Allow Mattermost voice calls from Internet

When Mattermost is hosted behind a firewall or reverse proxy such as Traefik, Mattermost calls will only work from the internal network, not from the Internet.

Disclaimer

The configurations below assume Mattermost is running behind Traefik and OpnSense in a Kubernetes cluster such as k3s.

Kubernetes Manifests

Service

apiVersion: v1
kind: Service
metadata:
  name: mattermost
  namespace: default
spec:
  selector:
    app: mattermost
  externalTrafficPolicy: Local
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 80
    name: http
  - port: 443
    targetPort: 443
    name: https
  - port: 8065
    targetPort: 8065
    name: app
  # protocol defaults to TCP when omitted
  - port: 8443
    targetPort: 8443
    name: call-tcp
  # same port number on UDP: this is the one OpnSense forwards from the Internet
  - port: 8443
    targetPort: 8443
    protocol: UDP
    name: call-udp

Take Note!

The Service must be of type LoadBalancer so that it is assigned an IP address, which the OpnSense firewall rules below use as their redirect target. Kubernetes only accepts TCP and UDP ports on the same LoadBalancer Service when the MixedProtocolLBService feature gate is enabled (on by default since v1.24) and the load-balancer implementation supports it.

Ingress

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: mattermost
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - https
  routes:
    - match: Host(`mattermost.example.com`)
      kind: Rule
      services:
        - name: mattermost
          port: 8065
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: mattermost-voice
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - rtc   # the :8443 entry point defined in Traefik's static configuration below
  routes:
    - match: Host(`mattermost-voice.example.com`)
      kind: Rule
      services:
        - name: mattermost
          port: 8443

Take Note

UDP 8443 is the port Mattermost uses for voice calls. The OpnSense port forward below sends that UDP traffic straight to the Service's external IP, so Traefik's rtc entry point only carries the TCP side.

At this point the DNS records for the domains above should already point to the homelab's public address.

Traefik Static Configuration

entryPoints:
    rtc:
        address: ":8443"

OpnSense Firewall Rules

In OpnSense, go to Firewall > NAT.

All fields not mentioned below are left at their defaults.

Port Forward

Interface: WAN
Protocol: UDP
Destination: WAN net
Destination Port Range: 8443 to 8443
Redirect target IP: <external IP of the mattermost Service>/32
Redirect target port: 8443
Description: Mattermost

Outbound

Interface: WAN
Protocol: UDP
Source Address: <external IP of the mattermost Service>/32
Description: Mattermost

Info

Consider the usage of firewall aliases for convenience.
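Before typing the rules above into OpnSense it is worth confirming that the Service really is in the state they rely on. The following is an added Python example, not code from the original post: it reads the JSON printed by `kubectl get svc mattermost -o json` and derives the Port Forward fields from it; the function names and the sample external IP 192.0.2.10 are constructed for this example.

```python
# Added example (not from the original post): derive the OpnSense Port Forward
# fields from `kubectl get svc mattermost -o json`; sample data is constructed.
import json

CALLS_PORT = 8443  # UDP port the Mattermost Calls plugin listens on


def calls_nat_rule(service: dict) -> dict:
    """Return the Port Forward fields for the call port, or raise ValueError
    naming the precondition the rule depends on that is not met yet."""
    spec = service.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        raise ValueError("Service type must be LoadBalancer to get an external IP")
    udp = [p for p in spec.get("ports", [])
           if p.get("protocol") == "UDP" and p.get("port") == CALLS_PORT]
    if not udp:
        raise ValueError(f"Service does not publish UDP port {CALLS_PORT}")
    ingress = service.get("status", {}).get("loadBalancer", {}).get("ingress", [])
    ips = [entry["ip"] for entry in ingress if "ip" in entry]
    if not ips:
        raise ValueError("load balancer has not assigned an external IP yet")
    return {
        "interface": "WAN",
        "protocol": "UDP",
        "destination": "WAN net",
        "destination_port_range": f"{CALLS_PORT} to {CALLS_PORT}",
        "redirect_target_ip": f"{ips[0]}/32",  # single host, as in the rule above
        "redirect_target_port": udp[0].get("targetPort", CALLS_PORT),
    }

def other_exposed_ports(service: dict) -> list:
    """(protocol, port) pairs the LoadBalancer also publishes on that IP;
    reachable from the LAN, but none of them should get a WAN forward."""
    return [(p.get("protocol", "TCP"), p["port"])  # Kubernetes defaults to TCP
            for p in service.get("spec", {}).get("ports", [])
            if not (p.get("protocol") == "UDP" and p["port"] == CALLS_PORT)]

# Constructed sample of `kubectl get svc mattermost -o json` output.
SAMPLE_SERVICE = {
    "kind": "Service", "metadata": {"name": "mattermost", "namespace": "default"},
    "spec": {"type": "LoadBalancer", "externalTrafficPolicy": "Local", "ports": [
        {"port": 8065, "targetPort": 8065, "name": "app"},
        {"port": 8443, "targetPort": 8443, "name": "call-tcp"},
        {"port": 8443, "targetPort": 8443, "protocol": "UDP", "name": "call-udp"}]},
    "status": {"loadBalancer": {"ingress": [{"ip": "192.0.2.10"}]}},
}

if __name__ == "__main__":
    print(json.dumps(calls_nat_rule(SAMPLE_SERVICE), indent=2))
    print("also published on that IP:", other_exposed_ports(SAMPLE_SERVICE))
```

Run it against the real output (`kubectl get svc mattermost -o json > svc.json`, then `json.load` the file into `calls_nat_rule`) whenever the load balancer hands out a new address, since a stale redirect target silently breaks calls from outside.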

Mattermost Configuration