Hi.
I use an external ICE provider, so only 3478 port must be opened (I mean I don’t need to open 57001 - 65535) - am I right?
What about KMS ports (40000 - 57000) - it seems like everything works well for me, without opening these ports at all. Why? Am I missing something? 
How can I remove COTURN and Redis from my environment, as I do not need them anymore? Or maybe you’d rather recommend leaving them, as a fallback when external ICE provider is not available?
Thanks
Maybe all connections are working because your ICE Provider is making turn relay connections. But I would recommend to use all the ports (40000 - 57000).
But there’s actually a problem using an external ICE provider. OpenVidu creates credentials for each participant using turn/stun connection and save it to the redis database. How do you use your STUN/TURN service? it should have credentials to work
Actually we use Twilio NTS (https://www.twilio.com/docs/stun-turn/api) and currently we’re saving ICE credentials for 24h (according to Twilio docs All tokens have a limited lifetime to protect you from abuse. The lifetime is configurable up to 24 hours (which is also the default value) but you should make it as short as possible for your application. - we plan to call for ICE in a shorter periods of time, maybe even per room join request). So having these nodejs middleware, we are trying to manage ICE credentials on our side.
Everything seems to be working OK without COTURN and KMS ports opened… Surprising for me, especially when it comes to KMS :). Does it mean that we do not use KMS at all at the moment when it comes to relay connections? How should I understand it?
So in your opinion can we keep these ports closed and can we disable coturn/redis at all, or you would recommend opening them all and keeping coturn/redis installed, as it is right now?
It can work fine without opening all of KMS ports because KMS can relay all connections through 443 or 3478 by using a TURN server. But this is not ideal: you probably will always be “forcing” relay connections (connections using a TURN server as bridge between the 2 endpoints of a WebRTC connection, here the browser and KMS) even in those cases when they wouldn’t be needed if all recommended ports were opened.
Ok, great, thank you very much @pabloFuente, I’ll open KMS ports and leave coturn/redis installed for now.
Unfortunately, after opening all possible ports and restarting apps, my OpenVidu seems to be still using COTURN instead of the external ICE (when on my local environment it does not, it uses my ICE provider there - running OV locally via docker run -p 4443:4443 --rm -e openvidu.secret=MY_SECRET openvidu/openvidu-server-kms:2.15.0).
(I also tried opening all traffic/ports with the same result, so it’s not a matter of ports)
What I can see in logs:
openvidu-server_1 | [INFO] 2020-08-26 21:27:06,483 [http-nio-0.0.0.0-5443-exec-4] io.openvidu.server.rest.SessionRestController - REST API: POST /api/tokens {session=53555, role=MODERATOR, data=, kurentoOptions={}}
openvidu-server_1 | [INFO] 2020-08-26 21:27:06,483 [http-nio-0.0.0.0-5443-exec-4] io.openvidu.server.coturn.CoturnCredentialsService - Creating COTURN user
openvidu-server_1 | [INFO] 2020-08-26 21:27:06,493 [http-nio-0.0.0.0-5443-exec-4] io.openvidu.server.coturn.CoturnCredentialsService - COTURN user created: true
openvidu-server_1 | [INFO] 2020-08-26 21:27:06,494 [http-nio-0.0.0.0-5443-exec-4] io.openvidu.server.core.Session - Token created { Session: 53555 | Tokens: [wss://my.app.url?sessionId=53555&token=XXX&role=MODERATOR&version=2.15.0&coturnIp=XXX&turnUsername=XXX&turnCredential=XXX, wss:///my.app.url?sessionId=53555&token=XXX&role=MODERATOR&version=2.15.0&coturnIp=XXX&turnUsername=XXX&turnCredential=XXX] }
Everything works well, but I want to use the external ICE provider. How can I debug that to get to know what is the exact reason of it (I mean why OV does not use provided ICE details and uses COTURN instead)?
EDIT:
Nevertheless, in chrome://webrtc-internals/ I can see Twilio ICE servers… So what is the reason of this COTURN appearin in the logs above? It’s just in case or my Chrome lies?
Hi,
Don’t worry about those credentials being created in the server side. As long as you are providing the iceServers property on openvidu-browser “OpenVidu” object: https://docs.openvidu.io/en/2.15.0/api/openvidu-browser/classes/openvidu.html#setadvancedconfiguration
Those will be used by client devices instead of the TURN credentials initialized by OpenVidu. OpenVIdu will be generating credentials for its COTURN server for each user, but you can simply override them in your client side with the method above. Ignore the logs, they do not matter.