Amazon EC2 instance – default configuration


Julian Lepinski

Oct 24, 2014, 9:22:41 PM10/24/14
to turn-server-project...@googlegroups.com
Hey,

I was overjoyed to find out that you guys have taken the time to create an EC2 AMI for this software. My goal has been to set up an EC2 instance running the rfc5766 software and confirm it works in place of the current TURN server I have been testing with (a free TURN server from Viagenie.ca, which has worked wonderfully so far). As such, I'm not worried about changing any of the default config – I just want to start by confirming that everything is working, before worrying about customizing credentials or logging or anything else.

So here's the issue I've had: from the EC2 docs here, it seems like the only thing I should need to configure is the instance's public IP address. I've done that, and rebooted, but when I've tried to connect in using the default credentials it doesn't seem to be working properly.

I'm not sure where to go to start diagnosing this. If it's helpful, I've attached the log file from my server. I notice that it seems to be using my private Amazon IP address instead of my public one as a listening address – is that correct? I've redacted it in the logs below because I'm not sure if publicizing it is a security risk with a default-config server. It's been replaced with [AMAZON_PRIVATE_IP_REDACTED].


0: log file opened: /var/tmp/turn_1835_2014-10-25.log
0: RFC 3489/5389/5766/5780/6062/6156 STUN/TURN Server
Version Citrix-3.2.4.5 'Marshal West'
0: Max number of open files/sockets allowed for this process: 33000
0: Due to the open files/sockets limitation,
max supported number of TURN Sessions possible is: 16500 (approximately)
0: 
==== Show him the instruments, Practical Frost: ====

0: TLS supported
0: DTLS supported
0: Redis supported
0: PostgreSQL supported
0: MySQL supported
0: OpenSSL compile-time version 0x100010af: fresh enough
0: Default Net Engine version: 3 (UDP thread per CPU core)

=====================================================
0: Config file found: /etc/turnserver.conf
0: Config file found: /etc/turnserver.conf
0: MySQL DB connection success: host=127.0.0.1 dbname=turn user=turn password=turn connect_timeout=30
0: SSL23: Certificate file found: /usr/local/etc/turn_server_cert.pem
0: SSL23: Private key file found: /usr/local/etc/turn_server_pkey.pem
0: TLS1.0: Certificate file found: /usr/local/etc/turn_server_cert.pem
0: TLS1.0: Private key file found: /usr/local/etc/turn_server_pkey.pem
0: TLS1.1: Certificate file found: /usr/local/etc/turn_server_cert.pem
0: TLS1.1: Private key file found: /usr/local/etc/turn_server_pkey.pem
0: TLS1.2: Certificate file found: /usr/local/etc/turn_server_cert.pem
0: TLS1.2: Private key file found: /usr/local/etc/turn_server_pkey.pem
0: TLS cipher suite: DEFAULT
0: DTLS: Certificate file found: /usr/local/etc/turn_server_cert.pem
0: DTLS: Private key file found: /usr/local/etc/turn_server_pkey.pem
0: DTLS cipher suite: DEFAULT
0: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
0: ===========Discovering listener addresses: =========
0: Listener address to use: 127.0.0.1
0: Listener address to use: [AMAZON_PRIVATE_IP_REDACTED]
0: Listener address to use: ::1
0: =====================================================
0: Total: 1 'real' addresses discovered
0: =====================================================
0: NO EXPLICIT RELAY ADDRESS(ES) ARE CONFIGURED
0: ===========Discovering relay addresses: =============
0: Relay address to use: [AMAZON_PRIVATE_IP_REDACTED]
0: Relay address to use: ::1
0: =====================================================
0: Total: 2 relay addresses discovered
0: =====================================================
0: Cannot create pid file: /var/run/turnserver.pid
0: pid file created: /var/tmp/turnserver.pid
0: IO method (main listener thread): epoll (with changelist)
0: Redis DB async connection success: ip=127.0.0.1 dbname=1 password=turn port=6379 connect_timeout=30
0: WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided
0: Wait for relay ports initialization...
0:   relay [AMAZON_PRIVATE_IP_REDACTED] initialization...
0:   relay [AMAZON_PRIVATE_IP_REDACTED] initialization done
0:   relay ::1 initialization...
0:   relay ::1 initialization done
0: Relay ports initialization done
0: IO method (general relay thread): epoll (with changelist)
1: turn server id=0 created
1: IPv4. UDP/DTLS listener opened on: 127.0.0.1:3478
1: Cannot create TLS listener
1: IPv4. UDP/DTLS listener opened on: 127.0.0.1:5349
1: IPv4. UDP/DTLS listener opened on: [AMAZON_PRIVATE_IP_REDACTED]:3478
1: IPv4. UDP/DTLS listener opened on: [AMAZON_PRIVATE_IP_REDACTED]:5349
1: IPv6. UDP/DTLS listener opened on: ::1:3478
1: IPv6. UDP/DTLS listener opened on: ::1:5349
1: Total UDP servers: 0
1: Total General servers: 1
1: Cannot create TLS listener
1: Cannot create TLS listener
1: Cannot create TLS listener
1: Cannot create TLS listener
1: Cannot create TLS listener
1: IO method (cli thread): epoll (with changelist)
1: Cannot create CLI listener
1: IO method (auth thread): epoll (with changelist)
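As an added example (not from the poster or from the turnserver project), a small parser for the startup log above that reports the things the first-run checks in this thread depend on: which listener addresses and ports actually opened, how many TLS listeners failed, whether the CLI listener failed, and which lines carry database passwords in clear (the MySQL and Redis connection strings above print password=turn, which is worth redacting before a log is posted publicly). The embedded log is an excerpt of the one in the post, with the poster's [AMAZON_PRIVATE_IP_REDACTED] placeholder kept; a non-loopback listener on the instance's private address is the expected shape on EC2, where the public address is NATed to the private one.

```python
"""Audit an rfc5766-turn-server startup log (added example, not project code)."""
import re

# Excerpt of the startup log posted above; the placeholder is the poster's own
# redaction, so this is constructed input for the example, not a live capture.
SAMPLE_LOG = """\
0: MySQL DB connection success: host=127.0.0.1 dbname=turn user=turn password=turn connect_timeout=30
0: NO EXPLICIT LISTENER ADDRESS(ES) ARE CONFIGURED
0: Listener address to use: 127.0.0.1
0: Listener address to use: [AMAZON_PRIVATE_IP_REDACTED]
0: Listener address to use: ::1
0: Relay address to use: [AMAZON_PRIVATE_IP_REDACTED]
0: Relay address to use: ::1
0: Redis DB async connection success: ip=127.0.0.1 dbname=1 password=turn port=6379 connect_timeout=30
1: IPv4. UDP/DTLS listener opened on: 127.0.0.1:3478
1: Cannot create TLS listener
1: IPv4. UDP/DTLS listener opened on: 127.0.0.1:5349
1: IPv4. UDP/DTLS listener opened on: [AMAZON_PRIVATE_IP_REDACTED]:3478
1: IPv4. UDP/DTLS listener opened on: [AMAZON_PRIVATE_IP_REDACTED]:5349
1: IPv6. UDP/DTLS listener opened on: ::1:3478
1: IPv6. UDP/DTLS listener opened on: ::1:5349
1: Cannot create TLS listener
1: Cannot create TLS listener
1: Cannot create TLS listener
1: Cannot create TLS listener
1: Cannot create TLS listener
1: Cannot create CLI listener
"""

# Line shapes taken from the log format shown above.
LISTENER_RE = re.compile(r"^\d+: (IPv4|IPv6)\. (\S+) listener opened on: (.+):(\d+)$")
ADDRESS_RE = re.compile(r"^\d+: (Listener|Relay) address to use: (.+)$")
PASSWORD_RE = re.compile(r"\bpassword=\S+")


def is_loopback(addr):
    """True for addresses no remote client can reach."""
    return addr == "::1" or addr.startswith("127.")


def parse_listeners(log):
    """Return (family, transport, address, port) for every listener that opened."""
    listeners = []
    for line in log.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            family, transport, addr, port = m.groups()
            listeners.append((family, transport, addr, int(port)))
    return listeners


def parse_addresses(log, kind):
    """Addresses the server auto-discovered for kind 'Listener' or 'Relay'."""
    matches = (ADDRESS_RE.match(line) for line in log.splitlines())
    return [m.group(2) for m in matches if m and m.group(1) == kind]


def redact_credentials(line):
    """Blank the password value in a DB connection line before sharing the log."""
    return PASSWORD_RE.sub("password=<redacted>", line)


def audit(log):
    lines = log.splitlines()
    listeners = parse_listeners(log)
    relay_addrs = parse_addresses(log, "Relay")
    return {
        "listeners": listeners,
        # Ports a client could reach once the instance security group allows them.
        "reachable_ports": sorted({p for _, _, a, p in listeners if not is_loopback(a)}),
        "tls_listener_failures": sum(l.endswith("Cannot create TLS listener") for l in lines),
        "cli_listener_failed": any(l.endswith("Cannot create CLI listener") for l in lines),
        "credential_lines": [l for l in lines if PASSWORD_RE.search(l)],
        # At least one relay address must be reachable or allocations are useless.
        "relay_reachable": any(not is_loopback(a) for a in relay_addrs),
    }


def report(log):
    """Plain-text findings, returned as a list of lines."""
    f = audit(log)
    out = ["reachable listener ports: %s" % f["reachable_ports"]]
    if f["tls_listener_failures"]:
        out.append("TLS listener failed %d time(s); TLS on the tls port will not work"
                   % f["tls_listener_failures"])
    if f["cli_listener_failed"]:
        out.append("CLI listener failed; the management CLI is unavailable")
    if not f["relay_reachable"]:
        out.append("no relay address outside loopback; relays cannot serve peers")
    for line in f["credential_lines"]:
        out.append("credential in log, redact before posting: " + redact_credentials(line))
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

The parser is anchored on the exact line shapes visible in the log, so it says nothing about why a listener failed; it only makes the failures and the leaked connection strings impossible to miss when reading a pasted log.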

Oleg Moskalenko

Oct 25, 2014, 12:47:48 AM10/25/14
to Julian Lepinski, turn-server-project...@googlegroups.com
I suppose that you edited the file /etc/turnserver.conf correctly. You had to change the public and the private IP addresses there.

You have to be starting/stopping the turn server with commands:

$ sudo /etc/init.d/rfc5766-turn-server stop
$ sudo /etc/init.d/rfc5766-turn-server start

That AMI is pretty well tested, it must work fine, if you set everything properly, including the instance firewall settings.

Oleg



--
You received this message because you are subscribed to the Google Groups "TURN Server (Open-Source project)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to turn-server-project-rfc57...@googlegroups.com.
To post to this group, send email to turn-server-project...@googlegroups.com.
Visit this group at http://groups.google.com/group/turn-server-project-rfc5766-turn-server.
For more options, visit https://groups.google.com/d/optout.

Julian

Oct 25, 2014, 1:47:06 AM10/25/14
to turn-server-project...@googlegroups.com, lepi...@gmail.com
Oleg,

Thank you kindly for the quick reply – I believe it was indeed that the ports were being blocked by the default security group of the instance. I don't have a lot of experience with EC2, so it didn't occur to me to change that. 

In testing I simply opened access to all ports, which is clearly not what I want in practice. It seems like people are suggesting opening the following ports; does this make sense?

TCP 443
TCP 3478-3479
TCP 32355-65535
UDP 3478-3479
UDP 32355-65535

Thanks again!


-Julian

Oleg Moskalenko

Oct 25, 2014, 1:55:55 AM10/25/14
to Julian, turn-server-project...@googlegroups.com
Julian, the port range to open is up to you. The default configuration requires the ports that you posted. The general rule is that two types of ports have to be open:

1) TURN listening ports. The defaults are 3478 and 3479. Port 443 is used by some people to get through tough firewalls. Any port(s) can be configured as listening port(s) (and then those ports have to be open in the firewall).
2) TURN relay ports - the range of ports where the TURN server allocates the relay endpoints. Those ports have to be open, too.

Check the /etc/turnserver.conf and the docs for the default and current ports settings.

Regards,
Oleg



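The two port classes described in the reply above, as an added example (not the project's code and not the AMI's configuration): a POSIX shell snippet that reads the listening and relay port settings out of a turnserver.conf and prints the matching aws ec2 authorize-security-group-ingress commands, so the security group is derived from the file instead of from a remembered port list. The key names (listening-port, tls-listening-port, alt-listening-port, alt-tls-listening-port, min-port, max-port, cli-port) are turnserver.conf options; the config text itself is constructed sample data, the relay range uses the 49152-65535 that the stock turnserver.conf ships commented out (narrower than the 32355-65535 posted earlier in the thread), and the security group ID is a placeholder.

```sh
#!/bin/sh
# Added example for this thread, not project code: turn a turnserver.conf into
# EC2 security-group ingress rules. Sample config is constructed for the example.
SAMPLE_CONF='
listening-port=3478
tls-listening-port=5349
alt-listening-port=3479
alt-tls-listening-port=5350
min-port=49152
max-port=65535
# cli-port=5766 is the local management CLI; it must stay unreachable from outside
'

# conf_get KEY CONF: value of the first uncommented "KEY=<number>" line, or empty.
conf_get() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1=\([0-9][0-9]*\).*/\1/p" | head -n 1
}

# turn_ingress_rules CONF SG_ID: print one aws-cli command per rule (nothing is executed).
turn_ingress_rules() {
    conf="$1"
    sg="$2"
    # 1) TURN listening ports: clients connect here over UDP and TCP; the tls ports
    #    carry TLS over TCP and DTLS over UDP, so both protocols are opened for each.
    for key in listening-port tls-listening-port alt-listening-port alt-tls-listening-port; do
        port=$(conf_get "$key" "$conf")
        [ -n "$port" ] || continue
        for proto in udp tcp; do
            printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol %s --port %s --cidr 0.0.0.0/0\n' \
                "$sg" "$proto" "$port"
        done
    done
    # 2) TURN relay ports: remote peers send to whichever relay endpoint was
    #    allocated in this range, from any address, so the whole range is opened.
    #    The TCP half is only needed if TCP relays (RFC 6062) are in use.
    lo=$(conf_get min-port "$conf")
    hi=$(conf_get max-port "$conf")
    if [ -n "$lo" ] && [ -n "$hi" ]; then
        for proto in udp tcp; do
            printf 'aws ec2 authorize-security-group-ingress --group-id %s --protocol %s --port %s-%s --cidr 0.0.0.0/0\n' \
                "$sg" "$proto" "$lo" "$hi"
        done
    fi
}

# Stand-alone use: review the commands before running them against a real group.
turn_ingress_rules "$SAMPLE_CONF" sg-0123456789abcdef0
```

Because the commented cli-port line is skipped by conf_get, no rule is ever emitted for the management CLI; the init-script stop/start from the earlier reply is still needed after editing the config, and the instance security group is what this snippet covers, not any host firewall inside the AMI.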

Julian

Oct 25, 2014, 3:23:07 AM10/25/14
to turn-server-project...@googlegroups.com, lepi...@gmail.com
Great. Thanks again for the information – it's been quite helpful.