spantaleev / matrix-docker-ansible-deploy

🐳 Matrix (An open network for secure, decentralized communication) server setup using Ansible and Docker
GNU Affero General Public License v3.0

Element calls not possible without turn.matrix.org enabled (jitsi works however) #3357

Open mdPlusPlus opened 3 months ago

mdPlusPlus commented 3 months ago

Playbook Configuration:

My vars.yml file looks like this:

devture_postgres_connection_password: 'DEF'
devture_traefik_config_certificatesResolvers_acme_email: 'some@email.com'

jitsi_enabled: true
jitsi_enable_auth: true
jitsi_enable_guests: true

jitsi_prosody_auth_internal_accounts:
  - username: "someacc1"
    password: "somepass1"
  - username: "someacc2"
    password: "somepass2"

jitsi_prosody_max_participants: 32

jitsi_web_custom_config_extension: |
  config.enableLayerSuspension = true;

  // Limit the number of video feeds forwarded to each client
  config.channelLastN = 6;

jitsi_web_config_resolution_width_ideal_and_max: 1920
jitsi_web_config_resolution_height_ideal_and_max: 1080

matrix_dendrite_max_file_size_bytes: 419430400 # 400mib
matrix_dendrite_sync_api_search_enabled: true
matrix_dendrite_tmp_directory_size_mb: 1300

matrix_domain: somedomain.com

matrix_homeserver_federation_enabled: false
matrix_homeserver_generic_secret_key: 'ABC'
matrix_homeserver_implementation: dendrite

matrix_playbook_reverse_proxy_type: playbook-managed-traefik

matrix_sliding_sync_enabled: true

matrix_static_files_container_labels_base_domain_enabled: true
matrix_static_files_file_index_html_enabled: false

/matrix/coturn/turnserver.conf:

use-auth-secret
static-auth-secret=AAA-BBB-CCC-DDD
userdb=/var/tmp/turnserver.db

realm=turn.matrix.somedomain.com

min-port=49152
max-port=49172

external-ip=12.34.56.78

log-file=stdout
pidfile=/var/tmp/turnserver.pid

no-cli

cert=/certificate.crt
pkey=/privatekey.key
no-tlsv1
no-tlsv1_1

prod

no-tcp-relay

no-rfc5780

no-stun-backward-compatibility

response-origin-only-with-rfc5780

no-multicast-peers

denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff

Matrix Server:

Problem description: Calls in Element do not connect unless the turn.matrix.org relay option is enabled in settings. Using Jitsi in the browser works, however.

Notably, I see JVB_STUN_SERVERS=meet-jit-si-turnrelay.jitsi.net:443 in /matrix/jitsi/jvb/env and addresses = [ "meet-jit-si-turnrelay.jitsi.net:443" in /matrix/jitsi/jvb/config/jvb.conf. Are those values correct? Shouldn't those be set to turn.matrix.somedomain.com or similar?
I suspect Coturn is somehow misconfigured and Jitsi is working because it uses an external relay server for some reason.

ZelChief commented 3 months ago

The problem could be in authorization under NAT.

mdPlusPlus commented 3 months ago

The Coturn server and the homeserver (same host) are both not behind NAT, if that is what you've been implying. The clients however are.

And it is my understanding that using lt-cred-mech prevents Jitsi from working with Coturn. Is that correct?

ZelChief commented 3 months ago

Changing the authentication mechanism to lt-cred-mech helps the Coturn server work with static-auth-secret under NAT as a TURN server.
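With `use-auth-secret`, as in the turnserver.conf posted above, Coturn stores no per-user passwords: the homeserver derives short-lived credentials from the shared secret and the relay recomputes them, which is the behaviour `lt-cred-mech` (static users in `userdb`) replaces. The Python below is an added example, not code from the issue or the playbook; it reproduces that derivation and the relay-side check offline, so a homeserver shared secret that does not match Coturn's `static-auth-secret` (or an expired credential) can be spotted without a client. The secret, user ID and timestamps are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time

# Constructed placeholder; in a real deployment this is coturn's static-auth-secret,
# which must equal the homeserver's TURN shared secret.
STATIC_AUTH_SECRET = b"AAA-BBB-CCC-DDD"
TTL_SECONDS = 86400  # typical lifetime handed out by a homeserver


def make_turn_credentials(user_id: str, secret: bytes, now: int,
                          ttl: int = TTL_SECONDS) -> tuple[str, str]:
    """Derive TURN REST API credentials the way use-auth-secret expects.

    username = "<expiry unix time>:<user id>"
    password = base64(HMAC-SHA1(secret, username))
    """
    username = f"{now + ttl}:{user_id}"
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credentials(username: str, password: str, secret: bytes,
                            now: int) -> bool:
    """Check a credential pair as the relay does: unexpired and HMAC matches.

    Matrix user IDs themselves contain ':' so only the first separator is
    the expiry boundary.
    """
    expiry_str, sep, _user = username.partition(":")
    if not sep:
        return False  # no expiry prefix at all
    try:
        expiry = int(expiry_str)
    except ValueError:
        return False
    if expiry <= now:
        return False  # relay rejects expired credentials
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    expected = base64.b64encode(digest).decode()
    return hmac.compare_digest(expected, password)


if __name__ == "__main__":
    now = int(time.time())
    user, pw = make_turn_credentials("@alice:somedomain.com", STATIC_AUTH_SECRET, now)
    print(f"username={user}\npassword={pw}")
    print("relay would accept:", verify_turn_credentials(user, pw, STATIC_AUTH_SECRET, now))
    # A relay configured with a different secret rejects the same pair.
    print("wrong secret accepted:", verify_turn_credentials(user, pw, b"other", now))
```

Running the same pair through `turnutils_uclient` or a WebRTC ICE test against the real relay then separates a secret mismatch from a port or firewall problem.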