TURN Server Setup for Jitsi on Ubuntu 20.04 LTS

After setting up Jitsi Meet, you may be left with connectivity issues rearing their heads whenever a participant tries to join from behind a firewall, or if you are behind a firewall yourself.

You may want to set up a TURN server to overcome such problems. A TURN server is, in practice, a server that both endpoints can reach and use to relay traffic between them. It receives traffic from the participant on 443/tcp and relays it to the videobridge. In this guide, we’ll detail how to go about doing just that.

TURN Server Setup

Making sure your firewall allows the necessary communication is a good first step to start with. Make sure the following ports are open;

Start by switching to root;

Install coturn;

Edit the /etc/default/coturn file so that the Coturn server starts automatically when the instance reboots.

Uncomment the following line by removing the # at the beginning, so that Coturn runs as an automatic system service daemon.

Check if Coturn is running;

Particularly restrictive firewalls may allow traffic only through 443/tcp. Therefore, it’s very important to configure our TURN server with an SSL certificate.

Install certbot;

Now create certificates;

Copy /usr/share/jitsi-meet-turnserver/coturn-certbot-deploy.sh from your JMS to your Coturn instance as /root/coturn-certbot-deploy.sh.

Then run the following commands;

As ever, creating a backup of the original file before creating a new configuration is recommended.

The content of the /etc/turnserver.conf file will be as follows;

use-auth-secret enables time-limited credentials: Prosody uses the secret we’ve defined as static-auth-secret to generate TURN usernames and passwords.
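The credential scheme behind use-auth-secret, as an added example (not code from the original post, coturn or Prosody): the username is an expiry timestamp and the password is base64(HMAC-SHA1(static-auth-secret, username)). The secret value and the function names turn_password, issue and check are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed sample value. In a real deployment this is the static-auth-secret
# from /etc/turnserver.conf; it stays on the servers and never reaches a browser.
SAMPLE_SECRET = "constructed-example-secret"


def turn_password(secret: str, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)): the password for a given username."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def issue(secret: str, ttl: int = 3600, now: Optional[int] = None) -> Tuple[str, str]:
    """Issue a credential pair that expires `ttl` seconds after `now`."""
    now = int(time.time()) if now is None else now
    username = str(now + ttl)  # the username is the expiry as a Unix timestamp
    return username, turn_password(secret, username)


def check(secret: str, username: str, password: str, now: Optional[int] = None) -> str:
    """Classify a credential pair as 'ok', 'expired', 'bad-mac' or 'malformed'."""
    now = int(time.time()) if now is None else now
    stamp = username.split(":", 1)[0]  # "timestamp" or "timestamp:userid"
    if not stamp.isdecimal():
        return "malformed"
    expected = turn_password(secret, username)
    # Constant-time comparison: do not leak how many characters matched.
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return "bad-mac"
    return "ok" if int(stamp) >= now else "expired"


if __name__ == "__main__":
    t0 = 1_600_000_000  # constructed clock value
    user, pw = issue(SAMPLE_SECRET, ttl=3600, now=t0)
    print(user, pw)
    print(check(SAMPLE_SECRET, user, pw, now=t0))         # within lifetime
    print(check(SAMPLE_SECRET, user, pw, now=t0 + 7200))  # after expiry
    print(check("another-secret", user, pw, now=t0))      # wrong secret
```

Because anyone holding the shared secret can mint valid credentials, restrict read access to the files that contain it, and keep the lifetime short so a leaked username/password pair stops working quickly.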

Now create a directory to organize the logs.

Restart your Coturn server;

You can find your logs inside the directory you’ve created if everything goes well.

Testing the Coturn Server

In order to test your installation, you first need to create a user by running the following commands;

You should now be able to see your freshly created credentials in your terminal output. We’ll use the following as a placeholder of sorts;

You can find the Trickle ICE tool at the link below, which we’ll use to test our server;

Enter your STUN or TURN URI (stun:your.turn.server), TURN username (1609160897) and TURN password (ocmsH9uf+XM1dXJlOWVMWn4hBrA=). Click Add Server, then the Gather candidates button, and wait a few seconds for candidate gathering to finish.

If you have done everything correctly, you should see Done as the final result in the Priority column. If you see error messages below the Gather candidates button, you can ignore them as long as you see Done as a result in the Priority column.

Jitsi Configuration

Now that we have a working TURN server (if it all went swimmingly), we need to make sure Jitsi recognizes it.

First, connect to your main Jitsi instance, and edit the Prosody configuration.

Add the following parameters;

You can find yourauthsecret in the TURN server configuration file we went over previously. While you’re in there, also make sure turncredentials is included in modules_enabled.

Don’t forget to restart Prosody after the changes.

Head into /etc/jitsi/meet/your.jitsi.server-config.js and make sure both instances of the following line are set to true. There are indeed two instances: one governs p2p connections, while the other deals with the bridge.

Connect to your Videobridge instance, and add the following line to /etc/jitsi/videobridge/sip-communicator.properties;

With the config parameter above, we turn off the TCP Harvester of JVB and use the TURN server for TCP connections. With this method, JVB will only use UDP. If a participant fails to establish a UDP connection with the bridge, the TURN server will establish a TCP connection with the participant and then relay the media traffic over UDP to the bridge. This is why you need to update the configuration of all your bridges.

Restart the videobridge.

Testing the Whole Hog

At this point, you are ready to make use of a TURN server. In order to test, start by creating a meeting, like you normally would. If you don’t have any participants who can join from behind a firewall, note that most household modems come with a simple firewall. You may try to block your own 10000/udp port in order to simulate a corporate one.

Find the connection symbol on your video, and hover your mouse over it. Clicking Show more should present you with a modal with detailed information about your connection (it may take a second to populate).

I struck out the IPs, but it should display yours in the red part.

If you’re not behind a firewall (meaning you can establish a connection with the videobridge yourself), you should see your own IP address in the Local address section.

If you are prevented from connecting to the bridge yourself, the TURN server takes over. It takes your traffic from 443/tcp and relays it to the videobridge over 10000/udp, which means that, as far as the bridge is concerned, Local address is the IP of the TURN server.

Now you have your new TURN server instance running! If you need support for Jitsi, do not hesitate to contact us at doganbros.com. We provide professional-grade Jitsi consultation services, including installation, integration, development and maintenance support. For your questions and comments, please contribute below.


