fix(coturn): shift STUN/TURN cleartext port to 3479 (3478 taken by OpenDesk-NC-Talk)

2026-05-13 14:05:43 +02:00 · 2026-05-13 14:05:43 +02:00 · ed27e707a2
commit ed27e707a2
parent cebcf4f567
2 changed files with 12 additions and 7 deletions
--- a/infra/k3s/10-config.yaml
+++ b/infra/k3s/10-config.yaml
@ -48,10 +48,13 @@ data:
  # learn the TURN endpoints from Prosody via mod_external_services and
  # fall back to relay when direct UDP doesn't reach JVB:10001 (typical
  # for mobile-carrier NATs). ===
-  JVB_STUN_SERVERS: "meet.it.financeflow.de:3478"
+  # 3478 is taken on this host by OpenDesk's bundled Nextcloud-Talk
+  # TURN; we shift to 3479 (same trick as JVB on 10001 vs OpenDesk on
+  # 10000). TLS port 5349 was free.
+  JVB_STUN_SERVERS: "meet.it.financeflow.de:3479"
  TURN_HOST: "meet.it.financeflow.de"
  TURNS_HOST: "meet.it.financeflow.de"
-  TURN_PORT: "3478"
+  TURN_PORT: "3479"
  TURNS_PORT: "5349"
  TURN_TRANSPORT: "udp,tcp"

--- a/infra/k3s/80-coturn.yaml
+++ b/infra/k3s/80-coturn.yaml
@ -13,8 +13,10 @@
 # Secret entry so they stay in lockstep.
 #
 # Port plan (mirrors required FritzBox forwards):
-#   UDP 3478          STUN + TURN (cleartext)
-#   TCP 3478          TURN over TCP — first cleartext fallback
+#   UDP 3479          STUN + TURN (cleartext) — 3478 is taken by an
+#                     OpenDesk-bundled Nextcloud-Talk TURN on this host,
+#                     same shift trick we used on JVB (10000 → 10001).
+#   TCP 3479          TURN over TCP — first cleartext fallback
 #   UDP 5349          TURN over DTLS
 #   TCP 5349          TURN over TLS  — works through most firewalls
 #   UDP 50000-50100   relay range — actual media flows on these
@ -45,7 +47,7 @@ spec:
            - |
              set -eu
              cat > /tmp/turnserver.conf <<EOF
-              listening-port=3478
+              listening-port=3479
              tls-listening-port=5349
              listening-ip=0.0.0.0
              external-ip=${PUBLIC_IP}
@ -83,8 +85,8 @@ spec:
                  name: jitsi-secrets
                  key: TURN_CREDENTIALS_SECRET
          ports:
-            - { name: stun-udp, containerPort: 3478, hostPort: 3478, protocol: UDP }
-            - { name: stun-tcp, containerPort: 3478, hostPort: 3478, protocol: TCP }
+            - { name: stun-udp, containerPort: 3479, hostPort: 3479, protocol: UDP }
+            - { name: stun-tcp, containerPort: 3479, hostPort: 3479, protocol: TCP }
            - { name: turns-udp, containerPort: 5349, hostPort: 5349, protocol: UDP }
            - { name: turns-tcp, containerPort: 5349, hostPort: 5349, protocol: TCP }
          volumeMounts: