TURN support broken for months #5354

Open
Midar opened this issue Jan 7, 2022 · 3 comments
Labels
A-VoIP O-Occasional Affects or can be seen by some users regularly or most users rarely S-Major Severely degrades major functionality or product features, with no satisfactory workaround T-Defect Something isn't working: bugs, crashes, hangs and other reported problems Z-Ready This issue is ready for development Z-WTF WTF issues: High impact, Low Effort


Midar commented Jan 7, 2022

Steps to reproduce

Try calling a user with Element iOS that is on a mobile connection. Or let them initiate a call, it doesn't matter. It also doesn't matter whether turn.matrix.org is enabled as a fallback or not.

Outcome

The connection can never be established.

I switched from turn.matrix.org to my own TURN server, thinking this might be the issue (despite this working in the past!), only to see that all the logs contain is this:

Jan  7 13:21:12 vps turnserver: 7: : session 001000000000000001: realm <turn.myserver.org> user <>: incoming packet BINDING processed, success
Jan  7 13:21:12 vps turnserver: 7: : session 001000000000000001: realm <turn.myserver.org> user <>: incoming packet message processed, error 401: Unauthorized
Jan  7 13:21:12 vps turnserver: 7: : IPv4. tcp or tls connected to: MYMOBILECARRIERIP:24758
Jan  7 13:21:12 vps turnserver: 7: : session 001000000000000002: realm <turn.myserver.org> user <>: incoming packet message processed, error 401: Unauthorized
Jan  7 13:21:12 vps turnserver: 7: : IPv4. Local relay addr: TURNSERVERIP:62822
Jan  7 13:21:12 vps turnserver: 7: : session 001000000000000001: new, realm=<turn.myserver.org>, username=<1641561511:@js:myserver.org>, lifetime=600
Jan  7 13:21:12 vps turnserver: 7: : session 001000000000000001: realm <turn.myserver.org> user <1641561511:@js:myserver.org>: incoming packet ALLOCATE processed, success
Jan  7 13:21:12 vps turnserver: 7: : IPv4. Local relay addr: TURNSERVERIP:63075
Jan  7 13:21:12 vps turnserver: 7: : session 001000000000000002: new, realm=<turn.myserver.org>, username=<1641561511:@js:myserver.org>, lifetime=600
Jan  7 13:21:12 vps turnserver: 7: : session 001000000000000002: realm <turn.myserver.org> user <1641561511:@js:myserver.org>: incoming packet ALLOCATE processed, success

This is coturn with verbose logging. Turning it into uppercase verbose only prints context timeouts in addition, nothing else.

I'm not an expert in TURN/STUN/coturn, but it looks to me like Element iOS isn't even attempting to try to use TURN.

Furthermore, if I enable TURN with TLS on my homeserver, Element iOS chokes on the (perfectly valid, as it works in Firefox etc.) cert as well.

Given that I have heard from so many users that video/voice on Element iOS just doesn't work at all and they have switched back to Signal, I wonder: Is this working for anyone at all in environments where you need TURN? (To make it clear, STUN seems to work)

Your phone model

iPhone 11 Pro Max

Operating system version

15.2

Application version

1.6.11

Homeserver

private

Will you send logs?

No

@Midar Midar added the T-Defect Something isn't working: bugs, crashes, hangs and other reported problems label Jan 7, 2022

krithin commented Jan 7, 2022

The ssl-specific issue is possibly related to https://bugs.chromium.org/p/webrtc/issues/detail?id=11710 (or at least it is certainly related to that on Android, but I'm not as sure about iOS). There's a webrtc library used in Element that has a list of root certificates hardcoded into it, and that list doesn't include the LetsEncrypt root certificate - and though you didn't list your domain name I'm guessing you're probably using LetsEncrypt for your cert. That issue has been open for years; the fix is to just not use turns URLs and stick to just plain turn. In that case, although some signaling data will be in the clear the call data itself will still be encrypted, as required by the webrtc spec. Firefox doesn't run into that certificate bug and is able to make TLS connections to your site because it uses an operating-system-provided root CA list.

More generally, though, I can agree with your observation that video calling is generally broken on Element iOS, and has never been solidly reliable in years.


Midar commented Jan 7, 2022

To clarify, the logs posted above are with TLS disabled. I just wanted to mention that enabling it adds even more problems.

@pixlwave pixlwave added A-VoIP O-Occasional Affects or can be seen by some users regularly or most users rarely S-Major Severely degrades major functionality or product features, with no satisfactory workaround Z-WTF WTF issues: High impact, Low Effort labels Jan 7, 2022
@daniellekirkwood daniellekirkwood added the Z-Ready This issue is ready for development label Feb 21, 2022
@gileluard gileluard self-assigned this Jun 29, 2022
@gileluard
Contributor

I've checked and, on iOS using the TURN server turn.matrix.org, everything seems to work as expected. Nevertheless, I'd like to double-check some points with you:

  • iOS first gets the URIs and the credential of the TURN server by calling the [GET] request /_matrix/client/v3/voip/turnServer.
  • VoIP on WebRTC is used only for DMs
  • WebRTC "switches" to TURN if devices are not on the same network.
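
An added example (not part of this thread, nor Element's or coturn's code) for triaging coturn lines like those quoted in the report and for checking a credential such as the one returned by /_matrix/client/v3/voip/turnServer: a 401 with an empty user is the first leg of STUN long-term authentication, so only sessions that never reach an authenticated ALLOCATE are flagged. It assumes coturn runs with shared-secret (TURN REST API) credentials, where the username is `expiry:user` and the password is base64(HMAC-SHA1(secret, username)); the log lines, secret and user names are constructed.

```python
import base64, hashlib, hmac, re
from collections import defaultdict

# Constructed lines in the format of the coturn log quoted in the issue.
SAMPLE_LOG = """\
session 001: realm <turn.example.org> user <>: incoming packet BINDING processed, success
session 001: realm <turn.example.org> user <>: incoming packet message processed, error 401: Unauthorized
session 001: realm <turn.example.org> user <1641561511:@alice:example.org>: incoming packet ALLOCATE processed, success
session 002: realm <turn.example.org> user <>: incoming packet message processed, error 401: Unauthorized
session 003: realm <turn.example.org> user <1641561511:@bob:example.org>: incoming packet message processed, error 401: Unauthorized
"""
EVENT = re.compile(r"session (\d+): realm <[^>]*> user <([^>]*)>: "
                   r"incoming packet (\w+) processed, (?:success|error (\d+))")

def classify_sessions(log):
    """Map each session id to allocated / credential-rejected / challenge-only / other."""
    events = defaultdict(list)
    for sid, user, method, code in EVENT.findall(log):
        events[sid].append((user, method, code))
    states = {}
    for sid, evs in events.items():
        if any(u and m == "ALLOCATE" and not c for u, m, c in evs):
            states[sid] = "allocated"            # authenticated relay allocation
        elif any(u and c == "401" for u, m, c in evs):
            states[sid] = "credential-rejected"  # client sent a username, still refused
        elif any(c == "401" for u, m, c in evs):
            states[sid] = "challenge-only"       # got the nonce challenge, never retried
        else:
            states[sid] = "other"
    return states

def rest_password(shared_secret, username):
    """Password for a TURN REST API username: base64(HMAC-SHA1(secret, username))."""
    mac = hmac.new(shared_secret.encode(), username.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def check_credential(shared_secret, username, password, now):
    """Check a username/password pair the way a shared-secret TURN server would."""
    expiry = int(username.split(":", 1)[0])      # leading field is a Unix expiry time
    if expiry < now:
        return "expired"
    expected = rest_password(shared_secret, username)
    return "valid" if hmac.compare_digest(expected, password) else "bad-password"
```

A session that ends as "allocated" got through TURN authentication, so a call that still fails after that point has to be debugged past the allocation step rather than at the credential.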
