Different local and external connection issues #38

Open
madindehead opened this issue Feb 5, 2022 · 18 comments
Labels
documentation Improvements or additions to documentation

Comments

@madindehead

I'm finding some weird behaviour when running neko-rooms and accessing locally and via the external domain.

I've been running neko-rooms on my server and it works well.

I can access the landing page at 8080 via both my desktop (different network to the server) and a VM running on the same subnet as the server.

This is where I encounter problems.

The server runs at 10.0.10.47.
My desktop is 10.90.0.5.
VM to test is on 10.0.10.45
My reverse proxy is at 10.0.90.10

Running locally:
I can access the landing page from both my desktop and the VM.
I can create rooms just fine using both my desktop and the VM.
I can access the rooms fine using the VM. The desktop does sometimes connect, but only once the client from the VM has connected.

Running via the internet:
I can access the landing page from both my desktop and the VM.
I can create rooms just fine using both my desktop and the VM.
Neither the VM nor my desktop can access the rooms.

I get this error: WRN undeclaredMediaProcessor failed to open SrtpSession: the DTLS transport has not started yet module=webrtc subsystem=pc when trying to connect.

Just wondering if I'm missing anything regarding port forwarding or my reverse proxy. I used Cloudflare to proxy my IP if that matters.

@m1k1o
Owner

m1k1o commented Feb 5, 2022

Have you specified NEKO_ROOMS_NAT1TO1 as your valid public IP, and also correctly port forwarded the whole UDP range?

@madindehead
Author

> Have you specified NEKO_ROOMS_NAT1TO1 as your valid public IP, and also correctly port forwarded whole UDP range?

NEKO_ROOMS_NAT1TO1 this is set to my public IP.

As far as I can see, the UDP range is being forwarded properly in OPNsense.

One thing I did discover - when I disable the datacenter level firewall in Proxmox, things seem better/OK. I had a long period of connections and now just constant timeouts.

@dawode112

I've the same problem. I've set the - "NEKO_ROOMS_NAT1TO1=my.ip" # IP address of your server to my public IP and I'm unable to connect outside of my network as well as from the inside. If I change it to the local IP of the Docker instance I'm able to connect from my local network.
I'm not that long working with Docker, so I'm not 100% sure if all ports are UDP as needed.
image
It's running on Proxmox and I already tried to open the firewall. Do I need to open all 59010-59019 UDP ports on my router?

I want to use it for a workadventure shared browser for meetings and as far as I know, this is the only solution for doing it.

Btw, I'm running nginx proxy manager if there is something to set up here:
image
image

@m1k1o
Owner

m1k1o commented Feb 12, 2022

> I'm not 100% sure if all ports are UDP as needed.

Yes, all ports need to be correctly forwarded. And all of them are UDP. If you don't expect many users to visit your services concurrently, you can choose a smaller range.

E.g. having 2 rooms, each with max 5 users, you only need 10 ports, so the range can be 59000-59009.

> nginx proxy manager

That looks good, all UDP ports need to be directly exposed and they don't go through nginx.

@dawode112

For example,
www->mywwwip:59001->room
would work for only 1 person at a time? I was trying
www->mydomain:8080/room/pwd->room.
And if I want to have 10 people join the session, I have to provide 10 separate URLs?
eg
mydomain:59001
mydomain:59002
mydomain:59003
...
Seems like I misunderstood sth.

@dawode112

dawode112 commented Feb 12, 2022

  1. port 59000-59254 are open on the router(udp)

  2. port 59000-59009 are open in proxmox(udp)

I don't think Proxmox is the problem because it works locally

  1. directing to the ip:8080 via nginx

Do I need to add any custom locations in order to reach for the 59xxx UDP ports? I think this is the part of traffic.
image

Router config in case I messed sth up here:
image

@m1k1o
Owner

m1k1o commented Feb 12, 2022

> And if I want to have 10 people join the session, I have to provide 10 separate URLs?

No, you normally access it using the GUI, so all your clients visit www->mydomain:8080/room/pwd->room. Once they are logged in, they get one of the ports allocated where the data flows. That is how WebRTC works; it happens inside SDP negotiation and is completely transparent to your users and also to you. Therefore you need to have those ports open, but never actually visit them directly in the browser.

@dawode112

Okay, so UDP is only in the background, thank you.
The - "NEKO_ROOMS_NAT1TO1=my.ip" # IP address of your server setting is still strange to me.
Do I need to enter my local (works) or my public (doesn't work) IP? And if I need to pass in the public IP, how do I react to changes without using my domain?

@m1k1o
Owner

m1k1o commented Feb 12, 2022

That must be the IP where the mentioned UDP ports are forwarded.

If you omit NEKO_ROOMS_NAT1TO1, it will automatically pull your public IP at the start of every room. If you put a local IP, that will be sent to anyone who is connecting to a room.

@dawode112

I tried:
NEKO_ROOMS_NAT1TO1=my.ip
NEKO_ROOMS_NAT1TO1=my.domain
NEKO_ROOMS_NAT1TO1=empty
Do I have to leave it empty in order to let it get the IP by itself, or do I delete the whole line?

@m1k1o
Owner

m1k1o commented Feb 12, 2022

For now, it only accepts an IP, no domains. You can delete the whole line to get the IP automatically.

@dawode112

dawode112 commented Feb 12, 2022

I was leaving it empty... That was the whole problem. Now that I deleted the line it works. Thank you so much!

@dawode112

I think I would have found it by accident earlier if the word "omit" in German would not be that close to "leave out/leave empty". Thanks again!
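
Added example, not part of the thread and not neko-rooms' own code: a Python check that classifies the NEKO_ROOMS_NAT1TO1 states discussed above (line omitted, left empty, a domain, a LAN IP, a routable IP) and sizes the UDP range at one port per user, as in the 2 rooms x 5 users case. The function names and the `KEY=VALUE` entry format passed in are assumptions made for this illustration.

```python
import ipaddress

# RFC 1918 ranges, listed explicitly so only real LAN addresses are flagged.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_env(entries):
    """Turn compose-style 'KEY=VALUE' entries into a dict; a missing key stays missing."""
    env = {}
    for entry in entries:
        key, _, value = entry.partition("=")
        env[key.strip()] = value.strip()
    return env

def classify_nat1to1(env):
    if "NEKO_ROOMS_NAT1TO1" not in env:
        return "omitted"        # public IP is looked up at the start of every room
    value = env["NEKO_ROOMS_NAT1TO1"]
    if value == "":
        return "empty"          # the state one user in the thread reported as failing
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return "not-an-ip"      # domains are not accepted
    if addr.version == 4 and any(addr in net for net in LAN_NETS):
        return "lan-ip"         # sent to every client; unreachable from outside the LAN
    return "routable-ip"

def range_size(udp_range):
    first, last = (int(p) for p in udp_range.split("-"))
    if not (0 < first <= last <= 65535):
        raise ValueError("bad UDP range: " + udp_range)
    return last - first + 1

def review(entries, udp_range, rooms, users_per_room):
    """Return a list of findings for the given settings (empty list = nothing flagged)."""
    findings = []
    state = classify_nat1to1(parse_env(entries))
    if state in ("empty", "not-an-ip"):
        findings.append("NAT1TO1 is %s: set an IP or delete the line" % state)
    elif state == "lan-ip":
        findings.append("NAT1TO1 is a LAN address: external clients cannot reach it")
    needed = rooms * users_per_room            # one UDP port per connected user
    if range_size(udp_range) < needed:
        findings.append("UDP range has %d ports, %d needed"
                        % (range_size(udp_range), needed))
    return findings
```
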

m1k1o added a commit that referenced this issue Feb 12, 2022
@m1k1o
Owner

m1k1o commented Feb 12, 2022

Though, it should not make any difference and even just leaving it empty should not be such a big problem. I'll look into it.

Also added more information to docs for future users to help with troubleshooting. https://github.com/m1k1o/neko-rooms/tree/master/docs#docs

@madindehead
Author

madindehead commented Feb 12, 2022

Thanks for adding the additional documentation.

I think this makes sense to me now, but I have yet to test it out. I proxy my domains through Cloudflare - does this have an impact on what needs to go into NEKO_ROOMS_NAT1TO1? I will test again and see if I can solve the previous disconnection issues.

I use LinuxServer.io SWAG for my reverse proxy, so I can use the Cloudflare_Real_IP mod if required.

@m1k1o
Owner

m1k1o commented Feb 12, 2022

Since UDP ports bypass the reverse proxy, X-Real-IP in the headers would not make a difference.

If you additionally proxy even your UDP ports through Cloudflare, then you must specify their public IP in NEKO_ROOMS_NAT1TO1. If it is only HTTPS traffic that is going through Cloudflare, then it does not have any impact.

@madindehead
Author

So my root domain example.com is proxied, so technically all traffic is. But, I think that Cloudflare doesn't proxy certain port ranges, so it may be the case that it's not proxied at all.

I've still seen the port problem today (although not doing extensive testing), so will need to see what the issue is.

How would I define more than one IP in NEKO_ROOMS_NAT1TO1? With a comma?

@m1k1o
Owner

m1k1o commented Feb 27, 2022

> How would I define more than one IP in NEKO_ROOMS_NAT1TO1? With a comma?

That is, unfortunately, not possible: m1k1o/neko#47

@m1k1o m1k1o added the documentation Improvements or additions to documentation label Apr 12, 2022