Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Mon Jun 18, 2018 4:05 pm Post subject: Video Conferencing -- recommendations?
I'd like to have fully self-hosted video conferencing for private use among a small group of people. Free/Libre is a must, and, as much as possible, I do not want to involve any middlemen (external servers or services). I don't know a lot about the technical details, but, for example, I believe with WebRTC you need some kind of TURN or STUN server as well, and a lot of software just relies on third-party servers for this. I don't want that; I want to run all the services and software necessary for the whole round trip of a video conference call myself, on my own server.
I have actually successfully installed Rocket Chat using a Portage overlay, but was dismayed to find that the video conferencing part of Rocket Chat merely delegates that functionality to meet.jit.si. I've seen jitsi packages in another overlay, but it seems it is no longer maintained (no update in 3 years). Has anyone successfully installed a fully-functional jitsi setup in Gentoo?
Or are there other packages I could look into for video chat?
bunder Bodhisattva
Joined: 10 Apr 2004 Posts: 5934
Posted: Mon Jun 18, 2018 10:03 pm Post subject:
There is Discord; it's a little gamer-oriented, but it has video and voice chat...
Cisco WebEx will apparently work on Linux, if you need something super "enterprise-y".
_________________
Neddyseagoon wrote:
> The problem with leaving is that you can only do it once and it reduces your influence.
banned from #gentoo since sept 2017
Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Tue Jun 19, 2018 2:15 am Post subject:
Discord doesn't seem to be open source and installable.
I'm going to try manually installing Jitsi.
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Tue Jun 19, 2018 10:23 am Post subject: Re: Video Conferencing -- recommendations?
Pistos wrote:
> I want to run all the services and software necessary for the whole round trip of a video conference call myself, on my own server.

I'd take a look at Asterisk, which I haven't reviewed since 2007, and which appears to have moved on wrt video support.
The homepage has a link to a "presentation" on "multi-party video-conferencing" in asterisk-15, but I didn't click through.
Found this (looks official) with a web search on: asterisk video-conferencing.
It might seem a bit excessive, but the project has been around since 1999 running on commodity PC hardware and Linux, so worth a look.
There's an O'Reilly book that is pretty good, but like I said, my edition is from 2007.
Chiitoo Administrator
Joined: 28 Feb 2010 Posts: 2573 Location: Here and Away Again
Posted: Tue Jun 19, 2018 2:57 pm Post subject: ><)))°€
For peer-to-peer chat, without servers in the middle, there's Tox for example. There are several clients for it, but I'm mainly familiar with qTox myself.
It has not gone through a security audit yet, and has more and/or fewer issues depending on whom you ask, but it certainly works for a lot of things.
I have not tested video chat recently, nor voice chat at all, but I know they are there.
_________________
Kindest of regardses.
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Fri Jun 22, 2018 2:19 pm Post subject: Re: ><)))°€
Chiitoo wrote:
> For peer-to-peer chat, without servers in the middle, there's Tox for example. There are several clients for it, but I'm mainly familiar with qTox myself.

Damn, that looks good.
Thanks for the heads-up. :-)
Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Sun Jun 24, 2018 5:43 pm Post subject:
I tried Tox, on your recommendation. Kind of impressive, because it worked out of the box, interoperating easily between Android and Linux. It is peer-to-peer and decentralized. You do have to hook up to the initial pool/network it seems, but after that, I believe it is peer-to-peer and independent of the network. I'm looking into running a Tox node in order to have a private pool.
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
Posted: Sun Jun 24, 2018 10:50 pm Post subject:
Pistos wrote:
> I tried Tox, on your recommendation. Kind of impressive, because it worked out of the box, interoperating easily between Android and Linux.

What was the quality of the video like?

Quote:
> I'm looking into running a Tox node in order to have a private pool.

Cool; do let us know how you get on. I'd love to read a write-up.
Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Mon Jun 25, 2018 8:47 pm Post subject:
Maybe Nextcloud with the Talk app?
Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Tue Jul 03, 2018 6:46 pm Post subject:
steveL: Tox video chat quality was... well, there was room for improvement. It was choppy compared to pretty much any other video chat solution I've tried (Zoom, Skype, WebRTC, Slack). I was told by the #tox IRC channel to try turning down the frame rate in the settings, but I haven't tried that yet.
Elleni: Excellent suggestion! I didn't know that existed, but after a bit of time spent installing, I eventually got it going. I did not get full success with it, unfortunately. I am able to almost establish a connection with a remote person, but the most we were able to get was audio-only with no video. But most of the time, it was neither. I'll keep plugging away at it. There is also an Android app for it, available from F-Droid.
I'll report back if I get any further with anything.
Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Fri Jul 06, 2018 8:55 pm Post subject:
Keep trying. I tested it again with two accounts: one logged in with Firefox on my Gentoo box, one with the Android app. Maybe you need a STUN or TURN server as a proxy for clients behind a firewall? Btw, there is a Talk app for iPhone users too.
Edit: Wait, I realize video calls only work because my cellphone is on wifi and thus on the same network as my Gentoo box. I'll try to set up a TURN server myself to see if I can get video to work across different networks too.
Edit2: Configured coturn on my Nextcloud server and now I can do video calls even when the cellphone is not connected to my home wifi and is thus on a different network than my Gentoo box.
turnserver.conf options enabled:
Code:
fingerprint
# lt-cred-mech is redundant here: use-auth-secret already works on top of
# the long-term credential mechanism.
lt-cred-mech
# TURN REST API mode: Nextcloud keeps the same secret and hands each client a
# short-lived username/password derived from it, never the secret itself.
use-auth-secret
# placeholder; use a long random value (e.g. openssl rand -hex 32) and put the
# same value into Nextcloud's Talk settings
static-auth-secret=some password
# "north" is the example value from coturn's sample turnserver.conf. coturn
# accepts every static-auth-secret line it finds, so leaving this in lets anyone
# who knows the sample value mint credentials this server accepts. Removed:
#static-auth-secret=north
realm=cloud.mydomain.com
total-quota=100
stale-nonce
cert=/path/to/my/letsencrypt/fullchain.pem
pkey=/path/to/my/letsencrypt/privkey.pem
# the 3DES and static-RSA (RSA+AES, RSA+3DES) entries are weak or lack forward
# secrecy; browsers negotiate ECDHE+AESGCM anyway, so they can be dropped
cipher-list="ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AES:RSA+3DES:!ADH:!AECDH:!MD5"
log-file=/var/log/turnserver.log
simple-log
# never relay to loopback or multicast; add denied-peer-ip=... for the
# server's own LAN ranges so the relay cannot be used to reach internal hosts
no-loopback-peers
no-multicast-peers
# also requires credentials on plain STUN Binding requests, so an unauthenticated
# stun: URL pointed at this server gets a 401; only the turn: entry works
secure-stun

Used this:
https://blog.wirelessmoves.com/2018/06/a-turn-server-for-nextcloud-talk.html
https://blog.netways.de/2017/08/16/setting-up-a-turn-server-for-nextcloud-video-calls/
And opened the firewall:
Code:
# plain STUN/TURN (UDP and TCP) on coturn's default listening port
iptables -A INPUT -p tcp --dport 3478 -j ACCEPT
iptables -A INPUT -p udp --dport 3478 -j ACCEPT
# TLS/DTLS listeners (turns:), coturn's default tls-listening-port
iptables -A INPUT -p tcp --dport 5349 -j ACCEPT
iptables -A INPUT -p udp --dport 5349 -j ACCEPT
# relay ports handed out to peers; coturn's default min-port/max-port range
iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT

Having set up coturn anyway, I also use its STUN functionality now; I just didn't add the no-stun option but instead additionally added the secure-stun option in turnserver.conf.
Nextcloud settings: cloud.mydomain.com:3478
To keep things simple, I used the Nextcloud hostname for coturn too and thus the same Let's Encrypt certificate.
Last edited by Elleni on Sat Jul 07, 2018 1:23 am; edited 1 time in total
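The use-auth-secret / static-auth-secret pair in Elleni's config selects coturn's "TURN REST API" mode, which is also what Nextcloud Talk speaks: the browser never learns the secret. It is handed a username that embeds an expiry time and a password that is the base64 HMAC-SHA1 of that username under the shared secret, and coturn recomputes the HMAC on its side. The block below is an added example written for this page, not code from the thread, from Nextcloud or from coturn; SITE_SECRET, the user id and the host name are placeholders. It mints such credentials, verifies them the way the server does, and shows why the stray static-auth-secret=north line in the posted config matters: "north" is the sample value in coturn's shipped turnserver.conf, and since coturn honours every static-auth-secret line, anyone who knows the sample value can mint credentials the relay will accept.

```python
import base64
import hashlib
import hmac
import time
from typing import Iterable, Optional, Tuple

# Constructed placeholders. The real secret is whatever static-auth-secret
# holds in turnserver.conf; it lives on the Nextcloud and coturn hosts only.
SITE_SECRET = "replace-with-a-long-random-value"
SAMPLE_CONF_SECRET = "north"   # example value shipped in coturn's sample turnserver.conf


def turn_password(secret: str, username: str) -> str:
    """password = base64(HMAC-SHA1(secret, username)), as coturn computes it
    in use-auth-secret mode."""
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def mint_turn_credentials(user_id: str, ttl: int, secret: str = SITE_SECRET,
                          now: Optional[int] = None) -> Tuple[str, str]:
    """What the signalling server (Nextcloud) hands to a browser: a username
    "<expiry unix time>:<user id>" and a password derived from the shared
    secret. The secret itself never leaves the server."""
    if now is None:
        now = int(time.time())
    username = f"{now + ttl}:{user_id}"
    return username, turn_password(secret, username)


def verify_turn_credentials(username: str, password: str,
                            secrets_list: Iterable[str],
                            now: Optional[int] = None) -> bool:
    """Server-side check mirroring coturn: the username must start with a
    not-yet-expired unix timestamp, and the password must match the HMAC under
    one of the configured static-auth-secret values (coturn keeps them as a
    list and tries each). Constant-time compare avoids leaking the digest."""
    if now is None:
        now = int(time.time())
    expiry, _, _ = username.partition(":")
    if not expiry.isdigit() or int(expiry) < now:
        return False
    return any(hmac.compare_digest(turn_password(s, username), password)
               for s in secrets_list)


def ice_servers_entry(host: str, user_id: str, ttl: int = 3600,
                      secret: str = SITE_SECRET, now: Optional[int] = None) -> dict:
    """The RTCPeerConnection iceServers entry a client ends up with. Only
    turn:/turns: URLs are listed: with secure-stun set, an unauthenticated
    stun: URL against the same server would be refused."""
    username, credential = mint_turn_credentials(user_id, ttl, secret, now)
    return {
        "urls": [f"turn:{host}:3478?transport=udp",
                 f"turn:{host}:3478?transport=tcp",
                 f"turns:{host}:5349"],
        "username": username,
        "credential": credential,
    }


if __name__ == "__main__":
    user, pw = mint_turn_credentials("alice", 3600)
    print("client gets:", user, pw)
    print("server with the site secret accepts:",
          verify_turn_credentials(user, pw, [SITE_SECRET]))
    # An attacker who only knows the leftover sample value mints their own pair;
    # a server that still lists "north" accepts it.
    bad_user, bad_pw = mint_turn_credentials("attacker", 3600, SAMPLE_CONF_SECRET)
    print("server with both secrets accepts the forged pair:",
          verify_turn_credentials(bad_user, bad_pw, [SITE_SECRET, SAMPLE_CONF_SECRET]))
    print("server with only the site secret:",
          verify_turn_credentials(bad_user, bad_pw, [SITE_SECRET]))
```

The username carries no secret, so it is safe to log; the password is the only sensitive part and it is useless after the expiry embedded in the username. Rotating the secret in turnserver.conf and in Nextcloud's Talk settings invalidates every outstanding pair at once.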
Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Sat Jul 07, 2018 1:21 am Post subject:
@Elleni: Wow, thank you so much for this detailed info! I did about half of what you have written here, so I will try again with these really valuable config examples you've given. I'll let you know how it goes.
Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Sat Jul 07, 2018 3:42 am Post subject:
@Elleni: I got one successful call at first, but after that, nothing, it is still back to black screens on both sides.
I notice that the letsencrypt files are only readable by root, so the turnserver.log keeps saying: 0: WARNING: cannot find certificate file. Did you expose the cert files to non-root?
Previously, I also was able to get one call before things stopped working. This leads me to believe there is some random factor involved here, and I am just coincidentally getting a rare successful call.
I did not try to fiddle with iptables yet; I'm hoping I don't have to do that. I have no special restrictions on this server that I set up, so I don't see why most ports wouldn't just be open.
Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Sat Jul 07, 2018 11:07 am Post subject:
Well, that's some progress anyhow.
I did not configure coturn to run as a different user or group, so I guess it is started as root. I did not see any messages regarding the certificate in my log, not even in verbose mode. Access rights to the cert files are -rw-r--r--, as they are installed by certbot/letsencrypt.
To ensure it is not a firewall problem, you could temporarily stop iptables and see if it works then. On my setup, I also got a black screen when trying to issue a video call, as I have
Code:
iptables -L
Chain INPUT (policy DROP)
...
...
...

So I had to open the mentioned ports on my nextcloud/coturn server in order to let it do its magic.
You could also try whether it works with two clients on the same network. If it does, then it is likely to be a TURN problem.
Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Sat Jul 07, 2018 2:18 pm Post subject:
@Elleni:
Yes, the cert files themselves are -rw-r--r--, but the parent directories all seem to be drwx------ and owned by root:root. Could you confirm that that's the case for you? You can also check the user running the turnserver process with `ps aux | grep turn`. It seems to me a security problem if non-root users can just read the private key?
Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Sat Jul 07, 2018 4:25 pm Post subject:
ps aux | grep turn
Code:
turnser+ 11220 0.0 0.1 643348 8036 ? Ssl 03:07 0:24 /usr/bin/turnserver -o --pidfile /var/run/turnserver/turnserver.pid
root 20178 0.0 0.0 12720 1100 pts/0 S+ 18:18 0:00 grep --colour=auto turn

ls -l /etc/letsencrypt/live/www.mydomain.com/
Code:
total 4
-rw-r--r-- 1 root root 543 7. Jun 2017 README
lrwxrwxrwx 1 root root 41 4. Jun 03:45 cert.pem -> ../../archive/www.mydomain.com/cert8.pem
lrwxrwxrwx 1 root root 42 4. Jun 03:45 chain.pem -> ../../archive/www.mydomain.com/chain8.pem
lrwxrwxrwx 1 root root 46 4. Jun 03:45 fullchain.pem -> ../../archive/www.mydomain.com/fullchain8.pem
lrwxrwxrwx 1 root root 44 4. Jun 03:45 privkey.pem -> ../../archive/www.mydomain.com/privkey8.pem

ls -l /etc/letsencrypt/archive/www.mydomain.com/
Code:
total 136
-rw-r--r-- 1 root root 2277 7. Jun 2017 cert1.pem
-rw-r--r-- 1 root root 2338 8. Jun 2017 cert2.pem
-rw-r--r-- 1 root root 2378 6. Aug 2017 cert3.pem
-rw-r--r-- 1 root root 2378 6. Oct 2017 cert4.pem
-rw-r--r-- 1 root root 2378 5. Dec 2017 cert5.pem
-rw-r--r-- 1 root root 2378 3. Feb 03:45 cert6.pem
-rw-r--r-- 1 root root 2736 5. Apr 03:45 cert7.pem
-rw-r--r-- 1 root root 2736 4. Jun 03:45 cert8.pem
-rw-r--r-- 1 root root 1647 7. Jun 2017 chain1.pem
-rw-r--r-- 1 root root 1647 8. Jun 2017 chain2.pem
-rw-r--r-- 1 root root 1647 6. Aug 2017 chain3.pem
-rw-r--r-- 1 root root 1647 6. Oct 2017 chain4.pem
-rw-r--r-- 1 root root 1647 5. Dec 2017 chain5.pem
-rw-r--r-- 1 root root 1647 3. Feb 03:45 chain6.pem
-rw-r--r-- 1 root root 1647 5. Apr 03:45 chain7.pem
-rw-r--r-- 1 root root 1647 4. Jun 03:45 chain8.pem
-rw-r--r-- 1 root root 3924 7. Jun 2017 fullchain1.pem
-rw-r--r-- 1 root root 3985 8. Jun 2017 fullchain2.pem
-rw-r--r-- 1 root root 4025 6. Aug 2017 fullchain3.pem
-rw-r--r-- 1 root root 4025 6. Oct 2017 fullchain4.pem
-rw-r--r-- 1 root root 4025 5. Dec 2017 fullchain5.pem
-rw-r--r-- 1 root root 4025 3. Feb 03:45 fullchain6.pem
-rw-r--r-- 1 root root 4383 5. Apr 03:45 fullchain7.pem
-rw-r--r-- 1 root root 4383 4. Jun 03:45 fullchain8.pem
-rw-r--r-- 1 root root 3268 7. Jun 2017 privkey1.pem
-rw-r--r-- 1 root root 3272 8. Jun 2017 privkey2.pem
-rw-r--r-- 1 root root 3272 6. Aug 2017 privkey3.pem
-rw-r--r-- 1 root root 3272 6. Oct 2017 privkey4.pem
-rw-r--r-- 1 root root 3268 5. Dec 2017 privkey5.pem
-rw-r--r-- 1 root root 3272 3. Feb 03:45 privkey6.pem
-rw-r--r-- 1 root root 3272 5. Apr 03:45 privkey7.pem
-rw-r--r-- 1 root root 3272 4. Jun 03:45 privkey8.pem

Maybe it is (a security issue), but I don't like to fiddle with those file permissions, as they were created by certbot, so I did not touch them. Besides that, if someone gets on my machine, even with user rights only, I would consider my system compromised already, so I don't think I'll change anything about the file permissions of those, because I am afraid it could break the automatic certificate renewal process of certbot. And my server is more for fun and learning anyway, not a production server, so I am not worried too much.
I have no entries about the cert at all in turnserver.log, so I don't know if they are actually used. Are you sure you have no typo in the path, as you get warnings in the logfile? Does video calling work with the iptables service temporarily stopped on your server? And if not, does it work when both callers are within the same network? Good luck
Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Sun Jul 08, 2018 5:02 am Post subject:
I'm not suggesting you change the permissions to make them stricter; I'm questioning whether you made them looser than the defaults. It sounds like you haven't. But I haven't touched the defaults set by certbot, either. My permissions on the descendant dirs and files are just as you have them, -rw-r--r--. But the /etc/letsencrypt/archive directory itself is drwx------.
And you're right, if someone malicious has user-level permissions, that's bad news; however, I think of it this way: I run numerous bits of code from third parties. If any one of them has some security problem, and an attacker exploits one of them to begin snooping around the filesystem (or worse), at least I can minimize the "footprint" of potential damage to just whatever is accessible to the user that is running the process that has been exploited.
I haven't tried iptables-related stuff yet, I have been busy. But I probably will. I'm sure I have no typos in the cert path in the turnserver config, because when I temporarily expose the cert files in question to non-root, the warnings go away, and when I put the permissions back to what they were, I get the warnings back again.
It does not work when both callers are on the same network, but that's probably because the Nextcloud server is not on the same network as the callers. I am going to have a wide variety of people using this service, so it definitely needs to run properly with TURN and STUN and so on.
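Pistos's observation in the post above (the files are 0644, but /etc/letsencrypt/archive itself is drwx------) is the usual reason a coturn running as its own user cannot open a certbot-managed key: every directory on the way needs the search (x) bit for that account, and the entries in live/ are symlinks into archive/, so both paths must be traversable. A root-run turnserver never notices, because root bypasses these checks. The script below is an added example written for this page, not code from the thread, certbot or coturn. It recreates certbot's layout in a temporary directory, evaluates the permission bits the way the kernel does for a given uid and group list, names the first component that denies access, and then applies the kind of fix Pistos describes (only the service account can read the key): directories traversable, key 0640 with the service group. The domain name, the uids and the gid are made up.

```python
import os
import stat
import tempfile
from typing import Iterable, List, Optional


def _allowed(st: os.stat_result, uid: int, gids: Iterable[int],
             usr: int, grp: int, oth: int) -> bool:
    """Classic DAC check: owner bits, else group bits, else other bits.
    uid 0 (root) bypasses read and search checks entirely."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & usr)
    if st.st_gid in gids:
        return bool(st.st_mode & grp)
    return bool(st.st_mode & oth)


def can_search(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    return _allowed(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def can_read(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    return _allowed(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)


def _dirs_between(base: str, path: str) -> List[str]:
    """Directories strictly below base on the way to path, top-most first."""
    out = []
    d = os.path.dirname(path)
    while d != base and d.startswith(base + os.sep):
        out.append(d)
        d = os.path.dirname(d)
    return list(reversed(out))


def blocking_component(path: str, uid: int, gids: Iterable[int],
                       base: str = "/") -> Optional[str]:
    """None if the account can open path for reading, otherwise the first
    component that denies it. Both the path as given and its symlink target
    are walked, because certbot's live/ entries point into archive/.
    Directories at or above base are assumed searchable (e.g. / and /etc)."""
    gids = set(gids)
    path = os.path.abspath(path)
    target = os.path.realpath(path)
    seen = set()
    for p in (path, target):
        for d in _dirs_between(base, p):
            if d in seen:
                continue
            seen.add(d)
            if not can_search(os.stat(d), uid, gids):
                return d
    if not can_read(os.stat(target), uid, gids):
        return target
    return None


def demo_certbot_layout(root: str, service_uid: int, service_gid: int,
                        stranger_uid: int) -> dict:
    """Rebuild certbot's live/ -> archive/ layout under root (which must be
    traversable already) and report what blocks the key before/after the fix."""
    archive_dir = os.path.join(root, "archive", "example.org")
    live_dir = os.path.join(root, "live", "example.org")
    os.makedirs(archive_dir)
    os.makedirs(live_dir)
    key = os.path.join(archive_dir, "privkey1.pem")
    with open(key, "w") as fh:   # constructed placeholder, not a real key
        fh.write("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
    link = os.path.join(live_dir, "privkey.pem")
    os.symlink(os.path.join("..", "..", "archive", "example.org", "privkey1.pem"), link)

    # What the thread observed: files 0644, but the top-level directories are
    # drwx------, so only root gets past them.
    os.chmod(key, 0o644)
    for d in (os.path.join(root, "archive"), os.path.join(root, "live")):
        os.chmod(d, 0o700)
    for d in (archive_dir, live_dir):
        os.chmod(d, 0o755)
    before = blocking_component(link, service_uid, [service_gid], base=root)

    # Fix: directories searchable (the certificates in them are public anyway),
    # the key readable by owner and the service group only.
    for d in (os.path.join(root, "archive"), os.path.join(root, "live")):
        os.chmod(d, 0o755)
    os.chown(key, -1, service_gid)
    os.chmod(key, 0o640)
    return {
        "certbot_default": before,
        "fixed_service": blocking_component(link, service_uid, [service_gid], base=root),
        "fixed_stranger": blocking_component(link, stranger_uid, [], base=root),
        "live_top": os.path.join(root, "live"),
        "key": key,
        "link": link,
    }


def run_demo() -> dict:
    """Stand-alone run with a fresh temp tree, a made-up service account
    (a uid that is neither us nor root) and an unrelated stranger."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="certbot-demo-"))
    os.chmod(root, 0o755)
    service_uid = os.getuid() + 1
    result = demo_certbot_layout(root, service_uid, os.getgid(), service_uid + 1)
    result["root"] = root
    return result


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

On a real host, run blocking_component("/etc/letsencrypt/live/<domain>/privkey.pem", uid, gids) with the uid and groups from `id turnserver` (the account shown in Elleni's ps output) to get the offending directory by name instead of the bare "cannot find certificate file" warning coturn logs. The check is purely stat-based, so it can be run as root without changing anything, and it deliberately ignores ACLs and capabilities such as CAP_DAC_READ_SEARCH, which grant access beyond the mode bits.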
Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Tue Jul 10, 2018 1:59 am Post subject:
I got a separate cert for a separate domain, then chmodded things so that only the turnserver user can read it. Now I don't get the warnings in the coturn logs any more. I checked my iptables, and I appear to have no rules at all, with a default policy of ACCEPT, so this is as I expected.
Code:
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Nevertheless, I am unable to get a successful call going.
Pistos Apprentice
Joined: 29 Jul 2003 Posts: 175 Location: Canada
Posted: Wed Jul 18, 2018 5:17 pm Post subject:
I did eventually get Nextcloud Talk working, and am settling on this as my chosen solution for the time being.
Elleni Veteran
Joined: 23 May 2006 Posts: 1270
Posted: Wed Jul 18, 2018 11:19 pm Post subject:
Cool, I am happy to hear this. What was the solution, finally, to get it working?
potuz Guru
Joined: 30 Jan 2010 Posts: 378
Posted: Wed Aug 29, 2018 10:42 pm Post subject:
This is one of the most frustrating topics for me as a Linux user. I'm 40 years old and have been a Linux user since 1997 and never ever managed to have a good video call while on a trip on an open source native client. I got my hopes up when I saw this thread and set up qTox quickly before a trip. The video quality is so horribly bad that it's impossible to hold a conversation. So we end up resorting to using video over WhatsApp on the cellphone, which on the same connection (so no bandwidth issue) has flawless quality.
I wish there was any way to have a decent video call on Linux without having to resort to Skype/WhatsApp or the likes.
Fitzcarraldo Advocate
Joined: 30 Aug 2008 Posts: 2034 Location: United Kingdom
Posted: Fri Aug 31, 2018 10:00 pm Post subject:
potuz,
I know it's only a WebRTC demonstrator, but have you tried browser-based AppRTC? I find it works quite well for PC-to-PC and PC-to-smartphone video calls.
https://webrtc.org/reference-apps/
Very simple to use. You just open https://appr.tc/ in Firefox or Chrome (possibly other browsers as well these days, as it works for me in Samsung Internet for Android, which I believe is based on Chromium) and you will get an allocated 'room name' consisting of nine digits. SMS or e-mail that room name to the other party then click on JOIN. The other party also opens https://appr.tc/ in a browser and enters the same room name and clicks on JOIN, and away you go.
WebRTC is open-source, and so is AppRTC: https://github.com/webrtc/apprtc
EDIT: Not entirely open-source, but also WebRTC-based, is talky. Similar concept to AppRTC. Supports conference calls with many participants.
_________________
Clevo W230SS: amd64, VIDEO_CARDS="intel modesetting nvidia".
Compal NBLB2: ~amd64, xf86-video-ati. Dual boot Win 7 Pro 64-bit.
OpenRC udev elogind & KDE on both.
Fitzcarraldo's blog