fix(webRTC): LAN IP filtering (#333)

* fix webRTC voice call for LAN setup

* log re-add

* refactor: extract ICE candidate filtering policy

* fix: decouple relay-only diagnostics from LAN TURN setup

* fix: fix remote_up script

---------

Co-authored-by: deepashreeKedia <kediadeepashree2@gmail.com>
Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
deepashreekedia 2026-05-21 07:28:43 +05:30 committed by GitHub
parent 8484e4bfaf
commit af66372b65
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
6 changed files with 190 additions and 62 deletions


@ -167,6 +167,7 @@ if ([string]::IsNullOrEmpty($env:ENABLE_COTURN)) {
$UseCoturn = Test-IsEnabled $EnableCoturn
$TurnHost = $env:TURN_HOST
$TurnSecret = $env:TURN_SECRET
$ForceTurnRelay = if ([string]::IsNullOrEmpty($env:FORCE_TURN_RELAY)) { 'false' } else { $env:FORCE_TURN_RELAY }
if ($UseCoturn) {
$defaultTurnHost = Get-DefaultLanIPv4
@ -208,6 +209,7 @@ Write-Host " Coturn: $EnableCoturn" -ForegroundColor Blue
if ($UseCoturn) {
Write-Host " TURN Host: $TurnHost" -ForegroundColor Blue
Write-Host ' TURN Secret: ********' -ForegroundColor Blue
Write-Host " Force relay: $ForceTurnRelay" -ForegroundColor Blue
}
Write-Host " Telemetry: $EnableTelemetry" -ForegroundColor Blue
Write-Host " Registry: $Registry" -ForegroundColor Blue
@ -251,6 +253,9 @@ $envLines = @(
''
'# Telemetry (set to false to disable)'
"ENABLE_TELEMETRY=$EnableTelemetry"
''
'# Relay-only ICE candidates for explicit TURN diagnostics'
"FORCE_TURN_RELAY=$ForceTurnRelay"
)
if ($UseCoturn) {
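Review bot: `"FORCE_TURN_RELAY=$ForceTurnRelay"` is added to `$envLines` ahead of the `if ($UseCoturn)` block, so a `FORCE_TURN_RELAY=true` left in the environment is written to the env file even when coturn is disabled. The comment describes the flag as relay-only ICE candidates; without a TURN server that presumably leaves no usable candidates, though the consumer is not visible here. The shell script's hunk at -102,16 has the same gap, since it drops the branch that pinned the value to `false` when `ENABLE_COTURN` is not `true`. Because `$UseCoturn` is already set above the new assignment, it could read `$ForceTurnRelay = if ($UseCoturn -and -not [string]::IsNullOrEmpty($env:FORCE_TURN_RELAY)) { $env:FORCE_TURN_RELAY } else { 'false' }`, and the shell script could add `[[ "${ENABLE_COTURN:-false}" == "true" ]] || FORCE_TURN_RELAY=false` after its default line. The `$envLines` array and the surrounding `if` blocks continue outside these hunks.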


@ -50,8 +50,8 @@ if [[ "${ENABLE_COTURN:-false}" == "true" ]]; then
# Pick a TURN_HOST that's reachable from BOTH the browser (running on the
# host) and the API container (running in docker). 127.0.0.1 is tempting
# but doesn't work for the api container — its own loopback isn't where
# coturn lives, so aiortc can't allocate a relay and FORCE_TURN_RELAY
# ends up with an empty answer SDP. The host's LAN IP works for both.
# coturn lives, so aiortc can't allocate a relay. The host's LAN IP works
# for both.
detect_lan_ip() {
local ip=""
if command -v ipconfig >/dev/null 2>&1; then
@ -102,16 +102,7 @@ if [[ "${ENABLE_COTURN:-false}" == "true" ]]; then
fi
fi
if [[ "${ENABLE_COTURN:-false}" != "true" ]]; then
FORCE_TURN_RELAY=false
elif [[ -z "${FORCE_TURN_RELAY:-}" ]]; then
if dograh_is_local_ipv4 "$TURN_HOST"; then
FORCE_TURN_RELAY=true
echo -e "${YELLOW}Detected a local/private TURN host IP; enabling FORCE_TURN_RELAY=true.${NC}"
else
FORCE_TURN_RELAY=false
fi
fi
FORCE_TURN_RELAY="${FORCE_TURN_RELAY:-false}"
# Telemetry opt-out (default: true)
ENABLE_TELEMETRY="${ENABLE_TELEMETRY:-true}"
@ -170,7 +161,7 @@ OSS_JWT_SECRET=$OSS_JWT_SECRET
# Telemetry (set to false to disable)
ENABLE_TELEMETRY=$ENABLE_TELEMETRY
# Relay-only ICE candidates (auto-enabled for local/private TURN host IPs)
# Relay-only ICE candidates for explicit TURN diagnostics
FORCE_TURN_RELAY=$FORCE_TURN_RELAY
ENV_EOF
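Review bot: `FORCE_TURN_RELAY="${FORCE_TURN_RELAY:-false}"` accepts whatever string the caller exported, and that string is expanded into the generated env file at `FORCE_TURN_RELAY=$FORCE_TURN_RELAY`. Explicit values were passed through before this change as well, but with the auto-detection removed the exported value is now the only way to turn the flag on, so a typo such as `yes`, or a value containing a newline, lands in the file unchanged; how the consumer parses it is not visible here. A check right after the default would keep the file well-formed: `case "$FORCE_TURN_RELAY" in true|false) ;; *) echo "FORCE_TURN_RELAY must be true or false" >&2; exit 1 ;; esac`. The same default line appears in the third file section's hunk at -49,14. The heredoc that this `ENV_EOF` closes starts outside the hunk.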


@ -49,14 +49,7 @@ if ! dograh_is_ipv4 "$SERVER_IP"; then
dograh_fail "Invalid IP address format"
fi
if [[ -z "${FORCE_TURN_RELAY:-}" ]]; then
if dograh_is_local_ipv4 "$SERVER_IP"; then
FORCE_TURN_RELAY=true
dograh_warn "Detected a local/private server IP; enabling FORCE_TURN_RELAY=true."
else
FORCE_TURN_RELAY=false
fi
fi
FORCE_TURN_RELAY="${FORCE_TURN_RELAY:-false}"
# Get the TURN secret (skip prompt if TURN_SECRET is already set)
if [[ -z "${TURN_SECRET:-}" ]]; then
@ -260,7 +253,7 @@ echo -e "${BLUE}[4/$TOTAL] Creating environment file...${NC}"
OSS_JWT_SECRET=$(openssl rand -hex 32)
cat > .env << ENV_EOF
# Change environment from local to production so that coturn filters local IPs
# Remote deployments run with production signaling and HTTPS defaults
ENVIRONMENT=production
# Canonical public host/base URL for this install.
@ -277,6 +270,7 @@ MINIO_PUBLIC_ENDPOINT=https://$SERVER_IP
# TURN Server Configuration (time-limited credentials via TURN REST API)
TURN_HOST=$SERVER_IP
TURN_SECRET=$TURN_SECRET
# Relay-only ICE candidates for explicit TURN diagnostics
FORCE_TURN_RELAY=$FORCE_TURN_RELAY
# JWT secret for OSS authentication