Many thanks Ali .... this helps ...
On 17/12/2020 07:38, Ali Alhaidary wrote:
>
> /etc/turnserver.conf
>
> ##############################################################
> # These are the two network ports used by the TURN server which the client
> # may connect to. We enable the standard unencrypted port 3478 for STUN,
> # as well as port 443 for TURN over TLS, which can bypass firewalls.
> #listening-ip=104.248.142.226
>
> listening-port=3478
> tls-listening-port=443
>
> server-name=rooms.the5stars.org
> mobility
>
> # If the server has multiple IP addresses, you may wish to limit which
> # addresses coturn is using. Do that by setting this option (it can be
> # specified multiple times). The default is to listen on all addresses.
> # You do not normally need to set this option.
> #listening-ip=104.248.142.226
>
> # If the server is behind NAT, you need to specify the external IP address.
> # If there is only one external address, specify it like this:
> external-ip=104.248.142.226
>
> # If you have multiple external addresses, you have to specify which
> # internal address each corresponds to, like this. The first address is the
> # external ip, and the second address is the corresponding internal IP.
> #external-ip=104.248.142.226/10.0.0.11
> #external-ip=104.248.142.226/10.0.0.12
>
> # Fingerprints in TURN messages are required for WebRTC
> fingerprint
>
> # The long-term credential mechanism is required for WebRTC
> lt-cred-mech
>
> # Configure coturn to use the "TURN REST API" method for validating time-limited credentials.
> # You can generate a new random value by running the command:
> # openssl rand -hex 16
> use-auth-secret
> static-auth-secret=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>
> # user=
> stale-nonce=0
>
> # If the realm value is unspecified, it defaults to the TURN server hostname.
> # You probably want to configure it to a domain name that you control to
> # improve log output. There is no functional impact.
> realm=rooms.the5stars.org
>
> # Configure TLS support.
> # Adjust these paths to match the locations of your certificate files
> cert=/etc/letsencrypt/live/rooms.the5stars.org/fullchain.pem
> pkey=/etc/letsencrypt/live/rooms.the5stars.org/privkey.pem
>
> # Limit the allowed ciphers to improve security
> # Based on https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
> cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
>
> # Enable longer DH TLS key to improve security
> dh2066
>
> # All WebRTC-compatible web browsers support TLS 1.2 or later, so disable
> # older protocols
> no-tlsv1
> no-tlsv1_1
>
> # Log to a single filename (rather than new log files each startup). You'll
> # want to install a logrotate configuration (see below)
> log-file=/var/log/coturn/coturn.log
>
> # To enable single filename logs you need to enable the simple-log flag
> simple-log
>
> proc-user=nobody
> proc-group=nogroup
>
> ##############################################################
>
> On 12/17/20 7:13 AM, Ali Alhaidary wrote:
>>
>> For us, and since I had a long discussion and research, I removed the
>> 'user' entry from all files:
>>
>> /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini
>> /opt/opt510/webapps/openmeetings/WEB-INF/classes/openmeetings.properties
>>
>> /etc/turnserver.conf
>>
>> so we are using only STUN service, all working well....
>>
>> On 12/17/20 7:08 AM, Maxim Solodovnik wrote:
>>>
>>>
>>> On Thu, 17 Dec 2020 at 00:36, kaffeesurrogat
>>> <[email protected]> wrote:
>>>
>>> now i am ashamed, it was me who asked this question a while ago and you
>>> did answer it.
>>>
>>> sorry for that ....
>>>
>>> this means i should leave the line in
>>>
>>> /opt/open510/webapps/openmeetings/WEB-INF/classes/openmeetings.properties
>>>
>>> like this:
>>>
>>> kurento.turn.user=
>>>
>>>
>>> you can put any user-name to this line :)
>>> for ex.
>>>
>>> kurento.turn.user=kaffeesurrogat
>>>
>>> (I guess it can be used while log checking)
>>> or can leave it empty :)
>>>
>>>
>>>
>>> Commenting it out doesn't work .....
>>>
>>> I find some error in openmeetings.log
>>> (Could not resolve placeholder kurento.turn.user .....)
>>> and the webfrontend is not reachable ....
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 16/12/2020 17:12, Maxim Solodovnik wrote:
>>> > I would recommend to remove the `user` from coturn config
>>> > (/etc/turnserver.conf)
>>> > please search mailing lists, I've shared my config (as well as
>>> > others ... :)))
>>> >
>>> > On Wed, 16 Dec 2020 at 22:49, kaffeesurrogat
>>> > <[email protected]> wrote:
>>> >
>>> >
>>> >
>>> > On 16/12/2020 16:39, Maxim Solodovnik wrote:
>>> > >
>>> > >
>>> > > On Wed, 16 Dec 2020 at 21:28, kaffeesurrogat
>>> > > <[email protected]> wrote:
>>> > >
>>> > > Dear list,
>>> > >
>>> > > just trying to understand things a little better.
>>> > >
>>> > > I tried to check if my turn/stun server is working correctly.
>>> > >
>>> > > my turnserver.conf contains the line
>>> > >
>>> > > user=nobody:PASSWORD
>>> > >
>>> > >
>>> > > Why have you added this line to coturn config?
>>> >
>>> > That was mentioned in
>>> >
>>> >
>>> > Installation_SSL_certificates_and_Coturn_for_OpenMeetings_5.1.0_on_Ubuntu_18.04.pdf
>>> >
>>> >
>>> >
>>> >
>>> >
>>> > >
>>> > >
>>> > >
>>> > > Now i'm using
>>> > >
>>> > >
>>> > >
>>> > > https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/
>>> > >
>>> > > to check my turn server.
>>> > >
>>> > > The entries on trickle are:
>>> > >
>>> > > turn:MYIP:3478
>>> > > turn username: nobody
>>> > > turn password: PASSWORD
>>> > >
>>> > >
>>> > > The test result is negative.
>>> > >
>>> > >
>>> > > I guess this is expected
>>> > >
>>> > >
>>> > > My log file shows
>>> > >
>>> > >
>>> ##############################################################
>>> > >
>>> > > 80: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr 149.224.83.188:43949
>>> > > 80: session 002000000000000001: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
>>> > > 80: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr 149.224.83.188:32997
>>> > > 80: session 002000000000000002: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
>>> > > 80: check_stun_auth: Cannot find credentials of user <nobody>
>>> > > 80: session 002000000000000001: realm <MYIP> user <nobody>: incoming packet message processed, error 401: Unauthorized
>>> > > 80: check_stun_auth: Cannot find credentials of user <nobody>
>>> > > 80: session 002000000000000002: realm <MYIP> user <nobody>: incoming packet message processed, error 401: Unauthorized
>>> > > 83: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr 149.224.83.188:46559
>>> > > 83: session 002000000000000003: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
>>> > > 83: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr 149.224.83.188:37545
>>> > > 83: session 005000000000000002: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
>>> > > 83: check_stun_auth: Cannot find credentials of user <nobody>
>>> > > 83: session 002000000000000003: realm <MYIP> user <nobody>: incoming packet message processed, error 401: Unauthorized
>>> > > 83: check_stun_auth: Cannot find credentials of user <nobody>
>>> > > 83: session 005000000000000002: realm <MYIP> user <nobody>: incoming packet message processed, error 401: Unauthorized
>>> > >
>>> > >
>>> > >
>>> ##############################################################
>>> > >
>>> > >
>>> > > user nobody with PASSWORD is not found ..... ;-(
>>> > >
>>> > > logging into my om room, activating my camera gives:
>>> > >
>>> > >
>>> ##############################################################
>>> > >
>>> > > 863: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr REMOTEIP:41039
>>> > > 863: session 005000000000000003: realm <MYIP> user <>: incoming packet BINDING processed, success
>>> > > 863: session 005000000000000003: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
>>> > > 863: IPv4. Local relay addr: MYIP:63505
>>> > > 863: session 005000000000000003: new, realm=<MYIP>, username=<1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>, lifetime=600
>>> > > 863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet ALLOCATE processed, success
>>> > > 863: session 005000000000000003: peer MYIP lifetime updated: 300
>>> > > 863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet CREATE_PERMISSION processed, success
>>> > > 863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet CREATE_PERMISSION processed, error 403: Forbidden IP
>>> > > 863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet message processed, error 403: Forbidden IP
>>> > >
>>> > >
>>> ##############################################################
>>> > >
>>> > >
>>> > > gives a user name with a long number ...... ?
>>> > >
>>> > >
>>> > > Special hash of user and password is being used by OM
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > There are two questions :
>>> > >
>>> > > 1) why do i need a user nobody:password in my config lines if the
>>> > > username generated by om is a long hash but not nobody ... ?
>>> > >
>>> > >
>>> > > your config is your responsibility :))))
>>> > > I guess you can google
>>> > > Or check this
>>> > >
>>> > > doc https://github.com/coturn/coturn/blob/master/README.turnserver
>>> > > for ex.
>>> > will read this doc. One day i will understand this turn server
>>> > thing ...
>>> >
>>> >
>>> > > Or search mailing-list archives for working configurations :)))
>>> > >
>>> >
>>> >
>>> >
>>> > >
>>> > >
>>> > > 2) why does my trickle test fail or why does it not find the
>>> > > credentials ... ?
>>> > >
>>> > >
>>> > > I believe your configuration might be wrong ...
>>> > >
>>> > >
>>> > >
>>> > >
>>> > > Many thanks,
>>> > >
>>> > > kaffeesurrogat
>>> > >
>>> > >
>>> > >
>>> > >
>>> >
>>> > thanks again....
>>> >
>>> > kaffeesurrogat ;-)
>>> >
>>> > >
>>> > > --
>>> > > Best regards,
>>> > > Maxim
>>> >
>>> >
>>> >
>>> > --
>>> > Best regards,
>>> > Maxim
>>>
>>>
>>>
>>>
>>> --
>>> Best regards,
>>> Maxim
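The long username in the quoted log (`1608132140:a8675769-...`) is the "TURN REST API" credential format that coturn implements through the `use-auth-secret` / `static-auth-secret` lines of Ali's config: the username carries an expiry timestamp, and the password is an HMAC of that username under the shared secret, so the server recomputes it instead of looking it up in a user list. The following Python is an added example written for this thread, not code from OpenMeetings, coturn or any poster; it derives and verifies such a credential as described in the TURN REST API draft (HMAC-SHA1, base64). `EXAMPLE_SECRET`, the user id and the function names are assumptions; the `now` value 1608131540 is chosen only so that the 600-second expiry equals the timestamp in the quoted log line.

```python
"""Ephemeral TURN credentials of the kind coturn checks with use-auth-secret.

Added example; the secret and user id below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple

# Constructed placeholder. In a deployment this is the value of
# static-auth-secret in /etc/turnserver.conf and must be kept private:
# anyone holding it can mint valid relay credentials.
EXAMPLE_SECRET = "replace-with-static-auth-secret"


def make_turn_credential(secret: str, user_id: str, ttl: int,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """Return (username, password) valid for ttl seconds.

    username = "<expiry unix time>:<user id>"
    password = base64(HMAC-SHA1(secret, username))
    """
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user_id}"
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_turn_credential(secret: str, username: str, password: str,
                           now: Optional[int] = None) -> bool:
    """Verify a credential the way a REST-API-aware TURN server does:
    recompute the HMAC, compare in constant time, then enforce the expiry
    embedded in the username. A plain static name such as "nobody" has no
    timestamp and is rejected before any HMAC is computed."""
    if now is None:
        now = int(time.time())
    expiry_str, sep, _ = username.partition(":")
    if not sep or not expiry_str.isdigit():
        return False  # not in "<timestamp>:<id>" shape
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    ).decode()
    if not hmac.compare_digest(expected, password):
        return False  # wrong secret, or username altered after signing
    return int(expiry_str) > now  # expired credentials are refused


if __name__ == "__main__":
    issued_at = 1608131540  # constructed; expiry becomes 1608132140 as in the log
    user, pwd = make_turn_credential(EXAMPLE_SECRET, "a8675769-example", 600, now=issued_at)
    print("turn username:", user)
    print("turn password:", pwd)
    print("valid at issue time:", verify_turn_credential(EXAMPLE_SECRET, user, pwd, now=issued_at))
    print("valid 11 min later:", verify_turn_credential(EXAMPLE_SECRET, user, pwd, now=issued_at + 660))
```

To test a server by hand with the trickle-ice page, paste the pair returned by `make_turn_credential` (computed with the server's real `static-auth-secret`) into the username and password fields; the short lifetime is the point of the scheme, since a leaked pair stops working once its timestamp passes, whereas a static `user=` pair stays valid until the config is changed.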
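The two coturn log excerpts in the thread mix three different things: the `401` that every session receives on its first request with `user <>` (the long-term credential mechanism always challenges an unauthenticated request with a realm and nonce before anything else happens, and the later `ALLOCATE processed, success` in the same session shows that this is harmless), a `401` after `check_stun_auth: Cannot find credentials`, which is a real authentication failure, and a `403: Forbidden IP` on `CREATE_PERMISSION`, which is a peer-address rule rather than an authentication problem. The following Python is an added example, not code from the thread or from coturn: it separates those cases over constructed sample lines that follow the format quoted above (remote address replaced with a documentation address). The regexes and the `triage_coturn_log` name are my own assumptions about the log layout shown on this page.

```python
"""Triage coturn log lines: expected credential challenges vs. real failures.

Added example; SAMPLE_LOG is constructed in the format quoted in the thread.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
80: handle_udp_packet: New UDP endpoint: local addr MYIP:3478, remote addr 203.0.113.10:43949
80: session 002000000000000001: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
80: check_stun_auth: Cannot find credentials of user <nobody>
80: session 002000000000000001: realm <MYIP> user <nobody>: incoming packet message processed, error 401: Unauthorized
863: session 005000000000000003: realm <MYIP> user <>: incoming packet BINDING processed, success
863: session 005000000000000003: realm <MYIP> user <>: incoming packet message processed, error 401: Unauthorized
863: session 005000000000000003: new, realm=<MYIP>, username=<1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>, lifetime=600
863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet ALLOCATE processed, success
863: session 005000000000000003: realm <MYIP> user <1608132140:a8675769-9280-4ab7-ab37-d271e8e5cadb>: incoming packet CREATE_PERMISSION processed, error 403: Forbidden IP
"""

# "<ts>: session <id>: realm <r> user <u>: incoming packet <METHOD> processed, <result>"
SESSION_RE = re.compile(
    r"^(?P<ts>\d+): session (?P<sid>[0-9a-f]+): realm <(?P<realm>[^>]*)> user <(?P<user>[^>]*)>: "
    r"incoming packet (?P<method>\S+) processed, (?P<result>success|error (?P<code>\d+): .*)$"
)
# "<ts>: check_stun_auth: Cannot find credentials of user <u>"
NOCRED_RE = re.compile(r"^(?P<ts>\d+): check_stun_auth: Cannot find credentials of user <(?P<user>[^>]*)>$")


def triage_coturn_log(text: str) -> Dict[str, object]:
    counts: Counter = Counter()
    unknown_users: List[str] = []
    allocated_users = set()
    for line in text.splitlines():
        m = NOCRED_RE.match(line)
        if m:
            counts["unknown_user"] += 1
            unknown_users.append(m.group("user"))
            continue
        m = SESSION_RE.match(line)
        if not m:
            continue  # endpoint / relay / "new session" lines carry no verdict
        user, code, method = m.group("user"), m.group("code"), m.group("method")
        if code == "401" and user == "":
            # First request of a session carries no credentials; the 401 is
            # the realm/nonce challenge of the long-term credential mechanism.
            counts["expected_challenge"] += 1
        elif code == "401":
            counts["auth_failure"] += 1  # credentials presented and rejected
        elif code == "403":
            counts["forbidden_peer"] += 1  # peer address refused, not an auth issue
        elif m.group("result") == "success" and method == "ALLOCATE":
            counts["allocations"] += 1
            allocated_users.add(user)

    findings: List[str] = []
    names = sorted(set(unknown_users))
    if names:
        findings.append("credentials not found for: " + ", ".join(names))
        if any(":" not in n for n in names):
            findings.append("rejected name(s) lack the <expiry>:<id> shape that "
                            "use-auth-secret credentials have")
    if counts["forbidden_peer"]:
        findings.append(f"{counts['forbidden_peer']} CREATE_PERMISSION refused (403 Forbidden IP)")
    return {"counts": counts, "unknown_users": names,
            "allocated_users": sorted(allocated_users), "findings": findings}


if __name__ == "__main__":
    report = triage_coturn_log(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it over `/var/log/coturn/coturn.log` instead of `SAMPLE_LOG` after a trickle-ice test: a non-zero `expected_challenge` count with a matching `allocations` count is a healthy relay, whereas `unknown_user` entries are the lines worth acting on.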