I want to test stun client/server and the send udp traffic from server side to client side.
I run stun client in a local machine, I get the following result.1.
Lenovo-Z50-70:~/iop-bb$ stun -v my_stun_server
STUN client version 0.96
Opened port 22948 with fd 3
Opened port 22949 with fd 4
Encoding stun message:
Encoding ChangeRequest: 0
About to send msg of len 28 to 212.227.107.179:3478
Encoding stun message:
Encoding ChangeRequest: 4
About to send msg of len 28 to 212.227.107.179:3478
Encoding stun message:
Encoding ChangeRequest: 2
About to send msg of len 28 to 212.227.107.179:3478
Received stun message: 88 bytes
MappedAddress = 41.224.250.29:22948
SourceAddress = 212.227.107.179:3478
ChangedAddress = 127.0.0.1:3479
XorMappedAddress = 41.224.250.29:22948
ServerName = Vovida.org 0.96
Received message of type 257 id=1
On the server side, I execute the following, echo "hello" | nc -w1 -u 41.224.250.29 22944.
But, in the client side I didn't receive the packet.
Any suggestion?
You would need to match the port on both sides and do a hole punching step after obtaining your public ip and port.
You ran a stun client listening on local port 22948 to the server (listening on port 3478). From that port you sent a stun binding request request to your server.
The server responded back with a response indicating that your public ip:port was
41.224.250.29 22948.
So now you know that your local ip (e.g. 192.168.1.2) maps to 41.224.250.29 and your local port 22948 maps to the public port 22948.
You could in theory start communicating between client port 22948 and server 3478, but 3478 is already in use by the server. You need to do a hole punching step using the same port you obtained from the STUN response.
The hole punching step with your other service goes like this. Client sends from port 22948 to server (port 9876 for example).
echo "hello there" | nc -p 22948 server 9876
The server could respond:
echo "I see you" | nc -p 9876 41.224.250.29 22948
On the server side, I execute the following, echo "hello" | nc -w1 -u 41.224.250.29 22944
Does this received any packet prior from that client or using the address "41.224.250.29 22944"? If not, client end NAT will not allow this incoming traffic unless it's a full-cone NAT. It's also important that client is using a socket which is ready to receive any packet from that external source. Basically, you have to make sure that binding is there for that external source.
Related
Edit:
I think based on the below answer here, it seems the answer is "client and server basically only communicate on one port, 3478 (or equivalent")
rfc 5766 : Issue when Both devices support TURN
==========================.
I have been reading several sources on TURN, including RFC.
I get the whole premise:
Client creates allocation on TURN server
Client sends data to Peer through TURN that relays via the relayed transport address
Same way around from peer --> Server --> client
Most resources focus on setting up the server and what ports need to be configured.
The point that I am unclear is on the client side:
After the allocation is done and the client can start sending data, do they send that data to the relayed transport address that the Server allocated? Or do they send it to the standard TURN port e.g. 3478, and then the server takes care of looking up the allocation for this client and send it through the relayed address to the peer?
Example:
Client address 192.6.12.123:45677 (let's assume it's the NAT)
TURN server listens on 34.45.34.123:3478
TURN server has done an allocation for client on 34.45.34.123:50678
So when the client wants to send to a peer application data, do they send on port 3478 or port 50678?
My assumption (based also on some wireshark captures I tried) is that the client always send everything on port 3478 and the server takes care to send via the relayed address.
My assumption (based also on some wireshark captures I tried) is that the client always send everything on port 3478
The client will pick a random local port (e.g 45677), but traffic sent from this port goes to the server's port 3478 (or 5349 if using TLS) on the server. The server will forward it through its allocated port (50678) to whatever remote port the other client established during ICE negotiation.
If a webserver is handling traffic on port 80, each client must establish a connection between itself and the server on that port. Assuming a client maintains the connection, how is the server able to service other clients in parallel?
Does the server immediately kill the connection with a client after a request? Or do webservers dynamically generate new ports for clients to use such that port 80 is free for new connections?
A port is one end of a communication channel.
The server initials sets up a LISTENing port (80 in the case of an HTTPS server). A client creates a port (the operating system will assign a random, available port number to this) and CONNECTs to the listening port. At that point the communications channel is uniquely described by the IP address of the server, port 80 at the server, and the IP address of the client along with port number of the client. If you look at the output of netstat you'll see lots of sockets/ports in various stages of connection:
symcbean#skynet ~ $ netstat -t
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.202:47206 stackoverflow.com:https ESTABLISHED
tcp 0 1 192.168.1.202:50894 aba1c1ff9d2ec5376.:smtp SYN_SENT
tcp 0 0 192.168.1.202:47210 stackoverflow.com:https ESTABLISHED
tcp 0 0 192.168.1.202:60806 ec2-34-213-90-136:https ESTABLISHED
tcp 0 0 192.168.1.202:51124 151.101.1.69:https ESTABLISHED
tcp 0 0 192.168.1.202:34784 i0.wp.com:https ESTABLISHED
tcp 0 0 192.168.1.202:54082 lhr25s14-in-f10.1:https ESTABLISHED
tcp 0 0 192.168.1.202:38412 172-155-250-212.s:https ESTABLISHED
Exactly how the server handles communicating concurrently on multiple channels varies. I've never come across a server which only handles a single connection at a time.
On the (prefork) Apache webserver, the process which opened the listening socket hands off the connection to a pre-existing child process to deal with. Some servers run as a single process but with multiple threads of execution. Some (such as nginx and lighthttpd) run as a single thread and give their attention to the channel sending data first.
I have installed the TURN server everything in the server code is working fine. no error in the log file. only a warning stating
0: WARNING: I cannot support STUN CHANGE_REQUEST functionality because only one IP address is provided
but the TURN server running on the server.
here is what shows when I check lsof -i :3478
turnserve 999 root 15u IPv4 446811411 0t0 TCP domain.com:stun (LISTEN)
turnserve 999 root 23u IPv4 446811417 0t0 TCP domain:stun (LISTEN)
turnserve 999 root 24u IPv4 446810998 0t0 UDP domain.com:stun
turnserve 999 root 25u IPv4 446810999 0t0 UDP domain.com:stun
when I check STUN in Trickle ICE it throws an errors
The server stun:xxx.xxx.xxx.xxx:3478 returned an error with code=701:
STUN server address is incompatible.
The server stun:xxx.xxx.xxx.xxx:3478 returned an error with code=701:
STUN allocate request timed out.
what's going wrong in this.
Thank you
I think that 701 error is a more generic connectivity error that Trickle ICE uses to indicate it didn't get a binding response back. Run stunclient your.stun.ip.address with the command line tools at www.stunprotocol.org to see if your STUN service is accessible from the outside world.
STUN technically requires being hosted on a device with two IP addresses and two ports. It's typically a command line parameter to specify which IP addresses the server should listen on. But most server implementations can operate on a host with a single IP address.
The second IP address and port on the server is used for STUN client filtering tests to detect what type of NAT is in effect. The client sends a binding request on the server's primary ip and port, but with a change request attribute to have the server respond from the alternate IP address or port. More often than not, this binding request with a change-request attribute fails since NATs will not forward traffic from the other IP/port.
The filtering test is useful for logging what type of NAT the client is on. So that failed connections can be debugged and that success/failure metrics can be correlated to NAT type.
Since most ICE implementations will exchange all available address candidates (local, mapped, and relay), the filtering test isn't very or useful to connectivity establishment.
I'm surprised Trickle ICE is giving you an error. I didn't think WebRTC ever used the changer-request attribute. I just did a Wireshark trace of a Trickle ICE session to stunserver.stunprotocol.org. I don't see the webrtc client setting the change-request attribute in either of the two binding requests it makes.
More details in RFC 5780 Section 3.2
In macOS, I just do so:
> brew install stuntman
when it done
> stunclient stunserver.stunprotocol.org
Binding test: success
Local address: 198.18.0.1:54898
Mapped address: 210.0.158.130:56750
To specify port, just like this:
> stunclient stunserver.stunprotocol.org 3478
Binding test: success
Local address: 198.18.0.1:63061
Mapped address: 210.0.158.130:37126
Have fun!
I setup turnserver 3.2.5.9 for WebRTC
I'd like to do this.
Client-A-->(TCP)-->TURN-->(UDP)-->TURN-->(TCP)-->Client-B
I have tow problems each Client-A and B ,both in different private network each other.
For the Client-A's issue.
The TURN server responds candidates for host srfix relay.
I'd like have a relay candidate as tcp.
However,I only can have udp .
How can I have a relay candidate as tcp.
For the Client-B's issue.
The TURN server responds only host.
So, the Client-B can't have any access to the TURN server.
FW policy, which Client-B is placed, is strict that it isn't allow to use UDP.
However, I think It should access to the TURN server by TCP.
Does anyone know how to tell the TURN server about Clients' Global IPs and TCP ports in both cases.
Here is turnserver.conf
listening-port=80
listening-ip=my-server-global-ip
external-ip=my-server-global-ip
lt-cred-mech
userdb=/opt/turnserver/etc/turnuserdb.conf
realm=my.server.domain
stale-nonce
no-udp
no-stun
Here is Response from Trickle ICE tool at the Client-A
Time Component Type Foundation Protocol Address Port Priority
0.015 1 host 2508812977 udp 10.2.1.17 53175 126 | 32542 | 255
0.059 1 srflx 3607399481 udp Client-Global-ip 53175 100 | 32542 | 255
0.086 1 relay 1628315121 udp my-server-global-ip 54043 1 | 32542 | 255
0.116 1 host 3674902081 tcp 10.2.1.17 9 90 | 32542 | 255
39.827 Done
39.833
Here is Response from Trickle ICE tool at the Client-B
0.012 1 host 1197209968 udp 192.168.95.131 60019 126 | 30 | 255
39.819 Done
39.823
WebRTC does not support allocation of TCP relay candidates.
Note that you can still have TURN/TCP candidates which use TCP between the client and the TURN server, those will have a local type preference of 1 which you can see in the trickle ice tool output.
You need to re-configure TURN server with TCP protocol option. Kurento and Wowza support TCP protocol for WebRTC.
I want to setup a reverse udp tunnel, because I need to connect to my openvpn server from remote and the openvpn server is behind a NAT. For this I use socat and ssh. The tcp tunnel command:
socat exec:"ssh removeserver \"socat tcp-listen:10000,fork -\"" tcp-connect:localhost:22
does work correctly and I'm then able to buildup a ssh connection to remoteserver:10000.
But when I want to do the same with udp:
socat exec:"ssh removeserver \"socat udp-listen:10000,fork -\"" udp-connect:localhost:1194
and then try to buildup the openvpn connection, I get the following error:
2011/12/23 13:27:43 socat[28241] E read(3, 0x80c3b08, 8192): Connection refused
The tunnel at first seems to work, becaues both logfiles (server and client) have entries for the connection attempt. But the connection can't be established.
I have just tried this and I believe the reason it fails is because the ssh part of the tunnel doesn't preserve the UDP datagram sizes. Ie. a 14 byte datagram and a 22 byte datagram get combined on the other end into a 26 byte datagram. Openvpn doesn't work in this scenario.
I have had proof-of-concept success with a similar construct as this, but where there is a program which reads the UDP datagrams and turns them into tcp stream with 16-bit length prefixes (i.e. a stream of length,bytes,length,bytes etc) and obviously does the reverse as well.
With this I was able to tunnel openvpn .