Mattermost Calls drops connection due to internal Docker IP (172.x) used as ICE candidate #1143

@thebraun2fw-max

Summary

When using Mattermost Calls with a self-hosted TURN server (coturn), calls initially connect successfully but drop after some time.

The TURN server logs show that internal Docker network IPs (e.g. 172.21.0.3) are being used as peers, which leads to:
• 403 Forbidden IP errors
• eventual allocation timeout
• call disconnection

Environment
• Mattermost: self-hosted (Docker)
• Mattermost Calls plugin: enabled
• coturn: installed on the same host (not in Docker)
• Network:
  • Internal: {Local IP}
  • External (NAT): {Public IP}
  • Docker network: 172.21.0.0/16

TURN configuration

listening-port=3478
tls-listening-port=5349

listening-ip=0.0.0.0
relay-ip={Local IP}
external-ip={Public IP}/{Local IP}

realm={Public IP}
server-name={Public IP}

lt-cred-mech
user={login}:{pass}

fingerprint
no-multicast-peers
no-loopback-peers
no-cli

Ports open and forwarded:
• 3478 TCP/UDP
• 5349 TLS
• relay ports (UDP range)

TURN works correctly when tested with:

turnutils_uclient -u {login} -w {pass} -p 3478 {Public IP} -y

Mattermost Calls configuration

"com.mattermost.calls": {
  "defaultenabled": true,
  "serversideturn": true,
  "icehostoverride": "",
  "iceserversconfigs": "[\n {\n \"urls\": [\n \"turn:{Public IP}:3478?transport=udp\",\n \"turn:{Public IP}:3478?transport=tcp\",\n \"turns:{Public IP}:5349\"\n ],\n \"username\": \"{login}\",\n \"credential\": \"{pass}\"\n }\n]"
}

Observed behavior

• Call connects successfully
• Media flows correctly (audio/video/screenshare works)
• After some time, the call drops

coturn logs

Key issue:

peer 172.21.0.3 lifetime updated
CREATE_PERMISSION processed, error 403: Forbidden IP

Later:

closed (2nd stage), reason: allocation timeout

Analysis
• 172.21.0.3 is a Docker internal IP
• This IP is not reachable from clients outside Docker
• TURN server attempts to relay traffic to this internal address
• This results in:
  • intermittent 403 Forbidden IP
  • broken media path
  • connection timeout

Important observations
• TURN itself works correctly (tested independently)
• Issue only occurs when used via Mattermost Calls
• Happens even with:
  • serversideturn: true
  • valid TURN credentials
• Indicates that invalid ICE candidates are being generated or selected
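
The correlation described in the report (an internal-subnet peer, then `403: Forbidden IP`, then `allocation timeout`) can be checked across a whole coturn log rather than by eye. The following is an added example, not part of the original report and not coturn or Mattermost code. Only the three message fragments and the 172.21.0.0/16 subnet come from the issue; the `session NNN:` prefix, the `: 300` suffix, the 203.0.113.7 peer and the function names are assumptions made for the constructed sample.

```python
import ipaddress
import re
from collections import defaultdict

# Docker bridge subnet taken from the issue's environment section.
DOCKER_NET = ipaddress.ip_network("172.21.0.0/16")

# Constructed sample. Only the message fragments come from the issue; the
# "session NNN:" prefix, the ": 300" suffix and 203.0.113.7 are assumptions.
SAMPLE_LOG = """\
session 001: peer 172.21.0.3 lifetime updated: 300
session 001: CREATE_PERMISSION processed, error 403: Forbidden IP
session 002: peer 203.0.113.7 lifetime updated: 300
session 002: peer not-an-ip lifetime updated: 300
session 001: closed (2nd stage), reason: allocation timeout
"""

SESSION_RE = re.compile(r"session (\S+?):")
PEER_RE = re.compile(r"peer (\S+) lifetime updated")


def summarize(log_text, internal_nets=(DOCKER_NET,)):
    """Group the three log messages from the issue by session."""
    sessions = defaultdict(lambda: {"internal_peers": set(), "forbidden": 0,
                                    "timed_out": False})
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        entry = sessions[m.group(1) if m else "-"]  # "-" = no session id on line
        peer = PEER_RE.search(line)
        if peer:
            try:
                addr = ipaddress.ip_address(peer.group(1))
            except ValueError:
                continue  # not an address; skip the line rather than crash
            if any(addr in net for net in internal_nets):
                entry["internal_peers"].add(str(addr))
        elif "error 403: Forbidden IP" in line:
            entry["forbidden"] += 1
        elif "reason: allocation timeout" in line:
            entry["timed_out"] = True
    return dict(sessions)


def suspect_sessions(log_text, internal_nets=(DOCKER_NET,)):
    """Sessions that show an internal peer together with a 403 or a timeout."""
    return sorted(sid for sid, s in summarize(log_text, internal_nets).items()
                  if s["internal_peers"] and (s["forbidden"] or s["timed_out"]))
```

Pass additional networks in `internal_nets` if the host runs more than one Docker bridge; lines without a session id are grouped under `"-"`.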
