turnserver issue #9310

Closed
PatrickHurley75 opened this issue Apr 29, 2020 · 5 comments

@PatrickHurley75

PatrickHurley75 commented Apr 29, 2020

Following instructions exactly as described leads to a loop of stupidity.

The comments in the file /kurento/modules/kurento/WebRtcEndpoint.conf.ini say that you must get one srflx and one relay candidate to show the turnserver is working on Trickle ICE, but the configuration makes this impossible.

Trickle ICE, at the very outset, requires a username and password combination for its service to relay. With none defined, one cannot check for a relay. No combination of configurations of using the secret-password defined in the bbb-install.sh coturn server will provide a relay candidate on Trickle ICE. I've tried everything at this stage. The only way I got a relay candidate on Trickle ICE was to delete use-auth-cred in turnserver.conf. Then I got a relay, so a working turnserver, but now the bbb server is configured wrongly.

Am I correct to assume that, even though I will never get a relay on Trickle ICE with the default configuration, the turnserver is actually working and configured correctly? Would it suffice, as it were, to show that the new turnserver was working as a stun server on Trickle ICE? At least we know it's not blocking everything.

If we delete the lt-cred-mech option, then we cannot test our server on Trickle ICE.

To Reproduce
Steps to reproduce the behavior:

  1. Go to Trickle ICE with default turnserver settings
  2. Try to get a relay.
    That's it.

Expected behavior
Get a relay

Actual behavior
infinite sadness and virtual madness

Additional context
Because of this error, I kept trying to find answers and changed the wrong thing and then it wasn't working, because now I broke it. So, I was stuck at that point over and over.

At this point, I am trying to refix all configurations with the troubleshooting pages, again.

But now I see that the file has the new following line

turnURL=username:password@XX.XX.XX.XX:443(?transport=[udp|tcp|tls])

but the file /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml

is sending the turnsecret to the server, calling on auth-use-secret which we had to delete to get username:password to give us a relay on Trickle ICE.

Is bbb going to use the server strictly as lt-cred-mech or use-auth-secret or as a mixture of both?

At the end of all of this, what I am asking is

If I use lt-cred-mech only on the turnserver, what changes do I need to make to /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml to add username and password in the turn server settings? Could I simply enter username:password for turnsecret here?
```xml
<constructor-arg index="0" value="turnsecret"/>
<constructor-arg index="1" value="turns:turn.mydomain.com:443?transport=tcp"/>
```

in /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml

Otherwise, if I stick with use-auth-secret what was the line in /etc/kurento/modules/kurento/WebRtcEndpoint.conf.ini
that became,

turnURL=username:password@XX.XX.XX.XX:443(?transport=[udp|tcp|tls])

or, can I use both methods as per configuration and just assume that the turnserver knows what to do and my webcam issues are something else?

@PatrickHurley75
Author

OK. I think I should change the following in turn-stun-servers from

`
'

to
```xml
<constructor-arg index="0" value=""/>
<constructor-arg index="1" value="turns:username@password@turn.mydomain.com:443?transport=tcp"/>
```

Would that work? I will delete the use-auth-secret line in turnserver.conf and only use lt-cred-mech with username:password. Hopefully, this will solve my issues. All calls sent as username:password and no need for the Rest-Api calls.
I think I have it sorted.
Ok.

Would the bbb-server still send an api request along with the username and password in the instance above? I didn't delete the api-call constructor, I just left it blank? Would it send a blank call or not send an api-call? Would it matter anyway if I have use-auth-secret disabled in the turnserver? Would it just ignore the api-call and route the username:password through?

We'll see.

@PatrickHurley75
Author

Didn't work. The bbb server still sends an empty api-call along with the username:password for the index 0 constructor-arg in the stun-turn-server.xml file. It expects an answer to the api-call and is refused connection to the turnserver. How do I change it to not send for the rest-api call at all?

@robbi5

robbi5 commented Apr 30, 2020

Trickle ICE (and other WebRTC testing tools, as well as your browser's WebRTC API) need a username and password combination.
In bbb-web's stun-turn-server.xml and your turnserver.conf you define a secret.
bbb-web then uses this secret to calculate a username + password combination for each participant individually.
If you want to generate this yourself (for example for testing at Trickle ICE), you could use the node.js code found in this stackoverflow answer: https://stackoverflow.com/questions/35766382/coturn-how-to-use-turn-rest-api/35767224#35767224

@richp10

richp10 commented May 5, 2020

@PatrickHurley75 / @robbi5

I do think the documentation is unclear on this issue and the core of the problem is that there are two different configuration files - one of which seems to require coturn to use the lt-cred-mech and the other uses the static-auth-secret mechanism.

I have had a go at clarifying this as a PR to the documentation - would you mind taking a look: bigbluebutton/bigbluebutton.github.io#138

The comment by robbi here has given me pause for doubt - if bbb-web is creating a username / password pair that would suggest it is using lt-cred-mech and I might have this wrong.

@congyijun

@PatrickHurley75

Hello, have you resolved this issue, or found an alternative solution?
I set up the TURN server and have the same issue. I tried joining the audio conference call with Chrome and Firefox. Once I click "Audio", the browser immediately reports error code 1002. By the way, my Windows computer is behind a firewall and proxy server. If the Windows computer connects to the Internet by 4G, there isn't any issue. Both audio and video work stably.
