TURN Server support #15

ThomasAppDev opened this issue Jul 26, 2021 · 8 comments
@ThomasAppDev

Is it possible to configure a TURN server? I could not find the needed settings.

@sapkra
Collaborator

sapkra commented Aug 5, 2021

You can set alternative TURN servers by using the JVB_STUN_SERVERS env var. But setting up your own TURN server is still WIP in the docker repo. There are already several PRs for it.

You can find more configs here:
https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-docker#advanced-configuration

To configure it in helm:

```yaml
jvb:
  stunServers: meet-jit-si-turnrelay.jitsi.net:443
```

@sapkra
Collaborator

sapkra commented Aug 18, 2021

jitsi/docker-jitsi-meet#1074 <-- This PR has now been merged and will be part of the next release. If this is what you want, a PR to add these options as helm values would be very welcome.

@Natureshadow

I am not sure this is sufficient. How to set these STUN and/or TURN servers for Jitsi Meet Web?

@sapkra
Collaborator

sapkra commented Nov 4, 2021

@Natureshadow Yeah right, for the P2P connection in the web client there is no config yet. For this it would be great if you or someone else can create a PR on the official docker-jitsi-meet repo to add environment variable mapping to the settings-config.js.

The structure would be:

```js
{
  p2p: {
    enabled: true,
    stunServers: [
      { urls: 'stun:meet-jit-si-turnrelay.jitsi.net:443' },
    ],
  },
}
```

@drusov

drusov commented Sep 6, 2023

I think it would be still nice to get :)

@kpeiruza

Hi @drusov ,

We made a docker with coturn to bring coturn up with its own LB. It would be great to work a bit further with ingress-nginx to see if we can save 1 LB.

Our docker is just a quick fix: once the Let's Encrypt certificate expires, you should delete it, because there's no update process on it and it would probably be incompatible with the Ingress, but here it is:

```dockerfile
# Dockerfile
FROM alpine:3.18.4

RUN apk add --no-cache coturn certbot
COPY entrypoint.sh /entrypoint.sh

# 80 is used by certbot's standalone HTTP challenge, 443 is the
# tls-listening-port set in the generated turnserver.conf
EXPOSE 80 443 3478 3478/udp 5349 5349/udp

RUN chmod +x /entrypoint.sh

ENTRYPOINT ["/entrypoint.sh"]
```

```sh
#!/bin/sh
# entrypoint.sh
# Expects EMAIL, FQDN, DOMAIN, TURNSECRET and TURNIP in the environment.

# Define the path to the Let's Encrypt certificate
CERT_PATH="/etc/letsencrypt/live/$FQDN"

# Function to obtain or renew the certificate
renew_certificate() {
    # Check if the certificate already exists
    if [ -d "$CERT_PATH" ]; then
        # Renew the certificate
        certbot renew --standalone --non-interactive
    else
        # Obtain a new certificate
        certbot certonly --standalone \
            --preferred-challenges http \
            --agree-tos \
            --non-interactive \
            --email "$EMAIL" \
            --domains "$FQDN"
    fi
}

# Main execution
renew_certificate

# Write the config with a heredoc so the double quotes around the
# cipher-list value are kept instead of ending the shell string early
cat > /etc/turnserver.conf <<EOF
# jitsi-meet coturn config. Do not modify this line
use-auth-secret
keep-address-family
static-auth-secret=$TURNSECRET
server-name=$FQDN
realm=$DOMAIN
cert=$CERT_PATH/fullchain.pem
pkey=$CERT_PATH/privkey.pem
no-multicast-peers
no-cli
no-loopback-peers
tls-listening-port=443
no-tlsv1
no-tlsv1_1
#lt-cred-mech
log-file=stdout
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
fingerprint
listening-ip=0.0.0.0
external-ip=$TURNIP
permission-lifetime=48000
EOF

# Start the coturn server; exec lets it receive the container's signals
exec turnserver -c /etc/turnserver.conf
```

Then a Deployment with these vars & ingress.
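
The config above turns on `use-auth-secret` with a `static-auth-secret`, so clients authenticate with time-limited credentials derived from that secret instead of a fixed username and password. As an added example (not part of the original comment or of the project's code), this Python code issues and checks such a credential following the TURN REST API scheme: the username is `expiry[:user-id]` and the password is `base64(HMAC-SHA1(secret, username))`. The function names and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import time


def turn_password(secret: str, username: str) -> str:
    """base64(HMAC-SHA1(secret, username)): the password for this username."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def issue_credentials(secret, ttl=3600, user_id="", now=None):
    """Return (username, password) that stop being valid after ttl seconds."""
    now = int(time.time()) if now is None else int(now)
    expiry = now + ttl
    username = f"{expiry}:{user_id}" if user_id else str(expiry)
    return username, turn_password(secret, username)


def check_credentials(secret, username, password, now=None):
    """Mirror the server-side check: timestamp not in the past, HMAC matches."""
    now = int(time.time()) if now is None else int(now)
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False  # username does not start with a timestamp
    if expiry < now:
        return False  # credential has expired
    expected = turn_password(secret, username)
    # Constant-time comparison avoids leaking how many characters matched
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    SECRET = "constructed-example-secret"  # constructed; stands in for $TURNSECRET
    user, pw = issue_credentials(SECRET, ttl=600, user_id="alice")
    print("username:", user)
    print("password:", pw)
    print("accepted:", check_credentials(SECRET, user, pw))
```

Anyone who holds the `static-auth-secret` can mint valid credentials, so the value belongs only on the coturn server and on the backend that issues credentials, never in client-side config.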

@kpeiruza

kpeiruza commented Mar 16, 2024

PS:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: coturn-deployment
  labels:
    app: coturn
spec:
  replicas: 1
  selector:
    matchLabels:
      app: coturn
  template:
    metadata:
      labels:
        app: coturn
    spec:
      containers:
      - name: coturn
        image: ourcoturnimage:1.0.0
        volumeMounts:
        - name: cert-volume
          mountPath: /etc/letsencrypt
        env:
        - name: EMAIL
          value: [email protected]
        - name: DOMAIN
          value: yourdomain.com
        - name: FQDN
          value: coturn.yourdomain.com
        # Placeholder value; a plain env value is readable by anyone who can
        # read the Deployment, a Secret with valueFrom.secretKeyRef avoids that
        - name: TURNSECRET
          value: WHATEVER
        - name: TURNIP
          value: 1.2.3.4
        ports:
        - containerPort: 80
          protocol: TCP
        - containerPort: 3478
          protocol: TCP
        - containerPort: 3478
          protocol: UDP
        - containerPort: 443
          protocol: TCP
        - containerPort: 5349
          protocol: UDP
      volumes:
      - name: cert-volume
        persistentVolumeClaim:
          claimName: letsencrypt-pvc
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: letsencrypt-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: coturn-loadbalancer
spec:
  type: LoadBalancer
  selector:
    app: coturn
  ports:
    - name: turn
      protocol: TCP
      port: 3478
      targetPort: 3478
    - name: turn-udp
      protocol: UDP
      port: 3478
      targetPort: 3478
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: turns
      protocol: TCP
      port: 443
      targetPort: 443
    - name: turns-udp
      protocol: UDP
      port: 5349
      targetPort: 5349
```

@spijet self-assigned this Apr 23, 2024
@spijet added the enhancement (New feature or request) and help wanted (Extra attention is needed) labels Apr 23, 2024
@spijet changed the title from "Configure Turn-Server" to "TURN Server support" Apr 23, 2024
@spijet pinned this issue Apr 23, 2024
@Ameurgarraoui

How to integrate a TURN server that has credentials using the helm chart values.yaml?
