TURN fix for remote/mobile connections (Tailscale users)

[cmac86]

What changed

PR #83 fixes TURN relay for remote WebRTC connections. If you use HTTPS_DOMAIN (Tailscale mode), this affects you.

Three issues were fixed:

1. external_tls was misconfigured — LiveKit's TURN server expected an external TLS terminator that didn't exist. TURN connections silently failed at the TLS handshake. This means TURN relay has been broken since it was introduced.

2. TURN TLS moved from port 5349 to port 443 — iOS WebKit's WebRTC engine doesn't connect to TURN on non-standard ports. Port 443 is what LiveKit recommends for maximum client compatibility.

3. Added TURN/UDP on port 3478 as a fallback path.

Who's affected

Only users with HTTPS_DOMAIN set in .env (Tailscale or custom domain setups). LAN-only users are not affected — LAN connections don't use TURN.

This went unnoticed because desktop browsers on macOS/Linux connect fine without TURN. Tailscale creates a network interface that Chrome/Firefox discover as a WebRTC candidate, allowing direct connection through the WireGuard tunnel. Mobile devices (iOS, Android) don't expose the Tailscale interface to the WebRTC stack, so they depend on TURN relay — which wasn't working.

How to update

git pull
docker compose up -d livekit

Requirement: Port 443 must be available. If another service is using port 443, set TURN_TLS_PORT in your .env to a different port — but note that non-443 ports won't work for iOS mobile clients.

Symptoms this fixes

• Mobile browser (Safari/Chrome) loads the frontend but can't connect to a voice session
• Android app shows "Connected" but times out on "Talk to CAAL"
• SignalJoinResponseEvent timeout in browser console
• LiveKit logs show removing participant without connection with no relay candidates