Nextcloud Spreed/Talk: deny IP ranges of VPN connections

I have following connection problem:

When using Nextcloud Spreed/Talk with two computers, that are also available via an internal VPN network, the voice/video traffic gets routed through the VPN connection, which causes heavy traffic on the VPN server’s connection and an impractical routing/delay. We use coturn as TURN server with a secret and STUN server on port 3478 as the Nextcloud server is behind a reverse proxy!

We have already tried to deny the VPN’s IP address range within coturn’s /etc/turnserver.conf:
coturn says, that it denies these IPs when connecting.

But I am not sure, if this problem can be solved entirely via coturn. I have the impression, that it should also be declared to Talk/Spreed/Nextcloud, that the internal IPs are not to be used. Can someone tell me config-variables or other measures (port blockings?) to counter this problem?

HostA=, VPN=
HostB=, VPN=
HostVPN=, VPN=

HostA calls HostB via Nextcloud/Talk/Spreed. The talk does not connect from to, but it connects from to which works, but the traffic gets routed via and causes unnecessary traffic and delay, as the HostVPN is located in a different country. So I need to tell Talk/Spreed/Nextcloud, that 192.168.99.* should not be used.

Thank you + greetings

Hi Mathias,

from the information you gave I can give you just this answer: Because of your TCP/IP configuration it’s the cheapest route to push network packets beween HostA and HostB.

Are your hosts really on public ip adresses? Can the hosts comunicate directly or do they use NAT? Where is your Nextcloud / coTURN instance located? afaik if TURN is used, every traffic is routed thru the TURN server.

I suggest to make a sketch of your ip infrastructure first (including gateways, static routes etc), so an analysis of this problem is much easier.


I made a network scetch to clairfy the situation I wanted to describe:

1 Like