BigBlueButton Turn and DTLS
293 views
Skip to first unread message
Thierry Kauffmann
Sep 24, 2020, 5:52:44 AM9/24/20
to BigBlueButton-Setup
Hi,
The official BigBlueButton documentation recommends tu setup a stun server on port 3478/udp (stun protocole) and a turn server on port 443/tcp with DTLS enabled (turns protocole). (https://docs.bigbluebutton.org/2.2/setup-turn-server.html#required-ports)
I would recommend to pass all traffic throuhg port 443/tcp since in most cases port 443/tcp will be open in firewalls but not port 3478/udp. So I would recommend the following instead :
in file /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml :
...
<bean id="stun1" class="org.bigbluebutton.web.services.turn.StunServer">
<constructor-arg index="0" value="stun:turn.example.com:443"/>
</bean>
<bean id="stun1" class="org.bigbluebutton.web.services.turn.StunServer">
<constructor-arg index="0" value="stun:turn.example.com:443"/>
</bean>
...
<bean id="turn1" class="org.bigbluebutton.web.services.turn.TurnServer">
<constructor-arg index="0" value="<yourChosen/GeneratedTurnSecret>"/>
<constructor-arg index="1" value="turn:turn.example.com:443?transport=tcp"/>
<constructor-arg index="2" value="86400"/>
</bean>
<constructor-arg index="0" value="<yourChosen/GeneratedTurnSecret>"/>
<constructor-arg index="1" value="turn:turn.example.com:443?transport=tcp"/>
<constructor-arg index="2" value="86400"/>
</bean>
...
I propose to use turn protocole (no-dtls) instead of turns since I think voice and video traffic is already encrypted end-to-end so using DTLS is an overhead. Please confirm that traffic is actually encrypted and-to-end !
In accordance, CoTurn could be setup the following (easy) way :
----
listening-port=443
fingerprint
lt-cred-mech # Only on coTURN below v4.5.0.8!
use-auth-secret
static-auth-secret=<yourChosen/GeneratedSecret>
realm=your.domain.org
----------------
You then only need to open port 443/tcp and 49152-65535/udp on the turn server to have it work correctly in every situations with BigBlueButton.
I tested this configuration successfully on a virtual machine that was configured to only allow 443/tcp outbounds (and 53/udp for DNS requests).
Kind regards,
Thierry
Mohammed Ali
Sep 28, 2020, 9:32:11 AM9/28/20
to BigBlueButton-Setup
Hello Thierry,
Did you test this in production, I have a heavy production I wanted to see if this can help me.
As sometime after upgrading to the 2.2.25, the servers is showing "connecting .." and sometime fail with timeout error.
but in the same time "https://test.bigbluebutton.org/" is working fine with my client.
I thought the problem might be from the turn, stun server.
Best Regrades
Mohammed
Thierry Kauffmann
Sep 30, 2020, 11:12:31 AM9/30/20
to BigBlueButton-Setup
Hi Mohammed,
I haven't tested this in production yet but will very soon.
I confirm already that it is working well since my client tested it successfully too.
Kind regards,
Thierry
Reply all
Reply to author
Forward
0 new messages