MediaSoup and STUN/TURN Server

Krishna Isola

Sep 24, 2018, 10:55:03 AM
to medi...@googlegroups.com
Greetings!

I’m looking for clarification and to improve my knowledge on the below topic of discussion.

Topic of discussion: In what scenarios is a STUN/TURN (say CoTurn) server required along with MediaSoup Server?

My understanding of STUN/TURN is as follows:
* During signaling negotiation, each user shares their ICE candidates which includes STUN & TURN candidates

a) User-A & User-B are accessible within the network (or subnet): I believe no STUN/TURN is required
b) User-A & User-B are in different subnet & not directly accessible: I believe firstly STUN candidates are resolved. If successful, goes with STUN candidates 
c) User-A & User-B are not accessible directly: I believe STUN candidates also fails and resolves to TURN (Relay)  

MediaSoup Deployment Scenarios:

Note: For the discussion sake, “CoTurn” STUN/TURN server deployed along with MediaSoup

1. On-Prem MediaSoup Server module

* On-Prem means deployed within a LAN network (organization)

1.1) MediaSoup being SFU, does it really need STUN/TURN server?
1.2) If so, when and how it is useful

2. Cloud Deployment of MediaSoup Server module
* Let’s say deployed on AWS EC2 instance: Mediasoup Server Application + CoTurn

1.1) MediaSoup being SFU, does it really need STUN/TURN server?
1.2) If so, when and how it is useful

Regards,
Krish

Iñaki Baz Castillo

Sep 24, 2018, 11:05:43 AM
to medi...@googlegroups.com
On Mon, 24 Sep 2018 at 16:55, Krishna Isola <apv.k...@gmail.com> wrote:
>
> Greetings!
>
> I’m looking for clarification and to improve my knowledge on the below topic of discussion.
>
> Topic of discussion: In what scenarios is a STUN/TURN (say CoTurn) server required along with MediaSoup Server?
>
> My understanding of STUN/TURN is as follows:
> * During signaling negotiation, each user shares their ICE candidates which includes STUN & TURN candidates

Not entirely true since mediasoup server is ICE Lite, meaning that it
does not require ICE candidates from clients but, instead, will wait
for RTP in its open ports to know the client's remote IP, port and
transport protocol (UDP or TCP).


> a) User-A & User-B are accessible within the network (or subnet): I believe no STUN/TURN is required

mediasoup must run (unless local deployment just for local networks)
in a server with a public IP (or with a mapped public IP). There are no
peer-to-peer media flows when using mediasoup.



> MediaSoup Deployment Scenarios:
>
> Note: For the discussion sake, “CoTurn” STUN/TURN server deployed along with MediaSoup
>
> 1. On-Prem MediaSoup Server module
>
> * On-Prem means deployed within a LAN network (organization)
>
> 1.1) MediaSoup being SFU, does it really need STUN/TURN server?

It may need a TURN server (see bottom of the email).


> 1.2) If so, when and how it is useful
>
> 2. Cloud Deployment of MediaSoup Server module
> * Let’s say deployed on AWS EC2 instance: Mediasoup Server Application + CoTurn
>
> 1.1) MediaSoup being SFU, does it really need STUN/TURN server?

Same, see bottom.

> 1.2) If so, when and how it is useful



If you run mediasoup in a local network, it will be hard for clients
outside that local network to connect to it (unless you have a VPN and
all the clients use that VPN, or unless you open and map a public IP and
all the RTP port range to the private IP and ports).

Now, let's assume normal deployments, that is: mediasoup running in a
server with a public IP (reachable from anyone in the world) or within
AWS or similar (in that case, you need to map the public IP to the
private one in the server and let the mediasoup Server know about such
a public IP; there is a setting for that in the
mediasoup.Server(settings) API).

In these scenarios, when is TURN required?

In case a client is behind a firewall that blocks outgoing UDP or
"uncommon" TCP (that is, anything but 443 nowadays, unfortunately). In
that case, you need to set up a TURN server with TLS enabled on port
443 and configure your clients (mediasoup-client inside) with the TURN
address + credentials. So, the client will send and receive
audio/video to/from the IP and port 443 of the TURN server, which will
relay it to/from the corresponding UDP port opened by mediasoup server.

--
Iñaki Baz Castillo
<i...@aliax.net>

Krishna Isola

Sep 24, 2018, 1:32:03 PM
to medi...@googlegroups.com
Thank you very much for your prompt response. 

Can I generalize this statement for MediaSoup?
While MediaSoup is in cloud:
- For public Internet users, most likely TURN Server is not required
- For Enterprise users: Possibly required a TURN Server due to the organization firewall restrictions

I do have one more follow-up question on your TURN server recommendation.

> In case a client is behind a firewall that blocks outgoing UDP or
> "uncommon" TCP (that is, anything but 443 nowadays, unfortunately). In
> that case, you need to set up a TURN server with TLS enabled on port
> 443 and configure your clients (mediasoup-client inside) with the TURN
> address + credentials. So, the client will send and receive
> audio/video to/from the IP and port 443 of the TURN server, which will
> relay it to/from the corresponding UDP port opened by mediasoup server.

Is there a way to determine programmatically that the client app is required to use a TURN server?
- Like Client starts without TURN, gets a response code <xxx> then fail-over / fallback to TURN server
- Otherwise, the manual configuration approach. Turn ON/OFF this functionality

Regards,
Krish



Mészáros Mihály

Sep 24, 2018, 5:06:14 PM
to medi...@googlegroups.com

There could be many reasons to use TURN.

Two not yet mentioned came to my mind:

1. IPv6 <=> IPv4 interworking could also be an example.
In case the client is IPv6-only and the MediaSoup server speaks only IPv4 (e.g. because it is a VPS limitation),
WebRTC doesn't actually send any REQUESTED-ADDRESS-FAMILY
=> according to https://tools.ietf.org/html/rfc6156#section-4.2
an IPv4 family relay IP and port will be allocated on the TURN server, so communication could be established.

2. Enterprise TURN
If the client uses the enterprise TURN server (autodiscovered), the enterprise TURN server may be added to the allowed list of the enterprise firewall, but SFUs in the cloud may not be.

Misi

--
You received this message because you are subscribed to the Google Groups "mediasoup" group.
To unsubscribe from this group and stop receiving emails from it, send an email to mediasoup+...@googlegroups.com.
To post to this group, send email to medi...@googlegroups.com.
Visit this group at https://groups.google.com/group/mediasoup.
To view this discussion on the web visit https://groups.google.com/d/msgid/mediasoup/C22AC187-8A64-431E-B400-F9013CA3C01B%40gmail.com.
For more options, visit https://groups.google.com/d/optout.

Iñaki Baz Castillo

Sep 25, 2018, 3:28:57 PM
to medi...@googlegroups.com
Hi Krish,

Too busy this week. Let me please come back to this thread in the next
days (or maybe next week at most).

Thanks.

Iñaki Baz Castillo

Oct 14, 2018, 10:43:30 AM
to medi...@googlegroups.com
On Mon, 24 Sep 2018 at 19:32, Krishna Isola <apv.k...@gmail.com> wrote:
>
> Thank you very much for your prompt response.
>
> Can I generalize this statement for MediaSoup?
> While MediaSoup is in cloud:
> - For public Internet users, most likely TURN Server is not required
> - For Enterprise users: Possibly required a TURN Server due to the organization firewall restrictions

Generally yes.



> I do have one more follow-up question on your TURN server recommendation.
>
> In case a client is behind a firewall that blocks outgoing UDP or
> "uncommon" TCP (that is, anything but 443 nowadays, unfortunately). In
> that case, you need to set up a TURN server with TLS enabled on port
> 443 and configure your clients (mediasoup-client inside) with the TURN
> address + credentials. So, the client will send and receive
> audio/video to/from the IP and port 443 of the TURN server, which will
> relay it to/from the corresponding UDP port opened by mediasoup server.

yes.


> Is there a way to determine programmatically that the client app is required to use a TURN server?
> - Like Client starts without TURN, gets a response code <xxx> then fail-over / fallback to TURN server
> - Otherwise, the manual configuration approach. Turn ON/OFF this functionality

You always provide mediasoup-client with your TURN server URL(s).
Then, depending on the network circumstances, the underlying browser
PeerConnection will communicate directly to mediasoup server or will
do it through the TURN server. You don't decide that
"programmatically".
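
Added example, not part of the thread or of mediasoup's own code: the browser picks the path by itself, but an application can inspect the PeerConnection's `getStats()` output afterwards to see whether media ended up relayed through TURN and over which transport. The hostname, credentials and stats entries are constructed placeholders; the field names are those of the standard WebRTC stats objects.

```javascript
// Added example. Host, credentials and the stats entries are constructed
// placeholders, not values from the thread.

// RTCIceServer entry for a TURN server listening with TLS on TCP port 443.
function turnTlsServer(host, username, credential) {
  return { urls: [`turns:${host}:443?transport=tcp`], username, credential };
}

// Takes the entries of an RTCStatsReport, e.g. (await pc.getStats()).values(),
// and reports which path the browser's ICE agent ended up selecting.
function describeSelectedPath(stats) {
  const byId = new Map();
  for (const s of stats) byId.set(s.id, s);
  const all = [...byId.values()];

  // Transport stats name the selected pair; Firefox instead flags the
  // candidate pair itself with `selected: true`.
  const transport = all.find(s => s.type === 'transport' && s.selectedCandidatePairId);
  const pair = transport
    ? byId.get(transport.selectedCandidatePairId)
    : all.find(s => s.type === 'candidate-pair' && s.selected);
  if (!pair) return { connected: false };

  const local = byId.get(pair.localCandidateId);
  const remote = byId.get(pair.remoteCandidateId);
  if (!local || !remote) return { connected: false };

  const viaTurn = local.candidateType === 'relay';
  return {
    connected: true,
    viaTurn,
    // For relay candidates, relayProtocol is the client-to-TURN leg
    // ("udp", "tcp" or "tls"); otherwise report the direct transport.
    clientLeg: viaTurn ? local.relayProtocol : local.protocol,
    remote: `${remote.address || remote.ip}:${remote.port}`,
  };
}

// Constructed sample: client behind a firewall that only allows TCP 443.
const SAMPLE_STATS = [
  { id: 'T1', type: 'transport', selectedCandidatePairId: 'CP2' },
  { id: 'CP1', type: 'candidate-pair', state: 'failed', localCandidateId: 'L1', remoteCandidateId: 'R1' },
  { id: 'CP2', type: 'candidate-pair', state: 'succeeded', localCandidateId: 'L2', remoteCandidateId: 'R1' },
  { id: 'L1', type: 'local-candidate', candidateType: 'host', protocol: 'udp' },
  { id: 'L2', type: 'local-candidate', candidateType: 'relay', protocol: 'udp', relayProtocol: 'tls' },
  { id: 'R1', type: 'remote-candidate', candidateType: 'host', protocol: 'udp', address: '203.0.113.10', port: 40000 },
];
```

A share of sessions reporting `viaTurn: true` with `clientLeg: 'tls'` is a useful signal for sizing the TURN server and for spotting networks that block direct UDP.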