After update of coturn can not connect to 443 #421

Closed
marcelrouw opened this issue Jul 29, 2019 · 38 comments

Comments

@marcelrouw

Hi,

After I updated my Coturn server on AWS from version 4.5.0.7-1+b1 to 4.5.1.0-1~bpo9+1 I get an error on connection to port 443. I used the Debian Stretch backports for the installation of Coturn. If I remove alt-listening-port=443 from the config file, it seems to work correctly.

0: log file opened: /var/log/turn/turn_2019-07-29.log
0: pid file created: /run/turnserver/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: Wait for relay ports initialization...
0:   relay 10.0.1.125 initialization...
0:   relay 10.0.1.125 initialization done
0:   relay ::1 initialization...
0:   relay ::1 initialization done
0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=0 created
0: IPv4. TLS/SCTP listener opened on : 127.0.0.1:3478
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:3478
0: IPv4. TLS/SCTP listener opened on : 127.0.0.1:3479
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:3479
0: Trying to bind fd 16 to <127.0.0.1:443>: errno=13
0: Cannot bind TLS/TCP listener socket to addr 127.0.0.1:443
0: Trying to bind TLS/TCP listener socket to addr 127.0.0.1:443, again...
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=1 created
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:3478
0: IPv4. DTLS/UDP listener opened on: 127.0.0.1:3478
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:3479
0: Trying to bind fd 25 to <127.0.0.1:443>: errno=13
0: IPv4. DTLS/UDP listener opened on: 127.0.0.1:3479
0: Cannot bind TLS/TCP listener socket to addr 127.0.0.1:443
0: Trying to bind TLS/TCP listener socket to addr 127.0.0.1:443, again...
0: Trying to bind fd 28 to <127.0.0.1:443>: errno=13
0: Cannot bind DTLS/UDP listener socket to addr 127.0.0.1:443
0: Trying to bind DTLS/UDP listener socket to addr 127.0.0.1:443, again...
0: Trying to bind fd 16 to <127.0.0.1:443>: errno=13
0: Cannot bind TLS/TCP listener socket to addr 127.0.0.1:443
0: Trying to bind TLS/TCP listener socket to addr 127.0.0.1:443, again...
0: Trying to bind fd 25 to <127.0.0.1:443>: errno=13
0: Cannot bind TLS/TCP listener socket to addr 127.0.0.1:443
0: Trying to bind TLS/TCP listener socket to addr 127.0.0.1:443, again...
0: Trying to bind fd 28 to <127.0.0.1:443>: errno=13
0: Cannot bind DTLS/UDP listener socket to addr 127.0.0.1:443
0: Trying to bind DTLS/UDP listener socket to addr 127.0.0.1:443, again...
0: Trying to bind fd 16 to <127.0.0.1:443>: errno=13
0: Cannot bind TLS/TCP listener socket to addr 127.0.0.1:443
0: Trying to bind TLS/TCP listener socket to addr 127.0.0.1:443, again...
0: Trying to bind fd 25 to <127.0.0.1:443>: errno=13
0: Cannot bind TLS/TCP listener socket to addr 127.0.0.1:443
0: Trying to bind TLS/TCP listener socket to addr 127.0.0.1:443, again...
0: Trying to bind fd 28 to <127.0.0.1:443>: errno=13
0: Cannot bind DTLS/UDP listener socket to addr 127.0.0.1:443

Is there still a way to directly connect to port 443 by Coturn or do I need to use something like iptables to fix this issue?

@bradleythughes
Member

I'm not sure if you noticed the errno=13 in the log you posted. This is EACCES, aka "Permission denied", which makes me wonder if the turnserver is not running as a privileged user (like root) that is allowed to bind to low ports. Perhaps something changed in the startup script as part of the upgrade?
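
As an added example that is not part of this issue or of the coturn project: a small POSIX shell triage script that pulls the `Trying to bind fd N to <addr>: errno=N` lines out of a coturn log and maps each errno to what it means. It covers the errno=13 (EACCES) case explained in this comment and, going beyond it, the errno=98 and errno=99 cases reported further down the thread. The sample log lines are constructed to match the format of the ones posted here; `2001:db8::1` is a documentation address, not one from the thread.

```shell
#!/bin/sh
# Added example (not from this issue or the coturn project): pull the bind failures
# out of a coturn log and explain each errno. The sample lines are constructed to
# match the format posted in this thread; 2001:db8::1 is a documentation address.
SAMPLE_LOG='0: Trying to bind fd 16 to <127.0.0.1:443>: errno=13
0: Cannot bind TLS/TCP listener socket to addr 127.0.0.1:443
0: Trying to bind fd 25 to <127.0.0.1:443>: errno=13
0: IPv4. TLS/TCP listener opened on : 127.0.0.1:3478
0: Trying to bind fd 18 to <172.30.2.202:3478>: errno=98
0: Trying to bind fd 88 to <[2001:db8::1]:8346>: errno=99'

# explain_errno N -> Linux symbolic name plus the cause that matched it in this thread.
explain_errno() {
  case "$1" in
    13) echo "EACCES: unprivileged process binding a port below 1024; grant CAP_NET_BIND_SERVICE or redirect the port" ;;
    98) echo "EADDRINUSE: the address:port is already bound, e.g. a second turnserver instance started by a leftover unit" ;;
    99) echo "EADDRNOTAVAIL: the address is not configured yet, e.g. IPv6 not up when the service starts at boot" ;;
    *)  echo "errno $1: not classified" ;;
  esac
}

# count_errno N -> number of bind attempts on stdin that failed with errno N.
count_errno() {
  grep -c "errno=$1\$" || true
}

# summarize_bind_failures -> one line per distinct address:port/errno pair on stdin,
# with the number of attempts coturn logged for it and the explanation.
summarize_bind_failures() {
  grep 'Trying to bind fd' \
    | sed -n 's/.*to <\(.*\)>: errno=\([0-9]*\).*/\1 \2/p' \
    | sort | uniq -c \
    | while read -r count addr errno; do
        printf '%s failed %s time(s): %s\n' "$addr" "$count" "$(explain_errno "$errno")"
      done
}

# Stand-alone run over the constructed sample; pipe a real log in instead, e.g.
#   summarize_bind_failures < /var/log/turn/turn_2019-07-29.log
printf '%s\n' "$SAMPLE_LOG" | summarize_bind_failures
```

Because coturn retries the bind in a loop, the count per address is a rough measure of how long the service kept failing; a persistent errno=13 points at the unit file and its capabilities, errno=98 at a duplicate instance, and errno=99 at service ordering relative to the network.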

@marcelrouw
Author

In /etc/turnserver.conf for both servers the user and group are set:

proc-user=turnserver
proc-group=turnserver

The /etc/init.d/coturn seems to be the same for both servers, after a quick inspection by eye.

Only the new server has a /lib/systemd/system/coturn.service

[Unit]
Description=coTURN STUN/TURN Server
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
After=network.target

[Service]
User=turnserver
Group=turnserver
Type=forking
RuntimeDirectory=turnserver
PIDFile=/run/turnserver/turnserver.pid
ExecStart=/usr/bin/turnserver --daemon -c /etc/turnserver.conf --pidfile /run/turnserver/turnserver.pid
#FixMe: turnserver exit faster than it is finishing the setup and ready for handling the connection.
ExecStartPost=/bin/sleep 2
Restart=on-failure
InaccessibleDirectories=/home
PrivateTmp=yes

[Install]
WantedBy=multi-user.target

ps -ef new server:
turnser+ 14080 1 0 Jul29 ? 00:00:08 /usr/bin/turnserver --daemon -c /etc/turnserver.conf

ps -ef old server:
turnser+ 10654 1 0 Jul29 ? 00:00:45 /usr/bin/turnserver -c /etc/turnserver.conf -o -v

After removing the coturn systemd config everything seems to be as it used to be:

sudo rm /lib/systemd/system/coturn.service
sudo systemctl daemon-reload

Now the ps -ef on the new server looks exactly as on the old server.
I also had some issues with reading certificate files. This is also resolved.

So this issue seems to be in the systemd coturn.service; going back to the init.d version resolved it for me.

@TimoHess

sudo rm /lib/systemd/system/coturn.service
sudo systemctl daemon-reload

Thx. You saved my day.

@zhu

zhu commented Mar 11, 2020

Adding AmbientCapabilities=CAP_NET_BIND_SERVICE to the [Service] section will solve this problem.

@pdarcos

pdarcos commented Apr 6, 2020

Thanks @zhu
That fixed it.

Cheers

@artooro

artooro commented Apr 29, 2020

In my case the turnserver user did not have access to the private key so the TLS listening port was not binding.
There were no errors logged by coturn even in verbose mode making this difficult to troubleshoot.

@Commifreak

Adding AmbientCapabilities=CAP_NET_BIND_SERVICE to the [Service] section will solve this problem.

This indeed fixed it - but what is the cause? I've set up the coturn some months ago and changed nothing. Now it was simply not working/binding.

A simple update of the system & packages was causing this?

Is a fix on the way for the systemd config?

@misi
Contributor

misi commented Jan 13, 2021

No, it will not be fixed by default in systemd.
According to the RFC, coturn's default port (3478) does not need access to a privileged port.
See for more info and workarounds:

7) Non privileged ports
If you plan to use any privileged ports (ports < 1024, e.g. 80 or 443)
add the following for non-root privileged port binding to
/etc/systemd/system/coturn.service.d/capability.conf.
(After it, reload the config with "systemctl daemon-reload")
[Service]
AmbientCapabilities=CAP_NET_BIND_SERVICE
Or alternatively create nftables/iptables port forwarding nat rules.
iptables -t nat -A PREROUTING -p udp -m udp --dport 80 -j REDIRECT --to-ports 3478
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3478
iptables -t nat -A PREROUTING -p udp -m udp --dport 443 -j REDIRECT --to-ports 5349
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 5349

@rasos

rasos commented Jan 21, 2021

We run a dedicated STUN/TURN server and have had the best experience circumventing restrictive firewalls by offering ports 80 and 443 for TURN(S).

listening-port=3478
tls-listening-port=443
alt-listening-port=80

Adding AmbientCapabilities=CAP_NET_BIND_SERVICE is thus required.

@misi
Contributor

misi commented Jan 21, 2021

It is mentioned in the Debian package README, but I need to move it to the upstream doc too.

@misi misi added this to the 4.5.3 milestone Jan 21, 2021
@misi misi self-assigned this Jan 21, 2021
@Davidian34

We run a dedicated STUN/TURN server and have had the best experience circumventing restrictive firewalls by offering ports 80 and 443 for TURN(S).

listening-port=3478
tls-listening-port=443
alt-listening-port=80

Adding AmbientCapabilities=CAP_NET_BIND_SERVICE is thus required.

I've been trying to set alt-listening-port and alt-tls-listening-port in the configuration but they are always ignored. (I've tried with two alt ips for each)

@rpirsc13

I've been trying to set alt-listening-port and alt-tls-listening-port in the configuration but they are always ignored. (I've tried with two alt ips for each)

Same issue here. I've been trying to set both alternative listening ports with no success. Based on the logs the server does not even attempt to listen on those ports. For now, just modifying the main ports to 80 and 443 does the trick.

@Davidian34

I've been trying to set alt-listening-port and alt-tls-listening-port in the configuration but they are always ignored. (I've tried with two alt ips for each)

Same issue here. I've been trying to set both alternative listening ports with no success. Based on the logs the server does not even attempt to listen on those ports. For now, just modifying the main ports to 80 and 443 does the trick.

I've tried that but it behaves a lot better with these two: listening-port=3478 & tls-listening-port=443 than with: listening-port=80 & tls-listening-port=443. This causes more connection failures in my case.

I will let you know if I find out how to set alt ports, or let me know if you find it, because it would probably help to have more open ports.

@MeinhartEsrohr

Hello, I just cannot get it to work with Ubuntu version 20.04.2 LTS; the 443 port just does not come up. I have tried everything written here, it just will not work.

This is my current working config (NAT) under 18.02:

listening-port=3478
tls-listening-port=443
external-ip=195.165.215.100/10.10.10.13
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=12345678abc
realm=turn.gh-immo.de
cert=/home/matrix/turn_gh-immo_de_crt.pem
pkey=/home/matrix/turn_gh-immo_de.pem
cipher-list="ECDH+AESGCM:ECDH+CHACHA20:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS"
dh2066
log-file=/var/log/coturn.log
simple-log
no-tlsv1
no-tlsv1_1

In the end I had this config under 20.04 (did not work):

listening-port=3478

tls-listening-port=443

external-ip=195.165.215.100/10.10.10.13

min-port=32769
max-port=65535
verbose
fingerprint
lt-cred-mech
use-auth-secret
static-auth-secret=12345678abc
realm=turn.gh-immo.de

cert=/home/matrix/turn_gh-immo_de_crt.pem
pkey=/home/matrix/turn_gh-immo_de.pem

cipher-list="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
dh-file=/etc/turnserver/dhp.pem
keep-address-family
no-cli
no-tlsv1
no-tlsv1_1

no-loopback-peers
no-multicast-peers

Permissions of the SSL certificate:
chmod 644 /home/matrix/turn_gh-immo_de_crt.pem
chmod 644 /home/matrix/turn_gh-immo_de.pem

@AndyXheli

Did you try?

sudo rm /lib/systemd/system/coturn.service
sudo systemctl daemon-reload

@MeinhartEsrohr

Yes, sure.

Did you try?

sudo rm /lib/systemd/system/coturn.service
sudo systemctl daemon-reload

@AndyXheli

AndyXheli commented May 4, 2021 via email

@pdarcos

pdarcos commented May 4, 2021

Yes, sure.

Did you try?
sudo rm /lib/systemd/system/coturn.service
sudo systemctl daemon-reload

Have you tried adding AmbientCapabilities=CAP_NET_BIND_SERVICE as described above by @rasos?

Sounds like it could be a permissions issue that can be fixed with that setting in your systemd startup script.

@MeinhartEsrohr

MeinhartEsrohr commented May 5, 2021

What does your log say? Silly question: did you reboot the server after applying that command?


Yes, sure, I did a reboot after applying.

I have to say, in the logs I never saw anything that would help me; maybe I need to change the log?! I meant the coturn.log file.

@rawtaz

rawtaz commented May 7, 2021

@MeinhardEsrohr Change the line verbose to Verbose and restart coturn - then you should get more information in the log.

@MeinhartEsrohr

@MeinhardEsrohr Change the line verbose to Verbose and restart coturn - then you should get more information in the log.

Cool, I will try this, thank you.

@MeinhartEsrohr

@MeinhardEsrohr Change the line verbose to Verbose and restart coturn - then you should get more information in the log.

Hey rawtaz,

This is my log:

0: log file opened: /var/log/coturn/coturn.log
0: pid file created: /run/turnserver/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: Wait for relay ports initialization...
0: relay 10.10.10.13 initialization...
0: relay 10.10.10.13 initialization done
0: relay ::1 initialization...
0: relay ::1 initialization done
0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
1: turn server id=1 created
1: sctp_create_server_listener:262:start
1: IO method (general relay thread): epoll (with changelist)
1: turn server id=0 created
1: sctp_create_server_listener:262:start
1: create_server_socket:751:start
1: IPv4. UDP listener opened on: 127.0.0.1:3478
1: create_server_socket:813:end
1: create_server_socket:751:start
1: create_server_socket:813:end
1: create_server_socket:751:start
1: IPv4. UDP listener opened on: 127.0.0.1:3479
1: create_server_socket:813:end
1: create_server_socket:751:start
1: create_server_socket:813:end
1: create_server_socket:751:start
1: IPv4. UDP listener opened on: 10.10.10.13:3478
1: create_server_socket:813:end
1: create_server_socket:751:start
1: create_server_socket:813:end
1: create_server_socket:751:start
1: IPv4. UDP listener opened on: 10.10.10.13:3479
1: create_server_socket:813:end
1: create_server_socket:751:start
1: create_server_socket:813:end
1: create_server_socket:751:start
1: IPv6. UDP listener opened on: ::1:3478
1: create_server_socket:813:end
1: create_server_socket:751:start
1: create_server_socket:813:end
1: create_server_socket:751:start
1: IPv6. UDP listener opened on: ::1:3479
1: create_server_socket:813:end
1: create_server_socket:751:start
1: create_server_socket:813:end
1: Total General servers: 2
1: IO method (admin thread): epoll (with changelist)
1: IO method (auth thread): epoll (with changelist)
1: IO method (auth thread): epoll (with changelist)
1: IPv4. SCTP listener opened on : 127.0.0.1:3478
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv4. TCP listener opened on : 127.0.0.1:3478
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv4. SCTP listener opened on : 127.0.0.1:3479
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv4. TCP listener opened on : 127.0.0.1:3479
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv4. SCTP listener opened on : 10.10.10.13:3478
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv4. TCP listener opened on : 10.10.10.13:3478
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv4. SCTP listener opened on : 10.10.10.13:3479
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv4. TCP listener opened on : 10.10.10.13:3479
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv6. SCTP listener opened on : ::1:3478
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv6. TCP listener opened on : ::1:3478
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv6. SCTP listener opened on : ::1:3479
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv6. TCP listener opened on : ::1:3479
1: create_server_listener:253:end
1: IPv4. SCTP listener opened on : 127.0.0.1:3478
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv4. TCP listener opened on : 127.0.0.1:3478
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv4. SCTP listener opened on : 127.0.0.1:3479
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv4. TCP listener opened on : 127.0.0.1:3479
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv4. SCTP listener opened on : 10.10.10.13:3478
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv4. TCP listener opened on : 10.10.10.13:3478
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv4. SCTP listener opened on : 10.10.10.13:3479
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv4. TCP listener opened on : 10.10.10.13:3479
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv6. SCTP listener opened on : ::1:3478
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: IPv6. TCP listener opened on : ::1:3478
1: create_server_listener:253:end
1: sctp_create_server_listener:262:start
1: IPv6. SCTP listener opened on : ::1:3479
1: sctp_create_server_listener:302:end
1: create_server_listener:195:start
1: SQLite DB connection success: /var/lib/turn/turndb
1: IPv6. TCP listener opened on : ::1:3479
1: create_server_listener:253:end
1: run_listener_server: cycle=1
1: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
1: timer_event_handler: timeout 0x7f9298002490: timer_handler
2: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
2: timer_event_handler: timeout 0x7f928c002530: timer_handler
2: timer_event_handler: timeout 0x7f9290002490: timer_handler
2: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
2: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
2: timer_event_handler: timeout 0x7f9298002490: timer_handler
3: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
3: timer_event_handler: timeout 0x7f928c002530: timer_handler
3: timer_event_handler: timeout 0x7f9290002490: timer_handler
3: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
29: server_input_handler:74:start
29: IPv4. tcp or tls connected to: 10.10.1.70:61159
29: server_input_handler:121:end
29: open_client_connection_session:4648:start
29: open_client_connection_session:4682:end
29: session 001000000000000001: TCP socket closed remotely 10.10.1.70:61159
29: shutdown_client_connection:4109:start
29: session 001000000000000001: usage: realm=<turn.gh-immo.de>, username=<>, rp=0, rb=0, sp=0, sb=0
29: closing session 0x7f9298005200, client socket 0x7f9298004c80 (socket session=0x7f9298005200)
29: session 001000000000000001: closed (2nd stage), user <> realm <turn.gh-immo.de> origin <>, local 10.10.10.13:3478, remote 10.10.1.70:61159, reason: TCP connection closed by client (callback)
29: shutdown_client_connection:4174:end
36: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
36: timer_event_handler: timeout 0x7f9298002490: timer_handler
37: timer_event_handler: timeout 0x7f928c002530: timer_handler
37: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
37: timer_event_handler: timeout 0x7f9290002490: timer_handler
37: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
37: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
37: timer_event_handler: timeout 0x7f9298002490: timer_handler
38: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
38: timer_event_handler: timeout 0x7f9290002490: timer_handler
38: timer_event_handler: timeout 0x7f928c002530: timer_handler
38: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
38: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
38: timer_event_handler: timeout 0x7f9298002490: timer_handler
39: timer_event_handler: timeout 0x7f928c002530: timer_handler
39: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
39: timer_event_handler: timeout 0x7f9290002490: timer_handler
39: timer_event_handler: timeout 0x55c01ab0f1d0: rtcp_map_timeout_handler
39: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
39: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
39: timer_event_handler: timeout 0x7f9298002490: timer_handler
40: timer_event_handler: timeout 0x7f928c002530: timer_handler
40: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
40: timer_event_handler: timeout 0x7f9290002490: timer_handler
40: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
40: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
40: timer_event_handler: timeout 0x7f9298002490: timer_handler
41: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
41: timer_event_handler: timeout 0x7f9290002490: timer_handler
41: timer_event_handler: timeout 0x7f928c002530: timer_handler
41: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
41: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
41: timer_event_handler: timeout 0x7f9298002490: timer_handler
42: timer_event_handler: timeout 0x7f9290002490: timer_handler
42: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
42: timer_event_handler: timeout 0x7f928c002530: timer_handler
42: timer_event_handler: timeout 0x55c01ab0f1d0: rtcp_map_timeout_handler
42: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
42: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
42: timer_event_handler: timeout 0x7f9298002490: timer_handler
43: timer_event_handler: timeout 0x7f9290002490: timer_handler
43: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
43: timer_event_handler: timeout 0x7f928c002530: timer_handler
43: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
43: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
43: timer_event_handler: timeout 0x7f9298002490: timer_handler
44: timer_event_handler: timeout 0x7f9290002490: timer_handler
44: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
44: timer_event_handler: timeout 0x7f928c002530: timer_handler
44: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
44: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
44: timer_event_handler: timeout 0x7f9298002490: timer_handler
45: timer_event_handler: timeout 0x7f928c002530: timer_handler
45: timer_event_handler: timeout 0x7f9290002490: timer_handler
45: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
45: timer_event_handler: timeout 0x55c01ab0f1d0: rtcp_map_timeout_handler
45: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
45: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
45: timer_event_handler: timeout 0x7f9298002490: timer_handler
46: timer_event_handler: timeout 0x7f9290002490: timer_handler
46: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
46: timer_event_handler: timeout 0x7f928c002530: timer_handler
46: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
46: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
46: timer_event_handler: timeout 0x7f9298002490: timer_handler
47: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
81: run_listener_server: cycle=17
89: server_input_handler:74:start
89: IPv4. tcp or tls connected to: 10.10.1.70:61294
89: server_input_handler:121:end
89: open_client_connection_session:4648:start
89: open_client_connection_session:4682:end
89: session 000000000000000001: TCP socket closed remotely 10.10.1.70:61294
89: shutdown_client_connection:4109:start
89: session 000000000000000001: usage: realm=<turn.gh-immo.de>, username=<>, rp=0, rb=0, sp=0, sb=0
89: closing session 0x7f9290004f50, client socket 0x7f92900049d0 (socket session=0x7f9290004f50)
89: session 000000000000000001: closed (2nd stage), user <> realm <turn.gh-immo.de> origin <>, local 10.10.10.13:3478, remote 10.10.1.70:61294, reason: TCP connection closed by client (callback)
89: shutdown_client_connection:4174:end
199: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
199: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
199: timer_event_handler: timeout 0x7f9298002490: timer_handler
200: timer_event_handler: timeout 0x7f928c002530: timer_handler
200: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
200: timer_event_handler: timeout 0x7f9290002490: timer_handler
200: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
200: timer_event_handler: timeout 0x7f92980036e0: timer_timeout_handler
200: timer_event_handler: timeout 0x7f9298002490: timer_handler
201: timer_event_handler: timeout 0x7f928c002530: timer_handler
201: timer_event_handler: timeout 0x7f92900036e0: timer_timeout_handler
201: timer_event_handler: timeout 0x7f9290002490: timer_handler
201: timer_event_handler: timeout 0x55c01ab0dc10: timer_handler
201: timer_event_handler: timeout 0x55c01ab0f1d0: rtcp_map_timeout_handler

But I don't see any error in the log, or what the problem is that keeps it from opening port 443.

@rawtaz

rawtaz commented May 11, 2021

@MeinhartEsrohr I believe that the alt-listening-port and alt-tls-listening-port are only effective for when you specify a secondary IP to listen on. I don't see any listening-ip in your configuration, so that and your log suggests that your coturn will grab all the IPs it can get. When you haven't specified either of the alt- port directives, it will use the "main" port +1 as the port alt number, which you see in your logs.

What are you trying to accomplish? In my config I have listening-port=3478, tls-listening-port=443 and listening-ip=<my public IP, in your case the internal one I guess>. That makes coturn listen on the main port 3478 for non-TLS traffic and port 443 for TLS traffic, all on that specific IP.

@MeinhartEsrohr

@MeinhartEsrohr I believe that the alt-listening-port and alt-tls-listening-port are only effective for when you specify a secondary IP to listen on. I don't see any listening-ip in your configuration, so that and your log suggests that your coturn will grab all the IPs it can get. When you haven't specified either of the alt- port directives, it will use the "main" port +1 as the port alt number, which you see in your logs.

What are you trying to accomplish? In my config I have listening-port=3478, tls-listening-port=443 and listening-ip=<my public IP, in your case the internal one I guess>. That makes coturn listen on the main port 3478 for non-TLS traffic and port 443 for TLS traffic, all on that specific IP.

Hi @rawtaz, thanks for your detailed answer. My current configuration works under Ubuntu Server version 18.04 without problems (even without listening-ip); above I had posted the configuration under 18.04.
I have configured it exactly like in your example too (only without listening-ip); it also worked with the older version. I will test it again tonight with listening-ip.

As we work with NAT, I would enter my DMZ internal address in listening-ip.
Thanks a lot

@amirphl

amirphl commented May 26, 2021

I just edited two files to bind on 80 and 443:
in /etc/turnserver.conf:
change

  • proc-user=turnserver
  • proc-group=turnserver

to

  • proc-user=root
  • proc-group=root

and in coturn system service file, change

  • User=turnserver
  • Group=turnserver

to

  • User=root
  • Group=root

then run systemctl daemon-reload, then systemctl restart coturn.
Alert: Beware that with this approach, you are using Coturn with the root user. I don't know whether it is recommended or not.

@rawtaz

rawtaz commented May 26, 2021

@amirphl What's the reason to make it run as root instead of the dedicated turnserver user and group?

If it's just to be able to listen on the privileged ports, a better approach is to put this in your systemd file for the service (e.g. /lib/systemd/system/coturn.service):

[Service]
# Needed to let coturn bind to privileged ports.
AmbientCapabilities=CAP_NET_BIND_SERVICE

Then you shouldn't have to make it run as root.
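
The drop-in described in @misi's quoted README text and in this comment only helps if the capability actually reaches the running turnserver process. As an added example (not from the thread or the coturn project), this POSIX shell snippet decodes the `CapEff` mask from `/proc/<pid>/status` and reports whether bit 10, which is CAP_NET_BIND_SERVICE per capabilities(7), is set. The pidfile path is the one from the unit file posted earlier in the thread; falling back to the current shell's PID is an assumption added so the script also runs on a machine without coturn.

```shell
#!/bin/sh
# Added example (not from this issue or the coturn project): check whether a running
# process holds CAP_NET_BIND_SERVICE by decoding CapEff from /proc/<pid>/status.
# That is the capability AmbientCapabilities=CAP_NET_BIND_SERVICE grants, so this
# shows whether the systemd drop-in took effect, without root and without waiting
# for the next errno=13 in the coturn log.

# CAP_NET_BIND_SERVICE is capability number 10 on Linux (capabilities(7)).
CAP_NET_BIND_SERVICE=10

# has_cap HEXMASK CAPNUM -> 0 if bit CAPNUM is set in the 64-bit hex mask.
has_cap() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_eff_of PID -> the CapEff hex mask of PID (empty if /proc is not readable).
cap_eff_of() {
  awk '/^CapEff:/ { print $2 }' "/proc/$1/status" 2>/dev/null
}

# check_bind_cap PID -> verdict on stdout; 0 if PID can bind ports below 1024,
# 1 if it cannot, 2 if the process could not be inspected.
check_bind_cap() {
  mask=$(cap_eff_of "$1")
  if [ -z "$mask" ]; then
    echo "pid $1: cannot read /proc/$1/status"
    return 2
  fi
  if has_cap "$mask" "$CAP_NET_BIND_SERVICE"; then
    echo "pid $1: CapEff=$mask includes CAP_NET_BIND_SERVICE (can bind 80/443)"
  else
    echo "pid $1: CapEff=$mask lacks CAP_NET_BIND_SERVICE (bind to 443 fails with errno=13)"
    return 1
  fi
}

# Stand-alone run: inspect the turnserver PID from the pidfile used in this thread.
# Falling back to this shell's own PID is an assumption so the script runs anywhere.
pid=$(cat /run/turnserver/turnserver.pid 2>/dev/null || echo $$)
check_bind_cap "$pid" || :
```

A process started by a plain unit with `User=turnserver` shows `CapEff: 0000000000000000`; the same unit with the `AmbientCapabilities` drop-in shows `0000000000000400`, i.e. only bit 10, which is the least privilege the 443 listener needs. Running as root instead (as one comment below suggests) shows a full mask such as `000001ffffffffff`, which is far more than coturn requires.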

@amirphl

amirphl commented Jun 22, 2021

@rawtaz
Thank you, I tested your solution and it worked. It is a better solution.

@spine001

The directory mentioned in the text that @misi referred to in his January 13th 2021 message (coturn/debian/README.Debian, lines 55 to 69 in 4417fd2) doesn't exist in Ubuntu 20.04 with the currently available Ubuntu Coturn version, Coturn-4.5.1.1 'dan Eider'.

The correct file is /lib/systemd/system/coturn.service as stated by several above. We may want to correct the documentation.

@spine001

Also to correct the certificate access problem mentioned above, the certbot documentation now states:

For historical reasons, the containing directories are created with permissions of 0700 meaning that certificates are accessible only to servers that run as the root user. If you will never downgrade to an older version of Certbot, then you can safely fix this using chmod 0755 /etc/letsencrypt/{live,archive}.

For servers that drop root privileges before attempting to read the private key file, you will also need to use chgrp and chmod 0640 to allow the server to read /etc/letsencrypt/live/$domain/privkey.pem.

Note

/etc/letsencrypt/archive and /etc/letsencrypt/keys contain all previous keys and certificates, while /etc/letsencrypt/live symlinks to the latest versions.

This documentation is here.

I followed the instructions and the problem is gone. We may want to add these instructions to the Coturn documentation. It will save people tons of time.
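
As an added example (not part of this issue, the coturn project, or certbot): a POSIX shell check for the failure described here and by @artooro earlier, where the unprivileged service account cannot reach the private key and coturn logs nothing useful. It walks every directory from the key up to a trusted top directory, requires the search bit on each directory and the read bit on the key for the service's group id, and follows the `live/` symlink to the `archive/` file the way certbot lays it out. The directory tree it builds is constructed in a temp dir; the `example.test` name is made up, and the `0700`/`0600` starting modes and the `0755`/`0640` fix mirror the certbot note quoted above. Assumes Linux with GNU or busybox coreutils (`stat -L -c`, `readlink -f`).

```shell
#!/bin/sh
# Added example (not from this issue, coturn or certbot): verify that a service
# account's group can traverse to a TLS private key and read it, the condition
# coturn does not report when it fails. Groups are handled as numeric gids so the
# check does not depend on name lookups. Assumes GNU/busybox stat and readlink.

# bit_allowed PATH GID BIT -> 0 if members of GID get BIT on PATH (4 = read,
# 1 = search). Uses the group digit when PATH belongs to GID, else the "other"
# digit. Symlinks are followed because certbot's live/ entries are links.
bit_allowed() {
  mode=$(stat -L -c '%a' "$1") || return 1
  gid=$(stat -L -c '%g' "$1")
  o=${mode#${mode%?}}                  # last octal digit: other
  rest=${mode%?}; g=${rest#${rest%?}}  # second-to-last digit: group
  [ -n "$g" ] || g=0
  if [ "$gid" = "$2" ]; then digit=$g; else digit=$o; fi
  [ $(( digit & $3 )) -ne 0 ]
}

# dir_chain_ok DIR STOP GID -> walk from DIR up to (not including) STOP and require
# the search bit on every directory; prints the first blocking directory on failure.
dir_chain_ok() {
  p=$1
  while [ "$p" != "$2" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
    bit_allowed "$p" "$3" 1 || { echo "blocked: $p ($(stat -L -c '%a %U:%G' "$p"))"; return 1; }
    p=$(dirname "$p")
  done
}

# key_readable_by KEY STOP GID -> 0 if GID can reach KEY, reach its symlink target,
# and read the target; STOP is the topmost directory trusted without checking.
key_readable_by() {
  target=$(readlink -f "$1")
  dir_chain_ok "$(dirname "$1")" "$2" "$3" || return 1
  dir_chain_ok "$(dirname "$target")" "$2" "$3" || return 1
  bit_allowed "$target" "$3" 4 || { echo "unreadable: $target ($(stat -L -c '%a %U:%G' "$target"))"; return 1; }
  echo "ok: $1 is readable by gid $3"
}

# build_demo_tree -> constructed certbot-like layout in a temp dir: live/ and
# archive/ start at 0700 and the key at 0600, the situation the quoted note describes.
build_demo_tree() {
  root=$(readlink -f "$(mktemp -d)")
  mkdir -p "$root/archive/example.test" "$root/live/example.test"
  : > "$root/archive/example.test/privkey1.pem"
  ln -s ../../archive/example.test/privkey1.pem "$root/live/example.test/privkey.pem"
  chmod 0700 "$root/live" "$root/archive"
  chmod 0755 "$root/live/example.test" "$root/archive/example.test"
  chmod 0600 "$root/archive/example.test/privkey1.pem"
  echo "$root"
}

# fix_certbot_perms ROOT GID -> the fix from the certbot documentation quoted above:
# 0755 on live/ and archive/, then chgrp + 0640 on the key (chgrp/chmod follow the link).
fix_certbot_perms() {
  chmod 0755 "$1/live" "$1/archive"
  chgrp "$2" "$1/live/example.test/privkey.pem"
  chmod 0640 "$1/live/example.test/privkey.pem"
}

# Stand-alone run: show the failure, apply the fix, show the success, clean up.
GID_=$(id -g)
ROOT=$(build_demo_tree)
key_readable_by "$ROOT/live/example.test/privkey.pem" "$ROOT" "$GID_" || echo "(failure before the fix is expected)"
fix_certbot_perms "$ROOT" "$GID_"
key_readable_by "$ROOT/live/example.test/privkey.pem" "$ROOT" "$GID_"
rm -rf "$ROOT"
```

Against a real install, call `key_readable_by /etc/letsencrypt/live/$domain/privkey.pem / "$(id -g turnserver)"` before starting the service; the first blocking path it prints is the one to fix, and giving the key `0640` with the service's group keeps it unreadable to other local users.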

@un99known99

un99known99 commented Aug 16, 2021

Hi,
I faced similar issues but without the dependency on low ports. While rebooting the Pi I have the following entries in the logfile:

0: Trying to bind fd 88 to <[2003:f2:c70d:d400:ba27:345r:fe53:7777]:8346>: errno=99
0: Cannot bind DTLS/UDP listener socket to addr [2003:f2:c70d:d400:ba27:345r:fe53:7777]:8346
0: Trying to bind DTLS/UDP listener socket to addr [2003:f2:c70d:d400:ba27:345r:fe53:7777]:8346, again...

...only for IPv6; after some iterations:

0: Trying to bind TLS/TCP listener socket to addr [2003:f2:c70d:d400:ba27:345r:fe53:7777]:8346, again...
0: IPv6. DTLS/UDP listener opened on: 2003:f2:c70d:d400:ba27:345r:fe53:7777:8346
0: IPv6. DTLS/UDP listener opened on: 2003:f2:c70d:d400:ba27:345r:fe53:7777:8347
0: IPv6. DTLS/UDP listener opened on: 2003:f2:c70d:d400:ba27:345r:fe53:7777:9273
0: IPv6. DTLS/UDP listener opened on: 2003:f2:c70d:d400:ba27:345r:fe53:7777:9274
0: IPv6. DTLS/UDP listener opened on: fd00::d400:ba27::fe53:7777:8346
0: IPv6. DTLS/UDP listener opened on: fd00::d400:ba27::fe53:7777:8347
0: IPv6. DTLS/UDP listener opened on: fd00::d400:ba27::fe53:7777:9273
0: IPv6. DTLS/UDP listener opened on: fd00::d400:ba27::fe53:7777:9274
0: Total General servers: 4

But only at first boot. If I restart only coturn there are no such errors in the logfile.

Any idea?

Thanks, best regards
Mike

@rawtaz

rawtaz commented Aug 16, 2021

But only at first boot. If I restart only coturn no such errors in logfile.

Perhaps Coturn is trying to start before the network is ready? Depending on how you start it, make sure it's set to start when the network is ready. You can do that with systemd etc by configuring the unit file.

@un99known99

How can I throttle coturn or ensure that the IPv6 network is up? You mean in the config file /lib/systemd/system/coturn.service?
How can I configure the unit file accordingly?

@rawtaz

rawtaz commented Aug 16, 2021

A good start would be to read the documentation for systemd and/or DDG/Google something like "systemd network ready".

@un99known99

Thanks for pointing in that direction:

[Service]
ExecStartPre=/bin/sh -c 'until ping -c1 google.com; do sleep 1; done;'

in /lib/systemd/system/coturn.service did it.

Again, thanks a ton.

@rawtaz

rawtaz commented Aug 16, 2021

There's a cleaner way to define that a service requires the network to be ready before it starts, should be easy to find the configuration line you need for that. But your interesting solution is intriguing, glad it works!

@un99known99

un99known99 commented Aug 16, 2021

You mean:
systemctl enable systemd-networkd.service systemd-networkd-wait-online.service

[Unit]
After=systemd-networkd-wait-online.service
Wants=systemd-networkd-wait-online.service

Would it replace the After=network.target?

[Unit]
Description=coTURN STUN/TURN Server
Documentation=man:coturn(1) man:turnadmin(1) man:turnserver(1)
After=network.target

@rushglen

Version Coturn-4.5.1.1 'dan Eider'
Ubuntu 20.04 LTS (GNU/Linux 5.4.0-1009-aws x86_64)

Was getting the error:
0: Trying to bind fd 18 to <172.30.2.202:3478>: errno=98
Cannot bind local socket to addr: Address already in use
0: Cannot bind TLS/TCP listener socket to addr 172.30.2.202:3478
0: Trying to bind TLS/TCP listener socket to addr 172.30.2.202:3478, again...

Rather than removing it as suggested above (in case it didn't work) using:
sudo rm /lib/systemd/system/coturn.service

I renamed 'coturn.service' to:
old-coturn.-service

then
sudo systemctl daemon-reload

Now everything works!

@OlliverL

OlliverL commented Dec 1, 2021

@rushglen
Thank you very much, I had the same error; your solution fixed the issue.
Took me a whole workday to research.
