Audio and Video call only work in the same LAN

[kfersch]

Steps to reproduce

After I have setup my own Matrix Server and TURN Server on the same machine,
Chatting works perfectly regardless on which System - Browser, APP or Android. The Problems occurs when we want to videochat.
It seems that we only can videochat if the both users are connected to the same network, otherwise it is ringing we can accept the call but no connection is made. Tested with Windows APP, Browser (Chrome, Firefox) and Android APP nothing worked.

My TURN server is available and running tested via Trickle ICE and turnutils_uclient.

Outcome

What did you expect?

Videochat is working on different Networks.

What happened instead?

No videochat was possible.

Operating system

Windows, Android, Chrome, Firefox

Browser information

No response

URL for webapp

No response

Application version

No response

Homeserver

Synapse [latest Debian package]

Will you send logs?

Yes

[robintown]

Thank you for the report, however we would need more information to be able to investigate this issue:

• Can you please submit logs?
• When testing your TURN server, were you testing it from outside the local network?
• Is your TURN server behind a NAT?
• You've added the address and credentials of your TURN server to your Synapse config, correct?

[kfersch]

Sure what logs do you want ?

Since my host is an external hosted Server, I am not 100% sure, but as far as I know the Server is not behind a NAT.
But to be sure I tested both with the external_ip config option and without.

Yes, I tested my TURN server via Trickle ICE and
https://icetest.info/

Results
IceGatheringState: complete
host
udp
undefined:63011
N/A

Some more background information my TURN Server is running behind an NGINX Reverse Proxy:
Nginx module:

stream {
    map $ssl_preread_server_name $name {
     domain web_backend;
     turn-domain turn_backend;
    }

    upstream web_backend {
        server 127.0.0.1:4444;
    }

    upstream turn_backend {
        server x.x.x.x:3478;
    }

    server {
        listen 443;
        listen [::]:443;
        proxy_pass $name;

        ssl_preread on;

        proxy_buffer_size 10m;
    }
}

The Turn server uses a auth-shared-secret, which i double checked on both configuration files.
Yes the TURN configuration was added to the Synapse, as I already mentioned Voice Call for Persons which are in the same network will work. I can also see that Elements want to connect to my turn server via `chrome://webrtc-internals/``

I also opened the Ports which the Turn Server uses for udp calls.

[robintown]

Results
IceGatheringState: complete
host
udp
undefined:63011
N/A

This isn't a good sign, if your TURN server were configured correctly you would see a relay entry in the results rather than just the host ones.

[robintown]

If you can trigger the call failure, logs can then be sent by clicking the 'Feedback' button in the top-left menu, and selecting 'submit debug logs'.

[kfersch]

Results
IceGatheringState: complete
host
udp
undefined:63011
N/A

This isn't a good sign, if your TURN server were configured correctly you would see a relay entry in the results rather than just the host ones.

Yes indeed sorry for that i already fixed that. My response is now:

Time | Component | Type | Foundation | Protocol | Address | Port | Priority | Mid | MLine Index | Username Fragment
-- | -- | -- | -- | -- | -- | -- | -- | -- | -- | --
0.001 |   | host | 1270274445 | udp | b3c02f4c-ed11-4939-a46b-e634b09bcd43.local | 56201 | 126 \| 31 \| 0 | 0 | 0 | Q9pO
0.207 | rtp | relay | 1110780486 | udp | 127.0.0.1 | 55883 | 1 \| 30 \| 255 | 0 | 0 | Q9pO
0.208 | Done
0.209

I removed the NGINX and directly hosted the Turn Server and enabled TCP removed the shared secret and did go for username.password auth.
I reconfigured the Synapse to adapt the new TURN settings.
At the first look it seems to work. Will still check it if it now works with my colleague.
I will now try it. Will inform you...

[kfersch]

The reason why i wanted to set the TURN server behind an NGINX is the following open BUG:
element-hq/element-android#1533
Want to enable TLS for my TURN server with letsencrypt certificates

[robintown]

0.207 | rtp | relay | 1110780486 | udp | 127.0.0.1 | 55883 | 1 \| 30 \| 255 | 0 | 0 | Q9pO

Another thing about this that's suspicious is that it claims the 127.0.0.1 loopback address is the relay's address. There should be a public-facing address there instead

[kfersch]

Finally It worked! Changing the relay-ip address to the public ip and it worked.
Thx for the support.