TURN/STUN Server
Configure Your Own TURN/STUN Server
TURN Server
Traversal Using Relays around NAT (TURN) is a protocol that assists in traversal of network address translators (NAT) or firewalls for multimedia applications. It may be used with the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). It is most useful for clients on networks masqueraded by symmetric NAT devices. TURN does not aid in running servers on well known ports in the private network through a NAT; it supports the connection of a user behind a NAT to only a single peer, as in telephony, for example.
Herein we will cover using CoTURN, a free open-source server which provides a feature-rich and standards compliant option for those wanting control over their own TURN/STUN server.
Red5 Pro WebRTC uses STUN over UDP as our default implementation.
Step-by-step Install on an Ubuntu Linux Server
Pre-build steps
1 - Update the install via apt
sudo apt-get update
2 - Ensure that build tools are installed
sudo apt-get -y install build-essential
All coturn downloads may be found here; the latest at the time of writing this guide is turnserver-4.5.0.8 download the tarball.
1 - Install the support libraries
sudo apt-get -y install sqlite libsqlite3-dev libevent-dev libssl-dev
2 - Download the source
wget http://turnserver.open-sys.org/downloads/v4.5.0.8/turnserver-4.5.0.8.tar.gz
3 - Un-tar the source
tar -xzvf turnserver-4.5.0.8.tar.gz
4 - Run configure
from source directory
cd turnserver-4.5.0.8
./configure
5 - Run make
make
6 - Run make install
as sudo
sudo make install
If all goes well, you'll see this at the end when make install
finishes:
1) If your system supports automatic start-up system daemon services, then, to enable the turnserver as an automatically started system service, you have to: a) Create and edit /etc/turnserver.conf or /usr/local/etc/turnserver.conf . Use /usr/local/etc/turnserver.conf.default as an example. b) For user accounts settings: set up SQLite or PostgreSQL or MySQL or MongoDB or Redis database for user accounts. Use /usr/local/share/turnserver/schema.sql as SQL database schema, or use /usr/local/share/turnserver/schema.userdb.redis as Redis database schema description and/or /usr/local/share/turnserver/schema.stats.redis as Redis status & statistics database schema description. If you are using SQLite, the default database location is in /var/db/turndb or in /usr/local/var/db/turndb or in /var/lib/turn/turndb. c) add whatever is necessary to enable start-up daemon for the /usr/local/bin/turnserver. 2) If you do not want the turnserver to be a system service, then you can start/stop it "manually", using the "turnserver" executable with appropriate options (see the documentation). 3) To create database schema, use schema in file /usr/local/share/turnserver/schema.sql. 4) For additional information, run: $ man turnserver $ man turnadmin $ man turnutils
7 - Configure the database
We're using the fastest available sqlite
. The db file is located at /usr/local/var/db/turndb
. By default, coturn uses SQLite database for users and settings. That database is automatically created (empty) when the process turnserver starts the first time. This step is only here for reference and flow.
8 - Add Admin User
Add the long-term TURN users with the turnadmin utility. For example, this command adds user prouser
with password 3TptDG7cAfz5TaXsda
, realm red5pro.com
, to the default sqlite database:
sudo turnadmin -a -u prouser -r red5pro.com -p 3TptDG7cAfz5TaXsda
Add the admin user(s) to the database, with turnadmin
utility. If you added those users, they will be able to connect to the TURN server ports over HTTPS from your browser and perform admin tasks with the web interface.
9 - Configure the server
Copy /usr/local/etc/turnserver.conf.default
to /usr/local/etc/turnserver.conf
(sudo cp /usr/local/etc/turnserver.conf.default /usr/local/etc/turnserver.conf
) then edit the turnserver.conf
file. Add or modify the following lines:
-
listening-ip=
set this to the IP of your server instance.- note: if your VM/server has a private IP and a public IP, then you will need to set the
listening-ip
to your private IP, and also configureexternal-ip=
to its public IP
- note: if your VM/server has a private IP and a public IP, then you will need to set the
realm=
set to your domain (eg, realm=company.com)- uncomment
no-loopback-peers
- uncomment
listening-port=3478
10 - Start the server
Options used for WebRTC with CoTURN:
- Run server process as daemon
-o
- Use long-term credentials mechanism
-a
- Fingerprinting
-f
Use fingerprints in the TURN messages. If an incoming request contains fingerprint, then TURN server will always add fingerprints to the messages in this session, regardless of the per-server setting. - Authentication realm
-r
The default realm to be used for the users when no explicit origin/realm relationship was found in the database. Must be used with long-term credentials mechanism or with TURN REST API. - If running CoTURN behind a NAT, you'll also need
-X
- To limit relay endpoint port ranges, use
--min-port
and--max-port
- For verbose output, use
-v
Special note for AWS:
- The
-L
option is not needed and may cause a failure to resolve server reflexive addresses
Command formats:
Provide only STUN over UDP without TURN / relay:
sudo turnserver -o --stun-only --no-tcp
Provide STUN and TURN functionality over UDP and TCP (options: a, f, and r are needed):
sudo turnserver -o -a -f -r red5pro.com
Click links for additional details on the turnserver and its configuration options.
Test TURN/STUN
Open a browser to Trickle ICE and add the server in the ICE servers
box, remove the google
entry and then click Gather candidates
; if everything is working you'll see output like this:
Time Component Type Foundation Protocol Address Port Priority 0.001 1 host 89435858 udp 10.0.0.5 35948 126 | 32542 | 255 0.037 1 srflx 976374523 udp 71.222.38.190 35948 100 | 32542 | 255 0.101 1 host 1272402466 tcp 10.0.0.5 9 9 0 | 32542 | 255 0.101 Done
Using your TURN/STUN Server with Red5 Pro
No modifications are required in Red5 Pro server since it has an internal harvester for ICE connectivity. Utilization of your TURN/STUN server, will require modification of the html-sdk or your own javascript to include the URI for your TURN/STUN server. The URI will be stun:<turn server's IP address>:3478
.
If you are using the default, live
, webapp, you will want to modify the following:
In webapps/live/script/r5pro-publisher-failover.js
and r5pro-subscriber-failover.js
, change the line var iceServers = window.r5proIce;
to var iceServers = [{ urls: "stun:stun.yourstunserver.domain.com:3478" }]
If you are using the webrtcexamples, you can set the stun
server address on the index.html page.
For further details about configuring the html-sdk see the Configure & Publish section at the link.
Lastly, in previous releases the
{red5pro}/conf/red5pro-webrtc.xml
could be modified, but if you don't modify the front-end/SDK settings then those will overrule the server-side configuration.
Troubleshooting
If you want to try testing with a specific TURN/STUN server that is not the default Google, you can find a list of STUN servers here: STUN + TURN servers list. For example, http://numb.viagenie.ca
allows you to create a free account and use their TURN server.