Hello, I'm trying to deploy Galene as an internal video conferencing system and I'm running into trouble getting the video to work.

My network topology is as follows:

Laptop -> VPN Server -> Proxy -> Proxy -> Proxy -> Galene

The proxies are forwarding either HTTP or HTTPS traffic all the way inwards. Galene is configured with -insecure and a proxy applies trusted TLS to its connections.

Loading the main page, selecting a room, and using the text chat works just fine; what doesn't work is actually setting up a call. If I log two workstations in as "presenters" then they each see their own video, but report 0kbps+0kbps.

I suspect that the magic bullet is going to be adding a TURN server somewhere, but I know not where. At no point in this topology does NAT occur, so I had thought I could get away without one.

My best guess is that I'd need to amend my diagram as follows:

                  -> TURN Server
                 /
Laptop -> VPN Server -> Proxy -> Proxy -> Proxy -> Galene

I can provide debug logs on request, I just don't really know what I'm looking for here.

Thanks in advance for any pointers.

--Michael
> Laptop -> VPN Server -> Proxy -> Proxy -> Proxy -> Galene

Wow.

> Loading the main page, selecting a room, and using the text chat works
> just fine, what doesn't work is actually setting up a call. If I log
> two workstations as "presenters" then they each see their own video, but
> report 0kbps+0kbps.

This means that the HTTPS traffic is getting through, but that the RTP traffic (media) isn't.

> I suspect that the magic bullet is going to be adding a TURN server
> somewhere,

Yes. You need to put a TURN server somewhere where it can be reached by both the client and the server. So your diagram becomes:

           --------------> TURN Server <-------------
          /                                          \
Laptop -> VPN Server -> Proxy -> Proxy -> Proxy -> Galene

Since there's a VPN in the way, it might be difficult to make the TURN server reachable by both sides. In particular, if the goal is to hide IP addresses, then the TURN server is going to have too much knowledge.

-- Juliusz
>> Laptop -> VPN Server -> Proxy -> Proxy -> Proxy -> Galene
>
> Wow

Yeah, the network architecture is slightly too exciting. If I add some more labels it might make more sense as a traditional corporate service:

Laptop -> VPN Server -> Corp Edge -> Prod Edge -> Cluster Edge -> Galene

The VPN is a very traditional road-warrior setup, so knowledge of IPs isn't a problem; there's already a nice dashboard that shows who's likely to be on based on tunnel status.

> Yes. You need to put a TURN server somewhere where it can be reached by
> both the client and the server. So your diagram becomes:
>
>            --------------> TURN Server <-------------
>           /                                          \
> Laptop -> VPN Server -> Proxy -> Proxy -> Proxy -> Galene

Since reaching all the way back into the corp network to see a client is not practical in this network topology, I'm trying to better understand where/how to put the TURN server. Some cursory googling suggests that it's possible to tunnel all this traffic over HTTP. Is this something that the built-in TURN server for Galene supports?

In your opinion is this network architecture even practical? With some work I could refactor it to look like:

Laptop -> VPN Server -> LB -> Galene

I assume this would make things slightly cleaner from a traffic management perspective, but that then involves spinning up a dedicated machine for Galene, which is a harder sell in my environment. If this is the only practical approach though then that's what I'll explore.

--Michael
> Since reaching all the way back into the corp network to see a client is
> not practical in this network topology I'm trying to better understand
> where/how to put the TURN server.

Put the TURN server in the DMZ, and make sure that all clients (inside and outside the corporation) are able to access the TURN port on the DMZ host.

> I assume this would make things slightly cleaner from a traffic
> management perspective, but that then involves spinning up a dedicated
> machine for Galene which is a harder sell in my environment.

Hopefully, you'll manage to convince your admins to put a TURN server in the DMZ: they're probably already familiar with TURN, so it won't be as frightening to them as allowing access to a Galène server. In fact, they might already have a TURN server available -- Galène can share a single TURN server with other videoconferencing software.

-- Juliusz
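The advice above hinges on one reachability fact: the TURN port on the DMZ host must be reachable from both the client side and the Galène side. As an added example (not from the thread and not Galène's own code), here is a small check for that: it sends a STUN Binding Request, which TURN servers answer, to the TURN port and decodes the XOR-MAPPED-ADDRESS in the reply; the host, port and transport are assumptions to fill in for your DMZ host.

```python
import os
import socket
import struct

# STUN constants (RFC 5389); a TURN server (RFC 5766) answers Binding Requests too.
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(txid=None):
    """Return (message, transaction id) for a Binding Request with no attributes."""
    txid = txid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid, txid

def parse_binding_response(data, txid):
    """Return (ip, port) from the XOR-MAPPED-ADDRESS of a Binding Success Response."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a reply to our transaction")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and alen == 8 and value[1] == 0x01:  # IPv4
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")

def probe_turn_port(host, port=3478, tcp=False, timeout=3.0):
    """Send one Binding Request to host:port (placeholder DMZ host) and return the
    reflexive (ip, port) it reports; a timeout means this side cannot reach the port."""
    req, txid = build_binding_request()
    if tcp:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            data = s.recv(1500)
    else:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(req, (host, port))
            data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txid)
```

Run `probe_turn_port("<dmz-host>")` (and with `tcp=True` if the TURN server also listens on TCP) once from the laptop through the VPN and once from the Galène host; both must return an address before the media path can work.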
Fortunately I'm the only admin I need to convince, and usually I'm pretty good at arguing with myself. Unfortunately it's becoming more clear that I don't really know what I'm doing here, so I'll take some time to read up more on the different parts of the stack and how they work.

Thanks for the pointers!

--Michael