Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't get built-in STUN/TURN server to work #113

Open
gabriel-eladi opened this issue May 29, 2024 · 6 comments
Open

Can't get built-in STUN/TURN server to work #113

gabriel-eladi opened this issue May 29, 2024 · 6 comments

Comments

@gabriel-eladi
Copy link

gabriel-eladi commented May 29, 2024
edited by badlop
Loading

Hello! I recently installed and set up the docker version of Ejabberd from docker.io/ejabberd/ecs. Here is my docker-compose.yml file:

services:
  ejabberd:
    image: ejabberd/ecs
    container_name: ejabberd
    restart: unless-stopped
    ports:
      - "5222:5222"
      - "5223:5223"
      - "5269:5269"
      - "5280:5280"
      - "5443:5443"
      - "3478:3478" # stun/turn
      - "5349:5349" # stuns/turns
      - "49152-49500:49152-49500" # turn
    volumes:
      - ./config:/home/ejabberd/conf
      - ./db:/home/ejabberd/database
      - ./logs:/home/ejabberd/logs
      - ./upload:/home/ejabberd/upload
    depends_on:
      - ejabberd-postgres

  ejabberd-postgres:
    image: postgres:15-alpine
    container_name: ejabberd-postgres
    restart: unless-stopped
    volumes:
      - ./postgres/data:/var/lib/postgresql/data
      - ./postgres/config:/config/sql
      - ./postgres/docker:/docker-entrypoint-initdb.d
    environment:
      POSTGRES_DB: ejabberd
      POSTGRES_USER: ejabberd
      POSTGRES_PASSWORD: secret-password
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]

All the chat functions seem to work great. I then tried to set up the built-in STUN/TURN server to enable voice and video calls. I added/edited the following in my ejabberd.yml file:

...
certfiles:
...
  - /home/ejabberd/conf/certs/stun-turn/fullchain.pem
  - /home/ejabberd/conf/certs/stun-turn/privkey.pem
...
...
listen:
...
  -
    port: 3478
    transport: udp
    module: ejabberd_stun
    use_turn: true
    ## The server's public IPv4 address:
    turn_ipv4_address: "my-external-ipv4-address"
    ## The server's public IPv6 address:
    # turn_ipv6_address: "2001:db8::3"
    turn_min_port: 49152
    turn_max_port: 49500
  -
    port: 5349
    transport: tcp
    module: ejabberd_stun
    use_turn: true
    tls: true
    turn_ipv4_address: "my-external-ipv4-address"
    turn_min_port: 49152
    turn_max_port: 49500
...
...
modules:
...
  mod_stun_disco:
    secret: my-secret
    services:
      -
        host: my-external-ipv4-address
        port: 3478
        type: stun
        transport: udp
        restricted: false
      -
        host: my-external-ipv4-address
        port: 3478
        type: turn
        transport: udp
        restricted: true
      -
        host: xmpp.mydomain.com
        port: 5349
        type: stuns
        transport: tcp
        restricted: false
      -
        host: xmpp.mydomain.com
        port: 5349
        type: turns
        transport: tcp
        restricted: true
...

I have the following ports forwarded on my router:

  • For XMPP: 5222, 5269, 5443
  • For STUN/TURN: 3478(tcp/udp), 5349(tcp/udp), 49152-49500(udp)

I also have the following DNS records set up:

+ A            | mydomain.com                                  | my-external-ipv4-address
+ CNAME | *.mydomain.com                               | mydomain.com
+ SRV        | _stun._tcp.xmpp.mydomain.com   | 0 0 3478 xmpp.mydomain.com
+ SRV        | _stun._udp.xmpp.mydomain.com | 0 0 3478 xmpp.mydomain.com
+ SRV        | _stuns._tcp.xmpp.mydomain.com | 0 0 5349 xmpp.mydomain.com
+ SRV        | _turn._tcp.xmpp.mydomain.com   | 0 0 3478 xmpp.mydomain.com
+ SRV        | _turn._udp.xmpp.mydomain.com | 0 0 3478 xmpp.mydomain.com
+ SRV        | _turns._tcp.xmpp.mydomain.com | 0 0 5349 xmpp.mydomain.com

I haven't been able to get the STUN/TURN server to work. Any advice would be greatly appreciated!

It is also worth noting that I have a Nginx Proxy Manager reverse proxy setup that manages my SSL certificates and through which all the HTTP/HTTPS traffic gets routed. However, the XMPP and STUN/TURN traffic should not get routed through it since (as far as I'm aware) they don't use ports 80/443.
@sando38
Copy link

sando38 commented Jul 22, 2024

Hi, I think your docker-compose.yml is not correct. You need to open the UDP ports for TURN to work:

old:

    ports:
      - "5222:5222"
      - "5223:5223"
      - "5269:5269"
      - "5280:5280"
      - "5443:5443"
      - "3478:3478" # stun/turn
      - "5349:5349" # stuns/turns
      - "49152-49500:49152-49500" # turn

new:

    ports:
      - "5222:5222"
      - "5223:5223"
      - "5269:5269"
      - "5280:5280"
      - "5443:5443"
      - "3478:3478/udp" # stun/turn
      - "5349:5349" # stuns/turns
      - "49152-49500:49152-49500/udp" # turn

@gabriel-eladi
Copy link
Author

Unfortunately, that still doesn't work. :/

@sando38
Copy link

sando38 commented Jul 24, 2024

Although not recommended from Docker best practices, could you give it a try to run it in the host network instead with Docker port forwarding? (although I am not convinced it is the problem).

instead of the ports definition in the docker-compose.yml, can you use:

   network_mode: "host"

@gabriel-eladi
Copy link
Author

Just tried it, and that doesn't seem to work either.

My tests involved starting video calls between two different accounts on different devices and different networks, a PC running Gajim and an Android phone running Conversations. I also tried testing the STUN/TURN server using the Trickle ICE test with negative results in all configurations.

It is possible that I am doing something wrong with the configuration outside of Ejabberd (DNS or port forwarding), but I've tried all the ideas I had and double-checked everything and nothing worked.

I might try setting up a Coturn server, making sure it actually works with the ICE test, then configuring Ejabberd to use it, either temporarily (to see if the problem lies with docker-ejabberd or with my external configuration) or as a permanent solution.

If anyone has any pointers of where I might be doing something wrong or any advice, that would be greatly appreciated.

@sando38
Copy link

sando38 commented Jul 25, 2024
edited
Loading

Hm.. I will need to test it myself locally, because I do not spot anything obvious in your configuration.
You may also try https://github.com/processone/eturnal/blob/master/doc/CONTAINER.md which uses the same stun library as ejabberd. There is also a quick-start example for simple connectivity tests with trickle ICE and else.

P.S. I tested icetest.info with the following podman command:

podman run --rm --name ejabberd -d -p 3479:3478/udp -v $PWD/ejabberd.yml:/home/ejabberd/conf/ejabberd.yml docker.io/ejabberd/ecs

For ejabberd.yml I just used a copy w/o modification from here.

When configuring icetest with stun:203.0.113.3:3479 I have a positive STUN response. TURN I could not yet test.

P.S. 2:

I added the following auth_type: anonymous for basic testing into my ejabberd.yml stun listener:

  -
    port: 3478
    ip: "::"
    transport: udp
    module: ejabberd_stun
    use_turn: true
    auth_type: anonymous

When running icetest.info with URL: turn:203.0.113.3:3479 Username: abc Credential: abc I can obtain relay candidates.

Note: 203.0.113.3 is my public IP address -> turn_ipv4_address .

@gabriel-eladi
Copy link
Author

Thank you. I will go over my configuration one more time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gabriel-eladi @sando38