Turn Server Setup for Jitsi on Ubuntu 20.04 LTS

Turn Server Setup

Setting up the Firewall

Making sure your firewall allows the necessary communication is a good first step. Make sure the following ports are open:

22/tcp
80/tcp
443/tcp
5349/tcp
3478/udp
10000/udp

Installing the Coturn Server

Start by switching to root and installing coturn:

sudo su
apt-get -y update &&
apt-get -y install coturn

Then enable the service by setting the following line in /etc/default/coturn:

nano /etc/default/coturn
TURNSERVER_ENABLED=1

and check that it is running:

systemctl status coturn

Creating Certificates

Particularly restrictive firewalls may allow traffic only through 443/tcp. Therefore, it’s very important to configure our TURN server with an SSL certificate.

Install certbot, then request a certificate for the TURN hostname and register a deploy hook (the coturn-certbot-deploy.sh script copied from /root) so that renewed certificates are picked up by coturn:

sudo apt-get -y update &&
sudo apt-get -y install software-properties-common &&
sudo add-apt-repository -y universe &&
sudo add-apt-repository -y ppa:certbot/certbot &&
sudo apt-get -y update &&
sudo apt-get -y install certbot

DOMAIN="your.domain.com" &&
EMAIL="your@email.com" &&
TURN_HOOK=/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh &&
mkdir -p /etc/letsencrypt/renewal-hooks/deploy &&
cp /root/coturn-certbot-deploy.sh $TURN_HOOK &&
chmod u+x $TURN_HOOK &&
sed -i "s/jitsi-meet.example.com/$DOMAIN/g" $TURN_HOOK &&
/usr/bin/certbot certonly --noninteractive \
  --standalone \
  -d $DOMAIN \
  --agree-tos --email $EMAIL \
  --deploy-hook $TURN_HOOK

Configuring the Coturn Server

As ever, back up the original file before writing the new configuration:

mv /etc/turnserver.conf /etc/turnserver.conf_backup &&
touch /etc/turnserver.conf &&
nano /etc/turnserver.conf

Put the following into /etc/turnserver.conf (replace yourauthsecret and your.turnserver.com with your own values):

use-auth-secret
keep-address-family
static-auth-secret=yourauthsecret
realm=your.turnserver.com
cert=/etc/letsencrypt/live/your.turnserver.com/cert.pem
pkey=/etc/letsencrypt/live/your.turnserver.com/privkey.pem
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-port=443
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
verbose
log-file="/var/log/turnserver/turnserver.log"
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255

The denied-peer-ip lines stop the relay from being used to reach private, loopback, link-local and other non-routable ranges behind the server. Finally, create the log directory and restart coturn:

mkdir -p /var/log/turnserver/
systemctl restart coturn
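The configuration above sets several options that matter for safety rather than connectivity (shared-secret auth, no TLS 1.0/1.1, no CLI, no relaying to loopback/multicast, denied-peer-ip for internal ranges). It is easy to lose one of them when editing the file later, so here is a small lint script, added as an example and not part of the original post or of coturn, that parses a turnserver.conf and reports which of those settings are missing. The sample configuration embedded in it is constructed and deliberately leaves out no-cli and the 192.168.0.0/16 range while keeping the placeholder secret; the option names are the real coturn keywords used above.

```python
"""Lint a coturn turnserver.conf for the hardening options this guide sets.

Added example, not part of the original post or of coturn itself.
"""
import ipaddress

# Bare keywords the guide's configuration enables; their absence is a finding.
REQUIRED_FLAGS = (
    "use-auth-secret",
    "no-cli",
    "no-tlsv1",
    "no-tlsv1_1",
    "no-multicast-peers",
    "no-loopback-peers",
)

# Address blocks a relay should never be able to reach on the server's behalf.
REQUIRED_DENIED = (
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
    "127.0.0.0/8",
    "169.254.0.0/16",
    "100.64.0.0/10",
)

# Constructed sample modelled on the configuration above, with three gaps:
# no-cli is missing, 192.168.0.0/16 is not denied, and the secret is the placeholder.
SAMPLE_CONF = """\
use-auth-secret
static-auth-secret=yourauthsecret
realm=turn.example.invalid
listening-port=443
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
no-multicast-peers
no-loopback-peers
log-file="/var/log/turnserver/turnserver.log"
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255   # loopback
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
"""


def parse_conf(text):
    """Return (flags, options): bare keywords, and key -> list of values."""
    flags, options = set(), {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # coturn uses '#' for comments
        if not line:
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            options.setdefault(key.strip(), []).append(value.strip().strip('"'))
        else:
            flags.add(line)
    return flags, options


def parse_range(value):
    """'a.b.c.d-w.x.y.z' or a single address -> (first, last) as integers."""
    first, _, last = value.partition("-")
    lo = int(ipaddress.ip_address(first.strip()))
    hi = int(ipaddress.ip_address(last.strip())) if last else lo
    return lo, hi


def lint_turnserver_conf(text):
    """Return a list of human-readable findings; an empty list means all checks passed."""
    flags, options = parse_conf(text)
    findings = []
    for flag in REQUIRED_FLAGS:
        if flag not in flags:
            findings.append(f"missing option: {flag}")
    if options.get("static-auth-secret") == ["yourauthsecret"]:
        findings.append("static-auth-secret still set to the placeholder value")
    denied = [parse_range(v) for v in options.get("denied-peer-ip", [])]
    for cidr in REQUIRED_DENIED:
        net = ipaddress.ip_network(cidr)
        lo, hi = int(net.network_address), int(net.broadcast_address)
        # covered only if one denied range contains the whole block
        if not any(dlo <= lo and hi <= dhi for dlo, dhi in denied):
            findings.append(f"denied-peer-ip does not cover {cidr}")
    if "cert" in options and "pkey" not in options:
        findings.append("cert set but pkey missing")
    return findings


if __name__ == "__main__":
    for finding in lint_turnserver_conf(SAMPLE_CONF) or ["no findings"]:
        print(finding)
```

To run it against a live server, read /etc/turnserver.conf into a string and pass it to lint_turnserver_conf; the checks are coverage checks on ranges, so a configuration that denies a larger block than the one listed still passes.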

Testing the Coturn Server

In order to test your installation, you first need to create a time-limited user by running the following commands. The username is an expiry timestamp and the password is its HMAC-SHA1 under the shared secret, so secret must be set to the same value as static-auth-secret in turnserver.conf:

secret=mysecret &&
time=$(date +%s) &&
expiry=8400 &&
username=$(( $time + $expiry )) &&
echo username:$username &&
echo password : $(echo -n $username | openssl dgst -binary -sha1 -hmac $secret | openssl base64)
username:1609160897
password :ocmsH9uf+XM1dXJlOWVMWn4hBrA=
Then test the server with these credentials using the Trickle ICE sample page: https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
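The openssl one-liner above implements coturn's time-limited credential scheme (the TURN REST API style that use-auth-secret expects): the username carries a Unix expiry time, optionally followed by ":user", and the password is base64(HMAC-SHA1(secret, username)). The following Python version is an added example, not code from the original post or from coturn; it reproduces that scheme so a Jitsi operator can mint credentials from an application and, more usefully, verify a presented credential the way the server does, including the expiry check. The secret and timestamps are constructed values.

```python
"""Time-limited TURN credentials in the format coturn's use-auth-secret mode expects.

Added example, not part of the original post or of coturn itself.
    username = "<unix expiry>[:<user id>]"
    password = base64(HMAC-SHA1(secret, username))
"""
import base64
import hashlib
import hmac
import time


def _sign(secret, username):
    """base64 of HMAC-SHA1 over the username, keyed with the shared secret."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_credentials(secret, ttl_seconds=86400, user_id=None, now=None):
    """Return (username, password) valid for ttl_seconds from `now` (default: current time)."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + int(ttl_seconds)
    username = f"{expiry}:{user_id}" if user_id else str(expiry)
    return username, _sign(secret, username)


def verify_credentials(secret, username, password, now=None):
    """True only if the password is the correct HMAC for this username and the expiry is still in the future."""
    now = int(time.time()) if now is None else int(now)
    expiry_field = username.split(":", 1)[0]
    if not expiry_field.isdigit():
        return False  # malformed username: no expiry to enforce
    # constant-time comparison so the check does not leak the expected MAC byte by byte
    if not hmac.compare_digest(_sign(secret, username), password):
        return False
    return int(expiry_field) > now


if __name__ == "__main__":
    # constructed secret and time; in practice use the static-auth-secret from turnserver.conf
    secret = "constructed-secret"
    user, pw = make_credentials(secret, ttl_seconds=8400, user_id="alice")
    print("username:", user)
    print("password:", pw)
    print("valid now:", verify_credentials(secret, user, pw))
    print("valid in a day:", verify_credentials(secret, user, pw, now=time.time() + 86400))
```

The expiry comparison uses strict "greater than", so a credential is rejected from the instant of its timestamp; keep the TTL short (the 8400 seconds used above is a little over two hours) since anyone holding the pair can relay through your server until it expires.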

Jitsi Configuration

Now that we have a working TURN server (if it all goes swimmingly), we need to make sure Jitsi recognizes it.

Prosody Configuration

First, connect to your main Jitsi instance, and edit the prosody configuration.

nano /etc/prosody/conf.avail/your.jitsi.server.cfg.lua

Set the shared secret to the same value as static-auth-secret in turnserver.conf, list the TURN server above the VirtualHost block, and enable the turncredentials module inside it:

turncredentials_secret = "yourauthsecret";
turncredentials = {
  { type = "stun", host = "your.turnserver.com", port = "443" },
  { type = "turn", host = "your.turnserver.com", port = "443", transport = "udp" },
  { type = "turns", host = "your.turnserver.com", port = "5349", transport = "tcp" }
};

VirtualHost "your.jitsi.server"

modules_enabled = {
  "bosh";
  "pubsub";
  "turncredentials"; -- enable turnserver
}

Then restart prosody:

systemctl restart prosody

Jitsi Meet Configuration

Head into /etc/jitsi/meet/your.jitsi.server-config.js and make sure both instances of the following line are set to true. There are indeed two instances: one governs p2p connections, while the other deals with the bridge.

useStunTurn: true,

Videobridge Configuration

Connect to your Videobridge instance, add the following line to /etc/jitsi/videobridge/sip-communicator.properties, and restart the bridge:

org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true
systemctl restart jitsi-videobridge2

Testing the Whole Hog

At this point, you are ready to make use of a TURN server. In order to test, start by creating a meeting, like you normally would. If you don't have any participants who can join from behind a firewall, most household modems come with a simple firewall: you may try to block your own 10000/udp port in order to simulate a corporate one.

I struck out the IPs, but it should display yours in the red part.
