[SOLVED] Nextcloud Talk on AIO: does it need an external STUN/TURN server?

The Basics

  • Nextcloud Server version (e.g., 29.x.x):
    • 32.0.6 running on NextCloud AIO
  • Operating system and version (e.g., Ubuntu 24.04):
    • Debian stable
  • Reverse proxy and version (e.g. nginx 1.27.2)
    • Nginx 1.22.1-9
  • Is this the first time you’ve seen this error? (Yes / No):
    • Yes
  • Installation method (e.g. AIO, NCP, Bare Metal/Archive, etc.)
    • AIO
  • Are you using Cloudflare, mod_security, or similar? (Yes / No)
    • No

Summary of the issue you are facing:

I have created a discussion on Talk with the objective to host a call. The server uses AIO and it’s hosted on the internet (no NAT).

I tried with both

  • Firefox on Linux desktop, on a LAN with NAT: I see the conversation but can’t join the call
  • Firefox on mobile desktop, on both Wifi LAN with NAT and roaming data (no NAT): I can join the call in both situations

I have read the AIO readme again and nowhere does it talk about the need to host a dedicated STUN or TURN server, but older docs do (like this one: HowTo: Setup Nextcloud Talk with TURN server).

I want to know what exactly I need to do to be able to self-host all my video and audio calls on my Nextcloud Talk server, in all situations (roaming, LAN with NAT, etc).

Do I need a dedicated TURN/STUN server, and is there any up-to-date documentation?

Thanks

Hi, Talk and Stun servers are included in the AIO setup.

So it should work directly

I specified a specific port with TALK_PORT=3490 and opened it both TCP and UDP on my firewall.

What did I miss?

Did you enable the talk container in the aio-interface?

yes

Can you follow How to debug problems with Collabora and/or Talk · nextcloud/all-in-one · Discussion #1358 · GitHub?

Because I changed things in Talk Admin Settings, what are the default options I should have?

for STUN server: there was one on my domain and I changed it for google

for TURN: nothing there

Ah right. If you delete the custom settings and restart the containers it should refill the values correctly.

Done.

Do I need to open 3508 port in the firewall?

I ran the curl command in the docker talk container and got a lengthy response with TLS stuff.

Do you need it?

or do I need to install a TURN server?

No, you don’t. The TURN server is included in AIO.

Yes, as mentioned in the readme

Maybe a simpler quick test is the one in the web UI settings: there is this lightning button at the right side of the TURN server input fields. Does it show a green tick/success when clicking it?

The TLS warnings from curl are probably since you do not send the request with the domain name your TLS cert is valid for. But TURN does not use the TLS cert anyway, so that does not matter. If you can access the Nextcloud web UI, and there are no browser warnings, all fine with that.

I don’t see it there GitHub - nextcloud/all-in-one: 📦 The official Nextcloud installation method. Provides easy deployment and maintenance with most features included in this one Nextcloud instance. · GitHub

Those are already opened: 443 for HTTPS of course, and 3490 TCP and UDP because I set TALK_PORT=3490

No mention of 3508

When I click on it, I got a warning which indicates that no TURN server is available. But I think it’s normal:

  • I had not opened 3508, it is now
  • there is no 3508 opened on my server checked with
    • ss -tupln|grep 3508
    • docker ps

Hm, can you change the port manually to the configured 3409?

It seems that, to reset the Nextcloud-side settings, the STUN and TURN server entries need to be removed entirely (trash bin icon at the right side):

The eturnal (TURN server) config is however always updated with the TALK_PORT variable:

So yeah, when fiddling with the settings, remember that TALK_PORT must be used, for both STUN and TURN, and that this port needs to be open/forwarded.

Since you used TALK_PORT=3490, only that port needs to be open, and applied for both STUN and TURN in the Nextcloud settings. Why ever 3508 was there, it is wrong.

Then test again with the lightning button, and if that shows success now, joining a video call with your desktop browser.

Yes!

Both are now on 3490 and port is opened on the firewall both TCP and UDP.
And visual check for TURN indicates connectivity.

It seems to have solved my problem: I could make a video call between 3 devices on 3 different networks.

Thanks a lot for your help and reactivity 🙂

Do you think it’s a bug that the TURN config did not have the right port? And do you want me to open an issue on GitHub?

No, I don’t think it is a bug and you were able to fix it. So should be fine.