TURN security and setup question


#1

I’m trying to understand how to correctly and securely set up Talk with TURN. Let’s say I have two organizations, example1.com and example2.com, both running Nextcloud at public IP addresses, with Talk installed. Let’s also assume that each organization runs its own TURN server with a shared secret that’s specific to their respective organization. And members of those organizations, who use their browsers behind two different corporate firewalls, want to chat with each other. Just what needs to happen here to establish a call?

Specifically:

  • Does anybody in example2.com need to know the location, shared secret etc. of example1.com’s TURN server?
  • It’s called a “shared secret” – just who is that secret being shared with, and who not?
  • How is it decided which of the two TURN servers is being used?

Thanks,

Johannes.


#2

AFAIK:

  • Shared secret just means that it is an authentication secret that you can share with anybody. So everybody who knows the secret can use the TURN server without user/pass authentication or any other supported method.
  • Two users that want to video chat need to authenticate against/use the same TURN server. All traffic is then going through this one TURN server.
  • But in the case of Nextcloud Talk, users just authenticate against Nextcloud, while Nextcloud itself then uses the admin-configured TURN server + secret to initiate the call connection. So none of the users will see the TURN secret.
  • So if users from different Nextcloud instances do a video chat, it’s I guess up to the call initiator (respectively its Nextcloud instance) which TURN server is used.
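The point in the post above, that the secret stays on the Nextcloud server and users only receive derived, short-lived TURN credentials, is easiest to see in code. The following is an added example, not code from the thread or from Nextcloud Talk or coturn; it implements the TURN REST API time-limited credential scheme that coturn's `use-auth-secret` / `static-auth-secret` mode expects (username `"<expiry-timestamp>:<user>"`, credential `base64(HMAC-SHA1(secret, username))`). The secret value, user ids, timestamps and TURN URL are constructed for the example; the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import time

# Constructed example secret: the value the admin enters once in the Talk settings and in
# the TURN server's configuration. It is an assumption for this example, not a real secret.
EXAMPLE_SHARED_SECRET = "example-only-shared-secret"
EXAMPLE_TURN_URL = "turn:turn.example1.com:3478?transport=udp"  # constructed


def _sign(shared_secret, username):
    """HMAC-SHA1 over the username, base64-encoded: the TURN REST API credential."""
    digest = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_turn_credentials(shared_secret, user_id, ttl_seconds=86400, now=None):
    """Server-side step: derive (username, credential) for one user, valid for ttl_seconds.

    Only the Nextcloud server knows shared_secret; the browser receives the pair returned
    here and can use the relay until the embedded expiry timestamp passes.
    """
    if now is None:
        now = int(time.time())
    expiry = now + ttl_seconds
    username = "%d:%s" % (expiry, user_id)
    return username, _sign(shared_secret, username)


def verify_turn_credentials(shared_secret, username, credential, now=None):
    """TURN-server-side check: recompute the HMAC from the secret and reject expired or
    forged credentials. Comparison is constant-time so the check leaks nothing by timing."""
    if now is None:
        now = int(time.time())
    expiry_str, sep, _user = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False
    if int(expiry_str) < now:
        return False  # credential has expired; the client must fetch a fresh one
    return hmac.compare_digest(_sign(shared_secret, username), credential)


def ice_servers_for_user(shared_secret, turn_url, user_id, ttl_seconds=86400, now=None):
    """What a Talk-like server would hand to the browser as RTCPeerConnection ICE config.

    Note what is absent: the shared secret itself never leaves the server.
    """
    username, credential = make_turn_credentials(shared_secret, user_id, ttl_seconds, now)
    return {"urls": [turn_url], "username": username, "credential": credential}


if __name__ == "__main__":
    cfg = ice_servers_for_user(EXAMPLE_SHARED_SECRET, EXAMPLE_TURN_URL, "alice", 3600)
    print(cfg)
    ok = verify_turn_credentials(EXAMPLE_SHARED_SECRET, cfg["username"], cfg["credential"])
    print("relay accepts credential:", ok)
```

Because the credential is a keyed hash, anyone who knows the shared secret can mint valid credentials for any expiry, which is why the secret belongs only in the Nextcloud and TURN server configuration. A short TTL limits how long a leaked browser-side credential remains useful.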

#3

I think I had a misunderstanding that Talk would federate if set up correctly. But it might not (right?). In which case, all users on a video session will use the same Nextcloud instance, which then uses the same TURN server with the same shared secret that is known because it is set once in the Nextcloud/Talk configuration. Is that right?


#4

Honestly I am not sure if/how federation with Nextcloud Talk works. But if it does, only the authentication of the participating users against Nextcloud is of course against their own instance. The authentication against the TURN server is made by one of the Nextcloud instances against its configured one, most probably the instance of the user who initiated the call and invited the other user(s). Relay over two TURN servers is not possible, AFAIK, and would be unnecessary traffic + delay, that would need fix/rework otherwise.


#5

Never tried with two Nextcloud installations.

You can invite your own users into a call or create a public link (like sharing documents).
So a user at example1 would send a link to a user at example2, and they would do their call only on server example1. Or?
(No access to the TURN server needed from example2.)