internal coturn setup issues (bbb-2.6, bbb-2.7)


dmitri h

Dec 15, 2023, 7:50:23 AM
to BigBlueButton-Setup
hey,

we have issues with firefox in restrictive networks (i.e. no UDP allowed) - audio is simply not connecting, there are no ICE-candidates in 'about:webrtc'.
i suppose this is related to ICE-lite & firefox, as there are no issues establishing an audio connection with chrome with the same bbb-server from the same client.

however, i noticed that in the same network, with the same firefox, audio *does* work, when i change the internal coturn to an external one.
the internal coturn is installed via bbb-install.sh (from http://ppa.launchpad.net/martin-uni-mainz/coturn/ubuntu) and is behind ha-proxy. (we have not modified bbb-install.sh).
modifying /etc/bigbluebutton/turn-stun-servers.xml to only offer tcp, port 443 does not help.

the external coturn is a dockerized install (coturn/coturn:4.5.2-alpine) with the following config:

listening-port=3478
tls-listening-port=443
listening-ip=<coturn-ip-address>
relay-ip=<coturn-ip-address>
min-port=32769
max-port=65535
verbose

fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=<secret>
realm=<coturn.domain.tld>

cert=<tls-cert-file>
pkey=<tls-key-file>
cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
dh-file=/etc/dhparam-4096.pem

log-file=/var/log/turnserver/coturn.log
simple-log

keep-address-family

no-cli
no-tlsv1
no-tlsv1_1

denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=::1

denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
# Other IPv4 Special-Purpose addresses
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
# IPv6 Unique-Local
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# IPv6 Link-Local Unicast
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
# Other IPv6 Special-Purpose assignments
denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=64:ff9b:1::-64:ff9b:1:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff


does anybody have an idea how to make firefox successfully use the internal coturn-server?

thanks!
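
Added example, not part of the original post and not coturn's own code: a small Python audit of the `denied-peer-ip` lines in the config above, checking which peer addresses the relay would refuse to reach. `CONFIG` is a constructed excerpt of that list, the probe addresses are constructed samples, and treating each range as inclusive is an assumption about how the option is interpreted.

```python
import ipaddress

# Constructed excerpt of the denied-peer-ip list from the config in the post.
CONFIG = """\
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=::1
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
# IPv6 Unique-Local
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=::ffff:0:0-::ffff:ffff:ffff
"""

def parse_denied(text):
    """Return (first, last) address pairs for every denied-peer-ip line."""
    ranges = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line.startswith("denied-peer-ip="):
            continue
        value = line.split("=", 1)[1]
        # IP literals never contain '-', so the first '-' splits the range.
        first, _, last = value.partition("-")
        lo = ipaddress.ip_address(first)
        hi = ipaddress.ip_address(last) if last else lo  # single address
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {value}")
        ranges.append((lo, hi))
    return ranges

def is_denied(peer, ranges):
    """True if peer falls inside any range (inclusive, same address family)."""
    addr = ipaddress.ip_address(peer)
    return any(lo.version == addr.version and lo <= addr <= hi
               for lo, hi in ranges)

def unblocked(probes, ranges):
    """Return the probe addresses the deny list does not cover."""
    return [p for p in probes if not is_denied(p, ranges)]

RANGES = parse_denied(CONFIG)
# Constructed probes: internal and metadata-style addresses, one address
# just past the 172.16.0.0-172.31.255.255 block, and one public address.
PROBES = ["127.0.0.1", "10.1.2.3", "172.31.255.255", "172.32.0.1",
          "169.254.169.254", "::1", "fd00::1", "::ffff:10.0.0.1", "8.8.8.8"]

if __name__ == "__main__":
    print("not covered by deny list:", unblocked(PROBES, RANGES))
```

The IPv4-mapped probe `::ffff:10.0.0.1` is only caught by the `::ffff:0:0-::ffff:ffff:ffff` line, not by the IPv4 `10.0.0.0` range, which is why the config lists both.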

dmitri h

Dec 18, 2023, 5:43:29 AM
to BigBlueButton-Setup
heyhey,

i've also just tested to get an audio connection on demo.bigbluebutton.org / test27.bigbluebutton.org. it also does not work.
connecting from firefox 115.5.0 esr, which is in a restrictive network setup (no UDP allowed), the 'Connecting audio...' popup disappears and then the audio-button is greyed out.
as written before, i can get an audio connection when using an external coturn.
therefore i assume that there is an issue with coturn and/or haproxy when installed via bbb-install.sh

is anyone experiencing the same problem and knows a solution besides using the external coturn?

thanks!