Nextcloud Talk app Could not establish a connection A TURN server?

The TURN server and Nextcloud are completely independent applications, using different protocols, so there is no need to proxy TURN/WebRTC traffic through Nginx only because you do so for Nextcloud. I'm not sure whether/how it is even possible, and if it were, it would imply an overhead that one would aim to avoid.

Simply forward port 3478 (yes, this is required then) and leave Nginx out of the game. The HowTo should actually contain all required steps, which you should be able to follow regardless of whether you set up the TURN server on your own physical machine, a VM or a VPS. By the way, it has in the meantime been adopted/added to the official Nextcloud Talk docs, where it is maintained and extended by Nextcloud developers: https://nextcloud-talk.readthedocs.io/en/latest/TURN/
It has especially grown further, which may make people scared :grinning_face_with_smiling_eyes:. When I find time I'll go through it to see where we can hide advanced/optional details behind expandable <details> tags or so, to have only the mandatory info and steps shown OOTB :thinking:.

Thanks for the response, this is helping me a lot.
Forgetting Nginx for a moment and taking it out of the picture, what physical configuration is recommended?

  • Can coturn run on the same server as the Nextcloud server, or is this not recommended?
    - Does the TURN server really have to be a separate domain, as some articles indicate?

One last Nginx question:
- Does the Nginx server proxy really provide any added security to Nextcloud? I only have this proxy because I was told it's a more secure way of doing things.

This post will help quite a few people, as I'm reading a lot on this subject on the web.

Thanks thanks thanks

As said above, run it on the same server and observe whether the machine is able to handle the additional system load. If it is too high during video calls, e.g. breaking down performance of the Nextcloud web interface, or browsing Nextcloud breaks fluent video calls, then obviously it's better to run Coturn on a dedicated machine.

Not sure where you got this from. Forget about any other guide you read, there is a lot of wrong/misleading information floating around, use the linked HowTo or the official Talk docs only.

A proxy is not meant to provide security, but to load balance or make available multiple web servers/applications behind a single forwarded port. If you run Nextcloud on e.g. an Apache2 webserver already, and no other web application is using the Nginx proxy, then it is useless indeed :wink:.


Thanks that helps a lot.

I once thought I might want to host other web pages that share ports 80/443, using proxy_pass to a separate VM, like a web server or a webstore of some type.

However, I'm enjoying Nextcloud, so I may simplify this and just get a VPS for those things later.

Thanks

Note that the webserver you use for Nextcloud can also be the proxy, i.e. Apache2 can easily be configured to listen on additional ports and/or proxy a sub path to another application/port. Generally, running two webservers is an unnecessary overhead as long as you do not have specific needs for the proxy and the backend webserver which cannot be satisfied with one webserver alone.

PROGRESS made, thanks.
TALK voice/video working well over WAN. Thanks.

I think I complicated things with information overload.

The Nginx proxy is still in place, but I plan to remove it.
TALK is working with the coturn VM, but I plan to remove Nginx and leave the coturn VM.

Pico even complains about it not being HTTPS and references the behind-proxy subject too. The proxy seems to make things more complicated.

THIS IS A DARN EXCITING DEVELOPMENT I must say.

THANKS

Thanks again, this worked with the coturn VM and Nginx still in place. I just didn't understand that it could/should work behind Nginx.

FYI: realm = nextcloud.mydomain.com, the same as my Nextcloud. I don't know if that is what it should be, but it's working that way for now.

Thanks again

For video calls (WebRTC), the webserver config/proxy is indeed irrelevant.

Indeed it does :wink:. Of course it would be possible to have the backend webserver use HTTPS as well, but Nginx as proxy will always terminate the client => Nginx encryption and redo the Nginx => backend encryption, so it implies quite some overhead. So yes, unless required for a specific reason, skip Nginx and expose the backend webserver (with HTTPS) to the WAN directly.


The proxy is bypassed for Coturn and WebRTC traffic, as you forward port 3478 directly. So traffic goes like this:

  • Browser Nextcloud access => Nginx => backend webserver => Nextcloud
  • Browser Coturn/WebRTC access => Coturn => other video call client browser (Nginx not used at all)
    • The browser gets Coturn access details and authentication token from Nextcloud when you start a video call, but then establishes a completely independent WebRTC connection using a different protocol which is not even understood by Nginx/webservers.

Some more settings are needed, else TURN does not start up when the system reboots.
To start as a daemon:
sudo sed -i '/TURNSERVER_ENABLED/c\TURNSERVER_ENABLED=1' /etc/default/coturn
And in the config the listening-ip is needed for auto boot:

listening-port=3478
# TLS port: only if TLS connections are used; needed because some deny http
tls-listening-port=5349
listening-ip=<the local IP address of your machine>
cert=/var/www/clients/c…crt
pkey=/var/www/clients/c…key

Generate a cli-password hash and set this in the conf:
turnadmin -P -p <password to encrypt>

Then test with your static-auth-secret with the next command:
turnutils_uclient -p 3478 -W <your secret> -v -y <your FQDN>

Some instructions say that you have to define an IP range (very large!).
I did:
min-port=49160
max-port=49260

And in your router you have to set port forwards for:
TCP 3478, 5349, 49160-49260
UDP 3478, 5349, 49160-49260
And the same in the firewall on your machine.

Do not set the local IPv6 in the config. It does not work with IPv6.