After setting up Jitsi Meet, you may be left with connectivity issues rearing their heads whenever a participant tries to join from behind a firewall, or if you are behind a firewall yourself.

You may want to set up a TURN server to overcome such problems. A TURN server is practically a server both instances can reach, and use to relay traffic between them. It receives traffic from the participant using 443/tcp, and relays it to videobridge. In this guide, we'll detail how to go about doing just that.

Turn Server Setup

Setting up the Firewall

Making sure your firewall allows the necessary communication is a good first step to start with. Make sure the following ports are open;

22/tcp
80/tcp
80/tcp
443/tcp
5349/tcp
3478/udp
10000/udp

Installing the Coturn Server

Start by switching to root;

sudo su

Install Coturn;

apt-get -y update &&
apt-get -y install coturn

Edit /etc/default/coturn file to start Coturn Server automatically while the instance reboots.

nano /etc/default/coturn

Uncomment the following line by removing the # at the beginning to run Coturn as an automatic system service daemon

TURNSERVER_ENABLED=1

Check if Coturn is running;

systemctl status coturn

Creating Certificates

Particularly restrictive firewalls may allow traffic only through 443/tcp. Therefore, it’s very important to configure our TURN server with an SSL certificate.

Install certbot;

sudo apt-get -y update &&
sudo apt-get -y install software-properties-common &&
sudo add-apt-repository -y universe &&
sudo add-apt-repository -y ppa:certbot/certbot &&
sudo apt-get -y update &&
sudo apt-get -y install certbot

Now create certificates;

Copy /usr/share/jitsi-meet-turnserver/coturn-certbot-deploy.sh in your JMS to your Coturn instance as /root/coturn-certbot-deploy.sh

Then run the following commands;

DOMAIN=”your.domain.com” &&
EMAIL=”your@email.com” &&
EMAIL=”your@email.com” &&
TURN_HOOK=/etc/letsencrypt/renewal-hooks/deploy/0000-coturn-certbot-deploy.sh &&
mkdir /etc/letsencrypt/renewal-hooks/ &&
mkdir /etc/letsencrypt/renewal-hooks/deploy &&
cp /root/coturn-certbot-deploy.sh $TURN_HOOK &&
chmod u+x $TURN_HOOK &&
sed -i “s/jitsi-meet.example.com/$DOMAIN/g” $TURN_HOOK &&
/usr/bin/certbot certonly — noninteractive \
 — standalone \
-d $DOMAIN \
 — agree-tos — email $EMAIL \
— deploy-hook $TURN_HOOK

Configuring the Coturn Server

As ever, creating a backup of the original file before creating a new configuration is recommended

mv /etc/turnserver.conf /etc/turnserver.conf_backup &&
touch /etc/turnserver.conf &&
nano /etc/turnserver.conf

Content of /etc/turnserver.conf file will be as follows;

use-auth-secret
keep-address-family
static-auth-secret=yourauthsecret
realm=your.turnserver.com
cert=/etc/letsencrypt/live/your.turnserver.com/cert.pem
pkey=/etc/letsencrypt/live/your.turnserver.com/privkey.pem
no-multicast-peers
no-cli
no-loopback-peers
no-tcp-relay
no-tcp
listening-port=443
tls-listening-port=5349
no-tlsv1
no-tlsv1_1
verbose
log-file=”/var/log/turnserver/turnserver.log”
cipher-list=ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
denied-peer-ip=0.0.0.0–0.255.255.255
denied-peer-ip=10.0.0.0–10.255.255.255
denied-peer-ip=100.64.0.0–100.127.255.255
denied-peer-ip=127.0.0.0–127.255.255.255
denied-peer-ip=169.254.0.0–169.254.255.255
denied-peer-ip=127.0.0.0–127.255.255.255
denied-peer-ip=172.16.0.0–172.31.255.255
denied-peer-ip=192.0.0.0–192.0.0.255
denied-peer-ip=192.0.2.0–192.0.2.255
denied-peer-ip=192.88.99.0–192.88.99.255
denied-peer-ip=192.168.0.0–192.168.255.255
denied-peer-ip=198.18.0.0–198.19.255.255
denied-peer-ip=198.51.100.0–198.51.100.255
denied-peer-ip=203.0.113.0–203.0.113.255
denied-peer-ip=240.0.0.0–255.255.255.255

use-auth-secret allows us to use time limited credentials, in which the secret we’ve defined as static-auth-secret can be used by Prosody to generate TURN usernames and passwords.

Now create a directory to organize the logs.

mkdir /var/log/turnserver/

Restart your Coturn server;

systemctl restart coturn

You can find your logs inside the directory you’ve created if everything goes well.

Testing the Coturn Server

In order to test your installation, you first need to create a user by running following commands;

secret=mysecret &&
time=$(date +%s) &&
expiry=8400 &&
username=$(( $time + $expiry )) &&
echo username:$username &&
echo password : $(echo -n $username | openssl dgst -binary -sha1 -hmac $secret | openssl base64)

You now should be able to see your freshly created credentials as the output in your terminal. We'll use the following as a placeholder of sorts;

username:1609160897
password :ocmsH9uf+XM1dXJlOWVMWn4hBrA=

You can find the Trickle Ice tool in the link below, which we'll use to test our server;

https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/

Enter your STUN or TURN URI (stun:your.turn.server), TURN username (1609160897), TURN password (ocmsH9uf+XM1dXJlOWVMWn4hBrA=) values. Then click Add Server and then Gather candidates button. Wait a few seconds to Gather candidates to work.

If you have done everything correctly, you should see Done as the final result Priority column. If you see error messages below the Gather candidates button you can ignore them unless you see Done as a result in the Priority column.

Jitsi Configuration

While, now we have a working TURN server (if it all goes swimmingly), we need to make sure Jitsi recognizes it.

Prosody Configuration

First, connect to your main Jitsi instance, and edit the prosody configuration.

nano /etc/prosody/conf.avail/your.jitsi.server.cfg.lua

Add the following parameters;

turncredentials_secret = "yourauthsecret";
turncredentials = {
 { type = "stun", host = "your.turnserver.com", port = "443" },
 { type = "turn", host = "your.turnserver.com", port = "443", transport = "udp" },
 { type = "turns", host = "your.turnserver.com", port = "5349", transport = "tcp" }
};

You can find yourauthsecret in the TURN server configuration file we've previously went over. While you're in there, also make sure turncredentials are included in modules_enabled

VirtualHost "your.jitsi.server"
…
 modules_enabled = {
 "bosh";
 "pubsub";
 "turncredentials"; - enable turnserver
 …
 }

Don't forget to restart Prosody after the changes.

systemctl restart prosody

Jitsi Meet Configuration

Head into /etc/jitsi/meet/your.jitsi.server-config.js and make sure both instances following line are set to true. There are indeed two instances, one governs p2p connections, while other deals with the bridge

useStunTurn: true,

Videobridge Configuration

Connect to your Videobridge instance, and add following line to /etc/jitsi/videobridge/sip-communicator.properties as;

org.jitsi.videobridge.DISABLE_TCP_HARVESTER=true

With the config parameter above, we turn off the TCP Harvester of JVB and use the Turn Server for TCP connections. With this method, JVB will only be using UDP. If a participant fails to establish a UDP connection with the bridge, TURN server will establish a TCP connection with the participant and then will relay the media traffic over UDP to the bridge. So you need to update the configurations of all your bridges. <br> Restart the videobridge

systemctl restart jitsi-videobridge2

Testing the Whole Hog

At this point, you are ready to make use of a TURN server. In order to test, start by creating a meeting, like you normally would. If you haven't any participants who can join behind a firewall, most household modems come with a simple firewall. You may try to block your own 10000/udp port, in order to stimulate a corporate one. Find the connection symbol on your video, and hover your mouse over it. Clicking Show more should present you with a modal with detailed information about your connection (it may take a second to populate). If you're not behind a firewall (meaning you can establish a connection with the videobridge yourself), you should see your own IP address in the Local address section.

If you are prevented from connecting to the bridge yourself, the TURN server takes over. It takes your traffic from 443/tcp, and relays it to the videobridge over 10000/udp. Which means, as far as the bridge is concerned, Local address is the IP of the TURN server.

Now you have your new TURN server instance running! And if you need support for Jitsi do not hesitate to contact us. We are giving professional grade Jitsi consultation service including installation, integration, development and maintenance support.