Testing and configuring Nextcloud Talk

Today I’ve tried to configure it with a TURN server.

Download and install a TURN server (here we use coturn).

wget http://coturn.net/turnserver/v4.5.0.7/turnserver-4.5.0.7-CentOS7.4-x86_64.tar.gz    # check coturn's release page for latest version
tar xvfz turnserver-4.5.0.7-CentOS7.4-x86_64.tar.gz
cd turnserver-4.5.0.7/
chmod +x install.sh
./install.sh

Prepare some information to configure coturn:

openssl rand -hex 32  # generate a static-auth-secret; example: de187fd1cefc7cd6dade0eee65dfc3c242affe6027574597344be43c467a54ef
config show pki       # get certificate information, otherwise consider generating a specific certificate for turnserver.

Edit turnserver configuration, uncommenting the following settings (not all of them are required):

vi /etc/turnserver/turnserver.conf
# port for plain connection (no TLS)
#listening-port=3478

# TURN listener port for TLS
tls-listening-port=5349

# Uncomment to use fingerprints in the TURN messages
fingerprint

# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
# If lt-cred-mech and user-auth-secret are used at the same time, the latter will override the former.
#lt-cred-mech

# TURN REST API flag for secret-based authentication
# This feature can be used with the long-term authentication mechanism, only.
# secret defined either by static-auth-secret, or found in the turn_secret table in the database
use-auth-secret

# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server will try to use the 'dynamic' value in turn_secret table
# The database-stored value can be changed on-the-fly by a separate program.
#
static-auth-secret=YOUR_SECRET

#The default realm to be used for the users when no explicit origin/realm
#relationship was found in the database. Must be used with long-term
#credentials mechanism or with TURN REST API.
#
realm=server.domain.tld

# Total allocation quota.
total-quota=100

# Maximum server capacity.
# Total bytes-per-second bandwidth the TURN server is allowed to allocate for the sessions
bps-capacity=0

# Uncomment if extra security is desired
stale-nonce=600

# Certificate file (for TLS)
cert=/path/to/your/cert.pem

# Private key file (for TLS)
pkey=/path/to/your/privkey.pem

# Allowed OpenSSL cipher list for TLS/DTLS connections
# (optional) tweak as you need
cipher-list="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# prevent stdout log messages (uncommented by default)
no-stdout-log

# (optional) set the log file name
# warning: set proper file permissions for turnserver
#log-file=/var/log/turnserver/turn.log

# redirect all log output into system log (uncommented by default)
syslog

# no log file rollover will be used, and the log file name
# will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
#
#simple-log

# disallow peers on the loopback addresses
no-loopback-peers

# disallow peers on well-known broadcast addresses
no-multicast-peers

# File name to store the pid of the process. (uncommented by default)
pidfile="/var/run/turnserver/turnserver.pid"

# Turn OFF the CLI support.
# By default it is always ON.
# (optional)
#no-cli

# (optional) Do not allow a TLS/DTLS version of protocol
no-tlsv1
no-tlsv1_1

Open port(s) for turnserver (and forward them if necessary):

config set fw_turnserver service status enabled TCPPort 5349 UDPPort 5349 access public
signal-event firewall-adjust

Start and enable turnserver service:

systemctl enable --now turnserver

Configure Nextcloud Talk:

  • STUN servers: server.domain.tld:5349
  • TURN server: server.domain.tld:5349
  • TURN secret: YOUR_SECRET
  • UDP and TCP

When using TLS, make sure the certificate and private key have the right file permissions for the turnserver user.
It’s easier to start without TLS to check that it is working. Then change to TLS and troubleshoot if problems arise.
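The use-auth-secret / static-auth-secret settings above and the "TURN secret" field in Nextcloud Talk enable the TURN REST API credential scheme: the client never sends the secret itself; it builds a short-lived username ("expiry-timestamp:id") and a password that is the base64 HMAC-SHA1 of that username under the shared secret, and coturn recomputes the same HMAC to accept or reject it. The following is an added Python example, not code from the post, coturn or Nextcloud, that derives such a credential pair and verifies it the way the server side does; the secret value is a constructed placeholder.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

# Constructed placeholder, same shape as `openssl rand -hex 32` output; not a real secret.
STATIC_AUTH_SECRET = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"


def _turn_password(secret: str, username: str) -> str:
    """password = base64(HMAC-SHA1(secret, username)), as in the TURN REST API draft."""
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def make_turn_credentials(secret: str, ttl: int = 3600,
                          now: Optional[int] = None,
                          client_id: Optional[str] = None) -> Tuple[str, str]:
    """Client side (what Nextcloud Talk hands to the browser): ephemeral username/password."""
    now = int(time.time()) if now is None else now
    client_id = secrets.token_hex(8) if client_id is None else client_id
    username = f"{now + ttl}:{client_id}"      # expiry first, then an opaque client id
    return username, _turn_password(secret, username)


def verify_turn_credentials(secret: str, username: str, password: str,
                            now: Optional[int] = None) -> bool:
    """Server side (what coturn does with use-auth-secret): reject expired or
    non-matching credentials; the comparison is constant-time."""
    now = int(time.time()) if now is None else now
    expiry_str, _, _ = username.partition(":")
    try:
        expiry = int(expiry_str)
    except ValueError:
        return False                           # malformed username, no timestamp
    if expiry <= now:
        return False                           # credential has expired
    return hmac.compare_digest(_turn_password(secret, username), password)


if __name__ == "__main__":
    user, pw = make_turn_credentials(STATIC_AUTH_SECRET)
    print(f"username={user}\npassword={pw}")
    print("valid:", verify_turn_credentials(STATIC_AUTH_SECRET, user, pw))
```

A pair produced this way can be fed to coturn's own test client (`turnutils_uclient -u <username> -w <password>` against the server) to confirm the secret configured in turnserver.conf matches the one entered in Nextcloud Talk.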

References:

WebRTC uses the long-term authentication mechanism, so you have to use the -a option (or --lt-cred-mech). WebRTC relaying will not work with anonymous access. With the -a option, do not forget to set the default realm (-r option). You will also have to set up the user accounts, for which you have a number of options:

        a) command-line options (-u).
        b) a database table (SQLite or PostgreSQL or MySQL or MongoDB)
        c) Redis key/value pair(s)
        d) You also can use the TURN REST API. You will need shared secret(s)

Assorted things for your consideration:

  • Can this interfere with FreePBX (does it have a similar feature)?
  • Try if calls are sustained for long time (>30 minutes)
  • Try it through VPN
  • Try internal/external calls
  • Integration with NethServer: make nethserver-coturn package?
  • Security considerations?
  • turnadmin interface?