Using NextCloud Talk in a VPN

Hello Nextcloud community!

We have a business network which you connect to via a VPN. All of our clients are inside of this VPN. We do not allow tunnel forwarding - no clients can talk via p2p. We want to use Nextcloud Talk for text, voice and video video conferencing. As I understand it Talk/spreed communicates with p2p so this is not possible for us (as we do not leak the local IPs between clients).
As a test Ive setup a Nextcloud Talk server, text works and connecting voice calls work, but then it’s just black & no audio (I believe this is where the p2p starts, the rest is handled by the server).
What is the best practice for us to use Nextcloud Talk? Is it recommended for us to setup a TURN (or STUN? Not completely grasping the differences) server as a form of proxy on the inside? Which TURN/STUN server is recommended and works with Nextcloud Talk?

Thankful for any feedback, links or ideas!

If it is a bigger installation and should be secure without leaking it would be best for you to host all three (STUN, TURN and Signalling) services on your own servers.

To connect clients that can’t see each other, a TURN (Traversal Using Relay NAT) server would be needed.

I have now setup a TURN server (coturn) which both clients connects to - I see this when running tcpdump - but it’s still completely black.

TURN log:

0: log file opened: /var/log/turnserver/turn_2018-01-19.log
0: pid file created: /var/run/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided
0: Wait for relay ports initialization…
0: relay 10.20.50.50 initialization…
0: relay 10.20.50.50 initialization done
0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=1 created
0: IPv4. SCTP listener opened on : 10.20.50.50:3478
0: IPv4. TCP listener opened on : 10.20.50.50:3478
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=0 created
0: IPv4. TCP listener opened on : 10.20.50.50:3478
0: IPv4. UDP listener opened on: 10.20.50.50:3478
0: Total General servers: 2
0: IO method (admin thread): epoll (with changelist)
0: IPv4. CLI listener opened on : 127.0.0.1:5766
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: SQLite DB connection success: /var/lib/turn/turndb
19: IPv4. tcp or tls connected to: 10.0.128.17:52383
19: IPv4. tcp or tls connected to: 10.0.128.17:55490
19: IPv4. tcp or tls connected to: 10.0.128.17:51891
22: IPv4. tcp or tls connected to: 10.0.134.49:55534
23: session 000000000000000001: TCP socket closed remotely 10.0.128.17:55490
23: session 000000000000000001: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:55490, reason: TCP connection closed by client (callback)
23: session 000000000000000002: TCP socket closed remotely 10.0.128.17:51891
23: session 000000000000000002: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:51891, reason: TCP connection closed by client (callback)

Where 10.20.50.50 is the Nextcloud and TURN server (port 3478 for TURN).
10.0.128.17 is client 1
10.0.134.49 is client 2

Tcpdump:

13:54:39.210367 IP 10.0.134.49.36562 > 10.20.50.50.https: Flags [P.], seq 671:1362, ack 728, win 340, options [nop,nop,TS val 1389793 ecr 252632], length 691
13:54:39.210376 IP 10.20.50.50.https > 10.0.134.49.36562: Flags [.], ack 1362, win 535, options [nop,nop,TS val 252644 ecr 1389793], length 0
13:54:39.214851 IP 10.20.50.50.https > 10.0.134.49.36563: Flags [.], ack 569, win 470, options [nop,nop,TS val 252646 ecr 1389790], length 0
13:54:39.245402 IP 10.0.134.49.36563 > 10.20.50.50.https: Flags [P.], seq 569:1262, ack 153, win 329, options [nop,nop,TS val 1389797 ecr 252646], length 693
13:54:39.245417 IP 10.20.50.50.https > 10.0.134.49.36563: Flags [.], ack 1262, win 491, options [nop,nop,TS val 252653 ecr 1389797], length 0
13:54:39.263858 IP 10.20.50.50.https > 10.0.134.49.36562: Flags [P.], seq 728:1455, ack 1362, win 535, options [nop,nop,TS val 252658 ecr 1389793], length 727
13:54:39.284196 IP 10.20.50.50.https > 10.0.134.49.36563: Flags [P.], seq 153:893, ack 1262, win 491, options [nop,nop,TS val 252663 ecr 1389797], length 740
13:54:39.327374 IP 10.0.134.49.36562 > 10.20.50.50.https: Flags [.], ack 1455, win 346, options [nop,nop,TS val 1389806 ecr 252658], length 0
13:54:39.340416 IP 10.0.134.49.36562 > 10.20.50.50.https: Flags [P.], seq 1362:2055, ack 1455, win 346, options [nop,nop,TS val 1389806 ecr 252658], length 693
13:54:39.340423 IP 10.20.50.50.https > 10.0.134.49.36562: Flags [.], ack 2055, win 556, options [nop,nop,TS val 252677 ecr 1389806], length 0
13:54:39.342317 IP 10.0.134.49.36563 > 10.20.50.50.https: Flags [.], ack 893, win 334, options [nop,nop,TS val 1389808 ecr 252663], length 0
13:54:39.368732 IP 10.20.50.50.https > 10.0.134.49.36562: Flags [P.], seq 1455:2194, ack 2055, win 556, options [nop,nop,TS val 252684 ecr 1389806], length 739
13:54:39.392474 IP 10.0.134.49.36562 > 10.20.50.50.https: Flags [.], ack 2194, win 351, options [nop,nop,TS val 1389812 ecr 252684], length 0
13:54:39.430476 IP 10.0.134.49.36562 > 10.20.50.50.https: Flags [P.], seq 2055:2748, ack 2194, win 351, options [nop,nop,TS val 1389815 ecr 252684], length 693
13:54:39.460639 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [P.], seq 948199420:948200192, ack 2962451123, win 513, options [nop,nop,TS val 252707 ecr 3949126], length 772
13:54:39.461014 IP 10.20.50.50.https > 10.0.134.49.36562: Flags [P.], seq 2194:2933, ack 2748, win 578, options [nop,nop,TS val 252707 ecr 1389815], length 739
13:54:39.469021 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [.], ack 772, win 340, options [nop,nop,TS val 3949932 ecr 252707], length 0
13:54:39.469805 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [P.], seq 1:671, ack 772, win 340, options [nop,nop,TS val 3949932 ecr 252707], length 670
13:54:39.469812 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [.], ack 671, win 534, options [nop,nop,TS val 252709 ecr 3949932], length 0
13:54:39.497622 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [P.], seq 772:1544, ack 671, win 534, options [nop,nop,TS val 252716 ecr 3949932], length 772
13:54:39.505977 IP 10.0.134.49.36562 > 10.20.50.50.https: Flags [P.], seq 2748:3441, ack 2933, win 357, options [nop,nop,TS val 1389823 ecr 252707], length 693
13:54:39.509982 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [P.], seq 671:1341, ack 1544, win 346, options [nop,nop,TS val 3949936 ecr 252716], length 670
13:54:39.542848 IP 10.20.50.50.https > 10.0.134.49.36562: Flags [.], ack 3441, win 600, options [nop,nop,TS val 252728 ecr 1389823], length 0
13:54:39.546843 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [.], ack 1341, win 555, options [nop,nop,TS val 252729 ecr 3949936], length 0
13:54:39.560425 IP 10.20.50.50.https > 10.0.134.49.36562: Flags [P.], seq 2933:3672, ack 3441, win 600, options [nop,nop,TS val 252732 ecr 1389823], length 739
13:54:39.561017 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [P.], seq 1544:2316, ack 1341, win 555, options [nop,nop,TS val 252732 ecr 3949936], length 772
13:54:39.566375 IP 10.20.50.50.https > 10.0.134.49.36561: Flags [P.], seq 2828750114:2828750886, ack 2044698794, win 513, options [nop,nop,TS val 252733 ecr 1389125], length 772
13:54:39.591935 IP 10.0.134.49.36561 > 10.20.50.50.https: Flags [.], ack 772, win 340, options [nop,nop,TS val 1389832 ecr 252733], length 0
13:54:39.601381 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [.], ack 2316, win 352, options [nop,nop,TS val 3949946 ecr 252732], length 0
13:54:39.611038 IP 10.0.134.49.36561 > 10.20.50.50.https: Flags [P.], seq 1:665, ack 772, win 340, options [nop,nop,TS val 1389833 ecr 252733], length 664
13:54:39.611049 IP 10.20.50.50.https > 10.0.134.49.36561: Flags [.], ack 665, win 534, options [nop,nop,TS val 252745 ecr 1389833], length 0
13:54:39.616898 IP 10.0.134.49.36562 > 10.20.50.50.https: Flags [.], ack 3672, win 363, options [nop,nop,TS val 1389835 ecr 252732], length 0
13:54:39.639374 IP 10.20.50.50.https > 10.0.134.49.36561: Flags [P.], seq 772:1544, ack 665, win 534, options [nop,nop,TS val 252752 ecr 1389833], length 772
13:54:39.696070 IP 10.0.134.49.36561 > 10.20.50.50.https: Flags [P.], seq 665:1329, ack 1544, win 346, options [nop,nop,TS val 1389842 ecr 252752], length 664
13:54:39.723880 IP 10.20.50.50.https > 10.0.134.49.36561: Flags [P.], seq 1544:2316, ack 1329, win 555, options [nop,nop,TS val 252773 ecr 1389842], length 772
13:54:39.787042 IP 10.20.50.50.57588 > 10.20.56.10.domain: 62059+ PTR? 49.134.0.10.in-addr.arpa. (42)
13:54:39.787467 IP 10.20.56.10.domain > 10.20.50.50.57588: 62059 NXDomain* 0/1/0 (92)
13:54:39.792574 IP 10.0.134.49.36561 > 10.20.50.50.https: Flags [.], ack 2316, win 352, options [nop,nop,TS val 1389852 ecr 252773], length 0
13:54:40.790884 ARP, Request who-has 10.20.56.10 tell 10.20.50.50, length 28
13:54:40.791130 ARP, Reply 10.20.56.10 is-at 8a:16:8f:85:70:30 (oui Unknown), length 46
13:54:42.136808 IP 10.0.134.49.54590 > 10.20.50.50.3478: Flags [F.], seq 3415617292, ack 3490395854, win 324, options [nop,nop,TS val 1390086 ecr 242189], length 0
13:54:42.136945 IP 10.20.50.50.3478 > 10.0.134.49.54590: Flags [R.], seq 1, ack 1, win 453, options [nop,nop,TS val 253376 ecr 1390086], length 0
13:54:42.138770 IP 10.0.134.49.40905 > 10.20.50.50.3478: Flags [F.], seq 2316692247, ack 1825295247, win 324, options [nop,nop,TS val 1390086 ecr 242190], length 0
13:54:42.138843 IP 10.20.50.50.3478 > 10.0.134.49.40905: Flags [.], ack 1, win 453, options [nop,nop,TS val 253377 ecr 1390086], length 0
13:54:42.138978 IP 10.20.50.50.3478 > 10.0.134.49.40905: Flags [R.], seq 1, ack 1, win 453, options [nop,nop,TS val 253377 ecr 1390086], length 0
13:54:42.552963 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [P.], seq 1341:2040, ack 2316, win 352, options [nop,nop,TS val 3950240 ecr 252732], length 699
13:54:42.552982 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [.], ack 2040, win 577, options [nop,nop,TS val 253480 ecr 3950240], length 0
13:54:42.581165 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [P.], seq 2316:3055, ack 2040, win 577, options [nop,nop,TS val 253487 ecr 3950240], length 739
13:54:42.584711 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [.], ack 3055, win 358, options [nop,nop,TS val 3950244 ecr 253487], length 0
13:54:42.614428 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [P.], seq 2040:2739, ack 3055, win 358, options [nop,nop,TS val 3950247 ecr 253487], length 699
13:54:42.641788 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [P.], seq 3055:3794, ack 2739, win 599, options [nop,nop,TS val 253502 ecr 3950247], length 739
13:54:42.662011 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [P.], seq 2739:3438, ack 3794, win 364, options [nop,nop,TS val 3950252 ecr 253502], length 699
13:54:42.688741 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [P.], seq 3794:4533, ack 3438, win 621, options [nop,nop,TS val 253514 ecr 3950252], length 739
13:54:42.712279 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [P.], seq 3438:4137, ack 4533, win 370, options [nop,nop,TS val 3950257 ecr 253514], length 699
13:54:42.739952 IP 10.20.50.50.https > 10.0.128.17.45446: Flags [P.], seq 4533:5272, ack 4137, win 643, options [nop,nop,TS val 253527 ecr 3950257], length 739
13:54:42.782887 IP 10.0.128.17.45446 > 10.20.50.50.https: Flags [.], ack 5272, win 376, options [nop,nop,TS val 3950264 ecr 253527], length 0

We’re still having the issues. I’m not able to see anything unusual in the server logs nor on the clients. Is it possible to turn on verbose logging in the Nextcloud Talk android app?

Pleaase open one user on the web, one on mobile. Once you’ve seen it try to connect, type in: “about:webrtc” in your Firefox. For starters, you’ll see if both sides get relay candidates.

Turn makes connections WAY more likely to succeed under certain circumstances, but is not a bulletproof solution - firewalls, routers, etc could still block things.

Also check TURN. Does your log contains things like:
181815: session 000000000000000023: realm user <>: incoming packet ALLOCATE processed, success

about:webrtc indicates that there is some issue.

TURN server log (I do see some ALLOCATE)

247983: session 001000000000004794: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:47626, reason: allocation watchdog determined stale session state
247983: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:47626
247983: session 001000000000004798: realm <> user <>: incoming packet BINDING processed, success
247985: session 000000000000010426: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:57594, reason: allocation watchdog determined stale session state
247985: session 000000000000010427: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:59796, reason: allocation watchdog determined stale session state
247985: session 000000000000010428: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:50342, reason: allocation watchdog determined stale session state
247985: session 001000000000004795: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:45256, reason: allocation watchdog determined stale session state
247985: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:57594
247985: session 000000000000010436: realm <> user <>: incoming packet BINDING processed, success
247985: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:50342
247985: session 000000000000010437: realm <> user <>: incoming packet BINDING processed, success
247985: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:59796
247985: session 000000000000010438: realm <> user <>: incoming packet BINDING processed, success
247985: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:45256
247985: session 001000000000004799: realm <> user <>: incoming packet BINDING processed, success
247988: session 000000000000010429: realm <> user <>: incoming packet BINDING processed, success
247988: session 000000000000010430: realm <> user <>: incoming packet BINDING processed, success
247988: session 001000000000004796: realm <> user <>: incoming packet BINDING processed, success
247989: session 001000000000004789: realm <> user <>: incoming packet BINDING processed, success
247989: session 000000000000010431: realm <> user <>: incoming packet BINDING processed, success
247989: session 000000000000010434: realm <> user <>: incoming packet BINDING processed, success
247989: session 000000000000010433: realm <> user <>: incoming packet BINDING processed, success
247989: session 000000000000010435: realm <> user <>: incoming packet BINDING processed, success
247989: session 000000000000010432: realm <> user <>: incoming packet BINDING processed, success
247989: session 001000000000004797: realm <> user <>: incoming packet BINDING processed, success
247992: session 001000000000004776: realm <> user <>: incoming packet BINDING processed, success
247993: session 001000000000004798: realm <> user <>: incoming packet BINDING processed, success
247995: session 000000000000010436: realm <> user <>: incoming packet BINDING processed, success
247995: session 000000000000010437: realm <> user <>: incoming packet BINDING processed, success
247995: session 000000000000010438: realm <> user <>: incoming packet BINDING processed, success
247995: session 001000000000004799: realm <> user <>: incoming packet BINDING processed, success
247998: session 000000000000010429: realm <> user <>: incoming packet BINDING processed, success
247998: session 000000000000010430: realm <> user <>: incoming packet BINDING processed, success
247998: session 001000000000004796: realm <> user <>: incoming packet BINDING processed, success
247999: session 001000000000004789: realm <> user <>: incoming packet BINDING processed, success
247999: session 000000000000010432: realm <> user <>: incoming packet BINDING processed, success
247999: session 000000000000010435: realm <> user <>: incoming packet BINDING processed, success
247999: session 000000000000010433: realm <> user <>: incoming packet BINDING processed, success
247999: session 000000000000010431: realm <> user <>: incoming packet BINDING processed, success
247999: session 000000000000010434: realm <> user <>: incoming packet BINDING processed, success
247999: session 001000000000004797: realm <> user <>: incoming packet BINDING processed, success
248000: session 000000000000010397: realm <> user <>: incoming packet BINDING processed, success
248002: session 001000000000004776: realm <> user <>: incoming packet BINDING processed, success
248003: session 001000000000004798: realm <> user <>: incoming packet BINDING processed, success
248005: session 000000000000010436: realm <> user <>: incoming packet BINDING processed, success
248005: session 000000000000010437: realm <> user <>: incoming packet BINDING processed, success
248005: session 000000000000010438: realm <> user <>: incoming packet BINDING processed, success
248005: session 001000000000004799: realm <> user <>: incoming packet BINDING processed, success
248008: session 000000000000010429: realm <> user <>: incoming packet BINDING processed, success
248008: session 000000000000010430: realm <> user <>: incoming packet BINDING processed, success
248008: session 001000000000004796: realm <> user <>: incoming packet BINDING processed, success
248009: session 001000000000004789: realm <> user <>: incoming packet BINDING processed, success
248009: session 000000000000010432: realm <> user <>: incoming packet BINDING processed, success
248009: session 000000000000010431: realm <> user <>: incoming packet BINDING processed, success
248009: session 000000000000010433: realm <> user <>: incoming packet BINDING processed, success
248009: session 000000000000010434: realm <> user <>: incoming packet BINDING processed, success
248009: session 000000000000010435: realm <> user <>: incoming packet BINDING processed, success
248009: session 001000000000004797: realm <> user <>: incoming packet BINDING processed, success
248012: session 001000000000004776: realm <> user <>: incoming packet BINDING processed, success
248013: session 001000000000004798: realm <> user <>: incoming packet BINDING processed, success
248018: session 000000000000010429: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:41001, reason: allocation watchdog determined stale session state
248018: session 000000000000010430: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:43197, reason: allocation watchdog determined stale session state
248018: session 001000000000004796: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:44979, reason: allocation watchdog determined stale session state
248019: session 000000000000010431: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:53737, reason: allocation watchdog determined stale session state
248019: session 000000000000010432: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:56507, reason: allocation watchdog determined stale session state
248019: session 000000000000010433: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:46860, reason: allocation watchdog determined stale session state
248019: session 000000000000010434: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:58686, reason: allocation watchdog determined stale session state
248019: session 000000000000010435: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:59848, reason: allocation watchdog determined stale session state
248019: session 001000000000004797: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:60119, reason: allocation watchdog determined stale session state
248026: session 000000000000010436: realm <> user <>: incoming packet BINDING processed, success
248026: session 000000000000010438: realm <> user <>: incoming packet BINDING processed, success
248026: session 000000000000010437: realm <> user <>: incoming packet BINDING processed, success
248026: session 001000000000004799: realm <> user <>: incoming packet BINDING processed, success
248037: session 000000000000010397: realm <> user <>: incoming packet BINDING processed, success
248043: session 001000000000004798: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:47626, reason: allocation watchdog determined stale session state
248045: session 000000000000010436: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:57594, reason: allocation watchdog determined stale session state
248045: session 000000000000010437: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:50342, reason: allocation watchdog determined stale session state
248045: session 000000000000010438: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:59796, reason: allocation watchdog determined stale session state
248045: session 001000000000004799: closed (2nd stage), user <> realm <> origin <>, local 10.20.50.50:3478, remote 10.0.128.17:45256, reason: allocation watchdog determined stale session state
248070: session 000000000000010397: realm <> user <>: incoming packet BINDING processed, success
248083: session 000000000000010397: realm <> user <>: incoming packet BINDING processed, success
248093: session 000000000000010397: realm <> user <>: incoming packet BINDING processed, success
248099: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:41001
248099: session 000000000000010439: realm <> user <>: incoming packet BINDING processed, success
248099: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:43197
248099: session 000000000000010440: realm <> user <>: incoming packet BINDING processed, success
248099: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:44979
248099: session 001000000000004800: realm <> user <>: incoming packet BINDING processed, success
248102: session 001000000000004789: realm <> user <>: incoming packet BINDING processed, success
248102: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:56507
248102: session 000000000000010441: realm <> user <>: incoming packet BINDING processed, success
248102: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:53737
248102: session 000000000000010442: realm <> user <>: incoming packet BINDING processed, success
248102: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:46860
248102: session 000000000000010443: realm <> user <>: incoming packet BINDING processed, success
248102: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:59848
248102: session 000000000000010444: realm <> user <>: incoming packet BINDING processed, success
248102: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:58686
248102: session 000000000000010445: realm <> user <>: incoming packet BINDING processed, success
248102: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:60119
248102: session 001000000000004801: realm <> user <>: incoming packet BINDING processed, success
248103: session 000000000000010397: realm <> user <>: incoming packet BINDING processed, success
248104: session 001000000000004776: realm <> user <>: incoming packet BINDING processed, success
248105: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:47626
248105: session 001000000000004802: realm <> user <>: incoming packet BINDING processed, success
248108: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:57594
248108: session 000000000000010446: realm <> user <>: incoming packet BINDING processed, success
248108: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:59796
248108: session 000000000000010447: realm <> user <>: incoming packet BINDING processed, success
248108: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:50342
248108: session 000000000000010448: realm <> user <>: incoming packet BINDING processed, success
248108: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.128.17:45256
248108: session 001000000000004803: realm <> user <>: incoming packet BINDING processed, success
248117: handle_udp_packet: New UDP endpoint: local addr 10.20.50.50:3478, remote addr 10.0.134.49:54791
248117: session 000000000000010449: realm <> user <>: incoming packet BINDING processed, success
248117: IPv4. Local relay addr: 10.20.50.50:54896
248117: session 000000000000010449: new, realm=<>, username=<>, lifetime=600
248117: session 000000000000010449: realm <> user <>: incoming packet ALLOCATE processed, success
248117: IPv4. tcp or tls connected to: 10.0.134.49:38155
248117: session 000000000000010449: realm <> user <>: incoming packet ALLOCATE processed, success
248118: session 000000000000010449: realm <> user <>: incoming packet ALLOCATE processed, success
248119: session 000000000000010449: realm <> user <>: incoming packet ALLOCATE processed, success
248121: session 000000000000010449: realm <> user <>: incoming packet ALLOCATE processed, success
248125: session 000000000000010449: realm <> user <>: incoming packet ALLOCATE processed, success
248127: session 000000000000010449: realm <> user <>: incoming packet BINDING processed, success

It sounds strange that there is only 1 candidate. Hm. Are you sure whatever VPN you’re using allows all the ports etc etc?

Yes, we allow everything inside. The clients are on the same internal network via the VPN.

@PrinceProspero

Thinking about this, a MUC would solve the issue as it merges everything into one proper stream rather than using P2P. You need a Nextcloud Talk subscription to get access to the server-side components that you’d then install on your servers.