fn_registry/dev/issues/0166-matrix-livekit-turn-deploy.md
egutierrez 1cbbad9ff9 feat(matrix): 4 synapse quick wins applied + 6 follow-up issues
Server-side homeserver.yaml on organic-machine VPS:
- encryption_enabled_by_default_for_room_type: invite -> all
- presence.enabled: false (block EDU metadata leak)
- url_preview_enabled: false (block SSRF + IP leak)
- msc4108 rendezvous endpoint uncommented (QR login)

Synapse restarted, /versions shows e2ee_forced.* + msc4108 unstable
features active. Backup at synapse_data/homeserver.yaml.bak.1779659423.

Issues opened for remaining gaps:
- 0165 LUKS for media_store (at-rest encryption)
- 0166 LiveKit TURN deploy (NAT traversal gap)
- 0167 STUN leak to Google (hardcode external_ip)
- 0168 UDP range expand 200 -> 500
- 0169 LIVEKIT_SECRET rotation (audit exposure)
- 0170 livekit.example.yaml rename hygiene

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 23:53:37 +02:00


| id | title | status | type | domain | scope | priority | depends | blocks | related | created | updated | tags |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0166 | Deploy TURN for LiveKit (coturn or built-in) | pending | infra | matrix | app:element_matrix_chat | high | | | 0167, 0168 | 2026-05-24 | 2026-05-24 | matrix, livekit, webrtc, turn, nat |

0166 — Deploy TURN for LiveKit (coturn or built-in)

Status: pending | Created: 2026-05-24 | Type: infra | Priority: high | Domain: matrix | Scope: app:element_matrix_chat | Depends: (none) | Blocks: (none)

Problem

LiveKit runs without TURN (turn.enabled: false in configs/livekit/livekit.yaml). Users behind symmetric NAT (mobile 4G/5G CGNAT, corporate networks with strict firewalls, hotel WiFi) can NOT establish a call: WebRTC ICE with direct (host) and reflexive (srflx) candidates fails, and without a relay candidate there is no fallback. Calls fail silently for ~10-20% of users.

Objective

Calls work on any network. Element X on mobile behind 4G CGNAT completes the handshake.

Plan

  1. Decide: standalone coturn vs LiveKit's built-in TURN (recommended: built-in, fewer moving parts).
  2. Add the subdomain turn.organic-machine.com with a Let's Encrypt certificate (Traefik).
  3. Enable the turn: block in livekit.yaml:

     ```yaml
     turn:
       enabled: true
       domain: "turn.organic-machine.com"
       tls_port: 5349
       udp_port: 443
       external_tls: true
     ```

  4. Open ports on the VPS firewall: TCP+UDP 443 (best practice: gets through corporate firewalls), TCP 5349.
  5. Rotate the TURN shared secret.
  6. Test: browser on a corporate network with the force-tcp flag → call established.
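Before restarting LiveKit it is worth checking that the file actually carries the block from step 3 rather than the current `enabled: false`. The script below is an added example, not part of this issue and not LiveKit code: it audits the `turn:` block against the values listed in the plan. It uses a tiny hand-written subset parser (one level of `key: value` lines under `turn:`) so that it runs without PyYAML; that parser, the `EXPECTED` table and both sample configs are assumptions and constructed samples, not anything from the repository.

```python
"""Audit the `turn:` block of a LiveKit livekit.yaml against the plan in this issue.

Added example, not part of the issue or of LiveKit.  Assumptions: the block is
read by a subset parser that only understands `key: value` lines directly under
a top-level `turn:` key (comments and nested maps are ignored), and the expected
values are the ones listed in the plan above.
"""

# Values the plan switches on; any deviation is reported as a finding.
EXPECTED = {
    "tls_port": "5349",
    "udp_port": "443",
    "external_tls": "true",
}

# Constructed sample resembling the current state described in the issue.
CURRENT_CONFIG = """\
# current livekit.yaml (constructed sample)
turn:
  enabled: false
"""

# Constructed sample: the block the plan enables.
PLANNED_CONFIG = """\
# planned livekit.yaml (constructed sample)
turn:
  enabled: true
  domain: "turn.organic-machine.com"
  tls_port: 5349
  udp_port: 443
  external_tls: true
"""


def parse_turn_block(text):
    """Return the key/value pairs under `turn:`, or None if there is no such key.

    Subset parser (assumption): strips `#` comments and surrounding quotes,
    tracks only whether we are inside the top-level `turn:` mapping.
    """
    section = None
    in_turn = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:
            in_turn = line.strip() == "turn:"
            if in_turn:
                section = {}
            continue
        if in_turn and ":" in line:
            key, _, value = line.strip().partition(":")
            section[key.strip()] = value.strip().strip('"').strip("'")
    return section


def audit_turn_block(text):
    """Return human-readable findings; an empty list means the block matches the plan."""
    turn = parse_turn_block(text)
    if turn is None:
        return ["no turn: block at all (TURN disabled, relay candidates never offered)"]
    findings = []
    if turn.get("enabled", "false").lower() != "true":
        findings.append("turn.enabled is not true: clients behind symmetric NAT get no relay candidate")
    if not turn.get("domain"):
        findings.append("turn.domain missing: TURN over TLS needs a hostname matching the certificate")
    for key, want in EXPECTED.items():
        got = turn.get(key)
        if got is None:
            findings.append(f"turn.{key} missing (plan sets {want})")
        elif got.lower() != want:
            findings.append(f"turn.{key} is {got}, plan sets {want}")
    return findings


if __name__ == "__main__":
    for name, cfg in (("current", CURRENT_CONFIG), ("planned", PLANNED_CONFIG)):
        findings = audit_turn_block(cfg)
        print(f"{name}: {'OK' if not findings else f'{len(findings)} finding(s)'}")
        for finding in findings:
            print("  -", finding)
```

Running it against the real file (`audit_turn_block(open("configs/livekit/livekit.yaml").read())`) gives a pass/fail list that can be wired into a pre-deploy check; the parser is deliberately minimal, so for anything beyond this flat block use a real YAML loader.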

Acceptance

  • nc -vz turn.organic-machine.com 443 OK over both UDP and TCP.
  • Test call from Element Web behind symmetric NAT (mobile hotspot tethering) → audio/video flows.
  • LiveKit logs show TURN allocation requests being served.
  • .well-known/matrix/client still points to the correct livekit_service_url (JWT).

Definition of Done

  • Repeatability: 5 consecutive calls from 5 different networks (including CGNAT) with no failure.
  • Observability: LiveKit dashboard shows the TURN vs direct ratio.
  • User-facing: a mobile 4G user starts a call → connected in < 3 s.
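The "TURN allocation served" acceptance item and the "TURN vs direct ratio" observability item both come down to what ICE candidates each client gathered and which pair was finally selected. The script below is an added example, not LiveKit code and not LiveKit's log or dashboard format: it parses candidate lines in the standard SDP `a=candidate:` syntax, reports whether a client obtained a relay candidate (i.e. TURN was reachable and served an allocation), and computes the relayed/direct/failed split across a set of calls. The call records in `SAMPLE_CALLS` (candidates plus the selected pair types) are constructed samples.

```python
"""Classify ICE candidates and compute a TURN-vs-direct ratio across calls.

Added example for the acceptance/observability items of this issue.  Not LiveKit
code; the candidate lines follow the standard SDP `a=candidate:` syntax and the
call records are constructed samples, not output of any real system.
"""
import re
from collections import Counter

CANDIDATE_RE = re.compile(
    r"^a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\w+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ "
    r"(?P<type>host|srflx|prflx|relay)"
    r"(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)

# Constructed sample calls: gathered candidates plus the (local, remote) types
# of the selected pair, or None when ICE never completed.
SAMPLE_CALLS = {
    # corporate client: host + srflx + relay gathered, relay pair selected
    "call-1": {
        "candidates": [
            "a=candidate:1 1 udp 2130706431 10.0.0.12 54321 typ host",
            "a=candidate:2 1 udp 1694498815 203.0.113.7 54321 typ srflx raddr 10.0.0.12 rport 54321",
            "a=candidate:3 1 udp 16777215 198.51.100.9 61000 typ relay raddr 203.0.113.7 rport 54321",
        ],
        "selected": ("relay", "host"),
    },
    # home client: direct (reflexive) path worked
    "call-2": {
        "candidates": [
            "a=candidate:1 1 udp 2130706431 192.168.1.20 50000 typ host",
            "a=candidate:2 1 udp 1694498815 203.0.113.55 50000 typ srflx raddr 192.168.1.20 rport 50000",
        ],
        "selected": ("srflx", "srflx"),
    },
    # CGNAT mobile client with TURN disabled: only a host candidate, ICE failed
    "call-3": {
        "candidates": [
            "a=candidate:1 1 udp 2130706431 100.64.3.4 40000 typ host",
        ],
        "selected": None,
    },
}


def parse_candidate(line):
    """Parse one `a=candidate:` line into a dict; raises on anything else."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an ICE candidate line: {line!r}")
    cand = m.groupdict()
    cand["port"] = int(cand["port"])
    cand["priority"] = int(cand["priority"])
    cand["transport"] = cand["transport"].lower()
    return cand


def summarize_candidates(lines):
    """Count candidate types; has_relay means the TURN server served an allocation."""
    types = Counter(parse_candidate(l)["type"] for l in lines)
    return {"types": dict(types), "has_relay": types["relay"] > 0}


def call_outcome(record):
    """Classify a call as relayed, direct or failed, with a diagnosis for failures."""
    summary = summarize_candidates(record["candidates"])
    selected = record["selected"]
    if selected is None:
        status = "failed"
    elif "relay" in selected:
        status = "relayed"
    else:
        status = "direct"
    reason = None
    if status == "failed" and not summary["has_relay"]:
        reason = "no relay candidate gathered: TURN disabled or unreachable from this client"
    return {"status": status, "has_relay": summary["has_relay"], "reason": reason}


def relay_ratio(calls):
    """Relayed/direct/failed counts plus the share of connected calls that used TURN."""
    outcomes = Counter(call_outcome(r)["status"] for r in calls.values())
    connected = outcomes["relayed"] + outcomes["direct"]
    ratio = outcomes["relayed"] / connected if connected else 0.0
    return {
        "relayed": outcomes["relayed"],
        "direct": outcomes["direct"],
        "failed": outcomes["failed"],
        "relay_ratio": ratio,
    }


if __name__ == "__main__":
    for call_id, record in SAMPLE_CALLS.items():
        print(call_id, call_outcome(record))
    print("overall:", relay_ratio(SAMPLE_CALLS))
```

A client that gathers no relay candidate at all (call-3) is the failure mode this issue is about: the symmetric-NAT peer has nothing to fall back to, so a missing `relay` type in the gathered set is a stronger signal than a failed call count on its own.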

Notes

UDP 443 is a well-known trick: most corporate firewalls only let 443 (HTTPS) through, so TURN over UDP 443 gets past them without needing a TCP relay, which adds latency.

Alternative if LiveKit's built-in TURN has management gaps: standalone coturn via docker run -d coturn/coturn, with its config sharing LiveKit's shared secret.