Title: Prosody server support for A/V calls with Conversations
Date: 2020-05-04
Tags: xmpp, chat, coturn, instant messaging, prosody, audio/video calls
Slug: server-support-for-audio-video-calls
Summary: Configure support for audio/video calls with Prosody,
Category: instant messaging
Status: published

[TOC]

Introduction
---

This is a guide to set up server-side support for audio/video calls over XMPP. To do this we will first install and configure [Coturn](https://github.com/coturn/coturn). It is a libre STUN/TURN server that helps establish peer connections across firewalls for media streams such as calls. Additionally we will configure Prosody to talk to `coturn`.

Like the other guides, this one assumes Debian stable running on the server, that you will end up hosting a few of your friends, and that you have some basic skills working on a Linux command line.

Furthermore it assumes you have already installed and configured Prosody. If you haven't, take a look at our guide ['Configuring an XMPP server for secure, mobile instant messaging']({filename}configuring_an_xmpp_server_prosody_0.11.md) first.


Set up firewall
----

To let your server communicate, make sure the following ports are open in your firewall for UDP traffic:

    :::console
    3478 (TURN)
    5349 (TURN + TLS)
    49152-65535 (UDP endpoints for clients)

Set up coturn
---

First install Coturn:

    :::console
    $ sudo apt-get update && sudo apt-get install coturn

After installing, first make a backup of the existing configuration:

    :::console
    $ sudo mv /etc/turnserver.conf /etc/turnserver.conf.bak

Then download the configuration by [the homebrewserver.club](https://homebrewserver.club/downloads/turnserver.conf):

    :::console
    $ cd ~
    $ wget https://homebrewserver.club/downloads/turnserver.conf -O turnserver.conf

The file looks like this:

    :::console
    ## Minimal version of /etc/turnserver.conf
    ## For more options and info see the original /etc/turnserver.conf.bak

    # Which ports to listen on, make sure the corresponding ports are accepting UDP connections on your firewall
    listening-port=3478
    tls-listening-port=5349

    # Your external IP, needed for some connections
    listening-ip=CUSTOMIZE THIS

    # Ports that client can connect to. Again make sure they are open for UDP connections on your firewall
    min-port=49152
    max-port=65535

    # For the connection with Prosody. Generate a long passphrase for the secret.
    use-auth-secret
    static-auth-secret=CUSTOMIZE THIS

    # Paths to Let's Encrypt certificates
    cert=/etc/letsencrypt/live/myserver.org/cert.pem
    pkey=/etc/letsencrypt/live/myserver.org/privkey.pem

    # Log to syslog
    syslog

    # For security:
    # disallow server fingerprinting
    prod
    # disallow connections on lo interface
    no-loopback-peers
    # disable command-line access
    no-cli

Now time for some config. You need to edit the downloaded `turnserver.conf` (the file that will become `/etc/turnserver.conf`) in a few places.

First, add your external IP address to `listening-ip`. If you don't know it, you can find out using the following command:

    :::console
    $ curl https://ifconfig.co

Then, set `static-auth-secret` to a decently long passphrase.
You can also generate one with:

    :::console
    $ openssl rand -base64 30

Take note of it because we will need this secret later.

Finally, edit the paths to the Let's Encrypt certificates to whatever you've set in ['Configuring an XMPP server for secure, mobile instant messaging']({filename}configuring_an_xmpp_server_prosody_0.11.md#enabling-https).

Once you are done, move it into place:

    :::console
    $ sudo mv turnserver.conf /etc/turnserver.conf

Update & set up Prosody
---

First update your Prosody modules:

    :::console
    $ sudo apt-get install mercurial
    $ cd /usr/src/prosody-modules
    $ hg pull
    $ hg update

Then edit your Prosody config in `/etc/prosody/prosody.cfg.lua`:

First add `turncredentials` to the `modules_enabled` section. Then, before the 'Virtual Hosts' section add:

    :::console
    turncredentials_host = "localhost"
    turncredentials_secret = "mydecentlylongpassphrase"

And replace the value of `turncredentials_secret` with the value of `static-auth-secret` in `/etc/turnserver.conf`.

Finishing up
---

Start `coturn` and enable it to start on boot:

    :::console
    $ sudo systemctl enable --now coturn

Restart `prosody`:

    :::console
    $ sudo /etc/init.d/prosody restart

Finally, to check if it works, you can test your server with the web-based [Conversations Compliance tester](https://compliance.conversations.im/).

Thanks & Acknowledgements
---

Thanks to the [example config of Wiktor](https://github.com/wiktor-k/coturn) and the [Prosody documentation](https://prosody.im/doc/coturn).
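
Why `turncredentials_secret` and `static-auth-secret` must be identical, shown as an added example that is not part of the original guide nor taken from Prosody or coturn: with `use-auth-secret`, a TURN password is `base64(HMAC-SHA1(secret, username))` and the username begins with the Unix time at which the credential expires. The function names, the lifetime values and the sample secrets are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional


def turn_password(secret: str, username: str) -> str:
    """Return base64(HMAC-SHA1(secret, username)), the TURN password for username."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


def issue_credentials(secret: str, ttl: int = 86400, now: Optional[int] = None):
    """XMPP-server side: hand out a short-lived (username, password) pair.

    The username is the Unix time at which the pair expires. ttl is an
    assumed lifetime for this example, not a value taken from the guide.
    """
    now = int(time.time()) if now is None else now
    username = str(now + ttl)
    return username, turn_password(secret, username)


def verify_credentials(secret: str, username: str, password: str,
                       now: Optional[int] = None) -> bool:
    """TURN-server side: accept only an unexpired pair made with the same secret."""
    now = int(time.time()) if now is None else now
    try:
        # The username is "expiry" or "expiry:userid".
        expiry = int(username.split(":", 1)[0])
    except ValueError:
        return False
    if expiry < now:
        return False
    expected = turn_password(secret, username)
    # Constant-time comparison, so timing does not leak how much matched.
    return hmac.compare_digest(expected.encode(), password.encode())


if __name__ == "__main__":
    secret = "constructed-secret-for-illustration"  # constructed, not a real secret
    user, pw = issue_credentials(secret, ttl=3600)
    print("username:", user)
    print("password:", pw)
    print("same secret:", verify_credentials(secret, user, pw))
    print("mismatched secret:", verify_credentials("typo-in-prosody-cfg", user, pw))
```

The last line models a typo in `prosody.cfg.lua`: every credential Prosody hands out is then rejected by the TURN server. Anyone who can read either config file can mint valid TURN credentials, so keep both files readable only by the accounts that need them.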