
Fresh install in VM with NAT fails with 408 Authorization failure

Open xanni opened this issue 4 years ago • 6 comments

I have an external TURN server at turn.glasswings.com.au, working IPv6 and tested working NAT. bbb-conf --status and bbb-conf --check report no problems. However, no matter what I try, I can't get the session to start.

$ sudo bbb-conf --check

BigBlueButton Server 2.3.8 (2397)
                    Kernel version: 4.15.0-151-generic
                      Distribution: Ubuntu 18.04.5 LTS (64-bit)
                            Memory: 8167 MB
                         CPU cores: 4

/etc/bigbluebutton/bbb-web.properties (override for bbb-web)
/usr/share/bbb-web/WEB-INF/classes/bigbluebutton.properties (bbb-web)
       bigbluebutton.web.serverURL: https://bbb.glasswings.com.au
                defaultGuestPolicy: ALWAYS_ACCEPT
                 svgImagesRequired: true

/etc/nginx/sites-available/bigbluebutton (nginx)
                       server_name: bbb.glasswings.com.au
                              port: 80, [::]:80
                              port: 443 ssl

/opt/freeswitch/etc/freeswitch/vars.xml (FreeSWITCH)
                       local_ip_v4: 192.168.122.2
                   external_rtp_ip: 178.63.21.144
                   external_sip_ip: 178.63.21.144

/opt/freeswitch/etc/freeswitch/sip_profiles/external.xml (FreeSWITCH)
                        ext-rtp-ip: $${external_rtp_ip}
                        ext-sip-ip: $${external_sip_ip}
                        ws-binding: 192.168.122.2:5066
                       wss-binding: 192.168.122.2:7443

/usr/local/bigbluebutton/core/scripts/bigbluebutton.yml (record and playback)
                     playback_host: bbb.glasswings.com.au
                 playback_protocol: https
                            ffmpeg: 4.2.4-1ubuntu0.1bbb2~18.04

/etc/bigbluebutton/nginx/sip.nginx (sip.nginx)
                        proxy_pass: 192.168.122.2
                          protocol: http

/usr/local/bigbluebutton/bbb-webrtc-sfu/config/default.yml (Kurento SFU)
                        kurento.ip: 178.63.21.144
                       kurento.url: ws://127.0.0.1:8888/kurento
                    kurento.sip_ip: 192.168.122.2
                    localIpAddress: 192.168.122.2
               recordScreenSharing: true
                     recordWebcams: true
                  codec_video_main: VP8
               codec_video_content: VP8

/usr/share/meteor/bundle/programs/server/assets/app/config/settings.yml (HTML5 client)
                             build: 1813
                        kurentoUrl: wss://bbb.glasswings.com.au/bbb-webrtc-sfu
                  enableListenOnly: true
                    sipjsHackViaWs: true


# Potential problems described below

xanni avatar Jul 25 '21 13:07 xanni

Please check the secret_value settings in /etc/turnserver.conf on turn.glasswings.com.au and the settings in /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml on bbb.glasswings.com.au to match. If these values don't match, a connection is not possible.

If the secret_value matches, could you please provide the output of

[email protected]:~$ grep -e "listening-ip" /etc/turnserver.conf

the output of

[email protected]:~$ dig turn.glasswings.com.au. IN ANY

of

[email protected]:~$ getent hosts turn.glasswings.com.au.

and of

[email protected]:~$ telnet turn.glasswings.com.au. 443

The output of the telnet command should look like below, where the IPv4/IPv6 address behind "Trying" in the first line is interesting, as is the fact that a connection is successfully established (or not, in case of routing/firewall issues). By pressing the Ctrl and the ]-key, you get to the telnet prompt, where you can close the connection by entering "close":

Trying ...
Connected to turn.glasswings.com.au.
Escape character is '^]'.
^]
telnet> close
Connection closed.

Last but not least, the content of the file /usr/share/bbb-web/WEB-INF/classes/spring/turn-stun-servers.xml on bbb.glasswings.com.au will be helpful. Please make sure to censor all passwords before posting it! (See <secret_value> in https://docs.bigbluebutton.org/admin/setup-turn-server.html#configure-bigbluebutton-to-use-your-turn-server for details.)

michi-80337 avatar Aug 23 '21 03:08 michi-80337
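An added example (not code from this thread or from BigBlueButton itself) showing why the secret in /etc/turnserver.conf and the one in turn-stun-servers.xml must match: BigBlueButton issues each client a short-lived TURN credential derived from the shared secret in coturn's TURN REST API style (username = "<expiry>:<user>", password = base64(HMAC-SHA1(secret, username))), and coturn recomputes the password with its own secret. The exact username layout BigBlueButton uses is an assumption here; the secrets, user and timestamps are constructed values.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple


def make_turn_credential(secret: str, user: str, ttl: int,
                         now: Optional[int] = None) -> Tuple[str, str]:
    """Issue a credential the way the BBB side (bbb-web) would,
    using the secret from turn-stun-servers.xml."""
    now = int(time.time()) if now is None else now
    username = f"{now + ttl}:{user}"          # expiry timestamp first, then user
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_turn_credential(secret: str, username: str, password: str,
                           now: Optional[int] = None) -> str:
    """Check a credential the way coturn (use-auth-secret) would,
    using the static-auth-secret from /etc/turnserver.conf."""
    now = int(time.time()) if now is None else now
    expected = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    expected_b64 = base64.b64encode(expected).decode()
    # Constant-time compare; a different secret on either side fails here.
    if not hmac.compare_digest(expected_b64, password):
        return "401 bad credential (secret mismatch?)"
    expiry_str, _, _ = username.partition(":")
    try:
        expiry = int(expiry_str)
    except ValueError:
        return "401 malformed username"
    if expiry < now:
        return "401 expired"
    return "ok"


if __name__ == "__main__":
    # Constructed demo values: same secret on both hosts works,
    # a mismatch fails even though everything else is identical.
    shared = "constructed-shared-secret"
    user, pw = make_turn_credential(shared, "bbb-user", 86400, now=1000)
    print(verify_turn_credential(shared, user, pw, now=1000))        # ok
    print(verify_turn_credential("other-secret", user, pw, now=1000))  # 401 bad credential
```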

shining:~$ grep -e "listening-ip" /etc/turnserver.conf
#listening-ip=172.17.19.101
#listening-ip=10.207.21.238
#listening-ip=2607:f0d0:1002:51::4

(Using the default, which is all available interface addresses)

bbb:~$ host turn.glasswings.com.au
turn.glasswings.com.au has address 178.63.21.144
turn.glasswings.com.au has IPv6 address 2a01:4f8:141:4401::2

bbb:~$ getent hosts turn.glasswings.com.au.
2a01:4f8:141:4401::2 turn.glasswings.com.au

bbb:~$ telnet turn.glasswings.com.au 5349
Trying 2a01:4f8:141:4401::2...
Connected to turn.glasswings.com.au.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
xanni@bbb:~$ telnet turn.glasswings.com.au 5350
Trying 2a01:4f8:141:4401::2...
Connected to turn.glasswings.com.au.
Escape character is '^]'.
^]
telnet> quit
Connection closed.

Note that coturn is not configured to listen on port 443 as that port is not available on that server. It is already in use by Apache and I have not been able to configure Apache to proxy to coturn.

turn-stun-servers.xml.gz

xanni avatar Aug 26 '21 07:08 xanni

Here's an excerpt from the documentation:

We recommend using a minimal server installation of Ubuntu 20.04. The coturn software requires port 443 for its exclusive use in our recommended configuration, which means the server cannot have any dashboard software or other web applications running.

As far as I've understood it, BigBlueButton uses the connection to port 443 to manage which client is allowed to relay its data via the TURN server. You might be lucky by choosing an alternative port for 443 on your TURN server and declaring it in turn-stun-servers.xml similar to the TurnServer bean with the id turn2. You might expect some fun with firewalls, SSL certificates and similar stuff.

Nevertheless, as far as I see it, this is no problem with bbb-install.sh or BigBlueButton. Hence this issue might be ripe for closing. ...

michi-80337 avatar Aug 26 '21 10:08 michi-80337

The same TURN server seems to work OK with another BBB installation that is not using NAT. And the same BBB installation that is using NAT does not work at all even with the default STUN server instead of using my own TURN server. So let me clarify the issue: it is not about TURN, it is about getting BBB working behind NAT. And yes, I have port 443 reverse proxied to the BBB server with the same certificate on both the server and the proxy. That part works fine.

xanni avatar Aug 26 '21 12:08 xanni

Sorry for creating some confusion here.

I'm not talking about the port 443 at bbb.glasswings.com.au, I'm talking about the port 443 at turn.glasswings.com.au. The system bbb.glasswings.com.au is in this case the client (using a source port in the range above 32768) connecting to the coturn server at the system turn.glasswings.com.au (using destination port 443). That has nothing to do with the connection from the user's web browser to the BBB server.

BBB shouldn't use the TURN server at all when there is no NAT, because a client can talk directly to the BBB server in this case. TURN is the abbreviation for "Traversal Using Relays around NAT". You need a TURN server if a client and a server are both in different networks, each connected to the Internet using NAT.

michi-80337 avatar Aug 26 '21 18:08 michi-80337

So if I understand correctly, BBB does not support TURN servers on any port other than 443? That's annoying. It means there is no way to operate a BBB server in a VM without paying for an additional IPv4 address.

xanni avatar Aug 26 '21 19:08 xanni