Testing and configuring Nextcloud Talk

NethServer Version: NethServer release 7.4.1708 (Final)
**Module:**Nextcloud

Hi community,

I wonder if someone tested and/or configured Nextcloud Talk.

On my tests on Nextcloud 13 only works partially on the same lan. Should we install and configure stun/turn server manually?

Beyond that the the screensharing functions does not work.

Thanks in advance!
A.

I think the firewall is blocking webrtc or the connection form the stun server.
@alep @alefattorini, any advice? did you try Nextcloud Talk from public network?

Screensharing is supposed to work natively from Firefox 52+. On Chrome an extension is required.

Yes. And it doesn’t work, local network only. @alep gonna make some tests

1 Like

Me too have done only local tests, sorry.
I hope to try it on the public.

FYI Now it’s working on NC 13!

2 Likes

Please tell us how you get it working and mark it as solved please.

Today I’ve tried to configure it with a TURN server.

Download and install a TURN server (here we use coturn).

wget http://coturn.net/turnserver/v4.5.0.7/turnserver-4.5.0.7-CentOS7.4-x86_64.tar.gz    # check coturn's release page for latest version
tar xvfz turnserver-4.5.0.7-CentOS7.4-x86_64.tar.gz
cd turnserver-4.5.0.7/
chmod +x install.sh
./install.sh

Prepare some information to configure coturn:

openssl rand -hex 32  # generate an static-auth-secret; example: de187fd1cefc7cd6dade0eee65dfc3c242affe6027574597344be43c467a54ef
config show pki       # get certificate information, otherwise consider generating a specific certificate for turnserver.

Edit turnserver configuration, uncommenting the following settings (not all of them are required):

vi /etc/turnserver/turnserver.conf
# port for plain connection (no TLS)
#listening-port=3478

# TURN listener port for TLS
tls-listening-port=5349

# Uncomment to use fingerprints in the TURN messages
fingerprint

# Uncomment to use long-term credential mechanism.
# By default no credentials mechanism is used (any user allowed).
# If lt-cred-mech and user-auth-secret are used at the same time, the latter will override the former.
#lt-cred-mech

# TURN REST API flag for secret-based authentication
# This feature can be used with the long-term authentication mechanism, only.
# secret defined either by static-auth-secret, or found in the turn_secret table in the database
use-auth-secret

# 'Static' authentication secret value (a string) for TURN REST API only.
# If not set, then the turn server will try to use the 'dynamic' value in turn_secret table
# The database-stored value can be changed on-the-fly by a separate program.
#
static-auth-secret=YOUR_SECRET

#The default realm to be used for the users when no explicit origin/realm
#relationship was found in the database. Must be used with long-term
#credentials mechanism or with TURN REST API.
#
realm=server.domain.tld

# Total allocation quota.
total-quota=100

# Maximum server capacity.
# Total bytes-per-second bandwidth the TURN server is allowed to allocate for the sessions
bps-capacity=0

# Uncomment if extra security is desired
stale-nonce=600

# Certificate file (for TLS)
cert=/path/to/your/cert.pem

# Private key file (for TLS)
pkey=/path/to/your/privkey.pem

# Allowed OpenSSL cipher list for TLS/DTLS connections
# (optional) tweak as you need
cipher-list="EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"

# prevent stdout log messages (uncommented by default)
no-stdout-log

# (optional) set the log file name
# warning: set proper file permissions for turnserver
#log-file=/var/log/turnserver/turn.log

# redirect all log output into system log (uncommented by default)
syslog

# no log file rollover will be used, and the log file name
# will be constructed as-is, without PID and date appendage.
# This option can be used, for example, together with the logrotate tool.
#
#simple-log

# disallow peers on the loopback addresses
no-loopback-peers

# disallow peers on well-known broadcast addresses
no-multicast-peers

# File name to store the pid of the process. (uncommented by default)
pidfile="/var/run/turnserver/turnserver.pid"

# Turn OFF the CLI support.
# By default it is always ON.
# (optional)
#no-cli

# (optional) Do not allow an TLS/DTLS version of protocol
no-tlsv1
no-tlsv1_1

Open port(s) for turnserver (and forward them if necessary):

config set fw_turnserver service status enabled TCPPort 5349 UDPPort 5349 access public
signal-event firewall-adjust

Start and enable turnserver service:

systemctl enable --now turnserver

Configure Nextcloud Talk:

  • STUN servers: server.domain.tld:5349
  • TURN server: server.domain.tld:5349
  • TURN secret: YOUR_SECRET
  • UDP and TCP

When using TLS, make sure the certificate and private key have the right file permissions for turnserver user.
It’s easier to start without TLS to check it is working. Then change to TLS and troubleshoot if problems arise.

References:

WebRTC uses long-term authentication mechanism, so you have to use -a option (or
–lt-cred-mech). WebRTC relaying will not work with anonymous access. With -a option, do
not forget to set the default realm (-r option). You will also have to set up the user
accounts, for that you have a number of options:

        a) command-line options (-u).
        b) a database table (SQLite or PostgreSQL or MySQL or MongoDB)
        c) Redis key/value pair(s)
        d) You also can use the TURN REST API. You will need shared secret(s)

Assorted things for your consideration:

  • Can this interfere with FreePBX (does it have a similar feature)?
  • Try if calls are sustained for long time (>30 minutes)
  • Try it through VPN
  • Try internal/external calls
  • Integation with NethServer: make nethserver-coturn package?
  • Security considerations?
  • turnadmin interface?
4 Likes

Take a look at https://help.nextcloud.com/t/nextcloud-talk-not-working-with-symmetric-nat/30027

HTH

How can i update to the latest version of coturn.

4.5.1.2

even tried to just install, seems to be different

EPEL repo has 4.5.1.1.

Minimal setup according to https://nextcloud-talk.readthedocs.io/en/latest/TURN/ (without TLS and without configured certs for coturn):

yum install coturn
openssl rand -hex 32

vi /etc/coturn/turnserver.conf
listening-port=3478
fingerprint
use-auth-secret
static-auth-secret=<yourChosen/GeneratedSecret>
realm=server.domain.tld
bps-capacity=0
stale-nonce=600
no-multicast-peers
config set coturn service status enabled TCPPort 3478 UDPPort 3478 access public
signal-event firewall-adjust
systemctl enable --now coturn

Install and configure Nextcloud Talk app:

  • STUN servers: server.domain.tld:3478
  • TURN server: server.domain.tld:3478
    • TURN secret: YOUR_SECRET
    • UDP and TCP

Chat and screen sharing working (LAN/WAN). Video/audio calls not tested.
To be expanded with other settings from conf file and more security options.

Maybe these are other helpful sources:

1 Like

ahem?!
@dnutan what does that mean there?

plain connection (no TLS), different port than the first example. More simple, less things to debug. First example was with TLS and certificate:

TURN listener port for TLS
Certificate file (for TLS)
Private key file (for TLS)
Allowed OpenSSL cipher list for TLS/DTLS connections

It’s easier to start without TLS to check it is working. Then change to TLS and troubleshoot if problems arise.

Then i have been experiencing a very weired phenomena.

With calls on the office environment,
All users connect and see each othe rwith no issue.

But with calls outside people cant see each other.

This is weird beause the server is in the cloud and not local

getting conflict, how can i remove the older one

file /usr/share/man/man1/turnserver.1.gz from install of coturn-4.5.1.1-3.el7.x86_64 conflicts with file fr om package turnserver-4.5.0.7-0.el7.centos.x86_64

EDIT: deleted all folder, then run yum remove turnserver-4.5.0.7-0.el7.centos.x86_64 it worked

@dnutan it works great.

Thank you very much.

now even my other apps work on call.