Talk only working with select Browsers and devices

I can’t get talk to work on all of our devices.
I found that works fine on Chrome (Mac) and on Firefox (Win).
With all other browsers and devices that I have tested I only get a black video screen and no audio.
Non working systems are:
edge (Win), Safari and Firefox (Mac) and the Android nextcloud talk app.
Has anybody been successful in getting these to work?

a) Do you use HTTPS?
b) Do you have TURN configured?

Hi Mario,
Thanks for asking. The Android talk app works now! Yay!
(Edit: No, it did not. Please read my follow up messages)

I was about to provide my VirtualServer and turnserver configurations for troubleshooting. While anonymising our server name I found that I had misspelled it in turnserver.conf (like: realm=mycerver.com - Ouch!)
After correcting the typo it now works like a breeze.
I only wonder why some browsers still worked with the faulty configuration while others on the same machine did not.

Tomorrow I am going to test the entire bunch of browser/device combinations used in our company and then come back with the results.

Andreas

I was celebrating too early. Back in the office I found that both devices that I had tested with at home were in the same WLAN, thus skipping the TURN server.
It still does not work over the internet.

So here are my configuration details. I hope somebody can help.

First to answer the questions:
a) I use HTTPS (but not TLS).
b) a turnserver is running on the same machine side by side with nextcloud.

Checking the configuration I made a strange observation:
opening mysite.com:3478 with the browser produces:

TURN Server
use https connection for the admin session

But only if the computer is connected via LAN.
When using a WLAN connection through the same router, the connection is refused by the server.
This might explain why the android app did not connect while some browsers on LAN machines did.

I hope this can be fixed by correcting my server configuration:

/etc/apache2/sites-available/default.conf

(...)
<VirtualHost *:80>
  ServerName cloud.mysite.com
  Redirect permanent / https://cloud.mysite.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName cloud.mysite.com
  DocumentRoot /var/www/nextcloud
  SSLEngine on
  SSLCertificateFile    /etc/letsencrypt/live/mysite.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem

  Alias /nextcloud "/var/www/nextcloud/"

  <Directory /var/www/nextcloud/>
    Options +FollowSymlinks
    AllowOverride All

    <IfModule mod_dav.c>
      Dav off
    </IfModule>

    SetEnv HOME /var/www/nextcloud
    SetEnv HTTP_HOME /var/www/nextcloud
  </Directory>
</VirtualHost>

/etc/turnserver.conf

listening-port=3478
#tls-listening-port=5349

listening-ip=xxx.xxx.xxx.xxx
relay-ip=xxx.xxx.xxx.xxx
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=mysecret
realm=mysite.com
stale-nonce
total-quota=100
bps-capacity=0
cert=/etc/letsencrypt/live/mysite.com/fullchain.pem
pkey=/etc/letsencrypt/live/mysite.com/privkey.pem
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!AD$
no-loopback-peers
no-multicast-peers

Turn server settings in Nextcloud > Settings > Administration > Talk

mysite.com:3478 / mysecret / UDP and TCP

Update:
After changing the WLAN configuration of the router I was finally able to also connect over WLAN.
I am pretty confident that the guest WLAN is isolated from the LAN by the router. At least I was not able to ping across the networks using the local IPs.

Question: Is there a way to (ab)use the http/https standard ports for the turn server?
This would hopefully allow us to use Talk also behind a more restrictive firewall.
Our team members travel a lot and most often we have no control over the local network configurations.
Note that the talkserver is now running side by side with an apache server that is listening to ports 80/443.
I would rather not rent a second server only for turn.

So the questions are:

  • Is there a feasible option to have the talk server behind apache?
  • Would that at all make sense considering the additional load on the apache server?
  • What about TLS encrypted connections?

Thanks!
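The "connection refused from WLAN but not from LAN" symptom above is easiest to pin down with a plain STUN Binding Request to the TURN port, which works without credentials and tells you whether port 3478/UDP is reachable from the network you are sitting in. The following probe is an added example, not code from the thread or from Nextcloud/coturn; the hostname mysite.com is the placeholder used in the thread.

```python
import os
import socket
import struct

STUN_MAGIC = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid=None):
    """Return a 20-byte STUN Binding Request (RFC 5389) and its transaction id."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC) + txid, txid


def parse_binding_response(data, txid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None if the datagram is
    not a Binding Success response matching our transaction id."""
    if len(data) < 20:
        return None
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if mtype != BINDING_SUCCESS or cookie != STUN_MAGIC or data[8:20] != txid:
        return None
    pos = 20
    while pos + 4 <= min(len(data), 20 + length):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (STUN_MAGIC >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ STUN_MAGIC
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + (alen + 3) // 4 * 4  # attribute values are padded to 4 bytes
    return None


def probe(host, port=3478, timeout=3.0):
    """Send one Binding Request over UDP; return the mapped (ip, port) or None."""
    request, txid = build_binding_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            data, _ = sock.recvfrom(2048)
        except (socket.timeout, OSError):
            return None
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    import sys
    result = probe(sys.argv[1] if len(sys.argv) > 1 else "mysite.com")
    print("reachable, mapped address %s:%d" % result if result else "no STUN reply")
```

Run it once from the LAN, once from the WLAN and once from a mobile connection; a reply whose mapped address is your public IP from outside confirms the port is open, while silence from one network only points at that network's firewall or client isolation rather than at turnserver.conf.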

The answers are:

  • I will assume you mean the TURN server here. Sure. Get a subdomain, create a virtual host for it and proxypass everything to the TURN. In Talk config, use this subdomain from now on. Keep in mind while this trick indeed helps due to nature of WebRTC that uses bunch of random ports in p2p connections, this might not work in some of the stranger networks out there.
  • I wouldn’t worry for now :slight_smile:
  • what about them?

Thanks Mario!

Can you point me to a working example? I have already put all services on our server behind apache using subdomains. So in principle I know how to do it.
With the turnserver on the other hand I would need some more details of the implementation.

listening-ip and relay-ip in turnserver.conf: should these be set to addresses out of the local range?
regarding TLS: I assume the encryption is handled by the apache server and not the turnserver itself?
Thanks!

No, but I can assist a bit even though this would usually be part of the enterprise offering.

Listening IP and Relay IP should probably be set to 127.0.0.1 :slight_smile:

As for TLS and TURN, best possible answer is here: https://stackoverflow.com/questions/23085335/is-webrtc-traffic-over-turn-end-to-end-encrypted

Thanks again for the answer. This is very helpful as always.

should these be set to addresses out of the local range?

Oops, blooper. That was a piece of Denglish. I actually meant the opposite: … within the local range.
(you already covered that in your answer.)