Configuring auth_realm for Multiple Vhosts in ejabberd with TURN/STUN

[paulo-roger]

Hi everyone!

I'm running multiple vhosts on my ejabberd server, and I'm getting a warning that I should set auth_realm for the TURN/STUN listen options. I understand that I need to specify auth_realm for each vhost, but I’m a bit confused about the port configuration.

Do I need to assign a unique listening port for each vhost with its respective auth_realm domain, or is it possible to have all the vhosts share the same port?

Thanks in advance for any guidance!

[weiss]

That log message made sense back in the days when static (plain-text) credentials were used for TURN authentication. I guess you're using mod_stun_disco instead, in which case the TURN realm is irrelevant. Our example configuration should work just fine with multiple domains.

I removed the message now.

[paulo-roger]

Thanks!

In the same subject regarding stun/turn I have more a couple of questions if you don't mind, please.

I have this example from process-one blog

  -
    port: 3478
    transport: udp
    module: ejabberd_stun
    use_turn: true
    turn_min_port: 49152
    turn_max_port: 65535
    ## The server's public IPv4 address:
    turn_ip: 0.0.0.0
  -
    port: 5349
    transport: tcp
    module: ejabberd_stun
    use_turn: true
    tls: true
    turn_min_port: 49152
    turn_max_port: 65535
    ip: 0.0.0.0
    turn_ip: 0.0.0.0

The example from ejjaberd repo

  -
    port: 3478
    ip: "::"
    transport: udp
    module: ejabberd_stun
    use_turn: true
    ## The server's public IPv4 address:
    # turn_ipv4_address: "203.0.113.3"
    ## The server's public IPv6 address:
    # turn_ipv6_address: "2001:db8::3"

And this one from joinjaber

  -
    port: 3478
    transport: udp
    module: ejabberd_stun
    use_turn: true
    turn_min_port: 49152
    turn_max_port: 65535
    # The server's public IPv4 address:
    turn_ipv4_address: 0.0.0.0
  -
    port: 5349
    transport: tcp
    module: ejabberd_stun
    use_turn: true
    tls: true

Also some of those options are not in the documentation.

My questions are:
transport have to set explicitly? Does it default as tcp? If set for udp, should I duplicate the entry using the same port for tcp?
From the docs:

listen:
  -
    port: 3478
    transport: udp
    module: ejabberd_stun
  -
    port: 3478
    module: ejabberd_stun

The ejabberd example have ip: "::" but others don't, does it makes a difference? Also I don't see it in the docs I mentioned above, maybe it is legacy from older versions?

max and min ports are recommended to setup only for large servers or are they good practice for everyone? If positive, I could add the same range in the tcp + tls as in the udp?

Sorry if my questions are somewhat dumb. I really appreciate your help already.

[weiss]

Short answer, I'd recommend just sticking to the example configuration, and specifying the server's public IP address as turn_ipv4_address:

listen:
  -
    port: 3478
    ip: "::"
    transport: udp
    module: ejabberd_stun
    use_turn: true
    ## The server's public IPv4 address:
    # turn_ipv4_address: "203.0.113.3"

modules:
  mod_stun_disco: {}

The blog article you mentioned uses a more verbose configuration, but that's just to show all options.

As for your questions:

• Regarding transport: The default is udp, and that's what clients prefer in order to minimize latency during A/V calls. Offering TLS or unencrypted TCP transports only makes sense as fallback for clients behind restrictive firewalls. In practice, only TLS on 443 really makes sense for this scenario. As that's less trivial to set up (esp. if a web server is running on the same system), our example configuration just offers udp, which works in the vast majority of cases. There's a cost in offering TLS and/or unencrypted TCP as that may increase call negotiation latency (since clients test all offered options during negotiation, even if they end up being unused).
• The turn_min_port—turn_min_port range is UDP-only (regardless of the transport) and must be publicly accessible on the turn_ipv4_address. You can reduce it on small servers, but note that a single A/V call might need a few ports within that range (so the size of the range limits the number of parallel A/V calls). If you do end up with multiple ejabberd_stun listeners (to support unencrypted TCP and/or TLS in addition to UDP), you can use the same UDP port range for all of them.
• The default ip value is 0.0.0.0 which makes the listener IPv4-only. On Linux systems, ip: "::" listens on both IPv4 and IPv6 by default. That's recommended, as some (mobile) networks require IPv6 for TURN relaying (long story).
• What option(s) are you missing from the documentation?

If you'd like to understand the reasonings behind my words, you might want to read my short description of the STUN/TURN protocols. The way TURN relaying works is somewhat unintuitive but I tried my best to explain the relevant basics in a compact way.

[paulo-roger]

Wow! Thank you so much for your answer! I am gonna read your link now, I've tried the XEPs yesterday but still was confusing for me.

What option(s) are you missing from the documentation?

transport and ip.

General listen options supported: certfile, send_timeout, shaper, tls,
The specific ejabberd_stun configurable options are:

And then it proceeds for the specifics.

Ah OK, now I get it.

The Listen Options: port, ip, transport and module are valid for all cases. I was thinking it would be listed under "General listen options supported". Sorry.

Again, I really appreciate your answers! You made it a lot easier for me, thank you very much.