One-to-one calls should avoid going through the JVB for optimal performance and for optimal resource usage. This is why we've added the peer-to-peer mode where the two participants connect directly to each other. Unfortunately, a direct connection is not always possible between the participants. In those cases you can use a TURN server to relay the traffic (n.b. the JVB does much more than just relay the traffic, so this is not the same as using the JVB to 'relay' the traffic).
Jitsi meetings in general operate in 2 ways: peer-to-peer (P2P) or via the Jitsi Videobridge (JVB). This is transparent to the user. P2P mode is only used for 1-to-1 meetings. In this case, audio and video are encrypted using DTLS-SRTP all the way from the sender to the receiver, even if they traverse network components like TURN servers.
Key features of Jitsi Meet: encrypted communication (secure communication). As of April 2020, 1-1 calls use the P2P mode, which is end-to-end encrypted via DTLS-SRTP between the two participants. Group calls also use DTLS-SRTP encryption, but rely on the Jitsi Videobridge (JVB) as video router, where packets are decrypted temporarily.
Using TURN for P2P connections: if the video bridge fails to establish P2P connections between two participants, we can establish the P2P connection through the TURN server. To do this, we need to set useStunTurn: true in the p2p settings of the Jitsi Meet configuration.
This document describes how to enable TURN server support in one-to-one calls in Jitsi Meet. Although it gives some hints on how to configure prosody and coTURN, it assumes a properly configured TURN server and a properly configured XMPP server.
One way to configure TURN support in meet is with a static configuration. You can simply fill out the p2p.stunServers option with appropriate values, e.g.:
This technique doesn't require any special configuration on the XMPP server, but it exposes the credentials to your TURN server and other people can use your bandwidth freely, so while it's simple to implement, it's not recommended.
This draft describes a proposed standard REST API for obtaining access to TURN services via ephemeral (i.e. time-limited) credentials. These credentials are vended by a web service over HTTP, and then supplied to and checked by a TURN server using the standard TURN protocol. The usage of ephemeral credentials ensures that access to the TURN server can be controlled even if the credentials can be discovered by the user.
Jitsi Meet can fetch the TURN credentials from the XMPP server via XEP-0215. You can enable this functionality by setting p2p.useStunTurn: true in config.js. By properly configuring a common shared secret on your TURN server and your XMPP server, the XMPP server can deliver appropriate credentials and TURN URLs to Jitsi Meet. coTURN natively supports shared secret authentication (--use-auth-secret) and in prosody, you can use the mod_turncredentials module.
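An added example (not taken from the Jitsi documentation, coturn or prosody): in the shared-secret scheme of the draft quoted above, the TURN username is an expiry timestamp and the password is base64(HMAC-SHA1(secret, username)), so a leaked credential stops working once the timestamp passes. The secret value and the function names are constructed for illustration, and verify_credentials models the server-side check rather than reproducing coturn's code.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample value. In a deployment this is the secret configured on
# both the TURN server (coturn: static-auth-secret) and the XMPP server.
SHARED_SECRET = b"example-shared-secret"


def make_credentials(secret, ttl=3600, user="", now=None):
    """Issuer side: build a time-limited TURN username/password pair."""
    expiry = int(time.time() if now is None else now) + ttl
    # Username is "<expiry>" or "<expiry>:<user>", as in the REST API draft.
    username = f"{expiry}:{user}" if user else str(expiry)
    digest = hmac.new(secret, username.encode(), hashlib.sha1).digest()
    return username, base64.b64encode(digest).decode()


def verify_credentials(secret, username, password, now=None):
    """Server side (model): reject expired or forged credentials."""
    now = int(time.time() if now is None else now)
    try:
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False  # username does not start with a timestamp
    if expiry < now:
        return False  # credential lifetime is over
    expected = base64.b64encode(
        hmac.new(secret, username.encode(), hashlib.sha1).digest()
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, password.encode())


if __name__ == "__main__":
    name, pwd = make_credentials(SHARED_SECRET, ttl=3600, user="alice")
    print("username:", name)
    print("password:", pwd)
    print("valid now:", verify_credentials(SHARED_SECRET, name, pwd))
    # Changing the expiry in the username invalidates the HMAC.
    forged = str(int(name.split(":")[0]) + 86400) + ":alice"
    print("forged expiry accepted:", verify_credentials(SHARED_SECRET, forged, pwd))
```

Compare this with the static p2p.stunServers approach: there the TURN password itself reaches every browser, while here only a short-lived derivative of the secret does.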
Use TURN server on port 443
By default, TURN server listens on standard ports udp 3478 and tcp 5349 (for tls connections). There are certain corporate networks which allow only tcp connections using port 443 (https) and to cover this kind of scenarios it is useful to have TURN server listening on port 443 for tls connections. Here is how to run nginx and TURN server on the same machine sharing port, for this you will need a second dns for your turn domain pointing to the same machine (as a reference below we will use
- You need to enable the multiplexing based on that new dns. You need to create a file in /etc/nginx/modules-available. If you are placing the file in /etc/nginx/modules-available you need to add a symlink in /etc/nginx/modules-enabled. The file content should be:
Make sure you edit the file and replace jitsi-meet.example.com with your domain of deployment, turn-jitsi-meet.example.com with the DNS you will use for the TURN server and __your_public_ip__ with your public ip of the deployment. If you have more virtual hosts, make sure you add them here and do the port change for them (the next step).
- Then go to /etc/nginx/sites-available/your-conf and change your virtual host to listen on 4444 instead of 443.
- Next you need to make sure Prosody is advertising the correct DNS and port for the TURN server. You should edit the line using port 5349 and make it look like (change port and address):
- Now you need to make sure the TURN server (coturn) uses trusted certificates. Here is how to request those from Let's Encrypt; make sure you set correct values for the domain and email:
- After restarting prosody (systemctl restart prosody) you are good to go!