ICE issue: need janus to be reachable from the internet as well as from the internal corporate network


Ju Ju

May 2, 2017, 9:40:12 AM
to meetecho-janus
Hi everyone,

To avoid using a TURN server for my corporate mates, I would like janus to be accessible from inside as well as from the internet (for the media part (UDP))

Let's say my janus server has 2 network interfaces
eth0 -> Public IP
eth1 -> Private IP (192.168.1.2)

let's say there is a NAT for my eth1 to reach internal network
eth1 192.168.1.2 -> 10.0.0.2

So basically, my clients need to know they must reach 10.0.0.2 if they want to reach janus

but as you know, janus only announces IP addresses it has.

So I tried to add 10.0.0.2:
on an unused interface (eth2) -> doesn't work as janus tries to use it during the ICE negotiation
on a loopback interface (lo:1) -> doesn't work as Janus doesn't use it in its ICE candidates


I noticed there is the "feature" "nat_1_1_mapping" but it doesn't work as it overrides ALL ICE candidates -> my janus is no longer reachable from the internet if I set

nat_1_1_mapping = 10.0.0.2


So I need this override only for some interface (in my case eth1)


How can I do it?


J-

Lorenzo Miniero

May 2, 2017, 11:00:03 AM
to meetecho-janus
You'd probably need a STUN server on the NATted network, so that the srflx address is picked there. That would only cover the NATted LAN and not the Internet though, as you can only configure a single STUN server in Janus. Better to simply deploy Janus in a way that it can interact with your LAN directly and not via NAT.

L.

Ju Ju

May 2, 2017, 2:56:03 PM
to Lorenzo Miniero, meetecho-janus
Hello Lorenzo,

In every serious company you can't double attach a server to the internet + internal network. It is too big a security issue. In my company it is strictly forbidden to do that. The outside NAT is the limit (maybe even above the limit).
However I think my case is typical for companies who want to carry their media server and still give access from outside. As you know, TCP proxies (alias TURN server) are a bad solution (TCP for realtime media…)
So. I guess I will have to change your code to allow rewriting candidates only for specific interfaces?

J-


--
You received this message because you are subscribed to a topic in the Google Groups "meetecho-janus" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/meetecho-janus/31ZLEmB5MuU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to meetecho-janu...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Alessandro Amirante

May 2, 2017, 3:00:59 PM
to julien Godier, meetecho-janus, Lorenzo Miniero
AFAIK, such "serious" companies use a VPN to grant access to the private network to their employees without exposing servers to the public Internet. Janus would definitely work in such conditions.

A.


Ju Ju

May 2, 2017, 3:28:37 PM
to Alessandro Amirante, meetecho-janus, Lorenzo Miniero, Alexandre Ferrieux
Hello Alessandro,

The VPN solution will work for employees, not for customers. In our case we have both. By the way, VPNs are not stable enough, slow and add overhead (and by "slow" I'm talking about VPN solutions for >100k employees, not a simple linux server under a desk); besides, their load can't be forecast. AFAIK there is nothing to proxy UDP with dynamic ports, so a NAT or exposing a public IP with only UDP ports is the same for me regarding security.
Of course the target solution will be to have 2 solutions: one for inside and one for outside, but meanwhile I think your feature « nat mapping » is the right solution… it is just not flexible enough for what I need.

Kr,
J-

Lorenzo Miniero

May 3, 2017, 3:15:18 AM
to meetecho-janus, lmin...@gmail.com
Messing with the interfaces or nat_1_1 mappings won't help, if we're talking real NATs here. As I said, you need two STUN servers, one for getting the public address from the outside (to talk to people on the internet) and one to get the NATted address from the inside (so the STUN server would need to listen on the 10.x LAN), but again, we don't currently allow the configuration of two STUN servers for Janus itself.

L.

Ju Ju

May 12, 2017, 2:15:33 PM
to meetecho-janus, lmin...@gmail.com
update:

We made a patch and it is working!

So now I can have both external (internet) users and corporate users without my server being double attached to the internet and the corporate network (for security matters)

The patch works like this:

I'm using the mapping variable in janus.cfg -> instead of 1 unique IP address which overwrites every interface IP in the ICE candidates, we set a list of IPs, one per available interface, separated with a ","

I could raise a PR if someone has the same use case

Mirko Brankovic

May 12, 2017, 2:48:21 PM
to meetecho-janus
I guess the PR is always welcome, so that we can see what is going on


Lorenzo Miniero

May 13, 2017, 4:20:17 AM
to meetecho-janus
PRs are always welcome!

L.

Ju Ju

May 13, 2017, 8:22:24 AM
to meetecho-janus
Ok I will raise a PR as soon as I have a clean patch

Ju Ju

May 15, 2017, 12:47:46 PM
to meetecho-janus
Ok I will do a new PR as soon as I understand how github works :D

For those who have the same need I had, I give the patch here, based on yesterday's master branch

How does it work?

instead of having 1 IP address like before

;nat_1_1_mapping = 1.2.3.4

you have to set up 1 IP address for each interface (with a valid IP address) your server has, separated with a comma

for instance if you have
eth0: 192.168.1.2
eth1: 192.168.2.2
eth6: 193.252.1.1

and you want to NAT only eth0 and eth1, set it up like this

;nat_1_1_mapping = 1.2.3.4,2.3.4.5,193.252.1.1

If you don't enter enough IPs you will have a warning.
janus-orange.patch
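As an added illustration of the per-interface mapping described in this post (this is not the attached patch nor Janus's own code; it uses plain libc instead of GLib), the following C program applies a comma-separated nat_1_1_mapping value to a constructed list of interfaces in order and warns when the list is shorter than the interface count. The struct, function name and the fallback that an unmapped interface keeps advertising its bound address are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

#define ADDR_LEN 46   /* enough for an IPv6 literal */

/* One interface of the Janus host: the bound address and the address that
 * ends up in the ICE host candidate. Names and fields are constructed here. */
typedef struct {
    const char *name;          /* e.g. "eth0" */
    const char *host_addr;     /* address actually bound on the interface */
    char advertised[ADDR_LEN]; /* address written into the ICE candidate */
} iface_t;

/* Apply a comma-separated per-interface nat_1_1_mapping value, e.g.
 * "1.2.3.4,2.3.4.5,193.252.1.1", to ifaces[0..n-1] in order. Returns the
 * number of interfaces that received no entry (0 = fully mapped). Unmapped
 * interfaces keep advertising their bound address; that fallback is an
 * assumption of this example, not documented behaviour of the patch. */
int apply_nat_mapping(const char *mapping, iface_t *ifaces, int n) {
    int i;
    for (i = 0; i < n; i++)   /* default: advertise what is bound */
        snprintf(ifaces[i].advertised, ADDR_LEN, "%s", ifaces[i].host_addr);
    const char *p = mapping;
    for (i = 0; i < n && p != NULL && *p != '\0'; i++) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= ADDR_LEN) len = ADDR_LEN - 1;   /* truncate oversized token */
        memcpy(ifaces[i].advertised, p, len);
        ifaces[i].advertised[len] = '\0';
        p = end ? end + 1 : NULL;
    }
    if (i < n)
        fprintf(stderr, "[WARN] nat_1_1_mapping lists %d address(es) for %d "
                "interfaces; %d left unmapped\n", i, n, n - i);
    return n - i;
}

int main(void) {
    /* Constructed interfaces matching the example given in the post. */
    iface_t ifaces[] = {
        { "eth0", "192.168.1.2", "" },
        { "eth1", "192.168.2.2", "" },
        { "eth6", "193.252.1.1", "" },
    };
    int n = 3, unmapped = apply_nat_mapping("1.2.3.4,2.3.4.5,193.252.1.1", ifaces, n);
    for (int i = 0; i < n; i++)
        printf("%s %s -> candidate %s\n", ifaces[i].name, ifaces[i].host_addr, ifaces[i].advertised);
    return unmapped;   /* non-zero exit if the list was too short */
}
```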

Lorenzo Miniero

May 15, 2017, 12:57:15 PM
to meetecho-janus
Please make sure the code aligns to our own coding style, though, e.g., in terms of indentation, variables initialization and stuff like that.
I noticed you added a splitme method that is unneeded: g_strsplit does what you need already.

L.

Ju Ju

May 16, 2017, 1:52:34 PM
to meetecho-janus
Hum, we are not very skilled with GLib so we won't be able to do it, sorry :(
Anyway, what we did could be seen as a proof of concept...