TALK with STUN/TURN: PORT etc. questions, for my understanding

NC 13.0.5
NC Talk 2.3.5
on OpenSuse Leap 15.0

All on a VPS, with a single static IPv4 and a static IPv6 subnet.

I have some general and additional questions about this very nice howto: HowTo: Setup Nextcloud Talk with TURN server

STUN set to stun.nextcloud.com:443
No TURN, no signaling server.

Until today I’ve used Nextcloud Talk only for pure “inter-family” calls, audio and video; it worked fine, always. Both via browser and also via the Nextcloud Talk app.

Today I wanted to make a Skype call with someone behind a company’s firewall, which failed several times, for whatever Skype-internal reasons. So I thought this was the perfect situation to try Nextcloud Talk’s “public conversation” feature in real life. Self-explanatory: easy to create a conversation, set a password. Sent the other party the URL (via Skype, at least that still worked :slight_smile:). Saw him at once as “guest”. We could chat inside NC Talk, he could try to call me, signaled both in the browser and on my smartphone via the Talk app.

What didn’t work was any sound or video transmission; the call was stuck at “calling …”. We both saw a black initiation screen in Talk, and both saw ourselves from our own webcams, not the other participant, and no sound.

From what I’ve understood/read, this might be because of the necessity of a TURN server in this specific situation.

So I installed COTURN on my VPS, and now have some questions before activating it. All new to me, and I don’t want any security holes on my server :wink:

  • “WHO” is really using/accessing the TURN server?
    a) Nextcloud (Talk) server-side, being able to connect on http(s)://localhost: as both NC on Apache and the TURN server will run on the same machine? Side effect: no TLS etc. necessary.
    b) or the final NC Talk clients, browser or app(s)? So the desired TURN port must be open in the firewall?

To my understanding, it’s quite usual for company networks to restrict any outgoing port request other than 80/443, plus the same essentially needed ones. That’s why all screen-sharing etc. programs known to me, like “TeamViewer” or so, pass all communication via ports 80/443, in contrast to e.g. VNC, which needs its own port.
Because of this I would be surprised if NC Talk users would need additional open ports, but as said, it is unclear to me.

Regards,
Michael

The TURN server indeed needs to be accessible by the (WebRTC) clients, thus you need to open/forward the configured port and the end users need to be able to access it.
Usually a video call via Nextcloud Talk tries to establish a peer-to-peer connection between the clients. The app/web UI just handles authentication and initiation. The same is the case if direct peer-to-peer fails and the connection is passed through the TURN server as fallback.

Blocking of all ports (outgoing) besides e.g. default 80+443+21/22 and such on public, university or workplace networks is indeed an issue and might be the reason as well for Skype failing. In those cases you might need to accept that everything besides web browsing is not wanted. It could be tested which ports are open there (there should be some more, to allow correct system operation and maintenance) and then configure coturn to listen on those as well.