Integrating WEBRTC app with TURN SERVER

[Tomasz G]

Hi,

I am sure that the most people involved in the project are also involved in WEBRTC.

So I hope that experienced people will share their experience with me and others.

Simply, I am going run locally popular example of WEBRTC app:

https://github.com/webrtc/apprtc

And based on this example I am going build simple, but efficient video chat app.

The apprtc installed, and even works locally  without turn server ( "Same origin policy" don't allow use Google TURN server, which works only from  https://apprtc.appspot.com: access-control-allow-origin:"https://apprtc.appspot.com").

But I know that in real internet world (nats and firewalls) I need turn server.

I knew about this project: https://code.google.com/p/rfc5766-turn-server/ from apprtc tutorials.
But some chinese guys (I am Polish :) give me link to https://code.google.com/p/coturn/ in this tutorial:

http://io.diveinedu.com/2015/02/02/%E7%AC%AC%E4%BA%94%E7%AB%A0-WebRTC%E7%9A%84iOS%E6%A1%86%E6%9E%B6%E7%BC%96%E8%AF%91.html

Tutorial unfortunatelly don't solve my all questions, and don't help me integrate my app with turnserver - maby because of translations :)

So I have questions to this community.
1. I see (source->Changes) that a both projects are developed parallel with the same people. So can you tell me what turnserver I should use;

  +https://code.google.com/p/rfc5766-turn-server/
  +https://code.google.com/p/coturn/ 
  +or somethink else.

I need simplicity and efficient. I am not too eager install heavy packages like java, node.... Of course I like Python and JavaScript :) So please advice me witch turn server I need too use.

2. Another great source about webrtc and turnservers is:
https://www.webrtc-experiment.com/docs/STUN-or-TURN.html

There are some mentions about STUN server. Hmm, I think good solution is use STUN and TURN for fallback. I think it is for advanced users, but maby somebody have done it. Please tell me what install, how configure servers and if is possible to configure apprtc app via this simple settings:

LOOPBACK_CLIENT_ID = 'LOOPBACK_CLIENT_ID'

TURN_BASE_URL = 'https://computeengineondemand.appspot.com'

TURN_URL_TEMPLATE = '%s/turn?username=%s&key=%s'

CEOD_KEY = '4080218913'

3. I am trying integrate my apprtc with coturn:
 +apprtc: http://localhost:8080/?wstls=false

 +coturn: http://localhost: 3478

and I have questions:

a) Do I need execute some turnadmin commands, which are described in INSTALL guide?
Or it will be enaugh to run turnserver from example:
my_name@my_machine:~/WEBRTC/turnserver-4.4.5.2/examples/scripts/restapi$ ./secure_relay_secret.sh

which contains:

if [ -d examples ] ; then

       cd examples

fi

export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/

export DYLD_LIBRARY_PATH=${DYLD_LIBRARY_PATH}:/usr/local/lib/:/usr/local/mysql/lib/

PATH="./bin/:../bin/:../../bin/:${PATH}" turnserver -v --syslog -a -L 127.0.0.1 -L ::1 -E 127.0.0.1 -E ::1 --max-bps=3000000 -f -m 3 --min-port=32355 --max-port=65535 --use-auth-secret --static-auth-secret=logen --realm=north.gov --cert=turn_server_cert.pem --pkey=turn_server_pkey.pem --log-file=stdout -q 100 -Q 300 --cipher-list=ALL $@

b) When I open localhost: 3478 in browser I see:
"TURN Server
use https connection for the admin session:

What uri is for rest API?
http://localhost:3478/turn.php from chinese tutorial show the same page

http://localhost:3478/turn from example apprtc TURN_URL_TEMPLATE show the same page

c) In rest API I need pass some parameters: username and key. Is it enough?
Will be enough to simply add extra -u switch to turnserver command? Need I some extra configurations?

d) Are some other important issues, which person running apprtc app and coturn server should know?

4. Are some other important issues? 

[Tomasz G]

Additional question:

3. e) How solve "Same origin policy"? I am not going experiment with the same ports and nginx, but simply set "access-control-allow-origin" header to turnserver response. How do it without nginx proxy? Or maby some others solutions?

[Fernando Escardó]

I still haven't tested coturn so i cannot answer all your questions, but here are a few tips:

To decide between coturn and rfc576... this wiki should help you: https://code.google.com/p/coturn/wiki/diff2projects

STUN/TURN: In most WebRTC scenarios you should provide STUN and TURN. WebRTC peer browsers/apps will use ICE and decide, it is a little more complex but something basic  is like this:

* First try to comunicate directly (ie. local private IP)

* If there is NAT is where STUN comes in, will try to Public IP.

* If nothing works (both peer are have "incoming" ports closed), then will try TURN.

In general in your WebRTC app you don't need nothing special for that to work, just provide your ICE servers (STUN and TURN).

The more "complex" part is that for security you need to use the REST API before you provide ICE servers. Your APP should make a request to your webserver (YOU need to validate user first, not the turn server); if valid, from your server (code not visible to user as you will use long term credential) you need to request the TURN server for ephemeral credentials. Then provide that credentials to your app and populate your ICE server TURN with those.

STUN is light and low bandwidth so in general there is no need to secure it.

I suggest you read about ICE and some examples to get a much better idea.

"b) When I open localhost: 3478 in browser I see: 
"TURN Server 
use https connection for the admin session:"

When browsing to a secure webserver you need to use HTTPS in your URL or the browser/app will try http by default. In your case:

https://localhost:3478

Hope this helps you.

[Tomasz G]

Thanks Fernando for tips and information about TURN security needs.
Tomorrow I will deep experience with coturn - I decided use this STUN/TURN server.
I will notice you about results.