UPDATE 2018-03-27
Hi all,
all calls (both audio and video) only work between devices inside the local LAN.
Calls outside our local network remain in black screen with no audio even if apparently there is an exchange of data between the devices.
The audio icon flashes if we try to talk and on device 1 (iPhone) call is not waiting for a caller but the connection is established successfully.

Below you can find the configuration .
Do I have to do other configurations?
If yes, what I have to modify?

Server CentOS 7 - DMZ - box.mydomain.net

-nextcloud-15.0.5
-app Talk

Configure Nextcloud Talk:
STUN servers: box.mydomain.net:3478
TURN server: box.mydomain.net:3478
TURN secret: de187fd1cefc7cd6dade0eee65dfc3c242affe6027574597344be43c467a54ef
UDP and TCP

Download and install a TURN server

wget http://coturn.net/turnserver/v4.5.0.7/turnserver-4.5.0.7-CentOS7.4-x86_64.tar.gz
tar xvfz turnserver-4.5.0.7-CentOS7.4-x86_64.tar.gz
cd turnserver-4.5.0.7/
chmod +x install.sh
./install.sh

Prepare some information to configure coturn:

openssl rand -hex 32 # generate an static-auth-secret; example: de187fd1cefc7cd6dade0eee65dfc3c242affe6027574597344be43c467a54ef

#edit configuration file /etc/turnserver/turnserver.conf

listening-port=3478
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=de187fd1cefc7cd6dade0eee65dfc3c242affe6027574597344be43c467a54ef
realm=box.mydomain.net
total-quota=100
bps-capacity=0
stale-nonce=600
no-loopback-peers
no-multicast-peers
pidfile="/var/run/turnserver/turnserver.pid"

systemctl disable firewalld # (if all is ok I fix the firewalld)
systemctl restart turnserver

are the server-ports nated, eq available from outside?

i assume the problem is network related

Hi,
can you please be more specific?
our servers are not nated, they’re configured with a public IP address in our DMZ on the same subnet.
Thanks.

may be you find the answer here:

i understood that the purpose of the turn server is to avoid exactly this black screen. and therefore the turn server is mend to be place in the internet. so if you put the turn server also behind a nat device you have to understand the config for this scenario. in my link above it should be de scripted. ok?

just offering my free support btw, so dont be mad at me willing to help you.

i assume you’re not a native english speaker - so am I.

If german is a language you’d prefer, so will I.

Sorry but I’m still not understanding how to configure our TURN server.
It is already configured with a public IP, are you suggesting to move it inside our local network and configure a NAT?

Reading your guide, i can clearly confirm that our case is a TURN server running not behind a NAT , but with direct www connection and static public IP

However @victorbw, i’m really appreciating your support, please don’t misunderstand my words as mad

no. never.

i just wanted to say that there is already a long thead with a lot config examples. so maybe your problem is also covered there. or you find an expert among the experts posting config there. and i didn’t see “DMZ” so i assumed you run your turn server in your intranet. my mistake.

btw: we are on the same site. i’m desperately seeking a solution for turn in docker. (what is a kind of “behind-nat-problem”.)

in my playbook - as far as i remember - i was able to get talk running on debian/ubuntu (without docker) i’m not sure if i ever tested it with centos.
anyhow my playbook wouldn’t help you because nc and turn would be on the same maschine. but maybe you could setup a test maschine with a working config and bring it to your turn server.

try this howto, it seems like the most detailed version of an instruction ive found so far:

unfortunately I’ve lost my script for setting up a stun/turn server

@mirkot did you look at the the lt-cred-mech parameter? they talk about “not necessary in some version”…

@Reiner_Nippes I didn’t set lt-cred-mech parameter.

I have set only :

listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=de187fd1cefc7cd6dade0eee65dfc3c242affe6027574597344be43c467a54ef
[realm=coturn.mydomain.net](http://realm=coturn.mydomain.net)
total-quota=100
bps-capacity=0
stale-nonce=600
no-loopback-peers
no-multicast-peers
pidfile="/var/run/turnserver/turnserver.pid"

Are you sure that the turn server is not firewalled? Or the nextcloud server? You turn off firewalld locally. But you dont say anything about the router/firewall that most probably sits in front of the dmz, how is that configured? Have you turned on debug on the turn server or listened on the traffic with tcpdump?

Also try open the port on DMZ firewall for TCP and UDP.
What are your test devices? Testing with mobile Android phones on 3g/4g network with Talk App makes it easier than testing with desktops who may have their own firewalls and settings or sitting behind something.

firewalld is disabled, the VMs are on DMZ.

1 iphone on 4G and 1 android on 4G.
All test in all direction:

iphone - android both of them on wifi LAN (working).
iphone - android both of them on 4G.
iphone - android one on wifi LAN and one 4G.
notebook - iphone one on LAN and one 4G.
notebook - iphone one on LAN and one wifi LAN (working).
notebook - android one on LAN and one 4G.
notebook - android one on LAN and one wifi LAN (working).

Please assure first that the coturn is running without error messages.

As I can see above you use v4.5.0.7 (I guess since there is a special CentOS7 tarball available?), so in this case indeed you need to add lt-cred-mech which is required for all versions below 4.5.0.8 but throws a warning for all versions above.

You might have found the guide without this setting as I removed it due to the error message and meanwhile re-added it after realizing that it is required for older versions. coTURN was quite a bid changing around their settings behaviour.

When starting coturn carefully watch the log for any other config quirks.

I changed everything, I installed nextcloud and turnserver on the same server.
The VM is still on DMZ, connecting directly on the internet.
Now I’m trying to configure the turn server file on localhost.
Do you have any tips?

despite what is frequently said, I had to use lt-cred-mech in coturn configuration to make it work.
Then I started to notice user id logged in turn log file and talk started to work.
Unfortunately, I decided not to propose nextcloud talk because it’s not reliable on firefox !

lt-cred-mech added on config file but the problem are still present

can you show us the content of your turn log file ?