Unable to get video and audio using TURN server

listening ip i usually put the local ip of the server . if it has many interfaces just choose one.
Relay ip is local ip too. External ip should be a static external ip. if you want to use Lets encrypt certificates for coturn server (u dont have to ) you just obtain them with LE for the domain for example turn.mydomain.com and then just make sure the path to those certificates is accessible by the coturn server (being on same machine, mount volume if you use docker , or nullfs mount if you use freebsd jails) . if port 443 is occupied you have to use other port for coturn server like 3478 or 5349 and port forward it to the ip you set up as listen ip . I`ve set it up on azure freebsd jail and it works fine like this .

1 Like

Thank you that was very helpful

Please tell me if you every find a solution!
I am losing my hair man. I did everything on every instruction I find, and I know you did the same, but still nothing.

So please post it here if you find a solution.

Hello there
I used Carsten Rieger’s tutorial here: https://www.c-rieger.de/nextcloud-ready-for-talk/
That worked for me; the only thing I had to change were the directories where my letsencrypt credentials were stored.
Hope this helps!

Sorry to inform you that it did not help … I have tried every possible setting I found out there, but nothing helps. The problem is that the log file tells me there is an authentication problem error 401, and I searched man … really searched but couldn’t find a solution for that either. I guess I will keep using the Israeli virus infected whatsapp for now.

Hey guys,

if you are behind a NAT, try to NOT set listening/relay/external IPs. These are only required when not behind NAT and I also faced issues when setting them.

Also disable TLS in coTURN. Nextcloud Talk does not use it (regardless of chosen port) and it has no security benefit anyway. WebRTC is encrypted out of the box ;).

Read to compare: HowTo: Setup Nextcloud Talk with TURN server
In the changelog at the bottom of the howto you’ll find the links to TLS related discussion.

Hi again!
Sad to tell you that I tried everything. I Have the same configs on that link, except it is directed to my domain and my credentials. I tried running Coturn on the same machine as the cloud and now running on a Pi. None of them worked. Ports are open, firewall is down, and it just wont work…
It marks “OK” when I test coturn from Talk’s settings on Nextcloud… But It doesn’t work. I think I have given up on it …

What exact issue are you facing? Black screen when you do video calls?
Any hints from the log, I think /var/tmp/turn.log by default? EDIT: Ah you checked that already.
And also check your browser(s) console for errors.
And just to sort out the client, you might also test the Android app, so test video call between two phones.

And to sort out coTURN, does it work when you make video calls between two peers within your local network? As there coTURN is not in use.

1 Like

Thanks for taking interest in my case …
All I could see from the log is the message about unauthorized error 401
I checked the browser’s console says “ICE failed, see about:webrtc for more details” and when checking that I do not understand a thing because I am not a pro who can debug reading a log file.
About the clients, I checked every possibility. Nothing works except for the local network… When i switch to 4G network on my cell phone it doesn’t work.

I turned off coTurn and made a call between two peers inside the network… It worked.
I do not know what is wrong… Ports are open, I follow every possible configuration on the internet and nothing works… Every time I search for 401 error I come back here.

Hi all,

I carried on with experimenting to get my turn server running over the past month, and I think I found the issue I had.

Until now, I was always trying from my home network, to my mobile phone on 4G. Always had a black screen. However, every once in a while, I was trying from a desktop to another desktop in my family, and that was usually successful.

A week ago, I tried from my desktop to a phone using another carrier, and bingo, it was working! So from this point on, I had a strong doubt about port 3478 on my mobile carrier side.

The last attempt I made yesterday was setting up a vps (1 core, 2GB ram) at OVH, installed docker and used the intrumentisto image to setup coturn, but now, on port 80. This solved my issues, everything is working perfect now!

I had to use the docker image because for some reasons, systemd could not start properly the turnserver daemon and it was constantly restarting …

So as far as I am concerned, I’ll mark this as solved: the port was simply blocked by the mobile data carrier, using port 80 solved the issue!

1 Like

Dear all,

I’m in about the same situation as Ali.

I’m trying to get a video call from mobile phone to windows box.

But whatever I try, I only see a black screen - and no audio…

I guess I did read about all the links mentioned above and more

My TURN server is on the Internnet - not NATed, but as I have several interfaces I am specifying the ip address to user

I want to use 80 for STUN, so chances are that it is not blocked.

I want to use 443 for TURN, so chances are that it is not blocked.

Below you see a sketch of the setup. The Virtualbox inside the Windowsbox I just mention as for some reason in the log you can see the IP of the Windows (host) side of the VBox HOST ONLY network. Nothing going on there inside… I do not know why the address does appear…

After the sketch you can see the log and after that the coturn config.

As I did read that Nextcloud does not use TLS turn I did also uncomment the TLS-LISTENING-PORT - with the strange result, that a lot less things got logged…

The iptables rules on the coturn are coming after that.

Finally a part from webrtc-internals (from a different session - not the one in the logs)

Could it be that Vodaf*** is doing deep packet inspection and preventing WebRTC???

Any suggestion?

Thanks
Wolf

+-------------------------+
!    WindowsBox           !
!    Chrome Guest Session !
!    CALL                 !
!         +---------------!
!         ! VirtualBox    !
!         ! NO Nextcloud  !
!         ! Session       !
!         ! NO CALL       !
!         +---------------+
! WINDOWS_VBOX_HOSTONLY_IP!
!                         !
!                         !
+---------+---------------+
   WINDOWS_INTERNAL_IP
===========================  Corporate Firewall
   WINDOWS_EXTERNAL_IP
              \\
               \\
                \\               +--------+
                TURN_SERVER_IP   ! Coturn !
                //               +--------+
               //                
              //                 
   MOBILE_EXTERNAL_IP
=========================== Mobile Operator Firewall
   MOBILE_INTERNAL_IP
+-----------------------+
!  MobilePhone          !
!  Chrome Guest Session !
!  CALL                 !
+-----------------------+
----------------------------------------------------------------------------------------
0: log file opened: /var/log/turn_26572_2019-07-19.log
0: 
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Coturn-4.5.0.2 'dan Eider'
0: 
Max number of open files/sockets allowed for this process: 4096
0: 
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 2000 (approximately)
0: 

==== Show him the instruments, Practical Frost: ====

0: TLS supported
0: DTLS supported
0: DTLS 1.2 is not supported
0: TURN/STUN ALPN is not supported
0: Third-party authorization (oAuth) supported
0: GCM (AEAD) supported
0: OpenSSL compile-time version: OpenSSL 1.0.1k 8 Jan 2015
0: 
0: SQLite supported, default database location is /var/lib/turn/turndb
0: Redis supported
0: PostgreSQL supported
0: MySQL supported
0: MongoDB is not supported
0: 
0: Default Net Engine version: 3 (UDP thread per CPU core)

=====================================================

0: Listener address to use: TURN_SERVER_IP
0: Relay address to use: TURN_SERVER_IP
0: 0 bytes per second allowed, combined server capacity

*************************************************************************
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: IO method (admin thread): epoll (with changelist)
0: IPv4. CLI listener opened on : 127.0.0.1:5766
0: IO method (auth thread): epoll (with changelist)
131: IPv4. tcp or tls connected to: WINDOWS_EXTERNAL_IP:54468
131: IPv4. tcp or tls connected to: WINDOWS_EXTERNAL_IP:54469
131: IPv4. tcp or tls connected to: WINDOWS_EXTERNAL_IP:54470
131: session 027000000000000001: realm <MY_REALM> user <>: incoming packet message processed, error 401: Unauthorized
131: IPv4. tcp or tls connected to: WINDOWS_EXTERNAL_IP:54472
131: IPv4. tcp or tls connected to: WINDOWS_EXTERNAL_IP:54471
131: IPv4. tcp or tls connected to: WINDOWS_EXTERNAL_IP:54473
131: session 018000000000000001: realm <MY_REALM> user <>: incoming packet message processed, error 401: Unauthorized
131: session 027000000000000002: realm <MY_REALM> user <>: incoming packet message processed, error 401: Unauthorized
131: IPv4. Local relay addr: TURN_SERVER_IP:65515
131: session 027000000000000001: new, realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>, lifetime=600
131: session 027000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet ALLOCATE processed, success
131: IPv4. Local relay addr: TURN_SERVER_IP:55127
131: session 027000000000000002: new, realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>, lifetime=600
131: IPv4. Local relay addr: TURN_SERVER_IP:58840
131: session 027000000000000002: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet ALLOCATE processed, success
131: session 018000000000000001: new, realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>, lifetime=600
131: session 018000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet ALLOCATE processed, success
133: handle_udp_packet: New UDP endpoint: local addr TURN_SERVER_IP:80, remote addr MOBILE_EXTERNAL_IP:6026
133: handle_udp_packet: New UDP endpoint: local addr TURN_SERVER_IP:443, remote addr MOBILE_EXTERNAL_IP:27301
133: session 029000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
133: session 002000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
133: session 002000000000000001: realm <MY_REALM> user <>: incoming packet message processed, error 401: Unauthorized
133: IPv4. Local relay addr: TURN_SERVER_IP:64683
133: session 002000000000000001: new, realm=<MY_REALM>, username=<1563623249:wueunXpZtCej6DCM>, lifetime=600
133: session 002000000000000001: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet ALLOCATE processed, success
133: IPv4. tcp or tls connected to: MOBILE_EXTERNAL_IP:26247
133: session 008000000000000001: realm <MY_REALM> user <>: incoming packet message processed, error 401: Unauthorized
133: session 002000000000000001: peer WINDOWS_A_VBOX_HOST_ONLY_IP lifetime updated: 300
133: session 002000000000000001: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet CREATE_PERMISSION processed, success
133: session 002000000000000001: peer WINDOWS_INTERNAL_IP lifetime updated: 300
133: session 002000000000000001: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet CREATE_PERMISSION processed, success
133: session 002000000000000001: peer TURN_SERVER_IP lifetime updated: 300
133: session 002000000000000001: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet CREATE_PERMISSION processed, success
133: IPv4. Local relay addr: TURN_SERVER_IP:64591
133: session 008000000000000001: new, realm=<MY_REALM>, username=<1563623249:wueunXpZtCej6DCM>, lifetime=600
133: session 008000000000000001: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet ALLOCATE processed, success
133: session 008000000000000001: peer WINDOWS_A_VBOX_HOST_ONLY_IP lifetime updated: 300
133: session 008000000000000001: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet CREATE_PERMISSION processed, success
133: session 008000000000000001: peer WINDOWS_INTERNAL_IP lifetime updated: 300
133: session 008000000000000001: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet CREATE_PERMISSION processed, success
133: session 008000000000000001: peer TURN_SERVER_IP lifetime updated: 300
133: session 008000000000000001: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet CREATE_PERMISSION processed, success
134: session 020000000000000001: TCP socket closed remotely WINDOWS_EXTERNAL_IP:54470
134: session 020000000000000001: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote WINDOWS_EXTERNAL_IP:54470, reason: TCP connection closed by client (callback)
134: session 018000000000000001: refreshed, realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>, lifetime=0
134: session 018000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet REFRESH processed, success
134: session 018000000000000001: TCP socket closed remotely WINDOWS_EXTERNAL_IP:54471
134: session 018000000000000001: closed (2nd stage), user <1563621270:pxm2+75J6tlsZ/XN> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote WINDOWS_EXTERNAL_IP:54471, reason: TCP connection closed by client (callback)
134: session 018000000000000001: delete: realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>
134: session 020000000000000002: TCP socket closed remotely WINDOWS_EXTERNAL_IP:54472
134: session 020000000000000002: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote WINDOWS_EXTERNAL_IP:54472, reason: TCP connection closed by client (callback)
134: session 027000000000000002: refreshed, realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>, lifetime=0
134: session 027000000000000002: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet REFRESH processed, success
134: session 027000000000000002: TCP socket closed remotely WINDOWS_EXTERNAL_IP:54473
134: session 027000000000000002: closed (2nd stage), user <1563621270:pxm2+75J6tlsZ/XN> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote WINDOWS_EXTERNAL_IP:54473, reason: TCP connection closed by client (callback)
134: session 027000000000000002: delete: realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>
135: session 027000000000000001: peer MOBILE_INTERNAL_IP lifetime updated: 300
135: session 027000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
135: session 027000000000000001: peer MOBILE_EXTERNAL_IP lifetime updated: 300
135: session 027000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
135: session 027000000000000001: peer MOBILE_EXTERNAL_IP lifetime updated: 300
135: session 027000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
135: session 027000000000000001: peer TURN_SERVER_IP lifetime updated: 300
135: session 027000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
135: session 027000000000000001: peer TURN_SERVER_IP lifetime updated: 300
135: session 027000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
135: session 027000000000000001: peer MOBILE_EXTERNAL_IP lifetime updated: 300
135: session 027000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
135: session 027000000000000001: peer MOBILE_EXTERNAL_IP lifetime updated: 600
135: session 027000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CHANNEL_BIND processed, success
135: session 002000000000000001: closed (2nd stage), user <1563623249:wueunXpZtCej6DCM> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote MOBILE_EXTERNAL_IP:27301, reason: general
135: session 002000000000000001: delete: realm=<MY_REALM>, username=<1563623249:wueunXpZtCej6DCM>
135: session 002000000000000001: peer WINDOWS_INTERNAL_IP deleted
135: session 002000000000000001: peer TURN_SERVER_IP deleted
135: session 002000000000000001: peer WINDOWS_A_VBOX_HOST_ONLY_IP deleted
135: session 008000000000000001: closed (2nd stage), user <1563623249:wueunXpZtCej6DCM> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote MOBILE_EXTERNAL_IP:26247, reason: general
135: session 008000000000000001: delete: realm=<MY_REALM>, username=<1563623249:wueunXpZtCej6DCM>
135: session 008000000000000001: peer WINDOWS_INTERNAL_IP deleted
135: session 008000000000000001: peer TURN_SERVER_IP deleted
135: session 008000000000000001: peer WINDOWS_A_VBOX_HOST_ONLY_IP deleted
135: session 027000000000000001: closed (2nd stage), user <1563621270:pxm2+75J6tlsZ/XN> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote WINDOWS_EXTERNAL_IP:54469, reason: general
135: session 027000000000000001: delete: realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>
135: session 027000000000000001: peer MOBILE_INTERNAL_IP deleted
135: session 027000000000000001: peer TURN_SERVER_IP deleted
135: session 027000000000000001: peer MOBILE_EXTERNAL_IP deleted
135: handle_udp_packet: New UDP endpoint: local addr TURN_SERVER_IP:443, remote addr MOBILE_EXTERNAL_IP:27301
140: session 004000000000000001: TCP socket closed remotely WINDOWS_EXTERNAL_IP:54468
140: session 004000000000000001: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote WINDOWS_EXTERNAL_IP:54468, reason: TCP connection closed by client (callback)
140: IPv4. tcp or tls connected to: WINDOWS_EXTERNAL_IP:54476
140: IPv4. tcp or tls connected to: WINDOWS_EXTERNAL_IP:54477
140: session 014000000000000001: realm <MY_REALM> user <>: incoming packet message processed, error 401: Unauthorized
140: IPv4. Local relay addr: TURN_SERVER_IP:49419
140: session 014000000000000001: new, realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>, lifetime=600
140: session 014000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet ALLOCATE processed, success
140: session 014000000000000001: peer MOBILE_INTERNAL_IP lifetime updated: 300
140: session 014000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
140: session 014000000000000001: peer MOBILE_EXTERNAL_IP lifetime updated: 300
140: session 014000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
140: session 014000000000000001: peer MOBILE_EXTERNAL_IP lifetime updated: 300
140: session 014000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
140: session 014000000000000001: peer TURN_SERVER_IP lifetime updated: 300
140: session 014000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
140: session 014000000000000001: peer TURN_SERVER_IP lifetime updated: 300
140: session 014000000000000001: realm <MY_REALM> user <1563621270:pxm2+75J6tlsZ/XN>: incoming packet CREATE_PERMISSION processed, success
142: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet message processed, error 438: Wrong nonce
142: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet message processed, error 438: Stale nonce
142: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet message processed, error 438: Stale nonce
142: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet CREATE_PERMISSION processed, success
142: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet message processed, error 400: Bad Request
142: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet CREATE_PERMISSION processed, success
142: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet message processed, error 400: Bad Request
142: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet CREATE_PERMISSION processed, success
142: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet message processed, error 400: Bad Request
143: session 014000000000000001: closed (2nd stage), user <1563621270:pxm2+75J6tlsZ/XN> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote WINDOWS_EXTERNAL_IP:54477, reason: general
143: session 014000000000000001: delete: realm=<MY_REALM>, username=<1563621270:pxm2+75J6tlsZ/XN>
143: session 014000000000000001: peer MOBILE_INTERNAL_IP deleted
143: session 014000000000000001: peer TURN_SERVER_IP deleted
143: session 014000000000000001: peer MOBILE_EXTERNAL_IP deleted

.... cut here because of message length limit....

171: session 015000000000000002: realm <MY_REALM> user <>: incoming packet BINDING processed, success
171: session 005000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
173: session 024000000000000002: realm <MY_REALM> user <>: incoming packet BINDING processed, success
173: session 024000000000000003: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet BINDING processed, success
173: session 029000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
173: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet BINDING processed, success
176: session 015000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet message processed, error 438: Wrong nonce
176: session 024000000000000003: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet REFRESH processed, error 437: Invalid allocation
176: session 024000000000000003: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet message processed, error 437: Invalid allocation
176: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet REFRESH processed, error 437: Invalid allocation
176: session 002000000000000002: realm <MY_REALM> user <1563623249:wueunXpZtCej6DCM>: incoming packet message processed, error 437: Invalid allocation
177: session 019000000000000001: TCP socket closed remotely WINDOWS_EXTERNAL_IP:54485
177: session 019000000000000001: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote WINDOWS_EXTERNAL_IP:54485, reason: TCP connection closed by client (callback)
193: session 029000000000000001: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:80, remote MOBILE_EXTERNAL_IP:6026, reason: allocation watchdog determined stale session state
195: session 002000000000000002: closed (2nd stage), user <1563623249:wueunXpZtCej6DCM> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote MOBILE_EXTERNAL_IP:27301, reason: allocation watchdog determined stale session state
203: session 024000000000000002: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:80, remote MOBILE_EXTERNAL_IP:25910, reason: allocation watchdog determined stale session state
205: session 024000000000000003: closed (2nd stage), user <1563623249:wueunXpZtCej6DCM> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote MOBILE_EXTERNAL_IP:15939, reason: allocation watchdog determined stale session state
221: session 005000000000000001: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:80, remote MOBILE_EXTERNAL_IP:2449, reason: allocation watchdog determined stale session state
224: session 015000000000000002: closed (2nd stage), user <1563623249:wueunXpZtCej6DCM> realm <MY_REALM> origin <>, local TURN_SERVER_IP:443, remote MOBILE_EXTERNAL_IP:3769, reason: allocation watchdog determined stale session state

==============================================================


# Coturn TURN SERVER configuration file
listening-port=80
tls-listening-port=443
listening-ip=TURN_SERVER_IP
relay-ip=TURN_SERVER_IP
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=SHARED_SECRET_WITH_NEXTCLOUD
realm=MY_REALM
total-quota=0
bps-capacity=0
stale-nonce=600
cert=/etc/letsencrypt/live/TURN_SERVER_DNS/cert.pem
pkey=/etc/letsencrypt/live/TURN_SERVER_DNS/privkey.pem
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
dh-file=/etc/ssl/private/dhparam.pem
log-file=/var/log/turn.log
no-loopback-peers
no-multicast-peers
no-sslv3
no-tlsv1
no-tlsv1_1

===============================================================
LOG WITH DIFFERENT CONFIG

# Coturn TURN SERVER configuration file
listening-port=80
#tls-listening-port=443
listening-ip=TURN_SERVER_IP
relay-ip=TURN_SERVER_IP
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=Solar-Hausnummer19a
realm=MY_REALM
total-quota=0
bps-capacity=0
stale-nonce=600
cert=/etc/letsencrypt/live/turn.MY_REALM/cert.pem
pkey=/etc/letsencrypt/live/turn.MY_REALM/privkey.pem
cipher-list="ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384"
dh-file=/etc/ssl/private/dhparam.pem
log-file=/var/log/turn.log
no-loopback-peers
no-multicast-peers
no-sslv3
no-tlsv1
no-tlsv1_1

=============================================================

68: handle_udp_packet: New UDP endpoint: local addr TURN_SERVER_IP:80, remote addr MOBILE_EXTERNAL_IP:18824
68: handle_udp_packet: New UDP endpoint: local addr TURN_SERVER_IP:80, remote addr MOBILE_EXTERNAL_IP:31996
68: handle_udp_packet: New UDP endpoint: local addr TURN_SERVER_IP:80, remote addr MOBILE_EXTERNAL_IP:23723
68: session 023000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
68: session 026000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
68: session 010000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
78: session 026000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
88: session 026000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
98: session 026000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
108: session 026000000000000001: realm <MY_REALM> user <>: incoming packet BINDING processed, success
128: session 026000000000000001: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:80, remote MOBILE_EXTERNAL_IP:23723, reason: allocation watchdog determined stale session state
128: session 010000000000000001: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:80, remote MOBILE_EXTERNAL_IP:18824, reason: allocation watchdog determined stale session state
128: session 023000000000000001: closed (2nd stage), user <> realm <MY_REALM> origin <>, local TURN_SERVER_IP:80, remote MOBILE_EXTERNAL_IP:31996, reason: allocation watchdog determined stale session state

===============================================================

Chain INPUT (policy DROP 584 packets, 33269 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  274 34531 fail2ban-exim  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587
 3722  400K fail2ban-ssh  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 22
  237 14208            tcp  --  venet+ *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: SET name: DEFAULT side: source
    0     0 DROP       tcp  --  venet+ *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW recent: UPDATE seconds: 60 hit_count: 4 name: DEFAULT side: source
  237 14208 ACCEPT     tcp  --  venet+ *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22 state NEW
37415 3953K ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
13541 3127K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
  157 35536 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
  809 42886 ACCEPT     tcp  --  venet+ *       0.0.0.0/0            SERVER_IP_FOR_OTHER_THINGS        multiport dports 20,21,80,443,25,143,110,993,465,587 ctstate NEW
    0     0 ACCEPT     udp  --  venet+ *       0.0.0.0/0            SERVER_IP_FOR_OTHER_THINGS        multiport dports 123 ctstate NEW
   43  2224 ACCEPT     tcp  --  venet+ *       0.0.0.0/0            TURN_SERVER_IP         multiport dports 80,3478,443,49152:65535 ctstate NEW
  483 55664 ACCEPT     udp  --  venet+ *       0.0.0.0/0            TURN_SERVER_IP         multiport dports 80,3478,443,49152:65535 ctstate NEW
    6   308 ACCEPT     tcp  --  venet+ *       0.0.0.0/0            SERVER_IP_FOR_YET_OTHER_THINGS         multiport dports 80 ctstate NEW
    0     0 ACCEPT     udp  --  venet+ *       0.0.0.0/0            SERVER_IP_FOR_YET_OTHER_THINGS         multiport dports 1194 ctstate NEW
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       icmp -f  *      *       0.0.0.0/0            0.0.0.0/0           
   10   400 ACCEPT     icmp --  venet+ *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 5/sec burst 5
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
    0     0 ACCEPT     all  --  tun+   *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 29 packets, 2456 bytes)
 pkts bytes target     prot opt in     out     source               destination         
37415 3953K ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      tun+    0.0.0.0/0            0.0.0.0/0           
14553 5167K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   74  3848 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
   25  1515 ACCEPT     tcp  --  *      venet+  SERVER_IP_FOR_OTHER_THINGS        0.0.0.0/0            multiport dports 20,21,22,80,443,25,465,587,873 ctstate NEW
  634 46437 ACCEPT     udp  --  *      venet+  SERVER_IP_FOR_OTHER_THINGS        0.0.0.0/0            multiport dports 123,53 ctstate NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 0
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 3 code 4

Chain fail2ban-exim (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  274 34531 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain fail2ban-ssh (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3722  400K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0  

==================================================================================================================

19.7.2019, 13:58:04	
addIceCandidateFailed
sdpMid: audio, sdpMLineIndex: 0, candidate: candidate:3256393143 1 udp 25108223 TURN_SERVER_IP 50793 typ relay raddr MOBILE_EXTERNAL_IP rport 28262 generation 0 ufrag oBiZ network-id 1 network-cost 900
19.7.2019, 13:58:04	
addIceCandidateFailed
sdpMid: audio, sdpMLineIndex: 0, candidate: candidate:2358993223 1 udp 41885695 TURN_SERVER_IP 49305 typ relay raddr MOBILE_EXTERNAL_IP rport 29322 generation 0 ufrag oBiZ network-id 1 network-cost 900
19.7.2019, 13:58:04	
addIceCandidateFailed
sdpMid: audio, sdpMLineIndex: 0, candidate: candidate:3403688791 1 tcp 1518280447 MOBILE_INTERNAL_IP 9 typ host tcptype active generation 0 ufrag oBiZ network-id 1 network-cost 900
19.7.2019, 13:58:04	
addIceCandidateFailed
sdpMid: audio, sdpMLineIndex: 0, candidate: candidate:2221135783 1 udp 2122260223 MOBILE_INTERNAL_IP 52821 typ host generation 0 ufrag oBiZ network-id 1 network-cost 900

Yup - not fully sanitized - seen and changed…

And - when using a VPN on the mobile phone - it does work (well - probably without turn, as the VPN finishes on the turn box…)

So - AFAIK - we would need to have TUNS:// running so that we can use 443 AND have encrypted traffic…

Hi again guys … Just to be clear I have found the issue with my problem.
I was using an ad-blocker on my phone that uses a VPN which blocks all kind of stuff. I whitelisted Nextcloud Talk and bingo… It worked.

@Ali Please can you report back what was your final config which worked?

listening-port=3478
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=“my secret”
realm=“my domain”
total-quota=100
bps-capacity=0
stale-nonce
no-loopback-peers
no-multicast-peers
no-cli
no-tls
no-dtls
log-file=/var/log/turn.log

This was my config which worked for. I had a problem with the VPN I used on the phone. But after whitelisting the nextcloud talk app.

To add to the possible problems:

I tried to test it by going once via guest WIFI mode and normal WIFI mode, as they are not allowed to talk to each other and both are behind a NAT.

Turned out that I disallowed my poor guests to use other stuff than browsing and mail :grimacing: