coturn + webrtc: host behind NAT couldn't connect to turn server


I'm trying to integrate screen-sharing with WebRTC on my website. If I try to establish a connection between two Chrome browsers on the same device (normal and incognito) everything is fine. When I try to establish the connection between my browser and another computer from a different network it fails. Therefore I'm trying to configure a TURN server.

Both systems, the one where the WebRTC functionality is integrated and the TURN server, are hosted on DomainFactory, where I don't have root permissions. For this reason I couldn't install coturn via apt-get; I had to install it manually from GitHub.

coturn configuration:

external-ip=[public ip of turn-server]
fingerprint
lt-cred-mech
user=[user]:[password]
realm=[turn-server url]
total-quota=100
bps-capacity=0
stale-nonce=600
cert=[path to certificate file]
pkey=[path to private key file]
log=[path to log file]
no-multicast-peers

My problem is: if the host of the screen-sharing is behind a NAT, then its IP is still a local one and it seems not to connect to the TURN server.

These are the results from https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/ for the host behind the NAT:

Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.003   rtp host    2448344806  udp 63e84acb-f85e-4ba8-b012-595df04e86ec.local  52272   126 | 30 | 255
39.823  Done
39.825

And these are the results, if I try to check TURN connection from the other network without NAT with the same WebRTC sample application:

Time    Component   Type    Foundation  Protocol    Address Port    Priority
0.005   rtp host    3661447420  udp 192.168.0.70    51584   126 | 32542 | 255
0.006   rtp host    4036240074  udp 192.168.178.30  51585   126 | 32286 | 255
0.105   rtp host    2495527948  tcp 192.168.0.70    9   90 | 32542 | 255
0.105   rtp host    3189235258  tcp 192.168.178.30  9   90 | 32286 | 255
0.122   rtp relay   1181488584  udp 176.221.47.80   51563   1 | 32286 | 255
0.122   Done
0.123

coturn log:

0: log file opened: [path to log]
0:
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Coturn-4.5.1.3 'dan Eider'
0:
Max number of open files/sockets allowed for this process: 4096
0:
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 2000 (approximately)
0:

==== Show him the instruments, Practical Frost: ====

0: TLS supported
0: DTLS supported
0: DTLS 1.2 supported
0: TURN/STUN ALPN supported
0: Third-party authorization (oAuth) supported
0: GCM (AEAD) supported
0: OpenSSL compile-time version: OpenSSL 1.0.2l  25 May 2017 (0x100020cf)
0:
0: SQLite supported, default database location is [path to turndb]
0: Redis is not supported
0: PostgreSQL supported
0: MySQL is not supported
0: MongoDB is not supported
0:
0: Default Net Engine version: 3 (UDP thread per CPU core)

=====================================================

0: Domain name:
0: Default realm: [realm]
0:
CONFIG ERROR: Empty cli-password, and so telnet cli interface is disabled! Please set a non empty cli-password!
0: SSL23: Certificate file found: [path to certificate file]
0: SSL23: Private key file found: [path to private key file]
0: TLS1.0: Certificate file found: [path to certificate file]
0: TLS1.0: Private key file found: [path to private key file]
0: TLS1.1: Certificate file found: [path to certificate file]
0: TLS1.1: Private key file found: [path to private key file]
0: TLS1.2: Certificate file found: [path to certificate file]
0: TLS1.2: Private key file found: [path to private key file]
0: TLS cipher suite: DEFAULT
0: DTLS: Certificate file found: [path to certificate file]
0: DTLS: Private key file found: [path to private key file]
0: DTLS1.2: Certificate file found: [path to certificate file]
0: DTLS1.2: Private key file found: [path to private key file]
0: DTLS cipher suite: DEFAULT
0: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
0: ===========Discovering listener addresses: =========
0: Listener address to use: [localhost]
0: Listener address to use: [public ip1]
0: Listener address to use: [public ip2]
0: Listener address to use: [public ip3]
0: Listener address to use: [ipv6 localhost]
0: Listener address to use: [ipv6 public]
0: =====================================================
0: Total: 4 'real' addresses discovered
0: =====================================================
0: NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
0: ===========Discovering relay addresses: =============
0: Relay address to use: [public ip1]
0: Relay address to use: [public ip2]
0: Relay address to use: [public ip3]
0: Relay address to use: [ipv6 public]
0: =====================================================
0: Total: 4 relay addresses discovered
0: =====================================================
0: Cannot create pid file: /var/run/turnserver.pid
0: pid file created: /var/tmp/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided
0: Wait for relay ports initialization...
0:   relay [public ip1] initialization...
0:   relay [public ip1] initialization done
0:   relay [public ip2] initialization...
0:   relay [public ip2] initialization done
0:   relay [public ip3] initialization...
0:   relay [public ip3] initialization done
0:   relay [ipv6 public] initialization...
0:   relay [ipv6 public] initialization done
0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=0 created
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=1 created
0: IPv4. TLS/TCP listener opened on : [localhost]:3478
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=2 created
0: IPv4. TLS/TCP listener opened on : [localhost]:3478
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=3 created
0: IPv4. DTLS/UDP listener opened on: [localhost]:3478
0: IPv4. DTLS/UDP listener opened on: [localhost]:5349
0: IPv4. DTLS/UDP listener opened on: [public ip1]:3478
0: IPv4. DTLS/UDP listener opened on: [public ip1]:5349
0: IPv4. DTLS/UDP listener opened on: [public ip2]:3478
0: IPv4. DTLS/UDP listener opened on: [public ip2]:5349
0: IPv4. DTLS/UDP listener opened on: [public ip3]:3478
0: IPv4. DTLS/UDP listener opened on: [public ip3]:5349
0: IPv6. DTLS/UDP listener opened on: [ipv6 localhost]:3478
0: IPv6. DTLS/UDP listener opened on: [ipv6 localhost]:5349
0: IPv6. DTLS/UDP listener opened on: [ipv6 public]:3478
0: IPv6. DTLS/UDP listener opened on: [ipv6 public]:5349
0: Total General servers: 4
0: IPv4. TLS/TCP listener opened on : [localhost]:5349
0: IO method (auth thread): epoll (with changelist)
0: IO method (auth thread): epoll (with changelist)
0: SQLite DB connection success: [path to turndb]
0: IPv4. TLS/TCP listener opened on : [localhost]:3478
0: IO method (admin thread): epoll (with changelist)
0: IPv4. TLS/TCP listener opened on : [public ip1]:3478
0: IPv4. TLS/TCP listener opened on : [localhost]:5349
0: IPv4. TLS/TCP listener opened on : [localhost]:3478
0: IPv4. TLS/TCP listener opened on : [public ip1]:3478
0: IPv4. TLS/TCP listener opened on : [localhost]:5349
0: IPv4. TLS/TCP listener opened on : [public ip1]:5349
0: IPv4. TLS/TCP listener opened on : [public ip1]:3478
0: IPv4. TLS/TCP listener opened on : [public ip2]:3478
0: IPv4. TLS/TCP listener opened on : [public ip1]:5349
0: IPv4. TLS/TCP listener opened on : [public ip1]:5349
0: IPv4. TLS/TCP listener opened on : [public ip2]:3478
0: IPv4. TLS/TCP listener opened on : [public ip2]:5349
0: IPv4. TLS/TCP listener opened on : [public ip2]:5349
0: IPv4. TLS/TCP listener opened on : [public ip2]:3478
0: IPv4. TLS/TCP listener opened on : [public ip3]:3478
0: IPv4. TLS/TCP listener opened on : [localhost]:5349
0: IPv4. TLS/TCP listener opened on : [public ip3]:3478
0: IPv4. TLS/TCP listener opened on : [public ip2]:5349
0: IPv4. TLS/TCP listener opened on : [public ip3]:5349
0: IPv4. TLS/TCP listener opened on : [public ip1]:3478
0: IPv4. TLS/TCP listener opened on : [public ip3]:3478
0: IPv4. TLS/TCP listener opened on : [public ip3]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:3478
0: IPv4. TLS/TCP listener opened on : [public ip1]:5349
0: IPv4. TLS/TCP listener opened on : [public ip3]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:3478
0: IPv4. TLS/TCP listener opened on : [public ip2]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:5349
0: IPv4. TLS/TCP listener opened on : [public ip2]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:5349
0: IPv4. TLS/TCP listener opened on : [public ip3]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:3478
0: IPv4. TLS/TCP listener opened on : [public ip3]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 localhost]:5349
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:3478
0: IPv6. TLS/TCP listener opened on : [ipv6 public]:5349
269933: handle_udp_packet: New UDP endpoint: local addr [public ip1]:5349, remote addr [ip without NAT]:49333
269933: session 003000000000000012: realm <[realm]> user <>: incoming packet BINDING processed, success
269933: session 003000000000000012: realm <[realm]> user <>: incoming packet message processed, error 401: Unauthorized
269933: IPv4. Local relay addr: [public ip1]:52030
269933: session 003000000000000012: new, realm=<[realm]>, username=<[user]>, lifetime=600
269933: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet ALLOCATE processed, success
269943: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet BINDING processed, success
269953: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet BINDING processed, success
269963: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet BINDING processed, success
269970: session 003000000000000012: refreshed, realm=<[realm]>, username=<[user]>, lifetime=0
269970: session 003000000000000012: realm <[realm]> user <[user]>: incoming packet REFRESH processed, success
269971: session 003000000000000012: usage: realm=<[realm]>, username=<[user]>, rp=7, rb=332, sp=7, sb=720
269971: session 003000000000000012: peer usage: realm=<[realm]>, username=<[user]>, rp=0, rb=0, sp=0, sb=0
269971: session 003000000000000012: closed (2nd stage), user <[user]> realm <[realm]> origin <>, local [public ip1]:5349, remote [ip without NAT]:49333, reason: allocation timeout
269971: session 003000000000000012: delete: realm=<[realm]>, username=<[user]>
269996: IPv4. tcp or tls connected to: [ip without NAT]:59678
269996: session 000000000000000016: realm <[realm]> user <>: incoming packet message processed, error 401: Unauthorized
269996: IPv4. Local relay addr: [public ip1]:64039
269996: session 000000000000000016: new, realm=<[realm]>, username=<[user]>, lifetime=600
269996: session 000000000000000016: realm <[realm]> user <[user]>: incoming packet ALLOCATE processed, success

I'm pretty new to TURN and WebRTC so some help would be nice :)


There is 1 answer

giavac

The first attempt to gather ICE candidates with the WebRTC sample application shows that only host candidates were discovered.

This may mean that either the TURN settings were wrong (wrong URL or wrong credentials), or that the computer could not reach the TURN server on the given port.

There are NAT conditions that forbid access to outside ports other than a given preset, e.g. port 443 TCP (the default for HTTPS).

As a matter of experiment, you could try setting up coturn to listen on port 443 TCP and try the ICE gathering application again.

In general, applications like Wireshark allow you to capture the network traffic on your computer and verify where the requests are going and whether there's any response from the TURN server (you can use the stun filter).
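A way to separate the two possibilities named in the answer (server unreachable on that port versus credentials wrong) from the host behind the NAT, written as an added example that is part of neither the question nor the answer: it sends one unauthenticated TURN Allocate over UDP and decodes the reply. A reachable coturn answers with the same "error 401: Unauthorized" challenge (carrying REALM and NONCE) that appears in the log above; silence means the port never reached the server. The host, port and realm values are assumptions, and the constructed reply in the test stands in for a real server.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
ALLOCATE_REQUEST = 0x0003                       # RFC 5766 Allocate, class "request"
ATTR_ERROR_CODE, ATTR_REALM, ATTR_NONCE, ATTR_REQUESTED_TRANSPORT = 0x0009, 0x0014, 0x0015, 0x0019

def attr(atype, value):
    """Encode one STUN TLV attribute; the value is padded to a 4-byte boundary (RFC 5389 s.15)."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)

def build_request(msg_type, attrs=b"", txid=None):
    """20-byte STUN header (type, attribute length, magic cookie, 96-bit transaction id) + attributes."""
    return struct.pack("!HHI", msg_type, len(attrs), MAGIC_COOKIE) + (txid or os.urandom(12)) + attrs

def parse_response(data):
    """Decode only what a reachability check needs: message type, error code, realm and nonce."""
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or len(data) < 20 + length:
        raise ValueError("not a STUN message")
    result, pos = {"type": msg_type, "txid": data[8:20]}, 20
    while pos + 4 <= 20 + length:
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if atype == ATTR_ERROR_CODE:
            result["error"] = (value[2] & 0x07) * 100 + value[3]   # 3-bit class * 100 + number
        elif atype in (ATTR_REALM, ATTR_NONCE):
            result["realm" if atype == ATTR_REALM else "nonce"] = value.decode()
        pos += 4 + alen + (-alen % 4)                               # skip value plus padding
    return result

def classify(result):
    """Map a parsed reply (None on timeout) to the outcome that decides the next debugging step."""
    if result is None:
        return "no reply: port filtered by NAT/firewall or wrong TURN URL"
    if result.get("error") == 401:
        return "reachable: 401 challenge from realm %s, check user/password next" % result.get("realm")
    return "reachable: response type 0x%04x, error %s" % (result["type"], result.get("error"))

def probe(host, port=3478, timeout=3.0):
    """Send one unauthenticated UDP Allocate (REQUESTED-TRANSPORT=UDP) and classify the answer."""
    req = build_request(ALLOCATE_REQUEST, attr(ATTR_REQUESTED_TRANSPORT, b"\x11\x00\x00\x00"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))                 # host/port are assumed values, e.g. your turn-server url
        try:
            return classify(parse_response(s.recvfrom(1500)[0]))
        except socket.timeout:
            return classify(None)
```

Run probe("turn.example", 3478) and probe("turn.example", 5349) from the NATed host; if both time out while the same call from the non-NATed network gets a 401, the answer's port-restriction theory is confirmed and the 443/TCP experiment is the next step.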