Skip to content

ejabberd configuration error prevents turn credentials from being offered to clients which makes call completion fail when stun is not sufficient. Fix suggested.

Certain users on my ejabberd server could not complete calls to one and other. The callee's client would ring, but when they answered, a connection was attempted but not completed.

adb logcat debugging output on the phone showed messages such as "skipping turn/tcp without username and password". There was a like line for udp.

https://docs.ejabberd.im/admin/configuration/modules/#mod-stun-disco at Available Options->services->restricted says "This option determines whether temporary credentials for accessing the service are offered. The default is false for STUN/STUNS services and true for TURN/TURNS services." However, freedombox configures mod_stun_disco with turn set to false in /etc/ejabberd/ejabberd.yml:

mod_stun_disco:
   credentials_lifetime: 1000d
   secret: hahaIwon'ttellyou
   services:
   - host: <fqdn of turn server>
     port: 3478
     type: stun
     transport: tcp
     restricted: false
   - host: <fqdn of turn server>
     port: 3478
     type: stun
     transport: udp
     restricted: false
   - host: <fqdn of turn server>
     port: 3478
     type: turn
     transport: tcp
     restricted: false
   - host: <fqdn of turn server>
     port: 3478
     type: turn
     transport: udp
     restricted: false

Changing "restricted:" to "true" in the last two host sections of mod_stun_disco fixed the problem:

    - host: <fqdn of turn server>
      port: 3478
      type: turn
      transport: tcp
      restricted: true
    - host: <fqdn of turn server>
      port: 3478
      type: turn
      transport: udp
      restricted: true

Edit: In the ejabberd chat it was suggested that the "restricted" directive could simply be dropped since, for stun it defaults to false and for turn it defaults to true and "just exists to cope with unusual setups".

Edited by joeDoe