/etc/turnserver.conf
##############################################################
# These are the two network ports used by the TURN server which the client
# may connect to. We enable the standard unencrypted port 3478 for STUN,
# as well as port 443 for TURN over TLS, which can bypass firewalls.
#listening-ip=104.248.142.226
listening-port=3478
tls-listening-port=443
server-name=rooms.the5stars.org
mobility
# If the server has multiple IP addresses, you may wish to limit which
# addresses coturn is using. Do that by setting this option (it can be
# specified multiple times). The default is to listen on all addresses.
# You do not normally need to set this option.
#listening-ip=104.248.142.226
# If the server is behind NAT, you need to specify the external IP address.
# If there is only one external address, specify it like this:
external-ip=104.248.142.226
# If you have multiple external addresses, you have to specify which
# internal address each corresponds to, like this. The first address is the
# external ip, and the second address is the corresponding internal IP.
#external-ip=104.248.142.226/10.0.0.11
#external-ip=104.248.142.226/10.0.0.12
# Fingerprints in TURN messages are required for WebRTC
fingerprint
# The long-term credential mechanism is required for WebRTC
lt-cred-mech
# Configure coturn to use the "TURN REST API" method for validating
# time-limited credentials.
# You can generate a new random value by running the command:
# openssl rand -hex 16
use-auth-secret
static-auth-secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# user=
stale-nonce=0
# If the realm value is unspecified, it defaults to the TURN server
# hostname.
# You probably want to configure it to a domain name that you control to
# improve log output. There is no functional impact.
realm=rooms.the5stars.org
# Configure TLS support.
# Adjust these paths to match the locations of your certificate files
cert=/etc/letsencrypt/live/rooms.the5stars.org/fullchain.pem
pkey=/etc/letsencrypt/live/rooms.the5stars.org/privkey.pem
# Limit the allowed ciphers to improve security
# Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
# Enable longer DH TLS key to improve security
dh2066
# All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
# older protocols
no-tlsv1
no-tlsv1_1
# Log to a single filename (rather than new log files each startup). You'll
# want to install a logrotate configuration (see below)
log-file=/var/log/coturn/coturn.log
# To enable single filename logs you need to enable the simple-log flag
simple-log
proc-user=nobody
proc-group=nogroup
##############################################################
On 12/17/20 7:13 AM, Ali Alhaidary wrote:
For us, and since I had a long discussion and did research, I removed the
'user' entry from all files:
/etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini
/opt/opt510/webapps/openmeetings/WEB-INF/classes/openmeetings.properties
/etc/turnserver.conf
so we are using only the STUN service, all working well....
On 12/17/20 7:08 AM, Maxim Solodovnik wrote:
On Thu, 17 Dec 2020 at 00:36, kaffeesurrogat <kaffeesurro...@posteo.de> wrote:
Now I am ashamed, it was me who asked this question a while ago and you
did answer it.
Sorry for that ....
This means I should leave the line in
/opt/open510/webapps/openmeetings/WEB-INF/classes/openmeetings.properties
like this:
kurento.turn.user=
You can put any user-name on this line :)
for ex.
kurento.turn.user=kaffeesurrogat
(I guess it can be used while log checking)
or can leave it empty :)
Commenting it out doesn't work .....
I find some error in openmeetings.log
(Could not resolve placeholder kurento.turn.user .....)
and the web frontend is not reachable ....
On 16/12/2020 17:12, Maxim Solodovnik wrote:
> I would recommend to remove the `user` from coturn config
> (/etc/turnserver.conf)
> please search mailing lists, I've shared my config (as well as
others
> ... :)))
>
> On Wed, 16 Dec 2020 at 22:49, kaffeesurrogat <kaffeesurro...@posteo.de> wrote:
>
>
>
> On 16/12/2020 16:39, Maxim Solodovnik wrote:
> >
> >
> > On Wed, 16 Dec 2020 at 21:28, kaffeesurrogat <kaffeesurro...@posteo.de> wrote:
> >
> > Dear list,
> >
> > just trying to understand things a little better.
> >
> > I tried to check if my turn/stun server is working correctly.
> >
> > my turnserver.conf contains the line
> >
> > user=nobody:PASSWORD
> >
> >
> > Why have you added this line to the coturn config?
>
> That was mentioned in
> Installation_SSL_certificates_and_Coturn_for_OpenMeetings_5.1.0_on_Ubuntu_18.04.pdf
>
> >
> >
> >
> > Now I'm using
> > https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
> > to check my turn server.
> >
> > The entries on trickle are:
> >
> > turn:MYIP:3478
> > turn username: nobody
> > turn password: PASSWORD
> >
> >
> > The test result is negative.
> >
> >
> > I guess this is expected
> >
> >
> > My log file shows
> >
> >
> > ##############################################################
> > 80: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr 149.224.83.188:43949
> > 80: session 002000000000000001: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
> > 80: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr 149.224.83.188:32997
> > 80: session 002000000000000002: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
> > 80: check_stun_auth: Cannot find credentials of user <nobody>
> > 80: session 002000000000000001: realm <MYIP> user <nobody>: incoming packet message processed, error 401: Unauthorized
> > 80: check_stun_auth: Cannot find credentials of user <nobody>
> > 80: session 002000000000000002: realm <MYIP> user <nobody>: incoming packet message processed, error 401: Unauthorized
> > 83: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr 149.224.83.188:46559
> > 83: session 002000000000000003: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
> > 83: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr 149.224.83.188:37545
> > 83: session 005000000000000002: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
> > 83: check_stun_auth: Cannot find credentials of user <nobody>
> > 83: session 002000000000000003: realm <MYIP> user <nobody>: incoming packet message processed, error 401: Unauthorized
> > 83: check_stun_auth: Cannot find credentials of user <nobody>
> > 83: session 005000000000000002: realm <MYIP> user <nobody>: incoming packet message processed, error 401: Unauthorized
> > ##############################################################
> >
> >
> > user nobody with PASSWORD is not found ..... ;-(
> >
> > Logging into my OM room, activating my camera gives:
> >
> >
> > ##############################################################
> > 863: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr REMOTEIP:41039
> > 863: session 005000000000000003: realm <MYIP> user <>: incoming packet BINDING processed, success
> > 863: session 005000000000000003: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
> > 863: IPv4. Local relay addr: MYIP:63505
> > 863: session 005000000000000003: new, realm=<MYIP>, username=<1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>, lifetime=600
> > 863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet ALLOCATE processed, success
> > 863: session 005000000000000003: peer MYIP lifetime updated: 300
> > 863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet CREATE_PERMISSION processed, success
> > 863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet CREATE_PERMISSION processed, error 403: Forbidden IP
> > 863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet message processed, error 403: Forbidden IP
> > ##############################################################
> >
> >
> > gives a user name with a long number ...... ?
> >
> >
> > A special hash of user and password is being used by OM
> >
> >
> >
> >
> > There are two questions :
> >
> > 1) Why do I need a user nobody:password in my config lines if the
> > username generated by OM is a long hash but not nobody ... ?
> >
> >
> > Your config is your responsibility :))))
> > I guess you can google
> > Or check this doc https://github.com/coturn/coturn/blob/master/README.turnserver for ex.
>
> Will read this doc. One day I will understand this turn server thing ...
>
>
>
> > Or search mailing-list archives for working configurations :)))
> >
>
>
>
> >
> >
> > 2) Why does my trickle test fail, or why does it not find the credentials ... ?
> >
> >
> > I believe your configuration might be wrong ...
> >
> >
> >
> >
> > Many thanks,
> >
> > kaffeesurrogat
> >
> >
> >
> >
>
> thanks again....
>
> kaffeesurrogat ;-)
>
> >
> > --
> > Best regards,
> > Maxim
>
>
>
> --
> Best regards,
> Maxim
--
Best regards,
Maxim
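The credential mechanism the whole thread turns on, as an added example that is not part of the mailing-list messages, OpenMeetings or coturn: with `use-auth-secret` and `static-auth-secret` set in the posted turnserver.conf, the TURN password is not a stored string but `base64(HMAC-SHA1(secret, username))` over a username of the form `<unix-expiry>:<id>`, which is exactly the `1608132140:a8675769-...` seen in the log. The secret and user id below are made up, the checker is a model of the scheme rather than coturn's source, and its reason strings are borrowed from the log lines above only so they read alongside them.

```python
"""
TURN REST API credentials as coturn's `use-auth-secret` expects them.

Added example (not from the thread, OpenMeetings or coturn). Once
use-auth-secret / static-auth-secret are set, the server derives the
expected password from the shared secret and the client's username, which
carries its own expiry:

    username = "<unix-expiry>:<any-id>"     e.g. 1608132140:a8675769-...
    password = base64( HMAC-SHA1(secret, username) )

A static `user=nobody:PASSWORD` line has no timestamp to derive from, so a
trickle-ice test with nobody/PASSWORD cannot succeed under this mode.
The secret and user id used here are made up; the checker is a model of
the scheme, not coturn's own code.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple


def _derive_password(secret: str, username: str) -> str:
    """HMAC-SHA1 keyed with the shared secret, base64-encoded as TURN expects."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def make_turn_credentials(secret: str, user_id: str, ttl_seconds: int = 600,
                          now: Optional[int] = None) -> Tuple[str, str]:
    """Build (username, password) valid for ttl_seconds from `now`.

    This is the application-server side (OpenMeetings in the thread), which
    must hold the same static-auth-secret as turnserver.conf.
    """
    now = int(time.time()) if now is None else now
    username = f"{now + ttl_seconds}:{user_id}"
    return username, _derive_password(secret, username)


def parse_rest_username(username: str) -> Optional[int]:
    """Return the expiry timestamp if `username` is in REST-API form, else None.

    A static name such as 'nobody' has no timestamp prefix and returns None.
    """
    expiry, sep, _ = username.partition(":")
    if not sep or not expiry.isdigit():
        return None
    return int(expiry)


def check_turn_credentials(secret: str, username: str, password: str,
                           now: Optional[int] = None) -> Tuple[bool, str]:
    """Model of the server-side check: returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    expiry = parse_rest_username(username)
    if expiry is None:
        # No timestamp: nothing to derive the password from. A static
        # user= entry is not what this mode consults.
        return False, f"Cannot find credentials of user <{username}>"
    if expiry <= now:
        # The expiry is part of the username, so a captured credential pair
        # stops working on its own; no server-side revocation is needed.
        return False, "credentials expired"
    if not hmac.compare_digest(_derive_password(secret, username), password):
        return False, "error 401: Unauthorized"
    return True, "ok"


if __name__ == "__main__":
    # Made-up secret; in practice it is the `openssl rand -hex 16` value
    # from turnserver.conf, shared with the application server.
    SECRET = "0123456789abcdef0123456789abcdef"
    user, pwd = make_turn_credentials(SECRET, "a8675769-9280-4ab7-ab37-d271e8e5cadb")
    print("trickle-ice username:", user)
    print("trickle-ice password:", pwd)
    print(check_turn_credentials(SECRET, user, pwd))
    print(check_turn_credentials(SECRET, "nobody", "PASSWORD"))
```

To test a `use-auth-secret` server with the trickle-ice page, run the script with the real secret and paste the printed username/password pair before its TTL elapses; the pair is only as secret as `static-auth-secret` itself, which is why that value belongs on the TURN host and the application server and nowhere else.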