BBB and Coturn behind same FW/NAT

Tomaž Turk

Feb 23, 2022, 6:57:14 AM
to BigBlueButton-Setup
Hi,

I'd like to have BBB installed on premises, that means behind firewall and NAT, and also a TURN server, if possible behind the same firewall and NAT. 

I first tried to have a working BBB/Coturn team where Coturn is somewhere in the cloud, and succeeded in doing that. For that purpose I installed Coturn on the Ubuntu 20.04 virtual box in the cloud with

wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -c turnoncloud.mydomain.co:mysecret -e mye...@gmail.com

and then set up my "on premises" firewall and NAT according to guidelines - specifically, I implemented port forwarding, tested it, together with hairpin NAT which works (tested with netcat -4 -l 80 & netcat -4 bbb.mydomain.co 80, also for ports TCP/443 and UDP/16384-32768).

Then I installed BBB on premises (behind on premises firewall) with

wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -w -g -v bionic-24 -s bbb.mydomain.co -e mye...@gmail.com -c turnoncloud.mydomain.co:mysecret

In this setup, BBB runs as it should. I also tried it out according to guidelines and in practice with users behind a restrictive firewall. It uses the Coturn server in the cloud.

Then I installed a second Coturn server on a separate Ubuntu server, behind the same firewall/NAT where the BBB server resides. For this machine, the hairpin NAT also works as it should. I once again used the same bbb-install.sh utility like:

wget -qO- https://ubuntu.bigbluebutton.org/bbb-install.sh | bash -s -- -c turnathome.mydomain.co:mysecret -e mye...@gmail.com

I then changed the stun/turn references in files 

/usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml
/etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini

(according to BBB and Kurento guidelines)

The BBB works for all non-restricted users, both on-premises and from the internet, BUT the restricted users get the infamous ICE 1007 error message. The Coturn works flawlessly for all the STUN/TURN requests coming from on premises clients and from those on the internet. However, if I test it from the BBB server like

stunclient --mode full --localport 30000 turn.bibi.si 3478

all three tests fail. 

Checking the BBB system I noticed that while installing BBB a dummy NIC was automatically added to the Ubuntu with external IP address (as described in guidelines). If I remove that NIC and restart BBB, it starts OK without any errors reported. Also the above stunclient test works. However, in this setup all the clients get the ICE 1002 error message (even non restricted users) when they try to connect with audio, so BBB fails generally.

I'm confused, since despite the fact that I have working hairpin NAT the dummy NIC gets "installed", and it obviously messes with BBB/Coturn communication. 

I'd appreciate any clues of how to set up BBB and Coturn behind the same FW/NAT.

Thanks, 
Tomaz
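A diagnostic for the situation described in the post, added here as an example and not part of the original message: it checks whether the IPv4 address the TURN hostname resolves to is also bound to a local interface on the BBB host (such as the dummy NIC), in which case Linux delivers packets for that address locally and they never reach the firewall for hairpin NAT. It assumes BBB and Coturn are published on the same external address; the function names are hypothetical and the sample `ip` output uses constructed documentation addresses.

```shell
#!/usr/bin/env bash
# Added example, not from the original post.

# Print "iface addr" pairs from `ip -o -4 addr show` output read on stdin.
parse_ip_addrs() {
    awk '$3 == "inet" { split($4, a, "/"); print $2, a[1] }'
}

# ifaces_holding <ipv4>   (reads `ip -o -4 addr show` output on stdin)
# Prints every interface that holds <ipv4>; returns 1 when none does.
ifaces_holding() {
    local target=$1 found
    found=$(parse_ip_addrs | awk -v t="$target" '$2 == t { print $1 }')
    [ -n "$found" ] || return 1
    printf '%s\n' "$found"
}

# Resolve a hostname to its first IPv4 address with the system resolver.
resolve_ipv4() {
    getent ahostsv4 "$1" | awk 'NR == 1 { print $1 }'
}

# check_turn <turn-ipv4> [ip-output]
# Without a second argument the live interface list of this host is used.
# LOCAL  = address is bound on this host, traffic to it stays on the box.
# REMOTE = address is not local, traffic leaves via the routing table.
check_turn() {
    local addr=$1 out=${2:-$(ip -o -4 addr show)} ifs
    if ifs=$(printf '%s\n' "$out" | ifaces_holding "$addr"); then
        echo "LOCAL $addr $ifs"
    else
        echo "REMOTE $addr"
    fi
}

# Constructed sample: a BBB host with a LAN address and a dummy NIC that
# carries the external address (203.0.113.10 is a documentation address).
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: ens3    inet 192.168.1.20/24 brd 192.168.1.255 scope global ens3\       valid_lft forever preferred_lft forever
3: dummy0    inet 203.0.113.10/32 scope global dummy0\       valid_lft forever preferred_lft forever'

# Live use on the BBB server (hostname taken from the post):
#   check_turn "$(resolve_ipv4 turnathome.mydomain.co)"
```

A `LOCAL` result for the TURN address on the BBB host means a `stunclient` test from that host is answered (or dropped) by the host itself rather than by Coturn.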