HowTo: Setup Nextcloud Talk with TURN server

Jep reasonable thoughts.

However, nowadays I actually think differently about the idea of having TURN natively integrated into the Nextcloud Talk app, for the following reasons:

  • Indeed having the ability to make video calls across the www through local NAT is a feature that many require, but not all. Generally a modular system, that allows one to only load/install the required features, is preferable in terms of system resources and compatibility with different application scenarios. There are also conceivable situations where the company is larger and has different international locations, which are for privacy reasons connected via VPN tunnels. There, too, direct P2P video calls are possible without a TURN server.
  • Explicitly privacy is a topic when it comes to TURN server usage. In a native P2P call, the Nextcloud server machine does not even know about details of the video call. It just handles authentication, but afterwards all data streams are just between the two clients via their WebRTC client (browser, Nextcloud Talk mobile App, or other WebRTC client). If you have a TURN server in between, all data streams go through it, can be logged and theoretically decrypted/read in detail. Of course usually you (should) trust the TURN server owner/machine to respect whatever privacy agreement you accepted, but if one wants to be sure, direct P2P is always preferable, as well in terms of performance/resource usage.
  • Currently coturn is indeed THE standard TURN server on the open source market. At least I couldn't find any other for Linux. But integrating it into the Talk app would weaken possible alternative/new solutions from the start, and is a decision that can hardly be reverted afterwards, e.g. if a better/modern new TURN implementation arises with promising advantages. So it limits flexibility after all.
  • On small networks with a low amount of call attendees, having Nextcloud and the TURN server on the same machine works well, but if you need a more reliable setup that as well allows a high amount of users in group video chat, the TURN machine will be quite stressed, perhaps taking important resources from the Nextcloud server/webserver and/or database. As well, having both behind the NAT leads to additional resource usage and signal lag. In those cases it is in general recommended to run the TURN server on a dedicated machine, directly attached to the www and not behind the NAT. So in the worst case you have two NATs (each client side) instead of four (client1 out > TURN server in > TURN server out > client2 in).

However this has nothing to do with 3rd party distros/solutions to have an integrated installer that does install and setup of Nextcloud + Talk app + TURN server all together.

  • The official Nextcloud VM does this.
  • This is what we do in DietPi: https://github.com/Fourdee/DietPi
  • It can be implemented into Yunohost as well for sure, which seems to have a very similar aim as DietPi (enable simple integrated one-step installers via GUI).
  • Just note that the installs/configs enable a certain use case, based on the aim of the OS/solution and surely do not fit in all use cases.

Just a final history note about the Talk app:

  • At start, it was separated into a dedicated WebRTC server and a Nextcloud app: Spreed.ME
  • You needed to install the dedicated WebRTC server and then configure the app to use it to provide video calls and chat within the Nextcloud interface.
  • Nowadays both functionalities are merged into the Talk app, which is already a great enhancement in terms of end user comfort. This also makes (more) sense, since the app is never able to do anything without a WebRTC server in the back. But the TURN server indeed is just an additional functionality, only required in some (although perhaps many) scenarios.

For more details on how to install and configure coturn with Nextcloud as an automated script, I just link the current code we use in DietPi, for reference. In the Nextcloud VM this looks similar, but both depend more or less on the base system, which might be different on Yunohost:

2 Likes

Thanks for describing the procedure. I have successfully followed it on an OpenSUSE host, using the turnserver package by Bruno Friedmann found in OpenSUSE Buildservice

1 Like

Hi,

I have seen that the plain is also listening.
Is this worrying in terms of security that e.g. a video call is unencrypted to the turn server?

Issue: https://github.com/coturn/coturn/issues/33

I will answer to the GitHub issue.

I found this link: https://www.netways.de/blog/2017/08/16/setting-up-a-turn-server-for-nextcloud-video-calls/ very useful. With that I managed to get a stable Talk experience.

1 Like

Jep this pretty much matches this HowTo. Only thing is I removed lt-cred-mech. See the changelog it OT.

does anyone have a working docker setup (docker run … or docker-compose file) for TURN server and nextcloud?

4 Likes

Hi everyone, I created a new topic for my configuration problem Talk - call and video-call does not work remains black screen

I searched for a solution in the forum but I didn't find what I need, I ask you for help for any further configuration on my TURN server.

Great, many thanks for this great tutorial! Works like a charm! :slight_smile:

1 Like

Dear all,

I've installed the Talk application onto my nextCloud instance and bumped onto some issues, so came here with some troubleshooting questions…

First, a bit of context:

  • Private server from hosting provider, running Debian Stretch, installed nextCloud as a Virtualmin subserver,
  • Two locations: HQ in Paris, R&D in South of France, different ISP

Results are not too bad:

  • Made test between two laptops in R&D (laptop 1: W10, laptop 2: Debian, Firefox on both) = audio + video SUCCESS
  • Made test between two laptops in HQ + R&D (laptop 1: W10, laptop 2: W8, Firefox on both) = audio SUCCESS / video FAIL (black square)

Obviously I read all the threads you guys pointed at in this thread! :wink:

Now for the questions:

  • Do I need to install coturn 1) to allow internal communication or 2) to allow external people to call in?
  • Do I need to install coturn in its own subserver?
  • Could I use the talk.sh script (as reported by enoch85) to install coturn?
  • Would the script break the Virtualmin config?

It's not clear to me as I tested the default config with the Trickle ICE page and got positive results with turn:stun.mydomain.com:3478?transport=tcp. Is finally the TURN server (probably coturn) already installed on my machine? So why wouldn't colleagues in HQ get any video stream?

Thanks in advance for any help!

That is it, and also to allow internal people call external ones. AFAIK the direction, which should be only signaling layer, does not play a role.

Nope, you can install it on the same machine where Nextcloud is installed on. A separate server makes sense only if you want to more strictly separate for permissions/security reasons or to divide load for performance reasons.
Another reason to have a separate coTURN server would be in large setups (large number of frequent users) where it is beneficial to have coTURN directly connected to the www and not behind a NAT, while for other reasons you might want to have Nextcloud behind the NAT.

This is the script used on Nextcloud VM, right? I would not use it, but only as an idea what steps are done. However it includes some special steps/paths that are valid for the Nextcloud VM setup only. Follow this HowTo instead, which is valid for all kind of systems.

Which script? The VM one? As said, go through the HowTo steps manually. However coTURN (or any provided steps) does not touch the remaining server setup/config. It is a standalone program that has no special needs about the underlying system.

Not sure what/how Trickle ICE tests exactly, but I would check on the server itself if coTURN is installed and the related process running. Then run the TURN test on Nextcloud admin panel, as this is what finally needs to work. However the address you posted looks good, although I suggest you use UDP instead of TCP in most cases.

If you assured coTURN is up and the TURN server test on Nextcloud admin panel succeeds (so it is configured correctly as well), I would do some tests of your own from outside the local server network. E.g. try a video call from home to HQ (if the coTURN server is located there) and check the logs from coTURN if it actually receives and handles the requests, so that the local network part is assured to be set up correctly. There are cases where network firewalls only allow TLS requests to pass, so then you would need to enable TLS within the coTURN settings.

2 Likes

Hi @Michalng,

Reading your answer back from vacation and wanted to thank you for such detailed content!

I'll then try to install coturn on the server, following the HowTo steps and check from the nextCloud admin… Actually, the admin settings page displays the :stop_sign: icon when checking the (default) turn.mydomain.com server, which probably indicates there's no TURN server at all.

Thanks again, back when done!

It just means that Nextcloud cannot access the entered coTURN, which can have different reasons. Check server state on the system, e.g. on Debian/Ubuntu systemctl status coturn, and if it is up, assure that entered domain and port are correct + the port is open/forwarded through NAT.

Hi Michalng,

The command returns "Unit coturn.service could not be found.", so I think there's no server at all… Any other check to confirm this?

Thanks for your help!

Seems the HowTo is perfectly detailed: I installed the whole stuff following all steps and… TADA! It works from the same site (text + audio + video) with different browsers on different OS!

Looking forward to running same test between both sites tomorrow!

Thanks to all for your help! I'll keep you posted and hopefully switch the subject to [SOLVED] soon! :wink:

1 Like

was something I needed to change to get coturn recognizing the certificates correctly.

1 Like

Thanks for providing this info. However note the following:

  • Nextcloud Talk does not support the STURN protocol, hence it does not make use of the configured certificate/encrypted TURN connections.
  • STURN does not provide any practical security benefit since WebRTC itself is encrypted and includes authentication mechanisms already. Also since Nextcloud manages the TURN connections it should be guaranteed that it is your own TURN server used and not a different one. So the only chance where STURN protects against is when the server itself is compromised (signalling level), but then a faked TURN server is likely your smallest problem.
  • The usual method to grant web applications access to private key and certificate is to not grant them direct access to the /etc/letsencrypt/ directory but instead copy key + cert to a different location where only the particular web application (coTURN) has access to, for security reasons. This can be done automatically via renewal hooks, on modern packages there are related directories inside /etc/letsencrypt/ where one can put scripts that contain the copy and chmod/chown tasks.
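The copy-via-renewal-hook approach from the last bullet, as an added example that is not code from the thread or from the coturn project. It assumes hypothetical values: the TURN hostname turn.example.com, coturn running as the system user "turnserver", copies kept in /etc/coturn/certs, and the script installed under /etc/letsencrypt/renewal-hooks/deploy/, where certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks.

```shell
#!/bin/sh
# Added example (not from the thread or coturn): certbot deploy hook that
# copies the Let's Encrypt key + cert into a directory only coturn's user can
# read, then restarts coturn. All names below are assumed placeholders.
TURN_DOMAIN=${TURN_DOMAIN:-turn.example.com}          # hypothetical hostname
TURN_USER=${TURN_USER:-turnserver}                    # hypothetical coturn user
TURN_CERT_DIR=${TURN_CERT_DIR:-/etc/coturn/certs}     # hypothetical target dir
TURN_RELOAD_CMD=${TURN_RELOAD_CMD:-"systemctl restart coturn"}

# copy_turn_cert LINEAGE_DIR DEST_DIR OWNER
# Copies fullchain.pem / privkey.pem from LINEAGE_DIR into DEST_DIR as
# cert.pem / pkey.pem: directory 0750, key 0600, cert 0644, all owned by OWNER.
# Files are staged under temporary names and renamed into place, so coturn
# never reads a half-written file. Returns 1 if the source files are missing.
copy_turn_cert() {
    src=$1; dest=$2; owner=$3
    [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 1
    mkdir -p "$dest"
    chmod 0750 "$dest"
    cp "$src/fullchain.pem" "$dest/.cert.pem.tmp"
    cp "$src/privkey.pem" "$dest/.pkey.pem.tmp"
    chmod 0644 "$dest/.cert.pem.tmp"
    chmod 0600 "$dest/.pkey.pem.tmp"
    chown "$owner" "$dest" "$dest/.cert.pem.tmp" "$dest/.pkey.pem.tmp"
    mv "$dest/.cert.pem.tmp" "$dest/cert.pem"
    mv "$dest/.pkey.pem.tmp" "$dest/pkey.pem"
}

# turn_cert_ok DEST_DIR -> 0 if cert.pem exists and pkey.pem has mode exactly 0600
turn_cert_ok() {
    [ -f "$1/cert.pem" ] && [ -n "$(find "$1" -name pkey.pem -perm 600 -print)" ]
}

# Hook entry point: only act when certbot just renewed the TURN domain's lineage.
case " ${RENEWED_DOMAINS:-} " in
    *" $TURN_DOMAIN "*)
        copy_turn_cert "${RENEWED_LINEAGE:?}" "$TURN_CERT_DIR" "$TURN_USER" && $TURN_RELOAD_CMD
        ;;
esac
```

In turnserver.conf the copies are then referenced with coturn's `cert=` and `pkey=` keys pointing at the assumed /etc/coturn/certs paths, so coturn never needs read access to /etc/letsencrypt/ itself.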

To ensure your turnserver really is accessible, set its external IP in /etc/turnserver.conf like so:

external-ip=123.45.67.890 # <= replace with your server public IP

Our Talk worked 90% of the time and 10% not, we just got a turning icon for about 10% of the calls. @nickvergessen pointed us in the right direction: our Turn server was configured according to the advice here above, but we needed to add the IP of the turnserver to /etc/turnserver.conf for it to really start working. 90% of the cases were apparently served by Stun and the 10% were those where Turn failed, maybe?

Now it works.

2 Likes
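A pre-flight check covering the two things the posts above tell people to verify before the TURN test in the Nextcloud admin panel: that the service is up and listening (the `systemctl status coturn` advice earlier in the thread) and that `external-ip` in /etc/turnserver.conf is set to a syntactically valid, non-private IPv4 address. This is an added example, not from the thread or from coturn; it assumes coturn's `key=value` config syntax with `#` comments and, for the Nextcloud Talk shared-secret setup, the `realm` and `static-auth-secret` keys. Note that the placeholder 123.45.67.890 from the post above fails the check, since 890 is not a valid octet, which is exactly the kind of copy-paste slip it is meant to catch.

```shell
#!/bin/sh
# Added example (not from the thread or coturn): sanity-check a coturn config
# and the running service before trying the TURN test in Nextcloud.

# conf_get FILE KEY -> prints KEY's value (last occurrence wins, inline '#'
# comments stripped); prints nothing if KEY is absent or commented out.
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# valid_ipv4 ADDR -> 0 if ADDR is four dotted decimal octets in 0..255
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# private_ipv4 ADDR -> 0 if ADDR is RFC 1918, loopback or link-local space,
# i.e. an address clients outside the NAT can never reach as a relay
private_ipv4() {
    case $1 in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

# check_turn_conf FILE -> prints findings; exit status is the number of
# problems, so 0 means the config passed.
check_turn_conf() {
    problems=0
    port=$(conf_get "$1" listening-port)
    [ -n "$port" ] || echo "note: listening-port not set (coturn defaults to 3478)"
    ext=$(conf_get "$1" external-ip)
    ext=${ext%%/*}   # coturn also accepts "public/private"; keep the public part
    if [ -z "$ext" ]; then
        echo "external-ip not set (needed when the server is behind NAT)"
        problems=$((problems + 1))
    elif ! valid_ipv4 "$ext"; then
        echo "external-ip '$ext' is not a valid IPv4 address"
        problems=$((problems + 1))
    elif private_ipv4 "$ext"; then
        echo "external-ip '$ext' is a private address; remote clients cannot reach it"
        problems=$((problems + 1))
    fi
    for key in realm static-auth-secret; do
        [ -n "$(conf_get "$1" "$key")" ] || {
            echo "$key not set (needed for Nextcloud Talk's shared-secret auth)"
            problems=$((problems + 1))
        }
    done
    return $problems
}

# turn_runtime_check PORT -> 0 if the coturn unit is active and something
# listens on UDP PORT (needs systemd and ss; not exercised offline)
turn_runtime_check() {
    systemctl is-active --quiet coturn || { echo "coturn service is not active"; return 1; }
    ss -lun | grep -q ":$1 " || { echo "nothing listening on UDP port $1"; return 1; }
    echo "coturn active and listening on UDP $1"
}

# Usage: sh turn-preflight.sh /etc/turnserver.conf
if [ $# -gt 0 ]; then
    check_turn_conf "$1" && turn_runtime_check "$(conf_get "$1" listening-port)"
fi
```

The config part runs anywhere; the runtime part needs to be run on the coturn host itself, which is also where the thread suggests looking before blaming the Nextcloud side.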

Is your TURN server directly accessible from www or behind a NAT?

If it still doesn't work, you might need to configure the setting external-ip in /etc/turnserver.conf to your external IP (i.e. outside your NAT) and restart the coturn service.

EDIT: I checked the config file as well: coturn/examples/etc/turnserver.conf at master · coturn/coturn · GitHub
Indeed external-ip needs to be set in some cases, where the server is behind a NAT. I added this info to the HowTo.

1 Like

Our server is directly exposed to the internet. When configuring, I copy pasted the turnserver.conf template in "Section 3. Configure turnserver.conf for usage with Nextcloud Talk" and changed the listening port. I did indeed not add listening-ip and relay-ip as it seems optional based upon the Howto. Will add these, too.
Thanks for the advice.