Rejecting permission creation request: Forbidden #77

Open
MelBourbon opened this issue Jul 19, 2024 · 3 comments

@MelBourbon

I have installed eturnal and configured it as follows:

# eturnal STUN/TURN server configuration file.
#
# This file is written in YAML. The YAML format is indentation-sensitive, please
# MAKE SURE YOU INDENT CORRECTLY.
#
# See: https://eturnal.net/documentation/#Global_Configuration

eturnal:

  ## Shared secret for deriving temporary TURN credentials (default: $RANDOM):
  secret: "my-secret"

  ## The server's public IPv4 address (default: autodetected):
  #relay_ipv4_addr: "..."
  ## The server's public IPv6 address (optional):
  #relay_ipv6_addr: "..."

  listen:
    -
      ip: "::"
      port: 3478
      transport: udp
    -
      ip: "::"
      port: 3478
      transport: tcp
  
  relay_min_port: 49152     # This is the default.
  relay_max_port: 65535     # This is the default.

  ## Reject TURN relaying to the following addresses/networks:
  blacklist_peers:
    - recommended           # Expands to various addresses/networks recommended
                            # to be blocked. This is the default.

  ## If 'true', close established calls on expiry of temporary TURN credentials:
  strict_expiry: false      # This is the default.

  ## Logging configuration:
  log_level: notice           # critical | error | warning | notice | info | debug
  log_rotate_size: 10485760 # 10 MiB (default: unlimited, i.e., no rotation).
  log_rotate_count: 10      # Keep 10 rotated log files.
  #log_dir: stdout          # Enable for logging to the terminal/journal.

  ## See: https://eturnal.net/documentation/#Module_Configuration
  modules:
    mod_log_stun: {}        # Log STUN queries (in addition to TURN sessions).
    #mod_stats_influx: {}   # Log STUN/TURN events into InfluxDB.
    #mod_stats_prometheus:  # Expose STUN/TURN and VM metrics to Prometheus.
    #  ip: any              # This is the default: Listen on all interfaces.
    #  port: 8081           # This is the default.
    #  tls: false           # This is the default.
    #  vm_metrics: true     # This is the default.

I have configured my Dendrite server as follows:

turn:
    turn_user_lifetime: "5m"
    turn_uris:
      - turn.domain.com:3478?transport=udp
      - turn.domain.com_3478?transport=tcp
    turn_shared_secret: "my-secret"

If I now want to establish a VoIP connection, the log shows 'Rejecting permission creation request: Forbidden':

2024-07-19 11:57:18.079931+02:00 [notice] Creating TURN allocation (lifetime: 599 seconds) [UDP, session li5azgzdsbn8, user 1721383131:@user:my.domain.com, client 80.187.71.89:20387, relay 185.162.250.150:65437]
2024-07-19 11:57:18.150375+02:00 [notice] Creating TURN allocation (lifetime: 600 seconds) [UDP, session 7s5o3keguero, user 1721383131:@user:my.domain.com, client 80.187.71.89:20388, relay 185.162.250.150:55822]
2024-07-19 11:57:28.241786+02:00 [notice] Relayed 0 KiB (in 0 B / 0 packets, out 0 B / 0 packets), duration: 10 seconds [UDP, session 7s5o3keguero, user 1721383131:@fuser:my.domain.com, client 80.187.71.89:20388, relay 185.162.250.150:55822]
2024-07-19 11:57:28.317435+02:00 [notice] Rejecting permission creation request: Forbidden [UDP, session li5azgzdsbn8, user 1721383131:@fuser:my.domain.com, client 80.187.71.89:20387, relay 185.162.250.150:65437]
2024-07-19 11:57:28.318527+02:00 [notice] Rejecting permission creation request: Forbidden [UDP, session li5azgzdsbn8, user 1721383131:@user:my.domain.com, client 80.187.71.89:20387, relay 185.162.250.150:65437]

If I try to test with

turnutils_uclient -t -p 3478 -W my-secret -v -y turn.domain.com

I receive error 420 (Unknown Attribute).

No TURN connection with eturnal is possible.
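An added example, not part of the original issue and not eturnal's or Dendrite's own code: a small check for ruling out a credential problem when reading logs like the ones above. It assumes the TURN REST API scheme for shared-secret credentials (username `<expiry>:<user>`, password `base64(HMAC-SHA1(secret, username))`); the function names are hypothetical and `my-secret` is the placeholder from the configuration above.

```python
import base64
import hashlib
import hmac
import re
from datetime import datetime

def derive_credentials(secret, user_id, expiry):
    """Assumed TURN REST scheme: username '<expiry>:<user_id>',
    password base64(HMAC-SHA1(secret, username))."""
    username = f"{expiry}:{user_id}"
    mac = hmac.new(secret.encode(), username.encode(), hashlib.sha1)
    return username, base64.b64encode(mac.digest()).decode()

def password_matches(secret, username, password):
    """Recompute the password for a username and compare in constant time."""
    expiry, user_id = username.split(":", 1)
    _, expected = derive_credentials(secret, user_id, int(expiry))
    return hmac.compare_digest(expected, password)

# Matches the eturnal log line layout quoted in the issue.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\w+\] (?P<msg>.*?) "
    r"\[\w+, session (?P<session>\w+), "
    r"user (?P<username>(?P<expiry>\d+):[^,]+),")

def parse_line(line):
    """Return (message, session, username, seconds until credential expiry)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    logged_at = datetime.fromisoformat(m["ts"])  # timestamp carries its UTC offset
    remaining = int(m["expiry"]) - int(logged_at.timestamp())
    return m["msg"], m["session"], m["username"], remaining

# Two lines copied from the log excerpt in the issue.
SAMPLE_LOG = [
    "2024-07-19 11:57:18.079931+02:00 [notice] Creating TURN allocation (lifetime: 599 seconds) [UDP, session li5azgzdsbn8, user 1721383131:@user:my.domain.com, client 80.187.71.89:20387, relay 185.162.250.150:65437]",
    "2024-07-19 11:57:28.318527+02:00 [notice] Rejecting permission creation request: Forbidden [UDP, session li5azgzdsbn8, user 1721383131:@user:my.domain.com, client 80.187.71.89:20387, relay 185.162.250.150:65437]",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        msg, session, username, remaining = parse_line(line)
        print(f"{session}: {msg!r} with {remaining}s left on {username}")
    print(derive_credentials("my-secret", "@user:my.domain.com", 1721383131))
```

For both sample lines the remaining time is positive, so the expiry timestamp in the username had not yet passed when the permission request was rejected.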

@gsfig

gsfig commented Oct 23, 2024

I'm having the same issue!

@weiss weiss self-assigned this Oct 23, 2024
@weiss weiss added the support Support request label Oct 23, 2024
@Obamium69

I'm getting the same issue when using Synapse.

@BVollmerhaus

I doubt it's related, but note that you have a typo in the TURN URI for TCP in your Dendrite config (a _ instead of a :).
