Netgate Discussion Forum
    Problems getting Coturn TURN server to work outside of LAN

    Firewalling
    xthursdayx:

      Hi folks, over the last month or so I've been working on learning about everything that pfSense has to offer, and getting it set up well for my network. I'm running pfSense on a standalone box with 8 GB RAM and an i5 CPU. I'm currently trying to figure out what is preventing me from getting VoIP calls to work through Matrix Synapse using Coturn. When a user calls from outside of the local network to another user on the same local network as the VM, the call rings but never fully connects after being answered. This also happens if the user on the LAN calls the external user. However, if both users are on the same LAN (the LAN the Coturn/Synapse VM is on) then both voice and video calls work.

      I am using this Coturn docker image as part of the matrix-docker-ansible-deploy stack running in an Ubuntu Server VM. My web server is on the host machine, so the domain name and certain other Matrix functions are reverse proxied to the VM using NGINX.

      In pfSense I have the ports 3478 (tcp/udp), 5349 (tcp/udp), and 49152-49172 (udp) forwarded to the VM directly, and NAT outbound traffic from the VM is set to use static ports.

      This is my turnserver.conf:

      use-auth-secret
      static-auth-secret=<secret-pass>
      realm=my.domain
      
      listening-port=3478
      tls-listening-port=5349
      min-port=49152
      max-port=49172
      external-ip=<my-external-ip>
      
      log-file=stdout
      pidfile=/var/tmp/turnserver.pid
      userdb=/var/tmp/turnserver.db
      
      no-cli
      
      cert=/matrix/ssl/config/live/my.domain/fullchain.pem
      pkey=/matrix/ssl/config/live/my.domain/privkey.pem
      
      prod
      no-tcp-relay
      
      user-quota=12
      total-quota=1200
      
      denied-peer-ip=10.0.0.0-10.255.255.255
      denied-peer-ip=192.168.0.0-192.168.255.255
      denied-peer-ip=172.16.0.0-172.31.255.255
      allowed-peer-ip=10.0.0.1
      

      In my Synapse homeserver.yaml Coturn is set to allow guests (at the moment at least), the shared-auth-secret is set, and the turn-uris are:

      - turns:my.domain?transport=udp
      - turns:my.domain?transport=tcp
      - turn:my.domain?transport=udp
      - turn:my.domain?transport=tcp
      

      I've been trying to figure this out for a couple of weeks now but haven't had any luck even figuring out where the problem is originating. When I run journalctl -fu matrix-coturn the logs don't show anything except for the creation of the turn servers and the connection to the SQLite database.

      Any ideas about how I can continue troubleshooting this, or what might be going wrong?

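The post above leaves two things unverified: whether 3478/udp is actually reachable from outside the LAN at all, and whether the static-auth-secret on the Synapse and Coturn sides produces matching credentials. The following is an added example, not code from the thread or from the coturn or Synapse projects; my.domain, the port, the secret and the IP addresses in it are assumptions or constructed test data. It sends a plain STUN Binding Request (the first thing a browser's ICE stack does against a TURN server), decodes the XOR-MAPPED-ADDRESS in the reply, and derives and verifies TURN REST API credentials the way use-auth-secret expects them.

```python
"""Added example (not from the forum thread, coturn or Synapse): a minimal STUN
probe for the listening port plus the TURN REST credential scheme behind
coturn's use-auth-secret / static-auth-secret. Hostname, port, secret and
addresses are assumptions / constructed test data."""
import base64
import hashlib
import hmac
import os
import socket
import struct
import sys
import time

STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def turn_rest_credentials(secret, user, ttl=86400, now=None):
    """Ephemeral credentials as a homeserver derives them from the shared secret:
    username '<expiry-unix-time>:<user>', password base64(HMAC-SHA1(secret, username))."""
    now = int(time.time()) if now is None else int(now)
    username = "%d:%s" % (now + ttl, user)
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(mac).decode()


def verify_turn_rest_credentials(secret, username, password, now=None):
    """Server-side check: recompute the HMAC and reject expired usernames.
    A secret mismatch between the two sides fails here (coturn logs a 401),
    which is a different symptom from a silently hanging call."""
    now = int(time.time()) if now is None else int(now)
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if expiry <= now:
        return False
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), password)


def build_binding_request(txid):
    """RFC 5389 header: type, attribute length (0), magic cookie, 96-bit transaction id."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE, txid)


def build_binding_success(txid, ip, port):
    """The server side of the exchange: a success response carrying XOR-MAPPED-ADDRESS (IPv4)."""
    xport = port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ STUN_MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE, txid) + attr


def parse_binding_response(data, txid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or None if the attribute is absent."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    msg_type, length, cookie, rx = struct.unpack("!HHI12s", data[:20])
    if cookie != STUN_MAGIC_COOKIE or rx != txid:
        raise ValueError("not a reply to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError("unexpected STUN message type 0x%04x" % msg_type)
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS and len(val) == 8 and val[1] == 0x01:
            _, _, xport, xaddr = struct.unpack("!BBHI", val)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ STUN_MAGIC_COOKIE))
            return ip, xport ^ (STUN_MAGIC_COOKIE >> 16)
    return None


def stun_probe(host, port=3478, timeout=3.0):
    """Send one Binding Request over UDP and decode the reflexive address from the reply."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (host, port))
        data, _ = s.recvfrom(2048)
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "my.domain"  # assumed hostname
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 3478
    try:
        print("reflexive address:", stun_probe(target, target_port))
    except socket.timeout:
        print("no STUN reply from %s:%d/udp within timeout" % (target, target_port))
```

Run it from a host outside the LAN (`python3 stun_probe.py my.domain 3478`): a reply showing your public address confirms the forward to 3478/udp reaches coturn, while a timeout means the request or the reply is being dropped somewhere on the path. The probe only exercises the listening port; the relay range (49152-49172/udp) and external-ip are what carry media once the call is set up, so coturn's own turnutils_uclient is the next step for checking that allocations on those ports work too.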
      noplan @xthursdayx:

        @xthursdayx

        any luck or success ?

        /me diggin up old stuff ;)
        nP

      xthursdayx:

          I did eventually get this working but I'm sad to say that I can't remember exactly what it was that sorted it out. Going back through my rules, I believe it may have had to do with setting up two NAT outbound rules (one for TCP and one for UDP) with the "static port" option selected, using two port aliases - TURNPortsTCP and TURNPortsUDP - that included my chosen ports, 3478, 5349, 49152:49172. Hope that helps!

          noplan @xthursdayx:

            @xthursdayx

            thanks !
            gonna give it a shot !

            NP

            pixel24 @noplan:

              I am facing the same problem. Could you show me your rules? I can't get it right :-(

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.