This is a reported post for a post in the topic "Jitsi and a turnserver" (post 953), by LethalProtector

Hi,

I have a customer that is not able to send or receive audio or video when he uses my Jitsi installation from his PC. He can use Google Meet with me fine: so his setup can work with WebRTC.

It seems that the problem is that my jitsi implementation tries to send media packets via high numbered UDP ports and many restrictive firewalls will not allow that. What is needed is a solution so that a restricted client can do all of their Jitsi meeting business over an openable port, likely port 443.

The orthodox position seems to be that Jitsi can 'fall back' to the use of a turnserver. This server communicates with the client over trusted ports like 443, before sending the data on to the videobridge as UDP packets, which are then returned to the turnserver etc.

There are guides such as this one: https://jitsi.github.io/handbook/docs/devops-guide/turn/ but I find that any guides on this topic are frequently incomplete.

One requirement is that user credentials are ephemeral:

"The usage of ephemeral credentials ensures that access to the TURN server can be controlled even if the credentials can be discovered by the user. Jitsi Meet can fetch the TURN credentials from the XMPP server via XEP-0215 and this is configured by default using mod_external_services."

but I have not been able to get my implementation working.

I have a turnserver on one machine. xmpp (prosody), the videobridge etc. on another as per Jacob's excellent guide. Let's call that machine the jitsi server. Both are on Amazon Lightsail instances.

To be clear, calls work in all circumstances except in a restricted environment.

Using a Python script on the jitsi server I can generate ephemeral credentials on the command line. These can then be entered into a tool such as Trickle ICE here: https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/

A connection is made with the turnserver and there is packet exchange. This can be observed from the turnserver logs.

The websocket specified in jvb.conf can be tested successfully from a client using wscat. A dialogue is opened.

My problem is that in a restricted environment, jitsi does not seem to be trying to use the turnserver. I see no communication logged in the turnserver log or jvb.log.

Testing this is especially problematic due to the need for another operator to test outside peer to peer mode.

In my example, I have a Jitsi installation 'behind' nginx. I have a domain myturnserver-example.com with an A record that points to the IP address of my jitsi server. Via the .conf file in nginx, traffic to port 443 of myturnserver-example.com is sent to port 5349 (tls port) at the IP address of my turnserver lightsail instance. These port numbers and IP addresses match my turnserver.conf file.

Having written that out and thinking about it, it would make sense that any traffic intended from my jitsi server for my turnserver must be sent, not to the domain attributed to the turnserver in the A record, but to the IP address of the turnserver. Thus a configuration like that suggested in the guide above only works if the turnserver and xmpp are on the same machine, thus the domain resolves to the same IP address.

Any ideas please fire them over. Thanks in advance.

LethalProtector
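Added example, not part of LethalProtector's post or of the Jitsi handbook: a sketch of how ephemeral TURN credentials are derived and checked, assuming the shared-secret scheme (username is the expiry timestamp, password is the base64 HMAC-SHA1 of that username), which is the scheme coturn applies with `use-auth-secret`. The function names and the secret are hypothetical placeholders; the point is that the XMPP host and the turnserver must hold the same secret and roughly agreeing clocks, or every credential is rejected.

```python
import base64
import hashlib
import hmac
import time


def _sign(secret, username):
    """base64(HMAC-SHA1(secret, username)), as bytes."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest())


def make_turn_credentials(secret, ttl=3600, now=None, user=""):
    """Return (username, password) valid for ttl seconds from now."""
    expiry = int(time.time() if now is None else now) + ttl
    # The username carries the expiry time, optionally followed by ":<user id>".
    username = f"{expiry}:{user}" if user else str(expiry)
    return username, _sign(secret, username).decode()


def check_turn_credentials(secret, username, password, now=None):
    """Mirror the server-side decision and say why a credential fails."""
    now = time.time() if now is None else now
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return "malformed username"
    # Constant-time comparison of the recomputed and presented passwords.
    if not hmac.compare_digest(_sign(secret, username), password.encode()):
        return "secret mismatch"
    if expiry < now:
        return "expired"
    return "ok"


if __name__ == "__main__":
    SECRET = "example-shared-secret"  # constructed placeholder, not a real secret
    name, pw = make_turn_credentials(SECRET, ttl=600)
    print("username:", name)
    print("password:", pw)
    # Same secret on both hosts: accepted.
    print(check_turn_credentials(SECRET, name, pw))
    # Different secret on the turnserver host: rejected.
    print(check_turn_credentials("other-secret", name, pw))
```

Running the check on the turnserver host with that host's configured secret separates a secret or clock mismatch from a routing problem such as the nginx/DNS layout described in the post.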