as Nextcloud itself? If so, I imagine we cannot refer to the TURN server by the IP address (within Nextcloud configs) as 127.0.0.1.

Both can be on the same machine, but within Nextcloud settings, you still need to set the public/external IP. This is used by the end user WebRTC clients (browser, Android app), not by Nextcloud.


What if we installed our Nextcloud from a snap? That would introduce some complications, I think, to get coturn working on the same server as the snap. I made a post asking deeper questions about this here.

Hi MichaIng,
Your efforts on this matter are greatly appreciated! I just wanted to react to one of your quotes here as I think things have shifted in favor of your idea of bundling TURN together with TALK (and STUN).

Recently I have discovered and deployed Yunohost (self hosting solution which lets you install apps - such as NextCloud - in a GUI with the simple click of a button), and have installed NextCloud on it. Both Yunohost and Nextcloud share the mission of making self hosting (a cloud) accessible/maintainable for many many more people. The choice of only using GUIs and making installing apps easy by just clicking an install button are two ways in which this mission is accomplished.

Videocall use cases and low level of technical expertise
I am a user of NextCloud who - probably like most other users - has not deployed it for use by a huge company, but just for home use and perhaps a smaller company. In these use cases it does not make any sense to only use the TALK videocalls within the local network. As most homes or smaller companies just have a kitchen/meeting room and don’t need video calls inside the same building. Where NextCloud talk becomes interesting, is when videocalls work with people outside of the local network. Since I suspect that this is the goal of most people who install TALK on NextCloud, it is very inconvenient that they then land into having to do all kinds of expert level terminal work and understanding. Especially when these users are more and more almost non-experts being able to host themselves through the great efforts of projects like NextCloud and Yunohost.

Developer and user effort and losing (potential) users
In connection to the above, I would like to comment on what you said about a bundling solution: “On the other hand this means always additional effort for maintaining the fork or bundle (depending on how far the integration should go)”. I am not a developer - more of a designer/creative researcher - so I don’t know exactly how much time it would take a developer in this case. However, I do know that if these one or a few developers do not take a few hours to do this, then all thousand or more non-expert users have to spend an almost similar amount of time each reading up on the issues and instructions and installing; probably resulting in a much larger cumulative cost in time, a possible source of irritation and in many cases just a switch back to Skype or another platform than NextCloud (for example Google Drive/Talk). That would be a shame for such a good project as NextCloud and TALK.

An ideal solution
I would really wish that the installation of TALK in NextCloud would enable videocalls outside the local network by default, and that there would be no - or only little GUI - configuration required. :smile:
(By the way, in the installation process then it would be helpful to also give instructions about port forwarding for both TCP and UDP, I ran into trouble only having TCP in place first)

How to get there
My question to you (and perhaps others on the forum) is if the above wish could be accomplished and how? (And if it is far too difficult, how could creating an easily configurable TURN server be made available for Yunohost for example?)

Thanks again for your efforts already! I look forward to your answer(s). From a designer and less-expert user perspective I might be helpful in fleshing out a solution.

Other potentially helpful sources
P.S. Some other interesting links about TURN in this context, which could perhaps be used for working toward a GUI solution:


As long as the server is on Ubuntu 18.04 the scripts from the VM should work. All it does is check open ports, install the needed packages and then add the needed configuration.

Give it a try. :slight_smile: If it doesn’t work, please let me know.