Implementing our own STUN/TURN server for WebRTC Application

[Sojharo Mangi]

Hello All,

I am working on a webrtc application and have to implement following TURN server.

https://code.google.com/p/rfc5766-turn-server/

I am following this tutorial.

http://www.dialogic.com/den/developer_forums/f/71/t/10238.aspx

and it says to reference the TURN server as follows, in javascript code where RTCPeerConnection is created.

var pc_config = {"iceServers": [{"url": "stun:stun.l.google.com:19302"},            {"url":"turn:my_username@<turn_server_ip_address>", "credential":"my_password"}]};
        pc_new = new webkitRTCPeerConnection(pc_config);

I am little confused, why are we referencing to Google's public STUN server. I thought RFC5766 TURN server has STUN inside it.

Is RFC5766 only TURN server? and not STUN server? Can't we implement our own STUN server rather using one provided by Google?

Sorry for such naive question. I am new to WebRTC.

Thanks.

[Alex Gouaillard]

You do not have to use google stun, but it does not hurt :-)

Yes a turn server IS also a STUN server.

Sent from my iPhone

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

[@amiteshawa]

Sojharo

Please refer these presentations: 

http://www.slideshare.net/amiteshawa/web-rtc-media-stra

http://www.slideshare.net/amiteshawa/setup-ephemeral-password

BTW, I see you are using old approach for TURN URL. Please refer the ppt to know the new structure.

You may also take a look at the sample code here:

https://github.com/amiteshawa/learn-rtc 

regards,

amitesh

[Sojharo Mangi]

Thank you very much for your kind reply Amitesh and Alex. Amitesh, I had already seen your first presentation and had kept it at my disposal for reference.

I am going to install RFC5766 turn server for my application on Ubuntu 12.04. I will follow the instructions.

Kindly, also let me know how to reference that TURN server in my application's javascript code so that it can be used as both stun and turn server as RFC5766 also implements STUN server.

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

--

Regards,

 

Sojharo

[Alexandre GOUAILLARD]

you just need to pass the turn credential, and chrome/firefox will use it as stun as well.

you can use the test page to give it a try and see that stun candidates (type srflx) are indeed generated:

http://webrtc.googlecode.com/svn/trunk/samples/js/demos/html/ice-servers.html

for rfc5766-turn-server, you can find more documentation on the original page's wiki and external links:

https://code.google.com/p/rfc5766-turn-server/

Alex. Gouaillard, PhD, PhD, MBA

------------------------------------------------------------------------------------

CTO - Temasys Communications, S'pore / Mountain View

President - CoSMo Software, Cambridge, MA

------------------------------------------------------------------------------------

sg.linkedin.com/agouaillard

• 
  

[@amiteshawa]

    for stun

    var STUN = {

        url: 'stun:<hostname/ip>:<port>'

    };

    For chrome version less than 28

    var TURN = {

        url: 'turn:<turn-username>@<hostname/ip>:<port>',

        credential: 'password'

    };

   for Chrome 28 and above    

    TURN = {

         url: 'turn:<hostname/ip>:<port>',

         credential: 'password', 

         username: 'turn-username'

    };

    pcConfig.iceServers = [STUN, TURN];

[Alexandre GOUAILLARD]

actually …

even though the solution proposed by amiteshawa will work with today's chrome (33), it is limited and will not work in future release.

1. It is limited to connection between client and TURN server over UDP, as it omit the transport option. A lot of networks will restrict the usage of UDP ports, so it is important to support TCP, especially as the rfc5766-turn-sever code supports it out of the box.

2. It will not work in future versions as the formatting will change (possibly in 34, and definitely in 35).

------

1. 

the full url formatting for current chrome is:

var TURN = {

        url: '{turn|turns}:<turn-username>@<hostname/ip>:<port>?transport=<transport>',

        credential: 'password'

    };

- <transport> can be either 'udp' or 'tcp'

- you can use 'turn' prefix with either 'dup' or 'tcp' transports,

- you can use 'turns' prefix with 'tcp transport for TLS connection to your turn server if it is configured to accept it.

- 'turns' with 'udp' (a.k.a. DTLS) will not be supported.

ex: (credits to warren McDonald):

   +---------------------------------+----------+--------+-------------+
   | URI                             | <secure> | <port> | <transport> |
   +---------------------------------+----------+--------+-------------+
   | turn:example.org                | false    |        |             |
   | turns:example.org               | true     |        |             |
   | turn:example.org:8000           | false    | 8000   |             |
   | turn:example.org?transport=udp  | false    |        | UDP         |
   | turn:example.org?transport=tcp  | false    |        | TCP         |
   | turns:example.org?transport=tcp | true     |        | TLS         |
   +---------------------------------+----------+--------+-------------+

ex: with appRTC today in chrome 33:

'{"iceServers":[

{"url":"stun:stun.l.google.com:19302"},

{"url":

"turn:192.158.30.23:3478?transport=udp",

"credential":"ty7VQmZPoXmLp7NW/oofnzyVpJU=",

"username":"1394350698:67154523"

},

{"url":

"turn:192.158.30.23:3478?transport=tcp",

"credential":"ty7VQmZPoXmLp7NW/oofnzyVpJU=",

"username":"1394350698:67154523"

},

{"url":

"turn:192.158.30.23:3479?transport=udp",

"credential":"ty7VQmZPoXmLp7NW/oofnzyVpJU=",

"username":"1394350698:67154523"

},

{"url":

"turn:192.158.30.23:3479?transport=tcp",

"credential":"ty7VQmZPoXmLp7NW/oofnzyVpJU=",

"username":"1394350698:67154523"

}

]}';

Lots of info (e.g. username and credential) are redundant for a given server, which lead to a change in the format

-------

2. Be ready for the next version

Be sure to note the 's' at the end of 'url' now, and note that the variable is now an array.

var TURN = {

        'urls': [

            '{turn|turns}:<turn-server-ip>:<turn-server-port>?transport=<transport>',

            '{turn|turns}:<turn-server-ip>:<turn-server-port>?transport=<transport>',

            ………

            ]

        'credential': <turn-password>,

        'username': <turn-username>

    };

ex: chrome 35 today. You can see there is only one turn-server-ip (192.158.30.23) but two instances of a turn server running on two different ports (3478 and 3479), both accessible over both TCP and UDP. Both server instances apparently share the same login database and shared secret.

'{"iceServers":[

{"urls":"stun:stun.l.google.com:19302"},

{"urls":[

"turn:192.158.30.23:3478?transport=udp",

"turn:192.158.30.23:3478?transport=tcp",

"turn:192.158.30.23:3479?transport=udp",

"turn:192.158.30.23:3479?transport=tcp"

],

"credential":"6g+zb7w+7rOU4ieD3OmEsM0LsK4=",

"username":"1394348043:25744438"

}

]}';

HTH.

[@amiteshawa]

Alex: 

does chrome support transport over tcp right now?

[Alexandre GOUAILLARD]

yes,

it supports TURN TCP and TURN TLS:

https://code.google.com/p/webrtc/issues/detail?id=1171

https://code.google.com/p/webrtc/issues/detail?id=1425

which allow chrome to connect to TURN server over TCP. It does NOT mean that the relay will be done over TCP though

it supports ICE-TCP (rfc6544): which provide candidate for media over TCP.

I think it pretty much covered all that since M30, Q3 last year.

A little synopsis of the situation in chrome and firefox for your perusal (the firefox part needs to be updated, and I might be wrong or incomplete on some aspect, so feel free to correct me if that's the case.)

[Sojharo Mangi]

Thanks for the explanations. I feel confident in referencing the server in javascript now. I tried to install the latest rfc5766 turn server (turnserver-3.2.2.9.tar.gz) and got the following error on ./configure

more is /bin/more
ginstall: not found
install is /usr/bin/install
pkill is /usr/bin/pkill
Use TMP dir /var/tmp
Compiler: cc
Do not use -lsocket
Do not use -lwldap32
Do not use -lwldap64
Do not use -lintl
Sockets code is fine: no sin_len field present
Ignore IP_RECVERR
Do not use -lcrypto
ERROR: OpenSSL Crypto development libraries are not installed properly in required location.
Abort.

Kindly, let me know how to come over this. Thanks.

[Alexandre GOUAILLARD]

you might want to ask this question in the corresponding group:

https://groups.google.com/forum/#!forum/turn-server-project-rfc5766-turn-server

[@amiteshawa]

Looking at logs I feel you are using g++ compiler. can you please try using gcc compiler?

[@amiteshawa]

Thanks alex

[Alexandre GOUAILLARD]

no problem.

On Sat, Mar 8, 2014 at 11:36 PM, @amiteshawa <amitesh...@gmail.com> wrote:

Thanks alex

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Oleg Moskalenko]

The TURN server can be compiled by both gcc and g++ compiler.

[Oleg Moskalenko]

The reason of the error is clearly explained in the ./configure output that your posted.

The install process is described in the INSTALL file.

[Sojharo Mangi]

Thanks Oleg, Alex and Amitesh. I successfully installed the server.

Amitesh, it will be helpful in future if you update your presentation. With Libevent, Openssl is also required.

[Sojharo Mangi]

I tried to run the server and got the following error with other warnings.

ERROR: Trying to bind fd 18 to <162.243.217.34:3478>: errno=98
Cannot bind local socket to addr: Address already in use

I found this answer by Oleg on Google Group

https://groups.google.com/forum/#!topic/turn-server-project-rfc5766-turn-server/WWIiisP0KJU

How do I know whether my TURN server is already running or not?

I also cannot run this command

/etc/init.d/rfc5766-turn-server stop

--

Regards,

 

Sojharo

[Oleg Moskalenko]

On Saturday, March 8, 2014 12:36:23 PM UTC-8, Sojharo Mangi wrote:

I tried to run the server and got the following error with other warnings.

ERROR: Trying to bind fd 18 to <162.243.217.34:3478>: errno=98
Cannot bind local socket to addr: Address already in use

I found this answer by Oleg on Google Group

https://groups.google.com/forum/#!topic/turn-server-project-rfc5766-turn-server/WWIiisP0KJU

How do I know whether my TURN server is already running or not?

Are you using Linux ?

1) TURN server is running as a process with name turnserver. You can check whether this process is present, with command:
  $ ps -ea | grep turn
2) Post here the full log output of the turnserver, from the beginning.
3) Post here the following command output:
  $ uname -a
4) try also to run it with option --ne=2
5) post here the output of the command:
  $ grep -n REUSEPORT /usr/include/*

 

I also cannot run this command

/etc/init.d/rfc5766-turn-server stop

That's because you did not set the script /etc/init.d/rfc5766-turn-server. It is set by the precompiled package installations. You are compiling the program yourself, so you have to set it yourself.

Overall, you need some basic Linux knowledge to set the TURN server properly. Try to find somebody around with such a knowledge, that would be very helpful.




 

[Sojharo Mangi]

None of these commands are working on my Linux. However, "ps -ea" worked and showed the list. It did not had turn in it. I am trying to figure it out myself. I hope I will be able to run the server soon. Thanks

[Oleg Moskalenko]

On Saturday, March 8, 2014 3:12:28 PM UTC-8, Sojharo Mangi wrote:

None of these commands are working on my Linux.

"uname -a" does not work ?!

???!!!

 

[Sojharo Mangi]

It shows me the system's information. How can it help me?

Linux CloudKiboTurnServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 16:19:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

Regards,

 

Sojharo

[Oleg Moskalenko]

It is not supposed to help you, directly. I asked you to post the output of the commands to help me to help you - you if indeed need any help.

[Sojharo Mangi]

  $ ps -ea | grep turn

It does not give any output, Oleg. however ps -ea prints the list:

 PID TTY          TIME CMD
    1 ?        00:00:01 init
    2 ?        00:00:00 kthreadd
    3 ?        00:00:00 ksoftirqd/0
    5 ?        00:00:00 kworker/0:0H
    6 ?        00:00:00 kworker/u:0
    7 ?        00:00:00 kworker/u:0H
    8 ?        00:00:00 migration/0
    9 ?        00:00:00 rcu_bh
   10 ?        00:00:00 rcu_sched
   11 ?        00:00:00 watchdog/0
   12 ?        00:00:00 cpuset
   13 ?        00:00:00 khelper
   14 ?        00:00:00 kdevtmpfs
   15 ?        00:00:00 netns
   16 ?        00:00:00 bdi-default
   17 ?        00:00:00 kintegrityd
   18 ?        00:00:00 kblockd
   19 ?        00:00:00 ata_sff
   20 ?        00:00:00 khubd
   21 ?        00:00:00 md
   22 ?        00:00:00 devfreq_wq
   24 ?        00:00:00 khungtaskd
   25 ?        00:00:00 kswapd0
   26 ?        00:00:00 ksmd
   27 ?        00:00:00 fsnotify_mark
   28 ?        00:00:00 ecryptfs-kthrea
   29 ?        00:00:00 crypto
   40 ?        00:00:00 kthrotld
   41 ?        00:00:00 kworker/u:1
   42 ?        00:00:00 scsi_eh_0
   43 ?        00:00:00 scsi_eh_1
   45 ?        00:00:00 binder
   65 ?        00:00:00 deferwq
   66 ?        00:00:00 charger_manager
  194 ?        00:00:00 jbd2/vda-8
  195 ?        00:00:00 ext4-dio-unwrit
  310 ?        00:00:00 upstart-udev-br
  312 ?        00:00:00 udevd
  391 ?        00:00:00 dbus-daemon
  396 ?        00:00:01 rsyslogd
  616 ?        00:00:00 upstart-socket-
  703 ?        00:00:00 kvm-irqfd-clean
  707 ?        00:00:00 kpsmoused
  821 ?        00:00:00 udevd
  822 ?        00:00:00 udevd
  883 tty4     00:00:00 getty
  888 tty5     00:00:00 getty
  895 tty2     00:00:00 getty
  899 tty3     00:00:00 getty
  902 tty6     00:00:00 getty
  915 ?        00:00:00 acpid
  917 ?        00:00:00 cron
  918 ?        00:00:00 atd
  944 ?        00:00:00 whoopsie
 1012 ?        00:00:00 sshd
 1018 tty1     00:00:00 getty
 1049 ?        00:00:00 flush-253:0
14997 ?        00:00:00 kworker/0:2
17405 ?        00:00:04 kworker/0:0
17778 ?        00:00:05 kworker/0:1
18933 ?        00:00:00 sshd
19066 pts/0    00:00:00 bash
19129 pts/0    00:00:00 ps

2) Post here the full log output of the turnserver, from the beginning.

root@CloudKiboTurnServer:~/turnserver-3.2.2.9# turnserver -L 162.243.217.34
0:
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Citrix-3.2.2.9 'Marshal West'
0:
Max number of open files/sockets allowed for this process: 4096
0:
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 2000 (approximately)
0:

==== Show him the instruments, Practical Frost: ====

0: TLS is not supported
0: DTLS supported
0: Redis is not supported
0: PostgreSQL is not supported
0: MySQL is not supported
0: OpenSSL version: fresh enough
0: Default Net Engine version: 2 (UDP thread per network endpoint)

=====================================================

0: Config file found: /usr/local/etc/turnserver.conf
0: Listener address to use: 162.243.217.34
0: Listener address to use: 162.243.217.34
0: Config file found: /usr/local/etc/turnserver.conf
0: WARNING: Cannot find userdb file: turnuserdb.conf: going without flat file user database.
0:
CONFIGURATION ALERT: you specified long-term user accounts, (-u option)
    but you did not specify the long-term credentials option
    (-a or --lt-cred-mech option).
     I am turning --lt-cred-mech ON for you, but double-check your configuration.
0:
CONFIGURATION ALERT: you did specify the long-term credentials usage
 but you did not specify the realm option (-r option).
    The TURN Server will be inaccessible.
        Check your configuration.
0: WARNING: cannot find certificate file: turn_server_cert.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
0: WARNING: cannot find private key file: turn_server_pkey.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
0: Relay address to use: 162.243.217.34
0: Relay address to use: 162.243.217.34
0: pid file created: /var/run/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: Wait for relay ports initialization...
0:   relay 162.243.217.34 initialization...
0:   relay 162.243.217.34 initialization done
0:   relay 162.243.217.34 initialization...
0:   relay 162.243.217.34 initialization done
0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
0: turn server id=0 created
bind: Address already in use
0: ERROR: Trying to bind fd 18 to <162.243.217.34:3478>: errno=98

Cannot bind local socket to addr: Address already in use

0: Cannot bind TCP/TLS listener socket to addr 162.243.217.34:3478
0: Trying to bind TCP/TLS listener socket to addr 162.243.217.34:3478, again...
bind: Address already in use
0: ERROR: Trying to bind fd 18 to <162.243.217.34:3478>: errno=98

Cannot bind local socket to addr: Address already in use

0: Cannot bind TCP/TLS listener socket to addr 162.243.217.34:3478
0: Trying to bind TCP/TLS listener socket to addr 162.243.217.34:3478, again...
bind: Address already in use
0: ERROR: Trying to bind fd 18 to <162.243.217.34:3478>: errno=98

Cannot bind local socket to addr: Address already in use

0: Cannot bind TCP/TLS listener socket to addr 162.243.217.34:3478
0: Trying to bind TCP/TLS listener socket to addr 162.243.217.34:3478, again...
bind: Address already in use
0: ERROR: Trying to bind fd 18 to <162.243.217.34:3478>: errno=98

Cannot bind local socket to addr: Address already in use

0: Cannot bind TCP/TLS listener socket to addr 162.243.217.34:3478
0: Trying to bind TCP/TLS listener socket to addr 162.243.217.34:3478, again...
^C



  3) $ uname -a

It gives the following output:

Linux CloudKiboTurnServer 3.8.0-29-generic #42~precise1-Ubuntu SMP Wed Aug 14 16:19:23 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

4) try also to run it with option --ne=2

It does not work.

 $ grep -n REUSEPORT /usr/include/*

It does not give output.

[Oleg Moskalenko]

OK, I see. your system seems to be OK.

I found your problem. The turnserver behaves like the listener address was configured twice. You configured the listener address 162.243.217.34 both in the command line and in the config file turnserver.conf. So it tries to bind the socket to the same network endpoint twice - and it is failing.

Remove  162.243.217.34 either from the command line or from the turnserver.conf.

I'll fix this case in the next build.

Regards,
Oleg

[Sojharo Mangi]

Thank you very much Oleg, I tried without -L and the server started. I used the following command.

turnserver -o --daemon

and this was the output:

0:
RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Citrix-3.2.2.9 'Marshal West'
0:
Max number of open files/sockets allowed for this process: 4096
0:
Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 2000 (approximately)
0:

==== Show him the instruments, Practical Frost: ====

0: TLS is not supported
0: DTLS supported
0: Redis is not supported
0: PostgreSQL is not supported
0: MySQL is not supported
0: OpenSSL version: fresh enough
0: Default Net Engine version: 2 (UDP thread per network endpoint)

=====================================================

0: Config file found: /usr/local/etc/turnserver.conf
0: Listener address to use: 162.243.217.34

0: Config file found: /usr/local/etc/turnserver.conf
0: WARNING: Cannot find userdb file: turnuserdb.conf: going without flat file user database.
0:
CONFIGURATION ALERT: you specified long-term user accounts, (-u option)
    but you did not specify the long-term credentials option
    (-a or --lt-cred-mech option).
     I am turning --lt-cred-mech ON for you, but double-check your configuration.
0:
CONFIGURATION ALERT: you did specify the long-term credentials usage
 but you did not specify the realm option (-r option).
    The TURN Server will be inaccessible.
        Check your configuration.
0: WARNING: cannot find certificate file: turn_server_cert.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because certificate file is not set properly
0: WARNING: cannot find private key file: turn_server_pkey.pem (1)
0: WARNING: cannot start TLS and DTLS listeners because private key file is not set properly
0: Relay address to use: 162.243.217.34

[Oleg Moskalenko]

Again, you do not need both -o and --daemon - those are the same option, use only one of them.

[Sojharo Mangi]

Ok Oleg, Thanks

[Jonathan Ekwempu]

Alex, what is the best way to scale turn servers? Use chrome 35 today as an example. 

Thanks,

Jonathan

[Alexandre GOUAILLARD]

hi jonathan,

it s better if you ask the question to the entire list, you get better chance to get an answer :-)

For horizontal scaling, the way google does it is a little bit more complicated but seems good, it also allows to separate things better (have the turn servers credential generation and load balancing done separately). They are a little bit old and simple, but you have the concepts explained in the attached document.

For vertical scaling, use oleg's server :-) It s updated often, and there are a lots of optimizations being made. You still need to do all the benchmarking to test the data centers, connectivity, bandwidth, ect, and be able to set your thresholds in your middleware and so on. 

Honestly, unless you have a special need to manage your own global infrastructure, you'd better use someone's else.

HTH,

Alex.

[Jonathan Ekwempu]

Thanks for the information.

Jonathan

[Oleg Moskalenko]

In the future updated TURN specs which we are trying to put together, we are going to put mandatory requirement for the browser to support 300 ALTERNATE SERVER mechanism. That would allow unlimited horizontal scalability - without any extra machinery involved. Our server supports that mechanism - but current Chrome does not.

Another horizontal scalability way is DNS round-robin. But I do not think that Chrome supports that.

One more way is to use a very smart load balancer between the Chrome and the TURN server. There must be a single "external" IP and the balancer must be distributing the packets among multiple TURN server systems behind it. This approach has its limitations, not all TURN session patterns can be used in such environments.

[Raghv Mitra]

How to configure it in 2022? Now the chrome 104 version is running

[Harald Alvestrand]

Is there a chromium bug filed to support 300 ALTERNATE SERVER?

--

---
You received this message because you are subscribed to the Google Groups "discuss-webrtc" group.
To unsubscribe from this group and stop receiving emails from it, send an email to discuss-webrt...@googlegroups.com.

To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/48cd00d2-cf83-40dd-9fff-3e62b7e794d3n%40googlegroups.com.

[Philipp Hancke]

there is support even:

  https://source.chromium.org/chromium/chromium/src/+/main:third_party/webrtc/api/transport/stun.h;drc=2330c1533e39e4f8c195b0a2a05802ea9dee9c85;l=64

I don't believe this is relevant in practice. Round robin DNS with geolocation works well enough.

To view this discussion on the web visit https://groups.google.com/d/msgid/discuss-webrtc/CAOqqYVE9AocQ%3D4tHg49ME9nDOiqTx6oPbu6W9RdV314xGeAh-Q%40mail.gmail.com.