Posted to user@openmeetings.apache.org by YUP <yu...@gmail.com> on 2020/03/13 00:09:52 UTC

Openmeetings, kurento and TURN behind NAT

Hello all,
Could someone help me with the configuration of my OM setup? Any help will
be greatly appreciated.
I have a server which is, for several reasons, behind NAT; only port 443
is open. There is an sslh balancer, which redirects external traffic to
different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal is
installed in a container behind an nginx proxy and works well, except for audio
and video. When I perform the setup check after logging in (video camera
and microphone) I can see myself in the camera and can also see the green line
increasing and decreasing, which indicates the microphone level, but I
can't save and replay the testing record. As far as I understand, the
problem is in NAT, so I had to use the kurento server with a TURN server. I
did that by adding the environment variables for the kurento server in
the docker container with the corresponding data for turn.anyfirewall.com:

 - KMS_STUN_IP=130.211.143.110
 - KMS_STUN_PORT=443
 - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
and the same for openmeetings docker container:

      - TURN_USER=webrtc
      - TURN_PASS=webrtc
      - TURN_URL=130.211.143.110:443?transport=tcp

After restarting, it immediately allowed me to perform the network test
(except ip ping), but it did not resolve the issue with camera and
microphone.
When I connect to the OM server with the help of vpn (so the OM server and I are
in the same network) everything works as needed. I can save and replay
video, I can hear myself, two OM users connected by vpn to the OM server
can talk to each other, etc. But using a vpn connection is not an
option...
I spent two days trying to find what I did wrong. I tried other TURN and
STUN servers, different types of configuration and so on; nothing
helped.

Regards,
Yarema

Re: Openmeetings, kurento and TURN behind NAT

Posted by Maxim Solodovnik <so...@gmail.com>.
turnUrl is set in applicationContext and then passed to JS.
It never works for me if set in KMS config, and I have no time for further
investigation.

Hopefully I will get back to this topic after 5.0.0 is final.

On Sun, 29 Mar 2020 at 23:54, YUP <yu...@gmail.com> wrote:

> BTW, just wondering, why in the full version of OM in docker the
> kurento server doesn't have turn-environments, but have it for OM? It
> should be in the line in the file
> /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini
> with
> turnURL=<User>:<Pass>@<IpAddress>:<Port>[?transport=<Transport>]
>
> If kurento server runs in docker, it is very easy via KMS_TURN_URL.
>
> If I understand correctly, OM connects to kurento media server which
> next connects to turn server, turn-server is something like a meeting
> point for different streams from different clients. Please correct me.
> I'm trying to figure out how to correctly setup OM in my environment.
>
> Regards,
> Yarema
>
>
>
> On Sun, Mar 29, 2020 at 9:37 AM YUP <yu...@gmail.com> wrote:
> >
> > It's ok, at least now I know what the problem is.
> > Best,
> > Yarema
> >
> > On Sun, Mar 29, 2020 at 5:25 AM Maxim Solodovnik <so...@gmail.com>
> wrote:
> > >
> > > I'm installing KMS inside docker to avoid this
> > > Not sure if I can help with your advanced config :(
> > >
> > > On Sun, Mar 29, 2020, 08:57 YUP <yu...@gmail.com> wrote:
> > >>
> > >> Hi Maxim,
> > >> Probably I found what caused that issue with *.webm files. I run
> > >> openmeetings in a docker container which load dependent kurento
> > >> container (see my docker-compose.yml file in my first email).
> > >> Something is wrong with communication between them, maybe permission
> > >> issue, different users, don't know now.
> > >>
> > >> > it would be more reasonable to have
> > >> > listening-port=80
> > >> > in this case (due to it insecure)
> > >>
> > >> Good advice, I forgot that firewall allows connection to 80 port too
> :)
> > >>
> > >> Regards,
> > >> Yarema
>


-- 
WBR
Maxim aka solomax

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
BTW, just wondering: why, in the full version of OM in docker, does the
kurento server not have the turn environment variables, while OM has them? It
should be in the line in the file
/etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini
with
turnURL=<User>:<Pass>@<IpAddress>:<Port>[?transport=<Transport>]

If the kurento server runs in docker, it is very easy via KMS_TURN_URL.

If I understand correctly, OM connects to the kurento media server, which
then connects to the turn server; the turn server is something like a meeting
point for different streams from different clients. Please correct me.
I'm trying to figure out how to correctly set up OM in my environment.

Regards,
Yarema



On Sun, Mar 29, 2020 at 9:37 AM YUP <yu...@gmail.com> wrote:
>
> It's ok, at least now I know what the problem is.
> Best,
> Yarema
>
> On Sun, Mar 29, 2020 at 5:25 AM Maxim Solodovnik <so...@gmail.com> wrote:
> >
> > I'm installing KMS inside docker to avoid this
> > Not sure if I can help with your advanced config :(
> >
> > On Sun, Mar 29, 2020, 08:57 YUP <yu...@gmail.com> wrote:
> >>
> >> Hi Maxim,
> >> Probably I found what caused that issue with *.webm files. I run
> >> openmeetings in a docker container which load dependent kurento
> >> container (see my docker-compose.yml file in my first email).
> >> Something is wrong with communication between them, maybe permission
> >> issue, different users, don't know now.
> >>
> >> > it would be more reasonable to have
> >> > listening-port=80
> >> > in this case (due to it insecure)
> >>
> >> Good advice, I forgot that firewall allows connection to 80 port too :)
> >>
> >> Regards,
> >> Yarema
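
Added example (not part of the thread, and not OpenMeetings or Kurento code): a small check that parses the `<User>:<Pass>@<IpAddress>:<Port>[?transport=<Transport>]` value quoted above and compares the OM and KMS settings against the firewall limits described in this thread (TCP only; ports 22, 80, 443, 8080). The sample values are constructed, and treating a missing `transport` as UDP is an assumption.

```python
import ipaddress
import re

# Format quoted in the thread:
#   <User>:<Pass>@<IpAddress>:<Port>[?transport=<Transport>]
# OM's TURN_URL carries no credentials, so that part is optional here.
TURN_RE = re.compile(
    r"^(?:(?P<user>[^:@]+):(?P<password>[^@]+)@)?"
    r"(?P<host>[^:?@]+)(?::(?P<port>\d+))?"
    r"(?:\?transport=(?P<transport>\w+))?$"
)


def parse_turn_url(value):
    """Split a TURN URL value into user, password, host, port, transport."""
    m = TURN_RE.match(value.strip())
    if not m:
        raise ValueError(f"not a TURN URL value: {value!r}")
    cfg = m.groupdict()
    cfg["port"] = int(cfg["port"]) if cfg["port"] else None
    # Assumption: no ?transport= means UDP.
    cfg["transport"] = (cfg["transport"] or "udp").lower()
    return cfg


def check_turn_env(om_env, kms_env, allowed_ports, allowed_transports):
    """Return a list of findings; an empty list means the two sides agree
    and the TURN endpoint is reachable under the stated firewall limits."""
    findings = []
    om = parse_turn_url(om_env["TURN_URL"])
    kms = parse_turn_url(kms_env["KMS_TURN_URL"])
    for name, cfg in (("TURN_URL", om), ("KMS_TURN_URL", kms)):
        try:
            ipaddress.ip_address(cfg["host"])
        except ValueError:
            findings.append(f"{name}: host {cfg['host']!r} is not an IP address")
        if cfg["port"] is None:
            findings.append(f"{name}: no port given")
        elif cfg["port"] not in allowed_ports:
            findings.append(f"{name}: port {cfg['port']} is blocked by the firewall")
        if cfg["transport"] not in allowed_transports:
            findings.append(f"{name}: transport {cfg['transport']} is blocked")
    endpoint = lambda c: (c["host"], c["port"], c["transport"])
    if endpoint(om) != endpoint(kms):
        findings.append("TURN_URL and KMS_TURN_URL point at different endpoints")
    if (om_env.get("TURN_USER"), om_env.get("TURN_PASS")) != (kms["user"], kms["password"]):
        findings.append("TURN_USER/TURN_PASS differ from the KMS_TURN_URL credentials")
    return findings


# Firewall limits as described in the thread.
ALLOWED_PORTS = {22, 80, 443, 8080}
ALLOWED_TRANSPORTS = {"tcp"}

# Constructed sample environments (203.0.113.10 is a documentation address).
GOOD_OM = {"TURN_USER": "demo", "TURN_PASS": "demo-secret",
           "TURN_URL": "203.0.113.10:443?transport=tcp"}
GOOD_KMS = {"KMS_TURN_URL": "demo:demo-secret@203.0.113.10:443?transport=tcp"}
BAD_OM = {"TURN_USER": "demo", "TURN_PASS": "demo-secret",
          "TURN_URL": "203.0.113.10?transport=tcp"}           # port missing
BAD_KMS = {"KMS_TURN_URL": "demo:demo-secret@203.0.113.10:3478"}  # blocked port, UDP

if __name__ == "__main__":
    for label, om, kms in (("good", GOOD_OM, GOOD_KMS), ("bad", BAD_OM, BAD_KMS)):
        print(label)
        for finding in check_turn_env(om, kms, ALLOWED_PORTS, ALLOWED_TRANSPORTS):
            print("  -", finding)
```
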

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
It's ok, at least now I know what the problem is.
Best,
Yarema

On Sun, Mar 29, 2020 at 5:25 AM Maxim Solodovnik <so...@gmail.com> wrote:
>
> I'm installing KMS inside docker to avoid this
> Not sure if I can help with your advanced config :(
>
> On Sun, Mar 29, 2020, 08:57 YUP <yu...@gmail.com> wrote:
>>
>> Hi Maxim,
>> Probably I found what caused that issue with *.webm files. I run
>> openmeetings in a docker container which load dependent kurento
>> container (see my docker-compose.yml file in my first email).
>> Something is wrong with communication between them, maybe permission
>> issue, different users, don't know now.
>>
>> > it would be more reasonable to have
>> > listening-port=80
>> > in this case (due to it insecure)
>>
>> Good advice, I forgot that firewall allows connection to 80 port too :)
>>
>> Regards,
>> Yarema

Re: Openmeetings, kurento and TURN behind NAT

Posted by Maxim Solodovnik <so...@gmail.com>.
I'm installing KMS inside docker to avoid this
Not sure if I can help with your advanced config :(

On Sun, Mar 29, 2020, 08:57 YUP <yu...@gmail.com> wrote:

> Hi Maxim,
> Probably I found what caused that issue with *.webm files. I run
> openmeetings in a docker container which load dependent kurento
> container (see my docker-compose.yml file in my first email).
> Something is wrong with communication between them, maybe permission
> issue, different users, don't know now.
>
> > it would be more reasonable to have
> > listening-port=80
> > in this case (due to it insecure)
>
> Good advice, I forgot that firewall allows connection to 80 port too :)
>
> Regards,
> Yarema
>

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
Hi Maxim,
Probably I found what caused that issue with *.webm files. I run
openmeetings in a docker container which loads a dependent kurento
container (see my docker-compose.yml file in my first email).
Something is wrong with the communication between them, maybe a permission
issue, different users, I don't know now.

> it would be more reasonable to have
> listening-port=80
> in this case (due to it insecure)

Good advice, I forgot that the firewall allows connections to port 80 too :)

Regards,
Yarema

Re: Openmeetings, kurento and TURN behind NAT

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Yarema,

Sorry, I have had no time and HW so far to experiment.

It would be more reasonable to have
listening-port=80
in this case (due to it being insecure)

>> The only problem that remains is that session recording files are
>> wav files, not avi. Do you have a clue what the reason is? Could it
>> be an ffmpeg issue?

During session recording intermediate files are *.webm
Later *.wav is extracted/generated to create *.mp4 (not avi)

Could you check if you have *.webm in `data` folder?

On Sat, 28 Mar 2020 at 18:43, YUP <yu...@gmail.com> wrote:

> Maxim,
> Finally I managed to launch openmeetings with kurento and coturn. The
> problem was in coturn server which didn't work as expected. I
> installed coturn server on my private laptop (no firewall and NAT)
> which listens on port 443, with the following configuration:
>
> listening-port=443
> tls-listening-port=5349
> verbose
> lt-cred-mech
> user=kurento:kurento
> realm=my_openmeetings_server_domain
> log-file=/var/log/turnserver/turn.log
>
> After that all openmeetings users can see each other cameras and hear
> each other. The only problem remain, that session recording files are
> wav file, not avi. Do you have a clue what is the reason is? Coul it
> be a ffmpeg issue?
>
> Best,
> Yarema
>
>
> On Thu, Mar 19, 2020 at 9:43 PM YUP <yu...@gmail.com> wrote:
> >
> > Maxim,
> > I made a mistake, in nginx configuration section for openmetings port
> > should be 5443 instead of 5080, sorry for that.
> > I also forgot to mention that only tcp requests are allowed in our
> > firewall, udp if prohibited, as far as know.
> > Can you examine my configs and say what is wrong?
> >
> > Regards,
> > Yarema
> >
> >   location /openmeetings {
> >         proxy_pass http://localhost:5080/openmeetings;
> >
> >         proxy_set_header Host $host;
> >         proxy_http_version 1.1;
> >         proxy_set_header Upgrade $http_upgrade;
> >         proxy_set_header Connection "upgrade";
> >
> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         proxy_set_header Referer 'https://$host/openmeetings/';
> >         proxy_set_header X-Real-IP $remote_addr;
> >         }
> >
> > On Mon, Mar 16, 2020 at 5:01 PM YUP <yu...@gmail.com> wrote:
> > >
> > > Please take your time.
> > > I gonna describe my set up briefly .
> > >
> > > Initial data:
> > > External nat has address external_nat_ip
> > > All external ports are closed except 443
> > > From inside allowed only http connections to ports 80, 8080, 443 and 22
> > >
> > > Openmeetings runs in docker, I use docker-compose with the following
> > > docker-compose.yml:
> > >
> > > version: '3.7'
> > > services:
> > >   openmeetings:
> > >     image: apache/openmeetings:min-5.0.0-M3
> > >     ports:
> > >       - "5080:5080"
> > >       - "5443:5443"
> > >     volumes:
> > >       - ~/openmeetings/omdata:/opt/omdata
> > >       - ~/openmeetings/logs:/opt/openmeetings/logs
> > >     environment:
> > >       - OM_KURENTO_WS_URL=ws://kurento:8888/kurento
> > >       - TURN_USER=kurento
> > >       - TURN_PASS=kurento
> > >       - TURN_URL=external_nat_ip?transport=tcp
> > >       - OM_DB_TYPE=mysql
> > >       - OM_DB_HOST=172.17.0.1
> > >       - OM_DB_PORT=3306
> > >       - OM_DB_USER=om_user
> > >       - OM_DB_PASS=om_passwd
> > >       - OM_DB_NAME=openmeetings
> > >     depends_on:
> > >       - kurento
> > >       - coturn
> > >     restart: unless-stopped
> > >   kurento:
> > >     image: kurento/kurento-media-server
> > >     ports:
> > >       - "8888:8888"
> > >     environment:
> > >       - KMS_TURN_URL=kurento:kurento@external_nat_ip?transport=tcp
> > >     restart: unless-stopped
> > >   coturn:
> > >     image: kurento/coturn-auth
> > >     ports:
> > >       - "3478:3478"
> > >     environment:
> > >       - LISTENING_PORT=3478
> > >       - REALM=kurento.org
> > >       - USER=kurento
> > >       - PASSWORD=kurento
> > >     restart: unless-stopped
> > >
> > > I use sslh https://github.com/yrutschle/sslh to connect do different
> > > services behind nat with the following configuration:
> > >
> > > verbose: true
> > > timeout: 18000;
> > > listen:
> > > (
> > >     { host: "internal_nat_ip"; port: "443"; }
> > > );
> > > protocols:
> > > (
> > > # ssh:
> > >      { name: "ssh"; service: "ssh"; host: "localhost"; port: "22";
> > > probe: "builtin"; },
> > > # openvpn:
> > >      { name: "openvpn"; host: "localhost"; port: "1194"; probe:
> "builtin"; },
> > > # nginx:
> > >      { name: "ssl"; host: "localhost"; port: "2443"; probe: "builtin";
> > > log_level: 0;},
> > > # coturn:
> > >      { name: "regex"; host: "localhost"; port: "3478"; regex_patterns:
> > > [ "\x21\x12\xa4\x42" ]; }
> > > );
> > > transparent: true;
> > >
> > >
> > > And nginx configuration (there are another services, I left only
> > > openmeetings and kurento (do I really need to have kurento websocket
> > > outside nat?))
> > >
> > >
> > > server {
> > >     listen       2443 ssl http2;
> > >     listen [::]:2443 ssl http2;
> > >     server_name  localhost;
> > >
> > >     autoindex on;
> > >     root   /srv/http/;
> > >     index index.php index.html index.htm;
> > >
> > > #    ssl_certificate      /etc/httpd/conf/server.crt;
> > > #    ssl_certificate_key  /etc/httpd/conf/server.key;
> > >
> > >     include conf/001-certbot.conf;
> > >
> > > #    ssl on;
> > >     ssl_session_cache  builtin:1000  shared:SSL:10m;
> > >     ssl_protocols  TLSv1 TLSv1.1; #TLSv1.2;
> > > #    ssl_ciphers
> HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
> > > #    ssl_prefer_server_ciphers on;
> > >
> > >
> > >      proxy_headers_hash_max_size 512;
> > >      proxy_headers_hash_bucket_size 128;
> > >
> > >     location ~ [^/]\.php(/|$) {
> > >         fastcgi_split_path_info  ^(.+\.php)(/.+)$;
> > >         fastcgi_index            index.php;
> > >         fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
> > >         include fastcgi.conf;
> > >         fastcgi_param   PATH_INFO       $fastcgi_path_info;
> > >         fastcgi_param   SCRIPT_FILENAME
> $document_root$fastcgi_script_name;
> > >     }
> > >
> > > # User directories, e.g. http://example.com/~user/ :
> > >         location ~ ^/~(.+?)(/.*)?$ {
> > >         alias     /home/$1/public_html$2;
> > >         index     index.html index.htm;
> > >         autoindex on;
> > >         auth_pam              "Restricted Zone";
> > >         auth_pam_service_name "nginx";
> > >     }
> > >
> > >       # Deny static files
> > >        location ~ ^/(README|LICENSE|ChangeLog|DCO)$ {
> > >           deny all;
> > >        }
> > >
> > >        # Deny .md files
> > >        location ~ ^/(.+\.md)$ {
> > >           deny all;
> > >        }
> > >
> > >        # Deny setup directories
> > >        location ~ ^/(doc|sql|setup)/ {
> > >           deny all;
> > >        }
> > >     }
> > >
> > >   location /openmeetings {
> > >         proxy_pass http://localhost:5080/openmeetings;
> > >
> > >         proxy_set_header Host $host;
> > >         proxy_http_version 1.1;
> > >         proxy_set_header Upgrade $http_upgrade;
> > >         proxy_set_header Connection "upgrade";
> > >
> > >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> > >         proxy_set_header Referer 'https://$host/openmeetings/';
> > >         proxy_set_header X-Real-IP $remote_addr;
> > >         }
> > >
> > >     location /kurento {
> > > # prevents 502 bad gateway error
> > >             proxy_buffers 8 32k;
> > >             proxy_buffer_size 64k;
> > > # redirect all HTTP traffic to localhost:8088;
> > >             proxy_pass http://0.0.0.0:8888/kurento;
> > > #            proxy_set_header X-Real-IP $remote_addr;
> > > #            proxy_set_header Host $http_host;
> > > #            proxy_set_header X-Forwarded-For
> $proxy_add_x_forwarded_for;
> > >             #proxy_set_header X-NginX-Proxy true;
> > >             # enables WS support
> > >             proxy_http_version 1.1;
> > >             proxy_set_header Upgrade $http_upgrade;
> > >             proxy_set_header Connection "upgrade";
> > >             proxy_read_timeout 999999999;
> > >         }
> > >
> > >     add_header X-Frame-Options SAMEORIGIN;
> > >     add_header X-Content-Type-Options nosniff;
> > > }
> > >
> > >
> > >
> > > On Mon, Mar 16, 2020 at 1:39 PM Maxim Solodovnik <so...@gmail.com>
> wrote:
> > > >
> > > > Hello Yarema,
> > > >
> > > > sorry for keeping silence
> > > > I'll try to investigate this config later this week
> > > > To much day time job right now :(
> > > >
> > > > Please share your further findings here if any :)
> > > >
> > > > On Mon, 16 Mar 2020 at 09:04, YUP <yu...@gmail.com> wrote:
> > > > >
> > > > > Maxim,
> > > > > I was also managed to install coturn on external server which
> listen
> > > > > on port 443. Kurento connects to this port (via TURN_URL,
> > > > > TURN_USER,TURN_PASS), I can see it in logs. I see in logs that
> > > > > openmeetings connects to kurento. But I don't understand why all my
> > > > > construction not working as needed? I still can't make settings
> test,
> > > > > record and play sample, two users can't see each other videos from
> > > > > cameras.
> > > > > Here I should to see to find the solution?
> > > > >
> > > > > On Sun, Mar 15, 2020 at 7:23 PM YUP <yu...@gmail.com> wrote:
> > > > > >
> > > > > > I was able to connect to kurento websocket which is proxified by
> > > > > > nginx, the solution was very simple, put wss instead of https,
> > > > > > probably for some reasons openmeetings needs to have ws or wss
> in the
> > > > > > input url:
> > > > > > - OM_KURENTO_WS_URL=wss://external_server_ip_address/kurento
> > > > > > But it is not solved the issue with recording audio/video in
> test and
> > > > > > different users.
> > > > > >
> > > > > > On Sun, Mar 15, 2020 at 10:16 AM YUP <yu...@gmail.com> wrote:
> > > > > > >
> > > > > > > No, it is not a reason, checked.
> > > > > > >
> > > > > > > On Sun, Mar 15, 2020 at 10:10 AM YUP <yu...@gmail.com>
> wrote:
> > > > > > > >
> > > > > > > > Server has self-signed certificate, can it be a reason?
> > > > > > > >
> > > > > > > > On Sun, Mar 15, 2020 at 9:38 AM YUP <yu...@gmail.com>
> wrote:
> > > > > > > > >
> > > > > > > > > Just to inform you, I made proxified kurento websocket in
> nginx and I
> > > > > > > > > can connect to it:
> > > > > > > > > $ wscat -n --connect
> https://external_server_ip_address/kurento
> > > > > > > > > (node:24082) [DEP0123] DeprecationWarning: Setting the TLS
> ServerName
> > > > > > > > > to an IP address is not permitted by RFC 6066. This will
> be ignored in
> > > > > > > > > a future version.
> > > > > > > > > Connected (press CTRL+C to quit)
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > > I set
> > > > > > > > > - OM_KURENTO_WS_URL=
> https://external_server_ip_address/kurento
> > > > > > > > > but got
> > > > > > > > > o.a.o.c.r.KurentoHandler:124 [pool-1-thread-1] - Fail to
> create
> > > > > > > > > Kurento client, will re-try in 10000 ms
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > On Sun, Mar 15, 2020 at 8:56 AM YUP <yu...@gmail.com>
> wrote:
> > > > > > > > > >
> > > > > > > > > > Can we just proxify kurento websocket? Something like
> this
> > > > > > > > > > https://gist.github.com/steve-ng/ed6de1fa702ef70bd6ce ?
> > > > > > > > > >
> > > > > > > > > > On Sun, Mar 15, 2020 at 8:41 AM Maxim Solodovnik <
> solomax666@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > It seems I misread your previous email "all ports
> except 443, 80, 8080 and 22."
> > > > > > > > > > > I'm afraid you need more open ports ...
> > > > > > > > > > >
> > > > > > > > > > > I'm not sure but I would investigate if KMS/TURN URLs
> can be set up
> > > > > > > > > > > for context i.e.
> > > > > > > > > > > yourserver:4278/turn, yourserver:8888/kms in this case
> you can proxy them ....
> > > > > > > > > > >
> > > > > > > > > > > On Sun, 15 Mar 2020 at 14:32, YUP <yu...@gmail.com>
> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > It nothing changes, only 443 is open to the world.
> > > > > > > > > > > >
> > > > > > > > > > > > On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik <
> solomax666@gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > Maybe you can set up KMS to use 8080?
> > > > > > > > > > > > > TURN requires more open port to handle "totally
> closed" networks ...
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Sun, 15 Mar 2020 at 14:18, YUP <
> yupadmin@gmail.com> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > It seems to me that I found what is happening.
> Firewall blocks all non
> > > > > > > > > > > > > > http requests out to all ports except 443, 80,
> 8080 and 22. That is
> > > > > > > > > > > > > > why I don't have connection to outside turn ans
> stun servers. Is it
> > > > > > > > > > > > > > possible to connect to those server in such
> conditions? Tunnels?
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > On Fri, Mar 13, 2020 at 1:09 AM YUP <
> yupadmin@gmail.com> wrote:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Hello all,
> > > > > > > > > > > > > > > Could someone help me with configuration of my
> OM setup? Any help will
> > > > > > > > > > > > > > > be  greatly appreciated.
> > > > > > > > > > > > > > > I have a server which is for several reasons
> behind NAT, only 443 port
> > > > > > > > > > > > > > > is open. There is sslh balancer, which
> redirect external traffic to
> > > > > > > > > > > > > > > different targets: nginx, openvpn, etc.
> Openmeetings 5.0.0-M3 minimal
> > > > > > > > > > > > > > > installed in container behind nginx proxy and
> works well, except audio
> > > > > > > > > > > > > > > and video. When I perform setup check after
> logged in (video camera
> > > > > > > > > > > > > > > and microphone) I can see myself in camera and
> can also see increasing
> > > > > > > > > > > > > > > and decreasing green line, which indicate
> microphone level, but I
> > > > > > > > > > > > > > > can't save and replay the testing record. As
> far I understand the
> > > > > > > > > > > > > > > problem is in NAT, so I had to use kurento
> server with TURN server. I
> > > > > > > > > > > > > > > did that by adding the environment variables
> for kurento server in
> > > > > > > > > > > > > > > docker container with the corresponding data
> for turn.anyfirewall.com:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >  - KMS_STUN_IP=130.211.143.110
> > > > > > > > > > > > > > >  - KMS_STUN_PORT=443
> > > > > > > > > > > > > > >  - KMS_TURN_URL=
> webrtc:webrtc@130.211.143.110:443?transport=tcp
> > > > > > > > > > > > > > > and the same for openmeetings docker container:
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > >       - TURN_USER=webrtc
> > > > > > > > > > > > > > >       - TURN_PASS=webrtc
> > > > > > > > > > > > > > >       - TURN_URL=
> 130.211.143.110:443?transport=tcp
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > After restarting it allowed me immediately to
> perform network test
> > > > > > > > > > > > > > > (except ip ping), but not resolved the issue
> with camera and
> > > > > > > > > > > > > > > microphone.
> > > > > > > > > > > > > > > When I connect to OM server with help of vpn
> (so I and OM server are
> > > > > > > > > > > > > > > in the same network) everything works as
> needed. I can save and replay
> > > > > > > > > > > > > > > video, I can hear myself, two OM users
> connected by vpn to OM server
> > > > > > > > > > > > > > > can talk to each other, etc. But it is not an
> option use vpn
> > > > > > > > > > > > > > > connection...
> > > > > > > > > > > > > > > I spent two days to find what I did wrong. I
> tried another TURN and
> > > > > > > > > > > > > > > STUN servers, different type of configurations
> and so on, nothing
> > > > > > > > > > > > > > > helped.
> > > > > > > > > > > > > > >
> > > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > > > Yarema
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > >
> > > > > > > > > > > > > --
> > > > > > > > > > > > > WBR
> > > > > > > > > > > > > Maxim aka solomax
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > WBR
> > > > > > > > > > > Maxim aka solomax
> > > >
> > > >
> > > >
> > > > --
> > > > WBR
> > > > Maxim aka solomax
>


-- 
WBR
Maxim aka solomax
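
Added example (not part of the thread, and not sslh's code): the sslh rule quoted above sends a connection on port 443 to coturn when its first bytes contain `\x21\x12\xa4\x42`, which is the STUN magic cookie at offset 4 of every STUN/TURN header. The sketch below models the quoted probe order in simplified form (the openvpn probe is left out, and the unanchored cookie search is an assumption about how the regex rule behaves) and runs it over constructed first packets.

```python
import struct

# Same four bytes as the regex_patterns entry in the quoted sslh config.
STUN_MAGIC_COOKIE = b"\x21\x12\xa4\x42"

# Method numbers from RFC 5389 (STUN) and RFC 5766 (TURN).
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh",
           0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}


def parse_stun_header(data):
    """Strictly parse the 20-byte STUN header; return None if it is not STUN."""
    if len(data) < 20:
        return None
    msg_type, length, cookie, txid = struct.unpack("!HH4s12s", data[:20])
    # Top two bits are zero, length is a multiple of 4, cookie sits at offset 4.
    if msg_type & 0xC000 or length % 4 or cookie != STUN_MAGIC_COOKIE:
        return None
    # Method and class bits are interleaved in the 14-bit message type.
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    return {"method": METHODS.get(method, hex(method)), "class": CLASSES[cls],
            "length": length, "transaction_id": txid.hex()}


def route(first_bytes):
    """Simplified model of the quoted probe order: ssh, ssl, then the regex rule.
    Returns (target, port) as configured in the thread, or None if nothing matches."""
    if first_bytes.startswith(b"SSH-"):
        return ("ssh", 22)
    # TLS handshake record: content type 0x16, major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return ("nginx", 2443)
    # Unanchored search, like a regex without ^ (assumption).
    if STUN_MAGIC_COOKIE in first_bytes:
        return ("coturn", 3478)
    return None


# Constructed first packets.
TURN_ALLOCATE = struct.pack("!HH", 0x0003, 0) + STUN_MAGIC_COOKIE + bytes(range(12))
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"
SSH_BANNER = b"SSH-2.0-OpenSSH_8.2\r\n"
# Cookie bytes at offset 6 instead of 4: matches the regex rule, but is not STUN.
STRAY_COOKIE = b"\x00" * 6 + STUN_MAGIC_COOKIE + b"\x00" * 14

if __name__ == "__main__":
    samples = {"TURN Allocate over TCP": TURN_ALLOCATE,
               "TLS ClientHello": TLS_CLIENT_HELLO,
               "SSH banner": SSH_BANNER,
               "stray cookie bytes": STRAY_COOKIE}
    for name, pkt in samples.items():
        print(f"{name:24} -> {route(pkt)}  strict STUN: {parse_stun_header(pkt)}")
```

In this model a TURN client that wraps its traffic in TLS starts with a ClientHello and is handed to nginx, so only plain TURN over TCP reaches coturn through the cookie rule. The stray-cookie sample shows that the unanchored pattern also accepts payloads that a strict header parse rejects.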

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
Maxim,
Finally I managed to launch openmeetings with kurento and coturn. The
problem was in coturn server which didn't work as expected. I
installed coturn server on my private laptop (no firewall and NAT)
which listens on port 443, with the following configuration:

listening-port=443
tls-listening-port=5349
verbose
lt-cred-mech
user=kurento:kurento
realm=my_openmeetings_server_domain
log-file=/var/log/turnserver/turn.log

After that all openmeetings users can see each other's cameras and hear
each other. The only problem that remains is that session recording files are
wav files, not avi. Do you have a clue what the reason is? Could it
be an ffmpeg issue?

Best,
Yarema


On Thu, Mar 19, 2020 at 9:43 PM YUP <yu...@gmail.com> wrote:
>
> Maxim,
> I made a mistake, in nginx configuration section for openmetings port
> should be 5443 instead of 5080, sorry for that.
> I also forgot to mention that only tcp requests are allowed in our
> firewall, udp if prohibited, as far as know.
> Can you examine my configs and say what is wrong?
>
> Regards,
> Yarema
>
>   location /openmeetings {
>         proxy_pass http://localhost:5080/openmeetings;
>
>         proxy_set_header Host $host;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header Referer 'https://$host/openmeetings/';
>         proxy_set_header X-Real-IP $remote_addr;
>         }
>
> On Mon, Mar 16, 2020 at 5:01 PM YUP <yu...@gmail.com> wrote:
> >
> > Please take your time.
> > I gonna describe my set up briefly .
> >
> > Initial data:
> > External nat has address external_nat_ip
> > All external ports are closed except 443
> > From inside allowed only http connections to ports 80, 8080, 443 and 22
> >
> > Openmeetings runs in docker, I use docker-compose with the following
> > docker-compose.yml:
> >
> > version: '3.7'
> > services:
> >   openmeetings:
> >     image: apache/openmeetings:min-5.0.0-M3
> >     ports:
> >       - "5080:5080"
> >       - "5443:5443"
> >     volumes:
> >       - ~/openmeetings/omdata:/opt/omdata
> >       - ~/openmeetings/logs:/opt/openmeetings/logs
> >     environment:
> >       - OM_KURENTO_WS_URL=ws://kurento:8888/kurento
> >       - TURN_USER=kurento
> >       - TURN_PASS=kurento
> >       - TURN_URL=external_nat_ip?transport=tcp
> >       - OM_DB_TYPE=mysql
> >       - OM_DB_HOST=172.17.0.1
> >       - OM_DB_PORT=3306
> >       - OM_DB_USER=om_user
> >       - OM_DB_PASS=om_passwd
> >       - OM_DB_NAME=openmeetings
> >     depends_on:
> >       - kurento
> >       - coturn
> >     restart: unless-stopped
> >   kurento:
> >     image: kurento/kurento-media-server
> >     ports:
> >       - "8888:8888"
> >     environment:
> >       - KMS_TURN_URL=kurento:kurento@external_nat_ip?transport=tcp
> >     restart: unless-stopped
> >   coturn:
> >     image: kurento/coturn-auth
> >     ports:
> >       - "3478:3478"
> >     environment:
> >       - LISTENING_PORT=3478
> >       - REALM=kurento.org
> >       - USER=kurento
> >       - PASSWORD=kurento
> >     restart: unless-stopped
> >
> > I use sslh https://github.com/yrutschle/sslh to connect do different
> > services behind nat with the following configuration:
> >
> > verbose: true
> > timeout: 18000;
> > listen:
> > (
> >     { host: "internal_nat_ip"; port: "443"; }
> > );
> > protocols:
> > (
> > # ssh:
> >      { name: "ssh"; service: "ssh"; host: "localhost"; port: "22";
> > probe: "builtin"; },
> > # openvpn:
> >      { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; },
> > # nginx:
> >      { name: "ssl"; host: "localhost"; port: "2443"; probe: "builtin";
> > log_level: 0;},
> > # coturn:
> >      { name: "regex"; host: "localhost"; port: "3478"; regex_patterns:
> > [ "\x21\x12\xa4\x42" ]; }
> > );
> > transparent: true;
> >
> >
> > And nginx configuration (there are another services, I left only
> > openmeetings and kurento (do I really need to have kurento websocket
> > outside nat?))
> >
> >
> > server {
> >     listen       2443 ssl http2;
> >     listen [::]:2443 ssl http2;
> >     server_name  localhost;
> >
> >     autoindex on;
> >     root   /srv/http/;
> >     index index.php index.html index.htm;
> >
> > #    ssl_certificate      /etc/httpd/conf/server.crt;
> > #    ssl_certificate_key  /etc/httpd/conf/server.key;
> >
> >     include conf/001-certbot.conf;
> >
> > #    ssl on;
> >     ssl_session_cache  builtin:1000  shared:SSL:10m;
> >     ssl_protocols  TLSv1 TLSv1.1; #TLSv1.2;
> > #    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
> > #    ssl_prefer_server_ciphers on;
> >
> >
> >      proxy_headers_hash_max_size 512;
> >      proxy_headers_hash_bucket_size 128;
> >
> >     location ~ [^/]\.php(/|$) {
> >         fastcgi_split_path_info  ^(.+\.php)(/.+)$;
> >         fastcgi_index            index.php;
> >         fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
> >         include fastcgi.conf;
> >         fastcgi_param   PATH_INFO       $fastcgi_path_info;
> >         fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
> >     }
> >
> > # User directories, e.g. http://example.com/~user/ :
> >         location ~ ^/~(.+?)(/.*)?$ {
> >         alias     /home/$1/public_html$2;
> >         index     index.html index.htm;
> >         autoindex on;
> >         auth_pam              "Restricted Zone";
> >         auth_pam_service_name "nginx";
> >     }
> >
> >       # Deny static files
> >        location ~ ^/(README|LICENSE|ChangeLog|DCO)$ {
> >           deny all;
> >        }
> >
> >        # Deny .md files
> >        location ~ ^/(.+\.md)$ {
> >           deny all;
> >        }
> >
> >        # Deny setup directories
> >        location ~ ^/(doc|sql|setup)/ {
> >           deny all;
> >        }
> >     }
> >
> >   location /openmeetings {
> >         proxy_pass http://localhost:5080/openmeetings;
> >
> >         proxy_set_header Host $host;
> >         proxy_http_version 1.1;
> >         proxy_set_header Upgrade $http_upgrade;
> >         proxy_set_header Connection "upgrade";
> >
> >         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >         proxy_set_header Referer 'https://$host/openmeetings/';
> >         proxy_set_header X-Real-IP $remote_addr;
> >         }
> >
> >     location /kurento {
> > # prevents 502 bad gateway error
> >             proxy_buffers 8 32k;
> >             proxy_buffer_size 64k;
> > # redirect all HTTP traffic to localhost:8088;
> >             proxy_pass http://0.0.0.0:8888/kurento;
> > #            proxy_set_header X-Real-IP $remote_addr;
> > #            proxy_set_header Host $http_host;
> > #            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
> >             #proxy_set_header X-NginX-Proxy true;
> >             # enables WS support
> >             proxy_http_version 1.1;
> >             proxy_set_header Upgrade $http_upgrade;
> >             proxy_set_header Connection "upgrade";
> >             proxy_read_timeout 999999999;
> >         }
> >
> >     add_header X-Frame-Options SAMEORIGIN;
> >     add_header X-Content-Type-Options nosniff;
> > }
> >
> >
> >
> > On Mon, Mar 16, 2020 at 1:39 PM Maxim Solodovnik <so...@gmail.com> wrote:
> > >
> > > Hello Yarema,
> > >
> > > sorry for keeping silence
> > > I'll try to investigate this config later this week
> > > Too much day time job right now :(
> > >
> > > Please share your further findings here if any :)
> > >
> > > On Mon, 16 Mar 2020 at 09:04, YUP <yu...@gmail.com> wrote:
> > > >
> > > > Maxim,
> > > > I also managed to install coturn on an external server which listens
> > > > on port 443. Kurento connects to this port (via TURN_URL,
> > > > TURN_USER,TURN_PASS), I can see it in logs. I see in logs that
> > > > openmeetings connects to kurento. But I don't understand why all my
> > > > construction not working as needed? I still can't make settings test,
> > > > record and play sample, two users can't see each other videos from
> > > > cameras.
> > > > Here I should to see to find the solution?
> > > >
> > > > On Sun, Mar 15, 2020 at 7:23 PM YUP <yu...@gmail.com> wrote:
> > > > >
> > > > > I was able to connect to kurento websocket which is proxified by
> > > > > nginx, the solution was very simple, put wss instead of https,
> > > > > probably for some reasons openmeetings needs to have ws or wss in the
> > > > > input url:
> > > > > - OM_KURENTO_WS_URL=wss://external_server_ip_address/kurento
> > > > > But it is not solved the issue with recording audio/video in test and
> > > > > different users.
> > > > >
> > > > > On Sun, Mar 15, 2020 at 10:16 AM YUP <yu...@gmail.com> wrote:
> > > > > >
> > > > > > No, it is not a reason, checked.
> > > > > >
> > > > > > On Sun, Mar 15, 2020 at 10:10 AM YUP <yu...@gmail.com> wrote:
> > > > > > >
> > > > > > > Server has self-signed certificate, can it be a reason?
> > > > > > >
> > > > > > > On Sun, Mar 15, 2020 at 9:38 AM YUP <yu...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > Just to inform you, I made proxified kurento websocket in nginx and I
> > > > > > > > can connect to it:
> > > > > > > > $ wscat -n --connect  https://external_server_ip_address/kurento
> > > > > > > > (node:24082) [DEP0123] DeprecationWarning: Setting the TLS ServerName
> > > > > > > > to an IP address is not permitted by RFC 6066. This will be ignored in
> > > > > > > > a future version.
> > > > > > > > Connected (press CTRL+C to quit)
> > > > > > > > >
> > > > > > > >
> > > > > > > > I set
> > > > > > > > - OM_KURENTO_WS_URL=https://external_server_ip_address/kurento
> > > > > > > > but got
> > > > > > > > o.a.o.c.r.KurentoHandler:124 [pool-1-thread-1] - Fail to create
> > > > > > > > Kurento client, will re-try in 10000 ms
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > On Sun, Mar 15, 2020 at 8:56 AM YUP <yu...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > Can we just proxify kurento websocket? Something like this
> > > > > > > > > https://gist.github.com/steve-ng/ed6de1fa702ef70bd6ce ?
> > > > > > > > >
> > > > > > > > > On Sun, Mar 15, 2020 at 8:41 AM Maxim Solodovnik <so...@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > It seems I misread your previous email "all ports except 443, 80, 8080 and 22."
> > > > > > > > > > I'm afraid you need more open ports ...
> > > > > > > > > >
> > > > > > > > > > I'm not sure but I would investigate if KMS/TURN URLs can be set up
> > > > > > > > > > for context i.e.
> > > > > > > > > > yourserver:4278/turn, yourserver:8888/kms in this case you can proxy them ....
> > > > > > > > > >
> > > > > > > > > > On Sun, 15 Mar 2020 at 14:32, YUP <yu...@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > It nothing changes, only 443 is open to the world.
> > > > > > > > > > >
> > > > > > > > > > > On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik <so...@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > Maybe you can set up KMS to use 8080?
> > > > > > > > > > > > TURN requires more open port to handle "totally closed" networks ...
> > > > > > > > > > > >
> > > > > > > > > > > > On Sun, 15 Mar 2020 at 14:18, YUP <yu...@gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > It seems to me that I found what is happening. Firewall blocks all non
> > > > > > > > > > > > > http requests out to all ports except 443, 80, 8080 and 22. That is
> > > > > > > > > > > > > why I don't have connection to outside turn and stun servers. Is it
> > > > > > > > > > > > > possible to connect to those server in such conditions? Tunnels?
> > > > > > > > > > > > >
> > > > > > > > > > > > > On Fri, Mar 13, 2020 at 1:09 AM YUP <yu...@gmail.com> wrote:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Hello all,
> > > > > > > > > > > > > > Could someone help me with configuration of my OM setup? Any help will
> > > > > > > > > > > > > > be  greatly appreciated.
> > > > > > > > > > > > > > I have a server which is for several reasons behind NAT, only 443 port
> > > > > > > > > > > > > > is open. There is sslh balancer, which redirect external traffic to
> > > > > > > > > > > > > > different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> > > > > > > > > > > > > > installed in container behind nginx proxy and works well, except audio
> > > > > > > > > > > > > > and video. When I perform setup check after logged in (video camera
> > > > > > > > > > > > > > and microphone) I can see myself in camera and can also see increasing
> > > > > > > > > > > > > > and decreasing green line, which indicate microphone level, but I
> > > > > > > > > > > > > > can't save and replay the testing record. As far I understand the
> > > > > > > > > > > > > > problem is in NAT, so I had to use kurento server with TURN server. I
> > > > > > > > > > > > > > did that by adding the environment variables for kurento server in
> > > > > > > > > > > > > > docker container with the corresponding data for turn.anyfirewall.com:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >  - KMS_STUN_IP=130.211.143.110
> > > > > > > > > > > > > >  - KMS_STUN_PORT=443
> > > > > > > > > > > > > >  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> > > > > > > > > > > > > > and the same for openmeetings docker container:
> > > > > > > > > > > > > >
> > > > > > > > > > > > > >       - TURN_USER=webrtc
> > > > > > > > > > > > > >       - TURN_PASS=webrtc
> > > > > > > > > > > > > >       - TURN_URL=130.211.143.110:443?transport=tcp
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > After restarting it allowed me immediately to perform network test
> > > > > > > > > > > > > > (except ip ping), but not resolved the issue with camera and
> > > > > > > > > > > > > > microphone.
> > > > > > > > > > > > > > When I connect to OM server with help of vpn (so I and OM server are
> > > > > > > > > > > > > > in the same network) everything works as needed. I can save and replay
> > > > > > > > > > > > > > video, I can hear myself, two OM users connected by vpn to OM server
> > > > > > > > > > > > > > can talk to each other, etc. But it is not an option use vpn
> > > > > > > > > > > > > > connection...
> > > > > > > > > > > > > > I spent two days to find what I did wrong. I tried another TURN and
> > > > > > > > > > > > > > STUN servers, different type of configurations and so on, nothing
> > > > > > > > > > > > > > helped.
> > > > > > > > > > > > > >
> > > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > > Yarema
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > >
> > > > > > > > > > > > --
> > > > > > > > > > > > WBR
> > > > > > > > > > > > Maxim aka solomax
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > WBR
> > > > > > > > > > Maxim aka solomax
> > >
> > >
> > >
> > > --
> > > WBR
> > > Maxim aka solomax

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
Maxim,
I made a mistake, in nginx configuration section for openmeetings port
should be 5443 instead of 5080, sorry for that.
I also forgot to mention that only tcp requests are allowed in our
firewall, udp is prohibited, as far as I know.
Can you examine my configs and say what is wrong?

Regards,
Yarema

  location /openmeetings {
        proxy_pass http://localhost:5080/openmeetings;

        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer 'https://$host/openmeetings/';
        proxy_set_header X-Real-IP $remote_addr;
        }

On Mon, Mar 16, 2020 at 5:01 PM YUP <yu...@gmail.com> wrote:
>
> Please take your time.
> I'm going to describe my setup briefly.
>
> Initial data:
> External nat has address external_nat_ip
> All external ports are closed except 443
> From inside allowed only http connections to ports 80, 8080, 443 and 22
>
> Openmeetings runs in docker, I use docker-compose with the following
> docker-compose.yml:
>
> version: '3.7'
> services:
>   openmeetings:
>     image: apache/openmeetings:min-5.0.0-M3
>     ports:
>       - "5080:5080"
>       - "5443:5443"
>     volumes:
>       - ~/openmeetings/omdata:/opt/omdata
>       - ~/openmeetings/logs:/opt/openmeetings/logs
>     environment:
>       - OM_KURENTO_WS_URL=ws://kurento:8888/kurento
>       - TURN_USER=kurento
>       - TURN_PASS=kurento
>       - TURN_URL=external_nat_ip?transport=tcp
>       - OM_DB_TYPE=mysql
>       - OM_DB_HOST=172.17.0.1
>       - OM_DB_PORT=3306
>       - OM_DB_USER=om_user
>       - OM_DB_PASS=om_passwd
>       - OM_DB_NAME=openmeetings
>     depends_on:
>       - kurento
>       - coturn
>     restart: unless-stopped
>   kurento:
>     image: kurento/kurento-media-server
>     ports:
>       - "8888:8888"
>     environment:
>       - KMS_TURN_URL=kurento:kurento@external_nat_ip?transport=tcp
>     restart: unless-stopped
>   coturn:
>     image: kurento/coturn-auth
>     ports:
>       - "3478:3478"
>     environment:
>       - LISTENING_PORT=3478
>       - REALM=kurento.org
>       - USER=kurento
>       - PASSWORD=kurento
>     restart: unless-stopped
>
> I use sslh https://github.com/yrutschle/sslh to connect to different
> services behind nat with the following configuration:
>
> verbose: true
> timeout: 18000;
> listen:
> (
>     { host: "internal_nat_ip"; port: "443"; }
> );
> protocols:
> (
> # ssh:
>      { name: "ssh"; service: "ssh"; host: "localhost"; port: "22";
> probe: "builtin"; },
> # openvpn:
>      { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; },
> # nginx:
>      { name: "ssl"; host: "localhost"; port: "2443"; probe: "builtin";
> log_level: 0;},
> # coturn:
>      { name: "regex"; host: "localhost"; port: "3478"; regex_patterns:
> [ "\x21\x12\xa4\x42" ]; }
> );
> transparent: true;
>
>
> And nginx configuration (there are other services, I left only
> openmeetings and kurento (do I really need to have kurento websocket
> outside nat?))
>
>
> server {
>     listen       2443 ssl http2;
>     listen [::]:2443 ssl http2;
>     server_name  localhost;
>
>     autoindex on;
>     root   /srv/http/;
>     index index.php index.html index.htm;
>
> #    ssl_certificate      /etc/httpd/conf/server.crt;
> #    ssl_certificate_key  /etc/httpd/conf/server.key;
>
>     include conf/001-certbot.conf;
>
> #    ssl on;
>     ssl_session_cache  builtin:1000  shared:SSL:10m;
>     ssl_protocols  TLSv1 TLSv1.1; #TLSv1.2;
> #    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
> #    ssl_prefer_server_ciphers on;
>
>
>      proxy_headers_hash_max_size 512;
>      proxy_headers_hash_bucket_size 128;
>
>     location ~ [^/]\.php(/|$) {
>         fastcgi_split_path_info  ^(.+\.php)(/.+)$;
>         fastcgi_index            index.php;
>         fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
>         include fastcgi.conf;
>         fastcgi_param   PATH_INFO       $fastcgi_path_info;
>         fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
>     }
>
> # User directories, e.g. http://example.com/~user/ :
>         location ~ ^/~(.+?)(/.*)?$ {
>         alias     /home/$1/public_html$2;
>         index     index.html index.htm;
>         autoindex on;
>         auth_pam              "Restricted Zone";
>         auth_pam_service_name "nginx";
>     }
>
>       # Deny static files
>        location ~ ^/(README|LICENSE|ChangeLog|DCO)$ {
>           deny all;
>        }
>
>        # Deny .md files
>        location ~ ^/(.+\.md)$ {
>           deny all;
>        }
>
>        # Deny setup directories
>        location ~ ^/(doc|sql|setup)/ {
>           deny all;
>        }
>     }
>
>   location /openmeetings {
>         proxy_pass http://localhost:5080/openmeetings;
>
>         proxy_set_header Host $host;
>         proxy_http_version 1.1;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header Referer 'https://$host/openmeetings/';
>         proxy_set_header X-Real-IP $remote_addr;
>         }
>
>     location /kurento {
> # prevents 502 bad gateway error
>             proxy_buffers 8 32k;
>             proxy_buffer_size 64k;
> # redirect all HTTP traffic to localhost:8088;
>             proxy_pass http://0.0.0.0:8888/kurento;
> #            proxy_set_header X-Real-IP $remote_addr;
> #            proxy_set_header Host $http_host;
> #            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             #proxy_set_header X-NginX-Proxy true;
>             # enables WS support
>             proxy_http_version 1.1;
>             proxy_set_header Upgrade $http_upgrade;
>             proxy_set_header Connection "upgrade";
>             proxy_read_timeout 999999999;
>         }
>
>     add_header X-Frame-Options SAMEORIGIN;
>     add_header X-Content-Type-Options nosniff;
> }
>
>
>
> On Mon, Mar 16, 2020 at 1:39 PM Maxim Solodovnik <so...@gmail.com> wrote:
> >
> > Hello Yarema,
> >
> > sorry for keeping silence
> > I'll try to investigate this config later this week
> > Too much day time job right now :(
> >
> > Please share your further findings here if any :)
> >
> > On Mon, 16 Mar 2020 at 09:04, YUP <yu...@gmail.com> wrote:
> > >
> > > Maxim,
> > > I also managed to install coturn on an external server which listens
> > > on port 443. Kurento connects to this port (via TURN_URL,
> > > TURN_USER,TURN_PASS), I can see it in logs. I see in logs that
> > > openmeetings connects to kurento. But I don't understand why all my
> > > construction not working as needed? I still can't make settings test,
> > > record and play sample, two users can't see each other videos from
> > > cameras.
> > > Here I should to see to find the solution?
> > >
> > > On Sun, Mar 15, 2020 at 7:23 PM YUP <yu...@gmail.com> wrote:
> > > >
> > > > I was able to connect to kurento websocket which is proxified by
> > > > nginx, the solution was very simple, put wss instead of https,
> > > > probably for some reasons openmeetings needs to have ws or wss in the
> > > > input url:
> > > > - OM_KURENTO_WS_URL=wss://external_server_ip_address/kurento
> > > > But it is not solved the issue with recording audio/video in test and
> > > > different users.
> > > >
> > > > On Sun, Mar 15, 2020 at 10:16 AM YUP <yu...@gmail.com> wrote:
> > > > >
> > > > > No, it is not a reason, checked.
> > > > >
> > > > > On Sun, Mar 15, 2020 at 10:10 AM YUP <yu...@gmail.com> wrote:
> > > > > >
> > > > > > Server has self-signed certificate, can it be a reason?
> > > > > >
> > > > > > On Sun, Mar 15, 2020 at 9:38 AM YUP <yu...@gmail.com> wrote:
> > > > > > >
> > > > > > > Just to inform you, I made proxified kurento websocket in nginx and I
> > > > > > > can connect to it:
> > > > > > > $ wscat -n --connect  https://external_server_ip_address/kurento
> > > > > > > (node:24082) [DEP0123] DeprecationWarning: Setting the TLS ServerName
> > > > > > > to an IP address is not permitted by RFC 6066. This will be ignored in
> > > > > > > a future version.
> > > > > > > Connected (press CTRL+C to quit)
> > > > > > > >
> > > > > > >
> > > > > > > I set
> > > > > > > - OM_KURENTO_WS_URL=https://external_server_ip_address/kurento
> > > > > > > but got
> > > > > > > o.a.o.c.r.KurentoHandler:124 [pool-1-thread-1] - Fail to create
> > > > > > > Kurento client, will re-try in 10000 ms
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > On Sun, Mar 15, 2020 at 8:56 AM YUP <yu...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > Can we just proxify kurento websocket? Something like this
> > > > > > > > https://gist.github.com/steve-ng/ed6de1fa702ef70bd6ce ?
> > > > > > > >
> > > > > > > > On Sun, Mar 15, 2020 at 8:41 AM Maxim Solodovnik <so...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > It seems I misread your previous email "all ports except 443, 80, 8080 and 22."
> > > > > > > > > I'm afraid you need more open ports ...
> > > > > > > > >
> > > > > > > > > I'm not sure but I would investigate if KMS/TURN URLs can be set up
> > > > > > > > > for context i.e.
> > > > > > > > > yourserver:4278/turn, yourserver:8888/kms in this case you can proxy them ....
> > > > > > > > >
> > > > > > > > > On Sun, 15 Mar 2020 at 14:32, YUP <yu...@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > It nothing changes, only 443 is open to the world.
> > > > > > > > > >
> > > > > > > > > > On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik <so...@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > Maybe you can set up KMS to use 8080?
> > > > > > > > > > > TURN requires more open port to handle "totally closed" networks ...
> > > > > > > > > > >
> > > > > > > > > > > On Sun, 15 Mar 2020 at 14:18, YUP <yu...@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > It seems to me that I found what is happening. Firewall blocks all non
> > > > > > > > > > > > http requests out to all ports except 443, 80, 8080 and 22. That is
> > > > > > > > > > > > why I don't have connection to outside turn and stun servers. Is it
> > > > > > > > > > > > possible to connect to those server in such conditions? Tunnels?
> > > > > > > > > > > >
> > > > > > > > > > > > On Fri, Mar 13, 2020 at 1:09 AM YUP <yu...@gmail.com> wrote:
> > > > > > > > > > > > >
> > > > > > > > > > > > > Hello all,
> > > > > > > > > > > > > Could someone help me with configuration of my OM setup? Any help will
> > > > > > > > > > > > > be  greatly appreciated.
> > > > > > > > > > > > > I have a server which is for several reasons behind NAT, only 443 port
> > > > > > > > > > > > > is open. There is sslh balancer, which redirect external traffic to
> > > > > > > > > > > > > different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> > > > > > > > > > > > > installed in container behind nginx proxy and works well, except audio
> > > > > > > > > > > > > and video. When I perform setup check after logged in (video camera
> > > > > > > > > > > > > and microphone) I can see myself in camera and can also see increasing
> > > > > > > > > > > > > and decreasing green line, which indicate microphone level, but I
> > > > > > > > > > > > > can't save and replay the testing record. As far I understand the
> > > > > > > > > > > > > problem is in NAT, so I had to use kurento server with TURN server. I
> > > > > > > > > > > > > did that by adding the environment variables for kurento server in
> > > > > > > > > > > > > docker container with the corresponding data for turn.anyfirewall.com:
> > > > > > > > > > > > >
> > > > > > > > > > > > >  - KMS_STUN_IP=130.211.143.110
> > > > > > > > > > > > >  - KMS_STUN_PORT=443
> > > > > > > > > > > > >  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> > > > > > > > > > > > > and the same for openmeetings docker container:
> > > > > > > > > > > > >
> > > > > > > > > > > > >       - TURN_USER=webrtc
> > > > > > > > > > > > >       - TURN_PASS=webrtc
> > > > > > > > > > > > >       - TURN_URL=130.211.143.110:443?transport=tcp
> > > > > > > > > > > > >
> > > > > > > > > > > > > After restarting it allowed me immediately to perform network test
> > > > > > > > > > > > > (except ip ping), but not resolved the issue with camera and
> > > > > > > > > > > > > microphone.
> > > > > > > > > > > > > When I connect to OM server with help of vpn (so I and OM server are
> > > > > > > > > > > > > in the same network) everything works as needed. I can save and replay
> > > > > > > > > > > > > video, I can hear myself, two OM users connected by vpn to OM server
> > > > > > > > > > > > > can talk to each other, etc. But it is not an option use vpn
> > > > > > > > > > > > > connection...
> > > > > > > > > > > > > I spent two days to find what I did wrong. I tried another TURN and
> > > > > > > > > > > > > STUN servers, different type of configurations and so on, nothing
> > > > > > > > > > > > > helped.
> > > > > > > > > > > > >
> > > > > > > > > > > > > Regards,
> > > > > > > > > > > > > Yarema
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > >
> > > > > > > > > > > --
> > > > > > > > > > > WBR
> > > > > > > > > > > Maxim aka solomax
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > WBR
> > > > > > > > > Maxim aka solomax
> >
> >
> >
> > --
> > WBR
> > Maxim aka solomax

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
Please take your time.
I'm going to describe my setup briefly.

Initial data:
External nat has address external_nat_ip
All external ports are closed except 443
From inside allowed only http connections to ports 80, 8080, 443 and 22

Openmeetings runs in docker, I use docker-compose with the following
docker-compose.yml:

version: '3.7'
services:
  openmeetings:
    image: apache/openmeetings:min-5.0.0-M3
    ports:
      - "5080:5080"
      - "5443:5443"
    volumes:
      - ~/openmeetings/omdata:/opt/omdata
      - ~/openmeetings/logs:/opt/openmeetings/logs
    environment:
      - OM_KURENTO_WS_URL=ws://kurento:8888/kurento
      - TURN_USER=kurento
      - TURN_PASS=kurento
      - TURN_URL=external_nat_ip?transport=tcp
      - OM_DB_TYPE=mysql
      - OM_DB_HOST=172.17.0.1
      - OM_DB_PORT=3306
      - OM_DB_USER=om_user
      - OM_DB_PASS=om_passwd
      - OM_DB_NAME=openmeetings
    depends_on:
      - kurento
      - coturn
    restart: unless-stopped
  kurento:
    image: kurento/kurento-media-server
    ports:
      - "8888:8888"
    environment:
      - KMS_TURN_URL=kurento:kurento@external_nat_ip?transport=tcp
    restart: unless-stopped
  coturn:
    image: kurento/coturn-auth
    ports:
      - "3478:3478"
    environment:
      - LISTENING_PORT=3478
      - REALM=kurento.org
      - USER=kurento
      - PASSWORD=kurento
    restart: unless-stopped

I use sslh https://github.com/yrutschle/sslh to connect to different
services behind nat with the following configuration:

verbose: true
timeout: 18000;
listen:
(
    { host: "internal_nat_ip"; port: "443"; }
);
protocols:
(
# ssh:
     { name: "ssh"; service: "ssh"; host: "localhost"; port: "22";
probe: "builtin"; },
# openvpn:
     { name: "openvpn"; host: "localhost"; port: "1194"; probe: "builtin"; },
# nginx:
     { name: "ssl"; host: "localhost"; port: "2443"; probe: "builtin";
log_level: 0;},
# coturn:
     { name: "regex"; host: "localhost"; port: "3478"; regex_patterns:
[ "\x21\x12\xa4\x42" ]; }
);
transparent: true;


And nginx configuration (there are other services, I left only
openmeetings and kurento (do I really need to have kurento websocket
outside nat?))


server {
    listen       2443 ssl http2;
    listen [::]:2443 ssl http2;
    server_name  localhost;

    autoindex on;
    root   /srv/http/;
    index index.php index.html index.htm;

#    ssl_certificate      /etc/httpd/conf/server.crt;
#    ssl_certificate_key  /etc/httpd/conf/server.key;

    include conf/001-certbot.conf;

#    ssl on;
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1 TLSv1.1; #TLSv1.2;
#    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
#    ssl_prefer_server_ciphers on;


     proxy_headers_hash_max_size 512;
     proxy_headers_hash_bucket_size 128;

    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info  ^(.+\.php)(/.+)$;
        fastcgi_index            index.php;
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        include fastcgi.conf;
        fastcgi_param   PATH_INFO       $fastcgi_path_info;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

# User directories, e.g. http://example.com/~user/ :
        location ~ ^/~(.+?)(/.*)?$ {
        alias     /home/$1/public_html$2;
        index     index.html index.htm;
        autoindex on;
        auth_pam              "Restricted Zone";
        auth_pam_service_name "nginx";
    }

      # Deny static files
       location ~ ^/(README|LICENSE|ChangeLog|DCO)$ {
          deny all;
       }

       # Deny .md files
       location ~ ^/(.+\.md)$ {
          deny all;
       }

       # Deny setup directories
       location ~ ^/(doc|sql|setup)/ {
          deny all;
       }
    }

  location /openmeetings {
        proxy_pass http://localhost:5080/openmeetings;

        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Referer 'https://$host/openmeetings/';
        proxy_set_header X-Real-IP $remote_addr;
        }

    location /kurento {
# prevents 502 bad gateway error
            proxy_buffers 8 32k;
            proxy_buffer_size 64k;
# redirect all HTTP traffic to localhost:8088;
            proxy_pass http://0.0.0.0:8888/kurento;
#            proxy_set_header X-Real-IP $remote_addr;
#            proxy_set_header Host $http_host;
#            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_set_header X-NginX-Proxy true;
            # enables WS support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 999999999;
        }

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
}



On Mon, Mar 16, 2020 at 1:39 PM Maxim Solodovnik <so...@gmail.com> wrote:
>
> Hello Yarema,
>
> sorry for keeping silence
> I'll try to investigate this config later this week
> Too much day time job right now :(
>
> Please share your further findings here if any :)
>
> On Mon, 16 Mar 2020 at 09:04, YUP <yu...@gmail.com> wrote:
> >
> > Maxim,
> > I also managed to install coturn on an external server which listens
> > on port 443. Kurento connects to this port (via TURN_URL,
> > TURN_USER,TURN_PASS), I can see it in logs. I see in logs that
> > openmeetings connects to kurento. But I don't understand why all my
> > construction not working as needed? I still can't make settings test,
> > record and play sample, two users can't see each other videos from
> > cameras.
> > Here I should to see to find the solution?
> >
> > On Sun, Mar 15, 2020 at 7:23 PM YUP <yu...@gmail.com> wrote:
> > >
> > > I was able to connect to kurento websocket which is proxified by
> > > nginx, the solution was very simple, put wss instead of https,
> > > probably for some reasons openmeetings needs to have ws or wss in the
> > > input url:
> > > - OM_KURENTO_WS_URL=wss://external_server_ip_address/kurento
> > > But it is not solved the issue with recording audio/video in test and
> > > different users.
> > >
> > > On Sun, Mar 15, 2020 at 10:16 AM YUP <yu...@gmail.com> wrote:
> > > >
> > > > No, it is not a reason, checked.
> > > >
> > > > On Sun, Mar 15, 2020 at 10:10 AM YUP <yu...@gmail.com> wrote:
> > > > >
> > > > > Server has self-signed certificate, can it be a reason?
> > > > >
> > > > > On Sun, Mar 15, 2020 at 9:38 AM YUP <yu...@gmail.com> wrote:
> > > > > >
> > > > > > Just to inform you, I made proxified kurento websocket in nginx and I
> > > > > > can connect to it:
> > > > > > $ wscat -n --connect  https://external_server_ip_address/kurento
> > > > > > (node:24082) [DEP0123] DeprecationWarning: Setting the TLS ServerName
> > > > > > to an IP address is not permitted by RFC 6066. This will be ignored in
> > > > > > a future version.
> > > > > > Connected (press CTRL+C to quit)
> > > > > > >
> > > > > >
> > > > > > I set
> > > > > > - OM_KURENTO_WS_URL=https://external_server_ip_address/kurento
> > > > > > but got
> > > > > > o.a.o.c.r.KurentoHandler:124 [pool-1-thread-1] - Fail to create
> > > > > > Kurento client, will re-try in 10000 ms
> > > > > >
> > > > > >
> > > > > >
> > > > > > On Sun, Mar 15, 2020 at 8:56 AM YUP <yu...@gmail.com> wrote:
> > > > > > >
> > > > > > > Can we just proxify kurento websocket? Something like this
> > > > > > > https://gist.github.com/steve-ng/ed6de1fa702ef70bd6ce ?
> > > > > > >
> > > > > > > On Sun, Mar 15, 2020 at 8:41 AM Maxim Solodovnik <so...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > It seems I misread your previous email "all ports except 443, 80, 8080 and 22."
> > > > > > > > I'm afraid you need more open ports ...
> > > > > > > >
> > > > > > > > I'm not sure but I would investigate if KMS/TURN URLs can be set up
> > > > > > > > for context i.e.
> > > > > > > > yourserver:4278/turn, yourserver:8888/kms in this case you can proxy them ....
> > > > > > > >
> > > > > > > > On Sun, 15 Mar 2020 at 14:32, YUP <yu...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > It nothing changes, only 443 is open to the world.
> > > > > > > > >
> > > > > > > > > On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik <so...@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > Maybe you can set up KMS to use 8080?
> > > > > > > > > > TURN requires more open port to handle "totally closed" networks ...
> > > > > > > > > >
> > > > > > > > > > On Sun, 15 Mar 2020 at 14:18, YUP <yu...@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > It seems to me that I found what is happening. Firewall blocks all non
> > > > > > > > > > > http requests out to all ports except 443, 80, 8080 and 22. That is
> > > > > > > > > > > why I don't have connection to outside turn and stun servers. Is it
> > > > > > > > > > > possible to connect to those server in such conditions? Tunnels?
> > > > > > > > > > >
> > > > > > > > > > > On Fri, Mar 13, 2020 at 1:09 AM YUP <yu...@gmail.com> wrote:
> > > > > > > > > > > >
> > > > > > > > > > > > Hello all,
> > > > > > > > > > > > Could someone help me with configuration of my OM setup? Any help will
> > > > > > > > > > > > be  greatly appreciated.
> > > > > > > > > > > > I have a server which is for several reasons behind NAT, only 443 port
> > > > > > > > > > > > is open. There is sslh balancer, which redirect external traffic to
> > > > > > > > > > > > different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> > > > > > > > > > > > installed in container behind nginx proxy and works well, except audio
> > > > > > > > > > > > and video. When I perform setup check after logged in (video camera
> > > > > > > > > > > > and microphone) I can see myself in camera and can also see increasing
> > > > > > > > > > > > and decreasing green line, which indicate microphone level, but I
> > > > > > > > > > > > can't save and replay the testing record. As far I understand the
> > > > > > > > > > > > problem is in NAT, so I had to use kurento server with TURN server. I
> > > > > > > > > > > > did that by adding the environment variables for kurento server in
> > > > > > > > > > > > docker container with the corresponding data for turn.anyfirewall.com:
> > > > > > > > > > > >
> > > > > > > > > > > >  - KMS_STUN_IP=130.211.143.110
> > > > > > > > > > > >  - KMS_STUN_PORT=443
> > > > > > > > > > > >  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> > > > > > > > > > > > and the same for openmeetings docker container:
> > > > > > > > > > > >
> > > > > > > > > > > >       - TURN_USER=webrtc
> > > > > > > > > > > >       - TURN_PASS=webrtc
> > > > > > > > > > > >       - TURN_URL=130.211.143.110:443?transport=tcp
> > > > > > > > > > > >
> > > > > > > > > > > > After restarting it allowed me immediately to perform network test
> > > > > > > > > > > > (except ip ping), but not resolved the issue with camera and
> > > > > > > > > > > > microphone.
> > > > > > > > > > > > When I connect to OM server with help of vpn (so I and OM server are
> > > > > > > > > > > > in the same network) everything works as needed. I can save and replay
> > > > > > > > > > > > video, I can hear myself, two OM users connected by vpn to OM server
> > > > > > > > > > > > can talk to each other, etc. But it is not an option use vpn
> > > > > > > > > > > > connection...
> > > > > > > > > > > > I spent two days to find what I did wrong. I tried another TURN and
> > > > > > > > > > > > STUN servers, different type of configurations and so on, nothing
> > > > > > > > > > > > helped.
> > > > > > > > > > > >
> > > > > > > > > > > > Regards,
> > > > > > > > > > > > Yarema
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > WBR
> > > > > > > > > > Maxim aka solomax
> > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > > > --
> > > > > > > > WBR
> > > > > > > > Maxim aka solomax
>
>
>
> --
> WBR
> Maxim aka solomax

Re: Openmeetings, kurento and TURN behind NAT

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Yarema,

sorry for keeping silent
I'll try to investigate this config later this week
Too much day time job right now :(

Please share your further findings here if any :)

On Mon, 16 Mar 2020 at 09:04, YUP <yu...@gmail.com> wrote:
>
> Maxim,
> I was also managed to install coturn on external server which listen
> on port 443. Kurento connects to this port (via TURN_URL,
> TURN_USER,TURN_PASS), I can see it in logs. I see in logs that
> openmeetings connects to kurento. But I don't understand why all my
> construction not working as needed? I still can't make settings test,
> record and play sample, two users can't see each other videos from
> cameras.
> Here I should to see to find the solution?
>
> On Sun, Mar 15, 2020 at 7:23 PM YUP <yu...@gmail.com> wrote:
> >
> > I was able to connect to kurento websocket which is proxified by
> > nginx, the solution was very simple, put wss instead of https,
> > probably for some reasons openmeetings needs to have ws or wss in the
> > input url:
> > - OM_KURENTO_WS_URL=wss://external_server_ip_address/kurento
> > But it is not solved the issue with recording audio/video in test and
> > different users.
> >
> > On Sun, Mar 15, 2020 at 10:16 AM YUP <yu...@gmail.com> wrote:
> > >
> > > No, it is not a reason, checked.
> > >
> > > On Sun, Mar 15, 2020 at 10:10 AM YUP <yu...@gmail.com> wrote:
> > > >
> > > > Server has self-signed certificate, can it be a reason?
> > > >
> > > > On Sun, Mar 15, 2020 at 9:38 AM YUP <yu...@gmail.com> wrote:
> > > > >
> > > > > Just to inform you, I made proxified kurento websocket in nginx and I
> > > > > can connect to it:
> > > > > $ wscat -n --connect  https://external_server_ip_address/kurento
> > > > > (node:24082) [DEP0123] DeprecationWarning: Setting the TLS ServerName
> > > > > to an IP address is not permitted by RFC 6066. This will be ignored in
> > > > > a future version.
> > > > > Connected (press CTRL+C to quit)
> > > > > >
> > > > >
> > > > > I set
> > > > > - OM_KURENTO_WS_URL=https://external_server_ip_address/kurento
> > > > > but got
> > > > > o.a.o.c.r.KurentoHandler:124 [pool-1-thread-1] - Fail to create
> > > > > Kurento client, will re-try in 10000 ms
> > > > >
> > > > >
> > > > >
> > > > > On Sun, Mar 15, 2020 at 8:56 AM YUP <yu...@gmail.com> wrote:
> > > > > >
> > > > > > Can we just proxify kurento websocket? Something like this
> > > > > > https://gist.github.com/steve-ng/ed6de1fa702ef70bd6ce ?
> > > > > >
> > > > > > On Sun, Mar 15, 2020 at 8:41 AM Maxim Solodovnik <so...@gmail.com> wrote:
> > > > > > >
> > > > > > > It seems I misread your previous email "all ports except 443, 80, 8080 and 22."
> > > > > > > I'm afraid you need more open ports ...
> > > > > > >
> > > > > > > I'm not sure but I would investigate if KMS/TURN URLs can be set up
> > > > > > > for context i.e.
> > > > > > > yourserver:4278/turn, yourserver:8888/kms in this case you can proxy them ....
> > > > > > >
> > > > > > > On Sun, 15 Mar 2020 at 14:32, YUP <yu...@gmail.com> wrote:
> > > > > > > >
> > > > > > > > It nothing changes, only 443 is open to the world.
> > > > > > > >
> > > > > > > > On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik <so...@gmail.com> wrote:
> > > > > > > > >
> > > > > > > > > Maybe you can set up KMS to use 8080?
> > > > > > > > > TURN requires more open port to handle "totally closed" networks ...
> > > > > > > > >
> > > > > > > > > On Sun, 15 Mar 2020 at 14:18, YUP <yu...@gmail.com> wrote:
> > > > > > > > > >
> > > > > > > > > > It seems to me that I found what is happening. Firewall blocks all non
> > > > > > > > > > http requests out to all ports except 443, 80, 8080 and 22. That is
> > > > > > > > > > why I don't have connection to outside turn and stun servers. Is it
> > > > > > > > > > possible to connect to those server in such conditions? Tunnels?
> > > > > > > > > >
> > > > > > > > > > On Fri, Mar 13, 2020 at 1:09 AM YUP <yu...@gmail.com> wrote:
> > > > > > > > > > >
> > > > > > > > > > > Hello all,
> > > > > > > > > > > Could someone help me with configuration of my OM setup? Any help will
> > > > > > > > > > > be  greatly appreciated.
> > > > > > > > > > > I have a server which is for several reasons behind NAT, only 443 port
> > > > > > > > > > > is open. There is sslh balancer, which redirect external traffic to
> > > > > > > > > > > different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> > > > > > > > > > > installed in container behind nginx proxy and works well, except audio
> > > > > > > > > > > and video. When I perform setup check after logged in (video camera
> > > > > > > > > > > and microphone) I can see myself in camera and can also see increasing
> > > > > > > > > > > and decreasing green line, which indicate microphone level, but I
> > > > > > > > > > > can't save and replay the testing record. As far I understand the
> > > > > > > > > > > problem is in NAT, so I had to use kurento server with TURN server. I
> > > > > > > > > > > did that by adding the environment variables for kurento server in
> > > > > > > > > > > docker container with the corresponding data for turn.anyfirewall.com:
> > > > > > > > > > >
> > > > > > > > > > >  - KMS_STUN_IP=130.211.143.110
> > > > > > > > > > >  - KMS_STUN_PORT=443
> > > > > > > > > > >  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> > > > > > > > > > > and the same for openmeetings docker container:
> > > > > > > > > > >
> > > > > > > > > > >       - TURN_USER=webrtc
> > > > > > > > > > >       - TURN_PASS=webrtc
> > > > > > > > > > >       - TURN_URL=130.211.143.110:443?transport=tcp
> > > > > > > > > > >
> > > > > > > > > > > After restarting it allowed me immediately to perform network test
> > > > > > > > > > > (except ip ping), but not resolved the issue with camera and
> > > > > > > > > > > microphone.
> > > > > > > > > > > When I connect to OM server with help of vpn (so I and OM server are
> > > > > > > > > > > in the same network) everything works as needed. I can save and replay
> > > > > > > > > > > video, I can hear myself, two OM users connected by vpn to OM server
> > > > > > > > > > > can talk to each other, etc. But it is not an option use vpn
> > > > > > > > > > > connection...
> > > > > > > > > > > I spent two days to find what I did wrong. I tried another TURN and
> > > > > > > > > > > STUN servers, different type of configurations and so on, nothing
> > > > > > > > > > > helped.
> > > > > > > > > > >
> > > > > > > > > > > Regards,
> > > > > > > > > > > Yarema
> > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > --
> > > > > > > > > WBR
> > > > > > > > > Maxim aka solomax
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > --
> > > > > > > WBR
> > > > > > > Maxim aka solomax



-- 
WBR
Maxim aka solomax

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
Maxim,
I also managed to install coturn on an external server which listens
on port 443. Kurento connects to this port (via TURN_URL,
TURN_USER, TURN_PASS), I can see it in the logs. I see in the logs that
openmeetings connects to kurento. But I don't understand why my whole
construction is not working as needed. I still can't do the settings test,
record and play a sample, and two users can't see each other's videos from
cameras.
Where should I look to find the solution?


Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
I was able to connect to the kurento websocket which is proxified by
nginx. The solution was very simple: put wss instead of https.
Probably for some reason openmeetings needs to have ws or wss in the
input url:
- OM_KURENTO_WS_URL=wss://external_server_ip_address/kurento
But it has not solved the issue with recording audio/video in the test and
different users.

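
The settings exchanged in this thread can be checked before the containers are started. The script below is an added example, not part of any post and not OpenMeetings or Kurento code; check_environment, the finding texts and the cross-checks between the two containers are assumptions, and the allowed port set is the one the poster gave for his firewall.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Outbound ports the poster's firewall lets through, as stated in the thread.
ALLOWED_EGRESS_PORTS = frozenset({22, 80, 443, 8080})

# Value forms used in the thread:
#   KMS_TURN_URL = user:password@host:port[?transport=...]
#   TURN_URL     = host:port[?transport=...]
_KMS_TURN = re.compile(
    r"^(?P<user>[^:@]+):(?P<password>[^@]+)@"
    r"(?P<host>[^:?]+):(?P<port>\d+)(?:\?(?P<query>.*))?$"
)
_OM_TURN = re.compile(r"^(?P<host>[^:?]+):(?P<port>\d+)(?:\?(?P<query>.*))?$")

# Constructed sample: the values posted in the thread, with the wss:// URL
# that the poster reported as connecting.
THREAD_ENV = {
    "KMS_STUN_IP": "130.211.143.110",
    "KMS_STUN_PORT": "443",
    "KMS_TURN_URL": "webrtc:webrtc@130.211.143.110:443?transport=tcp",
    "TURN_USER": "webrtc",
    "TURN_PASS": "webrtc",
    "TURN_URL": "130.211.143.110:443?transport=tcp",
    "OM_KURENTO_WS_URL": "wss://external_server_ip_address/kurento",
}


def _endpoint(match):
    """Return (host, port, transport); a missing transport means UDP."""
    transport = parse_qs(match["query"] or "").get("transport", ["udp"])[0]
    return match["host"], int(match["port"]), transport.lower()


def check_environment(env, allowed_ports=ALLOWED_EGRESS_PORTS):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []

    # 1. The failure reported in the thread: an https:// value produced
    #    "Fail to create Kurento client", a wss:// value connected.
    scheme = urlsplit(env.get("OM_KURENTO_WS_URL", "")).scheme.lower()
    if scheme not in ("ws", "wss"):
        findings.append(
            f"OM_KURENTO_WS_URL: scheme {scheme!r}, expected ws or wss")

    # 2. Both containers need well-formed TURN settings.
    kms = _KMS_TURN.match(env.get("KMS_TURN_URL", ""))
    om = _OM_TURN.match(env.get("TURN_URL", ""))
    if not kms:
        findings.append(
            "KMS_TURN_URL: expected user:password@host:port[?transport=...]")
    if not om:
        findings.append("TURN_URL: expected host:port[?transport=...]")

    # 3. Assumption: the poster configured "the same" relay on both sides,
    #    so a difference is reported for review.
    if kms and om:
        if _endpoint(kms) != _endpoint(om):
            findings.append("TURN_URL and KMS_TURN_URL name different relays")
        creds = (env.get("TURN_USER"), env.get("TURN_PASS"))
        if (kms["user"], kms["password"]) != creds:
            findings.append(
                "TURN_USER/TURN_PASS differ from the KMS_TURN_URL credentials")

    # 4. Egress: the relay must be reachable through the firewall described.
    for name, match in (("KMS_TURN_URL", kms), ("TURN_URL", om)):
        if not match:
            continue
        _, port, transport = _endpoint(match)
        if port not in allowed_ports:
            findings.append(f"{name}: port {port} is not an allowed egress port")
        if transport == "udp":
            findings.append(
                f"{name}: UDP transport; the firewall passes only HTTP-style "
                "traffic (assumption: UDP is dropped)")

    stun_port = env.get("KMS_STUN_PORT")
    if stun_port and (not stun_port.isdigit()
                      or int(stun_port) not in allowed_ports):
        findings.append(
            f"KMS_STUN_PORT: {stun_port} is not an allowed egress port")

    return findings


if __name__ == "__main__":
    for line in check_environment(THREAD_ENV) or ["nothing flagged"]:
        print(line)
```

An empty result only means the values are consistent with each other and with the stated firewall rules; it does not show that media actually flows through the relay.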

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
No, it is not the reason, checked.


Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
The server has a self-signed certificate, can it be the reason?


Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
Just to inform you, I made a proxified kurento websocket in nginx and I
can connect to it:
$ wscat -n --connect  https://external_server_ip_address/kurento
(node:24082) [DEP0123] DeprecationWarning: Setting the TLS ServerName
to an IP address is not permitted by RFC 6066. This will be ignored in
a future version.
Connected (press CTRL+C to quit)
>

I set
- OM_KURENTO_WS_URL=https://external_server_ip_address/kurento
but got
o.a.o.c.r.KurentoHandler:124 [pool-1-thread-1] - Fail to create
Kurento client, will re-try in 10000 ms




Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
Can we just proxify kurento websocket? Something like this
https://gist.github.com/steve-ng/ed6de1fa702ef70bd6ce ?

On Sun, Mar 15, 2020 at 8:41 AM Maxim Solodovnik <so...@gmail.com> wrote:
>
> It seems I misread your previous email "all ports except 443, 80, 8080 and 22."
> I'm afraid you need more open ports ...
>
> I'm not sure but I would investigate if KMS/TURN URLs can be set up
> for context i.e.
> yourserver:4278/turn, yourserver:8888/kms in this case you can proxy them ....
>
> On Sun, 15 Mar 2020 at 14:32, YUP <yu...@gmail.com> wrote:
> >
> > It changes nothing, only 443 is open to the world.
> >
> > On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik <so...@gmail.com> wrote:
> > >
> > > Maybe you can set up KMS to use 8080?
> > > TURN requires more open ports to handle "totally closed" networks ...
> > >
> > > On Sun, 15 Mar 2020 at 14:18, YUP <yu...@gmail.com> wrote:
> > > >
> > > > It seems to me that I found what is happening. Firewall blocks all non
> > > > http requests out to all ports except 443, 80, 8080 and 22. That is
> > > > why I don't have connection to outside turn and stun servers. Is it
> > > > possible to connect to those servers in such conditions? Tunnels?
> > > >
> > > > On Fri, Mar 13, 2020 at 1:09 AM YUP <yu...@gmail.com> wrote:
> > > > >
> > > > > Hello all,
> > > > > Could someone help me with configuration of my OM setup? Any help will
> > > > > be  greatly appreciated.
> > > > > I have a server which is for several reasons behind NAT, only 443 port
> > > > > is open. There is sslh balancer, which redirect external traffic to
> > > > > different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> > > > > installed in container behind nginx proxy and works well, except audio
> > > > > and video. When I perform setup check after logged in (video camera
> > > > > and microphone) I can see myself in camera and can also see increasing
> > > > > and decreasing green line, which indicate microphone level, but I
> > > > > can't save and replay the testing record. As far I understand the
> > > > > problem is in NAT, so I had to use kurento server with TURN server. I
> > > > > did that by adding the environment variables for kurento server in
> > > > > docker container with the corresponding data for turn.anyfirewall.com:
> > > > >
> > > > >  - KMS_STUN_IP=130.211.143.110
> > > > >  - KMS_STUN_PORT=443
> > > > >  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> > > > > and the same for openmeetings docker container:
> > > > >
> > > > >       - TURN_USER=webrtc
> > > > >       - TURN_PASS=webrtc
> > > > >       - TURN_URL=130.211.143.110:443?transport=tcp
> > > > >
> > > > > After restarting it allowed me immediately to perform network test
> > > > > (except ip ping), but not resolved the issue with camera and
> > > > > microphone.
> > > > > When I connect to OM server with help of vpn (so I and OM server are
> > > > > in the same network) everything works as needed. I can save and replay
> > > > > video, I can hear myself, two OM users connected by vpn to OM server
> > > > > can talk to each other, etc. But it is not an option use vpn
> > > > > connection...
> > > > > I spent two days to find what I did wrong. I tried another TURN and
> > > > > STUN servers, different type of configurations and so on, nothing
> > > > > helped.
> > > > >
> > > > > Regards,
> > > > > Yarema
> > >
> > >
> > >
> > > --
> > > WBR
> > > Maxim aka solomax
>
>
>
> --
> WBR
> Maxim aka solomax

Re: Openmeetings, kurento and TURN behind NAT

Posted by Maxim Solodovnik <so...@gmail.com>.
It seems I misread your previous email "all ports except 443, 80, 8080 and 22."
I'm afraid you need more open ports ...

I'm not sure but I would investigate if KMS/TURN URLs can be set up
for context i.e.
yourserver:4278/turn, yourserver:8888/kms in this case you can proxy them ....

On Sun, 15 Mar 2020 at 14:32, YUP <yu...@gmail.com> wrote:
>
> It changes nothing, only 443 is open to the world.
>
> On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik <so...@gmail.com> wrote:
> >
> > Maybe you can set up KMS to use 8080?
> > TURN requires more open ports to handle "totally closed" networks ...
> >
> > On Sun, 15 Mar 2020 at 14:18, YUP <yu...@gmail.com> wrote:
> > >
> > > It seems to me that I found what is happening. Firewall blocks all non
> > > http requests out to all ports except 443, 80, 8080 and 22. That is
> > > why I don't have connection to outside turn and stun servers. Is it
> > > possible to connect to those servers in such conditions? Tunnels?
> > >
> > > On Fri, Mar 13, 2020 at 1:09 AM YUP <yu...@gmail.com> wrote:
> > > >
> > > > Hello all,
> > > > Could someone help me with configuration of my OM setup? Any help will
> > > > be  greatly appreciated.
> > > > I have a server which is for several reasons behind NAT, only 443 port
> > > > is open. There is sslh balancer, which redirect external traffic to
> > > > different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> > > > installed in container behind nginx proxy and works well, except audio
> > > > and video. When I perform setup check after logged in (video camera
> > > > and microphone) I can see myself in camera and can also see increasing
> > > > and decreasing green line, which indicate microphone level, but I
> > > > can't save and replay the testing record. As far I understand the
> > > > problem is in NAT, so I had to use kurento server with TURN server. I
> > > > did that by adding the environment variables for kurento server in
> > > > docker container with the corresponding data for turn.anyfirewall.com:
> > > >
> > > >  - KMS_STUN_IP=130.211.143.110
> > > >  - KMS_STUN_PORT=443
> > > >  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> > > > and the same for openmeetings docker container:
> > > >
> > > >       - TURN_USER=webrtc
> > > >       - TURN_PASS=webrtc
> > > >       - TURN_URL=130.211.143.110:443?transport=tcp
> > > >
> > > > After restarting it allowed me immediately to perform network test
> > > > (except ip ping), but not resolved the issue with camera and
> > > > microphone.
> > > > When I connect to OM server with help of vpn (so I and OM server are
> > > > in the same network) everything works as needed. I can save and replay
> > > > video, I can hear myself, two OM users connected by vpn to OM server
> > > > can talk to each other, etc. But it is not an option use vpn
> > > > connection...
> > > > I spent two days to find what I did wrong. I tried another TURN and
> > > > STUN servers, different type of configurations and so on, nothing
> > > > helped.
> > > >
> > > > Regards,
> > > > Yarema
> >
> >
> >
> > --
> > WBR
> > Maxim aka solomax



-- 
WBR
Maxim aka solomax

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
It changes nothing, only 443 is open to the world.

On Sun, Mar 15, 2020 at 8:24 AM Maxim Solodovnik <so...@gmail.com> wrote:
>
> Maybe you can set up KMS to use 8080?
> TURN requires more open ports to handle "totally closed" networks ...
>
> On Sun, 15 Mar 2020 at 14:18, YUP <yu...@gmail.com> wrote:
> >
> > It seems to me that I found what is happening. Firewall blocks all non
> > http requests out to all ports except 443, 80, 8080 and 22. That is
> > why I don't have connection to outside turn and stun servers. Is it
> > possible to connect to those servers in such conditions? Tunnels?
> >
> > On Fri, Mar 13, 2020 at 1:09 AM YUP <yu...@gmail.com> wrote:
> > >
> > > Hello all,
> > > Could someone help me with configuration of my OM setup? Any help will
> > > be  greatly appreciated.
> > > I have a server which is for several reasons behind NAT, only 443 port
> > > is open. There is sslh balancer, which redirect external traffic to
> > > different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> > > installed in container behind nginx proxy and works well, except audio
> > > and video. When I perform setup check after logged in (video camera
> > > and microphone) I can see myself in camera and can also see increasing
> > > and decreasing green line, which indicate microphone level, but I
> > > can't save and replay the testing record. As far I understand the
> > > problem is in NAT, so I had to use kurento server with TURN server. I
> > > did that by adding the environment variables for kurento server in
> > > docker container with the corresponding data for turn.anyfirewall.com:
> > >
> > >  - KMS_STUN_IP=130.211.143.110
> > >  - KMS_STUN_PORT=443
> > >  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> > > and the same for openmeetings docker container:
> > >
> > >       - TURN_USER=webrtc
> > >       - TURN_PASS=webrtc
> > >       - TURN_URL=130.211.143.110:443?transport=tcp
> > >
> > > After restarting it allowed me immediately to perform network test
> > > (except ip ping), but not resolved the issue with camera and
> > > microphone.
> > > When I connect to OM server with help of vpn (so I and OM server are
> > > in the same network) everything works as needed. I can save and replay
> > > video, I can hear myself, two OM users connected by vpn to OM server
> > > can talk to each other, etc. But it is not an option use vpn
> > > connection...
> > > I spent two days to find what I did wrong. I tried another TURN and
> > > STUN servers, different type of configurations and so on, nothing
> > > helped.
> > >
> > > Regards,
> > > Yarema
>
>
>
> --
> WBR
> Maxim aka solomax

Re: Openmeetings, kurento and TURN behind NAT

Posted by Maxim Solodovnik <so...@gmail.com>.
Maybe you can set up KMS to use 8080?
TURN requires more open ports to handle "totally closed" networks ...

On Sun, 15 Mar 2020 at 14:18, YUP <yu...@gmail.com> wrote:
>
> It seems to me that I found what is happening. Firewall blocks all non
> http requests out to all ports except 443, 80, 8080 and 22. That is
> why I don't have connection to outside turn and stun servers. Is it
> possible to connect to those servers in such conditions? Tunnels?
>
> On Fri, Mar 13, 2020 at 1:09 AM YUP <yu...@gmail.com> wrote:
> >
> > Hello all,
> > Could someone help me with configuration of my OM setup? Any help will
> > be  greatly appreciated.
> > I have a server which is for several reasons behind NAT, only 443 port
> > is open. There is sslh balancer, which redirect external traffic to
> > different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> > installed in container behind nginx proxy and works well, except audio
> > and video. When I perform setup check after logged in (video camera
> > and microphone) I can see myself in camera and can also see increasing
> > and decreasing green line, which indicate microphone level, but I
> > can't save and replay the testing record. As far I understand the
> > problem is in NAT, so I had to use kurento server with TURN server. I
> > did that by adding the environment variables for kurento server in
> > docker container with the corresponding data for turn.anyfirewall.com:
> >
> >  - KMS_STUN_IP=130.211.143.110
> >  - KMS_STUN_PORT=443
> >  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> > and the same for openmeetings docker container:
> >
> >       - TURN_USER=webrtc
> >       - TURN_PASS=webrtc
> >       - TURN_URL=130.211.143.110:443?transport=tcp
> >
> > After restarting it allowed me immediately to perform network test
> > (except ip ping), but not resolved the issue with camera and
> > microphone.
> > When I connect to OM server with help of vpn (so I and OM server are
> > in the same network) everything works as needed. I can save and replay
> > video, I can hear myself, two OM users connected by vpn to OM server
> > can talk to each other, etc. But it is not an option use vpn
> > connection...
> > I spent two days to find what I did wrong. I tried another TURN and
> > STUN servers, different type of configurations and so on, nothing
> > helped.
> >
> > Regards,
> > Yarema



-- 
WBR
Maxim aka solomax

Re: Openmeetings, kurento and TURN behind NAT

Posted by YUP <yu...@gmail.com>.
It seems to me that I found what is happening. Firewall blocks all non
http requests out to all ports except 443, 80, 8080 and 22. That is
why I don't have connection to outside turn and stun servers. Is it
possible to connect to those servers in such conditions? Tunnels?

On Fri, Mar 13, 2020 at 1:09 AM YUP <yu...@gmail.com> wrote:
>
> Hello all,
> Could someone help me with configuration of my OM setup? Any help will
> be  greatly appreciated.
> I have a server which is for several reasons behind NAT, only 443 port
> is open. There is sslh balancer, which redirect external traffic to
> different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> installed in container behind nginx proxy and works well, except audio
> and video. When I perform setup check after logged in (video camera
> and microphone) I can see myself in camera and can also see increasing
> and decreasing green line, which indicate microphone level, but I
> can't save and replay the testing record. As far I understand the
> problem is in NAT, so I had to use kurento server with TURN server. I
> did that by adding the environment variables for kurento server in
> docker container with the corresponding data for turn.anyfirewall.com:
>
>  - KMS_STUN_IP=130.211.143.110
>  - KMS_STUN_PORT=443
>  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> and the same for openmeetings docker container:
>
>       - TURN_USER=webrtc
>       - TURN_PASS=webrtc
>       - TURN_URL=130.211.143.110:443?transport=tcp
>
> After restarting it allowed me immediately to perform network test
> (except ip ping), but not resolved the issue with camera and
> microphone.
> When I connect to OM server with help of vpn (so I and OM server are
> in the same network) everything works as needed. I can save and replay
> video, I can hear myself, two OM users connected by vpn to OM server
> can talk to each other, etc. But it is not an option use vpn
> connection...
> I spent two days to find what I did wrong. I tried another TURN and
> STUN servers, different type of configurations and so on, nothing
> helped.
>
> Regards,
> Yarema
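
A probe for the condition described in the message above, as an added example that is not part of the original thread: it sends a STUN Binding Request (RFC 5389) over plain TCP, matching `transport=tcp`, and decodes XOR-MAPPED-ADDRESS, so a firewall or proxy that passes only HTTP shows up as a timeout or a non-STUN reply. The function names, the sample transaction ID and the sample reply are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = 0x2112A442            # fixed value defined by RFC 5389
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
XOR_MAPPED_ADDRESS = 0x0020

# Constructed sample: a Binding Success reply reporting 203.0.113.7:54321.
SAMPLE_TXID = bytes(range(12))
SAMPLE_REPLY = bytes.fromhex(
    "0101000c2112a442" "000102030405060708090a0b" "00200008" "0001f523" "ea12d545")

def build_binding_request(txid):
    """20-byte STUN header: type, body length 0, magic cookie, transaction ID."""
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txid)

def parse_binding_response(data, txid):
    """Return (ip, port) from XOR-MAPPED-ADDRESS, or raise ValueError."""
    if len(data) < 20:
        raise ValueError("short reply: not a STUN header")
    mtype, mlen, cookie, rtxid = struct.unpack("!HHI12s", data[:20])
    if cookie != MAGIC_COOKIE or rtxid != txid:
        raise ValueError("reply is not STUN (HTTP-only proxy or another service?)")
    if mtype != BINDING_SUCCESS:
        raise ValueError("unexpected STUN message type 0x%04x" % mtype)
    body, pos = data[20:20 + mlen], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        pos += 4 + alen + (-alen % 4)    # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in reply")

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed before a full STUN reply arrived")
        buf += chunk
    return buf

def probe_stun_tcp(host, port, txid, timeout=5.0):
    """Send one Binding Request over TCP; return the address the server saw."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_binding_request(txid))
        header = _recv_exact(sock, 20)
        if header[4:8] != struct.pack("!I", MAGIC_COOKIE):
            raise ValueError("reply is not STUN (HTTP-only proxy or another service?)")
        mlen = struct.unpack("!H", header[2:4])[0]
        return parse_binding_response(header + _recv_exact(sock, mlen), txid)

if __name__ == "__main__":
    print(parse_binding_response(SAMPLE_REPLY, SAMPLE_TXID))
```

Run from inside the Kurento container, `probe_stun_tcp(host, port, os.urandom(12))` returns the public address the STUN server saw; a `ValueError` or socket timeout means the outbound path does not carry STUN on that port.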

Re: Openmeetings, kurento and TURN behind NAT

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Yarema,

I'm afraid you need to set up a TURN server "visible to KMS"
Which means
1) your KMS port should be opened
OR
2) TURN server should be on the same server as KMS and TURN ports
should be opened
3*) (I'm not an nginx expert) maybe you can proxy TURN
requests/responses, I'm not aware of such an option ...

On Fri, 13 Mar 2020 at 07:10, YUP <yu...@gmail.com> wrote:
>
> Hello all,
> Could someone help me with configuration of my OM setup? Any help will
> be  greatly appreciated.
> I have a server which is for several reasons behind NAT, only 443 port
> is open. There is sslh balancer, which redirect external traffic to
> different targets: nginx, openvpn, etc. Openmeetings 5.0.0-M3 minimal
> installed in container behind nginx proxy and works well, except audio
> and video. When I perform setup check after logged in (video camera
> and microphone) I can see myself in camera and can also see increasing
> and decreasing green line, which indicate microphone level, but I
> can't save and replay the testing record. As far I understand the
> problem is in NAT, so I had to use kurento server with TURN server. I
> did that by adding the environment variables for kurento server in
> docker container with the corresponding data for turn.anyfirewall.com:
>
>  - KMS_STUN_IP=130.211.143.110
>  - KMS_STUN_PORT=443
>  - KMS_TURN_URL=webrtc:webrtc@130.211.143.110:443?transport=tcp
> and the same for openmeetings docker container:
>
>       - TURN_USER=webrtc
>       - TURN_PASS=webrtc
>       - TURN_URL=130.211.143.110:443?transport=tcp
>
> After restarting it allowed me immediately to perform network test
> (except ip ping), but not resolved the issue with camera and
> microphone.
> When I connect to OM server with help of vpn (so I and OM server are
> in the same network) everything works as needed. I can save and replay
> video, I can hear myself, two OM users connected by vpn to OM server
> can talk to each other, etc. But it is not an option use vpn
> connection...
> I spent two days to find what I did wrong. I tried another TURN and
> STUN servers, different type of configurations and so on, nothing
> helped.
>
> Regards,
> Yarema



-- 
WBR
Maxim aka solomax