Nextcloud Talk app Could not establish a connection A TURN server?

After some more reading it seems that I need to do something with nginx, since I’m not behind a firewall or NAT.

I’m not sure how to configure this, but it looks like this might be related to using the same port for different things at the same time.
https://www.nginx.com/blog/running-non-ssl-protocols-over-ssl-port-nginx-1-15-2/

A TURN server relays WebRTC traffic (Talk video / audio) between the peers. So imagine: if you are at home in a private network (e.g. 192.168.0.1) and your friend is at his / her house in another private LAN, it would be impossible to route the traffic between these 2 peers directly.

See also: WebRTC Signaling Servers – STUN vs TURN – WebRTC.ventures

So in order to relay the traffic your TURN server has to be accessible from the internet. It does not matter if it is located at home (firewall port open and port forwarding of port 3478 to the private IP of your server) or in the cloud. I decided to install mine in the cloud due to better bandwidth (I just have a 300/30 Mbps line at home) and latency …

I think I understand.
Thanks.
So these services need TURN servers too: Skype, Zoom, Discord etc.? Because it’s connecting peers, I think I get that. Not like hosting a website exactly, but a direct connection of peers.

Anyhow, now I’m wondering which method:
- So I could put the TURN server on some VPS with a different public IP than the Nextcloud public IP?
- OR put TURN on my nginx box, the same public IP as Nextcloud
- OR put TURN directly on the Nextcloud box, but then it would not share the same public IP, because technically the public IP goes to the nginx server first.

If I put coturn on a separate VM and port forward port 3478, that would be the only port. There would be no port sharing of 80/443 at that point, so I’m wondering how this will work if nginx is consuming the traffic on ports 80/443.

Doesn’t Talk still require those ports somehow? If not, then I guess port forwards to another VM would be good enough.

Thanks

One more question thanks.

What VPS specs would you suggest for strictly a Turn / coturn server ?

1cpu / 2GB enough ? Or does it need much more ?

thanks

Based on this article
https://fatiherikci.com/en/how-to-install-turn-coturn/

It looks like port 443 cannot already have another web application running on it, at least according to this.

Nextcloud uses port 443 already, and nginx is receiving the 443 traffic and doing proxy_pass to Nextcloud.

I’m not sure coturn is going to work like it should when running it on the same network that is already running applications on 443 etc. At least I don’t know how.

I would like more advice if you know about this part.
Thanks

It would seem that I would need to somehow share 80/443, or install on a VPS; I don’t see how to work around this.

Also, a VPS would have its own domain that I could perhaps point a subdomain at in my domain records somehow.

I would prefer to host it myself, but I don’t know how to work around port 443 unless I can understand how to set this up in nginx somehow.

Looks like someone has it working with nginx here. But my nginx.conf needs something like listed here.

https://github.com/coturn/coturn/issues/702

I’ll have to play with it some if I plan to make it work with self hosting.

So with my current setup it still seems the easiest thing to do is to install a separate coturn VPS with its own domain.

Did you have a separate subdomain or domain for your turn server ?

Please advise thanks

In the meantime TLS is supported, but since WebRTC is encrypted already, it doesn’t give you any security benefit; it is only required when your firewall allows HTTPS only on the signalling level.

If you run into hardware limits (CPU usage, bandwidth etc) with the Nextcloud server system, then indeed it makes sense to run the TURN server on a dedicated machine. Basically all WebRTC traffic is passed through the TURN server. So monitor resource usage before doing the decision.

Thanks.
I’m struggling with ease of use via VPS vs. self hosting.

I would attempt self hosting with a VM, but I just can’t seem to grasp the details.

nginx is in control of port 80/443 on single IP which does proxy_pass to nextcloud.

I installed a VM TURN server, but I am unsure about how to configure nginx to work like this. From what I read, I need to use the stream module of nginx, but my lack of knowledge is not giving me a clear enough picture.

So for now it’s either try a VPS or keep reading.
Looks like everything I need to know is here:
https://github.com/coturn/coturn/issues/702

For starters do I need to port forward port 3478 to the coturn server if behind a router etc. ?

I may not have enough background to understand it or how to configure this.

Thanks

The TURN server and Nextcloud are completely independent applications, using different protocols, so there is no need to proxy TURN/WebRTC traffic through Nginx only because you do so for Nextcloud. I’m not sure whether/how it is even possible, and if it was, it would imply an overhead that one would aim to avoid.

Simply forward port 3478 (yes this is required then) and leave Nginx out of the game. The HowTo should actually contain all required steps which you should be able to follow regardless whether you setup the TURN server on an own physical machine, VM or VPS. It has been btw adopted/added to the official Nextcloud Talk docs in the meantime, where it is maintained and extended by Nextcloud developers: https://nextcloud-talk.readthedocs.io/en/latest/TURN/
It has especially grown further, which may make people scared :grinning_face_with_smiling_eyes:. When I find time I’ll go through it to see where we can hide advanced/optional details behind expandable <details> tags or so, to have only the mandatory info and steps shown OOTB :thinking:.

Thanks for the response this is helping me a lot.
Forgetting nginx for a moment and taking it out of the picture: what physical configuration is recommended?

  • Can coturn run on the same server as the Nextcloud server, or is this not recommended?
    - Does the TURN server really have to be a separate domain, as some articles indicate?

One last nginx question:
- Does the nginx proxy really provide any added security to Nextcloud? I only have this proxy because I was told it’s a more secure way of doing things.

This post will help quite a few people as Iā€™m reading a lot of this subject on the web.

Thanks thanks thanks

As said above, run it on the same server and observe whether the machine is able to handle the additional system load. If it is too high during video calls, e.g. breaking down performance of the Nextcloud web interface, or browsing Nextcloud breaks fluent video calls, then obviously it’s better to run Coturn on a dedicated machine.

Not sure where you got this from. Forget about any other guide you read, there is a lot of wrong/misleading information floating around, use the linked HowTo or the official Talk docs only.

A proxy is not meant to provide security, but to load balance or make available multiple web servers/applications behind a single forwarded port. If you run Nextcloud on e.g. an Apache2 webserver already, and no other web application is using the Nginx proxy, then it is useless indeed :wink:.

Thanks that helps a lot.

I once thought I might want to use other web pages that might share ports 80/443 using proxy_pass to a separate VM like web server or webstore of some type.

However, I’m enjoying Nextcloud, so I may simplify this and just get a VPS for those things later.

Thanks

Note that also the webserver you use for Nextcloud can be the proxy, i.e. Apache2 can be easily configured to listen to additional ports and/or proxy a sub path to another application/port. Generally running two webservers is an unnecessary overhead as long as you do not have specific needs for the proxy and the backend webserver which cannot be satisfied with one webserver alone.

PROGRESS made thanks.
TALK voice/video Working Good over WAN. Thanks.

I think I complicated things with information overload.

Nginx proxy is still in place, but I plan to remove it.
TALK is working with coturn VM but I plan to remove nginx and leave coturn VM

Pico even complains about it not being https and references behind proxy subject too. The proxy seems to make things more complicated.

THIS IS A DARN EXCITING DEVELOPMENT I must say.

THANKS

Thanks again, this worked with the coturn VM and nginx still in place. I just didn’t understand that it could/should work behind nginx.

FYI realm = nextcloud.mydomain.com, the same as my Nextcloud. I don’t know if that is what it should be, but it’s working that way for now.

Thanks again

For video calls (WebRTC), the webserver config/proxy is indeed irrelevant.

Indeed it does :wink:. Of course it would be possible to have the backend webserver using HTTPS as well, but Nginx as proxy will always terminate the client => Nginx encryption and redo Nginx => backend encryption, so it implies quite some overhead. So yes, unless required for a specific reason, skip Nginx and expose the backend webserver (with HTTPS) to WAN directly.

The proxy is bypassed for Coturn and WebRTC traffic as you forward port 3478 directly. So traffic goes as this:

  • Browser Nextcloud access => Nginx => backend webserver => Nextcloud
  • Browser Coturn/WebRTC access => Coturn => other video call client browser (Nginx not used at all)
    • The browser gets Coturn access details and authentication token from Nextcloud when you start a video call, but then establishes a completely independent WebRTC connection using a different protocol which is not even understood by Nginx/webservers.

Some more settings are needed, else TURN does not start up when the system reboots.
To start as a daemon:
sudo sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
and in the config the listening-ip is needed for auto boot:

listening-port=3478
tls-listening-port=5349 (if TLS connection is used; needed because some deny http)
listening-ip=< the local ip address of your machine >
cert=/var/www/clients/c….crt
pkey=/var/www/clients/c….key

Generate a cli-password and set this in the conf
turnadmin -P -p < password to encrypt >

Then test with your static-auth-secret with next command:
turnutils_uclient -p 3478 -W < your secret > -v -y < your FQDN >

Some instructions say that you have to define an IP port range (very large!)
I did:
min-port=49160
max-port=49260

And in your Router you have to set forwarders for:
TCP 3478,5349,49160-49260
UDP 3478,5349,49160-49260
And the same in the firewall on your machine.

Do not set the local IPv6 in the config. It does not work with IPv6.
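The static-auth-secret tested with turnutils_uclient above is used by coturn's use-auth-secret mode, i.e. the time-limited TURN REST API credential scheme: the client presents a username of the form expiry:user and a password that is the base64 HMAC-SHA1 of that username keyed with the shared secret, and coturn re-derives the password before granting a relay. The following is an added example, not code from this thread, from coturn or from Nextcloud; the secret value is constructed, and it shows both the client-side derivation and the server-side check including expiry.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample value; in a real deployment this is the static-auth-secret
# from turnserver.conf, which is also entered in the Nextcloud Talk TURN settings.
SAMPLE_SECRET = "constructed-example-secret-not-for-real-use"


def make_turn_credential(secret, user, ttl=86400, now=None):
    """Build a time-limited credential in the TURN REST API format coturn expects
    with use-auth-secret: username "<expiry>:<user>", password
    base64(HMAC-SHA1(secret, username)). 'now' is a unix timestamp (default: current)."""
    now = int(time.time()) if now is None else int(now)
    username = f"{now + ttl}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credential(secret, username, password, now=None):
    """Server-side check: reject malformed, expired or tampered credentials by
    re-deriving the password from the username and the shared secret."""
    now = int(time.time()) if now is None else int(now)
    expiry_text, _, _user = username.partition(":")
    if not expiry_text.isdigit() or int(expiry_text) <= now:
        return False
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    # constant-time comparison so the check does not leak the expected value
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    user, pw = make_turn_credential(SAMPLE_SECRET, "talkuser", ttl=3600)
    print("username:", user)
    print("password:", pw)
    print("valid now:", verify_turn_credential(SAMPLE_SECRET, user, pw))
```

If a credential derived this way is rejected by your coturn, the secret in turnserver.conf and the one entered in Talk differ, or the two clocks are far enough apart that the expiry is already in the past.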