Relay STUN/TURN unavailable

Describe the problem
I've been busy trying to fix our NetBird self-hosted instance for the last 2 weeks. A lot of troubleshooting and trial and error has been done, and I've reached the point where I can connect to peers again. The (hopefully last) issue left is with STUN/TURN (coturn) and Relay.

Used Technologies
NetBird, Authentik, Nginx Proxy Manager, Cloudflare

Expected behavior
Connected to relay and stun/turn without any errors

NetBird version, Netbird Status and Screenshots
0.38.2

Additional context
I think there is a problem with the relay client not being able to connect to the coturn client because coturn is running on the host network, and the relay server, which is running in an internal Docker network, is trying to reach the coturn server through the public IP instead of the reverse proxy. Could that be possible?

There were also some TLS issues earlier, which I fixed by using the CF origin certs.

Attached is the output of netbird status -d & client.log. For some reason TLS handshake issues returned.
7 Replies
Codixer, 4w ago
What is your setup.env like?
Abysmal (OP), 4w ago
@Codixer I've had a busy day checking & testing all components and trying to fix the errors.

I figured turn/stun would not work through the ports when they are behind CF orange cloud proxy. Because of that, I've set a different DNS record for turn.cazzy.cc and appended settings in turnserver.conf and management.json.

Finally 1 out of 3 relays connected, but still stuck at the other 2:

```
[stun:turn.cazzy.cc:3478] is Available
[turn:turn.cazzy.cc:3478?transport=udp] is Unavailable, reason: allocate: Allocate error response (error 401: Unauthorized)
[rels://vpn.cazzy.cc:443] is Unavailable, reason: relay client not connected
```

To fix the 2nd one we have to set the correct TURN/STUN credentials, which I lost somewhere in the rabbit hole.

Errors from coturn container:

```
coturn-1 | 19: (9): ERROR: session 000000000000000001: check_stun_auth: user self credentials are incorrect
coturn-1 | 21: (11): ERROR: session 002000000000000001: check_stun_auth: user self credentials are incorrect
coturn-1 | 23: (10): ERROR: session 001000000000000004: check_stun_auth: user self credentials are incorrect
```

For the 3rd entry I really don't have a clue, I guess since it's behind reverse proxy and might not have been properly configured.
- rels://vpn.cazzy.cc:443 not available, research needed

This is my setup.env but I think the management.json, docker-compose.yml and turnserver.conf might be more interesting for the latest config since I didn't rebuild through configure.sh:

```
# Dashboard domain. e.g. app.mydomain.com
NETBIRD_DOMAIN="vpn.cazzy.cc"

# TURN server domain. e.g. turn.mydomain.com
# if not specified it will assume NETBIRD_DOMAIN
NETBIRD_TURN_DOMAIN="turn.cazzy.cc"

# TURN server public IP address
# required for a connection involving peers in
# the same network as the server and external peers
# usually matches the IP for the domain set in NETBIRD_TURN_DOMAIN
NETBIRD_TURN_EXTERNAL_IP="5.xxx.xxx.xx"

# -------------------------------------------
# OIDC
# e.g., https://example.eu.auth0.com/.well-known/openid-configuration
# -------------------------------------------
NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT="https://xx.cazzy.cc/application/o/netbird/.well-known/openid-configuration"
NETBIRD_USE_AUTH0=false
NETBIRD_AUTH_CLIENT_ID="xxxx"
NETBIRD_AUTH_SUPPORTED_SCOPES="openid profile email offline_access api"
NETBIRD_AUTH_AUDIENCE="xxxx"
NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID="xxxx"
NETBIRD_AUTH_DEVICE_AUTH_AUDIENCE="xxxx"
NETBIRD_MGMT_IDP="authentik"
NETBIRD_IDP_MGMT_CLIENT_ID="xxxx"
NETBIRD_IDP_MGMT_EXTRA_USERNAME="Netbird"
NETBIRD_IDP_MGMT_EXTRA_PASSWORD="xxxx"

# -------------------------------------------
# Letsencrypt
# -------------------------------------------
# Disable letsencrypt
# if disabled, cannot use HTTPS anymore and requires setting up a reverse-proxy to do it instead
NETBIRD_DISABLE_LETSENCRYPT=true

# -------------------------------------------
# Extra settings
# -------------------------------------------
# Disable anonymous metrics collection, see more information at https://netbird.io/docs/FAQ/metrics-collection
NETBIRD_DISABLE_ANONYMOUS_METRICS=false
# DNS DOMAIN configures the domain name used for peer resolution. By default it is netbird.selfhosted
NETBIRD_MGMT_DNS_DOMAIN=netbird.selfhosted
```
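The 401 on the TURN allocate, together with coturn's "user self credentials are incorrect", is what appears when the static user in turnserver.conf and the TURN entry in management.json have drifted apart. The following is an added example, not part of the original post or NetBird's own code, that compares the two files without printing the secrets. Assumptions: the `TURNConfig.Turns[].Username`/`Password` keys in management.json, a static `user=name:password` line in turnserver.conf, and all sample values, which are constructed.

```python
import hmac
import json

# Constructed sample configs; hostnames, layout and passwords are assumptions for this example.
TURNSERVER_CONF = """\
listening-port=3478
realm=turn.example.test
lt-cred-mech
# static long-term user, form user=<name>:<password>
user=self:old-password-from-first-install
"""

MANAGEMENT_JSON = """\
{"TURNConfig": {"Turns": [
  {"Proto": "udp", "URI": "turn:turn.example.test:3478",
   "Username": "self", "Password": "new-password-after-reconfigure"}]}}
"""

def coturn_users(conf_text):
    """Return {username: password} from coturn 'user=name:password' lines."""
    users = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("user="):  # commented-out lines start with '#' and are skipped
            name, sep, password = line[len("user="):].partition(":")
            if sep:
                users[name] = password
    return users

def turn_credential_findings(conf_text, management_text):
    """Compare each TURN entry handed out to peers with coturn's static users.
    Findings name the URI and user only, never the secrets."""
    users = coturn_users(conf_text)
    findings = []
    turns = json.loads(management_text).get("TURNConfig", {}).get("Turns", [])
    for turn in turns:
        uri, name = turn.get("URI", "?"), turn.get("Username", "")
        password = turn.get("Password", "")
        if name not in users:
            findings.append(f"{uri}: user '{name}' is not defined in turnserver.conf")
        elif not hmac.compare_digest(users[name].encode(), password.encode()):
            findings.append(f"{uri}: password for user '{name}' differs between the two files")
    return findings

if __name__ == "__main__":
    for finding in turn_credential_findings(TURNSERVER_CONF, MANAGEMENT_JSON):
        print("MISMATCH", finding)
```
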
Codixer, 4w ago
You might need to use the setup.env, yeah. Variables could change in several spots.
Abysmal (OP), 4w ago
@Codixer Will work on revising the setup.env including all changes made. Will revert with the results 🙂
Abysmal (OP), 4w ago
I got it to work 🙂
Codixer, 4w ago
:D
