Netgate Discussion Forum

    Turn server for Nextcloud Talk - can I do this within pfSense?

    General pfSense Questions
    8 Posts 3 Posters 206 Views
    • N
      NGUSER6947
      last edited by NGUSER6947

      I have a Nextcloud server running, it's on an isolated interface (OPT) on my pfSense router. I am using NAT reflection so that I can access my NC server from my local LAN devices.

      Been using Nextcloud for a while now and very happy with it.

      I'm looking to get the Talk app going. I installed it and can almost connect different clients but not quite (no connection is finalized). I get an error that I need to set up a TURN server.

      As I understand it, the TURN server lets each Talk client know the LAN IP of each client in a call. Not really crazy about that idea but maybe it doesn't actually matter.

      Is there a way to get Nextcloud Talk to work by using custom firewall rules, or something else, within my pfSense instance itself?

      • G
        Gblenn @NGUSER6947
        last edited by

        @NGUSER6947 I guess you could see the TURN server as the "switchboard" where all your clients can "meet". They each need to be in contact with that server to provide their "home address" (IP), so that they can then use that to set up a direct (peer to peer) connection. And this applies also if the client is on the internet (like a mobile), so it's not only for your local IP clients.
        The communication with the TURN server is encrypted and quite safe...

        • N
          NGUSER6947 @Gblenn
          last edited by NGUSER6947

          @Gblenn Ok thanks, is there a way to accomplish this within pfSense or perhaps using an add-on Package?

          Or am I completely misunderstanding how this needs to work (likely).

          • G
            Gblenn @NGUSER6947
            last edited by

            @NGUSER6947 I believe that clients on the same LAN should be able to talk directly to each other. As far as I understand, Talk uses a "signalling" server to let clients discover each other and exchange the necessary connection information.
            Are you saying they can't even when clients are on the LAN?

            If one or more of them are outside your firewall, I believe you need STUN and/or TURN. I assume the STUN settings are done in Nextcloud Talk? And there are public STUN servers you can use, like stun.l.google.com, stun1.l.google.com etc.

            The one thing you can try in pfSense is to change your Outbound NAT to Hybrid, and set Static port for your Nextcloud clients to see if this helps.

            If it still doesn't work, I'm guessing you have to use a TURN server.

            • N
              NGUSER6947 @Gblenn
              last edited by NGUSER6947

              @Gblenn Ok.

              My server is on its own pfSense interface (OPT) and it can't get to the LAN, nor can LAN devices get to the server (all on purpose).

              Two LAN devices can initiate a call with each other (i.e. I can launch a call on one PC and my phone gets the notification). On the phone I can answer the call, but that's it. The actual video call never really 'starts'. That's when I get a notice about needing a TURN server.

              I think for now I'll just use some other option like Jimi or even Zoom. My meetings are usually short so a 40-minute Zoom limitation isn't that huge of a deal.

              I'm not crazy about a Google or other public TURN server being introduced into the mix and shuffling packets between devices on my network.

              Thanks for your help.

              • G
                Gblenn @NGUSER6947
                last edited by Gblenn

                @NGUSER6947 Well, a STUN server (from Google or others) is in no way, shape or form involved in any traffic. It is used by VoIP or in this case the Talk client to find out the Public IP, what type of NAT you have and the port to use. After that, it's the client connecting to the other client, nothing more, nothing less.

                One issue I think you do have is that you probably have Symmetric NAT, which will not really work that well with Talk. You can check it via this or some similar service: https://www.checkmynat.com/

                By changing your Outbound NAT settings to Hybrid as I mentioned, and setting Static Port for the clients, you will have changed your NAT to Port Restricted NAT, which should work fine.

                Try this first to see if it makes things work better... Perhaps you also need to add the server IP to the list of devices with Static Port.

                1 Reply Last reply Reply Quote 0
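
What the STUN lookup described in the post above looks like on the wire, as an added example that is not part of the original thread: it builds an RFC 5389 Binding Request, decodes the XOR-MAPPED-ADDRESS of a response, and compares what two servers report for one local socket, which is how randomized outbound source ports show up as symmetric NAT and a static port does not. The responses are constructed sample data (203.0.113.7 is a documentation address), `constructed_response` and `demo` are hypothetical helpers, and the comparison covers mapping behaviour only, not filtering.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442        # fixed constant from RFC 5389
BINDING_REQUEST, BINDING_SUCCESS, XOR_MAPPED_ADDRESS = 0x0001, 0x0101, 0x0020

def build_binding_request(txn_id=None):
    """20-byte header only: type, length 0, magic cookie, 96-bit transaction ID."""
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + (txn_id or os.urandom(12))

def parse_mapped_address(msg, txn_id):
    """Return (ip, port) from the IPv4 XOR-MAPPED-ADDRESS of a Binding Success."""
    if len(msg) < 20:
        raise ValueError("truncated STUN header")
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if (mtype, cookie, msg[8:20]) != (BINDING_SUCCESS, MAGIC_COOKIE, txn_id):
        raise ValueError("not a Binding Success for this transaction")
    pos, end = 20, min(len(msg), 20 + length)
    while pos + 4 <= end:
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)   # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS attribute")

def classify_mapping(local_port, mappings):
    """mappings: (ip, port) reported by different STUN servers for ONE local socket."""
    if len(set(mappings)) > 1:
        return "symmetric: a new public port per destination"
    kept = ", source port preserved" if mappings[0][1] == local_port else ""
    return "endpoint-independent mapping" + kept

def constructed_response(txn_id, ip, port):
    """Constructed Binding Success standing in for a real server reply (sample data)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txn_id + attr

def demo(public_ports, local_port=50000, public_ip="203.0.113.7"):
    seen = []   # one simulated STUN server per entry in public_ports
    for port in public_ports:
        txn = build_binding_request()[8:20]
        seen.append(parse_mapped_address(constructed_response(txn, public_ip, port), txn))
    return classify_mapping(local_port, seen)
```

`demo([31544, 9120])` models a NAT that picks a different public port per destination, and `demo([50000, 50000])` models the same socket once its source port is kept.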
                • G
                  Gblenn @NGUSER6947
                  last edited by

                  @NGUSER6947 said in Turn server for Nextcloud Talk - can I do this within pfSense?:

                  I think for now I'll just use some other option like Jimi or even Zoom. My meetings are usually short so a 40-minute Zoom limitation isn't that huge of a deal.

                  Just a thought about that, since using Google's STUN server concerns you. Just know that Zoom and other such services also use STUN and TURN when needed (their own servers of course). So perhaps self-hosting a TURN server is not the worst idea ever...

                  • S
                    slu @NGUSER6947
                    last edited by

                    @NGUSER6947

                    You can install coturn on your Nextcloud server; here is a German how-to:
                    https://www.c-rieger.de/stunserver-coturnserver/

                    pfSense Gold subscription

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.