Are STUN servers really necessary? - webrtc

In the WebRTC signalling process, I have to find my own public IP address with my port by doing a request to a STUN server. But does it really need to be this complex?
Couldn't I just send a request to the router of my subnet and get its IP address and the port it opened for me? Or even better, I store directly my public address in my computer and the router notifies me whenever it changes. The browser would give an API to get this public address directly. No need to use a STUN server. Why don't we do this instead?
Thank you for your help.

These are all great questions.
Couldn't I just send a request to the router of my subnet and get its IP address and the port it opened for me?
There's an old protocol called uPnP that will dynamically open a port mapping for you - provided the router supports it. A lot of routers used to support it. Not sure how standard it is now.
Even if routers were intelligent and there was a standard signaling mechanism in place, STUN (or something equivalent for STUN is still needed) for the following scenario.
Carrier NAT is when your ISP is sharing a public IP address with multiple routers. That is, your router's public IP address as configured by the ISP when it starts, is really just another private IP address. Upstream, there's a "bigger router" that is sharing the public IPv4 address with multiple other customers. That is, your PC might think it's IP address is 192.16.1.2, and your router reports that it's own IP address is 10.0.0.2. And the actual public IP address, 1.2.3.4, is shared with other customers. STUN solves this problem because the outbound packet to the public STUN server will go through both NATs - creating port mappings along the way.
Or even better, I store directly my public address in my computer and the router notifies me whenever it changes
Because establishing an effective P2P/WebRTC connection is more than knowing your public IP Address. It also involves knowing what "port" to use as well. While most routers will attempt to preserve the local port of the socket the client PC is using in the mapping (e.g. 10.0.0.2:9876 maps to 1.2.3.4:9876). This isn't always the case - another node could be using port 9876 on your network and/or many NATs just pick a randomly available port for the mapping. At the end of the day, you have to signal to the other side of your P2P/WebRTC connection "which IP" and "which port" to use.
The browser would give an API to get this public address directly.
There are plenty of sites such as whatismyipaddress.com that will tell you your IP address. But if there's a HTTP proxy server involved (explicitly configured on the PC or silently deployed on the network), the web service will only see the proxy IP address. Further HTTP(S) is a TCP based protocol. STUN and WebRTC are UDP based.

Related

Need help changing my website's name / address

this might sound a bit amateur-ish but I'm in a bit of a situation here.
So I created myself a website and managed to get it working on localhost, I tried port forwarding ports 80,443 but nothing helped, So next thing I'm googling around and I read about ngrok and it actually worked. Got it working on a long randomly generated domain but the problem is that I want to use the one that I have from no-ip.com. How can I do that please? I'm very lost here.
Software being used: Xampp (Apache,MySQL)
I've reserved a DHCP ip-address for my PC in my router's settings, hopefully that helps? I don't know. Help me internet.
There are a whole bunch of possible reasons that this might not work. Here are a few of them.
Your ISP
Even if you have port forwarding set up properly on your router, it is still possible that you cannot do what you want.
First, many ISPs block serving websites from residential internet connections. Connections to port 80/443 will never even reach your router. You might try experimenting by forwarding a different port number (such as 8000 instead of 80) to see if the traffic can get through on that port. (However, that will not work as a practical solution since your users will not know to use an alternate port and your ISP can choose to terminate your service if you are violating the terms of your agreement.)
Second, due to the exhaustion of public IPv4 addresses, some ISPs are implementing Carrier-Grade NAT (CGNAT, a.k.a. Large-Scale NAT - LSN). Instead of giving your router a public IP address, they give your router a private IP address inside their network. Once again, connections to port 80/443 (or any other port for that matter) will never reach you. You can check if you are behind CGNAT by going to your router's setting and finding the public IP address, then going to https://whatsmyip.com/ and seeing if it is the same or different. (In theory, you should be able to tell that you have CGNAT if your router's IP address is between 100.64.0.0 - 100.127.255.255, but in practice some ISPs use other private network ranges too, such as 10.0.0.0 - 10.255.255.255.)
The reason Ngrok works for you is because Ngrok opens a tunnel from your computer to their cloud servers and sends the traffic through that tunnel.
DNS
You mentioned in the comments that you have the DNS set to resolve the private IP of your computer. That certainly will not allow users on the public internet to get to your site, because they cannot connect to your address.
However, you also mentioned in the comments that if you change the DNS to point to your public IP, it doesn't work from either inside or outside. This could mean your problem is one of the ISP issues described above. It could also mean that your router does not support Hairpin-NAT (a.k.a. NAT Reflection), which is how the router would be able to redirect local traffic back to the local server instead of trying to send it out over the internet.
Firewall
Your computer's firewall can look at the source IP address of the incoming traffic, and it might be set not to allow external access to your web server. DO NOT DISABLE YOUR FIREWALL to try to get around this. Instead, you need to add a specific exception to the firewall rules to allow the incoming traffic. How you do this will depend on your operating system.

WebRTC STUN server purpose

I understand the purpose of STUN and TURN servers and their use in WebRTC, but I don't fully get:
If I as a WebRTC client have already logged in to use the WebRTC service, wouldn't this service already have my public IP address? Why does it need to be found a second time by the STUN server?
Short answer: Because Proxies and NATs.
Lots of reasons:
The web server knows your public IP address for the established TCP connection, but for the subsequent P2P communications over UDP, it doesn't know how your local NAT will map the port (or which port its using).
You could be on a network in which all HTTP/HTTPS traffic goes over a proxy. Hence, the WebRTC service only knows the address of your proxy.
The WebRTC service itself could have a front end load balancer. Hence, it only knows the IP address of the load balancer.
The two endpoints attempting to do a WebRTC session may actually be behind the same NAT. Hence, the public IP address isn't as useful.
But the primary reason is around port prediction as discussed in #1 above. Address exchange over ICE or WebRTC involves not just exchanging IP Addresses, but also, UDP ports as well. Even if the web server knows the client's actual IP address, the web server can not infer what UDP port it will use for media traffic.

Is ICE Necessary for Client-Server WebRTC Applications?

I have a WebRTC MCU (kurento) running on a public IP address
serving some clients that only send or only receive audio
So every clients is directly connected with MCU (not with each other ) that has a public IP address .
Q1: Is there still a necessity to use STUN and TURN for NAT traversal ?? if so Why ??
Q2: Is there any hack in WebRTC in browser that would remove the need for STUN and TURN ?
In my opinion : most of client-server architectures do not have any difficulty with clients behind NAT .What's the difference here with webrtc?
Yes ICE is absolutely must for WebRTC.
Q1: Is there still a necessity to use STUN and TURN for NAT traversal
?? if so Why ??
For your scenario you don't need to use STUN or TURN. Let me explain why.
Every client that are in private network is under some kind of NAT which has a public IP address. Outside world doesn't know this client's private IP address and even if they knew they can't connect with the client without knowing that public IP address. STUN server is used to gather this public IP address.
So if your server wants to initiates the connection then it needs the client to send its NAT's public IP. Client will use STUN server to know its public IP and send it to the server. But if client initiates the connection then there is no need to know the NAT's public IP. Client can send packets to the public server to initiate the connection. Server can know the cilents public IP from the clients packet and then they can connect. So no need for STUN.
Your server is doing TURN's role in this scenario. So you don't need TURN server.
Q2: Is there any hack in WebRTC in browser that would remove the need for STUN and TURN ?
There is no hack. Depending on scenarios TURN/STUN is used. For your scenario you don't need. If you wanted to make client-client connection then you would have needed STUN server.
ICE is mandatory
but using any stun and turn server is not.
since you are connecting to a server on a public port, you NEVER need to use a TURN server, but depending the kind of NAT/Firewall your clients are behind, you might need a STUN server
you do not need to modify the browsers at all. The application decides wether to use a stun server or not. if you pass an empty "iceservers" parameter to your peerconnection object at creation, the ICE UA in your browser will only generate host (local) candidates.

How to connect to my apache localhost from a different network?

I am able to connect it if the two devices are in the same network but for example, if I use 4G on my android and turn of the wifi and try to connect to http://computer-ip-address then it just hangs and eventually errors out saying count not connect. The apache server is hosted in my local mac, and I've disabled my firewall temporarily. Any ideas on how to get a device using a different network to connect to my apache server on my local network?
You will need to configure your router so that it will forward port 80 from external to your mac.
Then, you can open http://your-public-Internet-ip on your mobile phone, effectively visiting your local web server.
If you don't like to remember your ip address, especially if you are on the go, the answer is dyndns or any free alternative, e.g. http://www.no-ip.com/services/managed_dns/free_dynamic_dns.html.
Using such a service, you will be able to enter http://yourname.service.com into your mobile phone. You will either have to configure your router to always tell this service your current IP (check your router for supported services) or run a tiny program on your mac which will handle this.
You need to enable port forwarding on your router to forward TCP 80 (and possibly TCP 443 if you are using SSL) to your web servers IP address.
Once done, you should be able to access your site via your routers public IP address.
Take note that of your web server is using a dynamic address provided by DHCP, your IP may change and this would stop it from working. I suggest you give your web server a static IP address to stop this.
You will probably have a dynamic IP on your router as well, so you can request a static one from your ISP or you can sign up for a dynamic DNS service.
If you post the model of your router, we may be able to give you more specific instruction on setting up port forwarding.
i hope your httpd.conf is set with port listening to
Listen 80
also, you can only access your site from your LAN otherwise, your server would need to be reachable from a public IP address, not a private one over an internet 4g connection, that means a diferent network
bonus points, if you try to reach your server from an external address, did you configure portforwarding on your router ?
If you could immediately and immediately connect to your localhost using your 4G network, then most likely anyone on the internet could do the same. It is important to understand that there are two components to the answer to your question:
Securing HTTP access (port 80 or whichever) from the internet. You probably don't want to open a wide door to your local network.
Configuring addressing from your client (in this case your phone) to your local computer (in this case your Mac). If the latter does not have a public IP address, then you will have to configure your client to hit your router instead, and to configure your router to forward accordingly.
Given that this is mostly system configuration work, I'm guessing that Serverfault would be a better place to find a satisfying answer.

IP Address using VB.Net Code

What kind of IP address does whatismyip.com provide?
How can I get it using VB.Net code?
Also what is IP port?
Thanks
Furqan
PART 1
Okay, let's pretend you have a router in your house and that you have several computers in your house all connected to the internet through your router.
In order for the router to know where traffic goes on your network, it assigns unique IP Addresses to all computers on your home network (Usually beginning with 192.168.x.x). These IP addresses are local ip addresses, meaning only your router and computers/devices connected to it in your house knows about them. If you open a command prompt and do command IPConfig you will see the IP address that your router has assigned your computer.
So what is the IP address that WhatIsMyIP.com showing you? In much the same way that your router assigns addresses to all the computers on your network, your internet service provider hands out unique IP addresses to all of their customers. Now, because you have a router, the only thing the ISP can see on your network is that router and your ISP assigns an IP address to it. This is why routers are also called hardware firewalls, because people on the other side of it, can't tell how many computers or devices are connected to it.
What this means is, when you are visiting websites on the internet, the only IP address they see is your routers external IP address (the one assigned by your ISP). So no matter which computer in your house you use, the website wouldn't know the difference because all it can see is your router's IP address. Go ahead and try it; go to www.WhatIsMyIP.com on several different computers in your house. You will see that they all show the same IP address. However, if you did IPConfig in your command prompt on each computer, that shows you the local address your router assigned and it would be different on every computer in your home.
So, now that you understand the difference between local and external IP addresses, how would you retrieve your external IP address in VB or C# .net code that is running on your PC? Well the only IP address your computer is actually aware of is that local IP that we talked about. The only way you can see your external IP address is to go to a website that tells you what address the request came from (which would be your router's IP address).
What you would need to do is write up some code in your VB.net program that would navigate out to WhatIsMyIP.com (or some other website that can give you your IP address) and tell the code to grab it. I have written a web service located at http://www.u413.com/test/terminal/myip that returns only your IP address as the entire HTTP response. Find something similar though for your application because this little sample will not stay there forever; I only put it up there as a temporary example on a domain I already own.
Visit http://www.vbdotnetheaven.com/UploadFile/kbawala/WebRequestClass04182005054320AM/WebRequestClass.aspx to see how to make web requests from code running on your computer.
NOTE: You may not be aware of what DNS is either if you are unaware of how IP addresses work. Everything on the net has an IP address, including the servers that serve up website pages. But what a pain that would be, trying to remember up to 12 digit IP addresses for all your favorite websites. That is what DNS servers were invented for. DNS servers take a domain name (e.g. www.facebook.com) and translates it into the correct IP address. That way all you need to remember is facbook.com instead of 69.63.181.12 (this is facebook's IP address. Go ahead, try it! Put that IP in your browser's address bar and you will see facebook.), domain names are much easier to remember!
If you want to see the IP address associated with a website, open up a command prompt. Once the prompt is open type PING [websitedomain] (e.g. PING Facebook.com) and your computer will send 4 test requests to the address which is displayed for you.
PART 2
Let's pretend your IP address is like the address of an apartment buliding. The pizza delivery boy needs to know the address to the apartment building in order to deliver your pizza. But what is he going to do when he gets there? There are hundreds of doors/apartments to choose from. He needs to know the apartment number (port number on your computer).
Your computer has thousands of ports, and programs can listen on any one of them for requests from the outside world. When you go to a website almost all websites are served on port 80. Port 80 is the default port for web pages. When you go to facebook.com you are actually going to facebook.com:80, you just don't see the :80 because it is implied since it is the default. If I put up a web server, I could decide any port to serve websites on. If I served web pages on a different port than port 80, then you would have to include it in your URL. http://www.SomeDudesCustomWebServer.com:1337.
Outgoing requests use a port too, but that one is usually unimportant and your computer just picks one that is available. So when you go to Facebook.com, the facebook web servers are all serving up pages over port 80, but the port your computer opened up to send the request does not have to be port 80 because it picks an available port and then sends the port with the request. Then when facebook sends its response, it sends the reply back to the ip address and port that made the request.
Outgoing ports are only used for the duration of the request. Ports that must listen for connections must stay the same otherwise the computers making requests would have no idea what port to send the request to.
Easy huh!
Hope that helps you understand a bit better.
EDIT:
Port Forwarding
Okay, in light of the chat application you want to use/create, if you want it to communicate over the net you'll have to learn about port forwarding. Basically, because all you could see of your friend's network would be his external ip address, you will have to use that address to connect to his chat server (or vice versa if he is connecting to your chat server then it will be your external IP). Because of this, the connection request would only get as far as the router that has the external IP, but it would not know what computer on the network to forward the request to.
You will need to access your router's firmware and set up port forwarding so that the router knows to forward requests on a specific port, to a specific computer on the network. Visit http://portforward.com/ for more detail on how to setup port forwarding.
EDIT 2:
Firewall
When setting up stuff to communicate with your computer using your PC, you may start getting frustrated that it just won't connect. What is likely stopping you is your firewall. By default, most ports on your PC are completely blocked by the windows firewall. For each port that you want to communicate on you will want to go into the firewall and create a rule that will open up the port. Go here http://www.top-windows-tutorials.com/windows-7-firewall.html for a video on how to use the windows firewall. I did not watch it, but it is what came up first on a google search.
Do not simply disable the firewall. Even though this is an easy and quick solution to open up all your ports, you are leaving yourself open to attack. Viruses love to set themselves up in your computer if they can and listen on an open port for a connection from their beloved creator so he can obtain access to your PC. Only open the ports you need.
UDP vs TCP
When opening and forwarding ports you may notice that it asks for UDP (User Datagram Protocol) or TCP (Transmission Control Protocol). What they stand for may not make sense but all you need to know is this: UDP is for single packet transmissions which means that two packets sent by a pc may or may not be related to each other. These types of data packets are usually used for broadcasts on a local network. An example I would use is LAN games. When you host a game on a LAN the other computers/devices can see the name of the game and join it. That is because the computer hosting the game is transmitting a UDP broadcast across the entire LAN so that any devices can see the game. Those UDP transmissions usually contain the name of the game and the connection info required to connect to the game.
TCP is for continuous packet transmission. TCP requires an established connection, any packets transmitted on this connection are always related to that one connection/request. To continue my example from the last paragraph, once you click connect on the LAN game, your computer then establishes a TCP connection with the host and uses that connection for the duration of the game or games. TCP is the most commonly used connection type and your chat program would likely communicate over TCP, especially if you are connecting across the net because UDP broadcasts are useless across the internet. UDP is only really useful on a LAN.
You should be safe forwarding and unblocking only the TCP ports, but sometimes when I'm unsure I just do both UDP and TCP just to be safe. In fact, many routers and firewalls have 3 options: TCP, UDP, or Both which saves you from having to create two rules for both types of the port.
When in doubt, open/forward both.
What's my ip provides your IP v4 public address.
It's really easy to retrieve it, this topic explain how to proceed : How to get the IP address of the server on which my C# application is running on?
The code is only a few lines long, so the language (c# in this example) does'nt matter.
They provide your external internet facing IP.
This IP will depend on how you connect to the internet. If you connect straight from your computer to your ISP without any kind of router or firewall in between, it might be the same as your internal IP, but in most circumstances this will not be the case.
If you're at home and you've connected via a router of some kind, then you might be able to query it for the IP, but there is no standard way of doing this.
There is no standard way of getting hold of your external IP from the client it self. If you've got access to a server on the internet where you could deploy some code you could connect to that server from your client PC and ask it what IP you're connecting from.
IP Port Numbers
I also needed external IP using command line, but because I didn't find it I wrote small application using vb.net. You can use reflection for source code or ask on app home page for it. Basically application opens web page that provide your IP and parse it using regular expression, but because is designed with this purpose uses many "tricks" for this (can use more web pages at once, uses fastes page, etc). Check source for details.