Here is my configuration for meet + turn.
A turnserver was added to provide good meetings for many users per meeting.
(as my users are behind NAT, meet failed with more than 2 users)
Turnserver dependencies with meet
When is a turn server necessary?
- the port range 1024-65535 is blocked on the publisher/receiver side
- one of the peers is located behind a symmetric NAT
- your internet provider blocks p2p connections - this sometimes happens with ADSL providers
01 - turnserver configuration in a jitsi-meet environment
Configuration in an opensuse environment:
http://<domain.name>/meet/ - entry point; the loadbalancer forwards this path to nginx on 443, which serves index.html and config.js and opens <meeting-roomname>
/srv/jitsi-meet - files folder for configuration files config.js, index.html, etc.
/etc/prosody/prosody.cfg.lua - configuration file for prosody
/etc/prosody/conf.d/<domain.name>.cfg.lua - configuration file for xmpp-environment
/etc/jitsi/jicofo - configuration files for Jicofo
/etc/jitsi/videobridge - configuration files for JVB's
/etc/coturn/turnserver.conf - configuration file Stun/Turn
01.1. meet related configuration settings on a loadbalancer (haproxy):
( no turnserver related config )
acl meet path_beg /meet
acl colibri path_beg /colibri-ws
acl hdr_connection_upgrade hdr(Connection) -i upgrade
acl hdr_upgrade_websocket hdr(Upgrade) -i websocket
use_backend be_meetnodes if meet
use_backend be_meetnodes if colibri
use_backend be_meetnodes if hdr_connection_upgrade hdr_upgrade_websocket
backend be_meetnodes
stick-table type ip size 10240k expire 60m
stick on src
option http-server-close
balance roundrobin
option redispatch
server web01 hostname1.domain:443 check ssl verify none
#'verify none' disables certificate checking of the TLS connection to the backend; with a CA-issued backend certificate use 'verify required ca-file <ca.pem>' instead
#in case of multiple prosodys without an s2s setting to sync them, the be_meetnodes backend has to balance by room name instead of 'balance roundrobin':
balance url_param room
hash-type consistent
01.2. jitsi-meet configuration settings for a STUN server
/srv/jitsi-meet/config.js:
var config = {
...
p2p: {
enabled: true,
preferH264: true,
// no longer strictly required: if no stun servers are listed here, the ones announced by prosody (external_services / turncredentials) get used
useStunTurn: true,
stunServers: [
{ urls: 'stun:turn01.${FQDN}:3478' },
{ urls: 'stun:turn02.${FQDN}:3478' }
]
},
...
};
01.3. Prosody configuration for a turnserver - /etc/prosody/conf.d/${FQDN}.cfg.lua
legacy declaration (mod_turncredentials, kept commented out):
-- turncredentials_secret = "CHANGETHISPASSWORDTOYOURTURNSERVERSECRET";
-- turncredentials = {
-- { type = "stun", host = "${FQDN}", port = "3478" },
-- { type = "turn", host = "${FQDN}", port = "3478", transport = "udp" },
-- { type = "turns", host = "${FQDN}", port = "443", transport = "tcp" }
-- };
or the mod_external_services declaration (the module must be listed in modules_enabled of the VirtualHost):
-- must be the same string as static-auth-secret in turnserver.conf
external_service_secret = "CHANGETHISPASSWORDTOYOURTURNSERVERSECRET";
-- secret = true: derive a time-limited username/password from external_service_secret;
-- ttl = lifetime of that credential in seconds (86400 = 24h; shorten it if a leaked credential should stop working sooner)
external_services = {
{ type = "stun", host = "turn01.${FQDN}", port = 3478 },
{ type = "turn", host = "turn01.${FQDN}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "turn01.${FQDN}", port = 443, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "stun", host = "turn02.${FQDN}", port = 3478 },
{ type = "turn", host = "turn02.${FQDN}", port = 3478, transport = "udp", secret = true, ttl = 86400, algorithm = "turn" },
{ type = "turns", host = "turn02.${FQDN}", port = 443, transport = "tcp", secret = true, ttl = 86400, algorithm = "turn" }
};
01.4. Videobridge (JVB) configuration for a turnserver
config related file = /etc/jitsi/videobridge/sip-communicator.properties
Depending on the environment setup the settings can differ; more options are listed here than are needed in every case.
#use TURN instead of the bridge's own AWS/TCP candidate harvesters
#skip the EC2 metadata lookup for the public address (only relevant on AWS)
org.ice4j.ice.harvest.DISABLE_AWS_HARVESTER=true
#no ICE-TCP candidates from the bridge: clients that cannot use UDP 10000 must fall back to TURN (turns on 443)
org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
#potentially needed: larger UDP socket receive buffer for the bridge, value in bytes
#org.ice4j.ice.harvest.AbstractUdpHarvester.SO_RCVBUF=<bytes>
#needed if the turn server is not in the same VPN and reachable with the local IP on UDP 10000
#org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Virtual IP address for jvb>
#org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<public-IP of jvb>
#org.jitsi.videobridge.SINGLE_PORT_HARVESTER_PORT=10000
01.5. Turnserver configuration
config related file = /etc/coturn/turnserver.conf
#Public IP address of the relay server as seen by the clients (needed when coturn itself sits behind NAT). Multiple entries can be specified.
external-ip=<public-IP-Turn1 IP Address>
#TURN listener port for UDP and TCP (Default: 3478).
listening-port=3478
#TURN listener port for TLS (Default: 5349). 443 is used so that clients behind restrictive firewalls can still reach the relay.
tls-listening-port=443
#The default realm to be used for the users when no explicit origin/realm relationship was found in the database. Must be used with long-term
#credentials mechanism or with TURN REST API.
realm=turn.${FQDN}
#Local address the relay ports (min-port..max-port) are bound to.
relay-ip=<Virtual IP address bound to Turn1>
#Certificate file.
cert=/etc/coturn/certs/${FQDN}.cert
min-port=10000
max-port=20000
#Private key file.
pkey=/etc/coturn/certs/${FQDN}.key
#Disable the old TLS/DTLS protocol versions.
no-tlsv1
no-tlsv1_1
#Allowed OpenSSL cipher list for TLS/DTLS connections (no whitespace inside the list; the two trailing CBC suites are legacy fallbacks, drop them if all clients negotiate GCM/ChaCha20).
cipher-list="ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-CCM8:DHE-RSA-AES256-CCM:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA"
#Use custom DH TLS key, stored in PEM format in the file.
dh-file=/etc/turnserver/dhp.pem
#TURN REST API: credentials are derived from a shared secret, so they expire and can be accounted for a specific user id.
use-auth-secret
#'Static' authentication secret value (a string) for TURN REST API only.
#Must be identical to external_service_secret (or turncredentials_secret) in prosody; generate it with e.g. openssl rand -hex 32.
static-auth-secret=CHANGETHISPASSWORDTOYOURTURNSERVERSECRET
#Flag that can be used to disallow peers on well-known broadcast addresses (224.0.0.0 and above, and FFXX:*).
no-multicast-peers
#A relay reachable from the internet can also be pointed at internal addresses; deny the private and loopback ranges
#so that an authenticated TURN client cannot use it to reach the backend network (no-loopback-peers on older coturn versions).
#denied-peer-ip=10.0.0.0-10.255.255.255
#denied-peer-ip=172.16.0.0-172.31.255.255
#denied-peer-ip=192.168.0.0-192.168.255.255
#denied-peer-ip=127.0.0.0-127.255.255.255
#Uncomment to use fingerprints in the TURN messages.
fingerprint
#Maximum number of simultaneous allocations on the whole server.
total-quota=100
#Set this option to limit the nonce lifetime.
#It defaults to 600 secs (10 min) if no value is provided. After that delay,
#the client will get 438 error and will have to re-authenticate itself.
stale-nonce=600
#Maximum server capacity.
#Total bytes-per-second bandwidth the TURN server is allowed to allocate
bps-capacity=0
#'verbose' enables moderate logging, 'Verbose' (capital V) the extra verbose mode; leave it off in production unless ICE/TURN problems are being debugged.
verbose
#Disable the telnet CLI (port 5766 by default) so no admin interface is exposed.
no-cli
#Option to set the log file name.
log-file=/var/log/coturn/coturn.log
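The shared secret in prosody's external_services (01.3) and coturn's static-auth-secret (01.5) is the only thing tying the two together: prosody never talks to coturn, it only hands the browser a username carrying an expiry timestamp and a password that is the base64-encoded HMAC-SHA1 of that username under the secret, and coturn recomputes the HMAC from its own static-auth-secret and refuses the allocation when the timestamp has passed or the MAC does not match. The following script is an added example, not code from this page, from Jitsi or from coturn; it reimplements both halves of that TURN REST API scheme so a credential can be generated offline, checked the way coturn checks it, and tried against a real relay. The secret, host and user names in it are placeholders, and the turnutils_uclient call it prints assumes the coturn package's test client is installed.

```python
"""Added example (not from the page, Jitsi or coturn): the TURN REST API
credential scheme used by prosody's mod_external_services (algorithm="turn")
and checked by coturn with use-auth-secret/static-auth-secret.

    username = "<expiry-unix-time>" or "<expiry-unix-time>:<user>"
    password = base64(HMAC-SHA1(secret, username))
"""
import base64
import hashlib
import hmac
import shlex
import time


def _turn_password(secret: str, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)), the password half of the credential."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_turn_credentials(secret, ttl, user="", now=None):
    """The prosody side: what a { secret = true, ttl = ..., algorithm = "turn" }
    entry hands to the client. Returns (username, password). `user` is optional,
    as in the external_services entries above; `now` is injectable for testing."""
    now = int(time.time()) if now is None else int(now)
    expires = now + int(ttl)
    username = f"{expires}:{user}" if user else str(expires)
    return username, _turn_password(secret, username)


def check_turn_credentials(secret, username, password, now=None):
    """The coturn side: the timestamp before the first ':' must not have passed
    and the MAC must match under *coturn's* secret. Returns "ok", "expired",
    "bad-password" or "malformed". A prosody/coturn secret mismatch shows up
    as "bad-password" for every credential, which is what a 401 loop looks like."""
    now = int(time.time()) if now is None else int(now)
    try:
        expires = int(username.split(":", 1)[0])
    except ValueError:
        return "malformed"
    if expires < now:
        return "expired"
    expected = _turn_password(secret, username)
    if not hmac.compare_digest(expected.encode(), str(password).encode()):
        return "bad-password"
    return "ok"


def uclient_command(host, username, password, port=3478):
    """Build a turnutils_uclient call (coturn's test client; check its -h output
    on your version) to test the credential end to end against a real relay:
    -u/-w user and password, -p port, -y client-to-client relay, -v verbose."""
    return " ".join(["turnutils_uclient", "-v", "-y", "-p", str(port),
                     "-u", shlex.quote(username), "-w", shlex.quote(password), host])


if __name__ == "__main__":
    secret = "CHANGETHISPASSWORDTOYOURTURNSERVERSECRET"  # placeholder, same as in the configs above
    user, pw = make_turn_credentials(secret, ttl=86400, user="alice")
    print("credential:", user, pw)
    print("coturn with the same secret:", check_turn_credentials(secret, user, pw))
    print("coturn with a different secret:", check_turn_credentials("wrong-secret", user, pw))
    print("end-to-end test:", uclient_command("turn01.example.org", user, pw))  # example host
```

Run it once with the real secret from turnserver.conf and feed the printed turnutils_uclient line to a shell on a client network: an "ok" here but a 401 from the relay means the two secrets differ or the clocks of prosody and coturn are far enough apart that the timestamp is already in the past.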