Proper firewall config for testing proper setup of TURN server


Chad Phillips
Apr 5, 2017, 2:31:13 AM
to meetecho-janus
I've set up coturn (https://github.com/coturn/coturn) as a STUN/TURN server. In the WebRTC client, my iceServers config is:

    "iceServers": [
      {
        "url": "turn:[ip]:80",
        "username": "xxxxx",
        "credential": "xxxxx"
      },
      {
        "url": "turn:[ip]:80?transport=tcp",
        "username": "xxxxx",
        "credential": "xxxxx"
      },
      {
        "url": "turns:[ip]:443",
        "username": "xxxxx",
        "credential": "xxxxx"
      }
    ],

FIRST QUESTION:

I've tested candidate gathering for each of the above ICE configs individually (at https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/), and each seems to generate the appropriate candidates (the first STUN/TURN, the second TURN/TCP, the third TURN/TLS).

So far so good. Now, I want to create some firewall rules to test the operation, and in this regard I'm not quite sure I completely understand how to do that. Here's what I think would be the proper firewall settings to test each case; I would love somebody to confirm I'm correct, or point out where I've messed up :)

TURN:
 - Default policy DROP for INPUT, OUTPUT, FORWARD chains
 - Allow web server TCP traffic in and out
 - Allow UDP in/out for TURN server port

TURN/TCP:
 - Allow all TCP in/out
 - Block all UDP in/out (except DNS queries)

TURN/TLS:
 - Default policy DROP for INPUT, OUTPUT, FORWARD chains
 - Allow TCP traffic in/out to TURN server port (443 is sensible here, since it would also be open for HTTPS traffic from the browser)
 - Allow UDP DNS queries

SECOND QUESTION:

In each of the above cases, how does the media flow to/from the TURN servers -- specifically, does any of the media in any of these cases flow via UDP?

THIRD QUESTION:

Are there any other TURN configs I should be adding to the above iceServers config in order to cover all possible cases where TURN may need to be used?

Mirko Brankovic
Apr 5, 2017, 3:18:52 AM
to meetecho-janus
Seems legit to me.
Just make sure you also add the port range that you used on Coturn to the rule.

--
Regards,
Mirko
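As an added example that is not part of the thread (and not coturn's or Janus's own code), here is a small POSIX shell script that turns the three client-side rule sets from the question, plus Mirko's point about the coturn relay port range, into concrete iptables commands. The addresses and ports are assumptions: 203.0.113.10 stands in for the TURN server's "[ip]", 198.51.100.20 for the web/signalling server, and the relay range is coturn's default min-port/max-port. It only prints the commands unless APPLY=1 is set. The TURN/TCP case is stricter than "allow all TCP": it opens TCP only to the TURN server and the web server, so the only UDP the client can emit is DNS.

```sh
#!/bin/sh
# Added example, not from the thread: iptables rule sets for a WebRTC test
# client (one per TURN transport under test) and for the coturn host.
# All addresses/ports below are assumptions for illustration.
# Dry run by default (prints the commands); APPLY=1 executes them (root).
TURN_IP="${TURN_IP:-203.0.113.10}"     # stands in for "[ip]" in the thread
WEB_IP="${WEB_IP:-198.51.100.20}"      # web/signalling server (HTTPS)
TURN_PORT="${TURN_PORT:-80}"           # turn:[ip]:80 and ...:80?transport=tcp
TURNS_PORT="${TURNS_PORT:-443}"        # turns:[ip]:443
RELAY_MIN="${RELAY_MIN:-49152}"        # coturn min-port default
RELAY_MAX="${RELAY_MAX:-65535}"        # coturn max-port default

run() {
  if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# Baseline shared by every client scenario: DROP everything, then admit
# loopback, replies to flows we allow (conntrack), DNS, and HTTPS to the web
# server. Without the ESTABLISHED,RELATED rule a DROP default on INPUT would
# also discard the TURN server's replies, and every scenario would "fail".
client_baseline() {
  run iptables -F
  run iptables -P INPUT DROP
  run iptables -P OUTPUT DROP
  run iptables -P FORWARD DROP
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  run iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  run iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
  run iptables -A OUTPUT -p tcp -d "$WEB_IP" --dport 443 -j ACCEPT
}

# client_rules turn-udp | turn-tcp | turn-tls
# Opens exactly one path to the TURN server, so a successful call proves that
# transport works on its own.
client_rules() {
  client_baseline
  case "$1" in
    turn-udp) run iptables -A OUTPUT -p udp -d "$TURN_IP" --dport "$TURN_PORT" -j ACCEPT ;;
    turn-tcp) run iptables -A OUTPUT -p tcp -d "$TURN_IP" --dport "$TURN_PORT" -j ACCEPT ;;
    turn-tls) run iptables -A OUTPUT -p tcp -d "$TURN_IP" --dport "$TURNS_PORT" -j ACCEPT ;;
    *) echo "usage: client_rules turn-udp|turn-tcp|turn-tls" >&2; return 2 ;;
  esac
}

# Server side (the coturn host): the listening ports, plus the UDP relay range
# coturn allocates from (min-port/max-port in turnserver.conf). Media between
# coturn and the peer uses that range no matter which transport the browser
# used to reach coturn, so it has to be open for every scenario.
server_rules() {
  run iptables -A INPUT -p udp --dport "$TURN_PORT" -j ACCEPT
  run iptables -A INPUT -p tcp --dport "$TURN_PORT" -j ACCEPT
  run iptables -A INPUT -p tcp --dport "$TURNS_PORT" -j ACCEPT
  run iptables -A INPUT -p udp --dport "$RELAY_MIN:$RELAY_MAX" -j ACCEPT
}

# Usage: sh turn-fw.sh turn-tcp        (dry run)
#        APPLY=1 sh turn-fw.sh turn-tcp (applies on the test client)
if [ $# -gt 0 ]; then
  client_rules "$1"
fi
```

Run the client script for one scenario at a time, re-run the call, then flush and move to the next; the server rules stay in place throughout. If the relay range in turnserver.conf is not the default, set RELAY_MIN/RELAY_MAX to match, otherwise the TURN allocation succeeds but no media arrives.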

Lorenzo Miniero
Apr 5, 2017, 4:32:12 AM
to meetecho-janus
If the purpose is to check whether your TURN server works, you can also use the iceTransportPolicy:"relay" setting, which will instruct the browser to force going on TURN. Only set a single TURN server for each test, use that policy, and the browser should end up picking the server you specified: if it works, you're set. As to how the media is transported, that depends on the chosen TURN server: where you see ?transport=tcp, TCP will be used between the browser and the TURN server: it's always UDP between the TURN server and Janus instead.

L.

Chad Phillips
Apr 8, 2017, 11:48:08 AM
to meetecho-janus
Lorenzo,

Awesome tip, thank you! I was able to verify all three settings as working properly. Then I followed up by doing some firewall restrictions to make sure it would work in the 'real world'. Performed perfectly.

I must say, for something so critical to a production WebRTC installation, it's difficult to find comprehensive documentation. It's out there, but I really had to piece it together.