I am working on a WebRtc application to broadcast video to my clients. I use Kurento as the WebRtc media server and use Spring Boot to build my signaling server. There is only media data that flows from my media server to clients but no media data in the opposite direction. So the media server's public address is not needed while clients's public addresses are required. That is I need to find ICE candidates that contains public address for my clients.
I know clients can setup up an extra stun server to achieve this. But since the clients are already talking to my signaling server, is it possible that I just use my signaling server to find ICE candidates for the clients?
A stun server lets the client figure out a UDP port where other clients can connect. This is different from the TCP connection the client uses to connect to your signaling server.
If you client is only talking to your media server, that is not needed. However, you may need a TURN server to allow connections from networks that block UDP (unless your media server supports ICE-TCP)
I am trying to get a browser client to connect with my C++ linux application using WebRTC. So my environment is not the typical triangle WebRTC where 2 browsers setup a WebRTC call thru a server. Instead, the browser client side is typical, but my application is acting as the server and the remote client, so it does the signalling and also streams the SRTP media using gstreamer.
I am successful up to a point. I have successfully exchanged the ice candidates and the offer/answer SDP exchange is also successful. The browser ICE connection state successfully goes to "checking" and at that point I am stuck.
Question: Is the server or remote browser involved in the ice checking operations? That is, does the browser do the ICE checking with the STUN server or with the actual candidate address from the remote end. That would then imply that my C++ application has to be involved in that checking process.
Thanks,
-Andres
your server needs to respond to STUN binding requests at least which are sent as part of ICE.
If your server always has a public IP, using ice-lite (see RFC 5245) will make your life a lot easier.
I understand that to establish a peer-to-peer connection
initiator peer
initialises shared signaling channel
initialises RTCPeerConnection object (pc)
requests local stream(s) using getUserMedia
registers local MediaStream with pc
creates SDP offer and sends to peer
trickles ICE candidates
registers remote ICE candidate to begins connectivity checks
receiver peer
listens and processes remote offers delivered
registers remote ICE candidate to begins connectivity checks
generates SDP answer and sends to peer
But my WebRTC use case is peer-to-server where received streams are processed on my Node.js server. In my use case the server has publicly routable IP address and is listening for any new RTCPeerConnection requests. Because of this, some of the steps involved to establish a peer-to-peer connection seem unnecessary for my case.
Q1 How do the steps to establish a peer-to-server connection differ from peer-to-peer connection establishment?
Particularly
Q2 Do I still need a signaling channel?
Q3 Do I still need the step to trickle ICE candidates?
Your peer-to-server connection is no different than a peer-to-peer. Meaning, that your server is just a peer that handles numerous connections. You will still need a unique connection for each connection to the server, so the steps would not differ at all on the connection set up. But you can reuse media streams.
Yes, you still need a signalling server for connection build up and tear down for each of your clients and for your server to communicate(id est exchange ICE/SDP). It could be the same FQDN/physical box as your Node.js server but signalling would still have to take place.
Yes, on the client side. Admittedly, your ICE candidates will be few for your server(since it is publicly accessible) and you may not have to query for them(should just use local IP and what ever ports are available if it is truly open for connections, which is not very secure...) but the client will still have to trickle candidates to the server so that the server's stream can hit the client.
My understanding about STUN server for webrtc is that when the clients are behind the NAT (in most cases, if not all), the STUN server will help the webrtc clients to identify their addresses and ports. And I also read some article saying that a signaling server is needed for webrtc clients. The signaling server could be a web server, socket.io, or even emailing a url. My first question would be: is the STUN server the signaling server?
Actually now I built a very simple socket.io based service which broadcasts client's session descriptions to all other clients. So I believe the socket.io based server should have enough knowledge about the clients' addresses and ports information. If this is the case, why do we bother to have another STUN server?
The STUN server is NOT the signalling server.
The purpose of the signalling server is to pass information between the peers at the start up of the session(how can they send an offer without knowing who to send to?). This information includes the SDPs that are created on the offers and the answers and also any Ice Candidates that are created by either party.
The reason to have a STUN server is so that the two peers can send the media to each other. The media streams will not hit your signalling server but instead will go straight to the other party(the definition of a peer-to-peer connection), the exception to this would be the case when a TURN server is used.
Media cannot magically go through a NAT or a firewall because the two parties do not have direct access to each other(like they would if they were on the same LAN).
In short STUN server is needed the large majority of the time when the two parties are not on the same network(to get valid connection candidates for peer-to-peer media streaming) and a signalling server is ALWAYS needed(whether they are on different networks or not) so that the negotiation and connection build up can take place. Good explanation of the connection and streaming process
STUN is used to implement the ICE protocol, which tries to find a working network path between the two clients. ICE will also use TURN relay servers (if configured in the RTCPeerConnection) for cases where the two clients (due to NAT/Firewall restrictions) can't make a direct peer-to-peer connection.
STUN servers are used to identify the external address used by the computer on the internet (the outside-the-NAT address) and to attempt to set up a port mapping usable by the peer (if the NAT isn't "symmetric") -- contacting the STUN server will tell you the external IP and port to try to use in ICE. These are the ICE candidates included in the SDP or in the trickle-ICE messages.
For almost-guaranteed connectivity, a server should have TURN servers (preferably supporting UDP and TCP TURN, though UDP is far preferred). Note that unlike STUN, TURN can use appreciable bandwidth, and so can cost money to host. Luckily, most connections succeed without needing to use a TURN server (i.e. they run peer-to-peer)
NAT(Network Address Transformation) is used to translate "Private IP', which is valid only in LAN into "Public IP" which is valid in WAN.
The problem is that "Public IP" is only visible from outside, so we need STUN or TURN server to send back "Public IP" to you.
This process enables a WebRTC peer to get a publicly accessible address for itself, and then pass that on to another peer via a signaling mechanism
A STUN server is used to get an external network address.
TURN servers are used to relay traffic if direct (peer to peer) connection fails.
for more you can also refer from below link: https://www.html5rocks.com/en/tutorials/webrtc/infrastructure/#what-is-signaling
In your case, you need STUN. Most clients will be behind NAT, so you need STUN to get the clients public IP. But if both your clients were not behind NAT, then you wouldn't need STUN. More generally, no, a STUN server is not strictly required. I know this because I successfully connected 2 WebRTC peers without a stun server. I used the example code from aiortc, a python WebRTC/ ORTC library where both clients were running locally on my laptop. The signalling channel used my manual copy-pasting. I literally copied the SD (session description) from the one peer to the other. Then, copied the SD from the 2nd peer to the 1st peer once again.
From the ICE RFC (RFC8445), which WebRTC uses
An ICE agent SHOULD gather server-reflexive and relayed candidates.
However, use of STUN and TURN servers may be unnecessary in certain
networks and use of TURN servers may be expensive, so some
deployments may elect not to use them.
It's not clear that STUN is a requirement for ICE, but the above says it may be unnecessary.
However, signalling has nothing to do with it. This question actually stems from not understanding what STUN does, and how STUN interplays with signalling. I would argue the other 3 answers here do not actually answer these 2 concerns.
Pre-requisite: Understand the basic concepts of NAT. STUN is a tool to go around NAT, so you have to understand it.
Signalling: Briefly, in WebRTC you need to implement your own signalling strategy. You can manually type the local session description created by one peer in the other peer, use WebSockets, socket.io, or any other methods (I saw a joke that smoke signals can be used, but how are you going to pass the following session description (aka. SDP message) through a smoke signal...). Again, I copy pasted something very similar to below:
v=0
o=alice 2890844526 2890844526 IN IP4 host.anywhere.com
s=
c=IN IP4 host.anywhere.com
t=0 0
m=audio 49170 RTP/AVP 0
a=rtpmap:0 PCMU/8000
m=video 51372 RTP/AVP 31
a=rtpmap:31 H261/90000
m=video 53000 RTP/AVP 32
a=rtpmap:32 MPV/90000
When both peers are not behind NAT, you don't need a STUN server, as the IP addresses located in the session description (the c= field above, known as connection data) generated by each peer would be enough for each peer to send datagrams or packets to each other. In the example above, they've provided the domain name instead of IP address, host.anywhere.com, but this can be resolved to an A record. (Study DNS for more information).
Why don't you need a STUN server in this case? From RFC8445:
There are different types of candidates; some are derived from physical or logical network interfaces, and others are discoverable via STUN and TURN.
If you're not using NAT, the client already knows the IP address which peers can directly address, so the additional ICE candidates that STUN would generate would not be helpful (it would just give you the same IP address you already know about).
But when a client is behind a NAT, the IP they think they won't help a peer contact them. Its like telling you my ip address is 192.168.1.235, it really is, but its my private IP. The NAT might be on the router, and your client may have no way of asking for the public IP. So STUN is a tool for dealing with this. Specifically,
It provides a means for an endpoint to determine the IP address and port allocated by a NAT that corresponds to its private IP address and port.
STUN basically lets the client find out what the IP address. If you were hosting a Call of Duty server from your laptop, and port forwarded a port to your machine in the router settings, you still had to look up your public IP address from a website like https://whatismyipaddress.com/. STUN lets a client do this for itself, without you accessing a browser.
Finally, how does STUN interplay with signalling?
The ICE candidates are generated locally and with the help of STUN (to get client public IP addresses when they're behind NAT) and even TURN. Session descriptions are sent to the peer using the signalling channel. If you don't use STUN, you might find that the ICE candidates generated that is tried by ICE all fail, and a connection (other than the signalling channel) does not successfully get created.
I read that WebRTC uses relay servers, if the direct peer connection doesn't work because of firewalls.
Is there a way to check, if this is the case?
When you establishing WebRTC connection, you set STUN and/or TURN for a web browser to use. If you informed a web browser with the both options, web browser will start trying to use STUN first. Then, in case of unsuccess it will try to use TURN.
The 'relay server' is a TURN-server.
As I know, there is no standard way to know out which option a web browser decided to use: STUN or TURN.
In other hand, if you're the owner of TURN server, you can see whether web client does use it or not, and then send this information to the client.
UPDATED
This is my code: https://github.com/fycth/webrtcexample/blob/master/www/js/rtc_lib.js
You can see there I use just STUN server, so it is p2p or nothing, and no relay.
In chrome. go to chrome://webrtc-internals, go to succeeded connection-googCandidate pair(in black letters) check if googLocalcandidatetype is relay, then webrtc uses relay connection . If googLocalcandidatetype is local, then it uses peer to peer connection
In firefox, go to about:webrtc, if the succeeded connection contains any candidate as relayed-udp, then webrtc uses relay connection