No working ICE candidates returned by the TURN server

Turn server not working using Secret Auth
I have tested our turnserver on ICE tester using username password and it worked.
But using the test inside the Talk settings, it says: No working ICE candidates returned by the TURN server.
And on the backend I can see a user <> 401 : Unauthorized .
Please help.
CentOS 8
NextCloud 21

Looks like you did not add the TURN secret to the Nextcloud admin panel of the app

I did add the TURN static-auth-secret.

Got the same issue with 2 NC 21 servers, and found this : TURN "Test this server" always results in "Error: No working ICE candidates returned by the TURN server" · Issue #5563 · nextcloud/spreed · GitHub

You need to turn off the Cloudflare reverse proxy.

My hosting does not have a Cloudflare reverse proxy.

Please check if it is this issue: TURN "Test this server" always results in "Error: No working ICE candidates returned by the TURN server" · Issue #5563 · nextcloud/spreed · GitHub

Yes it is.
But there is solution yet

Does not look like it. As a workaround, you could use a different browser until the issue is resolved. The GitHub issue explicitly mentions that it only occurs with Safari. If you have problems with other browsers as well, you might have a different problem not related to this issue…

I actually could reproduce it with Firefox, too.

Hmm, for me it is working fine in Firefox and I did not change anything in my TURN server config for ages. But I have to mention that my TURN server is running on a different server than Nextcloud, outside of my local network. But besides that, I don’t think that I did something special with it…

That’s my config. Maybe it is of any help…

# Listener IP address of relay server. Multiple listeners can be specified.
external-ip=IPv4 Address of my Server
external-ip=IPv6 Address of my Server

# TURN listener port for UDP and TCP (Default: 3478).
listening-port=3478

# TURN listener port for TLS (Default: 5349).
tls-listening-port=443

# The default realm to be used for the users when no explicit origin/realm relationship was found in the database. Must be used with long-term
# credentials mechanism or with TURN REST API.
realm=turn.mydomain.tld

# Certificate file.
cert=/etc/coturn/certs/turn.mydomain.tld.fullchain.pem

# Private key file.
pkey=/etc/coturn/certs/turn.mydomain.tld.privkey.pem

# Do not allow an TLS/DTLS version of protocol
no-tlsv1
no-tlsv1_1

# Allowed OpenSSL cipher list for TLS/DTLS connections.
cipher-list="ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-A$

# Use custom DH TLS key, stored in PEM format in the file.
dh-file=/etc/coturn/certs/dhparam4096.pem

# Uncomment to use long-term credential mechanism.
lt-cred-mech

# This allows TURN credentials to be accounted for a specific user id.
use-auth-secret

# 'Static' authentication secret value (a string) for TURN REST API only.
static-auth-secret=supersecretstring

# Flag that can be used to disallow peers on the loopback addresses (127.x.x.x and ::1).
no-loopback-peers

# Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
no-multicast-peers

# Uncomment to use fingerprints in the TURN messages.
fingerprint

# Total allocation quota.
total-quota=50

# Set this option to limit the nonce lifetime.
# It defaults to 600 secs (10 min) if no value is provided. After that delay,

Hey bb77

May I ask, did you follow a specific guide for setup?

I've referenced the following 2 articles with little success.

I apologise in advance for asking, but do you have any solid reference material that I could review?

would be greatly appreciated.

thank you.
G

https://morph027.gitlab.io/blog/nextcloud-spreed-signaling/

Hi @velocity08

I followed this guide (it’s in German) Eigener TURN Server für Jitsi Meet bereitstellen – Aus der IT – Praxis…

I have set it up primarily for Jitsi Meet. However, it also works with Nextcloud Talk without any problems

Please note the following…

  • This is not a full HPE installation, it includes only the TURN server component of the full HPE.

  • My coturn installation runs on a separate VPS with a public IP address. If you want to run it on the same server as Nextcloud, there is a guide on how to do that in the “HowTo” section of this forum.

  • I’m not an expert on Nextcloud Talk and don’t use it very often, also I do not use it with large groups. I use mainly my Jitsi instance for that purpose…

Thanks bb77

appreciate the info and links :slight_smile:

I'll check them out shortly.

Don’t laugh, but about 10 min after I posted asking you for assistance I managed to figure out the issue :slight_smile:

turned out to be a missing security key in the turn server config file.

silly mistake and now it’s all connecting without errors.

just need to test it out now with some users.

thanks again.

have a great evening.

Cheers
G
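
Added example, not part of any post in this thread and not code from Nextcloud or coturn: the shared-secret scheme behind the `use-auth-secret` / `static-auth-secret` options in the config above, assuming the usual TURN REST API form where the username is an expiry Unix time (optionally followed by `:label`) and the password is base64(HMAC-SHA1(secret, username)). The function names, the label and the mistyped secret are made up for illustration; the check shows why a secret that is missing or different on one side ends in a rejected login.

```python
import base64
import hashlib
import hmac
import time


def _mac(secret, username):
    # base64(HMAC-SHA1(secret, username)): the password the server recomputes.
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_turn_credentials(secret, ttl=86400, label="", now=None):
    """Derive a time-limited username/password pair from the shared secret."""
    expiry = int(time.time() if now is None else now) + ttl
    username = f"{expiry}:{label}" if label else str(expiry)
    return username, _mac(secret, username)


def check_turn_credentials(server_secret, username, password, now=None):
    """Return 'ok', 'expired', 'bad-username' or 'secret-mismatch'."""
    now = int(time.time() if now is None else now)
    try:
        # Assumption: the timestamp is the first ':'-separated field.
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return "bad-username"
    expected = _mac(server_secret, username)
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return "secret-mismatch"  # the server would refuse this login
    if expiry < now:
        return "expired"
    return "ok"


if __name__ == "__main__":
    # Constructed values: placeholder secret from the config, fixed clock.
    server_secret = "supersecretstring"
    clock = 1_700_000_000
    good = make_turn_credentials(server_secret, label="talk-test", now=clock)
    typo = make_turn_credentials("supersecretstrin", label="talk-test", now=clock)
    print(good[0], check_turn_credentials(server_secret, *good, now=clock))
    print(typo[0], check_turn_credentials(server_secret, *typo, now=clock))
```
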


Hello,
since NC 23.0 there is not a single frame that is sent through the network when I test my turnserver from the NC Talk administration section.

I used tshark on both servers; not a single packet is exchanged between the servers.

Do you encounter the same problem?