Coturn behind NAT, correct firewall setting for a range of ports #1471

Open
Sirpion opened this issue Apr 9, 2024 · 1 comment
Comments

@Sirpion

Sirpion commented Apr 9, 2024

Many recommendations say that for Coturn to work correctly, it is necessary to allow connections to the following ports (49152-65535) on the public IP address.

But there is information that Coturn (+SFU) can work with one public open port:

https://nextcloud-talk.readthedocs.io/en/latest/TURN/

The High Performance Backend uses a certain range of ports for WebRTC media connections (20000-40000 by default). A client could be behind a restrictive firewall that only allows connections to port 443, so even if the High Performance Backend is publicly accessible the client would need to connect to a TURN server in port 443, and the TURN server will then relay the packets to the 20000-40000 range in the High Performance Backend.

https://doc.quobis.com/ga/_downloads/d12076cb1871bf381f1caaa831da2a3e/sippo-wac-admin-guide-v4.1.pdf

| Origin | Origin port | Dest. service | Dest. port | Protocol | Description | Required |
|---|---|---|---|---|---|---|
| ucclient | n/a | turn-server | 443 | TCP | Media traffic | Yes |
| turn-server | n/a | sfu | 10000-18000 | UDP | Internal media traffic | Yes |

Visualization of the required operating mode:
https://www.twilio.com/docs/video/networking-considerations#2-udp-traffic-blocked-on-ports-10000---60000-but-allowed-on-port-3478

1. Will a scheme with one open port (example 3478) for external access (incoming connections) to the Coturn public IP address work?
2. If yes, can you provide a link to an example working configuration with one port allowed (+SFU)?

@MicheleTedesco

Hi Sirpion, your question is not an issue regarding the code of coturn. Would you please close your issue and ask your question in the coturn forum at https://groups.google.com/g/turn-server-project-rfc5766-turn-server ?
You need to understand the concept behind WebRTC, so you might look there for documentation first. Coturn is just doing what WebRTC requires, so the requirements are defined there.
Also you will have to provide further information for getting an answer: where do the clients reside, on the "same side" of the firewall as the coturn server? Where is the messaging server? ... In a typical setup with clients and turnserver behind a firewall and conferencing systems outside the firewall, the firewall can block all traffic initiated from outside to the coturn server. Only (typically UDP) communication from the internal clients to the coturn server and communication initiated by the coturn server to the outside has to be allowed.
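The following is an added example, not code from the coturn project or from either participant in this thread. It writes the firewall posture the comment above describes as a host-based nftables ruleset on the coturn server: clients and coturn are inside the firewall, the conferencing/SFU systems are outside, nothing initiated from the outside may reach coturn, and only client-to-coturn traffic on the listening port plus coturn-initiated outbound traffic is allowed. The interface names, the internal subnet and the DNS allowance are assumptions made for the example; 3478 is coturn's default `listening-port` and 49152-65535 is coturn's default `min-port`/`max-port` relay range.

```nft
#!/usr/sbin/nft -f
# Added example (not coturn's own configuration). Assumed layout:
#   lan0 = interface facing the internal clients on 10.10.0.0/16 (assumed)
#   wan0 = internet-facing interface (assumed)
# coturn listens on UDP/TCP 3478 (default listening-port) and allocates
# relay sockets from UDP 49152-65535 (default min-port/max-port).

define lan_if      = "lan0"
define wan_if      = "wan0"
define lan_net     = 10.10.0.0/16
define turn_port   = 3478
define relay_ports = 49152-65535

table inet turnfw {
    chain input {
        type filter hook input priority filter; policy drop;

        iif "lo" accept
        # Replies to flows coturn itself started: this is how media sent
        # back by the outside SFU to a relay port is admitted, without
        # opening the relay range to unsolicited traffic.
        ct state established,related accept
        ct state invalid drop

        # Internal clients may reach the TURN listener and nothing else.
        iifname $lan_if ip saddr $lan_net udp dport $turn_port accept
        iifname $lan_if ip saddr $lan_net tcp dport $turn_port accept

        # Explicit, counted drops for traffic from the outside toward the
        # listener and the relay range; the counters make attempts visible
        # in `nft list ruleset` even though the chain policy already drops.
        iifname $wan_if udp dport $turn_port   counter drop
        iifname $wan_if tcp dport $turn_port   counter drop
        iifname $wan_if udp dport $relay_ports counter drop
    }

    chain output {
        type filter hook output priority filter; policy drop;

        oif "lo" accept
        # Answers to the internal clients are covered by conntrack.
        ct state established,related accept

        # Relayed media leaving coturn's relay sockets toward the outside.
        oifname $wan_if udp sport $relay_ports accept

        # Anything else the host needs is listed explicitly instead of
        # leaving the output chain open (assumed: DNS only).
        oifname $wan_if udp dport 53 accept
        oifname $wan_if tcp dport 53 accept
    }
}
```

Load it with `nft -f` and review `nft list ruleset` afterwards. The design relies on the stateful rule: a packet from an outside peer to a relay port is accepted only after coturn has sent to that peer from that port, which is also the order TURN imposes, since coturn forwards nothing from a peer until the client has created a permission for it. If the relay sockets are bound to a private address and the outside SFU must reach them through NAT, the address advertised to clients is controlled with coturn's `external-ip` option, and the NAT in front of the host must map the relay range back to the coturn host.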
