A TURN server relays WebRTC traffic (Talk video / audio) between the peers - so imagine: if you are at home in a private network (e.g. 192.168.0.1) and your friend is at his / her house in another private LAN. In this situation, it would be impossible to route the traffic between these 2 peers.
So in order to relay the traffic your TURN server has to be accessible from the internet - it does not matter if it is located at home (fw port open and port forwarding of port 3478 to the private IP of your server) or in the cloud. I decided to install mine in the cloud due to better bandwidth (I just have a 300/30 Mbps line at home) and latency …
I think I understand.
Thanks.
So these services need TURN servers too: Skype, Zoom, Discord etc.? Because it's connecting peers I think I get that. Not like hosting a website exactly but direct connect of peers.
Anyhow now I'm wondering what method.
-So I could put the TURN server on some VPS with a different public IP than the nextcloud public IP?
-OR put TURN on my nginx box with the same public IP as nextcloud
-OR put TURN directly on the nextcloud box, but then it would not share the same public IP because technically the public IP goes to the nginx server first.
If I put coturn on a separate VM and port forward port 3478 that would be the only port. There would be no port sharing of 80/443 at that point so I'm wondering how this will work if nginx is consuming ports 80/443 traffic.
Doesn't Talk still require those ports somehow? If not then I guess port forwards to another VM would be good enough.
It looks like port 443 cannot already have another web application running, at least according to this.
nextcloud uses port 443 already, and nginx is receiving the 443 traffic and proxy_pass to nextcloud.
I'm not sure coturn is going to work like it should when running it on the same network that is already running 443 applications etc. At least I don't know how.
I would like more advice if you know about this part.
Thanks
In the meantime TLS is supported, but since WebRTC is encrypted already, it doesn't give you any security benefit but is only required when your firewall allows HTTPS only on signalling level.
If you run into hardware limits (CPU usage, bandwidth etc) with the Nextcloud server system, then indeed it makes sense to run the TURN server on a dedicated machine. Basically all WebRTC traffic is passed through the TURN server. So monitor resource usage before making the decision.
Thanks.
I'm struggling with ease of use via VPS vs self hosting.
I would attempt self hosting with a VM but I just can't seem to grasp the details.
nginx is in control of ports 80/443 on a single IP which does proxy_pass to nextcloud.
I installed a VM TURN server but I am unsure about how to configure nginx to work like this. From what I read, I need to use the stream module of nginx but my lack of knowledge is not giving me a clear enough picture.
The TURN server and Nextcloud are completely independent applications, using different protocols, so there is no need to proxy TURN/WebRTC traffic through Nginx only because you do so for Nextcloud. I'm not sure whether/how it is even possible, and if it was, it would imply an overhead that one would aim to avoid.
Simply forward port 3478 (yes this is required then) and leave Nginx out of the game. The HowTo should actually contain all required steps which you should be able to follow regardless of whether you set up the TURN server on your own physical machine, VM or VPS. It has btw been adopted/added to the official Nextcloud Talk docs in the meantime, where it is maintained and extended by Nextcloud developers: https://nextcloud-talk.readthedocs.io/en/latest/TURN/ It has especially grown further, which may make people scared; when I find time I'll go through it to see where we can hide advanced/optional details behind expandable <details> tags or so to have only the mandatory info and steps shown OOTB.
Thanks for the response this is helping me a lot.
Forgetting nginx for a moment and taking it out of the picture. What physical configuration is recommended?
Can coturn run on the same server as the nextcloud server or is this not recommended?
-Does the TURN server really have to be a separate domain as some articles indicate?
One last nginx question:
-Does the nginx server proxy really provide any added security to nextcloud? I only have this proxy because I was told it's a more secure way of doing things.
This post will help quite a few people as I'm reading a lot on this subject on the web.
As said above, run it on the same server and observe whether the machine is able to handle the additional system load. If it is too high during video calls, e.g. breaking down performance of the Nextcloud web interface, or browsing Nextcloud breaks fluent video calls, then obviously it's better to run Coturn on a dedicated machine.
Not sure where you got this from. Forget about any other guide you read, there is a lot of wrong/misleading information floating around, use the linked HowTo or the official Talk docs only.
A proxy is not meant to provide security, but to load balance or make available multiple web servers/applications behind a single forwarded port. If you run Nextcloud on e.g. an Apache2 webserver already, and no other web application is using the Nginx proxy, then it is useless indeed.
I once thought I might want to use other web pages that might share ports 80/443 using proxy_pass to a separate VM like web server or webstore of some type.
However, I'm enjoying nextcloud so I may simplify this and just get a VPS for those things later.
Note that also the webserver you use for Nextcloud can be the proxy, i.e. Apache2 can be easily configured to listen to additional ports and/or proxy a sub path to another application/port. Generally running two webservers is an unnecessary overhead as long as you do not have specific needs for the proxy and the backend webserver which cannot be satisfied with one webserver alone.
For video calls (WebRTC), the webserver config/proxy is indeed irrelevant.
Indeed it does. Of course it would be possible to have the backend webserver using HTTPS as well, but Nginx as proxy will always terminate the client => Nginx encryption and redo Nginx => backend encryption, so it implies quite some overhead. So yes, unless required for a specific reason, skip Nginx and expose the backend webserver (with HTTPS) to WAN directly.
Browser Coturn/WebRTC access => Coturn => other video call client browser (Nginx not used at all)
The browser gets Coturn access details and authentication token from Nextcloud when you start a video call, but then establishes a completely independent WebRTC connection using a different protocol which is not even understood by Nginx/webservers.
Some more settings are needed. Else TURN does not start up when the system reboots:
To start as a daemon:
sudo sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
and in the config the listening-ip is needed for auto boot
listening-port=3478
tls-listening-port=5349 (if TLS connection is used; needed because some deny http)
listening-ip=< the local ip address of your machine >
cert=/var/www/clients/c…crt
pkey=/var/www/clients/c…key
Generate a cli-password and set this in the conf
turnadmin -P -p < password to encrypt >
Then test with your static-auth-secret with next command:
turnutils_uclient -p 3478 -W < your secret > -v -y < your FQDN >
Some instructions say that you have to define an IP range (very large!)
I did:
min-port=49160
max-port=49260
And in your router you have to set forwarders for:
TCP 3478,5349,49160-49260
UDP 3478,5349,49160-49260
And the same in the firewall on your machine.
Do not set the local IPv6 in the config. It does not work with IPv6.
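As an added example (not from this thread or the coturn/Nextcloud projects), this shows what the static-auth-secret tested above with turnutils_uclient is actually used for: with coturn's use-auth-secret mode, the "access details and authentication token" Nextcloud hands the browser are time-limited TURN REST API credentials, i.e. a username of the form <expiry-timestamp>:<user> and a password of base64(HMAC-SHA1(secret, username)). The secret and user id below are constructed sample values; a real deployment uses the static-auth-secret from turnserver.conf.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample secret; on a real server this is the static-auth-secret
# value from turnserver.conf, shared only between coturn and Nextcloud.
SAMPLE_SECRET = "constructed-sample-secret-change-me"


def make_turn_credential(secret, user_id="", ttl=86400, now=None):
    """Derive a time-limited credential the way the TURN REST API scheme
    (coturn's use-auth-secret) expects it.

    username = "<unix expiry>[:<user id>]"
    password = base64(HMAC-SHA1(secret, username))
    """
    issued = int(time.time() if now is None else now)
    expiry = issued + int(ttl)
    username = f"{expiry}:{user_id}" if user_id else str(expiry)
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credential(secret, username, password, now=None):
    """Check a credential the way the TURN server does: the HMAC must match
    the shared secret and the expiry embedded in the username must not have
    passed. Returns True on success, False on any failure."""
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False  # malformed username, no timestamp prefix
    current = int(time.time() if now is None else now)
    if current > expiry:
        return False  # credential has expired
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    # constant-time comparison so a wrong password does not leak timing
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    user, pwd = make_turn_credential(SAMPLE_SECRET, "alice", ttl=3600)
    print("username:", user)
    print("password:", pwd)
    print("valid now:", verify_turn_credential(SAMPLE_SECRET, user, pwd))
```

Because the password is derived from the shared secret alone, anyone holding the secret can mint credentials for the relay, which is why it must stay out of world-readable config files and why short TTLs limit the damage of a leaked token.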